FortiGate – CLI commands to identify who is consuming your bandwidth

Hi all

I was searching for a quick way to identify what is happening on the firewall when users report very poor performance or ping response times for common websites grow to hundreds of milliseconds.

Perhaps it’s a DDoS, clients/users doing the wrong things, or just a misconfigured update service.

To identify what is happening, you need to connect to the CLI.

First, clear the application statistics so that you can identify what is actually consuming your bandwidth.

diagnose stats app-stat-clear

Now you need to find out which application is consuming your bandwidth. Wait a minute to gather statistics, then run:

diagnose stats app-bandwidth

app="SSL" appid=15895 total-sessions=59 bps=404657 bytes=404657
app="Twitter" appid=16001 total-sessions=2 bps=137956 bytes=137956
app="HTTP.BROWSER" appid=15893 total-sessions=50 bps=45220 bytes=45220
app="iCloud" appid=29880 total-sessions=2 bps=21911 bytes=21911
app="HTTP.BROWSER_Firefox" appid=34050 total-sessions=2 bps=4737 bytes=4737

This command shows a list of the applications currently crossing your firewall. The first one is probably the interesting one. For further analysis you need the following command:

diagnose stats app-usage-ip <applicationID or Name>

diagnose stats app-usage-ip HTTP.BROWSER

app="HTTP.BROWSER" total-usage=45220 total-sessions=50

ip="192.168.1.1" total-sessions=16 bytes=14128
ip="192.168.1.2" total-sessions=15 bytes=13417
ip="192.168.1.3" total-sessions=12 bytes=10776
ip="192.168.1.4" total-sessions=6 bytes=5298
ip="192.168.1.5" total-sessions=1 bytes=1601

You now have a list of the source addresses using this application, which identifies the source of the bandwidth consumption.

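If you want more details about the sessions, you can filter the session list by source IP. Clear any previously set filter first (this resets only the filter and does not drop sessions), then set the source filter and list the sessions.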

diagnose sys session filter clear

diagnose sys session filter src <src ip>

diagnose sys session filter src 192.168.1.1

diagnose sys session list

You now get a list of all sessions from this source IP.

For me it’s a good way to quickly find which applications are crossing the firewall and consuming your bandwidth.
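When the output is saved from a CLI session, the same triage can be scripted. The following is an added example, not part of the original post: it parses the key=value lines shown above, ranks applications by bps and returns the source IPs that hold a large share of one application's bytes. The function names and the 25% threshold are assumptions chosen for illustration.

```python
import re

# Values may be bare or quoted; typographic quotes are accepted as well because
# output pasted through a blog or ticket system often carries them.
QUOTES = '"“”″'
PAIR = re.compile(rf'([\w-]+)=(?:[{QUOTES}]([^{QUOTES}]*)[{QUOTES}]|(\S+))')

def parse_stats(text):
    """Turn each output line into a dict of its key=value fields (digits -> int)."""
    rows = []
    for line in text.splitlines():
        fields = {}
        for key, quoted, bare in PAIR.findall(line):
            value = quoted or bare
            fields[key] = int(value) if value.isdigit() else value
        if fields:
            rows.append(fields)
    return rows

def rank_apps(bandwidth_text):
    """Applications from 'diagnose stats app-bandwidth', highest bps first."""
    apps = [r for r in parse_stats(bandwidth_text) if "appid" in r]
    return sorted(apps, key=lambda r: r["bps"], reverse=True)

def top_talkers(usage_text, threshold=0.25):
    """Sources from 'diagnose stats app-usage-ip' that hold at least `threshold`
    (assumed cut-off) of the per-IP byte total, as (ip, bytes, share) tuples."""
    hosts = [r for r in parse_stats(usage_text) if "ip" in r]
    total = sum(r["bytes"] for r in hosts)
    hosts.sort(key=lambda r: r["bytes"], reverse=True)
    return [(r["ip"], r["bytes"], round(r["bytes"] / total, 3))
            for r in hosts if total and r["bytes"] / total >= threshold]

# Sample output taken from the post; line order shuffled to exercise the sort.
APP_BANDWIDTH = """\
app="Twitter" appid=16001 total-sessions=2 bps=137956 bytes=137956
app="SSL" appid=15895 total-sessions=59 bps=404657 bytes=404657
app="HTTP.BROWSER" appid=15893 total-sessions=50 bps=45220 bytes=45220
"""
APP_USAGE_IP = """\
app=”HTTP.BROWSER” total-usage=45220 total-sessions=50
ip=”192.168.1.3″ total-sessions=12 bytes=10776
ip=”192.168.1.1″ total-sessions=16 bytes=14128
ip=”192.168.1.2″ total-sessions=15 bytes=13417
ip=”192.168.1.4″ total-sessions=6 bytes=5298
ip=”192.168.1.5″ total-sessions=1 bytes=1601
"""

if __name__ == "__main__":
    print([a["app"] for a in rank_apps(APP_BANDWIDTH)], top_talkers(APP_USAGE_IP))
```

A flat distribution like the one in this sample points to ordinary shared use; a single address holding most of the bytes is the one to filter the session list on.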

2 thoughts on “FortiGate – CLI commands to identify who is consuming your bandwidth”

  1. Hi.
    Do you really want to drop all sessions with ‘diag sys session clear’ or only clear filter rules with ‘diag sys session filter clear’ in your example?
