How to examine the firewall session list

One further step is to examine the firewall session list. The session list displays all the sessions the FortiGate unit currently has open. It lets you spot strange patterns, such as no sessions at all apart from those on the internal network, or every session going to a single IP address.

When examining the firewall session list in the CLI, filters may be used to reduce the output. In the web-based manager, the filters are part of the interface.

To examine the firewall session list – web-based manager

  • Go to System > FortiView > All Sessions.

To examine the firewall session list – CLI

When examining the firewall session list, there may be too many sessions to display. In that case it is necessary to limit or filter the sessions displayed by source or destination address, or by NATed address or port. If you want to filter by more than one of these, enter a separate filter line for each value; the filters are combined.

The following example shows filtering the session list based on a source address of 10.11.101.112.

FGT# diag sys session filter src 10.11.101.112

FGT# diag sys session list

The following example shows filtering the session list based on a destination address of 172.20.120.222.

FGT# diag sys session filter dst 172.20.120.222

FGT# diag sys session list

To clear all sessions corresponding to a filter – CLI

FGT# diag sys session filter dst 172.20.120.222

FGT# diag sys session clear

Check source NAT information

Remember NAT when troubleshooting connections. NAT is especially important if you are troubleshooting from the remote end of the connection, outside the FortiGate unit firewall. On the dashboard session list, pay attention to Src address after NAT and Src port after NAT. These columns display the IP address and port values after NAT has been applied.

Checking the NAT values confirms that they are the values you expect, and that the remote end of the session sees the intended IP address and port number.

When displaying the session list in the CLI, you can match on the NATed source address (nsrc) and port (nport). This is useful when multiple internal IP addresses are NATed to a common external-facing source IP address, because the NATed port is then the only field that distinguishes them from the outside.

FGT# diag sys session filter nsrc 172.20.120.122

FGT# diag sys session filter nport 8888

FGT# diag sys session list
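
As an added example (not part of the original article, and not FortiOS code), the following Python parser reads saved "diag sys session list" output and applies the same src, dst, nsrc and nport filters offline, with dst also accepting a subnet, then counts destinations to flag the "every session to one IP" pattern mentioned above. The sample output is constructed and abridged; the parser assumes the per-session "hook=post dir=org act=... src:port->dst:port(nsrc:nport)" line layout, with 0.0.0.0:0 in the parentheses when no NAT is applied.

```python
import ipaddress
import re
from collections import Counter

# Constructed, abridged "diag sys session list" output. Only the
# "hook=post dir=org" line of each session is parsed: original src:port ->
# dst:port, with the post-NAT source in parentheses (0.0.0.0:0 when no NAT).
SAMPLE = """\
session info: proto=6 proto_state=01 duration=12 expire=3599 timeout=3600
hook=post dir=org act=snat 10.11.101.112:54321->172.20.120.222:443(172.20.120.122:8888)
hook=pre dir=reply act=dnat 172.20.120.222:443->172.20.120.122:8888(10.11.101.112:54321)
session info: proto=6 proto_state=01 duration=3 expire=3597 timeout=3600
hook=post dir=org act=snat 10.11.101.113:40001->172.20.120.222:443(172.20.120.122:8889)
hook=pre dir=reply act=dnat 172.20.120.222:443->172.20.120.122:8889(10.11.101.113:40001)
session info: proto=17 proto_state=00 duration=1 expire=179 timeout=180
hook=post dir=org act=noop 10.11.101.112:5353->10.11.102.7:53(0.0.0.0:0)
total session 3
"""

HOOK = re.compile(
    r"hook=post dir=org act=\w+ (?P<src>[\d.]+):(?P<sport>\d+)->"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\((?P<nsrc>[\d.]+):(?P<nport>\d+)\)"
)

def parse_sessions(text):
    """One dict per session: src/sport/dst/dport and NATed nsrc/nport."""
    sessions = []
    for m in HOOK.finditer(text):
        s = m.groupdict()
        for k in ("sport", "dport", "nport"):
            s[k] = int(s[k])
        sessions.append(s)
    return sessions

def filter_sessions(sessions, src=None, dst=None, nsrc=None, nport=None):
    """Same fields as 'diag sys session filter'; dst may also be a CIDR."""
    net = ipaddress.ip_network(dst, strict=False) if dst else None
    return [s for s in sessions
            if (src is None or s["src"] == src)
            and (net is None or ipaddress.ip_address(s["dst"]) in net)
            and (nsrc is None or s["nsrc"] == nsrc)
            and (nport is None or s["nport"] == nport)]

def destination_summary(sessions):
    """Count destinations and flag the 'every session to one IP' pattern."""
    counts = Counter(s["dst"] for s in sessions)
    return counts, len(sessions) > 1 and len(counts) == 1
```

Feed it the captured output of "diag sys session list" (with no CLI filter set) to apply several filters without re-entering them on the unit, or to filter by a destination subnet, which the GUI filter does not offer.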

2 thoughts on “How to examine the firewall session list”

  1. Phil Tuttiett

    Great article, thanks. How can I filter active sessions in the browser by destination subnet?
    Can already do Destination Interface, or Destination IP, but I want the equivalent of Destination IP=166.83.219.0/24.

    Thanks for your help 🙂

    1. Mike (Post author)

      I would do a filter on the CLI and look there. The CLI will provide much more data than the GUI will unfortunately.
