topic Re: how can I get entire session table? in General Topics

how can I get entire session table?

nextgenhappines — Wed, 23 Oct 2013 17:33:51 GMT

Working on the 5060 in 5.0.7, the active session count is around 60k+, in cli 'show session all' output will only return ~3000 sessions. API returns 9995 lines. How can I get the entire session table?

The use case, I will like to be able to take a snapshot of the firewall session table at a given specific moment; find out which vsys has the most active sessions, group by top 10 source / destination ip address / destination port per vsys.

Any suggestions?

Thanks,

Ernest

Re: how can I get entire session table?

Retired Member — Thu, 24 Oct 2013 08:36:30 GMT

Can the Whole Session Log be Exported?

I think taking this report for the sessions after logged (from traffic logs )will give you parallel information.

Re: how can I get entire session table?

workarounds — Thu, 24 Oct 2013 16:10:35 GMT

Here are the problem that I can see using the traffic logs,

traffic log is only generated when the session is closed/ended, unless you change policy setting to log at session start. But it is not recommended, and you can't change all the policy at the same time...

How can I do it?

Ernest

Re: how can I get entire session table?

Retired Member — Thu, 24 Oct 2013 17:01:52 GMT

Hi,

start session is used especially for debugging.you can cofigure this for all policy at one time if you don't have any configured.

Just edit your config with a tool(even word can do)

change

<log-start>no</log-start>
<log-end>yes</log-end>

<log-start>yes</log-start>
<log-end>yes</log-end>

Then after you examine what you need for a day or 1 week, you will rollback to old config.

Re: how can I get entire session table?

workarounds — Fri, 25 Oct 2013 00:12:58 GMT

Hello,

I am looking from an operational perspective, if the firewall session table count is higher than normal, how do you find out which vsys/protocol/source ip/destination ip/destination ports is causing the high session counts?

Re: how can I get entire session table?

sspringer — Fri, 25 Oct 2013 00:26:44 GMT

I believe that ACC would help in this effort. Has that provided more information?

Re: how can I get entire session table?

gwesson — Fri, 25 Oct 2013 00:34:44 GMT

You could always use the "count yes" syntax of the CLI command show session all

By adding progressively more specific filters, you can narrow down the sessions you are looking for. For example:

> show session all filter count yes

> show session all filter count yes from trust

> show session all filter count yes from trust application web-browsing

> show session all filter count yes from trust application web-browsing source 192.0.2.5

... and so on. By getting the count for each filter, you can find what may be odd in favor of what you are looking for. With the filter, you may not be able to display more than 3000 entries or whatever is present, but the count should help narrow down what is causing the imbalance.

Hope this helps,

Greg Wesson

Re: how can I get entire session table?

nextgenhappines — Fri, 25 Oct 2013 01:12:43 GMT

Hello Greg,

Right, I can use show session meter to determine which vsys has the high session counts and start drill down from that point. But some vsys has 15k+ sessions. By drilling down via cli to determine the cause of the high session count, that could take few minutes if lucky, else you may not able to find the problem.

Re: how can I get entire session table?

nextgenhappines — Fri, 25 Oct 2013 14:36:31 GMT

Again, ACC only get the data after the sessions closed and needed to wait 15 mins for ACC to update the information. I don't think I have 15 mins to wait for an answer.