Technical Tip: Using filters to clear sessions on a FortiGate

 

This article explains how to use filters to clear sessions on a FortiGate unit using CLI commands:

Command:
diagnose sys session <arguments>


Scope

FortiGate.


Solution

Clearing sessions matching specific filtering criteria can be done from the CLI in two steps:

Step 1: Set Up a Session Filter

Use the command:
diagnose sys session filter <options>

To see the available options, type:
diagnose sys session filter ?

Available Options:

  • vd: Index of virtual domain. Use -1 to match all.
  • vd-name: Name of virtual domain. Use -1 or "any" to match all.
  • sintf: Source interface.
  • dintf: Destination interface.
  • src: Source IP address.
  • nsrc: NAT'd source IP address.
  • dst: Destination IP address.
  • proto: Protocol number.
  • sport: Source port.
  • nport: NAT'd source port.
  • dport: Destination port.
  • policy: Policy ID.
  • expire: Expiration time.
  • duration: Session duration.
  • proto-state: Protocol state.
  • session-state1: Session state (part 1).
  • session-state2: Session state (part 2).
  • ext-src: Add source address to the extended match list.
  • ext-dst: Add destination address to the extended match list.
  • ext-src-negate: Add source address to the negated extended match list.
  • ext-dst-negate: Add destination address to the negated extended match list.
  • clear: Clear session filter.
  • negate: Inverse filter.

To view current filter settings, use:
diagnose sys session filter


Note:

  1. The following options are available only in FortiOS 5.4.1 and above:

    • session-state1
    • session-state2
  2. The following options are available only in FortiOS 6.0.4 and above:

    • ext-src
    • ext-dst
    • ext-src-negate
    • ext-dst-negate

Examples

  1. Filter by source IP and destination port:

    diagnose sys session filter src 10.160.0.1
    diagnose sys session filter dport 80
    diagnose sys session filter
    

    Resulting filter:

    vd: any
    sintf: any
    dintf: any
    proto: any
    proto-state: any
    source ip: 10.160.0.1-10.160.0.1
    dest port: 80-80
    
  2. Filter by a range of source IPs and destination ports:

    diagnose sys session filter src 10.160.0.1 10.160.0.10
    diagnose sys session filter dport 80 888
    diagnose sys session filter
    

    Resulting filter:

    source ip: 10.160.0.1-10.160.0.10
    dest port: 80-888
    
  3. Filter by source IP only:

    diagnose sys session filter src 10.160.0.1
    diagnose sys session filter
    
  4. Filter by destination IP only:

    diagnose sys session filter dst 10.160.0.1
    diagnose sys session filter
    

Step 2: Clear Matching Sessions

After setting the filter, clear the matching sessions with:
diagnose sys session clear

Warning:
Running diagnose sys session clear without any filter set clears every session currently open on the FortiGate. Confirm the active criteria with diagnose sys session filter (and the matched sessions with diagnose sys session list) before clearing, and reset the filter afterwards with diagnose sys session filter clear so that a later list or clear command does not silently reuse it.


View Session List

To see the session list (based on the defined filter), use:
diagnose sys session list

Example Output:

session info: proto=6 proto_state=01 duration=536 expire=3596 timeout=3600 refresh_dir=both
state=log local
statistic(bytes/packets/allow_err): org=12719/77/1 reply=29093/41/1 tuples=2
tx speed(Bps/kbps): 23/0 rx speed(Bps/kbps): 87/0
orgin->sink: org out->post, reply pre->in dev=18->22/22->18 gwy=0.0.0.0/10.109.49.31
hook=out dir=org act=noop 10.109.49.31:5627->96.45.46.46:853
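The following is an added example, not code from the article or from Fortinet. It wraps the two-step procedure above in Python: build_filter_commands() emits the exact diagnose sys session filter lines for a set of criteria (starting with filter clear, so criteria left over from an earlier session cannot change what the new filter matches), and parse_session_list() reads the text that diagnose sys session list prints, in the layout shown in the example output above, so the set of sessions a clear would hit can be reviewed offline first. Function names and the SAMPLE_OUTPUT constant are this example's own assumptions, not FortiOS identifiers; the first session block is the article's example output and the second is constructed.

```python
"""
Added example (not Fortinet code): helpers for the FortiGate session-filter
workflow.  Assumed names: build_filter_commands, parse_session_list,
preview_matches, SAMPLE_OUTPUT.  The CLI output format follows the article's
example; IPv4 tuples only.
"""
import re

# Filter options from the article that accept a single value or a range
RANGE_KEYS = {"src", "dst", "nsrc", "sport", "dport", "nport"}
SINGLE_KEYS = {"vd", "vd-name", "sintf", "dintf", "proto", "policy", "expire",
               "duration", "proto-state", "session-state1", "session-state2"}


def build_filter_commands(criteria):
    """Return the CLI lines for the given criteria.  A value is a string for
    an exact match or a (low, high) tuple for a range on RANGE_KEYS.
    The list starts with `filter clear` so stale criteria cannot widen or
    narrow the match, and ends by printing the resulting filter."""
    lines = ["diagnose sys session filter clear"]
    for key, value in criteria.items():
        if key in RANGE_KEYS and isinstance(value, tuple):
            low, high = value
            lines.append(f"diagnose sys session filter {key} {low} {high}")
        elif key in RANGE_KEYS or key in SINGLE_KEYS:
            lines.append(f"diagnose sys session filter {key} {value}")
        else:
            raise ValueError(f"unknown session filter option: {key}")
    lines.append("diagnose sys session filter")
    return lines


# Constructed sample: the article's example block, plus a second invented one
SAMPLE_OUTPUT = """\
session info: proto=6 proto_state=01 duration=536 expire=3596 timeout=3600 refresh_dir=both
state=log local
statistic(bytes/packets/allow_err): org=12719/77/1 reply=29093/41/1 tuples=2
tx speed(Bps/kbps): 23/0 rx speed(Bps/kbps): 87/0
orgin->sink: org out->post, reply pre->in dev=18->22/22->18 gwy=0.0.0.0/10.109.49.31
hook=out dir=org act=noop 10.109.49.31:5627->96.45.46.46:853

session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600 refresh_dir=both
state=log local
statistic(bytes/packets/allow_err): org=500/5/1 reply=800/4/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org out->post, reply pre->in dev=18->22/22->18 gwy=0.0.0.0/10.160.0.1
hook=out dir=org act=noop 10.160.0.1:40000->203.0.113.10:80
total session 2
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
HOOK_RE = re.compile(
    r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
    r"(?P<src>[0-9.]+):(?P<sport>\d+)->(?P<dst>[0-9.]+):(?P<dport>\d+)")


def parse_session_list(text):
    """Parse `diagnose sys session list` output into one dict per session:
    the key=value fields of the 'session info:' line plus a list of the
    hook/dir/act tuples with their addresses and ports."""
    sessions = []
    for block in text.split("session info:")[1:]:
        header, _, rest = block.partition("\n")
        session = dict(KV_RE.findall(header))
        session["tuples"] = []
        for m in HOOK_RE.finditer(rest):
            t = m.groupdict()
            t["sport"], t["dport"] = int(t["sport"]), int(t["dport"])
            session["tuples"].append(t)
        sessions.append(session)
    return sessions


def preview_matches(sessions, src=None, dport=None):
    """Sessions whose original-direction tuple has the given source address
    and/or destination port: an offline check of what `clear` would remove."""
    hits = []
    for s in sessions:
        org = next((t for t in s["tuples"] if t["dir"] == "org"), None)
        if org is None:
            continue
        if src is not None and org["src"] != src:
            continue
        if dport is not None and org["dport"] != dport:
            continue
        hits.append(s)
    return hits


if __name__ == "__main__":
    for line in build_filter_commands({"src": "10.160.0.1", "dport": ("80", "888")}):
        print(line)
    parsed = parse_session_list(SAMPLE_OUTPUT)
    print(len(preview_matches(parsed, src="10.160.0.1", dport=80)),
          "session(s) would be cleared")
```

Paste the printed filter lines into the CLI, capture the output of diagnose sys session list, and feed it to parse_session_list() and preview_matches() with the same criteria; only when the preview shows the intended sessions is diagnose sys session clear issued.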


Hasnain Zaidi

