rmetzger
Staff
Article Id 191368

Description

This article explains how to use filters to clear sessions on a FortiGate unit, based on the CLI command:

    diagnose sys session <arguments>

Scope

FortiGate units running FortiOS firmware version 4.00 MR3 or 5.0.x.

Solution

Clearing sessions matching some common filtering criteria can be done from the CLI in two steps:

  1. Set up a session filter.

    The base command is 'diagnose sys session filter <options>'.

    To see the options:

        diagnose sys session filter ?

        clear       clear session filter
        dport       dest port
        dst         dest ip address
        negate      inverse filter
        policy      policy id
        proto       protocol number
        sport       source port
        src         source ip address
        vd          index of virtual domain. -1 matches all

    To see the current filter settings, type:

        diagnose sys session filter

        session filter:
                vd: any
                proto: any
                source ip: any
                dest ip: any
                source port: any
                dest port: any
                policy id: any
                expire: any
                duration: any

    Example of a filter matching a source IP and a destination port. A single value is stored as a one-element range (10.160.0.1-10.160.0.1, 80-80):

        diagnose sys session filter src 10.160.0.1
        diagnose sys session filter dport 80
        diagnose sys session filter

        session filter:
                vd: any
                proto: any
                source ip: 10.160.0.1-10.160.0.1
                dest ip: any
                source port: any
                dest port: 80-80
                policy id: any
                expire: any
                duration: any

    Example of a filter matching a range of source IPs and a range of destination ports. Two values give the low and high ends of the range:

        diagnose sys session filter src 10.160.0.1 10.160.0.10
        diagnose sys session filter dport 80 888
        diagnose sys session filter

        session filter:
                vd: any
                proto: any
                source ip: 10.160.0.1-10.160.0.10
                dest ip: any
                source port: any
                dest port: 80-888
                policy id: any
                expire: any
                duration: any

    Example of a filter matching a source IP without filtering any port:

        diagnose sys session filter src 10.160.0.1
        diagnose sys session filter

        session filter:
                vd: any
                proto: any
                source ip: 10.160.0.1-10.160.0.1
                dest ip: any
                source port: any
                dest port: any
                policy id: any
                expire: any
                duration: any

    Example of a filter matching a destination IP without filtering any port:

        diagnose sys session filter dst 10.160.0.1
        diagnose sys session filter

        session filter:
                vd: any
                proto: any
                source ip: any
                dest ip: 10.160.0.1-10.160.0.1
                source port: any
                dest port: any
                policy id: any
                expire: any
                duration: any

  2. Clear the session(s) matching the filter defined previously with the command:

        diagnose sys session clear

    Warning: Using the 'diagnose sys session clear' command without any filter will clear all sessions currently opened on the FortiGate unit. Displaying the filter with 'diagnose sys session filter' and listing the matching sessions before clearing confirms that the filter is set and matches only the intended sessions.

    Note: To see the session list, use the following command. The output will also be based on the filter defined previously:

        diagnose sys session list

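The following Python script is an added example, not part of the article and not Fortinet code. It models the filter semantics shown above (one value becomes the range value-value, two values the range low-high, 'clear' resets the filter) against a constructed session table, renders the filter in the layout 'diagnose sys session filter' prints, and performs a dry run of 'diagnose sys session clear' that refuses to proceed on an empty filter. The function names, the session table and the restriction to the src, dst, sport, dport, proto and policy options (vd and negate are left out) are all assumptions of this example.

```python
import ipaddress

# Filter options from 'diagnose sys session filter ?' that this model
# understands, mapped to the session field they constrain and the value type.
# 'vd' and 'negate' are deliberately left out of this illustration.
FILTER_KEYS = {
    "src":    ("source ip",   "ip"),
    "dst":    ("dest ip",     "ip"),
    "sport":  ("source port", "int"),
    "dport":  ("dest port",   "int"),
    "proto":  ("proto",       "int"),
    "policy": ("policy id",   "int"),
}

def ip_to_int(text):
    """Convert a dotted IPv4 address to an integer for range comparison."""
    return int(ipaddress.ip_address(text))

def apply_filter_command(filt, line):
    """Update the filter dict from one 'diagnose sys session filter ...' line.

    One value becomes the range value-value, two values the range low-high,
    as the FortiGate displays them. 'clear' resets the filter; the bare
    command (no option) changes nothing, since it only displays the filter.
    """
    parts = line.split()
    if parts[:4] != ["diagnose", "sys", "session", "filter"]:
        raise ValueError(f"not a session filter command: {line!r}")
    args = parts[4:]
    if not args:
        return filt
    option, values = args[0], args[1:]
    if option == "clear":
        filt.clear()
        return filt
    if option not in FILTER_KEYS:
        raise ValueError(f"unsupported filter option: {option}")
    field, kind = FILTER_KEYS[option]
    if len(values) not in (1, 2):
        raise ValueError(f"{option} takes one value or a low/high pair")
    conv = ip_to_int if kind == "ip" else int
    low, high = conv(values[0]), conv(values[-1])
    if low > high:
        raise ValueError(f"{option}: low end {values[0]} exceeds high end {values[-1]}")
    filt[field] = (low, high)
    return filt

def render_filter(filt):
    """Render the filter in the layout 'diagnose sys session filter' prints.

    IP and port lines follow the article's output; vd, expire and duration
    are always 'any' in this constructed model.
    """
    lines = ["session filter:", "        vd: any"]
    for field, kind in [("proto", "int"), ("source ip", "ip"), ("dest ip", "ip"),
                        ("source port", "int"), ("dest port", "int"), ("policy id", "int")]:
        r = filt.get(field)
        if r is None:
            text = "any"
        elif kind == "ip":
            text = f"{ipaddress.ip_address(r[0])}-{ipaddress.ip_address(r[1])}"
        else:
            text = f"{r[0]}-{r[1]}"
        lines.append(f"        {field}: {text}")
    lines += ["        expire: any", "        duration: any"]
    return "\n".join(lines)

def make_session(src, sport, dst, dport, proto=6, policy_id=1):
    """Build one constructed session entry keyed by the filter field names."""
    return {"source ip": ip_to_int(src), "source port": sport,
            "dest ip": ip_to_int(dst), "dest port": dport,
            "proto": proto, "policy id": policy_id}

# Constructed session table (not real FortiGate output).
SESSIONS = [
    make_session("10.160.0.1", 40000, "192.0.2.10", 80),
    make_session("10.160.0.5", 40001, "192.0.2.10", 443),
    make_session("10.160.0.20", 40002, "192.0.2.11", 80),
    make_session("172.16.0.9", 40003, "192.0.2.10", 80),
]

def matches(session, filt):
    """True when every set filter field contains the session's value."""
    return all(low <= session[field] <= high for field, (low, high) in filt.items())

def sessions_to_clear(sessions, filt, confirm_clear_all=False):
    """Dry run of 'diagnose sys session clear': the sessions it would remove.

    An empty filter matches the whole table, so the function refuses unless
    the caller explicitly confirms that clearing everything is intended.
    """
    if not filt and not confirm_clear_all:
        raise RuntimeError("empty session filter: 'diagnose sys session clear' "
                           "would drop every session on the unit")
    return [s for s in sessions if matches(s, filt)]

if __name__ == "__main__":
    filt = {}
    apply_filter_command(filt, "diagnose sys session filter src 10.160.0.1 10.160.0.10")
    apply_filter_command(filt, "diagnose sys session filter dport 80 888")
    print(render_filter(filt))
    doomed = sessions_to_clear(SESSIONS, filt)
    print(f"{len(doomed)} of {len(SESSIONS)} sessions would be cleared")
```

Running the script reproduces the article's second example (source ip 10.160.0.1-10.160.0.10, dest port 80-888) and reports that two of the four constructed sessions would be cleared; calling sessions_to_clear with an empty filter raises instead of silently matching everything, which is the mistake the warning above describes.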
Related articles:

Troubleshooting Tip: FortiGate session table information.