« FORTIGATE - Useful CLI commands »: difference between revisions
From PedroWiki
imported>Jules (No edit summary)  |  imported>Jules (No edit summary)
Line 33: | Line 33:
  # diag debug disable  |   # diag debug disable  | ||
== Firewalling ==  | |||
=== Addresses management ===  | |||
 # config firewall address  | |||
 # edit "<name_of_object>"  | |||
 # set subnet <ip> <netmask>  | |||
 # next  | |||
 # end  | |||
=== Address groups management ===  | |||
 # config firewall addrgrp  | |||
 # edit "<group_name>"  | |||
 # set member "<address_object_1>" ... "<address_object_n>"  | |||
 # set comment "<your_comment>"  | |||
 # next  | |||
 # end  | |||
=== Custom service management ===  | |||
 # config firewall service custom  | |||
 # edit "<name_of_custom_service>"  | |||
 # set comment "<your_comment>"  | |||
 # set tcp-portrange <portStart>[-<portEnd>]  | |||
 # next  | |||
 # end  | |||
=== Service group management ===  | |||
 # config firewall service group  | |||
 # edit "<service_group_name>"  | |||
 # set member "<member1>" ... "<membern>"  | |||
 # set comment "<your_comment>"  | |||
 # next  | |||
 # end  | |||
=== Policy management ===  | |||
 # config firewall policy  | |||
 # edit 0  | |||
 # set srcintf "<name_of_source_itf>"  | |||
 # set dstintf "<name_of_dest_itf>"  | |||
 # set srcaddr "all"|"<address_or_group>"  | |||
 # set dstaddr "<address_or_group>"  | |||
 # set action accept  | |||
 # set schedule "always"  | |||
 # set service "<service_or_servicegroup>"  | |||
 # set utm-status enable  | |||
 # set logtraffic all  | |||
 # set ips-sensor "<ips_configuration_profile>"  | |||
 # set ssl-ssh-profile "<inspection_configuration_profile>"  | |||
 # set nat enable|disable  | |||
 # next  | |||
 # end  | |||
== Routing ==  | == Routing ==  | ||
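Review bot: in the Policy management block, `set srcaddr "all"|"<address_or_group>"` offers "all" as the first alternative right next to `set action accept`, while the rest of the template (`set utm-status enable`, `set logtraffic all`, `set ips-sensor`) reads as a hardened default; suggest listing the named object first and noting that "all" is a deliberate exception to be justified. A `set comments "<your_comment>"` line would also fit the policy block, since every other object template in the hunk already carries `set comment`.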
Revision as of 6 October 2022 at 10:20
Introduction
This article gathers some useful CLI commands for FortiGate firewall configuration and diagnostics.
Toolbox
Filter
Any command output can be filtered as in a Linux shell, using a pipe and grep:
# <command> | grep <pattern>
Show the current configuration while in a configuration menu
# config <menu> <submenu> <submenu>
# show
List device interfaces
# show system interface
IPsec tunnel establishment diagnostic
# diag debug application ike -1
# diag debug enable
# diag vpn ike log-filter name <name_of_a_IPSec_tunnel>
Identify the tunnel and list the current log filter
# diag vpn ike log-filter list
Debug disable
# diag debug disable
Firewalling
Addresses management
# config firewall address
# edit "<name_of_object>"
# set subnet <ip> <netmask>
# next
# end
Address groups management
# config firewall addrgrp
# edit "<group_name>"
# set member "<address_object_1>" ... "<address_object_n>"
# set comment "<your_comment>"
# next
# end
Custom service management
# config firewall service custom
# edit "<name_of_custom_service>"
# set comment "<your_comment>"
# set tcp-portrange <portStart>[-<portEnd>]
# next
# end
Service group management
# config firewall service group
# edit "<service_group_name>"
# set member "<member1>" ... "<membern>"
# set comment "<your_comment>"
# next
# end
Policy management
# config firewall policy
# edit 0
# set srcintf "<name_of_source_itf>"
# set dstintf "<name_of_dest_itf>"
# set srcaddr "all"|"<address_or_group>"
# set dstaddr "<address_or_group>"
# set action accept
# set schedule "always"
# set service "<service_or_servicegroup>"
# set utm-status enable
# set logtraffic all
# set ips-sensor "<ips_configuration_profile>"
# set ssl-ssh-profile "<inspection_configuration_profile>"
# set nat enable|disable
# next
# end
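As an added example that is not part of the original article: a small Python linter that parses the config/edit/set/next structure of a `show firewall policy` output (a constructed sample is embedded, not captured from a real device) and flags accept policies that deviate from the template above, i.e. that lack `logtraffic all`, `utm-status enable` or an IPS sensor, or that allow any source to any destination on any service.

```python
import re
# Constructed sample of "show firewall policy" output, not captured from a real device.
SAMPLE = """config firewall policy
    edit 1
        set srcaddr "all"
        set dstaddr "DMZ_web"
        set action accept
        set service "HTTPS"
        set utm-status enable
        set logtraffic all
        set ips-sensor "default"
    next
    edit 2
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set logtraffic disable
    next
end
"""
SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*)$')

def parse_policies(text):
    """Parse the edit/set/next structure into {policy_id: {key: [values]}}."""
    policies, cur_id, cur = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("edit "):
            cur_id, cur = s.split(None, 1)[1], {}
        elif s == "next" and cur is not None:
            policies[cur_id], cur = cur, None
        elif cur is not None and (m := SET_RE.match(s)):
            # quoted object names without embedded spaces are assumed
            cur[m.group(1)] = m.group(2).replace('"', "").split()
    return policies

def lint_policy(pol):
    """Findings for one policy, checked against the template's utm-status, logtraffic and ips-sensor lines."""
    if pol.get("action") != ["accept"]:
        return []  # deny policies are not judged here
    findings = []
    if pol.get("srcaddr") == ["all"] and pol.get("dstaddr") == ["all"] and pol.get("service") == ["ALL"]:
        findings.append("any/any/ALL accept policy")
    if pol.get("logtraffic") != ["all"]:
        findings.append("logtraffic is not 'all'")
    if pol.get("utm-status") != ["enable"]:
        findings.append("utm-status not enabled")
    elif "ips-sensor" not in pol:
        findings.append("utm enabled but no ips-sensor")
    return findings
```

Run `lint_policy(p)` over `parse_policies(SAMPLE).values()`: policy 1 matches the template and returns no findings, policy 2 returns three.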
Routing
See all routes (whatever routing protocol is used)
# get router info routing-table all
NB: you can replace "all" with "bgp" or "static" or "ospf" to list only those routes.
See all BGP neighbors
# get router info bgp neighbors
or
# get router info bgp summary
See advertised routes from a neighbor
# get router info bgp neighbors <neighbor_IP> advertised-routes
See received routes from a neighbor
# get router info bgp neighbors <neighbor_IP> received-routes
Enable soft reconfiguration
# config router bgp
# config neighbor
# edit "<neighbor_IP>"
# set soft-reconfiguration enable
# next
# end
# end
Disable network-import-check
See this article for information on the use case.
# config router bgp
# set network-import-check disable
# end
NB: this is not a best practice; prefer to announce networks (and network ranges) that match existing routes on the device.