ssener
Staff
Article Id 196988

Description

This article provides an explanation of the various fields of the FortiGate session table.

Scope

FortiGate.

Solution

To display the session table:

diagnose sys session list


To set up a session filter:

diagnose sys session filter <options>
clear       clear session filter
dport       dest port
dst         dest ip address
duration    duration
expire      expire
negate      inverse filter
policy      policy id
proto       protocol number
sport       source port
src         source ip address
vd          index of virtual domain. -1 matches all

 

Starting with FortiOS 7.2.x, more filters are available:

di sys session filter ?    <- Use '?' after 'filter' in this command to list all filter options.

vd               Index of virtual domain. -1 matches all.
vd-name          Name of virtual domain. -1 or "any" matches all.
sintf            Source interface.
dintf            Destination interface.
src              Source IP address.
nsrc             NAT'd source ip address
dst              Destination IP address.
proto            Protocol number.
sport            Source port.
nport            NAT'd source port
dport            Destination port.
policy           Policy ID.
expire           expire
duration         duration
proto-state      Protocol state.
session-state1   Session state1.
session-state2   Session state2.
ext-src          Add a source address to the extended match list.
ext-dst          Add a destination address to the extended match list.
ext-src-negate   Add a source address to the negated extended match list.
ext-dst-negate   Add a destination address to the negated extended match list.
clear            Clear session filter.
negate           Inverse filter.

To clear filtered sessions (or all sessions, if no session filter is set):

diagnose sys session clear

After clearing the sessions, clear the session filter as well so that the old filter is no longer in effect the next time the session list is viewed.

It is also good practice to run this command before setting up any new session filter.

di sys session filter clear


Example of session table entry:

 

session info: proto=6 proto_state=01 duration=142250 expire=3596 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=rsh vlan_cos=255/255
state=local
statistic(bytes/packets/allow_err): org=9376719/61304/1 reply=3930213/32743/1 tuples=2
tx speed(Bps/kbps): 65/0 rx speed(Bps/kbps): 27/0
orgin->sink: org out->post, reply pre->in dev=13->0/0->13 gwy=0.0.0.0/10.5.27.238
hook=out dir=org act=noop 10.5.27.238:16844->173.243.132.165:514(0.0.0.0:0)
hook=in dir=reply act=noop 173.243.132.165:514->10.5.27.238:16844(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=0161f3cf tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0

 

The example above shows a session for traffic from source IP 10.5.27.238 port 16844 to destination IP 173.243.132.165 port 514.
The gateway to the destination is 0.0.0.0 because it has not been identified yet, and the gateway to the source is 10.5.27.238.

 

proto: protocol number.
proto_state: state of the session (depending on the protocol).

  1. ICMP (proto 1).
    Note: There are no states for ICMP. It always shows proto_state=00.

  2. TCP (proto 6).
    Note: proto_state is a 2-digit number because the FortiGate is a stateful firewall (it keeps track of both directions of the session); the digits can be read as proto_state=OR, where O refers to the Original direction and R to the Reply direction.

 

State            Value   Expire Timer (default)
NONE             0       10 s
ESTABLISHED      1       3600 s
SYN_SENT         2       10 s
SYN & SYN/ACK    3       10 s
FIN_WAIT         4       120 s
TIME_WAIT        5       1 s
CLOSE            6       10 s
CLOSE_WAIT       7       120 s
LAST_ACK         8       30 s
LISTEN           9       120 s


For TCP, the first number (from left to right) is related to the server-side state and is 0 when the session is not subject to any inspection (flow or proxy). If flow or proxy inspection is done, then the first digit will be different from 0.

The second digit is the client-side state. The table above correlates the second-digit value with the different TCP session states. For example, when FortiGate receives the SYN packet, the second digit is 2. It changes to 3 when the SYN/ACK packet is received. After the three-way handshake, the state value changes to 1.

When a session is closed by both sides, FortiGate keeps that session in the session table for a few seconds more, to allow for any out-of-order packets that might arrive after the FIN/ACK packet. This is the state value 5.

 

  3. UDP (proto 17).
    Note: Even though UDP is a stateless protocol, the FortiGate still keeps track of 2 different 'states'.

State                Value
UDP Reply not seen   0
UDP Reply seen       1

The UDP time to live (TTL), that is, the expire timer, is 180 seconds by default.


  4. SCTP (proto 132).

State                      Value   Expire Timer (default)
SCTP_S_NONE                0       60 s
SCTP_S_ESTABLISHED         1       3600 s
SCTP_S_CLOSED              2       10 s
SCTP_S_COOKIE_WAIT         3       5 s
SCTP_S_COOKIE_ECHOED       4       10 s
SCTP_S_SHUTDOWN_SENT       5       30 s
SCTP_S_SHUTDOWN_RECD       6       30 s
SCTP_S_SHUTDOWN_ACK_SENT   7       3 s
SCTP_S_MAX                 8       n/a


duration: duration of the session (value in seconds).
expire: a countdown from 'timeout' since the last packet passed through the session (value in seconds).
timeout: how long the session can stay open in the current state (value in seconds).
*shaper: the traffic shaper profile info (if traffic shaping is utilized).
policy_dir: 0 original direction | 1 reply direction.
tunnel: VPN tunnel name.
helper: name of the utilized session helper.
vlan_cos: Ingress COS values are displayed in the session output in the range 0-7/255, while admin COS values are displayed in the range 8-15/255 even though the value on the wire will be in the range 0-7. When no COS is utilized, the value is 255/255.
state: See the table below for the list of states and their meaning.

 

State        Explanation
may-dirty    Session details are allowed to be altered.
dirty        The session has been altered (requires may-dirty).
npu          The session goes through an acceleration chip.
npd          The session is denied for hardware acceleration.
npr          The session is eligible for hardware acceleration (more info with npu info: offload=x/y).
rem          The session is allowed to be reset in case of a memory shortage.
eph          The session is ephemeral.
oe           The session is part of the IPsec tunnel (from the originator).
re           The session is part of the IPsec tunnel (from the responder).
local        The session is attached to the local FortiGate IP stack.
br           The session is bridged (VDOM is in transparent mode).
redir        The session is redirected to an internal FGT proxy.
wccp         The session is intercepted by the WCCP process.
nlb          The session is from a load-balanced VIP.
log          The session is being logged.
os           The session is shaped in the origin direction.
rs           The session is shaped in the reply direction.
ndr          The session is inspected by IPS signature.
nds          The session is inspected by IPS anomaly.
auth         The session is subject to authentication.
authed       The session was successfully authenticated.
block        The session was re-evaluated to block (policy changed).
ext          (deprecated) The session is handled by a session helper.
app_ntf      The session matched a policy entry that contains 'set block-notification enable'.
F00          After enabling the traffic log in the policy, the session will have this flag.
pol_sniff    After enabling packet capture in the policy, the session will have this flag.
rst_tcp      Flag visible when the firewall policy has 'timeout-send-rst' enabled.
synced       The session has been synchronized.
need_sync    With a 30 s HA sync delay, the session will be synced once it reaches 30 seconds of lifetime.
complex      The session is handled by a session helper.
app_valid    The relevant rule has an application control profile applied and the FGT ipsengine was able to identify the application (the session will have a field such as app= indicating the application).


dev: interface indexes (ingress->egress for each direction). An interface index can be obtained via 'diagnose netlink interface list':

if=port1 family=00 type=1 index=3 mtu=1500 link=0 master=0

 

NAT information:

hook=out dir=org act=noop 10.5.27.238:16844->173.243.132.165:514(20.30.40.50:20000)
hook=in dir=reply act=noop 173.243.132.165:514->20.30.40.50:20000(10.5.27.238:16844)

LEGEND: <source_IP>:<source_port>-><destination_IP>:<destination_port>(<NAT_IP>:<NAT_port>).

  • When applying SNAT, NAT information overwrites the <source_IP>:<source_port>.
  • When applying DNAT, NAT information overwrites the <destination_IP>:<destination_port>.
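The following parser is an added example (not part of the original article or of FortiOS) that applies the proto_state explanation above and the NAT legend to a session entry of the format shown: it splits the key=value fields, collects the state flags, decodes the TCP/UDP proto_state digits, splits a vd=0:20 value into VDOM index and VRF ID, and classifies the NAT by checking where the original direction's NAT tuple reappears in the reply direction (a rule derived from the legend). The sample entry is constructed for the example.

```python
import re

# Constructed sample entry in the format shown above (SNAT applied, vd carries a VRF ID).
SAMPLE = """session info: proto=6 proto_state=01 duration=142250 expire=3596 timeout=3600 flags=00000000
state=local may-dirty npu log
orgin->sink: org out->post, reply pre->in dev=13->0/0->13 gwy=0.0.0.0/10.5.27.238
hook=out dir=org act=noop 10.5.27.238:16844->173.243.132.165:514(20.30.40.50:20000)
hook=in dir=reply act=noop 173.243.132.165:514->20.30.40.50:20000(10.5.27.238:16844)
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0:20"""

TCP_STATES = {0: "NONE", 1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN & SYN/ACK", 4: "FIN_WAIT",
              5: "TIME_WAIT", 6: "CLOSE", 7: "CLOSE_WAIT", 8: "LAST_ACK", 9: "LISTEN"}
HOOK_RE = re.compile(r"hook=\S+ dir=(\w+) act=\S+ (\S+)->(\S+)\((\S+)\)")

def parse_session(entry):
    """Split one 'diagnose sys session list' entry into key=value fields, state flags and hooks."""
    fields, hooks = {}, {}
    for line in entry.splitlines():
        if line.startswith("state="):            # bare flags follow the state= token
            fields["state"] = line[len("state="):].split()
        elif m := HOOK_RE.match(line):           # one src->dst(nat) tuple per direction
            hooks[m.group(1)] = {"src": m.group(2), "dst": m.group(3), "nat": m.group(4)}
        else:
            fields.update(re.findall(r"(\w+)=(\S*)", line))
    fields["hooks"] = hooks
    return fields

def decode_proto_state(proto, proto_state):
    """TCP: first digit = server side (0 = no inspection), second digit = client-side state."""
    if proto == 6:
        server, client = int(proto_state[0]), int(proto_state[1])
        return {"inspected": server != 0, "client_state": TCP_STATES.get(client, "unknown")}
    return {"reply_seen": proto_state[-1] == "1"} if proto == 17 else {}  # UDP 0/1; ICMP always 00

def nat_type(hooks):
    """Derived from the legend: the org NAT tuple reappears as reply dst (SNAT) or reply src (DNAT)."""
    org, reply = hooks.get("org"), hooks.get("reply", {})
    if not org or org["nat"] == "0.0.0.0:0":
        return "none"
    if reply.get("dst") == org["nat"]:
        return "SNAT"
    return "DNAT" if reply.get("src") == org["nat"] else "unknown"

def summarize(entry):
    s = parse_session(entry)
    vdom, _, vrf = s["vd"].partition(":")        # 'vd=0:20' -> VDOM index 0, VRF ID 20
    return {"proto": int(s["proto"]), "vdom": int(vdom), "vrf": int(vrf) if vrf else None,
            "state": s.get("state", []), "nat": nat_type(s["hooks"]),
            **decode_proto_state(int(s["proto"]), s["proto_state"])}
```

Run summarize() on a pasted entry to get a dict such as {'proto': 6, 'client_state': 'ESTABLISHED', 'nat': 'SNAT', 'vrf': 20, ...}; the "orgin->sink" spelling is kept because that is how FortiOS prints the line.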

 

policy_id: policy ID, which is utilized for the traffic.
auth_info: indicates if the session holds any authentication data (1) or not (0).

vd: VDOM index, which can be obtained via 'diagnose sys vd list':

name=root/root index=0 enabled use=237 rt_num=144 asym_rt=0 sip_helper=1, sip_nat_trace=1, mc_fwd=1, mc_ttl_nc=0, tpmc_sk_pl=0

Note: When multiple VRFs are configured, the VRF ID can be obtained from the vd value:

     misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0:20

In the above output, the vd value appears as 0:20, where 0 is the VDOM index and 20 is the VRF ID.

 

serial: unique session identifier.

tos: tos/dscp value kept on the session, used in two cases:

  1. The policy has tos/dscp configured to override this value on a packet.
  2. A proxy-based feature is enabled and it is necessary to preserve the tos/dscp on packets in the flow by caching the tos/dscp on the kernel session from the original packet and then setting it on any subsequent packets that are generated by the proxy.

app: application ID.

url_cat: web filter category ID. See the following table:

 

Potentially Liable:

     1 Drug Abuse
     3 Hacking
     4 Illegal or Unethical
     5 Discrimination
     6 Explicit Violence
    59 Proxy Avoidance
    62 Plagiarism
    83 Child Abuse

Bandwidth Consuming:

    19 Freeware and Software Downloads
    24 File Sharing and Storage
    25 Streaming Media and Download
    72 Peer-to-peer File Sharing
    75 Internet Radio and TV
    76 Internet Telephony

General Interest - Personal:

    17 Advertising
    18 Brokerage and Trading
    20 Games
    23 Web-based Email
    28 Entertainment
    29 Arts and Culture
    30 Education
    33 Health and Wellness
    34 Job Search
    35 Medicine
    36 News and Media
    37 Social Networking
    38 Political Organizations
    39 Reference
    40 Global Religion
    42 Shopping
    44 Society and Lifestyles
    46 Sports
    47 Travel
    48 Personal Vehicles
    54 Dynamic Content
    55 Meaningless Content
    58 Folklore
    68 Web Chat
    69 Instant Messaging
    70 Newsgroups and Message Boards
    71 Digital Postcards
    77 Child Education
    78 Real Estate
    79 Restaurant and Dining
    80 Personal Websites and Blogs
    82 Content Servers
    85 Domain Parking
    87 Personal Privacy
    89 Auction

General Interest - Business:

    31 Finance and Banking
    41 Search Engines and Portals
    43 General Organizations
    49 Business
    50 Information and Computer Security
    51 Government and Legal Organizations
    52 Information Technology
    53 Armed Forces
    56 Web Hosting
    81 Secure Websites
    84 Web-based Applications
    92 Charitable Organizations
    93 Remote Access
    94 Web Analytics
    95 Online Meeting

Unrated:

     0 Unrated

Local Categories:

   140 custom1
   141 custom2

 

Related articles:

Technical Tip: Using filters to clear sessions on a FortiGate unit.

Technical Tip: Check the session list and filter by IP address or port using 'grep'.

Comments
khairul_azhar

tcp-halfopen-timer will affect the value of the SYN_SENT and SYN/ACK expiry timer, as both parameters are considered under the half-open TCP stage.

Checked on FOS v5, v6 and v7, the tcp-halfopen-timer default value is 10s. Updating the SYN_SENT and SYN/ACK expiry timer to 10s.