How to see sessions between client and server on FortiGate?

When you connect to a website or a service through the FortiGate, a session is created between the client and the server. FortiGate keeps these sessions in a session table, which you can query when you need to view them.

There are two ways to see the sessions: web management (GUI) and CLI.

Web management (GUI): Go to FortiView in the main menu.

CLI: Run the diagnose sys session list command.

The CLI is usually used for troubleshooting, because it shows more detail for each session. Before you run the command, you may want to set some of the filter options shown in the following list.

FGT-01 # diagnose sys session filter ?
vd               Index of virtual domain. -1 matches all.
sintf            Source interface.
dintf            Destination interface.
src              Source IP address.
nsrc             NAT'd source ip address
dst              Destination IP address.
proto            Protocol number.
sport            Source port.
nport            NAT'd source port
dport            Destination port.
policy           Policy ID.
expire           expire
duration         duration
proto-state      Protocol state.
session-state1   Session state1.
session-state2   Session state2.
clear            Clear session filter.
negate           Inverse filter.

For example:

FGT-01 # diag sys session filter src 10.228.3.211

FGT-01 # diag sys session filter dst 10.1.1.251

FGT-01 # diag sys session list

When you run the session list command, you will see one or more entries like the one below.

Output:

session info: proto=6 proto_state=01 duration=828221 expire=3508 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty npu
statistic(bytes/packets/allow_err): org=1374982/14905/1 reply=2124492/13749/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=11->24/24->11 gwy=10.228.3.1/10.228.3.211
hook=pre dir=org act=noop 10.228.3.211:59375->10.1.1.251:445(0.0.0.0:0)
hook=post dir=reply act=noop 10.1.1.251:445->10.228.3.211:59375(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=53 auth_info=0 chk_client_info=0 vd=0
serial=0d420a52 tos=ff/ff app_list=2005 app=0 url_cat=0
dd_type=0 dd_mode=0
npu_state=0x003400
npu info: flag=0x81/0x81, offload=6/6, ips_offload=0/0, epid=20/7, ipid=7/20, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
total session 1

As the output above shows, each session entry contains detailed information. If this information is not available, the session was not established successfully. The cause may be that the client requests or the server replies did not reach the FortiGate.
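When many sessions match the filter, it helps to turn the text output into records. The following is an added example, not part of the original post or of any Fortinet tool: a small Python parser for saved `diagnose sys session list` output. The function names, the second sample entry, and the zero-reply check (sessions whose reply counters are 0) are assumptions made for illustration.

```python
import re

# Constructed input: the entry shown above (trimmed) plus a made-up second entry.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=828221 expire=3508 timeout=3600 flags=00000000
state=may_dirty npu
statistic(bytes/packets/allow_err): org=1374982/14905/1 reply=2124492/13749/1 tuples=2
hook=pre dir=org act=noop 10.228.3.211:59375->10.1.1.251:445(0.0.0.0:0)
hook=post dir=reply act=noop 10.1.1.251:445->10.228.3.211:59375(0.0.0.0:0)
misc=0 policy_id=53 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=02 duration=4 expire=6 timeout=3600 flags=00000000
statistic(bytes/packets/allow_err): org=180/3/1 reply=0/0/0 tuples=2
hook=pre dir=org act=noop 10.228.3.211:59410->10.1.1.252:443(0.0.0.0:0)
misc=0 policy_id=53 auth_info=0 chk_client_info=0 vd=0
total session 2
"""

INFO = re.compile(r"^session info: proto=(\d+) proto_state=(\w+) duration=(\d+) expire=(\d+) timeout=(\d+)")
STAT = re.compile(r"org=(\d+)/(\d+)/\d+ reply=(\d+)/(\d+)/\d+")
HOOK = re.compile(r"^hook=\w+ dir=(org|reply) act=(\w+) ([\d.]+):(\d+)->([\d.]+):(\d+)\(([\d.]+):(\d+)\)")
POLICY = re.compile(r"\bpolicy_id=(\d+)")

def parse_sessions(text):
    """Return one dict per 'session info:' entry in the CLI output (IPv4 only)."""
    sessions, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if (m := INFO.match(line)):
            cur = {"proto": int(m[1]), "proto_state": m[2], "duration": int(m[3]),
                   "expire": int(m[4]), "timeout": int(m[5])}
            sessions.append(cur)
        elif cur is None:
            continue  # banner or prompt lines before the first entry
        elif line.startswith("state="):
            cur["state"] = line[len("state="):].split()
        elif line.startswith("statistic") and (m := STAT.search(line)):
            cur["org_bytes"], cur["org_pkts"] = int(m[1]), int(m[2])
            cur["reply_bytes"], cur["reply_pkts"] = int(m[3]), int(m[4])
        elif (m := HOOK.match(line)):
            # The address in parentheses is stored as "nat"; it is 0.0.0.0:0 in the sample.
            cur[m[1]] = {"act": m[2], "src": f"{m[3]}:{m[4]}",
                         "dst": f"{m[5]}:{m[6]}", "nat": f"{m[7]}:{m[8]}"}
        elif (m := POLICY.search(line)):
            cur["policy_id"] = int(m[1])
    return sessions

def one_way(sessions):
    """Entries with zero reply packets: no server reply was counted for them."""
    return [s for s in sessions if s.get("reply_pkts") == 0]
```

Save the CLI output to a file, pass its contents to `parse_sessions()`, and use `one_way()` to list the sessions worth checking first.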

You can find more information at the following link.

https://kb.fortinet.com/kb/viewContent.do?externalId=FD30042
