By Manny Fernandez
April 6, 2023
FortiGate Troubleshooting Sessions
There are many options when troubleshooting on FortiGate firewalls. I am a BIG sniffer guy. Anyone who knows me or has worked with me knows my motto: when in doubt, sniff it out. Being able to read a packet capture is paramount when troubleshooting anything involving networking. FortiOS has many troubleshooting techniques and commands; I regularly use dia sniffer packet and dia debug flow. Another one is dia sys session, which is used to look at the session table.
Stateful inspection is a firewall technology that keeps track of the state of active connections and uses that information to allow the reverse traffic back through the firewall. For instance, if you are on the inside and open a connection to a web server, the firewall automatically permits the return traffic for a controlled period of time. Stateful firewalls also create session entries for connectionless traffic such as ICMP and UDP, so that their replies can be matched and timed out the same way.
I must give credit where credit is due: Check Point (as in Check Point Firewall) developed the technique in the 1990s. It has since been adopted as the standard for firewalls, from open-source iptables to FortiGate and everything in between.
Let’s take a look at the command. The syntax is:

LAB-601E # dia sys session
sync        List session sync.
list        List session.
clear       Clear the sessions defined by filter.
stat        Stat session.
full-stat   Fully stat session.
exp-stat    Expectation session statistics.
ttl         TTL session.
filter      List session with filters.
help        Session help.
You almost, almost, almost always want to use the filter option. NOT using it will show ALL sessions, and in a production environment that WILL flood your terminal session with far more output than you can read.

With the filter command, you can filter out the noise and pinpoint the traffic you are interested in. Once you have set a filter with this command, dia sys session list shows only the sessions that match it. Now that you have created your filter and listed the sessions:

In this example, I am performing a ping to 9.9.9.9 and we want to identify the session.
- We can see proto=1. Protocols have numbers associated with them; the most used ones are ICMP as 1, TCP as 6 and UDP as 17.
- With ICMP, the proto_state will ALWAYS be 00, since ICMP is connectionless: the FortiGate still creates a session for it, but there is no protocol state machine to track.
- Source NAT: in this section you can see 10.1.105.25 talking to 9.9.9.9, and it will be NAT'd to 23.126.142.214.
- Destination NAT: this is the return traffic as it is being un-NAT'd.
- MAC address: this section tells you the MAC address of the device in question OR of the upstream device, such as a router or switch.
- The policy ID the traffic is matching.
Here is a list of protocol numbers:

- Here we can see proto=6, which is TCP.
- The state of the proto is 11 (see below).
- expire shows when the session's life will end; in my example it is 3598.
- This is the default tcp timeout on that particular session. Take a look at my tcp timeout article.
- Source NAT: here we can see my 10.1.105.25 going to 173.254.28.87 (www.infosecmonkey.com).
- This is the reverse connection.
- Again, the MAC address.
In the article I referenced, this tool was essential because I needed to make sure that THAT particular session stayed open for 8 hours.

Now we will look at a UDP example.

This is very similar to the other examples, but here proto=17, which is UDP.

duration - duration of the session in seconds.
expire - a countdown, in seconds, based on the 'timeout' defined as the default.
timeout - how long that session stays in the state table.
shaper - if traffic shaping is being used, this tells you which shaper applies.
policy_dir - 0 = originating direction | 1 = response direction.
tunnel - VPN tunnel name, if one is used.
helper - if session helpers are being used, which helper is in use.
vlan_cos - ingress CoS values are shown in the output using the range 0-7/255; admin CoS values are within the range 8-15/255.
state - the values are contained in the table below.
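As an added example (not code from the post, and not a Fortinet tool), here is a small Python parser for the output the field list above and the ICMP/TCP/UDP walk-throughs describe: it splits a dia sys session list listing into entries, pulls out proto, proto_state, duration/expire/timeout, the act=snat and act=dnat tuples and policy_id, and names the TCP state from the right-hand digit of proto_state using the state table Fortinet documents (the left-hand digit is deliberately left undecoded). The three session entries in SAMPLE_OUTPUT are constructed for this example with the addresses used in the post, not captured output, and the filter keywords shown in the docstring are assumed from FortiOS rather than taken from the post.

```python
"""Parse FortiGate 'diagnose sys session list' output into the fields the
article walks through: proto, proto_state, expire/timeout, SNAT/DNAT tuples
and policy_id.  Example code written for this page, not from the post.
SAMPLE_OUTPUT is constructed (addresses follow the article); the filter
keywords below are assumed from FortiOS, not taken from the post:
    diagnose sys session filter src 10.1.105.25
    diagnose sys session list
    diagnose sys session filter clear
"""
import re
from dataclasses import dataclass, field
from typing import Optional, Tuple

# IANA protocol numbers; the article covers 1, 6 and 17.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 58: "ICMPv6"}

# TCP state carried in the right-hand digit of proto_state, with the default
# expire timer Fortinet documents for it.  The left-hand digit is not decoded.
TCP_STATES = {"0": ("NONE", 10), "1": ("ESTABLISHED", 3600), "2": ("SYN_SENT", 120),
              "3": ("SYN & SYN/ACK", 60), "4": ("FIN_WAIT", 120), "5": ("TIME_WAIT", 120),
              "6": ("CLOSE", 10), "7": ("CLOSE_WAIT", 120), "8": ("LAST_ACK", 30),
              "9": ("LISTEN", 120)}

# Constructed sample: one ICMP, one TCP and one UDP session (not real output).
SAMPLE_OUTPUT = """\
session info: proto=1 proto_state=00 duration=3 expire=57 timeout=60 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
hook=post dir=org act=snat 10.1.105.25:1->9.9.9.9:8(23.126.142.214:62464)
hook=pre dir=reply act=dnat 9.9.9.9:62464->23.126.142.214:0(10.1.105.25:1)
misc=0 policy_id=5 auth_info=0 chk_client_info=0 vd=0

session info: proto=6 proto_state=11 duration=2 expire=3598 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
hook=post dir=org act=snat 10.1.105.25:51234->173.254.28.87:443(23.126.142.214:51234)
hook=pre dir=reply act=dnat 173.254.28.87:443->23.126.142.214:51234(10.1.105.25:51234)
misc=0 policy_id=5 auth_info=0 chk_client_info=0 vd=0

session info: proto=17 proto_state=01 duration=1 expire=179 timeout=180 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
hook=post dir=org act=snat 10.1.105.25:40211->9.9.9.9:53(23.126.142.214:40211)
hook=pre dir=reply act=dnat 9.9.9.9:53->23.126.142.214:40211(10.1.105.25:40211)
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=0
total session 3
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
# hook=<pre|post> dir=<org|reply> act=<snat|dnat> src->dst(translated)
HOOK_RE = re.compile(r"hook=(\w+) dir=(\w+) act=(\w+) (\S+?)->(\S+?)\((\S+?)\)")


@dataclass
class Session:
    proto: int
    proto_state: str
    duration: int
    expire: int
    timeout: int
    policy_id: int
    policy_dir: int
    nat: dict = field(default_factory=dict)  # act -> {hook, dir, src, dst, translated}


def parse_sessions(text: str) -> list:
    """Split the listing on 'session info:' and pull key=value fields per entry."""
    sessions = []
    for chunk in text.split("session info:")[1:]:
        kv = dict(KV_RE.findall(chunk))  # repeated keys such as dir= are not used
        s = Session(int(kv["proto"]), kv["proto_state"], int(kv["duration"]),
                    int(kv["expire"]), int(kv["timeout"]), int(kv["policy_id"]),
                    int(kv["policy_dir"]))
        for hook, direction, act, src, dst, xlate in HOOK_RE.findall(chunk):
            s.nat[act] = {"hook": hook, "dir": direction, "src": src, "dst": dst,
                          "translated": xlate}
        sessions.append(s)
    return sessions


def proto_name(proto: int) -> str:
    return PROTO_NAMES.get(proto, f"proto-{proto}")


def tcp_state(s: Session) -> str:
    """Name the TCP state; for ICMP/UDP, proto_state is not a TCP state value."""
    if s.proto != 6:
        raise ValueError("proto_state only encodes a TCP state when proto=6")
    return TCP_STATES[s.proto_state[-1]][0]


def snat_mapping(s: Session) -> Optional[Tuple[str, str, str]]:
    """(original src, translated src, dst) from the act=snat line, if present."""
    nat = s.nat.get("snat")
    return None if nat is None else (nat["src"], nat["translated"], nat["dst"])


def will_outlive(s: Session, seconds: int) -> bool:
    """The check behind the article's 8-hour requirement: an idle session only
    survives if its configured timeout is at least that long."""
    return s.timeout >= seconds


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_OUTPUT):
        state = tcp_state(s) if s.proto == 6 else "n/a"
        print(proto_name(s.proto), s.proto_state, state, f"{s.expire}/{s.timeout}s",
              "policy", s.policy_id, snat_mapping(s))
```

The parser is regex-driven on key=value pairs, so the extra lines a real listing carries (shapers, statistics, NPU offload details) pass through untouched; will_outlive() is the quick sanity check for the long-lived session case: at the 3600 s default, an idle established TCP session does not survive 8 hours.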

Remember to always issue dia sys session filter clear when you are done. The filter persists in your CLI session, so a later dia sys session list will otherwise return results you may not expect or want.