FORTIGATE - Useful CLI commands

From PedroWiki
Current version dated 28 February 2024 at 10:24

Introduction

This article gathers useful CLI commands for FortiGate firewall configuration and diagnostics.

Useful Resources

* Tutorial for DHCP relay over an IPsec tunnel: https://www.youtube.com/watch?v=Tf8FEsq_qNc

Toolbox

Filter

The output of any command can be filtered as in a Linux shell, with a pipe and grep:

# <command> | grep <pattern>

The FortiOS grep accepts -i (ignore case), -v (invert match), -c (count) and -A/-B/-C (lines of context after/before/around a match), which helps when searching long "show full-configuration" output.

Show the current configuration while configuring

# config <menu> <submenu>
<submenu># show

"show" omits settings that are still at their default value. To print those as well, use "show full-configuration", which can be abbreviated:

# show fu

List device interfaces

# show system interface

Debug

See this debug cheatsheet: https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc

Or this one from Fortinet Community: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPNs-tunnels/ta-p/195955

List the Phase 2 selectors and SA state of one tunnel (a tunnel whose Phase 1 is up but whose Phase 2 never negotiates shows no SAs here):

# diag vpn tunnel list name <name_of_tunnel>

IPsec tunnel establishment diagnostic

Phase1

Restrict the IKE debug to a single tunnel before enabling output; an unfiltered IKE debug on a firewall carrying many tunnels floods the console. Filter by tunnel name:

# diag debug application ike -1
# diag vpn ike log-filter name <name_of_a_IPSec_tunnel>

or by remote gateway address (-1 and 255 are equivalent and select every IKE debug level):

# diag vpn ike log-filter dst-addr4 <remote_IP>
# diag debug app ike 255

and then start the output:

# diag debug enable

Identify tunnel and filter list

# get vpn ipsec tunnel summary
# diag vpn ike log-filter list

Debug disable

# diag debug disable
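The whole procedure above, from a clean debug state to a confirmed tunnel, as an added example that is not part of the original page. The Phase 1 name to-branch1, the peer address 203.0.113.10 and the failure strings quoted in the comments are assumptions for illustration; lines beginning with # are explanatory comments, not commands.

```fortios
# Added example: filtered Phase 1 (IKE) debug session for one tunnel.
# Assumed names: Phase 1 "to-branch1", remote gateway 203.0.113.10.

# 1. Start clean: drop earlier debug flags and any leftover IKE filter.
diagnose debug reset
diagnose vpn ike log-filter clear

# 2. Filter BEFORE enabling output, otherwise every tunnel on the box
#    is traced at once. Either the Phase 1 name or the peer address works.
diagnose vpn ike log-filter name to-branch1
# diagnose vpn ike log-filter dst-addr4 203.0.113.10

# 3. Select every IKE debug level (-1 and 255 are equivalent) and add
#    timestamps so the trace can be correlated with the peer's logs.
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable

# 4. Force a fresh negotiation instead of waiting for the next rekey:
#    flush the existing Phase 1 SA, then send traffic that matches the
#    tunnel selectors (or let the peer initiate).
diagnose vpn ike gateway flush name to-branch1

# 5. Read the trace. Typical markers: "no proposal chosen" (proposal or
#    DH group mismatch), "probable pre-shared secret mismatch" / "PSK auth
#    failed" (wrong key), or a retransmit loop with no reply (IKE blocked
#    in transit, wrong peer address, or peer down).

# 6. Confirm the result: Phase 1 SA present, then Phase 2 SAs and
#    selectors for the same tunnel.
diagnose vpn ike gateway list name to-branch1
diagnose vpn tunnel list name to-branch1

# 7. Always stop the debug and clear the filter when done; an enabled
#    debug keeps consuming CPU and console bandwidth after you log out.
diagnose debug disable
diagnose vpn ike log-filter clear
diagnose debug reset
```

Newer FortiOS releases (7.4 onwards) renamed the filter to "diagnose vpn ike log filter" and its address keywords (for example rem-addr4 in place of dst-addr4); check the exact syntax on your build with "diagnose vpn ike ?".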

Firewalling

Addresses management

# config firewall address
# edit "<name_of_object>"
# set subnet <ip> <netmask>
# next
# end

Address groups management

# config firewall addrgrp
# edit "<group_name>"
# set member "<address_object_1>" ... "<address_object_n>"
# set comment "<your_comment>"
# next
# end

Custom service management

# config firewall service custom
# edit "<name_of_custom_service>"
# set comment "<your_comment>"
# set tcp-portrange <portStart>[-<portEnd>]
# next
# end

Service group management

# config firewall service group
# edit "<service_group_name>"
# set member "<member1>" ... "<membern>"
# set comment "<your_comment>"
# next
# end

Policy management

# show firewall policy
# config firewall policy
# edit 0
# set srcintf "<name_of_source_itf>"
# set dstintf "<name_of_dest_itf>"
# set srcaddr "all"|"<address_or_group>"
# set dstaddr "<address_or_group>"
# set action accept
# set schedule "always"
# set service "<service_or_servicegroup>"
# set utm-status enable
# set logtraffic all
# set ips-sensor "<ips_configuration_profile>"
# set ssl-ssh-profile "<inspection_configuration_profile>"
# set nat enable|disable
# next
# end
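The object, service and policy fragments above put together into one concrete rule, followed by the check a practitioner would run to prove a sample flow really matches it. This is an added example, not configuration from the original page: every object name, address, policy id and interface name (port2 as LAN, port3 as DMZ) is assumed; "HTTPS", "certificate-inspection" and "default" are built-in FortiOS objects. Lines beginning with # are comments.

```fortios
# Added example: objects, services and a LAN -> DMZ policy, then a check
# that a sample flow hits it. Names, addresses, ids and interfaces assumed.

config firewall address
    edit "lan-workstations"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "dmz-web-01"
        set subnet 10.10.20.5 255.255.255.255
    next
end

config firewall addrgrp
    edit "dmz-web-servers"
        set member "dmz-web-01"
        set comment "Public web tier"
    next
end

config firewall service custom
    edit "tcp-8443"
        set comment "Web admin console"
        set tcp-portrange 8443
    next
end

config firewall service group
    edit "web-and-admin"
        set member "HTTPS" "tcp-8443"
        set comment "Browsing plus admin console"
    next
end

# "edit 0" lets the firewall allocate the next free policy id.
# Explicit srcaddr rather than "all": a policy that accepts from "all"
# with NAT enabled is the classic over-broad rule.
config firewall policy
    edit 0
        set name "lan-to-dmz-web"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "lan-workstations"
        set dstaddr "dmz-web-servers"
        set action accept
        set schedule "always"
        set service "web-and-admin"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set logtraffic all
        set nat disable
        set comments "Workstations to DMZ web tier, IPS on"
    next
end

# A new policy is appended at the bottom of the table. Lookup is top-down,
# first match wins, so move it above any broader rule that would shadow it
# (policy ids 7 and 3 are assumed here).
show firewall policy | grep -B 1 lan-to-dmz-web
config firewall policy
    move 7 before 3
end

# Verify with a simulated lookup rather than by reading the table:
# src ip, src port, dst ip, dst port, protocol (6 = TCP), ingress interface.
# The answer names the matched policy id (7 in this assumed setup).
diagnose firewall iprope lookup 192.168.10.25 40000 10.10.20.5 8443 6 port2
```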

Routing

See all routes (whatever the protocol being used)

# get router info routing-table all

NB: you can replace "all" with "bgp" or "static" or "ospf" to list only those routes.

See all BGP neighbors

# get router info bgp neighbors

or

# get router info bgp summary

See advertised routes from a neighbor

# get router info bgp neighbors <neighbor_IP> advertised-routes

See received routes from a neighbor

# get router info bgp neighbors <neighbor_IP> received-routes

Enable soft reconfiguration

Soft reconfiguration is a per-neighbor setting, so the neighbor must be selected inside the neighbor table. With it enabled the firewall keeps a copy of the routes received from that neighbor before inbound filtering, which is what "received-routes" above displays; without it that command has nothing to show.

# config router bgp
# config neighbor
# edit "<neighbor_IP>"
# set soft-reconfiguration enable
# next
# end
# end

Disable network-import-check

See this article for information on the use case.

# config router bgp
# set network-import-check disable
# end

NB: this is not a best practice. By default a "network" entry is only advertised while a matching route exists in the routing table; disabling the check lets the firewall announce prefixes it cannot actually route, attracting traffic it will then drop. Prefer announcing networks (and ranges) that correspond to routes present on the device.
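A complete BGP peering that ties the fragments of this section together and adds what a security-minded deployment needs on top of them: explicit inbound and outbound prefix filtering, a prefix ceiling, soft reconfiguration for the "received-routes" check, and network-import-check left at its default. This is an added example, not configuration from the original page; the AS numbers, addresses, prefix-list names and prefixes are assumptions. Lines beginning with # are comments.

```fortios
# Added example: BGP neighbor with prefix filtering, max-prefix and
# soft reconfiguration. ASNs, addresses and list names are assumed.

# Only accept and announce what is intended; the final rule denies the rest.
config router prefix-list
    edit "pl-from-peer"
        config rule
            edit 1
                set prefix 172.16.0.0 255.255.0.0
                set le 24
            next
            edit 2
                set prefix any
                set action deny
            next
        end
    next
    edit "pl-to-peer"
        config rule
            edit 1
                set prefix 10.0.0.0 255.255.0.0
            next
            edit 2
                set prefix any
                set action deny
            next
        end
    next
end

# network-import-check stays at its default (enable): the network entry
# below is announced only while a matching route is in the routing table.
config router bgp
    set as 65010
    set router-id 10.0.0.1
    config neighbor
        edit "198.51.100.2"
            set remote-as 65020
            set soft-reconfiguration enable
            set prefix-list-in "pl-from-peer"
            set prefix-list-out "pl-to-peer"
            set maximum-prefix 500
        next
    end
    config network
        edit 1
            set prefix 10.0.0.0 255.255.0.0
        next
    end
end

# Checks: session state, what the peer sent before filtering (needs
# soft-reconfiguration), what survived into the routing table, and what
# we announce after the outbound prefix-list.
get router info bgp summary
get router info bgp neighbors 198.51.100.2 received-routes
get router info routing-table bgp
get router info bgp neighbors 198.51.100.2 advertised-routes
```

Comparing "received-routes" with "routing-table bgp" shows exactly which prefixes the inbound prefix-list dropped; if a prefix the peer is supposed to send is missing from both, the problem is on the peer side, not in the local filter.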

Internet Services

Links

* Fortinet Docs Policy with Internet Service: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/849970/policy-with-internet-service
* Protocol numbers: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/451530/protocol-number
* Community article on how to search ISDB using IP: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-search-ISDB-using-IP-address/ta-p/193111?externalID=FD46122
* Community article on ISDB: https://community.fortinet.com/t5/FortiGate/Technical-Note-Internet-Service-Database-List-of-services-IP/ta-p/192757?externalID=FD40491

Identify an Internet Service ID

# diagnose internet-service id | grep <name_of_service>

List IPs and ports allowed by an Internet Service

# diagnose internet-service id <ID>

Check which Internet Service(s) an IP address or subnet belongs to ("root" is the VDOM name; use your own VDOM if VDOMs are enabled)

# diagnose internet-service match root <ip> <netmask>

Check whether an Internet Service covers a given protocol, port and destination IP

# diagnose internet-service info root <proto> <port> <IP>

Proto is the IP protocol number:

  • 6: TCP
  • 17: UDP

Result if found:

Internet Service: <ID and name of the service>

Result if not found:

Can not find Internet Service ID and name. ret=-1