FortiGate Session Table Information

To display the session table:
diagnose sys session list


To configure the session filter:

diagnose sys session filter
clear – clear session filter
dport – dest port
dst – dest ip address
duration – duration
expire – expire
negate – inverse filter
policy – policy id
proto – protocol number
sport – source port
src – source ip address
vd – index of virtual domain. -1 matches all

a) ICMP (proto 1) 
Note: There are no states for ICMP, it always shows proto_state=00

b) TCP (proto 6)
Note: proto_state is a two-digit number because the FortiGate is a stateful firewall (it keeps track of both directions of the session): proto_state=OR, where O is the state of the Original direction and R the state of the Reply direction.

State            Value   Expire timer (default)
NONE             0       10 s
ESTABLISHED      1       3600 s
SYN_SENT         2       120 s
SYN & SYN/ACK    3       60 s
FIN_WAIT         4       120 s
TIME_WAIT        5       1 s
CLOSE            6       10 s
CLOSE_WAIT       7       120 s
LAST_ACK         8       30 s
LISTEN           9       120 s

c) UDP (proto 17)
Note: Even though UDP is a stateless protocol, the FortiGate still keeps track of 2 different ‘states’

State                 Value
UDP Reply not seen    0
UDP Reply seen        1

d) SCTP (proto 132)

State                       Value   Expire timer (default)
SCTP_S_NONE                 0       60 s
SCTP_S_ESTABLISHED          1       3600 s
SCTP_S_CLOSED               2       10 s
SCTP_S_COOKIE_WAIT          3       5 s
SCTP_S_COOKIE_ECHOED        4       10 s
SCTP_S_SHUTDOWN_SENT        5       30 s
SCTP_S_SHUTDOWN_RECD        6       30 s
SCTP_S_SHUTDOWN_ACK_SENT    7       3 s
SCTP_S_MAX                  8       n/a



duration: duration of the session (value in seconds)
expire: a countdown from the "timeout" since the last packet passed through the session (value in seconds)
timeout: indicates how long the session can stay open in the current state (value in seconds)
*shaper: the traffic shaper profile info (if traffic shaping is utilized)
policy_dir: 0 original direction | 1 reply direction
tunnel: VPN tunnel name
helper: name of the utilized session helper
vlan_cos: Ingress COS values are displayed in the session output in the range 0-7/255, but admin COS values are displayed in the range 8-15/255 even though the value on the wire will be in the range 0-7. When no COS is utilized the value is 255/255
state:

Flag        Meaning
may-dirty   Session details are allowed to be altered
dirty       Session has been altered (requires may-dirty)
npu         Session goes through an acceleration chip
npd         Session is denied hardware acceleration
npr         Session is eligible for hardware acceleration (more info under "npu info: offload=x/y")
rem         Session is allowed to be reset in case of memory shortage
eph         Session is ephemeral
oe          Session is part of an IPsec tunnel (from the originator)
re          Session is part of an IPsec tunnel (from the responder)
local       Session is attached to the local FortiGate IP stack
br          Session is bridged (VDOM is in transparent mode)
redir       Session is redirected to an internal FGT proxy
wccp        Session is intercepted by the WCCP process
nlb         Session is from a load-balanced VIP
log         Session is being logged
os          Session is shaped in the original direction
rs          Session is shaped in the reply direction
ndr         Session is inspected by IPS signature
nds         Session is inspected by IPS anomaly
auth        Session is subject to authentication
block       Session was blocked by IPS inspection
ext         (deprecated) Session is handled by a session helper
app_ntf     Session matched a policy entry that contains "set block-notification enable"

dev: interface index can be obtained via “diagnose netlink interface list”:

if=port1 family=00 type=1 index=3 mtu=1500 link=0 master=0

Reference: https://kb.fortinet.com/kb/viewContent.do?externalId=FD30042

Equivalent Cisco and FortiGate commands

FortiGate command                      Cisco command               Description
show full-configuration                show run                    Show the running configuration
execute factory-reset                  write erase                 Restore factory defaults
show system interface                  show run interface brief    Show the interface configuration
diagnose hardware deviceinfo nic       show interface              Show interface status and statistics
get system status                      show version                Show system information
get system arp | diagnose ip arp list  show arp                    Show the ARP table
get router info routing-table all      show ip route               Show the routing table
diagnose system session list           show ip nat translation     Show the NAT table
diagnose system session clear          clear ip nat translation    Clear sessions
get router info ospf neighbor          show ip ospf neighbor       Show OSPF neighbors
get router info bgp neighbor           show ip bgp neighbor        Show BGP session neighbors
get router info bgp summary            show ip bgp summary         Show BGP sessions and number of routes

FortiOS Command List

Command                                             Result
get sys status                                      Check version, operation mode, HA mode, system time, etc.
get system performance firewall statistics          Show traffic volume.
get system performance status                       Show CPU and memory usage and device uptime.
get system performance top                          Show the processes using the most CPU.
get sys ha status                                   Show HA information.
diagnose sys ha status                              Check HA status.
diag sys session full-stat                          Show the firewall session table (maximum and in use).
diag sys session list                               List all sessions on the firewall.
diagnose sys session filter src 192.168.227.129     Filter which sessions the previous command lists.
get system interface physical                       List the physical interfaces.
diagnose hardware deviceinfo nic wan1               Show counters of a physical interface.
get system arp                                      List the ARP table.
get router info routing-table all                   List the routing table.
get router info routing-table details 10.20.100.10  Show routes to a specific destination.
get sys status                                      Show system status.
diag vpn tunnel up phase2-name phase1-name          Bring up a VPN tunnel.
diag vpn tunnel down phase2-name phase1-name        Bring down a VPN tunnel.
diagnose vpn tunnel list name myphase1              Check the status of a VPN tunnel.
diag vpn tunnel dumpsa                              Test a VPN tunnel.
diagnose vpn tunnel stat                            Show VPN tunnel state; zero means no security association.
diagnose vpn ipsec status                           Show VPN tunnel status.
diag vpn tunnel list                                List all VPN tunnels.

TCP Flags

URG – The packet contains urgent data.

ACK – Acknowledges receipt of the last packet or another response.

PSH – Push the data immediately even if the buffer is not full.

RST – Resets the connection (an error or something similar occurred).

SYN – Starts a connection.

FIN – Ends a connection.

FortiGate IPsec VPN Debug Levels

diag debug reset
diag debug disable
diag debug application ike -1

-1 shows all messages for phase 1 and phase 2.
Other debug levels:
2    Shows config changes
4    Shows connections which will be established
8    Only Phase-1 and Phase-2 communication messages
16   Shows only NAT-T (NAT Traversal)
32   Shows only DPD
64   Shows only encryption/decryption keys
128  Shows only encrypted traffic payload