Session parameter analysis

FortiGate # diagnose sys session list
session info: proto=6 proto_state=01 duration=2 expire=3597 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty npu 
statistic(bytes/packets/allow_err): org=112/2/1 reply=60/1/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=13->14/14->13 gwy=192.168.2.10/192.168.1.10
hook=pre dir=org act=noop 192.168.1.10:44610->192.168.2.10:22(0.0.0.0:0)
hook=post dir=reply act=noop 192.168.2.10:22->192.168.1.10:44610(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=8 pol_uuid_idx=520 auth_info=0 chk_client_info=0 vd=0
serial=000c48ed tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x4000c00 ofld-O ofld-R
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=158/156, ipid=156/158, vlan=0x0000/0x0000
vlifid=156/158, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=5/5
  • proto: protocol number; ICMP is 1, TCP is 6, UDP is 17. For the full list see: https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

  • proto_state: session state; its meaning depends on the protocol.

    • ICMP: ICMP has no state, so proto_state is always 00.

    • UDP: UDP is a stateless protocol.

      • proto_state=00: no UDP packet has been received in the reply direction.
      • proto_state=01: a UDP packet has been received in the reply direction.
    • TCP: TCP is a stateful protocol; proto_state=xy.

      • x tracks the server-side state; when no UTM or proxy inspection is enabled, x stays 0.
      • y tracks the client-side state: y is 2 when FortiGate has seen the SYN, 3 after the SYN/ACK, and 1 after the ACK, i.e. once the three-way handshake is complete.
      State            Value
      NONE             0
      ESTABLISHED      1
      SYN_SENT         2
      SYN & SYN/ACK    3
      FIN_WAIT         4
      TIME_WAIT        5
      CLOSE            6
      CLOSE_WAIT       7
      LAST_ACK         8
      LISTEN           9
  • duration: how long the session has existed.

  • expire: the remaining lifetime; it counts down from the timeout value and is reset each time a packet traverses the session.

  • timeout: the timeout for the session in its current state (the per-state TCP session timeouts should not be changed except in special cases; see Policy & Objects → Configuring Session TTL).

  • origin-shaper: the traffic shaper policy matched by the session originator's traffic.

  • reply-shaper: the traffic shaper policy matched by the session's reply-direction traffic.

  • per_ip_shaper: the per-IP shaper policy matched by the session.

  • tunnel: name of the tunnel.

  • state: the session's state flags.

    Session state   Description
    may-dirty       Session details allowed to be altered
    dirty           Session has been altered (requires may-dirty)
    npu             Session goes through an acceleration chip
    npd             Session is denied for hardware acceleration
    npr             Session is eligible for hardware acceleration (more info with npu info: offload=x/y)
    rem             Session is allowed to be reset in case of memory shortage
    eph             Session is ephemeral
    oe              Session is part of an IPsec tunnel (from the originator)
    re              Session is part of an IPsec tunnel (from the responder)
    local           Session is attached to the local FortiGate IP stack
    br              Session is bridged (VDOM is in transparent mode)
    redir           Session is redirected to an internal FGT proxy
    wccp            Session is intercepted by the WCCP process
    nlb             Session is from a load-balanced VIP
    log             Session is being logged
    os              Session is shaped on the origin direction
    rs              Session is shaped on the reply direction
    ndr             Session is inspected by IPS signature
    nds             Session is inspected by IPS anomaly
    auth            Session is subject to authentication
    block           Session was re-evaluated to block
    ext             (deprecated) Session is handled by a session helper
    app_ntf         Session matched a policy entry that contains "set block-notification enable"
    F00             Set once traffic logging is enabled in the policy
  • dev: FortiGate interface index, which can be looked up with diagnose netlink interface list, as shown below. dev=13->14/14->13 means the originator's traffic enters on port5 and leaves on port6, and the reply traffic enters on port6 and leaves on port5.

    FortiGate# diagnose netlink interface list | grep 13
    if=port5 family=00 type=1 index=13 mtu=1500 link=0 master=0
    # diagnose netlink interface list | grep 14
    if=port6 family=00 type=1 index=14 mtu=1500 link=0 master=0
    
  • dir=org act=noop 192.168.1.10:44610->192.168.2.10:22(0.0.0.0:0): originator, source IP → destination IP; no SNAT or DNAT applied.

  • dir=reply act=noop 192.168.2.10:22->192.168.1.10:44610(0.0.0.0:0): responder, source IP → destination IP, the reverse of the originator; no SNAT or DNAT applied.

  • policy_id: ID of the matched firewall policy.

  • vd: VDOM index; the root VDOM has index 0. Look it up with diagnose sys vd list.

    FortiGate # diagnose sys vd list
    
    list virtual firewall info:
    name=root/root index=0 enabled fib_ver=136 rpdb_ver=0 use=172 rt_num=35 asym_rt=0 sip_helper=0, sip_nat_trace=1, mc_fwd=0, mc_ttl_nc=0, tpmc_sk_pl=0
    
  • serial: session ID.

  • app: application ID.

  • url_cat: URL category.

  • offload (original direction/reply direction): 0 means the session is not offloaded to an NP; 8 means it is offloaded to an NP6; 9 means it is offloaded to an NP7.

    • offload=8/8: both the original and the reply direction are offloaded to an NP6.
    • offload=9/9: both the original and the reply direction are offloaded to an NP7.
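When triaging many sessions at once, decoding these fields by hand is slow. The following parser is an added example written for this page, not a Fortinet tool or code from the page itself: it takes one `diagnose sys session list` record, decodes proto_state per the rules above (TCP x/y nibbles, UDP reply seen, ICMP stateless), annotates the state flags from the table above, maps offload=x/y to the NP type, and extracts the org/reply tuples, dev indices, policy_id, vd and serial. The sample record is constructed from the output shown at the top of this page (abridged), and the flag table is assumed to apply only to the subset of flags listed in the code.

```python
import re

# Constructed sample input (not a live capture): one record in the layout printed
# by `diagnose sys session list`, abridged from the example on this page.
SAMPLE_SESSION = """\
session info: proto=6 proto_state=01 duration=2 expire=3597 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=may_dirty npu
orgin->sink: org pre->post, reply pre->post dev=13->14/14->13 gwy=192.168.2.10/192.168.1.10
hook=pre dir=org act=noop 192.168.1.10:44610->192.168.2.10:22(0.0.0.0:0)
hook=post dir=reply act=noop 192.168.2.10:22->192.168.1.10:44610(0.0.0.0:0)
misc=0 policy_id=8 pol_uuid_idx=520 auth_info=0 chk_client_info=0 vd=0
serial=000c48ed tos=ff/ff app_list=0 app=0 url_cat=0
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=158/156, ipid=156/158, vlan=0x0000/0x0000
"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# TCP proto_state nibble values and offload codes, from the tables on this page.
TCP_STATES = {0: "NONE", 1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN & SYN/ACK",
              4: "FIN_WAIT", 5: "TIME_WAIT", 6: "CLOSE", 7: "CLOSE_WAIT",
              8: "LAST_ACK", 9: "LISTEN"}
OFFLOAD = {0: "not offloaded", 8: "NP6", 9: "NP7"}
# Subset of the state flags documented on this page, keyed the way the CLI prints them.
STATE_FLAGS = {
    "may_dirty": "session details allowed to be altered",
    "dirty": "session has been altered",
    "npu": "session goes through an acceleration chip",
    "npd": "session is denied for hardware acceleration",
    "npr": "session is eligible for hardware acceleration",
    "local": "session is attached to the local FortiGate IP stack",
    "log": "session is being logged",
}

KV_RE = re.compile(r"([A-Za-z_][\w\-]*)=([^\s,]*)")          # generic key=value tokens
FLOW_RE = re.compile(                                          # the two hook= tuple lines
    r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\((?P<nat>[\d.]+):(?P<nport>\d+)\)")


def pair(value, sep="/"):
    """Split an org/reply pair such as '8/8' (or a hop such as '13->14') into two ints."""
    a, b = value.split(sep)
    return int(a), int(b)


def decode_proto_state(proto, proto_state):
    """Interpret proto_state=xy using the per-protocol rules on this page."""
    x, y = int(proto_state[0]), int(proto_state[1])
    if proto == 6:   # TCP: x = server side (stays 0 without UTM/proxy), y = client side
        return {"server": TCP_STATES.get(x, "UNKNOWN"), "client": TCP_STATES.get(y, "UNKNOWN")}
    if proto == 17:  # UDP: 01 once a reply-direction datagram has been seen
        return {"reply_seen": y == 1}
    return {"stateless": True}  # ICMP: always 00, no state is tracked


def parse_session(text):
    """Parse one session record into a dictionary of decoded fields."""
    kv, flows, flags = {}, {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("state="):               # space-separated flag list
            flags = line[len("state="):].split()
            continue
        m = FLOW_RE.match(line)
        if m:                                        # org / reply tuple lines
            flows[m["dir"]] = {"src": (m["src"], int(m["sport"])),
                               "dst": (m["dst"], int(m["dport"])),
                               "nat": (m["nat"], int(m["nport"])),
                               "nat_applied": m["act"] != "noop"}  # noop = no SNAT/DNAT
            continue
        for key, value in KV_RE.findall(line):
            kv[key] = value
    proto = int(kv["proto"])
    org_dev, reply_dev = kv["dev"].split("/")
    org_off, reply_off = pair(kv["offload"])
    return {
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "state": decode_proto_state(proto, kv["proto_state"]),
        "state_flags": flags,
        "flag_meanings": {f: STATE_FLAGS.get(f, "not in this table") for f in flags},
        "timers": {k: int(kv[k]) for k in ("duration", "expire", "timeout")},
        "dev": (pair(org_dev, "->"), pair(reply_dev, "->")),
        "flows": flows,
        "policy_id": int(kv["policy_id"]),
        "vd": int(kv["vd"]),
        "serial": kv["serial"],
        "offload": (OFFLOAD.get(org_off, "unknown"), OFFLOAD.get(reply_off, "unknown")),
    }


def summarize(session):
    """One-line triage summary of a parsed session."""
    org = session["flows"]["org"]
    return "{} {} {}:{} -> {}:{} policy={} vd={} offload={}/{} flags={}".format(
        session["proto"], session["state"].get("client", "-"),
        *org["src"], *org["dst"], session["policy_id"], session["vd"],
        *session["offload"], ",".join(session["state_flags"]))


if __name__ == "__main__":
    print(summarize(parse_session(SAMPLE_SESSION)))
```

Fed the full command output, the record separator is the "session info:" line, so splitting the text on that prefix and calling parse_session on each block gives a table that can be filtered by policy_id, vd or the offload status before a session is investigated further.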

Copyright © 2024 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
This page was last revised on: 2024-04-01 18:07:55
