FortiGate Session Table Information

To display the session table:
diagnose sys session list


To configure the session filter:

diagnose sys session filter
clear – clear the session filter
dport – destination port
dst – destination IP address
duration – session duration
expire – expire value
negate – invert the filter
policy – policy ID
proto – protocol number
sport – source port
src – source IP address
vd – index of the virtual domain (-1 matches all)

a) ICMP (proto 1)
Note: ICMP has no states; proto_state is always shown as 00.

b) TCP (proto 6)
Note: proto_state is a two-digit number because the FortiGate is a stateful firewall that tracks both directions of the session: proto_state=OR, where O is the state of the Original direction and R is the state of the Reply direction.

State           Value   Expire timer (default)
NONE            0       10 s
ESTABLISHED     1       3600 s
SYN_SENT        2       120 s
SYN & SYN/ACK   3       60 s
FIN_WAIT        4       120 s
TIME_WAIT       5       1 s
CLOSE           6       10 s
CLOSE_WAIT      7       120 s
LAST_ACK        8       30 s
LISTEN          9       120 s

c) UDP (proto 17)
Note: Even though UDP is a stateless protocol, the FortiGate still keeps track of two different "states":

State                 Value
UDP reply not seen    0
UDP reply seen        1

d) SCTP (proto 132)

State                       Value   Expire timer (default)
SCTP_S_NONE                 0       60 s
SCTP_S_ESTABLISHED          1       3600 s
SCTP_S_CLOSED               2       10 s
SCTP_S_COOKIE_WAIT          3       5 s
SCTP_S_COOKIE_ECHOED        4       10 s
SCTP_S_SHUTDOWN_SENT        5       30 s
SCTP_S_SHUTDOWN_RECD        6       30 s
SCTP_S_SHUTDOWN_ACK_SENT    7       3 s
SCTP_S_MAX                  8       n/a



duration: duration of the session (value in seconds)
expire: countdown from the "timeout" value, restarted by the last packet that passed through the session (value in seconds)
timeout: how long the session can stay open in the current state (value in seconds)
*shaper: traffic shaper profile info (if traffic shaping is in use)
policy_dir: 0 = original direction | 1 = reply direction
tunnel: VPN tunnel name
helper: name of the session helper in use
vlan_cos: ingress CoS values are shown in the session output in the range 0-7/255, while admin CoS values are shown in the range 8-15/255 even though the value on the wire is in the range 0-7. When no CoS is in use the value is 255/255
state:

Flag        Meaning
may-dirty   Session details are allowed to be altered
dirty       Session has been altered (requires may-dirty)
npu         Session goes through an acceleration chip
npd         Session is denied hardware acceleration
npr         Session is eligible for hardware acceleration (more info under npu info: offload=x/y)
rem         Session is allowed to be reset in case of memory shortage
eph         Session is ephemeral
oe          Session is part of an IPsec tunnel (from the originator)
re          Session is part of an IPsec tunnel (from the responder)
local       Session is attached to the local FortiGate IP stack
br          Session is bridged (VDOM is in transparent mode)
redir       Session is redirected to an internal FortiGate proxy
wccp        Session is intercepted by the WCCP process
nlb         Session is from a load-balanced VIP
log         Session is being logged
os          Session is shaped in the original direction
rs          Session is shaped in the reply direction
ndr         Session is inspected by an IPS signature
nds         Session is inspected by IPS anomaly detection
auth        Session is subject to authentication
block       Session was blocked by IPS inspection
ext         (deprecated) Session is handled by a session helper
app_ntf     Session matched a policy entry that contains "set block-notification enable"
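The tables above are easier to apply at scale with a small decoder. The following is an added example, not Fortinet's code and not part of the original page: it turns the proto_state digits into the per-direction state names from the TCP, UDP and SCTP tables, derives the idle time in the current state from timeout and expire, and annotates the state flags. The record layout it parses (one "session info:" line of key=value tokens followed by a "state=" line of flags) and the SAMPLE entries are constructed to exercise the decoder; only the field names, state values and flags come from the page. Applying the digit-per-direction reading to UDP and SCTP, and accepting underscore-spelled flags, are assumptions of this example.

```python
"""Decode FortiGate `diagnose sys session list` fields using the tables above.
Added example, not Fortinet's own code; record layout and SAMPLE are constructed."""
from __future__ import annotations

import re
from collections import Counter

# value -> (state name, default expire timer in seconds, None where the page gives none)
TCP_STATES = {
    0: ("NONE", 10), 1: ("ESTABLISHED", 3600), 2: ("SYN_SENT", 120),
    3: ("SYN & SYN/ACK", 60), 4: ("FIN_WAIT", 120), 5: ("TIME_WAIT", 1),
    6: ("CLOSE", 10), 7: ("CLOSE_WAIT", 120), 8: ("LAST_ACK", 30), 9: ("LISTEN", 120),
}
UDP_STATES = {0: ("UDP reply not seen", None), 1: ("UDP reply seen", None)}
SCTP_STATES = {
    0: ("SCTP_S_NONE", 60), 1: ("SCTP_S_ESTABLISHED", 3600), 2: ("SCTP_S_CLOSED", 10),
    3: ("SCTP_S_COOKIE_WAIT", 5), 4: ("SCTP_S_COOKIE_ECHOED", 10),
    5: ("SCTP_S_SHUTDOWN_SENT", 30), 6: ("SCTP_S_SHUTDOWN_RECD", 30),
    7: ("SCTP_S_SHUTDOWN_ACK_SENT", 3), 8: ("SCTP_S_MAX", None),
}
STATE_TABLES = {6: TCP_STATES, 17: UDP_STATES, 132: SCTP_STATES}

# Subset of the flag table above; flags not listed here are reported as unknown.
FLAGS = {
    "may-dirty": "session details allowed to be altered",
    "dirty": "session has been altered",
    "npu": "session goes through an acceleration chip",
    "npd": "session is denied hardware acceleration",
    "npr": "session is eligible for hardware acceleration",
    "log": "session is being logged",
    "ndr": "session is inspected by an IPS signature",
    "nds": "session is inspected by IPS anomaly detection",
    "block": "session was blocked by IPS inspection",
    "local": "session is attached to the local FortiGate IP stack",
}


def decode_proto_state(proto: int, proto_state: str) -> tuple:
    """Split a two-digit proto_state into (original direction, reply direction).
    ICMP carries no state and is always shown as 00."""
    if proto == 1:
        return ("no state (ICMP)", "no state (ICMP)")
    table = STATE_TABLES.get(proto)
    if table is None:
        raise ValueError(f"no state table for proto {proto}")
    if not re.fullmatch(r"\d\d", proto_state):
        raise ValueError(f"unexpected proto_state {proto_state!r}")
    orig, reply = int(proto_state[0]), int(proto_state[1])
    if orig not in table or reply not in table:
        raise ValueError(f"state digit out of range for proto {proto}: {proto_state}")
    return (table[orig][0], table[reply][0])


def parse_sessions(text: str) -> list:
    """Parse the constructed record layout: a 'session info:' line of key=value
    tokens, then a 'state=' line listing the flags of that session."""
    sessions, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("session info:"):
            current = {"flags": []}
            sessions.append(current)
            current.update(re.findall(r"(\w+)=(\S*)", line))
        elif line.startswith("state=") and current is not None:
            # the page spells flags with hyphens; also accept underscore spelling (assumption)
            current["flags"] = [f.replace("_", "-") for f in line[len("state="):].split()]
    return sessions


def describe(session: dict) -> dict:
    """Decode one parsed session into human-readable fields."""
    proto = int(session["proto"])
    orig, reply = decode_proto_state(proto, session["proto_state"])
    expire, timeout = int(session["expire"]), int(session["timeout"])
    return {
        "proto": proto, "original": orig, "reply": reply,
        # expire counts down from timeout since the last packet, so the idle
        # time spent in the current state is their difference
        "idle_seconds": timeout - expire,
        "consistent": 0 <= expire <= timeout,
        "flags": {f: FLAGS.get(f, "unknown flag") for f in session["flags"]},
    }


def summarize(text: str) -> Counter:
    """Count sessions by (proto, original state, reply state). A pile-up of
    SYN_SENT or reply-not-seen entries is the pattern to look for when
    triaging a busy session table."""
    return Counter((d["proto"], d["original"], d["reply"])
                   for d in map(describe, parse_sessions(text)))


# Constructed sample records (not real device output).
SAMPLE = """\
session info: proto=6 proto_state=01 duration=19 expire=3580 timeout=3600 policy_dir=0 tunnel=/ helper= vlan_cos=0/255
state=log may_dirty npu
session info: proto=6 proto_state=02 duration=110 expire=10 timeout=120 policy_dir=0 tunnel=/ helper= vlan_cos=255/255
state=may_dirty npd
session info: proto=17 proto_state=00 duration=3 expire=177 timeout=180 policy_dir=0 tunnel=/ helper=dns-udp vlan_cos=0/255
state=may_dirty
session info: proto=1 proto_state=00 duration=1 expire=59 timeout=60 policy_dir=0 tunnel=/ helper= vlan_cos=255/255
state=may_dirty
"""

if __name__ == "__main__":
    for entry in parse_sessions(SAMPLE):
        print(describe(entry))
    print(summarize(SAMPLE))
```

Feed the captured output of diagnose sys session list (after filtering with diagnose sys session filter) into parse_sessions; the summarize counter then shows at a glance how many sessions sit in each state pair, and describe flags any entry whose expire value exceeds its timeout as inconsistent.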

dev: the interface index, which can be matched to an interface name via "diagnose netlink interface list":

if=port1 family=00 type=1 index=3 mtu=1500 link=0 master=0

Reference: https://kb.fortinet.com/kb/viewContent.do?externalId=FD30042