Session parameter analysis
```
FortiGate # diagnose sys session list
session info: proto=6 proto_state=01 duration=2 expire=3597 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty npu
statistic(bytes/packets/allow_err): org=112/2/1 reply=60/1/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=13->14/14->13 gwy=192.168.2.10/192.168.1.10
hook=pre dir=org act=noop 192.168.1.10:44610->192.168.2.10:22(0.0.0.0:0)
hook=post dir=reply act=noop 192.168.2.10:22->192.168.1.10:44610(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=8 pol_uuid_idx=520 auth_info=0 chk_client_info=0 vd=0
serial=000c48ed tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x4000c00 ofld-O ofld-R
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=158/156, ipid=156/158, vlan=0x0000/0x0000
vlifid=156/158, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=5/5
```

proto: IP protocol number. ICMP is 1, TCP is 6, UDP is 17; for the full list see https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.

proto_state: session state; its meaning depends on the protocol.

ICMP: ICMP has no state, so proto_state is always 00.
UDP: UDP is a stateless protocol, so only two values appear.
- proto_state = 00: no UDP packet has been received in the reply direction.
- proto_state = 01: a UDP packet has been received in the reply direction.

TCP: TCP is a stateful protocol, and proto_state = xy is read as two digits.
- x tracks the server side of the session; when no UTM or proxy inspection is enabled, x is always 0.
- y tracks the client side: when the FortiGate receives the SYN, y is 2; when it receives the SYN/ACK, y is 3; when it receives the ACK that completes the three-way handshake, y is 1.
| State | Value |
|---|---|
| NONE | 0 |
| ESTABLISHED | 1 |
| SYN_SENT | 2 |
| SYN & SYN/ACK | 3 |
| FIN_WAIT | 4 |
| TIME_WAIT | 5 |
| CLOSE | 6 |
| CLOSE_WAIT | 7 |
| LAST_ACK | 8 |
| LISTEN | 9 |
duration: how long the session has existed.

expire: remaining lifetime, a countdown that starts from the timeout value and restarts whenever a packet traverses the session.

timeout: the timeout applied to the session in its current state (the per-state TCP timeouts should not be changed except in special cases; see the Policy & Objects → Configure Session TTL section).

origin-shaper: the traffic shaper matched by traffic from the session originator.

reply-shaper: the traffic shaper matched by the session's reply-direction traffic.

per_ip_shaper: the per-IP shaper matched by the session.

tunnel: the name of the tunnel the session belongs to.

state: the session's state flags.
| Session state | Description |
|---|---|
| may-dirty | Session details allowed to be altered |
| dirty | Session has been altered (requires may-dirty) |
| npu | Session goes through an acceleration chip |
| npd | Session is denied for hardware acceleration |
| npr | Session is eligible for hardware acceleration (more info with npu info: offload=x/y ) |
| rem | Session is allowed to be reset in case of memory shortage |
| eph | Session is ephemeral |
| oe | Session is part of an IPsec tunnel (from the originator) |
| re | Session is part of an IPsec tunnel (from the responder) |
| local | Session is attached to the local FortiGate IP stack |
| br | Session is bridged (vdom is in transparent mode) |
| redir | Session is redirected to an internal FGT proxy |
| wccp | Session is intercepted by wccp process |
| nlb | Session is from a load-balanced vip |
| log | Session is being logged |
| os | Session is shaped on the origin direction |
| rs | Session is shaped on the reply direction |
| ndr | Session is inspected by IPS signature |
| nds | Session is inspected by IPS anomaly |
| auth | Session is subject to authentication |
| block | Session was re-evaluated to block |
| ext | (deprecated) Session is handled by a session helper |
| app_ntf | Session matched a policy entry that contains "set block-notification enable" |
| F00 | After enable traffic log in policy, session will have this flag |
dev: FortiGate interface indexes, which can be resolved with diagnose netlink interface list as shown below. dev=13->14/14->13 means the originator's traffic enters on port5 and leaves on port6, and the reply traffic enters on port6 and leaves on port5.

```
FortiGate# diagnose netlink interface list | grep 13
if=port5 family=00 type=1 index=13 mtu=1500 link=0 master=0
# diagnose netlink interface list | grep 14
if=port6 family=00 type=1 index=14 mtu=1500 link=0 master=0
```

dir=org act=noop 192.168.1.10:44610->192.168.2.10:22(0.0.0.0:0): originator direction, source IP → destination IP; act=noop means no SNAT or DNAT is applied.

dir=reply act=noop 192.168.2.10:22->192.168.1.10:44610(0.0.0.0:0): reply direction, source IP → destination IP, the reverse of the originator; again no SNAT or DNAT is applied.

policy_id: ID of the firewall policy the session matched.

vd: VDOM index; the root VDOM has index 0. Look it up with diagnose sys vd list.

```
FortiGate # diagnose sys vd list
list virtual firewall info:
name=root/root index=0 enabled fib_ver=136 rpdb_ver=0 use=172 rt_num=35 asym_rt=0
sip_helper=0, sip_nat_trace=1, mc_fwd=0, mc_ttl_nc=0, tpmc_sk_pl=0
```

serial: session ID.

app: application ID.

url_cat: URL category.

offload (original direction/reply direction): 0 means the session is not offloaded to an NP; 8 means it is offloaded to an NP6; 9 means it is offloaded to an NP7.
- offload = 8/8: both the originating direction and the reply direction are offloaded to NP6.
- offload = 9/9: both the originating direction and the reply direction are offloaded to NP7.
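The following is an added example, not part of the original page and not Fortinet code: a small Python parser that reads one `diagnose sys session list` entry and applies the decoding rules given above for proto_state (ICMP, UDP, and the TCP x/y digits), the state flags, dev, act, policy_id, vd, serial and offload. The session text is the entry shown on this page, embedded inline; the `IFACE_INDEX` map is a hypothetical stand-in for the `diagnose netlink interface list` lookup, and all function names are the example's own.

```python
import re
from typing import Dict

# Constructed sample input: the session entry shown on this page, embedded so the
# example runs offline.
SAMPLE_SESSION = """\
session info: proto=6 proto_state=01 duration=2 expire=3597 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty npu
statistic(bytes/packets/allow_err): org=112/2/1 reply=60/1/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=13->14/14->13 gwy=192.168.2.10/192.168.1.10
hook=pre dir=org act=noop 192.168.1.10:44610->192.168.2.10:22(0.0.0.0:0)
hook=post dir=reply act=noop 192.168.2.10:22->192.168.1.10:44610(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=8 pol_uuid_idx=520 auth_info=0 chk_client_info=0 vd=0
serial=000c48ed tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x4000c00 ofld-O ofld-R
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=158/156, ipid=156/158, vlan=0x0000/0x0000
vlifid=156/158, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=5/5
"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_STATES = {0: "NONE", 1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN & SYN/ACK",
              4: "FIN_WAIT", 5: "TIME_WAIT", 6: "CLOSE", 7: "CLOSE_WAIT",
              8: "LAST_ACK", 9: "LISTEN"}
OFFLOAD = {0: "not offloaded to NP", 8: "offloaded to NP6", 9: "offloaded to NP7"}
# Hypothetical index->name map standing in for `diagnose netlink interface list`.
IFACE_INDEX = {13: "port5", 14: "port6"}

KV_RE = re.compile(r"([A-Za-z_-]+)=(\S*)")


def parse_session(text: str) -> Dict[str, str]:
    """Flatten one entry's key=value tokens into a dict (first occurrence wins)."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("state="):  # flags are space separated: keep the whole line
            fields["state"] = line[len("state="):].strip()
            continue
        for key, value in KV_RE.findall(line):
            fields.setdefault(key, value.rstrip(","))
    return fields


def decode_proto_state(proto: int, proto_state: str) -> str:
    """Interpret proto_state with the per-protocol rules described on the page."""
    if proto == 1:
        return "ICMP: stateless, proto_state is always 00"
    if proto == 17:
        return "UDP: reply seen" if proto_state == "01" else "UDP: no reply packet yet"
    if proto == 6:
        x, y = int(proto_state[0]), int(proto_state[1])  # x = server side, y = client side
        client = TCP_STATES.get(y, f"unknown({y})")
        server = "0 (no UTM/proxy)" if x == 0 else str(x)
        return f"TCP: client {client}, server {server}"
    return f"proto {proto}: proto_state {proto_state}"


def decode_dev(dev: str) -> str:
    """dev=a->b/c->d: origin ingress->egress / reply ingress->egress interface indexes."""
    def name(idx: str) -> str:
        return IFACE_INDEX.get(int(idx), f"index{idx}")
    org, reply = dev.split("/")
    o_in, o_out = org.split("->")
    r_in, r_out = reply.split("->")
    return f"origin {name(o_in)}->{name(o_out)}, reply {name(r_in)}->{name(r_out)}"


def decode_offload(offload: str) -> str:
    """offload=orig/reply: 0 no NP offload, 8 NP6, 9 NP7."""
    org, reply = (int(v) for v in offload.split("/"))
    return f"origin {OFFLOAD.get(org, 'unknown')}, reply {OFFLOAD.get(reply, 'unknown')}"


def summarize(text: str) -> Dict[str, object]:
    """Human-readable view of the fields a troubleshooter checks first."""
    f = parse_session(text)
    proto = int(f["proto"])
    return {
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "proto_state": decode_proto_state(proto, f["proto_state"]),
        "flags": f["state"].split(),
        "expire_s": int(f["expire"]),
        "dev": decode_dev(f["dev"]),
        "origin_nat": "none" if f["act"] == "noop" else f["act"],  # first act= is dir=org
        "policy_id": int(f["policy_id"]),
        "vd": int(f["vd"]),
        "serial": f["serial"],
        "offload": decode_offload(f["offload"]),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_SESSION).items():
        print(f"{key:12} {value}")
```

Running the block prints one decoded line per field; for the page's entry it reports a TCP session whose client side is ESTABLISHED, flags may_dirty and npu, port5->port6 with no NAT, policy 8 in VDOM 0, and both directions offloaded to NP6. The parser keeps the first occurrence of each key, so a multi-session dump should be split on the "session info:" lines before feeding each entry to it.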