AlexFeren
New Contributor III

"execute set system session filter" & "get system session" - working or broken?

'CLI Reference for FortiOS 5.2', for section 'execute set system session filter' states "Use these commands to define the session filter for get system session commands."

 

Firstly, 'get system session' is a non-'Global' VDOM command; however, 'execute set system session filter' is a 'Global' VDOM command, so I don't understand why they should be partnered....

 

More importantly, even I can't get them to work - observe:

 

FG60C (global) # diagnose sys vd list | grep root
name=root index=0 enabled ....
:

FG60C (global) # execute set system session filter list
session filter:
        vd: 0
        proto: any
        source ip: any
        dest ip: 208.91.114.47-208.91.114.47
        source port: any
        dest port: any
        policy id: any
        expire: any
        duration: any

 

but in VDOM 'root':

FG60C (root) # get system session list

shows all sessions, not just those destined for 208.91.114.47.

and

FG60C (root) # get system session status

counts all sessions, not just those destined for 208.91.114.47.

 

Of course, issuing "get system session list | grep 208.91.114.47"

 

I'm not able to find more documentation on how to use these two sets of commands - am I using them wrong or are they broken?

R's, Alex

PS. I'm running 60C v5.2.3 in VDOM mode.

PSS. I am aware of 'diagnose sys session filter' executable in Global VDOM, but that is a different matter.

1 Solution
emnoc
Esteemed Contributor III

Try the following and let me know if this works, but I think your problem is you're not using session-info in your get cmd

 

execute set system session filter dport 443

get system session-info list

 

 

Why FTNT did this is unknown, but I've been burnt forgetting this option in global context also, and more so when everything else is get sys session list

 

  ;(

PCNSE NSE StrongSwan

AlexFeren
New Contributor III

In Global VDOM:

FG60C (global) # get system session-info list | grep -c '>208.91.114.47'
11

'root' VDOM:

FG60C (root) # get system session list | grep -c 208.91.114.47
11

 

11=11 match - brilliant, thank you!!

I'll mention this documentation error to Fortinet next time I have a Ticket.
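
As an added example (not from this thread or from Fortinet), a small Python parser for session-info output that reproduces the grep -c cross-check above and applies the session filter fields client-side, so a filtered on-box count can be compared against an unfiltered dump; the sample output, the Session class and the function names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of FortiOS "get system session-info list"
# output (three sessions, two of them to 208.91.114.47); not from a real unit.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600 vd=0
hook=post dir=org act=snat 192.168.1.2:51234->208.91.114.47:443(203.0.113.5:51234)
hook=pre dir=reply act=dnat 208.91.114.47:443->203.0.113.5:51234(192.168.1.2:51234)
session info: proto=17 proto_state=01 duration=3 expire=177 timeout=180 vd=0
hook=post dir=org act=snat 192.168.1.3:53001->208.91.114.47:53(203.0.113.5:53001)
hook=pre dir=reply act=dnat 208.91.114.47:53->203.0.113.5:53001(192.168.1.3:53001)
session info: proto=6 proto_state=01 duration=40 expire=3560 timeout=3600 vd=0
hook=post dir=org act=snat 192.168.1.4:40000->198.51.100.9:443(203.0.113.5:40000)
hook=pre dir=reply act=dnat 198.51.100.9:443->203.0.113.5:40000(192.168.1.4:40000)
total session 3
"""

@dataclass
class Session:
    proto: int      # IP protocol number as printed (6 = TCP, 17 = UDP)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Originating-direction tuple: "dir=org act=<x> SRC:SPORT->DST:DPORT(...)"
ORG = re.compile(r"dir=org \S+ ([\d.]+):(\d+)->([\d.]+):(\d+)")

def parse_sessions(text):
    """One Session per 'session info:' record in the dump."""
    found = []
    for block in text.split("session info:")[1:]:
        proto = int(re.search(r"proto=(\d+)", block).group(1))
        m = ORG.search(block)
        found.append(Session(proto, m.group(1), int(m.group(2)),
                             m.group(3), int(m.group(4))))
    return found

def grep_count(text, dst_ip):
    """Lines whose '->' destination is dst_ip (the thread's grep -c check, with ':' appended so 10.0.0.1 cannot match 10.0.0.10)."""
    return sum(1 for line in text.splitlines() if ">" + dst_ip + ":" in line)

def apply_filter(sessions, proto=None, dst_ip=None, dport=None):
    """Client-side version of the session filter fields; None means 'any'."""
    return [s for s in sessions
            if (proto is None or s.proto == proto)
            and (dst_ip is None or s.dst_ip == dst_ip)
            and (dport is None or s.dst_port == dport)]
```

If grep_count on an unfiltered dump and len(apply_filter(...)) with the same fields agree, the two counts can be checked against what the box prints after the filter is set, which is the 11=11 comparison above done offline.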


AlexFeren
New Contributor III

Actually, I just noticed that get system session-info list output is identical to diagnose sys session list. In fact, the latter is better because diagnose sys session filter has more (NAT) filter attributes than execute set system session filter.

Since both require access to the Global VDOM, this is not a genuine substitute for get system session, which only requires access permission to the admin's VDOM and provides a more compact printout.

neonbit
Valued Contributor

I just tried this now and am having the same problem.

 

Running on 5.2.4 with no VDOMs. Tried a simple filter for tcp, but when I run the get sys session list command I can see all sessions (including UDP and ICMP).
