PedroWiki - User contributions [fr] (Atom feed of user Jules, MediaWiki 1.30.1, generated 2024-03-29T13:46:42Z): https://wiki.pedrono.fr/api.php?action=feedcontributions&user=Jules&feedformat=atom

https://wiki.pedrono.fr/index.php?title=FORTIGATE_-_Useful_CLI_commands&diff=856 FORTIGATE - Useful CLI commands, 2024-02-28T10:24:57Z, Jules: /* IPsec tunnel establishment diagnostic */
<hr />
<div>= Introduction =

This article gathers useful CLI commands for configuring and diagnosing FortiGate firewalls. The syntax is that of the FortiOS 6.x/7.0 CLI; most keywords can be abbreviated (diag for diagnose, app for application).

= Useful Resources =

* [https://www.youtube.com/watch?v=Tf8FEsq_qNc Tutorial for DHCP relay over an IPsec tunnel].

= Toolbox =

== Filter ==

The output of any command can be filtered as in a Linux shell, with a pipe and grep:

# <command> | grep <pattern>

== Show a configuration while configuring ==

# config <menu> <submenu>
<submenu># show

To also see the options left at their default value:

# show full-configuration

(which can be abbreviated to show fu)

== List device interfaces ==

# show system interface

== Debug ==

See [https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc this debug cheat sheet].

Or [https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPNs-tunnels/ta-p/195955 this one from the Fortinet Community].

Show the state of one tunnel (phase 1 and phase 2 SAs, selectors, counters):

# diag vpn tunnel list name <name_of_tunnel>

=== IPsec tunnel establishment diagnostic ===

==== Phase 1 ====

Set the IKE log filter first, so that the debug output only shows the tunnel you are working on (on a busy gateway an unfiltered IKE debug floods the console), then raise the IKE debug level, and only then enable the debug output:

# diag vpn ike log-filter name <name_of_IPsec_tunnel>
# diag debug application ike -1
# diag debug enable

The filter can be set on the remote gateway address instead of the tunnel name:

# diag vpn ike log-filter dst-addr4 <remote_IP>
# diag debug app ike 255
# diag debug enable

-1 and 255 both enable every IKE debug level. Recent FortiOS releases renamed the filter command to diag vpn ike log filter (space instead of hyphen); the sub-commands are the same.

=== Identify tunnel and list filter ===

# get vpn ipsec tunnel summary

# diag vpn ike log-filter list

=== Debug disable ===

When done, disable the debug output and reset the debug settings, otherwise the IKE debug level and the filter stay active:

# diag debug disable
# diag debug reset
<br />
== Firewalling ==

=== Address management ===

# config firewall address
# edit "<name_of_object>"
# set subnet <ip> <netmask>
# next
# end

=== Address group management ===

# config firewall addrgrp
# edit "<group_name>"
# set member "<address_object_1>" ... "<address_object_n>"
# set comment "<your_comment>"
# next
# end

=== Custom service management ===

# config firewall service custom
# edit "<name_of_custom_service>"
# set comment "<your_comment>"
# set tcp-portrange <portStart>[-<portEnd>]
# next
# end

(use set udp-portrange for UDP services; both can be set on the same object.)

=== Service group management ===

# config firewall service group
# edit "<service_group_name>"
# set member "<member1>" ... "<membern>"
# set comment "<your_comment>"
# next
# end

=== Policy management ===

# show firewall policy

# config firewall policy
# edit 0
# set srcintf "<name_of_source_itf>"
# set dstintf "<name_of_dest_itf>"
# set srcaddr "all"|"<address_or_group>"
# set dstaddr "<address_or_group>"
# set action accept
# set schedule "always"
# set service "<service_or_servicegroup>"
# set utm-status enable
# set logtraffic all
# set ips-sensor "<ips_configuration_profile>"
# set ssl-ssh-profile "<inspection_configuration_profile>"
# set nat enable|disable
# next
# end

Notes:
* edit 0 creates a new policy with the next free ID, appended at the bottom of the list. Policies are evaluated top-down and the first match wins, so put it where it belongs with move <id> before <id> (or after <id>) inside config firewall policy.
* srcaddr/dstaddr "all" and service "ALL" should be the exception: name the address and service objects created above so that the policy states exactly what is allowed.
* utm-status enable is what makes the ips-sensor and ssl-ssh-profile lines take effect. logtraffic all (rather than utm, the default) also logs the sessions that triggered no security event, which is what you will want when investigating an incident.
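The policy template above leaves the security-relevant choices to the reader: whether srcaddr/dstaddr is all, whether the service is a named object, whether logging and UTM are on. A quick way to audit an existing policy set for those choices is to lint the output of show firewall policy. The script below is an added example, not part of the original page nor a FortiOS feature: it embeds a constructed three-policy dump and reports, for each accept policy, any-to-any scope, service ALL, logtraffic not set to all and utm-status not enabled. The finding names and the sample policies are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page): lint a FortiOS "show firewall policy"
# dump for accept policies that are too broad, not logged or not inspected.

# Constructed sample dump for this example; not taken from a real device.
SAMPLE_POLICY_DUMP='config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "dmz-web"
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "web-servers"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set logtraffic all
    next
    edit 3
        set name "block-guest"
        set srcintf "port4"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
    next
end'

# lint_policies: reads a policy dump on stdin and prints one "<id><TAB><finding>" line
# per problem found. Deny policies are skipped: a broad deny is not a risk.
lint_policies() {
    awk '
    function report(msg) { printf "%s\t%s\n", id, msg }
    function unquote(s)  { gsub(/"/, "", s); return s }
    /^[ \t]*edit [0-9]+/     { id = $2; action = src = dst = svc = logt = utm = "" }
    /^[ \t]*set action /     { action = $3 }
    /^[ \t]*set srcaddr /    { src = unquote($3) }
    /^[ \t]*set dstaddr /    { dst = unquote($3) }
    /^[ \t]*set service /    { svc = unquote($3) }
    /^[ \t]*set logtraffic / { logt = $3 }
    /^[ \t]*set utm-status / { utm = $3 }
    /^[ \t]*next[ \t]*$/ {
        if (action == "accept") {
            if (src == "all" && dst == "all") report("any-to-any accept")
            if (svc == "ALL")                 report("service ALL")
            if (logt != "all")                report("logtraffic not set to all")
            if (utm != "enable")              report("no UTM inspection (utm-status)")
        }
        id = ""
    }'
}

# Run on the sample: policy 1 yields four findings, policies 2 and 3 none.
printf '%s\n' "$SAMPLE_POLICY_DUMP" | lint_policies
```

Feed it a real dump with ssh fw 'show firewall policy' | lint_policies, or paste the output of show full-configuration firewall policy into a file; the checks only look at the set lines listed, so fields that are absent count as their default.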
<br />
== Routing ==

=== See all routes (whatever the protocol) ===

# get router info routing-table all

'''NB:''' replace "all" with "bgp", "static" or "ospf" to list only the routes learnt by that protocol.

=== See all BGP neighbors ===

# get router info bgp neighbors

or, for a one-line-per-peer summary (state, uptime, prefixes received):

# get router info bgp summary

=== See the routes advertised to a neighbor ===

# get router info bgp neighbors <neighbor_IP> advertised-routes

=== See the routes received from a neighbor ===

# get router info bgp neighbors <neighbor_IP> received-routes

received-routes shows what the peer sent before inbound filtering, which requires soft reconfiguration inbound on that neighbor (next section); without it the command returns nothing.

=== Enable soft reconfiguration ===

The per-neighbor settings live in the neighbor sub-table of config router bgp:

# config router bgp
# config neighbor
# edit "<neighbor_IP>"
# set soft-reconfiguration enable
# next
# end
# end

=== Disable network-import-check ===

See [https://community.fortinet.com/t5/Fortinet-Forum/Advertising-BGP-routes/m-p/203989 this article] for the use case.

# config router bgp
# set network-import-check disable
# end

'''NB:''' this is not a best practice: with the check disabled, BGP advertises the configured network statements even when no matching route exists in the routing table, so peers may be told about prefixes this device cannot actually deliver to. Prefer announcing networks (and network ranges) that match routes present on the device.
<br />
== Internet Services ==

=== Links ===

* [https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/849970/policy-with-internet-service Fortinet Docs: Policy with Internet Service].
* [https://docs.fortinet.com/document/fortigate/6.0.0/handbook/451530/protocol-number Protocol numbers].
* [https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-search-ISDB-using-IP-address/ta-p/193111?externalID=FD46122 Community article on how to search the ISDB using an IP address].
* [https://community.fortinet.com/t5/FortiGate/Technical-Note-Internet-Service-Database-List-of-services-IP/ta-p/192757?externalID=FD40491 Community article on the ISDB].

=== Identify an Internet Service ID ===

# diagnose internet-service id | grep <name_of_service>

=== List the IPs and ports allowed by an Internet Service ===

# diagnose internet-service id <ID>

=== Check which Internet Services an IP address or subnet belongs to ===

# diagnose internet-service match root <ip> <netmask>

("root" is the VDOM name; replace it when working in another VDOM.) Worth running before using an Internet Service as a policy destination: a large provider's service entry may cover address ranges shared by many tenants, so a policy allowing it also allows traffic to anything else hosted on those ranges.

=== Check whether a protocol/port towards a destination IP is covered by an Internet Service ===

# diagnose internet-service info root <proto> <port> <IP>

Proto (IANA protocol number):
* 6: TCP
* 17: UDP

Result if found:

Internet Service: <ID and name of the service>

Result if not found:

Can not find Internet Service ID and name. ret=-1

[[Category:Fortigate]]
[[Category:Commande]]
[[Category:Howto]]
[[Category:Reseau]]
[[Category:Réseau]]
[[Category:Network]]</div>
https://wiki.pedrono.fr/index.php?title=OpenSSL_-_Commandes_utiles&diff=855 OpenSSL - Commandes utiles (OpenSSL - Useful commands), 2024-01-29T13:33:21Z, Jules: /* Générer un CSR */
<hr />
<div>= Introduction =

This article lists the most commonly used openssl commands. There are already hundreds of such pages on the internet; the point of this one is to build up a personal reference over time.

= Useful links =

* [https://www.sslshopper.com/article-most-common-openssl-commands.html SSLShopper page]
* [https://www.tbs-certificats.com/FAQ/fr/192.html CSR generation (TBS)]
* [https://en.wikipedia.org/wiki/Self-signed_certificate Wikipedia - Self-signed certificates]
* [https://www.ibm.com/docs/en/api-connect/2018.x?topic=overview-generating-self-signed-certificate-using-openssl Generating a self-signed certificate]
* [https://romain.therrat.fr/posts/2020/04/openssl-tester-la-compatibilit%C3%A9-d-une-version-de-tls/ Romain Therrat's blog, post on testing TLS version compatibility with openssl]

= Most useful commands =

== Check which TLS versions an openssl build knows about ==

openssl ciphers -v | awk '{ print $2 }' | sort -u

The second column of openssl ciphers -v is the protocol version in which each cipher suite was introduced, so the list is the set of protocol generations the build knows about, not a guarantee that each one can be negotiated: SSLv3 shows up for every suite first defined in SSLv3 even on builds where the SSLv3 protocol itself is compiled out. A TLSv1.3 line, on the other hand, is reliable (OpenSSL 1.1.1 or later).

Example on an old openssl:

<pre>
[root@hostname ~]# openssl ciphers -v| awk '{ print $2 }'|sort|uniq
SSLv3
[root@hostname ~]# openssl version
OpenSSL 1.0.0-fips 29 Mar 2010
</pre>

Example on a recent openssl:

<pre>
user@hostname:~$ openssl ciphers -v| awk '{ print $2 }'|sort|uniq
SSLv3
TLSv1
TLSv1.2
TLSv1.3
user@hostname:~$ openssl version
OpenSSL 1.1.1d 10 Sep 2019
</pre>

== Test whether a remote service supports a given TLS version ==

openssl s_client -connect google.com:443 -brief -<tls_version>

<tls_version> is one of tls1, tls1_1, tls1_2 or tls1_3; the option forces that exact version, so the handshake fails if the server does not accept it. -brief (OpenSSL 1.1.0 or later) prints only the negotiated parameters. The echo "Q" in the example closes the session once the handshake is done; s_client would otherwise wait for input.

Example:

<pre>
user@hotname:~$ echo "Q" | openssl s_client -connect google.com:443 -brief -tls1_3
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_256_GCM_SHA384
Peer certificate: CN = *.google.com
Hash used: SHA256
Signature type: ECDSA
Verification: OK
Server Temp Key: X25519, 253 bits
DONE
user@hotname:~$ echo "Q" | openssl s_client -connect google.com:443 -brief -tls1_2
CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Ciphersuite: ECDHE-ECDSA-CHACHA20-POLY1305
Peer certificate: CN = *.google.com
Hash used: SHA256
Signature type: ECDSA
Verification: OK
Supported Elliptic Curve Point Formats: uncompressed
Server Temp Key: X25519, 253 bits
DONE
</pre>

== Identify the SSL/TLS protocols and cipher suites available on a web service ==

for v in ssl2 ssl3 tls1 tls1_1 tls1_2 tls1_3; do \
for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do \
openssl s_client -connect <host>:443 -cipher $c -$v < /dev/null > /dev/null 2>&1 && echo -e "$v:\t$c"; \
done; \
done

Two caveats. The loop only reports what the local openssl build can itself negotiate: ssl2 and ssl3 are compiled out of modern builds, so those rows stay empty whether or not the server still accepts them (a dedicated scanner such as testssl.sh or sslscan answers that question). And -cipher only selects TLS 1.2 and older suites; TLS 1.3 suites are chosen with -ciphersuites, so the tls1_3 row succeeds for every $c with the default TLS 1.3 suites regardless of the value of $c. The 'ALL:eNULL' list deliberately includes the NULL-encryption suites: a server that accepts one of them is a finding.

== Test an SSL/TLS port ==

openssl s_client -connect <host>:<port>

Add -servername <hostname> when several names are hosted behind one IP: without it no SNI is sent and the server answers with its default certificate.

== Generate a CSR ==

openssl req -sha256 -nodes -newkey rsa:2048 -keyout www.monsite.com.key -out www.monsite.com.csr

-nodes ("no DES") writes the private key unencrypted, so restrict its permissions (chmod 600) and keep it off shared locations; without -nodes openssl asks for a passphrase and encrypts the key with it.

From a details file (non-interactive):

openssl req -nodes -newkey rsa:2048 -sha256 -keyout monsite.key -out monsite.csr -config csr_details.txt

Format of the details file:

<pre>
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=FR
ST=<a region>
L=<a city>
O=<an organisation>
OU=<an OU>
emailAddress=<a contact email>
CN = <the wanted CN, i.e. the name to cover>

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = <alt_name_1>
DNS.2 = <alt_name_2>
IP.1 = <IP>
</pre>

Modern browsers match the requested host name against the subjectAltName entries only and ignore the CN, so the CN must also be listed as one of the DNS.n entries.
== Read the content of a CSR ==

openssl req -noout -text -verify -in mon.domaine.com.csr

-verify checks the CSR's self-signature, i.e. that it was signed with the private key matching the public key it carries.

== Check the content of a PEM certificate ==

openssl x509 -in <certificate_file> -text -noout

== Convert between DER (.crt .cer .der) and PEM ==

PEM to DER (here the .cer file is PEM-encoded):

openssl x509 -outform der -in certificate.cer -out certificate.der

DER to PEM:

openssl x509 -inform der -in certificate.der -out certificate.pem

The extension says nothing reliable about the encoding: a .cer or .crt file can be either. PEM is base64 text between BEGIN CERTIFICATE and END CERTIFICATE lines; DER is binary.

== Remove the passphrase from a private key ==

openssl rsa -in /path/to/ssl/032019/withPassPhrase.key -out /path/to/ssl/withoutPassPhrase.key

Enter the passphrase interactively when prompted. The resulting key can then be used in service configurations that cannot prompt for it at startup. It is now protected by file permissions only: chmod 600, owned by root or the service account, and never copied or committed alongside the certificate. For non-RSA keys use openssl pkey instead of openssl rsa.

== Check that CSR, private key and certificate match ==

Get the MD5 hash of the modulus of each file and compare them (all three must be identical):

openssl x509 -in <certificate> -noout -modulus | openssl md5
openssl rsa -in <private_key> -noout -modulus | openssl md5
openssl req -in <csr> -noout -modulus | openssl md5

MD5 is fine here: the hash is only a shorthand for comparing the values, nothing is signed with it. -modulus only exists for RSA keys; for EC keys compare the public keys instead, which works for both key types:

openssl x509 -in <certificate> -noout -pubkey | openssl md5
openssl pkey -in <private_key> -pubout | openssl md5
openssl req -in <csr> -noout -pubkey | openssl md5

== Check the order of the certificates in a chain ==

Logic:
* start from your own (leaf) certificate.
* have one file per certificate of the chain.
* taking the leaf as the top of the stack, read its Issuer; the certificate one level below must have a Subject strictly identical to it.

openssl x509 -in <certificate> -text -noout | grep Issuer

Then

openssl x509 -in <one_of_the_chain_certificates> -text -noout | grep Subject

The chain certificate whose Subject equals the Issuer of the previous one comes next.

Then concatenate all these certificates into a single file:

cat <certificate> > fullchain.pem
cat <CA1_certificate> >> fullchain.pem
...
cat <CAn_certificate> >> fullchain.pem
cat <RootCA_certificate> >> fullchain.pem

Check that there is no run-together BEGIN and END CERTIFICATE (e.g. a missing newline at the end of one of the files). The root CA is optional in the file served by a web server: clients validate against the root in their own trust store, and sending it only adds bytes to every handshake. openssl verify -CAfile <RootCA_certificate> -untrusted fullchain.pem <certificate> confirms that the chain is complete; it rebuilds the path itself, so it does not prove the order, which is what the manual check above is for.
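The manual Issuer/Subject walk above, automated: an added example, not code from the original page, that splits a bundle into certificates, finds the leaf (the one certificate that issued none of the others), follows Issuer to Subject until it reaches a self-signed certificate or runs out of candidates, and writes the result leaf-first. To run offline it first generates a throwaway root, intermediate and leaf; those names and the work directory are placeholders, and the minimal req.cnf exists only so that openssl req does not depend on the system openssl.cnf.

```shell
#!/bin/sh
# Added example (not from the original page): order a certificate bundle
# leaf-first by following Issuer -> Subject, then verify the result.
# The three-tier CA (root, intermediate, leaf) is generated here only for the
# demonstration; all names are placeholders.
set -e
WORK=$(mktemp -d)
printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = placeholder\n' > "$WORK/req.cnf"  # DN comes from -subj

# newcsr NAME SUBJECT: key + CSR for NAME in $WORK
newcsr() {
    openssl req -new -nodes -newkey rsa:2048 -subj "$2" -config "$WORK/req.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# issue NAME ISSUER EXTENSIONS: sign NAME's CSR with ISSUER's key (ISSUER = NAME means self-signed)
issue() {
    printf '%b\n' "$3" > "$WORK/$1.ext"
    if [ "$1" = "$2" ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 -sha256 \
            -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
            -CAcreateserial -days 30 -sha256 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
    fi
}

# dn FILE subject|issuer: that name of a certificate in RFC 2253 form
dn() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }

# order_chain BUNDLE OUT: write OUT with the leaf first, each certificate followed by its issuer
order_chain() {
    tmp=$(mktemp -d)
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ } n > 0 { print > (d "/c" n ".pem") }' "$1"
    # the leaf is the only certificate that issued none of the others
    leaf=""
    for f in "$tmp"/c*.pem; do
        used=0
        for g in "$tmp"/c*.pem; do
            [ "$f" != "$g" ] && [ "$(dn "$g" issuer)" = "$(dn "$f" subject)" ] && used=1
        done
        [ "$used" -eq 0 ] && leaf=$f
    done
    : > "$2"
    cur=$leaf
    while [ -n "$cur" ]; do
        cat "$cur" >> "$2"
        [ "$(dn "$cur" issuer)" = "$(dn "$cur" subject)" ] && break   # self-signed root reached
        nxt=""
        for g in "$tmp"/c*.pem; do
            [ "$(dn "$g" subject)" = "$(dn "$cur" issuer)" ] && nxt=$g
        done
        cur=$nxt   # empty when the issuer is missing from the bundle
    done
    rm -rf "$tmp"
}

# chain_subjects FILE: the Subject of each certificate in FILE, in file order
chain_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout | sed -n 's/^subject=//p'
}

# Build root -> intermediate -> leaf, then feed them to order_chain in the wrong order.
newcsr root "/CN=Example Root CA"
issue root root 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
newcsr int "/CN=Example Intermediate CA"
issue int root 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign'
newcsr leaf "/CN=leaf.example.test"
issue leaf int 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:leaf.example.test'
cat "$WORK/int.pem" "$WORK/root.pem" "$WORK/leaf.pem" > "$WORK/bundle.pem"
order_chain "$WORK/bundle.pem" "$WORK/fullchain.pem"
chain_subjects "$WORK/fullchain.pem"
# Completeness check (openssl rebuilds the path itself, so this does not prove the order):
openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/fullchain.pem" "$WORK/leaf.pem"
```

chain_subjects prints the leaf, then the intermediate, then the root. When the bundle lacks the issuer of some certificate, order_chain stops there and the output is shorter than the input, which is the signal that an intermediate is missing from what the CA gave you.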
[[Category:Commande]]
[[Category:Howto]]
[[Category:SSL]]</div>
https://wiki.pedrono.fr/index.php?title=TIPS_-_Curl&diff=852 TIPS - Curl, 2023-09-25T14:51:01Z, Jules: /* Only request response headers */
<hr />
<div>= Introduction =

This article lists a few ways to call curl, depending on your need.

= Curl calls =

== Curl with verbose output ==

curl option: -v (or --verbose). It prints the request and response headers and, for HTTPS, the TLS handshake details (protocol version, cipher, server certificate and whether it verified).

== Fake the DNS resolution ==

Use cases:
* your website is behind a WAF and the FQDN resolves to it rather than directly to the web server (the origin).
* your website is behind a reverse proxy, but you want to reach the underlying web service with the proper Host header in your request.

curl --resolve <my.domain>:443:<IP> https://<my.domain>[/<my_uri>]

--resolve pins the name to the IP for this call only, without touching /etc/hosts. Since curl still believes it is talking to <my.domain>, the Host header, the TLS SNI and the certificate check all use the real name, which is what makes it preferable to calling https://<IP> with a hand-set Host header (see below). While you are there, check that the origin refuses direct connections that bypass the WAF: if this request succeeds from the internet, anyone who learns the origin's address can skip the WAF.

== Add a request header ==

curl option: -H (or --header).

Sample call:

curl -IL -H '<header name>: <header value>' https://<URL to curl>

== Only request response headers ==

curl option: -I (sends a HEAD request; some servers answer HEAD differently from GET, in which case use -s -o /dev/null -D - with a normal GET to see the headers).

See the previous sample.

== Request CORS headers ==

Send the preflight request a browser would send and look at what comes back:

curl -s -o /dev/null -D - -X OPTIONS -H "Origin: https://EXAMPLE.COM" -H 'Access-Control-Request-Method: GET' https://EXAMPLE.COM/SOMETHING | grep -i 'Access-Control-Allow-'

-D - dumps the response headers to stdout (-I would turn the request into a HEAD). Try an Origin that is not yours as well: an Access-Control-Allow-Origin that simply reflects any Origin, especially together with Access-Control-Allow-Credentials: true, lets any site read the responses with the user's cookies.

== Don't check the SSL certificate ==

This option may be useful in some situations:
* SSL deep inspection on the path, with re-encryption done with a self-signed certificate or a certificate issued by a CA that is not in your local CA store.
* testing a WAF or reverse proxy whose SSL configuration is not fully ready yet.

curl option: -k (or --insecure).

Sample:

curl -k https://<IP> -I -v --header 'Host: <the real hostname you request>'

-k disables the only thing that authenticates the server, so keep it for interactive troubleshooting and out of scripts. For the inspection case, adding the inspection CA with --cacert <ca.pem> (or to the system store) keeps the verification. Note also that with an IP address in the URL curl sends no SNI, so a server hosting several names may answer with its default certificate; --resolve (above) avoids both problems at once.
[[Category:Troubleshooting]]</div>
https://wiki.pedrono.fr/index.php?title=TIPS_-_Wget&diff=850 TIPS - Wget, 2023-09-25T14:44:33Z, Jules
<hr />
<div>= Introduction =

This article lists some uses of the wget command, depending on the need.

= Wget calls =

== Download a website ==

wget --recursive \
--no-clobber \
--page-requisites \
--adjust-extension \
--convert-links \
--domains <domain1>,<domain2> \
--no-parent \
-e robots=off \
https://<URL of the website to download>

Options:
* --domains takes a comma-separated list; a second domain given as a separate argument would be treated as another URL to fetch.
* --adjust-extension is the current name of --html-extension, which is still accepted as a deprecated alias.
* --no-parent keeps wget below the given directory and --domains keeps it on the listed hosts; without both, links to CDNs or partner sites are followed too.
* -e robots=off makes wget ignore robots.txt. Acceptable for a site you own or are authorised to mirror; on anyone else's site it is the kind of behaviour that gets an IP blocked, so at least add --wait and --limit-rate.
[[Category:Troubleshooting]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=TIPS_-_Wget&diff=849TIPS - Wget2023-09-25T14:40:52Z<p>Jules : Page créée avec « = Introduction = This article lists some usage of wget command, depending on the need. = Wget calls = == Download a website == wget --recursive \ --no-clobber \... »</p>
<hr />
<div>= Introduction =<br />
<br />
This article lists some usage of wget command, depending on the need.<br />
<br />
= Wget calls =<br />
<br />
== Download a website ==<br />
<br />
wget --recursive \<br />
--no-clobber \<br />
--page-requisites \<br />
--html-extension \<br />
--convert-links \<br />
--domains <domain1> <domain2> \<br />
--no-parent \<br />
-e robots=off \<br />
https://<URL of the website to download></div>Juleshttps://wiki.pedrono.fr/index.php?title=TIPS_-_Curl&diff=848TIPS - Curl2023-09-25T14:34:36Z<p>Jules : </p>
<hr />
<div>= Introduction =<br />
<br />
This article lists a few ways to call curl, depending on your need.<br />
<br />
= Curl calls =<br />
<br />
== Curl with verbose result ==<br />
<br />
Curl option: -v (or --verbose).<br />
<br />
== Fake the DNS resolution ==<br />
<br />
Use case:<br />
* your website is behind a WAF and the FQDN resolves to it instead of the web server directly (the origin).<br />
* your website is behind a reverse proxy, but you want to access the underlying web service with appropriate host header in your request.<br />
<br />
curl --resolve <my.domain>:443:<IP> https://<my.domain>[/<my_uri>]<br />
<br />
== Add a request header ==<br />
<br />
Curl option: -H (or --header).<br />
<br />
Sample call:<br />
<br />
curl -IL -H '<header name>:<header value>' https://<URL to curl><br />
<br />
== Only request response headers ==<br />
<br />
Curl option: -I<br />
<br />
See previous sample.<br />
<br />
== Don't check SSL certificate ==<br />
<br />
This option may be useful in some situations:<br />
* SSL deep inspection on the path, where re-encryption is done with a self-signed certificate or a certificate issued by a CA not present in your local CA store.<br />
* Testing a WAF or reverse proxy whose SSL configuration is not yet complete.<br />
<br />
Curl option: -k (or --insecure).<br />
<br />
Sample:<br />
<br />
curl -k https://<IP> -I -v --header 'Host:<the real hostname you are requesting>'</div>
Jules
https://wiki.pedrono.fr/index.php?title=TIPS_-_Curl&diff=847
TIPS - Curl
2023-09-25T14:24:34Z
<p>Jules : </p>
<hr />
<div>= Introduction =<br />
<br />
This article lists a few ways to call curl, depending on your need.<br />
<br />
= Curl calls =<br />
<br />
== Fake the DNS resolution ==<br />
<br />
Use case:<br />
* your website is behind a WAF and the FQDN resolves to the WAF instead of the web server itself (the origin).<br />
* your website is behind a reverse proxy, but you want to reach the underlying web service with the appropriate Host header in your request.<br />
<br />
curl --resolve <my.domain>:443:<IP> https://<my.domain>[/<my_uri>]<br />
<br />
== Add a request header ==<br />
<br />
Curl option: -H<br />
<br />
Sample call:<br />
<br />
curl -IL -H '<header name>:<header value>' https://<URL to curl></div>
Jules
https://wiki.pedrono.fr/index.php?title=FORTIGATE_-_Useful_CLI_commands&diff=846
FORTIGATE - Useful CLI commands
2023-08-25T11:19:43Z
<p>Jules : /* IPsec tunnel establishment diagnostic */</p>
<hr />
<div>= Introduction =<br />
<br />
This article gathers some useful CLI commands for FortiGate firewall configuration and diagnostics.<br />
<br />
= Useful Resources =<br />
<br />
* [https://www.youtube.com/watch?v=Tf8FEsq_qNc Tutorial for DHCP relay over an IPSec tunnel].<br />
<br />
= Toolbox =<br />
<br />
== Filter ==<br />
<br />
Any command output can be filtered as in a Linux shell, using a pipe and grep:<br />
<br />
# <command> | grep <pattern><br />
<br />
== Show a configuration when configuring ==<br />
<br />
# config <menu> <submenu><br />
<submenu># show<br />
<br />
To also see default options:<br />
<br />
# show fu<br />
<br />
(for full-configuration)<br />
<br />
== List device interfaces ==<br />
<br />
# show system interface<br />
<br />
== Debug ==<br />
<br />
See [https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc this debug cheatsheet].<br />
<br />
Or [https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPNs-tunnels/ta-p/195955 this one from Fortinet Community].<br />
<br />
# diag vpn tunnel list name <name_of_tunnel><br />
<br />
=== IPsec tunnel establishment diagnostic ===<br />
<br />
==== Phase1 ====<br />
<br />
# diag debug application ike -1<br />
# diag vpn ike log-filter name <name_of_a_IPSec_tunnel><br />
<br />
or<br />
<br />
# diag vpn ike log-filter dst-addr4 <remote_IP><br />
# diagnose debug app ike 255<br />
<br />
and then<br />
<br />
# diag debug enable<br />
<br />
=== Identify tunnel and filter list ===<br />
<br />
# get vpn ipsec tunnel summary<br />
<br />
# diag vpn ike log-filter list<br />
<br />
=== Debug disable ===<br />
<br />
# diag debug disable<br />
<br />
== Firewalling ==<br />
<br />
=== Addresses management ===<br />
<br />
# config firewall address<br />
# edit "<name_of_object>"<br />
# set subnet <ip> <netmask><br />
# next<br />
# end<br />
<br />
=== Address groups management ===<br />
<br />
# config firewall addrgrp<br />
# edit "<group_name>"<br />
# set member "<address_object_1>" ... "<address_object_n>"<br />
# set comment "<your_comment>"<br />
# next<br />
# end<br />
<br />
=== Custom service management ===<br />
<br />
# config firewall service custom<br />
# edit "<name_of_custom_service>"<br />
# set comment "<your_comment>"<br />
# set tcp-portrange <portStart>[-<portEnd>]<br />
# next<br />
# end<br />
<br />
=== Service group management ===<br />
<br />
# config firewall service group<br />
# edit "<service_group_name>"<br />
# set member "<member1>" ... "<membern>"<br />
# set comment "<your_comment>"<br />
# next<br />
# end<br />
<br />
=== Policy management ===<br />
<br />
# show firewall policy<br />
<br />
# config firewall policy<br />
# edit 0<br />
# set srcintf "<name_of_source_itf>"<br />
# set dstintf "<name_of_dest_itf>"<br />
# set srcaddr "all"|"<address_or_group>"<br />
# set dstaddr "<address_or_group>"<br />
# set action accept<br />
# set schedule "always"<br />
# set service "<service_or_servicegroup>"<br />
# set utm-status enable<br />
# set logtraffic all<br />
# set ips-sensor "<ips_configuration_profile>"<br />
# set ssl-ssh-profile "<inspection_configuration_profile>"<br />
# set nat enable|disable<br />
# next<br />
# end<br />
<br />
== Routing ==<br />
<br />
=== See all routes (whatever the protocol being used) ===<br />
<br />
# get router info routing-table all<br />
<br />
'''NB:''' you can replace "all" with "bgp" or "static" or "ospf" to list only those routes.<br />
<br />
=== See all BGP neighbors ===<br />
<br />
# get router info bgp neighbors<br />
<br />
or<br />
<br />
# get router info bgp summary<br />
<br />
=== See advertised routes from a neighbor ===<br />
<br />
# get router info bgp neighbors <neighbor_IP> advertised-routes<br />
<br />
=== See received routes from a neighbor ===<br />
<br />
# get router info bgp neighbors <neighbor_IP> received-routes<br />
<br />
=== Enable soft reconfiguration ===<br />
<br />
# config router bgp<br />
# edit "<neighbor_IP>"<br />
# set soft-reconfiguration enable<br />
# next<br />
# end<br />
<br />
=== Disable network-import-check ===<br />
<br />
See [https://community.fortinet.com/t5/Fortinet-Forum/Advertising-BGP-routes/m-p/203989 this article] for information on the use case.<br />
<br />
# config router bgp<br />
# set network-import-check disable<br />
<br />
'''NB:''' this is not a best practice; prefer to announce networks (and network ranges) that match existing routes on the device.<br />
<br />
== Internet Services ==<br />
<br />
=== Links ===<br />
<br />
* [https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/849970/policy-with-internet-service Fortinet Docs Policy with Internet Service].<br />
* [https://docs.fortinet.com/document/fortigate/6.0.0/handbook/451530/protocol-number Protocol numbers].<br />
* [https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-search-ISDB-using-IP-address/ta-p/193111?externalID=FD46122 Community article on how to search ISDB using IP].<br />
* [https://community.fortinet.com/t5/FortiGate/Technical-Note-Internet-Service-Database-List-of-services-IP/ta-p/192757?externalID=FD40491 Community article on ISDB].<br />
<br />
=== Identify an Internet Service ID ===<br />
<br />
# diagnose internet-service id | grep <name_of_service><br />
<br />
=== List IPs and ports allowed by an Internet Service ===<br />
<br />
# diagnose internet-service id <ID><br />
<br />
=== Check in which Internet Service an IP address or subnet is involved ===<br />
<br />
# diagnose internet-service match root <ip> <netmask><br />
<br />
=== Check whether a protocol and port are allowed towards a destination IP ===<br />
<br />
# diagnose internet-service info root <proto> <port> <IP><br />
<br />
Proto:<br />
* 17: UDP<br />
* 6: TCP<br />
<br />
Result if found:<br />
<br />
Internet Service: <ID and name of the service><br />
<br />
Result if not found: <br />
<br />
Can not find Internet Service ID and name. ret=-1<br />
<br />
[[Category:Fortigate]]<br />
[[Category:Commande]]<br />
[[Category:Howto]]<br />
[[Category:Reseau]]<br />
[[Category:Réseau]]<br />
[[Category:Network]]</div>
Jules
https://wiki.pedrono.fr/index.php?title=FORTIGATE_-_Useful_CLI_commands&diff=845
FORTIGATE - Useful CLI commands
2023-08-10T07:57:52Z
<p>Jules : /* Debug */</p>
<hr />
<div>= Introduction =<br />
<br />
This article gathers some useful CLI commands for FortiGate firewall configuration and diagnostics.<br />
<br />
= Useful Resources =<br />
<br />
* [https://www.youtube.com/watch?v=Tf8FEsq_qNc Tutorial for DHCP relay over an IPSec tunnel].<br />
<br />
= Toolbox =<br />
<br />
== Filter ==<br />
<br />
Any command output can be filtered as in a Linux shell, using a pipe and grep:<br />
<br />
# <command> | grep <pattern><br />
<br />
== Show a configuration when configuring ==<br />
<br />
# config <menu> <submenu><br />
<submenu># show<br />
<br />
To also see default options:<br />
<br />
# show fu<br />
<br />
(for full-configuration)<br />
<br />
== List device interfaces ==<br />
<br />
# show system interface<br />
<br />
== Debug ==<br />
<br />
See [https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc this debug cheatsheet].<br />
<br />
Or [https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPNs-tunnels/ta-p/195955 this one from Fortinet Community].<br />
<br />
# diag vpn tunnel list name <name_of_tunnel><br />
<br />
=== IPsec tunnel establishment diagnostic ===<br />
<br />
# diag debug application ike -1<br />
# diag debug enable<br />
# diag vpn ike log-filter name <name_of_a_IPSec_tunnel><br />
<br />
=== Identify tunnel and filter list ===<br />
<br />
# get vpn ipsec tunnel summary<br />
<br />
# diag vpn ike log-filter list<br />
<br />
=== Debug disable ===<br />
<br />
# diag debug disable<br />
<br />
== Firewalling ==<br />
<br />
=== Addresses management ===<br />
<br />
# config firewall address<br />
# edit "<name_of_object>"<br />
# set subnet <ip> <netmask><br />
# next<br />
# end<br />
<br />
=== Address groups management ===<br />
<br />
# config firewall addrgrp<br />
# edit "<group_name>"<br />
# set member "<address_object_1>" ... "<address_object_n>"<br />
# set comment "<your_comment>"<br />
# next<br />
# end<br />
<br />
=== Custom service management ===<br />
<br />
# config firewall service custom<br />
# edit "<name_of_custom_service>"<br />
# set comment "<your_comment>"<br />
# set tcp-portrange <portStart>[-<portEnd>]<br />
# next<br />
# end<br />
<br />
=== Service group management ===<br />
<br />
# config firewall service group<br />
# edit "<service_group_name>"<br />
# set member "<member1>" ... "<membern>"<br />
# set comment "<your_comment>"<br />
# next<br />
# end<br />
<br />
=== Policy management ===<br />
<br />
# show firewall policy<br />
<br />
# config firewall policy<br />
# edit 0<br />
# set srcintf "<name_of_source_itf>"<br />
# set dstintf "<name_of_dest_itf>"<br />
# set srcaddr "all"|"<address_or_group>"<br />
# set dstaddr "<address_or_group>"<br />
# set action accept<br />
# set schedule "always"<br />
# set service "<service_or_servicegroup>"<br />
# set utm-status enable<br />
# set logtraffic all<br />
# set ips-sensor "<ips_configuration_profile>"<br />
# set ssl-ssh-profile "<inspection_configuration_profile>"<br />
# set nat enable|disable<br />
# next<br />
# end<br />
<br />
== Routing ==<br />
<br />
=== See all routes (whatever the protocol being used) ===<br />
<br />
# get router info routing-table all<br />
<br />
'''NB:''' you can replace "all" with "bgp" or "static" or "ospf" to list only those routes.<br />
<br />
=== See all BGP neighbors ===<br />
<br />
# get router info bgp neighbors<br />
<br />
or<br />
<br />
# get router info bgp summary<br />
<br />
=== See advertised routes from a neighbor ===<br />
<br />
# get router info bgp neighbors <neighbor_IP> advertised-routes<br />
<br />
=== See received routes from a neighbor ===<br />
<br />
# get router info bgp neighbors <neighbor_IP> received-routes<br />
<br />
=== Enable soft reconfiguration ===<br />
<br />
# config router bgp<br />
# edit "<neighbor_IP>"<br />
# set soft-reconfiguration enable<br />
# next<br />
# end<br />
<br />
=== Disable network-import-check ===<br />
<br />
See [https://community.fortinet.com/t5/Fortinet-Forum/Advertising-BGP-routes/m-p/203989 this article] for information on the use case.<br />
<br />
# config router bgp<br />
# set network-import-check disable<br />
<br />
'''NB:''' this is not a best practice; prefer to announce networks (and network ranges) that match existing routes on the device.<br />
<br />
== Internet Services ==<br />
<br />
=== Links ===<br />
<br />
* [https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/849970/policy-with-internet-service Fortinet Docs Policy with Internet Service].<br />
* [https://docs.fortinet.com/document/fortigate/6.0.0/handbook/451530/protocol-number Protocol numbers].<br />
* [https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-search-ISDB-using-IP-address/ta-p/193111?externalID=FD46122 Community article on how to search ISDB using IP].<br />
* [https://community.fortinet.com/t5/FortiGate/Technical-Note-Internet-Service-Database-List-of-services-IP/ta-p/192757?externalID=FD40491 Community article on ISDB].<br />
<br />
=== Identify an Internet Service ID ===<br />
<br />
# diagnose internet-service id | grep <name_of_service><br />
<br />
=== List IPs and ports allowed by an Internet Service ===<br />
<br />
# diagnose internet-service id <ID><br />
<br />
=== Check in which Internet Service an IP address or subnet is involved ===<br />
<br />
# diagnose internet-service match root <ip> <netmask><br />
<br />
=== Check whether a protocol and port are allowed towards a destination IP ===<br />
<br />
# diagnose internet-service info root <proto> <port> <IP><br />
<br />
Proto:<br />
* 17: UDP<br />
* 6: TCP<br />
<br />
Result if found:<br />
<br />
Internet Service: <ID and name of the service><br />
<br />
Result if not found: <br />
<br />
Can not find Internet Service ID and name. ret=-1<br />
<br />
[[Category:Fortigate]]<br />
[[Category:Commande]]<br />
[[Category:Howto]]<br />
[[Category:Reseau]]<br />
[[Category:Réseau]]<br />
[[Category:Network]]</div>
Jules
https://wiki.pedrono.fr/index.php?title=FORTIGATE_-_Useful_CLI_commands&diff=844
FORTIGATE - Useful CLI commands
2023-08-03T11:35:31Z
<p>Jules : </p>
<hr />
<div>= Introduction =<br />
<br />
This article gathers some useful CLI commands for FortiGate firewall configuration and diagnostics.<br />
<br />
= Useful Resources =<br />
<br />
* [https://www.youtube.com/watch?v=Tf8FEsq_qNc Tutorial for DHCP relay over an IPSec tunnel].<br />
<br />
= Toolbox =<br />
<br />
== Filter ==<br />
<br />
Any command output can be filtered as in a Linux shell, using a pipe and grep:<br />
<br />
# <command> | grep <pattern><br />
<br />
== Show a configuration when configuring ==<br />
<br />
# config <menu> <submenu><br />
<submenu># show<br />
<br />
To also see default options:<br />
<br />
# show fu<br />
<br />
(for full-configuration)<br />
<br />
== List device interfaces ==<br />
<br />
# show system interface<br />
<br />
== Debug ==<br />
<br />
See [https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc this debug cheatsheet].<br />
<br />
# diag vpn tunnel list name <name_of_tunnel><br />
<br />
=== IPsec tunnel establishment diagnostic ===<br />
<br />
# diag debug application ike -1<br />
# diag debug enable<br />
# diag vpn ike log-filter name <name_of_a_IPSec_tunnel><br />
<br />
=== Identify tunnel and filter list ===<br />
<br />
# get vpn ipsec tunnel summary<br />
<br />
# diag vpn ike log-filter list<br />
<br />
=== Debug disable ===<br />
<br />
# diag debug disable<br />
<br />
== Firewalling ==<br />
<br />
=== Addresses management ===<br />
<br />
# config firewall address<br />
# edit "<name_of_object>"<br />
# set subnet <ip> <netmask><br />
# next<br />
# end<br />
<br />
=== Address groups management ===<br />
<br />
# config firewall addrgrp<br />
# edit "<group_name>"<br />
# set member "<address_object_1>" ... "<address_object_n>"<br />
# set comment "<your_comment>"<br />
# next<br />
# end<br />
<br />
=== Custom service management ===<br />
<br />
# config firewall service custom<br />
# edit "<name_of_custom_service>"<br />
# set comment "<your_comment>"<br />
# set tcp-portrange <portStart>[-<portEnd>]<br />
# next<br />
# end<br />
<br />
=== Service group management ===<br />
<br />
# config firewall service group<br />
# edit "<service_group_name>"<br />
# set member "<member1>" ... "<membern>"<br />
# set comment "<your_comment>"<br />
# next<br />
# end<br />
<br />
=== Policy management ===<br />
<br />
# show firewall policy<br />
<br />
# config firewall policy<br />
# edit 0<br />
# set srcintf "<name_of_source_itf>"<br />
# set dstintf "<name_of_dest_itf>"<br />
# set srcaddr "all"|"<address_or_group>"<br />
# set dstaddr "<address_or_group>"<br />
# set action accept<br />
# set schedule "always"<br />
# set service "<service_or_servicegroup>"<br />
# set utm-status enable<br />
# set logtraffic all<br />
# set ips-sensor "<ips_configuration_profile>"<br />
# set ssl-ssh-profile "<inspection_configuration_profile>"<br />
# set nat enable|disable<br />
# next<br />
# end<br />
<br />
== Routing ==<br />
<br />
=== See all routes (whatever the protocol being used) ===<br />
<br />
# get router info routing-table all<br />
<br />
'''NB:''' you can replace "all" with "bgp" or "static" or "ospf" to list only those routes.<br />
<br />
=== See all BGP neighbors ===<br />
<br />
# get router info bgp neighbors<br />
<br />
or<br />
<br />
# get router info bgp summary<br />
<br />
=== See advertised routes from a neighbor ===<br />
<br />
# get router info bgp neighbors <neighbor_IP> advertised-routes<br />
<br />
=== See received routes from a neighbor ===<br />
<br />
# get router info bgp neighbors <neighbor_IP> received-routes<br />
<br />
=== Enable soft reconfiguration ===<br />
<br />
# config router bgp<br />
# edit "<neighbor_IP>"<br />
# set soft-reconfiguration enable<br />
# next<br />
# end<br />
<br />
=== Disable network-import-check ===<br />
<br />
See [https://community.fortinet.com/t5/Fortinet-Forum/Advertising-BGP-routes/m-p/203989 this article] for information on the use case.<br />
<br />
# config router bgp<br />
# set network-import-check disable<br />
<br />
'''NB:''' this is not a best practice; prefer to announce networks (and network ranges) that match existing routes on the device.<br />
<br />
== Internet Services ==<br />
<br />
=== Links ===<br />
<br />
* [https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/849970/policy-with-internet-service Fortinet Docs Policy with Internet Service].<br />
* [https://docs.fortinet.com/document/fortigate/6.0.0/handbook/451530/protocol-number Protocol numbers].<br />
* [https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-search-ISDB-using-IP-address/ta-p/193111?externalID=FD46122 Community article on how to search ISDB using IP].<br />
* [https://community.fortinet.com/t5/FortiGate/Technical-Note-Internet-Service-Database-List-of-services-IP/ta-p/192757?externalID=FD40491 Community article on ISDB].<br />
<br />
=== Identify an Internet Service ID ===<br />
<br />
# diagnose internet-service id | grep <name_of_service><br />
<br />
=== List IPs and ports allowed by an Internet Service ===<br />
<br />
# diagnose internet-service id <ID><br />
<br />
=== Check in which Internet Service an IP address or subnet is involved ===<br />
<br />
# diagnose internet-service match root <ip> <netmask><br />
<br />
=== Check whether a protocol and port are allowed towards a destination IP ===<br />
<br />
# diagnose internet-service info root <proto> <port> <IP><br />
<br />
Proto:<br />
* 17: UDP<br />
* 6: TCP<br />
<br />
Result if found:<br />
<br />
Internet Service: <ID and name of the service><br />
<br />
Result if not found: <br />
<br />
Can not find Internet Service ID and name. ret=-1<br />
<br />
[[Category:Fortigate]]<br />
[[Category:Commande]]<br />
[[Category:Howto]]<br />
[[Category:Reseau]]<br />
[[Category:Réseau]]<br />
[[Category:Network]]</div>
Jules
https://wiki.pedrono.fr/index.php?title=FORTIGATE_-_Useful_CLI_commands&diff=843
FORTIGATE - Useful CLI commands
2023-08-03T09:51:27Z
<p>Jules : /* Show a configuration when configuring */</p>
<hr />
<div>= Introduction =<br />
<br />
This article gathers some useful CLI commands for FortiGate firewall configuration and diagnostics.<br />
<br />
= Toolbox =<br />
<br />
== Filter ==<br />
<br />
Any command output can be filtered as in a Linux shell, using a pipe and grep:<br />
<br />
# <command> | grep <pattern><br />
<br />
== Show a configuration when configuring ==<br />
<br />
# config <menu> <submenu><br />
<submenu># show<br />
<br />
To also see default options:<br />
<br />
# show fu<br />
<br />
(for full-configuration)<br />
<br />
== List device interfaces ==<br />
<br />
# show system interface<br />
<br />
== Debug ==<br />
<br />
See [https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc this debug cheatsheet].<br />
<br />
# diag vpn tunnel list name <name_of_tunnel><br />
<br />
=== IPsec tunnel establishment diagnostic ===<br />
<br />
# diag debug application ike -1<br />
# diag debug enable<br />
# diag vpn ike log-filter name <name_of_a_IPSec_tunnel><br />
<br />
=== Identify tunnel and filter list ===<br />
<br />
# get vpn ipsec tunnel summary<br />
<br />
# diag vpn ike log-filter list<br />
<br />
=== Debug disable ===<br />
<br />
# diag debug disable<br />
<br />
== Firewalling ==<br />
<br />
=== Addresses management ===<br />
<br />
# config firewall address<br />
# edit "<name_of_object>"<br />
# set subnet <ip> <netmask><br />
# next<br />
# end<br />
<br />
=== Address groups management ===<br />
<br />
# config firewall addrgrp<br />
# edit "<group_name>"<br />
# set member "<address_object_1>" ... "<address_object_n>"<br />
# set comment "<your_comment>"<br />
# next<br />
# end<br />
<br />
=== Custom service management ===<br />
<br />
# config firewall service custom<br />
# edit "<name_of_custom_service>"<br />
# set comment "<your_comment>"<br />
# set tcp-portrange <portStart>[-<portEnd>]<br />
# next<br />
# end<br />
<br />
=== Service group management ===<br />
<br />
# config firewall service group<br />
# edit "<service_group_name>"<br />
# set member "<member1>" ... "<membern>"<br />
# set comment "<your_comment>"<br />
# next<br />
# end<br />
<br />
=== Policy management ===<br />
<br />
# show firewall policy<br />
<br />
# config firewall policy<br />
# edit 0<br />
# set srcintf "<name_of_source_itf>"<br />
# set dstintf "<name_of_dest_itf>"<br />
# set srcaddr "all"|"<address_or_group>"<br />
# set dstaddr "<address_or_group>"<br />
# set action accept<br />
# set schedule "always"<br />
# set service "<service_or_servicegroup>"<br />
# set utm-status enable<br />
# set logtraffic all<br />
# set ips-sensor "<ips_configuration_profile>"<br />
# set ssl-ssh-profile "<inspection_configuration_profile>"<br />
# set nat enable|disable<br />
# next<br />
# end<br />
<br />
== Routing ==<br />
<br />
=== See all routes (whatever the protocol being used) ===<br />
<br />
# get router info routing-table all<br />
<br />
'''NB:''' you can replace "all" with "bgp" or "static" or "ospf" to list only those routes.<br />
<br />
=== See all BGP neighbors ===<br />
<br />
# get router info bgp neighbors<br />
<br />
or<br />
<br />
# get router info bgp summary<br />
<br />
=== See advertised routes from a neighbor ===<br />
<br />
# get router info bgp neighbors <neighbor_IP> advertised-routes<br />
<br />
=== See received routes from a neighbor ===<br />
<br />
# get router info bgp neighbors <neighbor_IP> received-routes<br />
<br />
=== Enable soft reconfiguration ===<br />
<br />
# config router bgp<br />
# edit "<neighbor_IP>"<br />
# set soft-reconfiguration enable<br />
# next<br />
# end<br />
<br />
=== Disable network-import-check ===<br />
<br />
See [https://community.fortinet.com/t5/Fortinet-Forum/Advertising-BGP-routes/m-p/203989 this article] for information on the use case.<br />
<br />
# config router bgp<br />
# set network-import-check disable<br />
<br />
'''NB:''' this is not a best practice; prefer to announce networks (and network ranges) that match existing routes on the device.<br />
<br />
== Internet Services ==<br />
<br />
=== Links ===<br />
<br />
* [https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/849970/policy-with-internet-service Fortinet Docs Policy with Internet Service].<br />
* [https://docs.fortinet.com/document/fortigate/6.0.0/handbook/451530/protocol-number Protocol numbers].<br />
* [https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-search-ISDB-using-IP-address/ta-p/193111?externalID=FD46122 Community article on how to search ISDB using IP].<br />
* [https://community.fortinet.com/t5/FortiGate/Technical-Note-Internet-Service-Database-List-of-services-IP/ta-p/192757?externalID=FD40491 Community article on ISDB].<br />
<br />
=== Identify an Internet Service ID ===<br />
<br />
# diagnose internet-service id | grep <name_of_service><br />
<br />
=== List IPs and ports allowed by an Internet Service ===<br />
<br />
# diagnose internet-service id <ID><br />
<br />
=== Check in which Internet Service an IP address or subnet is involved ===<br />
<br />
# diagnose internet-service match root <ip> <netmask><br />
<br />
=== Check whether a protocol and port are allowed towards a destination IP ===<br />
<br />
# diagnose internet-service info root <proto> <port> <IP><br />
<br />
Proto:<br />
* 17: UDP<br />
* 6: TCP<br />
<br />
Result if found:<br />
<br />
Internet Service: <ID and name of the service><br />
<br />
Result if not found: <br />
<br />
Can not find Internet Service ID and name. ret=-1<br />
<br />
[[Category:Fortigate]]<br />
[[Category:Commande]]<br />
[[Category:Howto]]<br />
[[Category:Reseau]]<br />
[[Category:Réseau]]<br />
[[Category:Network]]</div>
Jules
https://wiki.pedrono.fr/index.php?title=FORTIGATE_-_Useful_CLI_commands&diff=842
FORTIGATE - Useful CLI commands
2023-08-03T09:10:49Z
<p>Jules : /* Policy management */</p>
<hr />
<div>= Introduction =<br />
<br />
This article gathers some useful CLI commands for FortiGate firewall configuration and diagnostics.<br />
<br />
= Toolbox =<br />
<br />
== Filter ==<br />
<br />
Any command output can be filtered as in a Linux shell, using a pipe and grep:<br />
<br />
# <command> | grep <pattern><br />
<br />
== Show a configuration when configuring ==<br />
<br />
# config <menu> <submenu><br />
<submenu># show<br />
<br />
== List device interfaces ==<br />
<br />
# show system interface<br />
<br />
== Debug ==<br />
<br />
See [https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc this debug cheatsheet].<br />
<br />
# diag vpn tunnel list name <name_of_tunnel><br />
<br />
=== IPsec tunnel establishment diagnostic ===<br />
<br />
# diag debug application ike -1<br />
# diag debug enable<br />
# diag vpn ike log-filter name <name_of_a_IPSec_tunnel><br />
<br />
=== Identify tunnel and filter list ===<br />
<br />
# get vpn ipsec tunnel summary<br />
<br />
# diag vpn ike log-filter list<br />
<br />
=== Debug disable ===<br />
<br />
# diag debug disable<br />
<br />
== Firewalling ==<br />
<br />
=== Addresses management ===<br />
<br />
# config firewall address<br />
# edit "<name_of_object>"<br />
# set subnet <ip> <netmask><br />
# next<br />
# end<br />
<br />
=== Address groups management ===<br />
<br />
# config firewall addrgrp<br />
# edit "<group_name>"<br />
# set member "<address_object_1>" ... "<address_object_n>"<br />
# set comment "<your_comment>"<br />
# next<br />
# end<br />
<br />
=== Custom service management ===<br />
<br />
# config firewall service custom<br />
# edit "<name_of_custom_service>"<br />
# set comment "<your_comment>"<br />
# set tcp-portrange <portStart>[-<portEnd>]<br />
# next<br />
# end<br />
<br />
=== Service group management ===<br />
<br />
# config firewall service group<br />
# edit "<service_group_name>"<br />
# set member "<member1>" ... "<membern>"<br />
# set comment "<your_comment>"<br />
# next<br />
# end<br />
<br />
=== Policy management ===<br />
<br />
# show firewall policy<br />
<br />
# config firewall policy<br />
# edit 0<br />
# set srcintf "<name_of_source_itf>"<br />
# set dstintf "<name_of_dest_itf>"<br />
# set srcaddr "all"|"<address_or_group>"<br />
# set dstaddr "<address_or_group>"<br />
# set action accept<br />
# set schedule "always"<br />
# set service "<service_or_servicegroup>"<br />
# set utm-status enable<br />
# set logtraffic all<br />
# set ips-sensor "<ips_configuration_profile>"<br />
# set ssl-ssh-profile "<inspection_configuration_profile>"<br />
# set nat enable|disable<br />
# next<br />
# end<br />
<br />
== Routing ==<br />
<br />
=== See all routes (whatever the protocol being used) ===<br />
<br />
# get router info routing-table all<br />
<br />
'''NB:''' you can replace "all" with "bgp" or "static" or "ospf" to list only those routes.<br />
<br />
=== See all BGP neighbors ===<br />
<br />
# get router info bgp neighbors<br />
<br />
or<br />
<br />
# get router info bgp summary<br />
<br />
=== See advertised routes from a neighbor ===<br />
<br />
# get router info bgp neighbors <neighbor_IP> advertised-routes<br />
<br />
=== See received routes from a neighbor ===<br />
<br />
# get router info bgp neighbors <neighbor_IP> received-routes<br />
<br />
=== Enable soft reconfiguration ===<br />
<br />
# config router bgp<br />
# edit "<neighbor_IP>"<br />
# set soft-reconfiguration enable<br />
# next<br />
# end<br />
<br />
=== Disable network-import-check ===<br />
<br />
See [https://community.fortinet.com/t5/Fortinet-Forum/Advertising-BGP-routes/m-p/203989 this article] for information on the use case.<br />
<br />
# config router bgp<br />
# set network-import-check disable<br />
<br />
'''NB:''' this is not a best practice; prefer to announce networks (and network ranges) that match existing routes on the device.<br />
<br />
== Internet Services ==<br />
<br />
=== Links ===<br />
<br />
* [https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/849970/policy-with-internet-service Fortinet Docs Policy with Internet Service].<br />
* [https://docs.fortinet.com/document/fortigate/6.0.0/handbook/451530/protocol-number Protocol numbers].<br />
* [https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-search-ISDB-using-IP-address/ta-p/193111?externalID=FD46122 Community article on how to search ISDB using IP].<br />
* [https://community.fortinet.com/t5/FortiGate/Technical-Note-Internet-Service-Database-List-of-services-IP/ta-p/192757?externalID=FD40491 Community article on ISDB].<br />
<br />
=== Identify an Internet Service ID ===<br />
<br />
# diagnose internet-service id | grep <name_of_service><br />
<br />
=== List IPs and ports allowed by an Internet Service ===<br />
<br />
# diagnose internet-service id <ID><br />
<br />
=== Check in which Internet Service an IP address or subnet is involved ===<br />
<br />
# diagnose internet-service match root <ip> <netmask><br />
<br />
=== Check whether a protocol and port are allowed towards a destination IP ===<br />
<br />
# diagnose internet-service info root <proto> <port> <IP><br />
<br />
Proto:<br />
* 17: UDP<br />
* 6: TCP<br />
<br />
Result if found:<br />
<br />
Internet Service: <ID and name of the service><br />
<br />
Result if not found: <br />
<br />
Can not find Internet Service ID and name. ret=-1<br />
<br />
[[Category:Fortigate]]<br />
[[Category:Commande]]<br />
[[Category:Howto]]<br />
[[Category:Reseau]]<br />
[[Category:Réseau]]<br />
[[Category:Network]]</div>
Jules
https://wiki.pedrono.fr/index.php?title=FORTIGATE_-_Useful_CLI_commands&diff=841
FORTIGATE - Useful CLI commands
2023-08-03T08:57:50Z
<p>Jules : /* Debug */</p>
<hr />
<div>= Introduction =<br />
<br />
This article gathers some useful CLI commands for FortiGate firewall configuration and diagnostics.<br />
<br />
= Toolbox =<br />
<br />
== Filter ==<br />
<br />
Any command output can be filtered as in a Linux shell, using a pipe and grep:<br />
<br />
# <command> | grep <pattern><br />
<br />
== Show a configuration when configuring ==<br />
<br />
# config <menu> <submenu><br />
<submenu># show<br />
<br />
== List device interfaces ==<br />
<br />
# show system interface<br />
<br />
== Debug ==<br />
<br />
See [https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc this debug cheatsheet].<br />
<br />
# diag vpn tunnel list name <name_of_tunnel><br />
<br />
=== IPsec tunnel establishment diagnostic ===<br />
<br />
# diag debug application ike -1<br />
# diag debug enable<br />
# diag vpn ike log-filter name <name_of_a_IPSec_tunnel><br />
<br />
=== Identify the tunnel and list the log filter ===<br />
<br />
# get vpn ipsec tunnel summary<br />
<br />
# diag vpn ike log-filter list<br />
<br />
=== Debug disable ===<br />
<br />
# diag debug disable<br />
<br />
== Firewalling ==<br />
<br />
=== Address management ===<br />
<br />
# config firewall address<br />
# edit "<name_of_object>"<br />
# set subnet <ip> <netmask><br />
# next<br />
# end<br />
<br />
=== Address groups management ===<br />
<br />
# config firewall addrgrp<br />
# edit "<group_name>"<br />
# set member "<address_object_1>" ... "<address_object_n>"<br />
# set comment "<your_comment>"<br />
# next<br />
# end<br />
<br />
=== Custom service management ===<br />
<br />
# config firewall service custom<br />
# edit "<name_of_custom_service>"<br />
# set comment "<your_comment>"<br />
# set tcp-portrange <portStart>[-<portEnd>]<br />
# next<br />
# end<br />
<br />
=== Service group management ===<br />
<br />
# config firewall service group<br />
# edit "<service_group_name>"<br />
# set member "<member1>" ... "<membern>"<br />
# set comment "<your_comment>"<br />
# next<br />
# end<br />
<br />
=== Policy management ===<br />
<br />
# config firewall policy<br />
# edit 0<br />
# set srcintf "<name_of_source_itf>"<br />
# set dstintf "<name_of_dest_itf>"<br />
# set srcaddr "all"|"<address_or_group>"<br />
# set dstaddr "<address_or_group>"<br />
# set action accept<br />
# set schedule "always"<br />
# set service "<service_or_servicegroup>"<br />
# set utm-status enable<br />
# set logtraffic all<br />
# set ips-sensor "<ips_configuration_profile>"<br />
# set ssl-ssh-profile "<inspection_configuration_profile>"<br />
# set nat enable|disable<br />
# next<br />
# end<br />
<br />
== Routing ==<br />
<br />
=== See all routes (whatever routing protocol is used) ===<br />
<br />
# get router info routing-table all<br />
<br />
'''NB:''' you can replace "all" with "bgp", "static" or "ospf" to list only those routes.<br />
<br />
=== See all BGP neighbors ===<br />
<br />
# get router info bgp neighbors<br />
<br />
or<br />
<br />
# get router info bgp summary<br />
<br />
=== See advertised routes from a neighbor ===<br />
<br />
# get router info bgp neighbors <neighbor_IP> advertised-routes<br />
<br />
=== See received routes from a neighbor ===<br />
<br />
# get router info bgp neighbors <neighbor_IP> received-routes<br />
<br />
=== Enable soft reconfiguration ===<br />
<br />
# config router bgp<br />
# edit "<neighbor_IP>"<br />
# set soft-reconfiguration enable<br />
# next<br />
# end<br />
<br />
=== Disable network-import-check ===<br />
<br />
See [https://community.fortinet.com/t5/Fortinet-Forum/Advertising-BGP-routes/m-p/203989 this article] for information on the use case.<br />
<br />
# config router bgp<br />
# set network-import-check disable<br />
<br />
'''NB:''' this is not a best practice; prefer to announce only networks (and network ranges) that correspond to existing routes on the device.<br />
<br />
== Internet Services ==<br />
<br />
=== Links ===<br />
<br />
* [https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/849970/policy-with-internet-service Fortinet Docs Policy with Internet Service].<br />
* [https://docs.fortinet.com/document/fortigate/6.0.0/handbook/451530/protocol-number Protocol numbers].<br />
* [https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-search-ISDB-using-IP-address/ta-p/193111?externalID=FD46122 Community article on how to search ISDB using IP].<br />
* [https://community.fortinet.com/t5/FortiGate/Technical-Note-Internet-Service-Database-List-of-services-IP/ta-p/192757?externalID=FD40491 Community article on ISDB].<br />
<br />
=== Identify an Internet Service ID ===<br />
<br />
# diagnose internet-service id | grep <name_of_service><br />
<br />
=== List IPs and ports allowed by an Internet Service ===<br />
<br />
# diagnose internet-service id <ID><br />
<br />
=== Check in which Internet Service an IP address or subnet is involved ===<br />
<br />
# diagnose internet-service match root <ip> <netmask><br />
<br />
=== Check whether a flow for a given protocol and port is open to a destination IP ===<br />
<br />
# diagnose internet-service info root <proto> <port> <IP><br />
<br />
Proto (IP protocol number):<br />
* 17: UDP<br />
* 6: TCP<br />
<br />
Result if found:<br />
<br />
Internet Service: <ID and name of the service><br />
<br />
Result if not found: <br />
<br />
Can not find Internet Service ID and name. ret=-1<br />
<br />
[[Category:Fortigate]]<br />
[[Category:Commande]]<br />
[[Category:Howto]]<br />
[[Category:Reseau]]<br />
[[Category:Réseau]]<br />
[[Category:Network]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=FORTIGATE_-_Useful_CLI_commands&diff=840FORTIGATE - Useful CLI commands2023-08-03T08:54:11Z<p>Jules : /* Indentify tunnel and filter list */</p>
<hr />
<div>= Introduction =<br />
<br />
This article gathers some useful CLI commands for Fortigate firewall configuration and diagnostics.<br />
<br />
= Toolbox =<br />
<br />
== Filter ==<br />
<br />
Any command output can be filtered as in a Linux shell, using a pipe and grep:<br />
<br />
# <command> | grep <pattern><br />
<br />
== Show a configuration when configuring ==<br />
<br />
# config <menu> <submenu><br />
<submenu># show<br />
<br />
== List device interfaces ==<br />
<br />
# show system interface<br />
<br />
== Debug ==<br />
<br />
See [https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc this debug cheatsheet].<br />
<br />
=== IPsec tunnel establishment diagnostic ===<br />
<br />
# diag debug application ike -1<br />
# diag debug enable<br />
# diag vpn ike log-filter name <name_of_a_IPSec_tunnel><br />
<br />
=== Identify the tunnel and list the log filter ===<br />
<br />
# get vpn ipsec tunnel summary<br />
<br />
# diag vpn ike log-filter list<br />
<br />
=== Debug disable ===<br />
<br />
# diag debug disable<br />
<br />
== Firewalling ==<br />
<br />
=== Address management ===<br />
<br />
# config firewall address<br />
# edit "<name_of_object>"<br />
# set subnet <ip> <netmask><br />
# next<br />
# end<br />
<br />
=== Address groups management ===<br />
<br />
# config firewall addrgrp<br />
# edit "<group_name>"<br />
# set member "<address_object_1>" ... "<address_object_n>"<br />
# set comment "<your_comment>"<br />
# next<br />
# end<br />
<br />
=== Custom service management ===<br />
<br />
# config firewall service custom<br />
# edit "<name_of_custom_service>"<br />
# set comment "<your_comment>"<br />
# set tcp-portrange <portStart>[-<portEnd>]<br />
# next<br />
# end<br />
<br />
=== Service group management ===<br />
<br />
# config firewall service group<br />
# edit "<service_group_name>"<br />
# set member "<member1>" ... "<membern>"<br />
# set comment "<your_comment>"<br />
# next<br />
# end<br />
<br />
=== Policy management ===<br />
<br />
# config firewall policy<br />
# edit 0<br />
# set srcintf "<name_of_source_itf>"<br />
# set dstintf "<name_of_dest_itf>"<br />
# set srcaddr "all"|"<address_or_group>"<br />
# set dstaddr "<address_or_group>"<br />
# set action accept<br />
# set schedule "always"<br />
# set service "<service_or_servicegroup>"<br />
# set utm-status enable<br />
# set logtraffic all<br />
# set ips-sensor "<ips_configuration_profile>"<br />
# set ssl-ssh-profile "<inspection_configuration_profile>"<br />
# set nat enable|disable<br />
# next<br />
# end<br />
<br />
== Routing ==<br />
<br />
=== See all routes (whatever routing protocol is used) ===<br />
<br />
# get router info routing-table all<br />
<br />
'''NB:''' you can replace "all" with "bgp", "static" or "ospf" to list only those routes.<br />
<br />
=== See all BGP neighbors ===<br />
<br />
# get router info bgp neighbors<br />
<br />
or<br />
<br />
# get router info bgp summary<br />
<br />
=== See advertised routes from a neighbor ===<br />
<br />
# get router info bgp neighbors <neighbor_IP> advertised-routes<br />
<br />
=== See received routes from a neighbor ===<br />
<br />
# get router info bgp neighbors <neighbor_IP> received-routes<br />
<br />
=== Enable soft reconfiguration ===<br />
<br />
# config router bgp<br />
# edit "<neighbor_IP>"<br />
# set soft-reconfiguration enable<br />
# next<br />
# end<br />
<br />
=== Disable network-import-check ===<br />
<br />
See [https://community.fortinet.com/t5/Fortinet-Forum/Advertising-BGP-routes/m-p/203989 this article] for information on the use case.<br />
<br />
# config router bgp<br />
# set network-import-check disable<br />
<br />
'''NB:''' this is not a best practice; prefer to announce only networks (and network ranges) that correspond to existing routes on the device.<br />
<br />
== Internet Services ==<br />
<br />
=== Links ===<br />
<br />
* [https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/849970/policy-with-internet-service Fortinet Docs Policy with Internet Service].<br />
* [https://docs.fortinet.com/document/fortigate/6.0.0/handbook/451530/protocol-number Protocol numbers].<br />
* [https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-search-ISDB-using-IP-address/ta-p/193111?externalID=FD46122 Community article on how to search ISDB using IP].<br />
* [https://community.fortinet.com/t5/FortiGate/Technical-Note-Internet-Service-Database-List-of-services-IP/ta-p/192757?externalID=FD40491 Community article on ISDB].<br />
<br />
=== Identify an Internet Service ID ===<br />
<br />
# diagnose internet-service id | grep <name_of_service><br />
<br />
=== List IPs and ports allowed by an Internet Service ===<br />
<br />
# diagnose internet-service id <ID><br />
<br />
=== Check in which Internet Service an IP address or subnet is involved ===<br />
<br />
# diagnose internet-service match root <ip> <netmask><br />
<br />
=== Check whether a flow for a given protocol and port is open to a destination IP ===<br />
<br />
# diagnose internet-service info root <proto> <port> <IP><br />
<br />
Proto (IP protocol number):<br />
* 17: UDP<br />
* 6: TCP<br />
<br />
Result if found:<br />
<br />
Internet Service: <ID and name of the service><br />
<br />
Result if not found: <br />
<br />
Can not find Internet Service ID and name. ret=-1<br />
<br />
[[Category:Fortigate]]<br />
[[Category:Commande]]<br />
[[Category:Howto]]<br />
[[Category:Reseau]]<br />
[[Category:Réseau]]<br />
[[Category:Network]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=SNMP_-_Configure_SNMP_service_for_Linux&diff=839SNMP - Configure SNMP service for Linux2023-03-07T15:33:46Z<p>Jules : /* Useful links */</p>
<hr />
<div>= Introduction =<br />
<br />
SNMP configuration on Linux may be complex.<br />
<br />
Plenty of documentation exists on the Internet, but it describes so many different methods that it becomes difficult to identify THE best way to do it.<br />
<br />
This article tries to lay out a procedure to install and configure the service.<br />
<br />
= Useful links =<br />
<br />
* [https://www.sugarbug.fr/atelier/techniques/monitoring_lan/snmp/ SNMP and monitoring].<br />
* [https://manpages.ubuntu.com/manpages/xenial/man1/snmpusm.1.html snmpusm man page].<br />
* [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-an-snmp-daemon-and-client-on-ubuntu-18-04 Configure an SNMP daemon and client on Ubuntu 18.04].<br />
* [https://net-snmp.sourceforge.io/docs/README.snmpv3.html net-snmp documentation on SourceForge].<br />
* [https://doc.ubuntu-fr.org/snmp UbuntuFr documentation on SNMP].<br />
* [https://www.loriotpro.com/ServiceAndSupport/How_to/UCD-SNMP_ConfigSNMPv1-v1.2.php Configuration of the Unix SNMP V3 agent].<br />
* ...<br />
<br />
= Useful tools =<br />
<br />
* [https://linux.die.net/man/1/snmpwalk snmpwalk].<br />
* [https://www.paessler.com/tools/snmptester Paessler SNMP Tester].<br />
<br />
= Install and configure the service =<br />
<br />
'''Note''': for the moment let's focus on SNMPv3. SNMPv2 should be documented later on.<br />
<br />
== Ubuntu / Debian ==<br />
<br />
Useful packages:<br />
* snmp<br />
* snmpd<br />
* libsnmp-dev<br />
* snmp-mibs-downloader<br />
<br />
Dependencies:<br />
* libsnmp-base<br />
* libsnmp35:amd64<br />
<br />
Package installation:<br />
<br />
apt-get install snmp<br />
apt-get install snmpd<br />
apt-get install libsnmp-dev<br />
apt-get install snmp-mibs-downloader<br />
<br />
Service stop:<br />
<br />
systemctl stop snmpd.service<br />
<br />
Service configuration:<br />
<br />
vi /etc/snmp/snmpd.conf<br />
...<br />
sysLocation <location description><br />
sysContact <your sysops contact><br />
...<br />
agentaddress 127.0.0.1,[::1],<IP of your server><br />
...<br />
<br />
net-snmp-config --create-snmpv3-user<br />
<br />
'''Note regarding the use of the MIBs downloader''': to use it, comment out the ''mibs :'' line in ''/etc/snmp/snmp.conf'' so that it reads:<br />
# mibs :<br />
<br />
'''Note regarding the user creation''': not sure this behaviour is systematic, but you may have to add a line like the following to ''/etc/snmp/snmpd.conf'' for your user to be properly created at service restart. This line may be deleted from ''/etc/snmp/snmpd.conf'' after the service restart.<br />
<br />
createUser username (MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224) authpassphrase [DES|AES] [privpassphrase]<br />
<br />
Service start:<br />
<br />
systemctl start snmpd.service<br />
<br />
'''Note''': remember to allow the SNMP flows on any firewall running on or around the system.<br />
<br />
[[Category:Howto]]<br />
[[Category:SNMP]]<br />
[[Category:Monitoring]]<br />
[[Category:Linux]]<br />
[[Category:A MODIFIER]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=SNMP_-_Configure_SNMP_service_for_Linux&diff=838SNMP - Configure SNMP service for Linux2023-03-07T15:29:34Z<p>Jules : /* Ubuntu / Debian */</p>
<hr />
<div>= Introduction =<br />
<br />
SNMP configuration on Linux may be complex.<br />
<br />
Plenty of documentation exists on the Internet, but it describes so many different methods that it becomes difficult to identify THE best way to do it.<br />
<br />
This article tries to lay out a procedure to install and configure the service.<br />
<br />
= Useful links =<br />
<br />
* [https://www.sugarbug.fr/atelier/techniques/monitoring_lan/snmp/ SNMP and monitoring].<br />
* [https://manpages.ubuntu.com/manpages/xenial/man1/snmpusm.1.html snmpusm man page].<br />
* [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-an-snmp-daemon-and-client-on-ubuntu-18-04 Configure an SNMP daemon and client on Ubuntu 18.04].<br />
* [https://net-snmp.sourceforge.io/docs/README.snmpv3.html net-snmp documentation on SourceForge].<br />
* [https://doc.ubuntu-fr.org/snmp UbuntuFr documentation on SNMP].<br />
* ...<br />
<br />
= Useful tools =<br />
<br />
* [https://linux.die.net/man/1/snmpwalk snmpwalk].<br />
* [https://www.paessler.com/tools/snmptester Paessler SNMP Tester].<br />
<br />
= Install and configure the service =<br />
<br />
'''Note''': for the moment let's focus on SNMPv3. SNMPv2 should be documented later on.<br />
<br />
== Ubuntu / Debian ==<br />
<br />
Useful packages:<br />
* snmp<br />
* snmpd<br />
* libsnmp-dev<br />
* snmp-mibs-downloader<br />
<br />
Dependencies:<br />
* libsnmp-base<br />
* libsnmp35:amd64<br />
<br />
Package installation:<br />
<br />
apt-get install snmp<br />
apt-get install snmpd<br />
apt-get install libsnmp-dev<br />
apt-get install snmp-mibs-downloader<br />
<br />
Service stop:<br />
<br />
systemctl stop snmpd.service<br />
<br />
Service configuration:<br />
<br />
vi /etc/snmp/snmpd.conf<br />
...<br />
sysLocation <location description><br />
sysContact <your sysops contact><br />
...<br />
agentaddress 127.0.0.1,[::1],<IP of your server><br />
...<br />
<br />
net-snmp-config --create-snmpv3-user<br />
<br />
'''Note regarding the use of the MIBs downloader''': to use it, comment out the ''mibs :'' line in ''/etc/snmp/snmp.conf'' so that it reads:<br />
# mibs :<br />
<br />
'''Note regarding the user creation''': not sure this behaviour is systematic, but you may have to add a line like the following to ''/etc/snmp/snmpd.conf'' for your user to be properly created at service restart. This line may be deleted from ''/etc/snmp/snmpd.conf'' after the service restart.<br />
<br />
createUser username (MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224) authpassphrase [DES|AES] [privpassphrase]<br />
<br />
Service start:<br />
<br />
systemctl start snmpd.service<br />
<br />
'''Note''': remember to allow the SNMP flows on any firewall running on or around the system.<br />
<br />
[[Category:Howto]]<br />
[[Category:SNMP]]<br />
[[Category:Monitoring]]<br />
[[Category:Linux]]<br />
[[Category:A MODIFIER]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=SNMP_-_Configure_SNMP_service_for_Linux&diff=837SNMP - Configure SNMP service for Linux2023-03-07T15:25:51Z<p>Jules : /* Useful links */</p>
<hr />
<div>= Introduction =<br />
<br />
SNMP configuration on Linux may be complex.<br />
<br />
Plenty of documentation exists on the Internet, but it describes so many different methods that it becomes difficult to identify THE best way to do it.<br />
<br />
This article tries to lay out a procedure to install and configure the service.<br />
<br />
= Useful links =<br />
<br />
* [https://www.sugarbug.fr/atelier/techniques/monitoring_lan/snmp/ SNMP and monitoring].<br />
* [https://manpages.ubuntu.com/manpages/xenial/man1/snmpusm.1.html snmpusm man page].<br />
* [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-an-snmp-daemon-and-client-on-ubuntu-18-04 Configure an SNMP daemon and client on Ubuntu 18.04].<br />
* [https://net-snmp.sourceforge.io/docs/README.snmpv3.html net-snmp documentation on SourceForge].<br />
* [https://doc.ubuntu-fr.org/snmp UbuntuFr documentation on SNMP].<br />
* ...<br />
<br />
= Useful tools =<br />
<br />
* [https://linux.die.net/man/1/snmpwalk snmpwalk].<br />
* [https://www.paessler.com/tools/snmptester Paessler SNMP Tester].<br />
<br />
= Install and configure the service =<br />
<br />
'''Note''': for the moment let's focus on SNMPv3. SNMPv2 should be documented later on.<br />
<br />
== Ubuntu / Debian ==<br />
<br />
Useful packages:<br />
* snmp<br />
* snmpd<br />
* libsnmp-dev<br />
<br />
Dependencies:<br />
* libsnmp-base<br />
* libsnmp35:amd64<br />
<br />
Package installation:<br />
<br />
apt-get install snmp<br />
apt-get install snmpd<br />
apt-get install libsnmp-dev<br />
<br />
Service stop:<br />
<br />
systemctl stop snmpd.service<br />
<br />
Service configuration:<br />
<br />
vi /etc/snmp/snmpd.conf<br />
...<br />
sysLocation <location description><br />
sysContact <your sysops contact><br />
...<br />
agentaddress 127.0.0.1,[::1],<IP of your server><br />
...<br />
<br />
net-snmp-config --create-snmpv3-user<br />
<br />
'''Note regarding the user creation''': not sure this behaviour is systematic, but you may have to add a line like the following to ''/etc/snmp/snmpd.conf'' for your user to be properly created at service restart. This line may be deleted from ''/etc/snmp/snmpd.conf'' after the service restart.<br />
<br />
createUser username (MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224) authpassphrase [DES|AES] [privpassphrase]<br />
<br />
Service start:<br />
<br />
systemctl start snmpd.service<br />
<br />
'''Note''': remember to allow the SNMP flows on any firewall running on or around the system.<br />
<br />
[[Category:Howto]]<br />
[[Category:SNMP]]<br />
[[Category:Monitoring]]<br />
[[Category:Linux]]<br />
[[Category:A MODIFIER]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=SNMP_-_Configure_SNMP_service_for_Linux&diff=836SNMP - Configure SNMP service for Linux2023-03-07T15:23:16Z<p>Jules : /* Install and configure the service */</p>
<hr />
<div>= Introduction =<br />
<br />
SNMP configuration on Linux may be complex.<br />
<br />
Plenty of documentation exists on the Internet, but it describes so many different methods that it becomes difficult to identify THE best way to do it.<br />
<br />
This article tries to lay out a procedure to install and configure the service.<br />
<br />
= Useful links =<br />
<br />
* [https://www.sugarbug.fr/atelier/techniques/monitoring_lan/snmp/ SNMP and monitoring].<br />
* [https://manpages.ubuntu.com/manpages/xenial/man1/snmpusm.1.html snmpusm man page].<br />
* [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-an-snmp-daemon-and-client-on-ubuntu-18-04 Configure an SNMP daemon and client on Ubuntu 18.04].<br />
* [https://net-snmp.sourceforge.io/docs/README.snmpv3.html net-snmp documentation on SourceForge].<br />
* ...<br />
<br />
= Useful tools =<br />
<br />
* [https://linux.die.net/man/1/snmpwalk snmpwalk].<br />
* [https://www.paessler.com/tools/snmptester Paessler SNMP Tester].<br />
<br />
= Install and configure the service =<br />
<br />
'''Note''': for the moment let's focus on SNMPv3. SNMPv2 should be documented later on.<br />
<br />
== Ubuntu / Debian ==<br />
<br />
Useful packages:<br />
* snmp<br />
* snmpd<br />
* libsnmp-dev<br />
<br />
Dependencies:<br />
* libsnmp-base<br />
* libsnmp35:amd64<br />
<br />
Package installation:<br />
<br />
apt-get install snmp<br />
apt-get install snmpd<br />
apt-get install libsnmp-dev<br />
<br />
Service stop:<br />
<br />
systemctl stop snmpd.service<br />
<br />
Service configuration:<br />
<br />
vi /etc/snmp/snmpd.conf<br />
...<br />
sysLocation <location description><br />
sysContact <your sysops contact><br />
...<br />
agentaddress 127.0.0.1,[::1],<IP of your server><br />
...<br />
<br />
net-snmp-config --create-snmpv3-user<br />
<br />
'''Note regarding the user creation''': not sure this behaviour is systematic, but you may have to add a line like the following to ''/etc/snmp/snmpd.conf'' for your user to be properly created at service restart. This line may be deleted from ''/etc/snmp/snmpd.conf'' after the service restart.<br />
<br />
createUser username (MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224) authpassphrase [DES|AES] [privpassphrase]<br />
<br />
Service start:<br />
<br />
systemctl start snmpd.service<br />
<br />
'''Note''': remember to allow the SNMP flows on any firewall running on or around the system.<br />
<br />
[[Category:Howto]]<br />
[[Category:SNMP]]<br />
[[Category:Monitoring]]<br />
[[Category:Linux]]<br />
[[Category:A MODIFIER]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=SNMP_-_Configure_SNMP_service_for_Linux&diff=835SNMP - Configure SNMP service for Linux2023-03-07T15:22:16Z<p>Jules : </p>
<hr />
<div>= Introduction =<br />
<br />
SNMP configuration on Linux may be complex.<br />
<br />
Plenty of documentation exists on the Internet, but it describes so many different methods that it becomes difficult to identify THE best way to do it.<br />
<br />
This article tries to lay out a procedure to install and configure the service.<br />
<br />
= Useful links =<br />
<br />
* [https://www.sugarbug.fr/atelier/techniques/monitoring_lan/snmp/ SNMP and monitoring].<br />
* [https://manpages.ubuntu.com/manpages/xenial/man1/snmpusm.1.html snmpusm man page].<br />
* [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-an-snmp-daemon-and-client-on-ubuntu-18-04 Configure an SNMP daemon and client on Ubuntu 18.04].<br />
* [https://net-snmp.sourceforge.io/docs/README.snmpv3.html net-snmp documentation on SourceForge].<br />
* ...<br />
<br />
= Useful tools =<br />
<br />
* [https://linux.die.net/man/1/snmpwalk snmpwalk].<br />
* [https://www.paessler.com/tools/snmptester Paessler SNMP Tester].<br />
<br />
= Install and configure the service =<br />
<br />
== Ubuntu / Debian ==<br />
<br />
Useful packages:<br />
* snmp<br />
* snmpd<br />
* libsnmp-dev<br />
<br />
Dependencies:<br />
* libsnmp-base<br />
* libsnmp35:amd64<br />
<br />
Package installation:<br />
<br />
apt-get install snmp<br />
apt-get install snmpd<br />
apt-get install libsnmp-dev<br />
<br />
Service stop:<br />
<br />
systemctl stop snmpd.service<br />
<br />
Service configuration:<br />
<br />
vi /etc/snmp/snmpd.conf<br />
...<br />
sysLocation <location description><br />
sysContact <your sysops contact><br />
...<br />
agentaddress 127.0.0.1,[::1],<IP of your server><br />
...<br />
<br />
net-snmp-config --create-snmpv3-user<br />
<br />
'''Note regarding the user creation''': not sure this behaviour is systematic, but you may have to add a line like the following to ''/etc/snmp/snmpd.conf'' for your user to be properly created at service restart. This line may be deleted from ''/etc/snmp/snmpd.conf'' after the service restart.<br />
<br />
createUser username (MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224) authpassphrase [DES|AES] [privpassphrase]<br />
<br />
Service start:<br />
<br />
systemctl start snmpd.service<br />
<br />
'''Note''': remember to allow the SNMP flows on any firewall running on or around the system.<br />
<br />
[[Category:Howto]]<br />
[[Category:SNMP]]<br />
[[Category:Monitoring]]<br />
[[Category:Linux]]<br />
[[Category:A MODIFIER]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=SNMP_-_Configure_SNMP_service_for_Linux&diff=834SNMP - Configure SNMP service for Linux2023-03-07T15:20:19Z<p>Jules : /* Install and configure the service */</p>
<hr />
<div>= Introduction =<br />
<br />
SNMP configuration on Linux may be complex.<br />
<br />
Plenty of documentation exists on the Internet, but it describes so many different methods that it becomes difficult to identify THE best way to do it.<br />
<br />
This article tries to lay out a procedure to install and configure the service.<br />
<br />
= Useful links =<br />
<br />
* [https://www.sugarbug.fr/atelier/techniques/monitoring_lan/snmp/ SNMP and monitoring].<br />
* [https://manpages.ubuntu.com/manpages/xenial/man1/snmpusm.1.html snmpusm man page].<br />
* [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-an-snmp-daemon-and-client-on-ubuntu-18-04 Configure an SNMP daemon and client on Ubuntu 18.04].<br />
* [https://net-snmp.sourceforge.io/docs/README.snmpv3.html net-snmp documentation on SourceForge].<br />
* ...<br />
<br />
= Install and configure the service =<br />
<br />
== Ubuntu / Debian ==<br />
<br />
Useful packages:<br />
* snmp<br />
* snmpd<br />
* libsnmp-dev<br />
<br />
Dependencies:<br />
* libsnmp-base<br />
* libsnmp35:amd64<br />
<br />
Package installation:<br />
<br />
apt-get install snmp<br />
apt-get install snmpd<br />
apt-get install libsnmp-dev<br />
<br />
Service stop:<br />
<br />
systemctl stop snmpd.service<br />
<br />
Service configuration:<br />
<br />
vi /etc/snmp/snmpd.conf<br />
...<br />
sysLocation <location description><br />
sysContact <your sysops contact><br />
...<br />
agentaddress 127.0.0.1,[::1],<IP of your server><br />
...<br />
<br />
net-snmp-config --create-snmpv3-user<br />
<br />
'''Note regarding the user creation''': not sure this behaviour is systematic, but you may have to add a line like the following to ''/etc/snmp/snmpd.conf'' for your user to be properly created at service restart. This line may be deleted from ''/etc/snmp/snmpd.conf'' after the service restart.<br />
<br />
createUser username (MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224) authpassphrase [DES|AES] [privpassphrase]<br />
<br />
Service start:<br />
<br />
systemctl start snmpd.service<br />
<br />
'''Note''': remember to allow the SNMP flows on any firewall running on or around the system.<br />
<br />
[[Category:Howto]]<br />
[[Category:SNMP]]<br />
[[Category:Monitoring]]<br />
[[Category:Linux]]<br />
[[Category:A MODIFIER]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=SNMP_-_Configure_SNMP_service_for_Linux&diff=833SNMP - Configure SNMP service for Linux2023-03-07T15:13:50Z<p>Jules : Page created with « = Introduction = SNMP configuration on Linux may be complex. Many documentation exist on Internet but they describe so many different methods it makes it difficult to id... »</p>
<hr />
<div>= Introduction =<br />
<br />
SNMP configuration on Linux may be complex.<br />
<br />
Plenty of documentation exists on the Internet, but it describes so many different methods that it becomes difficult to identify THE best way to do it.<br />
<br />
This article tries to lay out a procedure to install and configure the service.<br />
<br />
= Useful links =<br />
<br />
* [https://www.sugarbug.fr/atelier/techniques/monitoring_lan/snmp/ SNMP and monitoring].<br />
* [https://manpages.ubuntu.com/manpages/xenial/man1/snmpusm.1.html snmpusm man page].<br />
* [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-an-snmp-daemon-and-client-on-ubuntu-18-04 Configure an SNMP daemon and client on Ubuntu 18.04].<br />
* [https://net-snmp.sourceforge.io/docs/README.snmpv3.html net-snmp documentation on SourceForge].<br />
* ...<br />
<br />
= Install and configure the service =<br />
<br />
== Ubuntu / Debian ==<br />
<br />
Useful packages:<br />
* snmp<br />
* snmpd<br />
* libsnmp-dev<br />
<br />
Dependencies:<br />
* libsnmp-base<br />
* libsnmp35:amd64<br />
<br />
Package installation:<br />
<br />
apt-get install snmp<br />
apt-get install snmpd<br />
apt-get install libsnmp-dev<br />
<br />
Service configuration:<br />
<br />
systemctl stop snmpd.service<br />
net-snmp-config --create-snmpv3-user<br />
systemctl start snmpd.service<br />
<br />
[[Category:Howto]]<br />
[[Category:SNMP]]<br />
[[Category:Monitoring]]<br />
[[Category:Linux]]<br />
[[Category:A MODIFIER]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=LINUX_-_Add_certificates_to_CA_file&diff=832LINUX - Add certificates to CA file2023-03-06T12:32:28Z<p>Jules : /* Environment variable */</p>
<hr />
<div>= Introduction =<br />
<br />
You may need, at some point, to manually add some certs to the system CA store.<br />
<br />
Use cases:<br />
* self-signed certs, for instance,<br />
* certs issued by a local/internal PKI,<br />
* CA certs your system does not know by default.<br />
* ...<br />
<br />
= How to add a cert? =<br />
<br />
== Ubuntu ==<br />
<br />
See [https://manpages.ubuntu.com/manpages/focal/man8/update-ca-certificates.8.html the update-ca-certificates man page].<br />
<br />
=== CA Cert ===<br />
<br />
Steps:<br />
* get the cert(s) you want to add and save each one to a file<br />
<br />
vi mycert.pem<br />
<br />
* put those files in a subfolder of ''/usr/share/ca-certificates/''<br />
<br />
mkdir /usr/share/ca-certificates/mysubfolder<br />
mv mycert.pem /usr/share/ca-certificates/mysubfolder/<br />
<br />
* edit ''/etc/ca-certificates.conf'' and add one line per new cert at the end of the file<br />
<br />
mysubfolder/mycert.pem<br />
<br />
* finally, update the CA store with the appropriate command:<br />
<br />
root@mymachine:/usr/share/ca-certificates/manitou# update-ca-certificates<br />
Updating certificates in /etc/ssl/certs...<br />
...<br />
1 added, 0 removed; done.<br />
Running hooks in /etc/ca-certificates/update.d...<br />
done.<br />
<br />
=== Local cert ===<br />
<br />
* If needed, rename your cert file(s) with a .crt extension.<br />
* Then place them in ''/usr/local/share/ca-certificates/''.<br />
* Finally, update the store:<br />
<br />
update-ca-certificates [--fresh]<br />
<br />
=== Environment variable ===<br />
<br />
You may have to set an environment variable for some third-party apps (Ansible, Python...) to work properly with this CA store:<br />
<br />
export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt<br />
<br />
Think about adding this environment variable to your ''.bashrc'' file for instance.<br />
<br />
[[Category:SSL]]<br />
[[Category:Linux]]<br />
[[Category:Howto]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=LINUX_-_Add_certificates_to_CA_file&diff=831LINUX - Add certificates to CA file2023-03-06T12:31:59Z<p>Jules : </p>
<hr />
<div>= Introduction =<br />
<br />
You may need, at some point, to manually add some certs to the system CA store.<br />
<br />
Use cases:<br />
* self-signed certs, for instance,<br />
* or certs issued by a local/internal PKI,<br />
* or CA certs not known by default by your system.<br />
* ...<br />
<br />
= How to add a cert? =<br />
<br />
== Ubuntu ==<br />
<br />
See [https://manpages.ubuntu.com/manpages/focal/man8/update-ca-certificates.8.html the manpage of the update-ca-certificates command].<br />
<br />
=== CA Cert ===<br />
<br />
Steps:<br />
* get the cert(s) you want to add, and create one PEM file per cert<br />
<br />
vi mycert.pem<br />
<br />
* put those files in a subfolder of ''/usr/share/ca-certificates/''<br />
<br />
mkdir /usr/share/ca-certificates/mysubfolder<br />
mv mycert.pem /usr/share/ca-certificates/mysubfolder/<br />
<br />
* edit ''/etc/ca-certificates.conf'' and add 1 line per new cert at the end of the file<br />
<br />
mysubfolder/mycert.pem<br />
<br />
* finally, update the CA store with the appropriate command:<br />
<br />
root@mymachine:/usr/share/ca-certificates/manitou# update-ca-certificates<br />
Updating certificates in /etc/ssl/certs...<br />
...<br />
1 added, 0 removed; done.<br />
Running hooks in /etc/ca-certificates/update.d...<br />
done.<br />
<br />
=== Local cert ===<br />
<br />
* If needed, rename your cert file(s) to a .crt extension (PEM format).<br />
* Then place them in ''/usr/local/share/ca-certificates/''.<br />
* Finally update the store<br />
<br />
update-ca-certificates [--fresh]<br />
<br />
=== Environment variable ===<br />
<br />
Some third-party apps (Ansible, Python...) may need an environment variable to be set before they properly use this CA store:<br />
<br />
export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt<br />
<br />
[[Category:SSL]]<br />
[[Category:Linux]]<br />
[[Category:Howto]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=LINUX_-_Add_certificates_to_CA_file&diff=830LINUX - Add certificates to CA file2023-03-06T11:12:41Z<p>Jules : </p>
<hr />
<div>= Introduction =<br />
<br />
You may need, at some point, to manually add some certs to the system CA store.<br />
<br />
Use cases:<br />
* self-signed certs, for instance,<br />
* or certs issued by a local/internal PKI,<br />
* or CA certs not known by default by your system.<br />
* ...<br />
<br />
= How to add a cert? =<br />
<br />
== Ubuntu ==<br />
<br />
See [https://manpages.ubuntu.com/manpages/focal/man8/update-ca-certificates.8.html the manpage of the update-ca-certificates command].<br />
<br />
=== CA Cert ===<br />
<br />
Steps:<br />
* get the cert(s) you want to add, and create one PEM file per cert<br />
<br />
vi mycert.pem<br />
<br />
* put those files in a subfolder of ''/usr/share/ca-certificates/''<br />
<br />
mkdir /usr/share/ca-certificates/mysubfolder<br />
mv mycert.pem /usr/share/ca-certificates/mysubfolder/<br />
<br />
* edit ''/etc/ca-certificates.conf'' and add 1 line per new cert at the end of the file<br />
<br />
mysubfolder/mycert.pem<br />
<br />
* finally, update the CA store with the appropriate command:<br />
<br />
root@mymachine:/usr/share/ca-certificates/manitou# update-ca-certificates<br />
Updating certificates in /etc/ssl/certs...<br />
...<br />
1 added, 0 removed; done.<br />
Running hooks in /etc/ca-certificates/update.d...<br />
done.<br />
<br />
=== Local cert ===<br />
<br />
* If needed, rename your cert file(s) to a .crt extension (PEM format).<br />
* Then place them in ''/usr/local/share/ca-certificates/''.<br />
* Finally update the store<br />
<br />
update-ca-certificates [--fresh]<br />
<br />
[[Category:SSL]]<br />
[[Category:Linux]]<br />
[[Category:Howto]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=LINUX_-_Add_certificates_to_CA_file&diff=829LINUX - Add certificates to CA file2023-03-06T10:50:50Z<p>Jules : Page created with « = Introduction = You may need, at some point, to manually add some certs (self signed certs for instance, or certs associated to a local/internal PKI) to the system CA st... »</p>
<hr />
<div>= Introduction =<br />
<br />
You may need, at some point, to manually add some certs (self signed certs for instance, or certs associated to a local/internal PKI) to the system CA store.<br />
<br />
= How to add a cert? =<br />
<br />
== Ubuntu ==<br />
<br />
See [https://manpages.ubuntu.com/manpages/focal/man8/update-ca-certificates.8.html the manpage of the update-ca-certificates command].<br />
<br />
Steps:<br />
* get the cert(s) you want to add, and create one PEM file per cert<br />
<br />
vi mycert.pem<br />
<br />
* put those files in a subfolder of ''/usr/share/ca-certificates/''<br />
<br />
mkdir /usr/share/ca-certificates/mysubfolder<br />
mv mycert.pem /usr/share/ca-certificates/mysubfolder/<br />
<br />
* edit ''/etc/ca-certificates.conf'' and add 1 line per new cert at the end of the file<br />
<br />
mysubfolder/mycert.pem<br />
<br />
* finally, update the CA store with the appropriate command:<br />
<br />
root@mymachine:/usr/share/ca-certificates/manitou# update-ca-certificates<br />
Updating certificates in /etc/ssl/certs...<br />
...<br />
1 added, 0 removed; done.<br />
Running hooks in /etc/ca-certificates/update.d...<br />
done.<br />
<br />
[[Category:SSL]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=PYTHON_-_Determine_CA_cert_file_in_use&diff=828PYTHON - Determine CA cert file in use2023-03-06T10:20:40Z<p>Jules : </p>
<hr />
<div>= Introduction =<br />
<br />
In some cases (say, when your firewalls perform SSL deep inspection and re-encrypt flows with a certificate issued by an internal PKI), any SSL access made from a Python application may fail with errors such as:<br />
<br />
<pre><br />
root@mymachine:~# ansible-galaxy collection init<br />
usage: ansible-galaxy collection init [-h] [-s API_SERVER] [--api-key API_KEY] [-c] [-v] [-f]<br />
[--init-path INIT_PATH]<br />
[--collection-skeleton COLLECTION_SKELETON]<br />
collection_name<br />
ansible-galaxy collection init: error: the following arguments are required: collection_name<br />
root@mymachine:~# ansible-galaxy collection install azure.azcollection<br />
Process install dependency map<br />
ERROR! Unknown error when attempting to call Galaxy at 'https://galaxy.ansible.com/api/': <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)><br />
</pre><br />
<br />
= How to check which CA file is in use? =<br />
<br />
Open a Python console:<br />
<br />
<pre><br />
root@man-jpe:~# python3<br />
Python 3.8.10 (default, Nov 14 2022, 12:59:47)<br />
[GCC 9.4.0] on linux<br />
Type "help", "copyright", "credits" or "license" for more information.<br />
>>><br />
</pre><br />
<br />
Import certifi and request the file in use:<br />
<br />
<pre><br />
>>> import certifi<br />
>>> certifi.where()<br />
'/etc/ssl/certs/ca-certificates.crt'<br />
</pre><br />
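As an added example, not part of this wiki page, here is the same check done with the standard library alone: ''ssl.get_default_verify_paths()'' reports the CA file Python will actually verify against, applying the ''SSL_CERT_FILE'' precedence that the ''Environment variable'' section of the LINUX - Add certificates to CA file page relies on. The function names and the placeholder bundle file are this example's own assumptions, not anything from the page.<br />
<br />
```python
import os
import ssl
import tempfile

# Added example (not from the wiki page): report which CA bundle Python's ssl
# module will verify against, and whether SSL_CERT_FILE is what selected it.


def effective_ca_file():
    """Describe the CA file the ssl module resolves right now.

    ssl.get_default_verify_paths() applies OpenSSL's precedence: the
    SSL_CERT_FILE environment variable shadows the compiled-in default, and a
    path that does not exist yields cafile=None, i.e. no bundle at all.
    """
    paths = ssl.get_default_verify_paths()
    env_name = paths.openssl_cafile_env          # "SSL_CERT_FILE" on OpenSSL builds
    env_value = os.environ.get(env_name)
    return {
        "env_var": env_name,
        "env_value": env_value,
        "env_file_missing": env_value is not None and not os.path.isfile(env_value),
        "from_env": env_value is not None and paths.cafile == env_value,
        "cafile": paths.cafile,                    # resolved bundle file, or None
        "builtin_default": paths.openssl_cafile,   # compiled-in path, e.g. /usr/lib/ssl/cert.pem
    }


def report_with_env(ca_file_path):
    """Evaluate effective_ca_file() as if SSL_CERT_FILE were exported to ca_file_path.

    The environment is restored afterwards, so calling this has no side effects.
    """
    env_name = ssl.get_default_verify_paths().openssl_cafile_env
    saved = os.environ.get(env_name)
    os.environ[env_name] = ca_file_path
    try:
        return effective_ca_file()
    finally:
        if saved is None:
            os.environ.pop(env_name, None)
        else:
            os.environ[env_name] = saved


def certifi_bundle():
    """Path certifi hands to requests/urllib3, or None when certifi is not installed."""
    try:
        import certifi
    except ImportError:
        return None
    return certifi.where()


def make_placeholder_bundle():
    """Write a constructed stand-in for a CA bundle file and return its path.

    Placeholder content only (no real certificate); it exists so the path
    resolution above can be exercised offline.
    """
    fd, path = tempfile.mkstemp(prefix="ca-bundle-", suffix=".crt")
    with os.fdopen(fd, "w") as fh:
        fh.write("# constructed placeholder, not a certificate\n")
    return path


if __name__ == "__main__":
    print("without override:", effective_ca_file())
    print("with override:   ", report_with_env(make_placeholder_bundle()))
    print("certifi bundle:  ", certifi_bundle())
```
<br />
''certifi_bundle()'' is the cross-check for pip-based tooling: a pip-installed certifi returns its own bundled ''cacert.pem'', so certs added with update-ca-certificates are ignored by requests unless ''REQUESTS_CA_BUNDLE'' points at the system bundle, whereas Ubuntu's ''python3-certifi'' package is patched to return the system bundle, which is why the console above prints ''/etc/ssl/certs/ca-certificates.crt''.<br />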
<br />
[[Category:Python]]<br />
[[Category:Language]]<br />
[[Category:Scripting]]<br />
[[Category:Devops]]<br />
[[Category:SSL]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=PYTHON_-_Les_bases&diff=827PYTHON - Les bases2023-03-06T10:20:13Z<p>Jules : </p>
<hr />
<div>= Introduction =<br />
<br />
This article serves as a notebook while I learn the Python language.<br />
It is meant as a memory aid rather than real training material.<br />
<br />
= Useful links =<br />
<br />
* [https://www.python.org/about/gettingstarted/ Python for beginners].<br />
* [https://www.learnpython.org/ Learn Python].<br />
* [https://github.com/gto76/python-cheatsheet Python CheatSheet].<br />
<br />
= General =<br />
<br />
* Strongly object-oriented language.<br />
* Dynamically typed (no type declarations).<br />
* No variable declaration required.<br />
* "Standard" Python indentation: 4 spaces.<br />
<br />
= The Swiss army knife: print =<br />
<br />
* THE basic: the display command.<br />
<br />
Usage:<br />
print("chaine de caractère")<br />
or<br />
print(variable)<br />
<br />
* Display a variable while forcing its type:<br />
<br />
Usage:<br />
stringVar = "toto"<br />
print("String: %s" % stringVar)<br />
intVar = 1<br />
print("Int: %d" % intVar)<br />
floatVar = 15.0<br />
print("Float: %f" % floatVar)<br />
<br />
= Variables =<br />
<br />
== Assignment ==<br />
<br />
Simple:<br />
myvar = value<br />
print(myvar)<br />
<br />
Multiple:<br />
varA, varB = 1, 2<br />
print(varA)<br />
print(varB)<br />
<br />
== Strings ==<br />
<br />
=== General ===<br />
<br />
* Delimited by single quotes ' or double quotes ".<br />
* Double quotes are useful to include apostrophes in a string.<br />
<br />
=== Operators ===<br />
<br />
* The '''+''' operator concatenates strings.<br />
<br />
string = "Hello" + " " + "world"<br />
<br />
* The '''*''' operator "multiplies" (repeats) a string.<br />
<br />
string = "Hello" * 5<br />
<br />
=== Formatting ===<br />
<br />
* Python uses a string formatting syntax similar to the C language's, generating new strings from:<br />
** a format string mixing text and argument specifiers (%s, %d...),<br />
** a '''%''' operator that substitutes the variables of a tuple for the argument specifiers.<br />
<br />
nom = "Jules"<br />
age = 46<br />
print("Hello %s!" % nom)<br />
print("Are we sure %s is %d?" % (nom,age))<br />
<br />
* '''NB:''' the %s specifier can be used on a list object; the display then calls the list object's repr method to render it as a string.<br />
<br />
myList = [1,2]<br />
print("Ma liste: %s" % myList)<br />
<br />
* The most basic argument specifiers are:<br />
** '''%s''': a string, or any object with a string representation.<br />
** '''%d''': an integer.<br />
** '''%f''': a float.<br />
** '''%.<number of digits>f''': a float with a fixed number of digits after the decimal point.<br />
** '''%x/%X''': hexadecimal representation of an integer (lowercase/uppercase).<br />
<br />
== Numbers ==<br />
<br />
=== Integers ===<br />
<br />
number1 = 1<br />
print(number1)<br />
<br />
=== Floats ===<br />
<br />
number2 = float(7)<br />
number3 = 7.2<br />
print(number2)<br />
print(number3)<br />
<br />
= Data structures =<br />
<br />
== Lists ==<br />
<br />
<u>General:</u><br />
* Lists are fairly similar to arrays.<br />
* Lists can hold variables of any type.<br />
* Lists can hold as many items as you want.<br />
* Accessing an index that does not exist raises an error/exception.<br />
* The '''+''' operator concatenates 2 lists.<br />
<br />
list1 = [1,2,3]<br />
list2 = [4,5,6]<br />
print(list1 + list2)<br />
<br />
* The '''*''' operator "multiplies" (repeats) a list.<br />
<br />
myList = [1,2,3]<br />
print(myList * 3)<br />
<br />
<u>Syntax:</u><br />
<br />
Initialisation:<br />
AList = []<br />
or<br />
AList = [1,2,3]<br />
<br />
Method to append an element to the list:<br />
AList.append(<element>)<br />
<br />
Accessing an element:<br />
print(AList[0])<br />
<br />
Exception raised when accessing a nonexistent index:<br />
IndexError: list index out of range<br />
<br />
Length of a list:<br />
len(AList)<br />
<br />
Method counting the occurrences of an element in a list:<br />
<pre><br />
x = object()<br />
x_list = [x] * 10<br />
if x_list.count(x) == 10:<br />
    print("La liste contient 10 éléments x")<br />
</pre><br />
<br />
= Operators =<br />
<br />
== Comparison ==<br />
<br />
* Operator: '''=='''<br />
<br />
== Sum / Concatenation ==<br />
<br />
* Operator: '''+'''<br />
<br />
<u>Example:</u><br />
one = 1<br />
two = 2<br />
three = one + two<br />
print(three)<br />
or<br />
str1 = "Hello"<br />
str2 = "World"<br />
strFull = str1 + " " + str2<br />
print(strFull)<br />
<br />
* '''WARNING:''' this means numbers and strings cannot be mixed when using this operator.<br />
<br />
<u>Non-working example (raises a TypeError):</u><br />
one = 1<br />
two = 2<br />
string = "chaine"<br />
print(one + two + string)<br />
<br />
== Logical AND ==<br />
<br />
* Operator: '''and'''<br />
<br />
== Arithmetic operators ==<br />
<br />
* Sum: '''+'''<br />
<br />
number = 1 + 2<br />
<br />
* Product: '''*'''<br />
<br />
number = 2 * 3<br />
<br />
* Power: '''**'''<br />
<br />
number = 2 ** 3<br />
<br />
* Division: '''/'''<br />
<br />
number = 4 / 2<br />
<br />
* [https://fr.wikipedia.org/wiki/Modulo_(op%C3%A9ration) Modulo]: '''%'''<br />
<br />
number = 11 % 3<br />
<br />
* '''WARNING:''' these operators have an evaluation precedence among themselves.<br />
<br />
= Control structures =<br />
<br />
== If ==<br />
<br />
<u>Usage:</u><br />
<pre><br />
if condition:<br />
    action<br />
</pre><br />
<br />
<u>Example:</u><br />
<pre><br />
if stringVar == "Value":<br />
    print("Chaine: %s" % stringVar)<br />
</pre><br />
<br />
<u>Multiple conditions:</u><br />
<pre><br />
numVar = 3<br />
if isinstance(numVar, int) and numVar == 3:<br />
    print("Valeur numérique: %d" % numVar)<br />
</pre><br />
<br />
== For ==<br />
<br />
<u>Usage:</u><br />
<pre><br />
for x in <values>:<br />
    print(x)<br />
</pre><br />
<br />
<u>Example:</u><br />
<pre><br />
AList = []<br />
AList.append(1)<br />
AList.append(2)<br />
AList.append(3)<br />
for x in AList:<br />
    print(x)<br />
</pre><br />
<br />
[[Category:Python]]<br />
[[Category:Language]]<br />
[[Category:Scripting]]<br />
[[Category:Devops]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=PYTHON_-_Determine_CA_cert_file_in_use&diff=826PYTHON - Determine CA cert file in use2023-03-06T10:18:42Z<p>Jules : Page created with « = Introduction = In some cases (let's say when there's some deep inspection on your firewalls, and you use an internal PKI cert to re cypher flows) any SSL access made th... »</p>
<hr />
<div>= Introduction =<br />
<br />
In some cases (say, when your firewalls perform SSL deep inspection and re-encrypt flows with a certificate issued by an internal PKI), any SSL access made from a Python application may fail with errors such as:<br />
<br />
<pre><br />
root@mymachine:~# ansible-galaxy collection init<br />
usage: ansible-galaxy collection init [-h] [-s API_SERVER] [--api-key API_KEY] [-c] [-v] [-f]<br />
[--init-path INIT_PATH]<br />
[--collection-skeleton COLLECTION_SKELETON]<br />
collection_name<br />
ansible-galaxy collection init: error: the following arguments are required: collection_name<br />
root@mymachine:~# ansible-galaxy collection install azure.azcollection<br />
Process install dependency map<br />
ERROR! Unknown error when attempting to call Galaxy at 'https://galaxy.ansible.com/api/': <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)><br />
</pre><br />
<br />
= How to check which CA file is in use? =<br />
<br />
Open a Python console:<br />
<br />
<pre><br />
root@man-jpe:~# python3<br />
Python 3.8.10 (default, Nov 14 2022, 12:59:47)<br />
[GCC 9.4.0] on linux<br />
Type "help", "copyright", "credits" or "license" for more information.<br />
>>><br />
</pre><br />
<br />
Import certifi and request the file in use:<br />
<br />
<pre><br />
>>> import certifi<br />
>>> certifi.where()<br />
'/etc/ssl/certs/ca-certificates.crt'<br />
</pre><br />
<br />
[[Category:Python]]<br />
[[Category:Scripting]]<br />
[[Category:Devops]]<br />
[[Category:SSL]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=AZURE_-_Links&diff=825AZURE - Links2023-02-21T14:31:38Z<p>Jules : Page created with « = Introduction = This article is a link page to resources around Azure public cloud. = Links = == Architecture == * [https://learn.microsoft.com/en-us/azure/architectu... »</p>
<hr />
<div>= Introduction =<br />
<br />
This article is a link page to resources around Azure public cloud.<br />
<br />
= Links =<br />
<br />
== Architecture ==<br />
<br />
* [https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli Hub and spoke].<br />
<br />
== Azure CLI ==<br />
<br />
* [https://learn.microsoft.com/fr-fr/cli/azure/ Entry point for Azure CLI].<br />
<br />
== Azure Cloud Shell ==<br />
<br />
* [https://edyoung.github.io/blog/install_tools_locally/ Install tools locally].<br />
<br />
== Aztfy ==<br />
<br />
* [https://azure.github.io/aztfy/ Azure Terrafy].<br />
* [https://www.sivamuthukumar.com/blog/azure-terrafy Blog page about Azure Terrafy].<br />
* [https://techcommunity.microsoft.com/t5/azure-tools-blog/announcing-azure-terrafy-and-azapi-terraform-provider-previews/bc-p/3297808 Azure Terrafy and Azapi].<br />
* [https://github.com/Azure/aztfy Aztfy Project Page].<br />
* [https://github.com/Azure/aztfy/releases Aztfy Project releases].<br />
<br />
== Azure services ==<br />
<br />
=== Azure Event Hub ===<br />
<br />
* [https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-create Event hub creation].<br />
* [https://learn.microsoft.com/fr-fr/azure/event-hubs/event-hubs-service-endpoints Event hub service endpoints].<br />
* [https://learn.microsoft.com/en-us/azure-stack/user/event-hubs-overview?view=azs-2206 Event hub in Azure stack].<br />
<br />
[[Category:Azure]]<br />
[[Category:Cloud]]<br />
[[Category:A MODIFIER]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=AZURE_-_Azure_CLI&diff=824AZURE - Azure CLI2023-02-21T14:07:46Z<p>Jules : Page created with « = Introduction = This article will be a kind of cheatsheet regarding the usage of Azure CLI (az). = Account Management = See [https://learn.microsoft.com/en-us/cli/azur... »</p>
<hr />
<div>= Introduction =<br />
<br />
This article will be a kind of cheatsheet regarding the usage of Azure CLI (az).<br />
<br />
= Account Management =<br />
<br />
See [https://learn.microsoft.com/en-us/cli/azure/account?view=azure-cli-latest this page].<br />
<br />
== Authenticate ==<br />
<br />
See [https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli this page].<br />
<br />
Interactive method:<br />
<br />
az login<br />
<br />
== Show your current account configuration ==<br />
<br />
See [https://learn.microsoft.com/fr-fr/cli/azure/account?view=azure-cli-latest#az-account-show this page].<br />
<br />
az account show<br />
<br />
Example:<br />
<br />
$ az account show<br />
{<br />
"environmentName": "AzureCloud",<br />
"homeTenantId": "********-****-****-****-************",<br />
"id": "********-****-****-****-************",<br />
"isDefault": true,<br />
"managedByTenants": [<br />
{<br />
"tenantId": "********-****-****-****-************"<br />
}<br />
],<br />
"name": "name-of-subscription",<br />
"state": "Enabled",<br />
"tenantId": "********-****-****-****-************",<br />
"user": {<br />
"name": "account@organisation.com",<br />
"type": "user"<br />
}<br />
}<br />
<br />
== Switch subscription ==<br />
<br />
See [https://learn.microsoft.com/en-us/cli/azure/account?view=azure-cli-latest#az-account-set this page].<br />
<br />
az account set -s name-of-subscription<br />
<br />
= Resource group management =<br />
<br />
== List the resource groups in the current subscription ==<br />
<br />
See [https://learn.microsoft.com/en-us/cli/azure/group?view=azure-cli-latest#az-group-list this page].<br />
<br />
az group list<br />
<br />
[[Category:Cloud]]<br />
[[Category:Azure]]<br />
[[Category:A MODIFIER]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=BASH_-_Liens&diff=823BASH - Liens2023-02-20T14:02:08Z<p>Jules : </p>
<hr />
<div>= Introduction =<br />
<br />
This page is dedicated to storing useful links regarding bash (syntax, techniques and so on).<br />
<br />
= Links =<br />
<br />
== If ==<br />
<br />
* [https://devconnected.com/bash-if-else-syntax-with-examples/ If syntax with examples].<br />
* ...<br />
<br />
== Array ==<br />
<br />
* [https://www.baeldung.com/linux/reading-output-into-array Reading the output of a command in an array].<br />
* [https://www.cyberciti.biz/faq/bash-for-loop-array/ Loop on an array].<br />
* ...<br />
<br />
== Misc ==<br />
<br />
* [https://www.baeldung.com/linux/bash-script-counter Counter in bash].<br />
* ...<br />
<br />
[[Category:Bash]]<br />
[[Category:Scripting]]<br />
[[Category:A MODIFIER]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=BASH_-_Liens&diff=822BASH - Liens2023-02-20T13:56:01Z<p>Jules : /* Links */</p>
<hr />
<div>= Introduction =<br />
<br />
This page is dedicated to storing useful links regarding bash (syntax, techniques and so on).<br />
<br />
= Links =<br />
<br />
== If ==<br />
<br />
* [https://devconnected.com/bash-if-else-syntax-with-examples/ If syntax with examples].<br />
* ...<br />
<br />
== Array ==<br />
<br />
* [https://www.baeldung.com/linux/reading-output-into-array Reading the output of a command in an array].<br />
* [https://www.cyberciti.biz/faq/bash-for-loop-array/ Loop on an array].<br />
* ...<br />
<br />
[[Category:Bash]]<br />
[[Category:Scripting]]<br />
[[Category:A MODIFIER]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=BASH_-_Liens&diff=821BASH - Liens2023-02-20T13:37:19Z<p>Jules : /* Array */</p>
<hr />
<div>= Introduction =<br />
<br />
This page is dedicated to storing useful links regarding bash (syntax, techniques and so on).<br />
<br />
= Links =<br />
<br />
== Array ==<br />
<br />
* [https://www.baeldung.com/linux/reading-output-into-array Reading the output of a command in an array].<br />
* [https://www.cyberciti.biz/faq/bash-for-loop-array/ Loop on an array].<br />
* ...<br />
<br />
[[Category:Bash]]<br />
[[Category:Scripting]]<br />
[[Category:A MODIFIER]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=BASH_-_Liens&diff=820BASH - Liens2023-02-20T13:19:56Z<p>Jules : Page created with « = Introduction = This page will be dedicated to store useful links regarding bash (syntax, techniques and so on). = Links = == Array == * [https://www.baeldung.com/lin... »</p>
<hr />
<div>= Introduction =<br />
<br />
This page is dedicated to storing useful links regarding bash (syntax, techniques and so on).<br />
<br />
= Links =<br />
<br />
== Array ==<br />
<br />
* [https://www.baeldung.com/linux/reading-output-into-array Reading the output of a command in an array].<br />
* ...<br />
<br />
[[Category:Bash]]<br />
[[Category:Scripting]]<br />
[[Category:A MODIFIER]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=OpenSSL_-_Commandes_utiles&diff=819OpenSSL - Commandes utiles2023-02-13T09:18:57Z<p>Jules : /* Useful links */</p>
<hr />
<div>= Introduction =<br />
<br />
This article lists the most commonly used openssl commands. There are already hundreds of pages on the internet about this; the idea here is to build up a personal reference over time.<br />
<br />
= Useful links =<br />
<br />
* [https://www.sslshopper.com/article-most-common-openssl-commands.html Page on SSLShopper]<br />
* [https://www.tbs-certificats.com/FAQ/fr/192.html Generating a CSR (TBS)]<br />
* [https://en.wikipedia.org/wiki/Self-signed_certificate Wikipedia - Self-signed certificates]<br />
* [https://www.ibm.com/docs/en/api-connect/2018.x?topic=overview-generating-self-signed-certificate-using-openssl Generating a self-signed certificate]<br />
* [https://romain.therrat.fr/posts/2020/04/openssl-tester-la-compatibilit%C3%A9-d-une-version-de-tls/ Romain Therrat's blog, post on testing TLS version compatibility with openssl]<br />
<br />
= Most useful commands =<br />
<br />
== Check the TLS versions supported by an openssl build ==<br />
<br />
openssl ciphers -v| awk '{ print $2 }'|sort|uniq<br />
<br />
'''NB:''' the second column of ''openssl ciphers -v'' is the minimum protocol version each cipher suite requires, so a version listed here may still be disabled in the build; test against a real endpoint with ''s_client'' (below) to be sure.<br />
<br />
Example on an old openssl:<br />
<br />
<pre><br />
[root@hostname ~]# openssl ciphers -v| awk '{ print $2 }'|sort|uniq<br />
SSLv3<br />
[root@hostname ~]# openssl version<br />
OpenSSL 1.0.0-fips 29 Mar 2010<br />
</pre><br />
<br />
Example on a recent openssl:<br />
<br />
<pre><br />
user@hostname:~$ openssl ciphers -v| awk '{ print $2 }'|sort|uniq<br />
SSLv3<br />
TLSv1<br />
TLSv1.2<br />
TLSv1.3<br />
user@hostname:~$ openssl version<br />
OpenSSL 1.1.1d 10 Sep 2019<br />
</pre><br />
<br />
== Test a remote service's compatibility with a TLS version ==<br />
<br />
openssl s_client -connect google.com:443 -brief -<tls_version><br />
<br />
Example (''-tls1_3'' and ''-tls1_2'' as the version flag):<br />
<br />
<pre><br />
user@hotname:~$ echo "Q" | openssl s_client -connect google.com:443 -brief -tls1_3<br />
CONNECTION ESTABLISHED<br />
Protocol version: TLSv1.3<br />
Ciphersuite: TLS_AES_256_GCM_SHA384<br />
Peer certificate: CN = *.google.com<br />
Hash used: SHA256<br />
Signature type: ECDSA<br />
Verification: OK<br />
Server Temp Key: X25519, 253 bits<br />
DONE<br />
user@hotname:~$ echo "Q" | openssl s_client -connect google.com:443 -brief -tls1_2<br />
CONNECTION ESTABLISHED<br />
Protocol version: TLSv1.2<br />
Ciphersuite: ECDHE-ECDSA-CHACHA20-POLY1305<br />
Peer certificate: CN = *.google.com<br />
Hash used: SHA256<br />
Signature type: ECDSA<br />
Verification: OK<br />
Supported Elliptic Curve Point Formats: uncompressed<br />
Server Temp Key: X25519, 253 bits<br />
DONE<br />
</pre><br />
<br />
== Test an SSL port ==<br />
<br />
openssl s_client -connect <host>:<port><br />
<br />
== Generate a CSR ==<br />
<br />
openssl req -sha256 -nodes -newkey rsa:2048 -keyout www.monsite.com.key -out www.monsite.com.csr<br />
<br />
From a details file:<br />
<br />
openssl req -nodes -newkey rsa:2048 -sha256 -days 3650 -keyout monsite.key -out monsite.csr -config <(cat csr_details.txt)<br />
<br />
Details file format:<br />
<br />
<pre><br />
[req]<br />
default_bits = 2048<br />
prompt = no<br />
default_md = sha256<br />
req_extensions = req_ext<br />
distinguished_name = dn<br />
<br />
[ dn ]<br />
C=FR<br />
ST=<A region><br />
L=<A city><br />
O=<An organisation><br />
OU=<An OU><br />
emailAddress=<A contact email><br />
CN = <the desired CN, i.e. the name to cover><br />
<br />
[ req_ext ]<br />
subjectAltName = @alt_names<br />
<br />
[ alt_names ]<br />
DNS.1 = <alt_name_1><br />
DNS.2 = <alt_name_2><br />
IP.1 = <IP><br />
</pre><br />
<br />
== Read the content of a CSR ==<br />
<br />
openssl req -noout -text -verify -in mon.domaine.com.csr<br />
<br />
== Check the content of an SSL certificate in PEM format ==<br />
<br />
openssl x509 -in <certificate_file> -text -noout<br />
<br />
== Convert between DER (.crt .cer .der) and PEM formats ==<br />
<br />
PEM to DER:<br />
<br />
openssl x509 -outform der -in certificate.cer -out certificate.der<br />
<br />
DER to PEM:<br />
<br />
openssl x509 -inform der -in certificate.der -out certificate.pem<br />
<br />
== Remove the passphrase from a private key ==<br />
<br />
openssl rsa -in /path/to/ssl/032019/withPassPhrase.key -out /path/to/ssl/withoutPassPhrase.key<br />
<br />
Then enter the passphrase interactively. You can then use the passphrase-less key in your configurations (restrict its file permissions, since it is no longer protected at rest).<br />
<br />
== Check that CSR, private key and public key (certificate) match ==<br />
<br />
Get the md5 hash of each file's modulus and compare them (they must all be identical):<br />
<br />
openssl x509 -in <public_key> -noout -modulus | openssl md5<br />
openssl rsa -in <private_key> -noout -modulus | openssl md5<br />
openssl req -in <csr> -noout -modulus | openssl md5<br />
<br />
== Check the correct order of the public keys (certificates) in a chain ==<br />
<br />
Logic:<br />
* start from the public key of your own certificate.<br />
* have one file per public key that is part of the chain.<br />
* if you consider your public key to be at the very top, determine its Issuer: the key one level below must have a Subject strictly identical to it.<br />
<br />
openssl x509 -in <public_key> -text -noout | grep Issuer<br />
<br />
Then<br />
<br />
openssl x509 -in <one_of_the_chain_keys> -text -noout | grep Subject<br />
<br />
The chain key whose Subject equals the Issuer of the previous key comes next.<br />
<br />
Then concatenate all these keys into one single file:<br />
<br />
cat <public_key> > fullchain.pem<br />
cat <CA1_key> >> fullchain.pem<br />
...<br />
cat <CAn_key> >> fullchain.pem<br />
cat <RootCA_key> >> fullchain.pem<br />
<br />
Check that the BEGIN and END CERTIFICATE markers are not mixed up (e.g. a missing line break at the end of one of the files).<br />
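The Issuer/Subject matching and the BEGIN/END check described above, as an added example that is not part of this wiki page: a Python script (standard library only) that splits a PEM bundle, refuses glued or unbalanced markers, parses only the DER Subject and Issuer Name fields of each certificate and walks the chain leaf to root by byte-for-byte equality, which is stricter than grepping the text dump. The toy certificates it runs on are constructed inside the block (unsigned placeholders with a dummy key, not real CA material), and the names ''Toy Root CA'', ''Toy Intermediate CA'' and ''www.example.test'' are made up. The same splitter doubles as a sanity check for a bundle before dropping it into the CA store (LINUX - Add certificates to CA file page above).<br />
<br />
```python
import base64

# Added example, not from the wiki page: check a PEM bundle for mixed-up
# BEGIN/END markers and order its certificates leaf -> root by matching each
# Issuer to the next Subject (DER Name bytes compared exactly). Only
# Subject/Issuer are parsed; signatures and validity dates are not verified.

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def split_pem_bundle(text):
    """Return the DER bytes of each certificate; raise ValueError on bad markers."""
    certs, body = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if body is not None:
                raise ValueError(f"line {lineno}: BEGIN inside an open block (missing END?)")
            body = []
        elif line == END:
            if body is None:
                raise ValueError(f"line {lineno}: END without a matching BEGIN")
            certs.append(base64.b64decode("".join(body), validate=True))
            body = None
        elif body is not None:
            if BEGIN in line or END in line:  # "-----END ...----------BEGIN ...-----" on one line
                raise ValueError(f"line {lineno}: markers glued together (missing newline?)")
            body.append(line)
    if body is not None:
        raise ValueError("bundle ends inside an open block (missing END)")
    return certs


def _tlv(buf, pos):  # decode one DER tag/length at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def subject_issuer(der):
    """Return (subject, issuer) as the raw DER contents of the two Name fields."""
    _, pos, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, pos, _ = _tlv(der, pos)          # tbsCertificate ::= SEQUENCE { ... }
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                     # optional explicit [0] version
        pos = end
    _, _, pos = _tlv(der, pos)          # serialNumber
    _, _, pos = _tlv(der, pos)          # signature AlgorithmIdentifier
    _, start, pos = _tlv(der, pos)      # issuer Name
    issuer = der[start:pos]
    _, _, pos = _tlv(der, pos)          # validity
    _, start, pos = _tlv(der, pos)      # subject Name
    return der[start:pos], issuer


def order_chain(ders):
    """Return (chain leaf -> root, complete); complete is True once a self-signed root is reached."""
    meta = {d: subject_issuer(d) for d in ders}
    by_subject = {sub: d for d, (sub, _) in meta.items()}
    issuers = {iss for _, iss in meta.values()}
    leaves = [d for d, (sub, iss) in meta.items() if sub != iss and sub not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {len(leaves)}")
    chain = [leaves[0]]
    while True:
        sub, iss = meta[chain[-1]]
        if sub == iss:
            return chain, True          # reached the self-signed root
        nxt = by_subject.get(iss)
        if nxt is None or nxt in chain:
            return chain, False         # issuer missing from the bundle (or a loop)
        chain.append(nxt)


# Constructed sample input: toy, unsigned certificates with a placeholder key
# and signature, enough structure for the parser above; not real CA material.
def _der(tag, payload):  # minimal DER TLV encoder (short and long form lengths)
    n = len(payload)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + payload


def _name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String cn } } }
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def _toy_cert(subject_cn, issuer_cn, serial):
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial])) + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + _der(0x30, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))


def _pem(der):
    b64 = base64.b64encode(der).decode()
    return BEGIN + "\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n" + END + "\n"


ROOT = _toy_cert("Toy Root CA", "Toy Root CA", 1)
INTERMEDIATE = _toy_cert("Toy Intermediate CA", "Toy Root CA", 2)
LEAF = _toy_cert("www.example.test", "Toy Intermediate CA", 3)
SAMPLE_BUNDLE = _pem(ROOT) + _pem(LEAF) + _pem(INTERMEDIATE)  # deliberately out of order
GLUED_BUNDLE = _pem(LEAF).rstrip("\n") + _pem(INTERMEDIATE)   # END and BEGIN glued on one line
```
<br />
''"".join(_pem(c) for c in order_chain(split_pem_bundle(open("bundle.pem").read()))[0])'' is the content your fullchain.pem should have; when ''complete'' comes back False the bundle lacks the issuer of its last certificate. Nothing here checks signatures or dates, so follow up with ''openssl verify -CAfile'' on the result.<br />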
<br />
[[Category:Commande]]<br />
[[Category:Howto]]<br />
[[Category:SSL]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=FORTIGATE_-_Useful_CLI_commands&diff=818FORTIGATE - Useful CLI commands2023-02-10T12:56:03Z<p>Jules : </p>
<hr />
<div>= Introduction =<br />
<br />
This article gathers useful CLI commands for Fortigate firewall configuration and diagnostics.<br />
<br />
= Toolbox =<br />
<br />
== Filter ==<br />
<br />
Any command result can be filtered like in a linux shell, using pipe and grep:<br />
<br />
# <command> | grep <pattern><br />
<br />
== Show a configuration when configuring ==<br />
<br />
# config <menu> <submenu><br />
<submenu># show<br />
<br />
== List device interfaces ==<br />
<br />
# show system interface<br />
<br />
== Debug ==<br />
<br />
See [https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc this debug cheatsheet].<br />
<br />
=== IPsec tunnel establishment diagnostic ===<br />
<br />
# diag debug application ike -1<br />
# diag debug enable<br />
# diag vpn ike log-filter name <name_of_a_IPSec_tunnel><br />
<br />
=== Identify tunnel and filter list ===<br />
<br />
# diag vpn ike log-filter list<br />
<br />
=== Debug disable ===<br />
<br />
# diag debug disable<br />
<br />
== Firewalling ==<br />
<br />
=== Addresses management ===<br />
<br />
# config firewall address<br />
# edit "<name_of_object>"<br />
# set subnet <ip> <netmask><br />
# next<br />
# end<br />
<br />
=== Address groups management ===<br />
<br />
# config firewall addrgrp<br />
# edit "<group_name>"<br />
# set member "<address_object_1>" ... "<address_object_n>"<br />
# set comment "<your_comment>"<br />
# next<br />
# end<br />
<br />
=== Custom service management ===<br />
<br />
# config firewall service custom<br />
# edit "<name_of_custom_service>"<br />
# set comment "<your_comment>"<br />
# set tcp-portrange <portStart>[-<portEnd>]<br />
# next<br />
# end<br />
<br />
=== Service group management ===<br />
<br />
# config firewall service group<br />
# edit "<service_group_name>"<br />
# set member "<member1>" ... "<membern>"<br />
# set comment "<your_comment>"<br />
# next<br />
# end<br />
<br />
=== Policy management ===<br />
<br />
# config firewall policy<br />
# edit 0<br />
# set srcintf "<name_of_source_itf>"<br />
# set dstintf "<name_of_dest_itf>"<br />
# set srcaddr "all"|"<address_or_group>"<br />
# set dstaddr "<address_or_group>"<br />
# set action accept<br />
# set schedule "always"<br />
# set service "<service_or_servicegroup>"<br />
# set utm-status enable<br />
# set logtraffic all<br />
# set ips-sensor "<ips_configuration_profile>"<br />
# set ssl-ssh-profile "<inspection_configuration_profile>"<br />
# set nat enable|disable<br />
# next<br />
# end<br />
<br />
== Routing ==<br />
<br />
=== See all routes (whatever the routing protocol) ===<br />
<br />
# get router info routing-table all<br />
<br />
'''NB:''' you can replace "all" with "bgp" or "static" or "ospf" to list only those routes.<br />
<br />
=== See all BGP neighbors ===<br />
<br />
# get router info bgp neighbors<br />
<br />
or<br />
<br />
# get router info bgp summary<br />
<br />
=== See advertised routes from a neighbor ===<br />
<br />
# get router info bgp neighbors <neighbor_IP> advertised-routes<br />
<br />
=== See received routes from a neighbor ===<br />
<br />
# get router info bgp neighbors <neighbor_IP> received-routes<br />
<br />
'''NB:''' this only returns something when soft-reconfiguration is enabled for that neighbor (see below); otherwise the FortiGate does not keep the unfiltered routes received from the peer.<br />
<br />
=== Enable soft reconfiguration ===<br />
<br />
# config router bgp<br />
# config neighbor<br />
# edit "<neighbor_IP>"<br />
# set soft-reconfiguration enable<br />
# next<br />
# end<br />
# end<br />
<br />
=== Disable network-import-check ===<br />
<br />
See [https://community.fortinet.com/t5/Fortinet-Forum/Advertising-BGP-routes/m-p/203989 this article] for information on the use case.<br />
<br />
# config router bgp<br />
# set network-import-check disable<br />
# end<br />
<br />
'''NB:''' this is not best practice: with the check disabled, the FortiGate advertises every "network" prefix even when it has no matching route in its routing table, so traffic attracted by that advertisement is blackholed or sent back out the default route. Prefer to announce networks (and aggregate ranges) that correspond to routes present on the device, adding a static route for an aggregate when needed.<br />
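As an added example (not code from the wiki page or from Fortinet), the script below reproduces the condition that network-import-check verifies before a prefix is advertised: it parses a routing table in the layout of "get router info routing-table all" (the sample output is constructed here and its layout assumed; the parser only relies on the route code and prefix at the start of each line) and compares it with a list of BGP network statements. Exact-prefix matching is assumed as the rule, as on other BGP implementations; verify the behaviour on your firmware.<br />
<br />
```python
"""Check BGP 'network' prefixes against the routing table: the condition that
network-import-check enforces before a prefix is advertised.

Added example: not code from the wiki page or from Fortinet. The routing
table text is constructed in the layout of 'get router info routing-table all'
as assumed here (the parser only relies on the route code and prefix at the
start of each line), and exact-prefix matching is assumed as the check's rule.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample output (assumed layout, placeholder addresses).
ROUTING_TABLE = """\
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 203.0.113.1, wan1
C       10.10.0.0/24 is directly connected, port1
C       10.10.1.0/24 is directly connected, port2
S       10.20.0.0/16 [10/0] via 10.10.0.254, port1
B       198.51.100.0/24 [20/0] via 203.0.113.2, wan1, 00:12:31
"""

# Prefixes announced under 'config router bgp' / 'config network' (constructed).
BGP_NETWORKS = ["10.10.0.0/24", "10.20.0.0/16", "10.30.0.0/24", "10.0.0.0/8"]

ROUTE_RE = re.compile(r"^([A-Z])\*?\s+(\d+\.\d+\.\d+\.\d+/\d+)")


def parse_routing_table(text: str) -> Dict[str, str]:
    """Map prefix -> route code (C, S, B, O, ...) for every RIB entry."""
    routes: Dict[str, str] = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes[m.group(2)] = m.group(1)
    return routes


def import_check(networks: List[str], routes: Dict[str, str]) -> Dict[str, str]:
    """For each announced network, report whether an exact route exists and,
    if not, what the RIB holds instead. A prefix covered only by more-specific
    routes needs an aggregate (e.g. a static blackhole route) rather than a
    disabled check; a prefix covered only by a less-specific route would
    attract traffic the device cannot deliver."""
    rib = {ipaddress.ip_network(p): code for p, code in routes.items()}
    result: Dict[str, str] = {}
    for net in networks:
        n = ipaddress.ip_network(net)
        if n in rib:
            result[net] = f"ok: exact route present ({rib[n]})"
            continue
        more = sorted(str(r) for r in rib if r != n and r.subnet_of(n))
        less = sorted(str(r) for r in rib if r != n and n.subnet_of(r))
        if more:
            result[net] = "missing: only more-specific routes " + ", ".join(more)
        elif less:
            result[net] = "missing: covered only by " + ", ".join(less)
        else:
            result[net] = "missing: no route at all"
    return result


if __name__ == "__main__":
    verdicts = import_check(BGP_NETWORKS, parse_routing_table(ROUTING_TABLE))
    for prefix, verdict in verdicts.items():
        print(f"{prefix:<16} {verdict}")
```
<br />
In the sample, 10.0.0.0/8 is the typical case that tempts people to disable the check: the device only has the more-specific routes, so the fix is a static (blackhole) route for the aggregate, after which the prefix passes the check and the aggregate is advertised safely. Paste the real "get router info routing-table all" output into ROUTING_TABLE to run it against a production device.<br />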
<br />
== Internet Services ==<br />
<br />
=== Links ===<br />
<br />
* [https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/849970/policy-with-internet-service Fortinet Docs Policy with Internet Service].<br />
* [https://docs.fortinet.com/document/fortigate/6.0.0/handbook/451530/protocol-number Protocol numbers].<br />
* [https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-search-ISDB-using-IP-address/ta-p/193111?externalID=FD46122 Community article on how to search ISDB using IP].<br />
* [https://community.fortinet.com/t5/FortiGate/Technical-Note-Internet-Service-Database-List-of-services-IP/ta-p/192757?externalID=FD40491 Community article on ISDB].<br />
<br />
=== Identify an Internet Service ID ===<br />
<br />
# diagnose internet-service id | grep <name_of_service><br />
<br />
=== List the IPs and ports covered by an Internet Service ===<br />
<br />
# diagnose internet-service id <ID><br />
<br />
=== Find which Internet Services contain an IP address or subnet (VDOM root) ===<br />
<br />
# diagnose internet-service match root <ip> <netmask><br />
<br />
=== Check whether a protocol, port and destination IP match an Internet Service (VDOM root) ===<br />
<br />
# diagnose internet-service info root <proto> <port> <IP><br />
<br />
Proto is the IP protocol number of the flow:<br />
* 6: TCP<br />
* 17: UDP<br />
<br />
Result if found:<br />
<br />
Internet Service: <ID and name of the service><br />
<br />
Result if not found: <br />
<br />
Can not find Internet Service ID and name. ret=-1<br />
<br />
[[Category:Fortigate]]<br />
[[Category:Commande]]<br />
[[Category:Howto]]<br />
[[Category:Reseau]]<br />
[[Category:Réseau]]<br />
[[Category:Network]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=WSL_-_Reset_user_password&diff=817WSL - Reset user password2022-11-25T08:51:27Z<p>Jules : Page créée avec « = Introduction = If you loose or forget your basic account in WSL, this article describes how to reset it quickly. = Reset the password = == Turn the defaut user to roo... »</p>
<hr />
<div>= Introduction =<br />
<br />
If you have lost or forgotten the password of your default WSL user account, this article describes how to reset it quickly.<br />
<br />
= Reset the password =<br />
<br />
== Switch the default user to root ==<br />
<br />
* Open a CMD prompt.<br />
* Call your WSL distribution executable with appropriate parameters:<br />
<br />
debian.exe config --default-user root<br />
<br />
== Launch a new WSL instance and reset the password ==<br />
<br />
* the new instance starts as root, with no password prompt.<br />
* type:<br />
<br />
passwd <your_username><br />
<br />
* choose a new password and store it in your password manager.<br />
<br />
== Set the default user back to its original value ==<br />
<br />
debian.exe config --default-user <your_username><br />
<br />
'''NB:''' this works because WSL does not authenticate Linux accounts: the launcher starts the distribution as whichever default user is configured, so anyone who can run it in your Windows session can become root the same way. The Linux password only protects sudo and su prompts inside the distribution, not access to the distribution itself.<br />
<br />
[[Category:Howto]]<br />
[[Category:Linux]]<br />
[[Category:Systeme]]<br />
[[Category:Windows]]<br />
[[Category:WSL]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=TIPS_-_Curl&diff=816TIPS - Curl2022-10-26T15:11:32Z<p>Jules : Page créée avec « = Introduction = This article lists a few ways to call curl, depending on your need. = Curl calls = == Fake the DNS resolution == Use case: * your website is behind a... »</p>
<hr />
<div>= Introduction =<br />
<br />
This article lists a few ways to call curl, depending on your need.<br />
<br />
= Curl calls =<br />
<br />
== Fake the DNS resolution ==<br />
<br />
Use case:<br />
* your website is behind a WAF and the FQDN resolves to it instead of the web server directly (the origin).<br />
* your website is behind a reverse proxy, but you want to access the underlying web service with appropriate host header in your request.<br />
<br />
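What the curl call in this section does under the hood, as an added example in Python (not from the wiki page): connect to the origin IP, but send the FQDN in the TLS SNI extension and verify the certificate against it, then send the same FQDN in the Host header. This is why --resolve is preferable to "curl https://<IP> -H 'Host: ...'" plus -k: the origin certificate is still validated, and a WAF-bypass check does not end up ignoring a bad certificate. Host names and addresses in the script are placeholders; parse_resolve_spec() and fetch_via_ip() are this example's own helpers.<br />
<br />
```python
"""Talk to an origin server by IP while presenting the site's FQDN in SNI and
in the Host header, which is what 'curl --resolve HOST:PORT:ADDRESS' does.

Added example: not code from the wiki page. parse_resolve_spec() validates a
curl-style HOST:PORT:ADDRESS triple; fetch_via_ip() connects to the address,
verifies the server certificate against the hostname and sends the request
with that hostname in Host. Hostnames and addresses used here are placeholders.
"""
import http.client
import ipaddress
import socket
import ssl
import sys
from typing import Tuple


def parse_resolve_spec(spec: str) -> Tuple[str, int, str]:
    """'my.domain:443:203.0.113.10' -> ('my.domain', 443, '203.0.113.10').
    An IPv6 address may be written in brackets, as curl accepts."""
    parts = spec.split(":", 2)
    if len(parts) != 3 or not parts[0] or parts[0].startswith("."):
        raise ValueError(f"expected HOST:PORT:ADDRESS, got {spec!r}")
    host, port_s, addr = parts
    port = int(port_s)                            # ValueError if not numeric
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    ip = ipaddress.ip_address(addr.strip("[]"))   # ValueError if malformed
    return host, port, str(ip)


def fetch_via_ip(host: str, ip: str, port: int = 443, path: str = "/",
                 verify: bool = True, timeout: float = 10.0) -> Tuple[int, str, bytes]:
    """GET https://host/path with the TCP connection made to ip instead of
    whatever DNS returns for host. Returns (status, Server header, body head)."""
    ctx = ssl.create_default_context()
    if not verify:                     # equivalent of curl -k: lab use only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((ip, port), timeout=timeout)
    # server_hostname sets SNI and the name the certificate is checked against,
    # so a correctly issued origin certificate validates without -k.
    tls = ctx.wrap_socket(raw, server_hostname=host)
    conn = http.client.HTTPSConnection(host, port, timeout=timeout)
    conn.sock = tls                    # reuse our socket; no DNS lookup of host
    conn.request("GET", path, headers={"Host": host, "User-Agent": "origin-check/1.0"})
    resp = conn.getresponse()
    body = resp.read(2048)
    server = resp.getheader("Server", "")
    conn.close()
    return resp.status, server, body


if __name__ == "__main__":
    # usage: python origin_check.py my.domain:443:203.0.113.10 [/path]
    host, port, ip = parse_resolve_spec(sys.argv[1])
    path = sys.argv[2] if len(sys.argv) > 2 else "/"
    status, server, body = fetch_via_ip(host, ip, port, path)
    print(f"{host} via {ip}:{port} -> HTTP {status}, Server: {server!r}")
    print(body[:200])
```
<br />
A practical use: run it once against the WAF address and once against the suspected origin address; if the origin answers with the same application (and no WAF headers), the origin is reachable directly and the WAF can be bypassed, which is a finding to report.<br />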
curl --resolve <my.domain>:443:<IP> https://<my.domain>[/<my_uri>]</div>Juleshttps://wiki.pedrono.fr/index.php?title=FORTIGATE_-_Useful_CLI_commands&diff=815FORTIGATE - Useful CLI commands2022-10-24T14:32:36Z<p>Jules : /* Links */</p>
<hr />
<div>= Introduction =<br />
<br />
This article will gather some useful CLI commands for Fortigate firewalls configuration and diagnostic.<br />
<br />
= Toolbox =<br />
<br />
== Filter ==<br />
<br />
Any command result can be filtered like in a linux shell, using pipe and grep:<br />
<br />
# <command> | grep <pattern><br />
<br />
== Show a configuration when configuring ==<br />
<br />
# config <menu> <submenu><br />
<submenu># show<br />
<br />
== List device interfaces ==<br />
<br />
# show system interface<br />
<br />
== IPsec tunnel establishment diagnostic ==<br />
<br />
# diag debug application ike -1<br />
# diag debug enable<br />
# diag vpn ike log-filter name <name_of_a_IPSec_tunnel><br />
<br />
== Indentify tunnel and filter list ==<br />
<br />
# diag vpn ike log-filter list<br />
<br />
== Debug disable ==<br />
<br />
# diag debug disable<br />
<br />
== Firewalling ==<br />
<br />
=== Addresses management ===<br />
<br />
# config firewall address<br />
# edit "<name_of_object>"<br />
# set subnet <ip> <netmask><br />
# next<br />
# end<br />
<br />
=== Address groups management ===<br />
<br />
# config firewall addrgrp<br />
# edit "<group_name>"<br />
# set member "<address_object_1>" ... "<address_object_n>"<br />
# set comment "<your_comment>"<br />
# next<br />
# end<br />
<br />
=== Custom service management ===<br />
<br />
# config firewall service custom<br />
# edit "<name_of_custom_service>"<br />
# set comment "<your_comment>"<br />
# set tcp-portrange <portStart>[-<portEnd>]<br />
# next<br />
# end<br />
<br />
=== Service group management ===<br />
<br />
# config firewall service group<br />
# edit "<service_group_name>"<br />
# set member "<member1>" ... "<membern>"<br />
# set comment "<your_comment>"<br />
# next<br />
# end<br />
<br />
=== Policy management ===<br />
<br />
# config firewall policy<br />
# edit 0<br />
# set srcintf "<name_of_source_itf>"<br />
# set dstintf "<name_of_dest_itf>"<br />
# set srcaddr "all"|"<address_or_group>"<br />
# set dstaddr "<address_or_group>"<br />
# set action accept<br />
# set schedule "always"<br />
# set service "<service_or_servicegroup>"<br />
# set utm-status enable<br />
# set logtraffic all<br />
# set ips-sensor "<ips_configuration_profile>"<br />
# set ssl-ssh-profile "<inspection_configuration_profile>"<br />
# set nat enable|disable<br />
# next<br />
# end<br />
<br />
== Routing ==<br />
<br />
=== See all routes (whatever the protocol being used) ===<br />
<br />
# get router info routing-table all<br />
<br />
'''NB:''' you can replace "all" with "bgp" or "static" or "ospf" to list only those routes.<br />
<br />
=== See all BGP neighbors ===<br />
<br />
# get router info bgp neighbors<br />
<br />
or<br />
<br />
# get router info bgp summary<br />
<br />
=== See advertised routes from a neighbor ===<br />
<br />
# get router info bgp neighbors <neighbor_IP> advertised-routes<br />
<br />
=== See received routes from a neighbor ===<br />
<br />
# get router info bgp neighbors <neighbor_IP> received-routes<br />
<br />
=== Enable soft reconfiguration ===<br />
<br />
# config router bgp<br />
# edit "<neighbor_IP>"<br />
# set soft-reconfiguration enable<br />
# next<br />
# end<br />
<br />
=== Disable network-import-check ===<br />
<br />
See [https://community.fortinet.com/t5/Fortinet-Forum/Advertising-BGP-routes/m-p/203989 this article] for information on the use case.<br />
<br />
# config router bgp<br />
# set network-import-check disable<br />
<br />
'''NB:''' this is not a best practice, prefer to announce some network (and network ranges) according to existing routes on the device.<br />
<br />
== Internet Services ==<br />
<br />
=== Links ===<br />
<br />
* [https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/849970/policy-with-internet-service Fortinet Docs Policy with Internet Service].<br />
* [https://docs.fortinet.com/document/fortigate/6.0.0/handbook/451530/protocol-number Protocol numbers].<br />
* [https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-search-ISDB-using-IP-address/ta-p/193111?externalID=FD46122 Community article on how to search ISDB using IP].<br />
* [https://community.fortinet.com/t5/FortiGate/Technical-Note-Internet-Service-Database-List-of-services-IP/ta-p/192757?externalID=FD40491 Community article on ISDB].<br />
<br />
=== Identify an Internet Service ID ===<br />
<br />
# diagnose internet-service id | grep <name_of_service><br />
<br />
=== List IPs and ports allowed by an Internet Service ===<br />
<br />
# diagnose internet-service id <ID><br />
<br />
=== Check in which Internet Service an IP address or subnet is involved ===<br />
<br />
# diagnose internet-service match root <ip> <netmask><br />
<br />
=== Check if flow for some protocols are opened to some destination IPs ===<br />
<br />
# diagnose internet-service info root <proto> <port> <IP><br />
<br />
Proto:<br />
* 17: UDP<br />
* 6: TCP<br />
<br />
Result if found:<br />
<br />
Internet Service: <ID and name of the service><br />
<br />
Result if not found: <br />
<br />
Can not find Internet Service ID and name. ret=-1<br />
<br />
[[Category:Fortigate]]<br />
[[Category:Commande]]<br />
[[Category:Howto]]<br />
[[Category:Reseau]]<br />
[[Category:Réseau]]<br />
[[Category:Network]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=FORTIGATE_-_Useful_CLI_commands&diff=814FORTIGATE - Useful CLI commands2022-10-24T14:24:25Z<p>Jules : /* Internet Services */</p>
<hr />
<div>= Introduction =<br />
<br />
This article will gather some useful CLI commands for Fortigate firewalls configuration and diagnostic.<br />
<br />
= Toolbox =<br />
<br />
== Filter ==<br />
<br />
Any command result can be filtered like in a linux shell, using pipe and grep:<br />
<br />
# <command> | grep <pattern><br />
<br />
== Show a configuration when configuring ==<br />
<br />
# config <menu> <submenu><br />
<submenu># show<br />
<br />
== List device interfaces ==<br />
<br />
# show system interface<br />
<br />
== IPsec tunnel establishment diagnostic ==<br />
<br />
# diag debug application ike -1<br />
# diag debug enable<br />
# diag vpn ike log-filter name <name_of_a_IPSec_tunnel><br />
<br />
== Indentify tunnel and filter list ==<br />
<br />
# diag vpn ike log-filter list<br />
<br />
== Debug disable ==<br />
<br />
# diag debug disable<br />
<br />
== Firewalling ==<br />
<br />
=== Addresses management ===<br />
<br />
# config firewall address<br />
# edit "<name_of_object>"<br />
# set subnet <ip> <netmask><br />
# next<br />
# end<br />
<br />
=== Address groups management ===<br />
<br />
# config firewall addrgrp<br />
# edit "<group_name>"<br />
# set member "<address_object_1>" ... "<address_object_n>"<br />
# set comment "<your_comment>"<br />
# next<br />
# end<br />
<br />
=== Custom service management ===<br />
<br />
# config firewall service custom<br />
# edit "<name_of_custom_service>"<br />
# set comment "<your_comment>"<br />
# set tcp-portrange <portStart>[-<portEnd>]<br />
# next<br />
# end<br />
<br />
=== Service group management ===<br />
<br />
# config firewall service group<br />
# edit "<service_group_name>"<br />
# set member "<member1>" ... "<membern>"<br />
# set comment "<your_comment>"<br />
# next<br />
# end<br />
<br />
=== Policy management ===<br />
<br />
# config firewall policy<br />
# edit 0<br />
# set srcintf "<name_of_source_itf>"<br />
# set dstintf "<name_of_dest_itf>"<br />
# set srcaddr "all"|"<address_or_group>"<br />
# set dstaddr "<address_or_group>"<br />
# set action accept<br />
# set schedule "always"<br />
# set service "<service_or_servicegroup>"<br />
# set utm-status enable<br />
# set logtraffic all<br />
# set ips-sensor "<ips_configuration_profile>"<br />
# set ssl-ssh-profile "<inspection_configuration_profile>"<br />
# set nat enable|disable<br />
# next<br />
# end<br />
<br />
== Routing ==<br />
<br />
=== See all routes (whatever the protocol being used) ===<br />
<br />
# get router info routing-table all<br />
<br />
'''NB:''' you can replace "all" with "bgp" or "static" or "ospf" to list only those routes.<br />
<br />
=== See all BGP neighbors ===<br />
<br />
# get router info bgp neighbors<br />
<br />
or<br />
<br />
# get router info bgp summary<br />
<br />
=== See advertised routes from a neighbor ===<br />
<br />
# get router info bgp neighbors <neighbor_IP> advertised-routes<br />
<br />
=== See received routes from a neighbor ===<br />
<br />
# get router info bgp neighbors <neighbor_IP> received-routes<br />
<br />
=== Enable soft reconfiguration ===<br />
<br />
# config router bgp<br />
# edit "<neighbor_IP>"<br />
# set soft-reconfiguration enable<br />
# next<br />
# end<br />
<br />
=== Disable network-import-check ===<br />
<br />
See [https://community.fortinet.com/t5/Fortinet-Forum/Advertising-BGP-routes/m-p/203989 this article] for information on the use case.<br />
<br />
# config router bgp<br />
# set network-import-check disable<br />
<br />
'''NB:''' this is not a best practice, prefer to announce some network (and network ranges) according to existing routes on the device.<br />
<br />
== Internet Services ==<br />
<br />
=== Links ===<br />
<br />
* [https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/849970/policy-with-internet-service Fortinet Docs Policy with Internet Service].<br />
* [https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-search-ISDB-using-IP-address/ta-p/193111?externalID=FD46122 Community article on how to search ISDB using IP].<br />
* [https://community.fortinet.com/t5/FortiGate/Technical-Note-Internet-Service-Database-List-of-services-IP/ta-p/192757?externalID=FD40491 Community article on ISDB].<br />
<br />
=== Identify an Internet Service ID ===<br />
<br />
# diagnose internet-service id | grep <name_of_service><br />
<br />
=== List IPs and ports allowed by an Internet Service ===<br />
<br />
# diagnose internet-service id <ID><br />
<br />
=== Check in which Internet Service an IP address or subnet is involved ===<br />
<br />
# diagnose internet-service match root <ip> <netmask><br />
<br />
=== Check if flow for some protocols are opened to some destination IPs ===<br />
<br />
# diagnose internet-service info root <proto> <port> <IP><br />
<br />
Proto:<br />
* 17: UDP<br />
* 6: TCP<br />
<br />
Result if found:<br />
<br />
Internet Service: <ID and name of the service><br />
<br />
Result if not found: <br />
<br />
Can not find Internet Service ID and name. ret=-1<br />
<br />
[[Category:Fortigate]]<br />
[[Category:Commande]]<br />
[[Category:Howto]]<br />
[[Category:Reseau]]<br />
[[Category:Réseau]]<br />
[[Category:Network]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=FORTIGATE_-_Useful_CLI_commands&diff=813FORTIGATE - Useful CLI commands2022-10-24T14:05:11Z<p>Jules : /* Internet Services */</p>
<hr />
<div>= Introduction =<br />
<br />
This article will gather some useful CLI commands for Fortigate firewalls configuration and diagnostic.<br />
<br />
= Toolbox =<br />
<br />
== Filter ==<br />
<br />
Any command result can be filtered like in a linux shell, using pipe and grep:<br />
<br />
# <command> | grep <pattern><br />
<br />
== Show a configuration when configuring ==<br />
<br />
# config <menu> <submenu><br />
<submenu># show<br />
<br />
== List device interfaces ==<br />
<br />
# show system interface<br />
<br />
== IPsec tunnel establishment diagnostic ==<br />
<br />
# diag debug application ike -1<br />
# diag debug enable<br />
# diag vpn ike log-filter name <name_of_a_IPSec_tunnel><br />
<br />
== Indentify tunnel and filter list ==<br />
<br />
# diag vpn ike log-filter list<br />
<br />
== Debug disable ==<br />
<br />
# diag debug disable<br />
<br />
== Firewalling ==<br />
<br />
=== Addresses management ===<br />
<br />
# config firewall address<br />
# edit "<name_of_object>"<br />
# set subnet <ip> <netmask><br />
# next<br />
# end<br />
<br />
=== Address groups management ===<br />
<br />
# config firewall addrgrp<br />
# edit "<group_name>"<br />
# set member "<address_object_1>" ... "<address_object_n>"<br />
# set comment "<your_comment>"<br />
# next<br />
# end<br />
<br />
=== Custom service management ===<br />
<br />
# config firewall service custom<br />
# edit "<name_of_custom_service>"<br />
# set comment "<your_comment>"<br />
# set tcp-portrange <portStart>[-<portEnd>]<br />
# next<br />
# end<br />
<br />
=== Service group management ===<br />
<br />
# config firewall service group<br />
# edit "<service_group_name>"<br />
# set member "<member1>" ... "<membern>"<br />
# set comment "<your_comment>"<br />
# next<br />
# end<br />
<br />
=== Policy management ===<br />
<br />
# config firewall policy<br />
# edit 0<br />
# set srcintf "<name_of_source_itf>"<br />
# set dstintf "<name_of_dest_itf>"<br />
# set srcaddr "all"|"<address_or_group>"<br />
# set dstaddr "<address_or_group>"<br />
# set action accept<br />
# set schedule "always"<br />
# set service "<service_or_servicegroup>"<br />
# set utm-status enable<br />
# set logtraffic all<br />
# set ips-sensor "<ips_configuration_profile>"<br />
# set ssl-ssh-profile "<inspection_configuration_profile>"<br />
# set nat enable|disable<br />
# next<br />
# end<br />
<br />
== Routing ==<br />
<br />
=== See all routes (whatever the protocol being used) ===<br />
<br />
# get router info routing-table all<br />
<br />
'''NB:''' you can replace "all" with "bgp" or "static" or "ospf" to list only those routes.<br />
<br />
=== See all BGP neighbors ===<br />
<br />
# get router info bgp neighbors<br />
<br />
or<br />
<br />
# get router info bgp summary<br />
<br />
=== See advertised routes from a neighbor ===<br />
<br />
# get router info bgp neighbors <neighbor_IP> advertised-routes<br />
<br />
=== See received routes from a neighbor ===<br />
<br />
# get router info bgp neighbors <neighbor_IP> received-routes<br />
<br />
=== Enable soft reconfiguration ===<br />
<br />
# config router bgp<br />
# edit "<neighbor_IP>"<br />
# set soft-reconfiguration enable<br />
# next<br />
# end<br />
<br />
=== Disable network-import-check ===<br />
<br />
See [https://community.fortinet.com/t5/Fortinet-Forum/Advertising-BGP-routes/m-p/203989 this article] for information on the use case.<br />
<br />
# config router bgp<br />
# set network-import-check disable<br />
<br />
'''NB:''' this is not a best practice, prefer to announce some network (and network ranges) according to existing routes on the device.<br />
<br />
== Internet Services ==<br />
<br />
=== Links ===<br />
<br />
* [https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/849970/policy-with-internet-service Fortinet Docs Policy with Internet Service].<br />
* [https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-search-ISDB-using-IP-address/ta-p/193111?externalID=FD46122 Community article on how to search ISDB using IP].<br />
* [https://community.fortinet.com/t5/FortiGate/Technical-Note-Internet-Service-Database-List-of-services-IP/ta-p/192757?externalID=FD40491 Community article on ISDB].<br />
<br />
=== Identify an Internet Service ID ===<br />
<br />
# diagnose internet-service id | grep <name_of_service><br />
<br />
=== List IPs and ports allowed by an Internet Service ===<br />
<br />
# diagnose internet-service id <ID><br />
<br />
=== Check in which Internet Service an IP address or subnet is involved ===<br />
<br />
# diagnose internet-service match root <ip> <netmask><br />
<br />
<br />
[[Category:Fortigate]]<br />
[[Category:Commande]]<br />
[[Category:Howto]]<br />
[[Category:Reseau]]<br />
[[Category:Réseau]]<br />
[[Category:Network]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=FORTIGATE_-_Useful_CLI_commands&diff=812FORTIGATE - Useful CLI commands2022-10-24T14:04:00Z<p>Jules : /* Internet Services */</p>
<hr />
<div>= Introduction =<br />
<br />
This article will gather some useful CLI commands for Fortigate firewalls configuration and diagnostic.<br />
<br />
= Toolbox =<br />
<br />
== Filter ==<br />
<br />
Any command result can be filtered like in a linux shell, using pipe and grep:<br />
<br />
# <command> | grep <pattern><br />
<br />
== Show a configuration when configuring ==<br />
<br />
# config <menu> <submenu><br />
<submenu># show<br />
<br />
== List device interfaces ==<br />
<br />
# show system interface<br />
<br />
== IPsec tunnel establishment diagnostic ==<br />
<br />
# diag debug application ike -1<br />
# diag debug enable<br />
# diag vpn ike log-filter name <name_of_a_IPSec_tunnel><br />
<br />
== Indentify tunnel and filter list ==<br />
<br />
# diag vpn ike log-filter list<br />
<br />
== Debug disable ==<br />
<br />
# diag debug disable<br />
<br />
== Firewalling ==<br />
<br />
=== Addresses management ===<br />
<br />
# config firewall address<br />
# edit "<name_of_object>"<br />
# set subnet <ip> <netmask><br />
# next<br />
# end<br />
<br />
=== Address groups management ===<br />
<br />
# config firewall addrgrp<br />
# edit "<group_name>"<br />
# set member "<address_object_1>" ... "<address_object_n>"<br />
# set comment "<your_comment>"<br />
# next<br />
# end<br />
<br />
=== Custom service management ===<br />
<br />
# config firewall service custom<br />
# edit "<name_of_custom_service>"<br />
# set comment "<your_comment>"<br />
# set tcp-portrange <portStart>[-<portEnd>]<br />
# next<br />
# end<br />
<br />
=== Service group management ===<br />
<br />
# config firewall service group<br />
# edit "<service_group_name>"<br />
# set member "<member1>" ... "<membern>"<br />
# set comment "<your_comment>"<br />
# next<br />
# end<br />
<br />
=== Policy management ===<br />
<br />
# config firewall policy<br />
# edit 0<br />
# set srcintf "<name_of_source_itf>"<br />
# set dstintf "<name_of_dest_itf>"<br />
# set srcaddr "all"|"<address_or_group>"<br />
# set dstaddr "<address_or_group>"<br />
# set action accept<br />
# set schedule "always"<br />
# set service "<service_or_servicegroup>"<br />
# set utm-status enable<br />
# set logtraffic all<br />
# set ips-sensor "<ips_configuration_profile>"<br />
# set ssl-ssh-profile "<inspection_configuration_profile>"<br />
# set nat enable|disable<br />
# next<br />
# end<br />
<br />
== Routing ==<br />
<br />
=== See all routes (whatever the protocol being used) ===<br />
<br />
# get router info routing-table all<br />
<br />
'''NB:''' you can replace "all" with "bgp" or "static" or "ospf" to list only those routes.<br />
<br />
=== See all BGP neighbors ===<br />
<br />
# get router info bgp neighbors<br />
<br />
or<br />
<br />
# get router info bgp summary<br />
<br />
=== See advertised routes from a neighbor ===<br />
<br />
# get router info bgp neighbors <neighbor_IP> advertised-routes<br />
<br />
=== See received routes from a neighbor ===<br />
<br />
# get router info bgp neighbors <neighbor_IP> received-routes<br />
<br />
=== Enable soft reconfiguration ===<br />
<br />
# config router bgp<br />
# edit "<neighbor_IP>"<br />
# set soft-reconfiguration enable<br />
# next<br />
# end<br />
<br />
=== Disable network-import-check ===<br />
<br />
See [https://community.fortinet.com/t5/Fortinet-Forum/Advertising-BGP-routes/m-p/203989 this article] for information on the use case.<br />
<br />
# config router bgp<br />
# set network-import-check disable<br />
<br />
'''NB:''' this is not a best practice, prefer to announce some network (and network ranges) according to existing routes on the device.<br />
<br />
== Internet Services ==<br />
<br />
=== Links ===<br />
<br />
* [https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-search-ISDB-using-IP-address/ta-p/193111?externalID=FD46122 Community article on how to search ISDB using IP].<br />
* [https://community.fortinet.com/t5/FortiGate/Technical-Note-Internet-Service-Database-List-of-services-IP/ta-p/192757?externalID=FD40491 Community article on ISDB].<br />
<br />
=== Identify an Internet Service ID ===<br />
<br />
# diagnose internet-service id | grep <name_of_service><br />
<br />
=== List IPs and ports allowed by an Internet Service ===<br />
<br />
# diagnose internet-service id <ID><br />
<br />
=== Check in which Internet Service an IP address or subnet is involved ===<br />
<br />
# diagnose internet-service match root <ip> <netmask><br />
<br />
<br />
[[Category:Fortigate]]<br />
[[Category:Commande]]<br />
[[Category:Howto]]<br />
[[Category:Reseau]]<br />
[[Category:Réseau]]<br />
[[Category:Network]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=FORTIGATE_-_Useful_CLI_commands&diff=811FORTIGATE - Useful CLI commands2022-10-24T13:55:30Z<p>Jules : </p>
<hr />
<div>= Introduction =<br />
<br />
This article will gather some useful CLI commands for Fortigate firewalls configuration and diagnostic.<br />
<br />
= Toolbox =<br />
<br />
== Filter ==<br />
<br />
Any command result can be filtered like in a linux shell, using pipe and grep:<br />
<br />
# <command> | grep <pattern><br />
<br />
== Show a configuration when configuring ==<br />
<br />
# config <menu> <submenu><br />
<submenu># show<br />
<br />
== List device interfaces ==<br />
<br />
# show system interface<br />
<br />
== IPsec tunnel establishment diagnostic ==<br />
<br />
# diag debug application ike -1<br />
# diag debug enable<br />
# diag vpn ike log-filter name <name_of_a_IPSec_tunnel><br />
<br />
== Indentify tunnel and filter list ==<br />
<br />
# diag vpn ike log-filter list<br />
<br />
== Debug disable ==<br />
<br />
# diag debug disable<br />
<br />
== Firewalling ==<br />
<br />
=== Addresses management ===<br />
<br />
# config firewall address<br />
# edit "<name_of_object>"<br />
# set subnet <ip> <netmask><br />
# next<br />
# end<br />
<br />
=== Address groups management ===<br />
<br />
# config firewall addrgrp<br />
# edit "<group_name>"<br />
# set member "<address_object_1>" ... "<address_object_n>"<br />
# set comment "<your_comment>"<br />
# next<br />
# end<br />
<br />
=== Custom service management ===<br />
<br />
# config firewall service custom<br />
# edit "<name_of_custom_service>"<br />
# set comment "<your_comment>"<br />
# set tcp-portrange <portStart>[-<portEnd>]<br />
# next<br />
# end<br />
<br />
=== Service group management ===<br />
<br />
# config firewall service group<br />
# edit "<service_group_name>"<br />
# set member "<member1>" ... "<membern>"<br />
# set comment "<your_comment>"<br />
# next<br />
# end<br />
<br />
=== Policy management ===<br />
<br />
# config firewall policy<br />
# edit 0<br />
# set srcintf "<name_of_source_itf>"<br />
# set dstintf "<name_of_dest_itf>"<br />
# set srcaddr "all"|"<address_or_group>"<br />
# set dstaddr "<address_or_group>"<br />
# set action accept<br />
# set schedule "always"<br />
# set service "<service_or_servicegroup>"<br />
# set utm-status enable<br />
# set logtraffic all<br />
# set ips-sensor "<ips_configuration_profile>"<br />
# set ssl-ssh-profile "<inspection_configuration_profile>"<br />
# set nat enable|disable<br />
# next<br />
# end<br />
<br />
== Routing ==<br />
<br />
=== See all routes (whatever the protocol being used) ===<br />
<br />
# get router info routing-table all<br />
<br />
'''NB:''' you can replace "all" with "bgp" or "static" or "ospf" to list only those routes.<br />
<br />
=== See all BGP neighbors ===<br />
<br />
# get router info bgp neighbors<br />
<br />
or<br />
<br />
# get router info bgp summary<br />
<br />
=== See advertised routes from a neighbor ===<br />
<br />
# get router info bgp neighbors <neighbor_IP> advertised-routes<br />
<br />
=== See received routes from a neighbor ===<br />
<br />
# get router info bgp neighbors <neighbor_IP> received-routes<br />
<br />
=== Enable soft reconfiguration ===<br />
<br />
# config router bgp<br />
# edit "<neighbor_IP>"<br />
# set soft-reconfiguration enable<br />
# next<br />
# end<br />
<br />
=== Disable network-import-check ===<br />
<br />
See [https://community.fortinet.com/t5/Fortinet-Forum/Advertising-BGP-routes/m-p/203989 this article] for information on the use case.<br />
<br />
# config router bgp<br />
# set network-import-check disable<br />
<br />
'''NB:''' this is not a best practice, prefer to announce some network (and network ranges) according to existing routes on the device.<br />
<br />
== Internet Services ==<br />
<br />
=== Identify an Internet Service ID ===<br />
<br />
# diagnose internet-service id | grep <name_of_service><br />
<br />
=== List IPs and ports allowed by an Internet Service ===<br />
<br />
# diagnose internet-service id <ID><br />
<br />
=== Check in which Internet Service an IP address or subnet is involved ===<br />
<br />
# diagnose internet-service match root <ip> <netmask><br />
<br />
<br />
[[Category:Fortigate]]<br />
[[Category:Commande]]<br />
[[Category:Howto]]<br />
[[Category:Reseau]]<br />
[[Category:Réseau]]<br />
[[Category:Network]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=FORTIGATE_-_Useful_CLI_commands&diff=810FORTIGATE - Useful CLI commands2022-10-06T10:20:14Z<p>Jules : </p>
<hr />
<div>= Introduction =<br />
<br />
This article will gather some useful CLI commands for Fortigate firewalls configuration and diagnostic.<br />
<br />
= Toolbox =<br />
<br />
== Filter ==<br />
<br />
Any command result can be filtered like in a linux shell, using pipe and grep:<br />
<br />
# <command> | grep <pattern><br />
<br />
== Show a configuration when configuring ==<br />
<br />
# config <menu> <submenu><br />
<submenu># show<br />
<br />
== List device interfaces ==<br />
<br />
# show system interface<br />
<br />
== IPsec tunnel establishment diagnostic ==<br />
<br />
# diag debug application ike -1<br />
# diag debug enable<br />
# diag vpn ike log-filter name <name_of_a_IPSec_tunnel><br />
<br />
== Indentify tunnel and filter list ==<br />
<br />
# diag vpn ike log-filter list<br />
<br />
== Debug disable ==<br />
<br />
# diag debug disable<br />
<br />
== Firewalling ==<br />
<br />
=== Addresses management ===<br />
<br />
# config firewall address<br />
# edit "<name_of_object>"<br />
# set subnet <ip> <netmask><br />
# next<br />
# end<br />
<br />
=== Address groups management ===<br />
<br />
# config firewall addrgrp<br />
# edit "<group_name>"<br />
# set member "<address_object_1>" ... "<address_object_n>"<br />
# set comment "<your_comment>"<br />
# next<br />
# end<br />
<br />
=== Custom service management ===<br />
<br />
# config firewall service custom<br />
# edit "<name_of_custom_service>"<br />
# set comment "<your_comment>"<br />
# set tcp-portrange <portStart>[-<portEnd>]<br />
# next<br />
# end<br />
<br />
=== Service group management ===<br />
<br />
# config firewall service group<br />
# edit "<service_group_name>"<br />
# set member "<member1>" ... "<membern>"<br />
# set comment "<your_comment>"<br />
# next<br />
# end<br />
<br />
=== Policy management ===<br />
<br />
# config firewall policy<br />
# edit 0<br />
# set srcintf "<name_of_source_itf>"<br />
# set dstintf "<name_of_dest_itf>"<br />
# set srcaddr "all"|"<address_or_group>"<br />
# set dstaddr "<address_or_group>"<br />
# set action accept<br />
# set schedule "always"<br />
# set service "<service_or_servicegroup>"<br />
# set utm-status enable<br />
# set logtraffic all<br />
# set ips-sensor "<ips_configuration_profile>"<br />
# set ssl-ssh-profile "<inspection_configuration_profile>"<br />
# set nat enable|disable<br />
# next<br />
# end<br />
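The policy block above is the one most worth reviewing after the fact: an accept rule with "all" on both sides and service "ALL", or one with logging or UTM left off, is what a reviewer wants to spot in a configuration dump. The following script is an added example, not code from the wiki page or from Fortinet; it parses the text that <code>show firewall policy</code> prints and flags those cases. <code>SAMPLE_CONFIG</code> is constructed for the example, and the option names it reads are the ones listed in the block above.

```python
# Added example (not code from the wiki page): a small audit of
# 'config firewall policy' blocks as printed by 'show firewall policy'.
# It flags accept rules matching any source, any destination and any
# service, rules without full traffic logging, and accept rules with
# UTM inspection left off. SAMPLE_CONFIG is constructed for this example.
import re

SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "LAN-to-WAN"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "LAN_NET"
        set dstaddr "all"
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ips-sensor "default"
        set logtraffic all
        set nat enable
    next
    edit 2
        set name "TEMP-ANY"
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set logtraffic utm
    next
    edit 3
        set name "DENY-GUEST"
        set srcintf "port3"
        set dstintf "port2"
        set action deny
        set srcaddr "GUEST_NET"
        set dstaddr "all"
        set service "ALL"
        set logtraffic all
    next
end
"""

_EDIT_RE = re.compile(r"^\s*edit\s+(\d+)\s*$")
_SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(.+?)\s*$")


def parse_policies(text):
    """Return {policy_id: {option: [values]}} for each 'edit N ... next' block."""
    policies = {}
    current = None
    for line in text.splitlines():
        m = _EDIT_RE.match(line)
        if m:
            current = {}
            policies[int(m.group(1))] = current
            continue
        if line.strip() == "next":
            current = None
            continue
        m = _SET_RE.match(line)
        if m and current is not None:
            option, raw = m.group(1), m.group(2)
            # Values are quoted names ("a" "b") or bare keywords (accept, all).
            current[option] = re.findall(r'"([^"]*)"', raw) or raw.split()
    return policies


def audit_policies(policies):
    """Return [(policy_id, finding), ...] in policy-id order.

    Options absent from the dump sit at their FortiOS defaults; an absent
    option is treated here as 'not explicitly set to the safe value'.
    """
    findings = []
    for pid, p in sorted(policies.items()):
        action = p.get("action", ["deny"])[0]
        any_to_any = (p.get("srcaddr") == ["all"] and p.get("dstaddr") == ["all"]
                      and p.get("service") == ["ALL"])
        if action == "accept" and any_to_any:
            findings.append((pid, "accept any-to-any on any service"))
        if p.get("logtraffic", [""])[0] != "all":
            findings.append((pid, "logtraffic is not 'all'"))
        if action == "accept" and p.get("utm-status", [""])[0] != "enable":
            findings.append((pid, "accept without UTM inspection"))
    return findings


if __name__ == "__main__":
    for pid, finding in audit_policies(parse_policies(SAMPLE_CONFIG)):
        print(f"policy {pid}: {finding}")
```

Run it against a real dump by replacing <code>SAMPLE_CONFIG</code> with the captured text of <code>show firewall policy</code>; only policy 2 in the sample produces findings, since policy 1 logs everything and inspects with UTM, and policy 3 is a deny rule.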
<br />
== Routing ==<br />
<br />
=== See all routes (whatever the protocol being used) ===<br />
<br />
# get router info routing-table all<br />
<br />
'''NB:''' replace "all" with "bgp", "static" or "ospf" to list only the routes of that protocol.<br />
<br />
=== See all BGP neighbors ===<br />
<br />
# get router info bgp neighbors<br />
<br />
or<br />
<br />
# get router info bgp summary<br />
<br />
=== See advertised routes from a neighbor ===<br />
<br />
# get router info bgp neighbors <neighbor_IP> advertised-routes<br />
<br />
=== See received routes from a neighbor ===<br />
<br />
# get router info bgp neighbors <neighbor_IP> received-routes<br />
<br />
=== Enable soft reconfiguration ===<br />
<br />
# config router bgp<br />
# edit "<neighbor_IP>"<br />
# set soft-reconfiguration enable<br />
# next<br />
# end<br />
<br />
=== Disable network-import-check ===<br />
<br />
See [https://community.fortinet.com/t5/Fortinet-Forum/Advertising-BGP-routes/m-p/203989 this article] for information on the use case.<br />
<br />
# config router bgp<br />
# set network-import-check disable<br />
<br />
'''NB:''' this is not a best practice; prefer to announce only networks (and network ranges) that match existing routes on the device.<br />
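To see what network-import-check protects against, the following added example (not code from the wiki page or from Fortinet) replays the check offline: it parses constructed samples of <code>get router info routing-table all</code> output and of the <code>config network</code> part of a BGP configuration, and reports which <code>network</code> statements have no matching route, i.e. the prefixes that would be advertised to neighbors without being reachable once the check is disabled. The helper names are hypothetical, and the check is modelled as an exact prefix match, which is an assumption of this example.

```python
# Added example (not code from the wiki page): replay FortiOS's
# network-import-check offline on captured CLI text. Both samples are
# constructed; the exact-match rule below is this example's model of the
# check, not a FortiOS API.
import ipaddress
import re

ROUTING_TABLE = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.0.2.1, port1
C       192.0.2.0/24 is directly connected, port1
C       10.10.0.0/24 is directly connected, port2
S       10.20.0.0/16 [10/0] via 10.10.0.254, port2
B       172.16.0.0/12 [20/0] via 198.51.100.2, port3, 00:12:34
"""

BGP_CONFIG = """\
config router bgp
    set as 65001
    set network-import-check enable
    config network
        edit 1
            set prefix 10.10.0.0 255.255.255.0
        next
        edit 2
            set prefix 10.20.0.0 255.255.0.0
        next
        edit 3
            set prefix 10.30.0.0 255.255.255.0
        next
    end
end
"""

_PREFIX_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}")
_SET_PREFIX_RE = re.compile(r"^\s*set prefix\s+(\S+)\s+(\S+)\s*$")


def parse_routing_table(text):
    """Return [(route_code, IPv4Network), ...] for each installed route line."""
    routes = []
    for line in text.splitlines():
        # Legend lines start with 'Codes:' or whitespace; route lines start
        # with the protocol code (S, C, B, S*, ...).
        if not line or line.startswith("Codes:") or line[0].isspace():
            continue
        m = _PREFIX_RE.search(line)
        if m:
            code = line[: m.start()].strip()
            routes.append((code, ipaddress.ip_network(m.group(0), strict=False)))
    return routes


def parse_bgp_networks(text):
    """Return the IPv4 networks declared with 'set prefix <ip> <mask>'."""
    nets = []
    for line in text.splitlines():
        m = _SET_PREFIX_RE.match(line)
        if m:
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets


def network_import_check(networks, routes):
    """Hypothetical helper: split BGP network statements into those backed by
    an exact matching route (advertised) and those without one (held back
    while network-import-check is enabled)."""
    installed = {net for _, net in routes}
    advertised = [n for n in networks if n in installed]
    held_back = [n for n in networks if n not in installed]
    return advertised, held_back


if __name__ == "__main__":
    ok, blocked = network_import_check(parse_bgp_networks(BGP_CONFIG),
                                       parse_routing_table(ROUTING_TABLE))
    print("advertised:", [str(n) for n in ok])
    print("held back (no matching route):", [str(n) for n in blocked])
```

In the sample, 10.10.0.0/24 and 10.20.0.0/16 are backed by a connected and a static route, while 10.30.0.0/24 is not; with the check disabled that last prefix would be announced to peers and the traffic it attracts would have nowhere to go on this device.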
<br />
[[Category:Fortigate]]<br />
[[Category:Commande]]<br />
[[Category:Howto]]<br />
[[Category:Reseau]]<br />
[[Category:Réseau]]<br />
[[Category:Network]]</div>Juleshttps://wiki.pedrono.fr/index.php?title=FORTIGATE_-_Useful_CLI_commands&diff=809FORTIGATE - Useful CLI commands2022-10-05T10:33:38Z<p>Jules : </p>
<hr />
<div></div>Juleshttps://wiki.pedrono.fr/index.php?title=FORTIGATE_-_Useful_CLI_commands&diff=808FORTIGATE - Useful CLI commands2022-10-05T10:26:23Z<p>Jules : </p>
<hr />
<div></div>Juleshttps://wiki.pedrono.fr/index.php?title=FORTIGATE_-_Useful_CLI_commands&diff=807FORTIGATE - Useful CLI commands2022-10-05T10:13:05Z<p>Jules : </p>
<hr />
<div></div>Jules