Troubleshooting Tip: FortiGate Firewall session list information
Products
FortiGate
Description
This article provides detail about the session list in a FortiGate.
Solution
• To display the session table:
FGT # diagnose sys session list
• To set up a session filter:
FGT # diagnose sys session filter <options>

clear       clear session filter
dport       dest port
dst         dest ip address
duration    duration
expire      expire
negate      inverse filter
policy      policy id
proto       protocol number
sport       source port
src         source ip address
vd          index of virtual domain. -1 matches all
• To clear the sessions matched by the filter set with the options above (if no session filter is set, this clears all sessions in the table):

FGT # diagnose sys session clear


General session information for TCP


Description of the State field in the session table

State      Meaning
log        Session is being logged
local      Session originates from or is destined for the local stack
ext        Session is created by a firewall session helper
may_dirty  Session is created by a policy. For example, the session for the FTP control channel has this state, but the FTP data channel does not.
ndr        Session will be checked by IPS signature
nds        Session will be checked by IPS anomaly
br         Session is being bridged (transparent (TP) mode)
npu        Session can be offloaded to an NPU
wccp       Session is handled by WCCP (version 4.0)


Example of a session with multiple flags set:

session info: proto=6 proto_state=11 expire=3527 timeout=3600 use=3
bandwidth=0/sec guaranteed_bandwidth=0/sec traffic=0/sec prio=0
logtype=session ha_id=1 hakey=0
tunnel=/
state=redir log may_dirty ndr nds br
statistic(bytes/packets): org=48/1 reply=0/0 tuples=2
orgin->sink: org pre->post, reply pre->post oif=6/8
gwy=194.199.143.130/193.251.169.175
hook=pre dir=org act=noop
193.251.169.175:3761->194.199.143.130:25(0.0.0.0:0)
hook=post dir=reply act=noop
194.199.143.130:25->193.251.169.175:3761(0.0.0.0:0)
set=2: 10.0.0.1, 10.0.0.2,
pos/(before,after) 0/(0,0), 0/(0,0)
misc=20004 domain_info=0 auth_info=0 cerb_info=0 ids=0 vd=0 serial=1babac4b tos=ff/ff


Proto_state field for TCP

Note: because the FortiGate is a stateful firewall, it also keeps track of the reply direction of each session. This is why proto_state has two digits, proto_state=OR, where O is the state of the original direction and R the state of the reply direction. Each digit takes one of the values below.

State           Value   Expire Timer (default)
NONE            0       10 s
ESTABLISHED     1       3600 s
SYN_SENT        2       120 s
SYN & SYN/ACK   3       60 s
FIN_WAIT        4       120 s
TIME_WAIT       5       120 s
CLOSE           6       10 s
CLOSE_WAIT      7       120 s
LAST_ACK        8       30 s
LISTEN          9       120 s

Proto_state field for SCTP

Starting from FortiOS 4.2, FortiGate supports stateful firewalling for SCTP.

State                      Value   Expire Timer (default)
SCTP_S_NONE                0       60 s
SCTP_S_ESTABLISHED         1       3600 s
SCTP_S_CLOSED              2       10 s
SCTP_S_COOKIE_WAIT         3       5 s
SCTP_S_COOKIE_ECHOED       4       10 s
SCTP_S_SHUTDOWN_SENT       5       30 s
SCTP_S_SHUTDOWN_RECD       6       30 s
SCTP_S_SHUTDOWN_ACK_SENT   7       3 s
SCTP_S_MAX                 8       n/a
 
Example of a TCP session:
session info: proto=6 proto_state=02 duration=99 expire=23 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=2059
policy_dir=0 tunnel=/
state=local nds
statistic(bytes/packets/allow_err): org=120/2/0 reply=176/2/1 tuples=2
orgin->sink: org out->post, reply pre->in dev=0->2/2->0 gwy=0.0.0.0/0.0.0.0
hook=out dir=org act=noop 172.16.4.5:3522->172.16.4.6:179(0.0.0.0:0)
hook=in dir=reply act=noop 172.16.4.6:179->172.16.4.5:3522(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=0 id_policy_id=0 auth_info=0 chk_client_info=0 vd=1
serial=00031b91 tos=ff/ff app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=172.16.4.5, bps=0

Proto_state field for UDP

Even though UDP is a sessionless protocol, the FortiGate still keeps track of two different 'states':

State                 Value
UDP reply not seen    0
UDP reply seen        1


Example state 00: a UDP packet has been seen and the session has been created, but no reply packet has been seen so far

session info: proto=17 proto_state=00 expire=179 timeout=3600 use=3
bandwidth=0/sec guaranteed_bandwidth=0/sec traffic=0/sec prio=0
logtype=session ha_id=0 hakey=42691
tunnel=/
state=local
statistic(bytes/packets): org=7685450/17248 reply=237440/4240 tuples=2
orgin->sink: org out->post, reply pre->in oif=0/5
gwy=0.0.0.0/10.250.250.250
hook=out dir=org act=noop
10.250.250.250:1025->192.168.171.201:514(0.0.0.0:0)
hook=in dir=reply act=noop
192.168.171.201:514->10.250.250.250:1025(0.0.0.0:0)
misc=0 domain_info=0 auth_info=0 cerb_info=0 ids=0 vd=0 serial=0006d655 tos=00/00


Example state 01: a UDP packet has been seen and the session has been created, and reply packet(s) have been seen as well

session info: proto=17 proto_state=01 expire=22 timeout=3600 use=3
bandwidth=0/sec guaranteed_bandwidth=0/sec traffic=0/sec prio=0
logtype=session ha_id=0 hakey=42650
tunnel=/
state=local may_dirty
statistic(bytes/packets): org=590/5 reply=822/6 tuples=2
orgin->sink: org pre->in, reply out->post oif=5/2
gwy=10.250.250.250/0.0.0.0
hook=pre dir=org act=noop
192.168.171.160:33712->10.250.250.250:161(0.0.0.0:0)
hook=post dir=reply act=noop
10.250.250.250:161->192.168.171.160:33712(0.0.0.0:0)
misc=0 domain_info=0 auth_info=0 cerb_info=0 ids=0 vd=0 serial=000ae073 tos=ff/ff


Proto_state field for ICMP (proto 1)

There are no states for ICMP; it always shows proto_state=00.
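The tables above (TCP, SCTP and UDP proto_state values, the ICMP rule, and the State flag list) are easy to misread by hand when the session table is long. The following Python script is an added example, not part of this article or of FortiOS: it parses saved 'diagnose sys session list' output offline, splits proto_state into the original and reply direction states as the note above defines them, annotates the state flags, and offers a small offline counterpart of 'diagnose sys session filter'. It assumes the entry layout shown in this article's examples and that SCTP entries carry IP protocol number 132; the two sample entries embedded at the bottom are trimmed copies of the article's own TCP and UDP examples.

```python
"""Offline decoder for 'diagnose sys session list' entries (added example).

Assumed, not taken from the article: the entry layout is the one in the
article's samples, and SCTP entries carry IP protocol number 132.
"""
import re

# proto_state digit values from the article's tables: (name, default expire in s)
TCP_STATES = {
    0: ("NONE", 10), 1: ("ESTABLISHED", 3600), 2: ("SYN_SENT", 120),
    3: ("SYN & SYN/ACK", 60), 4: ("FIN_WAIT", 120), 5: ("TIME_WAIT", 120),
    6: ("CLOSE", 10), 7: ("CLOSE_WAIT", 120), 8: ("LAST_ACK", 30),
    9: ("LISTEN", 120),
}
SCTP_STATES = {
    0: ("SCTP_S_NONE", 60), 1: ("SCTP_S_ESTABLISHED", 3600),
    2: ("SCTP_S_CLOSED", 10), 3: ("SCTP_S_COOKIE_WAIT", 5),
    4: ("SCTP_S_COOKIE_ECHOED", 10), 5: ("SCTP_S_SHUTDOWN_SENT", 30),
    6: ("SCTP_S_SHUTDOWN_RECD", 30), 7: ("SCTP_S_SHUTDOWN_ACK_SENT", 3),
    8: ("SCTP_S_MAX", None),
}
UDP_STATES = {0: "UDP reply not seen", 1: "UDP reply seen"}

# 'state=' flags and their meaning, as listed in the article's State table
STATE_FLAGS = {
    "log": "session is being logged",
    "local": "originates from or is destined for the local stack",
    "ext": "created by a firewall session helper",
    "may_dirty": "created by a policy",
    "ndr": "checked by IPS signature",
    "nds": "checked by IPS anomaly",
    "br": "bridged (transparent mode)",
    "npu": "can be offloaded to NPU",
    "wccp": "handled by WCCP",
}

# src:sport->dst:dport as printed on the hook lines
TUPLE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)")


def decode_proto_state(proto, proto_state):
    """Read proto_state=OR as the article defines it: O original, R reply."""
    if proto == 17:                      # UDP: the whole value is the state
        return UDP_STATES[int(proto_state)]
    table = {6: TCP_STATES, 132: SCTP_STATES}.get(proto)  # 132 = SCTP (assumed)
    if table is None:                    # ICMP and others: always 00, no state
        return "no state"
    orig, reply = int(proto_state[0]), int(proto_state[1])
    return "orig=%s reply=%s" % (table[orig][0], table[reply][0])


def _field(block, key):
    """Value of 'key=value'; the word boundary keeps proto= from matching proto_state=."""
    m = re.search(r"\b%s=(\S+)" % re.escape(key), block)
    return m.group(1) if m else None


def parse_session(block):
    """Turn one 'session info:' entry into a dict of the fields that matter."""
    proto = int(_field(block, "proto"))
    proto_state = _field(block, "proto_state")
    m = re.search(r"^state=(.*)$", block, re.M)   # the flags line, not proto_state
    flags = m.group(1).split() if m else []
    tuples = TUPLE_RE.findall(block)              # first tuple is the original direction
    src, sport, dst, dport = tuples[0] if tuples else (None, None, None, None)
    return {
        "proto": proto,
        "proto_state": proto_state,
        "state": decode_proto_state(proto, proto_state),
        "flags": flags,
        "flag_meanings": [STATE_FLAGS.get(f, "unknown flag") for f in flags],
        "expire": int(_field(block, "expire")),
        "timeout": int(_field(block, "timeout")),
        "src": src, "sport": int(sport) if sport else None,
        "dst": dst, "dport": int(dport) if dport else None,
    }


def parse_session_list(text):
    """Split the whole command output into entries and parse each one."""
    parts = re.split(r"(?=^session info:)", text, flags=re.M)
    return [parse_session(p) for p in parts if p.strip()]


def filter_sessions(sessions, **criteria):
    """Offline analogue of 'diagnose sys session filter': keep entries matching every criterion."""
    return [s for s in sessions if all(s.get(k) == v for k, v in criteria.items())]


# Sample input: two entries trimmed from the article's own TCP and UDP examples.
SAMPLE = """\
session info: proto=6 proto_state=02 duration=99 expire=23 timeout=3600 flags=00000000 use=3
ha_id=0 hakey=2059
state=local nds
statistic(bytes/packets/allow_err): org=120/2/0 reply=176/2/1 tuples=2
orgin->sink: org out->post, reply pre->in dev=0->2/2->0 gwy=0.0.0.0/0.0.0.0
hook=out dir=org act=noop 172.16.4.5:3522->172.16.4.6:179(0.0.0.0:0)
hook=in dir=reply act=noop 172.16.4.6:179->172.16.4.5:3522(0.0.0.0:0)
misc=0 policy_id=0 id_policy_id=0 auth_info=0 chk_client_info=0 vd=1
session info: proto=17 proto_state=01 expire=22 timeout=3600 use=3
logtype=session ha_id=0 hakey=42650
state=local may_dirty
statistic(bytes/packets): org=590/5 reply=822/6 tuples=2
hook=pre dir=org act=noop
192.168.171.160:33712->10.250.250.250:161(0.0.0.0:0)
hook=post dir=reply act=noop
10.250.250.250:161->192.168.171.160:33712(0.0.0.0:0)
misc=0 domain_info=0 auth_info=0 cerb_info=0 ids=0 vd=0 serial=000ae073 tos=ff/ff
"""

if __name__ == "__main__":
    for s in parse_session_list(SAMPLE):
        print("proto=%d %s:%s->%s:%s  %s  expire=%d/%d  flags=%s" % (
            s["proto"], s["src"], s["sport"], s["dst"], s["dport"],
            s["state"], s["expire"], s["timeout"], ",".join(s["flags"])))
```

Paste the real command output into SAMPLE (or read it from a file) and use filter_sessions with the same field names the CLI filter uses (dport, dst, proto, src, sport) to narrow the list before deciding whether a 'diagnose sys session clear' is justified. Unknown flag names are reported as "unknown flag" rather than dropped, so newer FortiOS flags that the article does not list remain visible.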
Related Articles
Technical Tip: Using filters to clear sessions on a FortiGate unit
Last Modified Date: 03-27-2015 Document ID: FD30042