FortiGate
Debbie_FTNT
Staff
Article Id 191159

Description


This article describes how to use the 'grep' command in combination with 'diag sys session list' to obtain more detailed session statistics.
Scope
FortiGate.

Solution
The FortiGate CLI allows the 'grep' command to be appended to any command in order to filter its output for a specified string.

As an example, 'show full-configuration | grep '<IP address>'' will show whether the specified IP address occurs anywhere in the FortiGate configuration.
Parameters can also be used, and in combination with the 'diag sys session list' command they allow a deeper insight into which sessions are present.


Example:

diag sys session list | grep -c 'dirty may_dirty'


This will count how many dirty sessions are present in the (optionally filtered) session table.
Dirty sessions have the status ‘dirty’, and all sessions have the status ‘may_dirty’.
Searching for ‘dirty may_dirty’ will print the dirty sessions; using the parameter ‘-c’ will count the occurrences instead.


Example:

diag sys session list | grep -B 5 -A 10 local


This will print every local session that 'diag sys session list' includes in its output.
It filters for 'local', which is a session state, and then prints the 5 preceding lines and the 10 trailing lines around each occurrence so that the full session entry is shown.


'diag sys session filter' can be combined with this approach: the filter pre-selects the sessions that 'diag sys session list' will dump, and 'grep' is then used to filter or count particular session entries.

'diag sys session filter' can be used to constrain the possible matches based on source IP/destination IP, source port/destination port, policy ID, duration, NAT IP or NAT port.
'grep' can be used afterwards to narrow down session states, authenticated users and other details that the 'session filter' command does not allow for.
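The same workflow run offline, as an added example that is not part of the article: a POSIX shell script that applies the two session-table checks above to a constructed, abbreviated 'diag sys session list' dump. It assumes each session starts with a 'session info:' line and that sessions are separated by a blank line, and it generalizes the article's commands to exact state-token matching and whole-block extraction.

```shell
# Constructed, abbreviated 'diag sys session list' output (three sessions).
# Assumption about the real format: each session starts with a
# 'session info:' line and sessions are separated by a blank line.
SAMPLE='session info: proto=6 proto_state=01 duration=3 expire=3597 timeout=3600
state=local may_dirty
hook=pre dir=org act=noop 192.0.2.10:49152->192.0.2.1:443(0.0.0.0:0)
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=00000001

session info: proto=6 proto_state=01 duration=120 expire=3480 timeout=3600
state=log may_dirty npu
hook=post dir=org act=snat 192.0.2.20:50000->198.51.100.5:443(203.0.113.1:50000)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=00000002

session info: proto=17 proto_state=00 duration=5 expire=175 timeout=180
state=dirty may_dirty
hook=post dir=org act=snat 192.0.2.30:53000->198.51.100.53:53(203.0.113.1:53000)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=00000003

total session 3
'

# Count sessions whose state line carries the exact token (stdin -> stdout).
# Tokens are compared whole, so "dirty" does not also match "may_dirty",
# which is why the article greps for 'dirty may_dirty' rather than 'dirty'.
count_state() {
    awk -v want="$1" '/^state=/ { sub(/^state=/, "")
        for (i = 1; i <= NF; i++) if ($i == want) n++ } END { print n + 0 }'
}

# Print every complete session block whose state line carries the token.
# Unlike 'grep -B 5 -A 10 local', this follows the blank-line separators,
# so blocks of differing length are neither truncated nor run together.
session_blocks() {
    awk -v want="$1" 'BEGIN { RS = ""; ORS = "\n\n" }
        /^session info:/ {
            n = split($0, lines, "\n")
            for (i = 1; i <= n; i++) if (lines[i] ~ /^state=/) {
                m = split(substr(lines[i], 7), tok, " ")   # drop "state="
                for (j = 1; j <= m; j++) if (tok[j] == want) { print; next }
            }
        }'
}

# Usage on the constructed sample; on a FortiGate the input would be the saved
# output of 'diag sys session list' (after 'diag sys session filter').
printf '%s\n' "$SAMPLE" | count_state dirty       # prints 1
printf '%s\n' "$SAMPLE" | session_blocks local    # prints the first session only
```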


Other parameters may be used as well:

Usage: grep [-invfcABC] PATTERN.
Options:
-i Ignore case distinctions.
-n Print line number with output lines.
-v Select non-matching lines.
-f Print fortinet config context.
-c Only print count of matching lines.
-A Print NUM lines of trailing context.
-B Print NUM lines of leading context.
-C Print NUM lines of output context.
On newer firmware versions such as v7.x, additional grep options were added. Here is the output collected from a FortiGate running v7.0.12:
Usage: grep [-ilHhnqvscABC] PATTERN [FILE...]
Options:
-i Ignore case distinctions
-l List names of files that match
-H Prefix output lines with filename where match was found
-h Suppress the prefixing filename on output
-n Print line number with output lines
-q Quiet
-v Select non-matching lines
-s Suppress file open/read error messages
-c Only print count of matching lines
-A Print NUM lines of trailing context
-B Print NUM lines of leading context
-C Print NUM lines of output context
Related articles:

Troubleshooting Tip: FortiGate session table information

Technical Tip: The usage of "grep" filter command on the FortiGate CLI