FortiGate
gessakkiappan
Article Id 196925
Description
Forward traffic logs and the session output show the same session ID on multiple sessions.

This article describes this behavior.

Solution
Multiple sessions in the firewall session output and in the forward traffic logs display the same session ID.

When a session is created through a session helper, the child sessions carry the same session ID that was assigned to the parent session.

For example, if a session helper is configured for the FTP protocol, every data channel session has the same session ID as the control channel session.

Below is an example of an RPC session and its child sessions:

RPC session.
session info: proto=6 proto_state=05 duration=402147 expire=4 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=9
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=Chennai-DR/ helper=dcerpc vlan_cos=0/255             <----- RPC ALG enabled  for the session.
state=log dirty may_dirty f00

statistic(bytes/packets/allow_err): org=620/7/1 reply=452/4/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=0->0/0->0 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 10.59.1.251:65465->172.29.3.112:135(0.0.0.0:0)
hook=post dir=reply act=noop 172.29.3.112:135->10.59.1.251:65465(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=30 auth_info=0 chk_client_info=0 vd=0
serial=00678c12 tos=ff/ff app_list=0 app=0 url_cat=0                                        <----- 00678c12 is the session ID.
vwl_mbr_seq=0 vwl_service_id=0
rpdb_link_id=00000000 ngfwid=n/a
dd_type=0 dd_mode=0
Child sessions (allowed by the Session helper triggered on the above session).
session info: proto=6 proto_state=01 duration=29546 expire=3575 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=6
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=Chennai-DR/ vlan_cos=255/255
state=log intree                                                                           <----- Child session.
statistic(bytes/packets/allow_err): org=16290/158/1 reply=56899/189/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 2/0
orgin->sink: org pre->post, reply pre->post dev=32->35/35->32 gwy=172.29.3.112/10.59.1.251
hook=post dir=org act=noop 10.59.1.251:63393->172.29.3.112:63807(0.0.0.0:0)
hook=pre dir=reply act=noop 172.29.3.112:63807->10.59.1.251:63393(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=30 auth_info=0 chk_client_info=0 vd=0
serial=00678c12 tos=ff/ff app_list=0 app=0 url_cat=0                                       <----- Same session ID as parent.
vwl_mbr_seq=0 vwl_service_id=0
rpdb_link_id=00000000 ngfwid=n/a
dd_type=0 dd_mode=0

session info: proto=6 proto_state=01 duration=25 expire=3584 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=6
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=Chennai-DR/ vlan_cos=255/255
state=log intree                                                                           <----- Child session.
statistic(bytes/packets/allow_err): org=137880/1427/1 reply=3690440/2666/1 tuples=2
tx speed(Bps/kbps): 5369/42 rx speed(Bps/kbps): 143708/1149
orgin->sink: org pre->post, reply pre->post dev=32->35/35->32 gwy=172.29.3.112/10.59.1.251
hook=post dir=org act=noop 10.59.1.251:53891->172.29.3.112:49156(0.0.0.0:0)
hook=pre dir=reply act=noop 172.29.3.112:49156->10.59.1.251:53891(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=30 auth_info=0 chk_client_info=0 vd=0
serial=00678c12 tos=ff/ff app_list=0 app=0 url_cat=0                                       <----- Same session ID as parent.
vwl_mbr_seq=0 vwl_service_id=0
rpdb_link_id=00000000 ngfwid=n/a
dd_type=0 dd_mode=0
This is expected behavior.
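
For anyone correlating a session dump with forward traffic logs, this means the session ID alone is not a unique key. The following Python example is added here and is not Fortinet code: it groups the sessions of a dump by `serial` and, as an assumption taken from the output above, treats the session carrying `helper=` as the parent. The function names are hypothetical; the sample keeps only the lines the parser reads and adds one constructed, unrelated session.

```python
import re
from collections import defaultdict

# Sample trimmed from the dumps above; the last session is constructed for contrast.
SAMPLE = """\
session info: proto=6 proto_state=05 duration=402147 expire=4 timeout=3600
class_id=0 ha_id=0 policy_dir=0 tunnel=Chennai-DR/ helper=dcerpc vlan_cos=0/255
hook=pre dir=org act=noop 10.59.1.251:65465->172.29.3.112:135(0.0.0.0:0)
serial=00678c12 tos=ff/ff app_list=0 app=0 url_cat=0
session info: proto=6 proto_state=01 duration=29546 expire=3575 timeout=3600
hook=post dir=org act=noop 10.59.1.251:63393->172.29.3.112:63807(0.0.0.0:0)
serial=00678c12 tos=ff/ff app_list=0 app=0 url_cat=0
session info: proto=6 proto_state=01 duration=25 expire=3584 timeout=3600
hook=post dir=org act=noop 10.59.1.251:53891->172.29.3.112:49156(0.0.0.0:0)
serial=00678c12 tos=ff/ff app_list=0 app=0 url_cat=0
session info: proto=17 proto_state=01 duration=12 expire=170 timeout=180
hook=post dir=org act=noop 192.0.2.10:50000->198.51.100.53:53(0.0.0.0:0)
serial=0067ffff tos=ff/ff app_list=0 app=0 url_cat=0
"""

def parse_sessions(text):
    """Split a dump on 'session info:' and extract serial, helper and flow."""
    sessions = []
    for block in re.split(r"(?m)^(?=session info:)", text):
        serial = re.search(r"\bserial=([0-9a-f]+)", block)
        if not serial:
            continue  # empty leading chunk or incomplete record
        helper = re.search(r"\bhelper=(\S+)", block)
        # Original-direction tuple: "dir=org act=... SRC:PORT->DST:PORT(nat)"
        flow = re.search(r"dir=org \S+ (\S+?)->(\S+?)\(", block)
        sessions.append({"serial": serial.group(1),
                         "helper": helper.group(1) if helper else None,
                         "flow": "->".join(flow.groups()) if flow else None})
    return sessions

def group_by_serial(sessions):
    """Return parent/children for every serial shared by more than one session."""
    groups = defaultdict(list)
    for s in sessions:
        groups[s["serial"]].append(s)
    out = {}
    for serial, members in groups.items():
        if len(members) > 1:  # a serial seen once is an ordinary session
            out[serial] = {
                "parent": next((m for m in members if m["helper"]), None),
                "children": [m for m in members if not m["helper"]],
            }
    return out
```

Calling `group_by_serial(parse_sessions(SAMPLE))` returns a single group for serial 00678c12, with the dcerpc session as parent and the two high-port flows as children.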

Session helpers:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/300534/session-helpers
