View all questions & answers for the NSE 6 - Network Security 7.6 Support Engineer Materials exam


Question 25 Discussion

Refer to the exhibit. The partial output of a diagnose command is shown. Which two conclusions can you draw from the output shown in the exhibit? (Choose two answers)

  • A. The packets that belong to this session are checked against firewall policy ID 25.
  • B. The TCP session is not established.
  • C. This is a pinhole session to allow traffic for a TCP protocol that dynamically assigns TCP ports.
  • D. FortiGate will drop the expected traffic if it does not arrive within 23 seconds.
Correct Answer: C,D

Brave-Dump Clients Votes

CD 66.67%
AD 33.33%

Comments



Fatma Salih 2026-01-13 16:20:49

Selected Answers: A, D


Policy is explicitly mentioned.
  • Adam 2026-01-15 07:08:17
    This is an expectation session, where FortiGate opens the pinhole port for the expected return traffic from the server to the client. I believe the mentioned policy_id=25 is for the original session from client to server, while that expectation session from server to client doesn't hit any firewall policy and is allowed by FortiGate via a session helper, such as in an active FTP flow.


James 2026-01-24 22:25:12

Selected Answers: C, D


https://community.fortinet.com/t5/FortiGate/Technical-Tip-Session-helpers-and-expectation-sessions/ta-p/189938

Even though the policy ID is 25 in the example, it does not mean that the traffic matches policy 25. The value 'policy_id=25' in the expect session is just a copied value from the master session, which is the oldest helper-ftp session. Once an expect session is created, it acts as a pinhole on the firewall policy. Traffic matching the expected session does not need to match or be allowed by the firewall policy to be forwarded by the system.


Anonymous User 2026-02-11 22:08:27

Selected Answers: C, D


Same as James: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Session-helpers-and-expectation-sessions/ta-p/189938
C) diagnose sys session list expectation -> The pinhole ports that the session helper opened can be verified using the following command to list the expectation session

D) expire=23