会话状态信息查询
# diagnose sys session list
session info: proto=6 proto_state=01 duration=2 expire=3597 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty npu
statistic(bytes/packets/allow_err): org=112/2/1 reply=60/1/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=13->14/14->13 gwy=192.168.2.10/192.168.1.10
hook=pre dir=org act=noop 192.168.1.10:44610->192.168.2.10:22(0.0.0.0:0)
hook=post dir=reply act=noop 192.168.2.10:22->192.168.1.10:44610(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=8 pol_uuid_idx=520 auth_info=0 chk_client_info=0 vd=0
serial=000c48ed tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x4000c00 ofld-O ofld-R
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=158/156, ipid=156/158, vlan=0x0000/0x0000
vlifid=156/158, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=5/5
proto:协议号,icmp:1;tcp:6;udp:17;更多请参考:https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
proto_state:会话状态,跟协议相关
ICMP:ICMP没有状态,一直显示proto_state=00
UDP:UDP是没状态状态的协议,proto_state=00:表示没有收到reply方向的udp报文;proto_state=01:表示收到reply方向的udp报文
TCP:TCP是有状态的协议,proto_state=xy,x与服务器的状态相关,当没有开启UTM或者Proxy时,x一直为0;y与客户端的状态相关联,如FortiGate收到syn时,y的值为2;收到syn/ack时,y的值为3;收到ack时,即完成三次握手,y的值为1。
| State | Value |
|---|---|
| NONE | 0 |
| ESTABLISHED | 1 |
| SYN_SENT | 2 |
| SYN & SYN/ACK | 3 |
| FIN_WAIT | 4 |
| TIME_WAIT | 5 |
| CLOSE | 6 |
| CLOSE_WAIT | 7 |
| LAST_ACK | 8 |
| LISTEN | 9 |
duration:会话存在的时间
expire:从会话经过最后一个包开始,从timeout时间开始倒计时
timeout:会话在当前状态下的超时时间
TCP会话各状态超时时间,非特殊情况不要修改
config system session-ttl
set default 3600
end
config system global
set tcp-halfclose-timer 120
set tcp-halfopen-timer 10
set tcp-rst-timer 5
set tcp-timewait-timer 1
end
UDP会话超时时间,非特殊情况不要修改
config system global
set udp-idle-timer 180
end
origin-shaper:会话发起方流量匹配的traffic shaper策略
reply-shaper:会话反向流量匹配的traffic shaper策略
per_ip_shaper:会话匹配的per-ip策略
tunnel:隧道的名称
state:会话表示状态
| may-dirty | Session details allowed to be altered |
|---|---|
| dirty | Session has been altered (requires may-dirty) |
| npu | Session goes through an acceleration ship |
| npd | Session is denied for hardware acceleration |
| npr | Session is eligible for hardware acceleration (more info with npu info: offload=x/y ) |
| rem | Session is allowed to be reset in case of memory shortage |
| eph | Session is ephemeral |
| oe | Session is part of Ipsec tunnel (from the originator) |
| re | Session is part of Ipsec tunnel (from the responder) |
| local | Session is attached to local fortigate ip stack |
| br | Session is bridged (vdom is in transparent mode) |
| redir | Session is redirected to an internal FGT proxy |
| wccp | Session is intercepted by wccp process |
| nlb | Session is from a load-balanced vip |
| log | Session is being logged |
| os | Session is shaped on the origin direction |
| rs | Session is shaped on the reply direction |
| ndr | Session is inspected by IPS signature |
| nds | Session is inspected by IPS anomaly |
| auth | Session is subject to authentication |
| block | Session was re-evaluated to block |
| ext | (deprecated) Session is handled by a session helper |
| app_ntf | Session matched a policy entry that contains "set block-notification enable" |
| F00 | After enable traffic log in policy, session will have this flag |
dev:FortiGate接口索引 index,可以通过diagnose netlink interface list查看
dev=13->14/14->13 表示数据流发起方从port5到port6,数据流的响应方从port6到port5
# diagnose netlink interface list | grep 13
if=port5 family=00 type=1 index=13 mtu=1500 link=0 master=0
# diagnose netlink interface list | grep 14
if=port6 family=00 type=1 index=14 mtu=1500 link=0 master=0
dir=org act=noop 192.168.1.10:44610->192.168.2.10:22(0.0.0.0:0) :发起方:源IP-->目的IP
dir=reply act=noop 192.168.2.10:22->192.168.1.10:44610(0.0.0.0:0) :响应方:源IP-->目的IP,与发起方相反
policy_id:匹配的策略ID
vd:vdom的索引index,root vdom的索引是0,通过diagnose sys vd list查看
# diagnose sys vd list
list virtual firewall info:
name=root/root index=0 enabled fib_ver=136 rpdb_ver=0 use=172 rt_num=35 asym_rt=0 sip_helper=0, sip_nat_trace=1, mc_fwd=0, mc_ttl_nc=0, tpmc_sk_pl=0
serial:会话ID
app:应用ID
url_cat:url类别
offload original direction/reply direction:0:会话没有卸载到NP;8:会话卸载到NP6;9:会话卸载到NP7
offload=8/8:表示发起方向和反向流量都卸载到NP6了