How to see sessions between client and server on FortiGate?

When you connect to a website or a service through the FortiGate, a session is created between the client and the server. The FortiGate keeps these sessions in a session table, which helps when we need to see the sessions.

There are two ways to see the sessions: web management (GUI) and CLI.

Web management (GUI): Go to FortiView in the main menu.

CLI: Run the diagnose sys session list command.

The CLI is usually used for troubleshooting because it shows more detail about the sessions. Before you run the command, you may want to set some of the filter options shown in the following list.

FGT-01 # diagnose sys session filter ?
vd                              Index of virtual domain. -1 matches all.
sintf                           Source interface.
dintf                          Destination interface.
src                             Source IP address.
nsrc                           NAT’d source ip address
dst                             Destination IP address.
proto                         Protocol number.
sport                         Source port.
nport                         NAT’d source port
dport                         Destination port.
policy                       Policy ID.
expire                       expire
duration                    duration
proto-state                Protocol state.
session-state1           Session state1.
session-state2           Session state2.
clear                          Clear session filter.
negate                       Inverse filter.

For example:

FGT-01 # diag sys session filter src 10.228.3.211

FGT-01 # diag sys session filter dst 10.1.1.251

FGT-01 # diag sys session list

When you run the session list command, you will see one or more entries like the output below.

Output:

session info: proto=6 proto_state=01 duration=828221 expire=3508 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty npu
statistic(bytes/packets/allow_err): org=1374982/14905/1 reply=2124492/13749/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=11->24/24->11 gwy=10.228.3.1/10.228.3.211
hook=pre dir=org act=noop 10.228.3.211:59375->10.1.1.251:445(0.0.0.0:0)
hook=post dir=reply act=noop 10.1.1.251:445->10.228.3.211:59375(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=53 auth_info=0 chk_client_info=0 vd=0
serial=0d420a52 tos=ff/ff app_list=2005 app=0 url_cat=0
dd_type=0 dd_mode=0
npu_state=0x003400
npu info: flag=0x81/0x81, offload=6/6, ips_offload=0/0, epid=20/7, ipid=7/20, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
total session 1

As you can see above, the output contains all the details of the session. If the session is not listed, it means that the session wasn't established successfully. The reason may be that client requests or server replies are not reaching the FortiGate.

You can find more information at the following link.

https://kb.fortinet.com/kb/viewContent.do?externalId=FD30042
