How to examine the firewall session list
One further step is to examine the firewall session list. The firewall session list displays all the sessions the FortiGate unit has open. You will be able to see whether there are strange patterns, such as no sessions other than those from the internal network, or all sessions going to a single IP address.
When examining the firewall session list in the CLI, filters may be used to reduce the output. In the web-based manager, the filters are part of the interface.
To examine the firewall session list – web-based manager
- Go to System > FortiView > All Sessions.
To examine the firewall session list – CLI
When examining the firewall session list, there may be too many sessions to display. In this case it will be necessary to limit or filter the sessions displayed by source or destination address, or NATed address or port. If you want to filter by more than one of these, you need to enter a separate line for each value.
The following example shows filtering the session list based on a source address of 10.11.101.112.
FGT# diag sys session filter src 10.11.101.112
FGT# diag sys session list
The following example shows filtering the session list based on a destination address of 172.20.120.222.
FGT# diag sys session filter dst 172.20.120.222
FGT# diag sys session list
To clear all sessions corresponding to a filter – CLI
FGT# diag sys session filter dst 172.20.120.222
FGT# diag sys session clear
Check source NAT information
Remember NAT when troubleshooting connections. NAT is especially important if you are troubleshooting from the remote end of the connection outside the FortiGate unit firewall. On the dashboard session list, pay attention to Src address after NAT, and Src port after NAT. These columns display the IP and port values after NAT has been applied.
Checking the NAT values confirms that they are the values you expect, and that the remote end of the session sees the intended IP address and port number.
When displaying the session list in the CLI, you can match the NATed source address (nsrc) and port (nport). This can be useful if multiple internal IP addresses are NATed to a common external facing source IP address.
FGT# diag sys session filter nsrc 172.20.120.122
FGT# diag sys session filter nport 8888
FGT# diag sys session list
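The CLI filters above narrow the list on the unit itself; when the output has been pasted into a ticket or captured by a script, the same checks can be done offline. The following Python is an added example, not Fortinet code: it parses the `hook=... dir=org act=...` lines of a constructed `diag sys session list` sample (modelled on the real layout, using the addresses from this article; field order on a given FortiOS version may differ), mirrors stacked `filter src` / `filter nsrc` / `filter nport` criteria, summarises sessions per destination so the "everything goes to one address" pattern stands out, and reports any session whose NATed source is not the address the remote end should see. The CIDR destination match and the expected-NAT check go beyond the page's own filters.

```python
"""Offline checks over FortiGate `diag sys session list` output.

Added example, not Fortinet's code. SAMPLE_SESSION_LIST is constructed to
follow the shape of real session-list output; a real unit prints more lines.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: three sessions, each reported by a "session info" line
# followed by the original-direction and reply-direction hook lines.
SAMPLE_SESSION_LIST = """\
session info: proto=6 proto_state=01 duration=45 expire=3554 timeout=3600
hook=post dir=org act=snat 10.11.101.112:54321->172.20.120.222:443(172.20.120.122:8888)
hook=pre dir=reply act=dnat 172.20.120.222:443->172.20.120.122:8888(10.11.101.112:54321)
session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600
hook=post dir=org act=snat 10.11.101.113:40000->172.20.120.222:443(172.20.120.122:8889)
hook=pre dir=reply act=dnat 172.20.120.222:443->172.20.120.122:8889(10.11.101.113:40000)
session info: proto=17 proto_state=00 duration=3 expire=177 timeout=180
hook=post dir=org act=snat 10.11.101.112:5353->8.8.8.8:53(172.20.120.122:8890)
hook=pre dir=reply act=dnat 8.8.8.8:53->172.20.120.122:8890(10.11.101.112:5353)
total session 3
"""

# Original-direction line: src:sport->dst:dport with the NATed src:port in brackets
# when source NAT applies (the bracket group is optional for no-NAT sessions).
ORG_LINE = re.compile(
    r"hook=\S+ dir=org act=(?P<act>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:\((?P<nsrc>[\d.]+):(?P<nport>\d+)\))?"
)
PROTO_LINE = re.compile(r"session info: proto=(?P<proto>\d+)")


def parse_sessions(text):
    """Return one dict per session with src, sport, dst, dport, nsrc, nport, act, proto."""
    sessions = []
    proto = None
    for line in text.splitlines():
        m = PROTO_LINE.match(line)
        if m:
            proto = int(m.group("proto"))  # remembered for the hook lines that follow
            continue
        m = ORG_LINE.match(line)
        if m:
            s = m.groupdict()
            s["sport"] = int(s["sport"])
            s["dport"] = int(s["dport"])
            s["nport"] = int(s["nport"]) if s["nport"] is not None else None
            s["proto"] = proto
            sessions.append(s)
    return sessions


def filter_sessions(sessions, **criteria):
    """Mirror stacked `diag sys session filter` lines: every given field must match
    (e.g. nsrc="172.20.120.122", nport=8888); criteria are ANDed together."""
    return [s for s in sessions if all(s.get(k) == v for k, v in criteria.items())]


def filter_by_dst_subnet(sessions, cidr):
    """Keep sessions whose destination falls inside a CIDR block (hypothetical extension)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [s for s in sessions if ipaddress.ip_address(s["dst"]) in net]


def destination_summary(sessions):
    """Sessions per destination: a single dominant destination, or no variety at all,
    is the strange pattern worth a second look when reviewing the session list."""
    return Counter(s["dst"] for s in sessions)


def nat_check(sessions, expected_nsrc):
    """Return SNAT sessions whose post-NAT source is not the address the remote end
    should see; an empty list means the NAT values are as expected."""
    return [s for s in sessions if s["act"] == "snat" and s["nsrc"] != expected_nsrc]


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_SESSION_LIST)
    print(f"{len(sessions)} sessions parsed")
    for dst, count in destination_summary(sessions).most_common():
        print(f"  {dst}: {count} session(s)")
    for s in filter_sessions(sessions, nsrc="172.20.120.122", nport=8888):
        print(f"  matched nsrc/nport: {s['src']}:{s['sport']} -> {s['dst']}:{s['dport']}")
    print("unexpected NAT sources:", nat_check(sessions, "172.20.120.122"))
```

Paste real output in place of the constructed sample and keep the expected NATed source address in step with the policy being troubleshot; a non-empty result from `nat_check` is the quickest way to spot a session leaving through an address the remote end does not expect.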
Great article, thanks. How can I filter active sessions in the browser by destination subnet?
Can already do Destination Interface, or Destination IP, but I want the equivalent of Destination IP=166.83.219.0/24.
Thanks for your help 🙂
I would do a filter on the CLI and look there. The CLI will provide much more data than the GUI will unfortunately.