FORTIGATE - Useful CLI commands
From PedroWiki
Latest revision as of 28 February 2024, 10:24
Introduction
This article will gather some useful CLI commands for Fortigate firewalls configuration and diagnostic.
Useful Resources
- Tutorial for DHCP relay over an IPSec tunnel: https://www.youtube.com/watch?v=Tf8FEsq_qNc
Toolbox
Filter
Any command output can be filtered as in a Linux shell, by piping it to grep:
# <command> | grep <pattern>
Show a configuration when configuring
# config <menu> <submenu>
<submenu># show
To see the options left at their default value as well:
# show fu
(fu is the abbreviated form of full-configuration)
List device interfaces
# show system interface
Debug
See this debug cheat sheet: https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc, or this one from the Fortinet Community: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPNs-tunnels/ta-p/195955
# diag vpn tunnel list name <name_of_tunnel>
IPsec tunnel establishment diagnostic
Phase1
# diag debug application ike -1
# diag vpn ike log-filter name <name_of_a_IPSec_tunnel>
or
# diag vpn ike log-filter dst-addr4 <remote_IP>
# diag debug app ike 255
and then
# diag debug enable
Identify tunnel and filter list
# get vpn ipsec tunnel summary
# diag vpn ike log-filter list
Debug disable
# diag debug disable
Firewalling
Addresses management
# config firewall address
# edit "<name_of_object>"
# set subnet <ip> <netmask>
# next
# end
Address groups management
# config firewall addrgrp
# edit "<group_name>"
# set member "<address_object_1>" ... "<address_object_n>"
# set comment "<your_comment>"
# next
# end
Custom service management
# config firewall service custom
# edit "<name_of_custom_service>"
# set comment "<your_comment>"
# set tcp-portrange <portStart>[-<portEnd>]
# next
# end
Service group management
# config firewall service group
# edit "<service_group_name>"
# set member "<member1>" ... "<membern>"
# set comment "<your_comment>"
# next
# end
Policy management
# show firewall policy
# config firewall policy
# edit 0
# set srcintf "<name_of_source_itf>"
# set dstintf "<name_of_dest_itf>"
# set srcaddr "all"|"<address_or_group>"
# set dstaddr "<address_or_group>"
# set action accept
# set schedule "always"
# set service "<service_or_servicegroup>"
# set utm-status enable
# set logtraffic all
# set ips-sensor "<ips_configuration_profile>"
# set ssl-ssh-profile "<inspection_configuration_profile>"
# set nat enable|disable
# next
# end
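As an added example (not part of the wiki page), the following Python script emits the address and policy stanzas above from a small dict, in the same keyword order, and flags any-to-any, service-ALL or NAT-from-anywhere policies before the text is pasted into the CLI. The dict keys, the check rules and the sample values are assumptions of this example; the FortiOS keywords are the page's own.

```python
# Added example, not from the wiki: builds the FortiOS stanzas listed above
# from a Python dict and runs least-privilege checks before the text is
# pasted into the CLI. The FortiOS keywords are the page's own; the dict
# keys and the check rules are this example's.
from typing import Dict, List

def address_stanza(name: str, ip: str, netmask: str) -> str:
    """'config firewall address' block for one host or subnet object."""
    return "\n".join([
        "config firewall address",
        f'    edit "{name}"',
        f"        set subnet {ip} {netmask}",
        "    next",
        "end",
    ])

def policy_stanza(p: Dict[str, str]) -> str:
    """'config firewall policy' block, keys in the page's order; 'edit 0'
    lets FortiOS assign the next free policy ID."""
    return "\n".join([
        "config firewall policy",
        "    edit 0",
        f'        set srcintf "{p["srcintf"]}"',
        f'        set dstintf "{p["dstintf"]}"',
        f'        set srcaddr "{p["srcaddr"]}"',
        f'        set dstaddr "{p["dstaddr"]}"',
        f"        set action {p.get('action', 'accept')}",
        '        set schedule "always"',
        f'        set service "{p["service"]}"',
        "        set utm-status enable",
        "        set logtraffic all",
        f'        set ips-sensor "{p["ips-sensor"]}"',
        f'        set ssl-ssh-profile "{p["ssl-ssh-profile"]}"',
        f"        set nat {p.get('nat', 'disable')}",
        "    next",
        "end",
    ])

def policy_warnings(p: Dict[str, str]) -> List[str]:
    """Flag overly broad policies ('all' and 'ALL' are FortiOS built-ins)."""
    warnings = []
    if p["srcaddr"] == "all" and p["dstaddr"] == "all":
        warnings.append("any-to-any: both srcaddr and dstaddr are 'all'")
    if p["service"].upper() == "ALL":
        warnings.append("service ALL: restrict to a service object or group")
    if p.get("nat") == "enable" and p["srcaddr"] == "all":
        warnings.append("NAT enabled for an unrestricted source address")
    return warnings
```

Paste the returned text into the CLI only when policy_warnings() comes back empty, then confirm the result with "show firewall policy".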
Routing
See all routes (whatever the protocol being used)
# get router info routing-table all
NB: you can replace "all" with "bgp" or "static" or "ospf" to list only those routes.
See all BGP neighbors
# get router info bgp neighbors
or
# get router info bgp summary
See advertised routes from a neighbor
# get router info bgp neighbors <neighbor_IP> advertised-routes
See received routes from a neighbor
# get router info bgp neighbors <neighbor_IP> received-routes
Enable soft reconfiguration
# config router bgp
# edit "<neighbor_IP>"
# set soft-reconfiguration enable
# next
# end
Disable network-import-check
See this article for information on the use case: https://community.fortinet.com/t5/Fortinet-Forum/Advertising-BGP-routes/m-p/203989
# config router bgp
# set network-import-check disable
# end
NB: this is not a best practice; prefer to announce only networks (and network ranges) that match existing routes on the device.
Internet Services
Links
- Fortinet Docs, Policy with Internet Service: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/849970/policy-with-internet-service
- Protocol numbers: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/451530/protocol-number
- Community article on how to search the ISDB using an IP address: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-search-ISDB-using-IP-address/ta-p/193111?externalID=FD46122
- Community article on the ISDB: https://community.fortinet.com/t5/FortiGate/Technical-Note-Internet-Service-Database-List-of-services-IP/ta-p/192757?externalID=FD40491
Identify an Internet Service ID
# diagnose internet-service id | grep <name_of_service>
List IPs and ports allowed by an Internet Service
# diagnose internet-service id <ID>
Check in which Internet Service an IP address or subnet is involved
# diagnose internet-service match root <ip> <netmask>
Check whether a protocol/port flow to a destination IP is covered by an Internet Service
# diagnose internet-service info root <proto> <port> <IP>
Proto (IP protocol number):
- 17: UDP
- 6: TCP
Result if found:
Internet Service: <ID and name of the service>
Result if not found:
Can not find Internet Service ID and name. ret=-1