Version du 24 octobre 2022 à 14:05

Sommaire

1 Introduction
2 Toolbox

Introduction

This article will gather some useful CLI commands for Fortigate firewalls configuration and diagnostic.

Toolbox

Filter

Any command result can be filtered like in a linux shell, using pipe and grep:

# <command> | grep <pattern>

Show a configuration when configuring

# config <menu> <submenu>
<submenu># show

List device interfaces

# show system interface

IPsec tunnel establishment diagnostic

# diag debug application ike -1
# diag debug enable
# diag vpn ike log-filter name <name_of_a_IPSec_tunnel>

Indentify tunnel and filter list

# diag vpn ike log-filter list

Debug disable

# diag debug disable

Firewalling

Addresses management

# config firewall address
# edit "<name_of_object>"
# set subnet <ip> <netmask>
# next
# end

Address groups management

# config firewall addrgrp
# edit "<group_name>"
# set member "<address_object_1>" ... "<address_object_n>"
# set comment "<your_comment>"
# next
# end

Custom service management

# config firewall service custom
# edit "<name_of_custom_service>"
# set comment "<your_comment>"
# set tcp-portrange <portStart>[-<portEnd>]
# next
# end

Service group management

# config firewall service group
# edit "<service_group_name>"
# set member "<member1>" ... "<membern>"
# set comment "<your_comment>"
# next
# end

Policy management

# config firewall policy
# edit 0
# set srcintf "<name_of_source_itf>"
# set dstintf "<name_of_dest_itf>"
# set srcaddr "all"|"<address_or_group>"
# set dstaddr "<address_or_group>"
# set action accept
# set schedule "always"
# set service "<service_or_servicegroup>"
# set utm-status enable
# set logtraffic all
# set ips-sensor "<ips_configuration_profile>"
# set ssl-ssh-profile "<inspection_configuration_profile>"
# set nat enable|disable
# next
# end

Routing

See all routes (whatever the protocol being used)

# get router info routing-table all

NB: you can replace "all" with "bgp" or "static" or "ospf" to list only those routes.

See all BGP neighbors

# get router info bgp neighbors

or

# get router info bgp summary

See advertised routes from a neighbor

# get router info bgp neighbors <neighbor_IP> advertised-routes

See received routes from a neighbor

# get router info bgp neighbors <neighbor_IP> received-routes

Enable soft reconfiguration

# config router bgp
# edit "<neighbor_IP>"
# set soft-reconfiguration enable
# next
# end

Disable network-import-check

See this article for information on the use case.

# config router bgp
# set network-import-check disable

NB: this is not a best practice, prefer to announce some network (and network ranges) according to existing routes on the device.

Internet Services

Links

Identify an Internet Service ID

# diagnose internet-service id | grep <name_of_service>

List IPs and ports allowed by an Internet Service

# diagnose internet-service id <ID>

Check in which Internet Service an IP address or subnet is involved

# diagnose internet-service match root <ip> <netmask>

@@ Ligne 135 : / Ligne 135 : @@
 === Links ===
+* [https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/849970/policy-with-internet-service Fortinet Docs Policy with Internet Service].
 * [https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-search-ISDB-using-IP-address/ta-p/193111?externalID=FD46122 Community article on how to search ISDB using IP].
 * [https://community.fortinet.com/t5/FortiGate/Technical-Note-Internet-Service-Database-List-of-services-IP/ta-p/192757?externalID=FD40491 Community article on ISDB].

FORTIGATE - Useful CLI commands : Différence entre versions