Sometimes it can be really useful to clear specific sessions on a FortiGate to help with troubleshooting.
This is especially useful when you've made a change to the config, tested it out, but don't get the result you expected. Usually this is because the firewall is still using an existing session that was matched under the old config. An example of this would be changing the UTM policies.
To clear a session, first we must configure the filter so that we only delete the sessions we want. Without a filter, the clear command will delete all sessions on the unit.
Press ? after the filter command below to see all options available:
fg60cxadsl # diagnose sys session filter
clear clear session filter
dintf destination interface
dport dest port
dst dest ip address
duration duration
expire expire
negate inverse filter
nport NAT'd source port
nsrc NAT'd source ip address
policy policy id
proto protocol number
proto-state protocol state
sintf source interface
sport source port
src source ip address
vd index of virtual domain. -1 matches all
First, as a good habit, I always clear the filter before I begin. This ensures that the filter I configure is the only one that will be used.
fg60cxadsl # diagnose sys session filter clear
In this example I want to delete all HTTP sessions originating from my PC. I've made some changes to the UTM web filtering profile that are not working as I expected, so I want to clear my web sessions to ensure it's using the correct filter. To do this I use the src and the dport options to set the source IP (my PC) and the destination port (80 for HTTP).
fg60cxadsl # diagnose sys session filter src 192.168.1.110
fg60cxadsl # diagnose sys session filter dport 80
Next it's time to clear the session by issuing the session clear command as follows:
fg60cxadsl # diagnose sys session clear
After this command all my web sessions are dropped and need to be renegotiated again. I attempt to reload the website and confirm that my changes worked!
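The same sequence, wrapped in a small POSIX shell script so it can be repeated safely. This is an added example, not code from the original post or from Fortinet: it validates the source address and destination port, refuses to emit the clear command when no filter field was supplied (the case the post warns about, where every session on the unit would be dropped), lists the matching sessions before clearing them, and only sends anything to the firewall when DRY_RUN is turned off. It assumes SSH access as an admin user and that FortiOS executes the command text handed to it as the remote ssh command; the host name and the script file name are placeholders.

```shell
#!/bin/sh
# Added example: build and optionally send the FortiGate session-clear
# sequence from the post over SSH. Not Fortinet code.

# is_ipv4 ADDR -> 0 if ADDR is a dotted-quad IPv4 address with octets 0..255
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
  return 0
}

# is_port N -> 0 if N is an integer in 1..65535
is_port() {
  case "$1" in ''|*[!0-9]*) return 1;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_session_clear_cmds SRC DPORT
# Prints the CLI lines in the order the post uses: reset the filter, set the
# filter fields that were given, list the sessions that match (so you can see
# what is about to be dropped), then clear them. Prints nothing and returns 1
# if both SRC and DPORT are empty, because an unfiltered clear drops all
# sessions, or if either value is malformed.
build_session_clear_cmds() {
  src=$1; dport=$2
  if [ -z "$src" ] && [ -z "$dport" ]; then
    echo "refusing to clear sessions with an empty filter" >&2
    return 1
  fi
  if [ -n "$src" ] && ! is_ipv4 "$src"; then
    echo "bad source address: $src" >&2; return 1
  fi
  if [ -n "$dport" ] && ! is_port "$dport"; then
    echo "bad destination port: $dport" >&2; return 1
  fi
  echo "diagnose sys session filter clear"
  [ -n "$src" ]   && echo "diagnose sys session filter src $src"
  [ -n "$dport" ] && echo "diagnose sys session filter dport $dport"
  echo "diagnose sys session list"
  echo "diagnose sys session clear"
}

# send_session_clear SRC DPORT
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 sends them to the
# firewall named in FGT_HOST as the admin user (assumed account name).
send_session_clear() {
  cmds=$(build_session_clear_cmds "$1" "$2") || return 1
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$cmds"
  else
    ssh "admin@${FGT_HOST:?set FGT_HOST to the firewall address}" "$cmds"
  fi
}

# Usage (placeholder host and file name):
#   DRY_RUN=0 FGT_HOST=fw.example.invalid sh clear_sessions.sh 192.168.1.110 80
if [ "${0##*/}" = "clear_sessions.sh" ]; then
  send_session_clear "$1" "$2"
fi
```

Run it once with the default DRY_RUN=1 and compare the printed lines against the post above before sending anything; the `diagnose sys session list` step is there so the operator sees exactly which sessions the filter catches before the clear is issued.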
9 comments:
This was helpful. Thanks!
Thank you that is exactly what I was looking for!
Thank you, very helpful!
still very valid info
Super helpful. We are using 2 WAN connections with failover, and some connections were stuck using wan2 after wan1 came back up. Cleared all sessions with wan2 as dintf, which fixed everything. Thanks!
Al is a FortiGod
I know this is an old post but this flat saved my ass last night. Our real Fortinet guy had the day off and the server guys had been having an issue with clustering across a MetroE flanked by a couple of Fortigates for weeks. Turned out there was an old UDP session sending to the wrong interface but since the source and destination ports and IPs were exactly the same all of the new traffic was still matching it and trying to use it. Cleared that session and everything magically worked. Server guys loved me. Kudos to you. Thank you!
That was great. We had to do this on ASA. Thought the world would have moved ahead. Rather they focussed only on fancy things.
Thank you from 2022