FORTIGATE - Useful CLI commands
De PedroWiki
Révision datée du 25 août 2023 à 11:19 par Jules (discussion | contributions) (→IPsec tunnel establishment diagnostic)
Sommaire
Introduction
This article will gather some useful CLI commands for Fortigate firewalls configuration and diagnostic.
Useful Resources
Toolbox
Filter
Any command result can be filtered like in a linux shell, using pipe and grep:
# <command> | grep <pattern>
Show a configuration when configuring
# config <menu> <submenu> <submenu># show
To see even default options:
# show fu
(for full-configuration)
List device interfaces
# show system interface
Debug
Or this one from Fortinet Community.
# diag vpn tunnel list name <name_of_tunnel>
IPsec tunnel establishment diagnostic
Phase1
# diag debug application ike -1 # diag vpn ike log-filter name <name_of_a_IPSec_tunnel>
or
# diag diagnose vpn ike log-filter dst-addr4 <remote_IP> # diagnose debug app ike 255
and then
# diag debug enable
Indentify tunnel and filter list
# get vpn ipsec tunnel summary
# diag vpn ike log-filter list
Debug disable
# diag debug disable
Firewalling
Addresses management
# config firewall address # edit "<name_of_object>" # set subnet <ip> <netmask> # next # end
Address groups management
# config firewall addrgrp # edit "<group_name>" # set member "<address_object_1>" ... "<address_object_n>" # set comment "<your_comment>" # next # end
Custom service management
# config firewall service custom # edit "<name_of_custom_service>" # set comment "<your_comment>" # set tcp-portrange <portStart>[-<portEnd>] # next # end
Service group management
# config firewall service group # edit "<service_group_name>" # set member "<member1>" ... "<membern>" # set comment "<your_comment>" # next # end
Policy management
# show firewall policy
# config firewall policy # edit 0 # set srcintf "<name_of_source_itf>" # set dstintf "<name_of_dest_itf>" # set srcaddr "all"|"<address_or_group>" # set dstaddr "<address_or_group>" # set action accept # set schedule "always" # set service "<service_or_servicegroup>" # set utm-status enable # set logtraffic all # set ips-sensor "<ips_configuration_profile>" # set ssl-ssh-profile "<inspection_configuration_profile>" # set nat enable|disable # next # end
Routing
See all routes (whatever the protocol being used)
# get router info routing-table all
NB: you can replace "all" with "bgp" or "static" or "ospf" to list only those routes.
See all BGP neighbors
# get router info bgp neighbors
or
# get router info bgp summary
See advertised routes from a neighbor
# get router info bgp neighbors <neighbor_IP> advertised-routes
See received routes from a neighbor
# get router info bgp neighbors <neighbor_IP> received-routes
Enable soft reconfiguration
# config router bgp # edit "<neighbor_IP>" # set soft-reconfiguration enable # next # end
Disable network-import-check
See this article for information on the use case.
# config router bgp # set network-import-check disable
NB: this is not a best practice, prefer to announce some network (and network ranges) according to existing routes on the device.
Internet Services
Links
- Fortinet Docs Policy with Internet Service.
- Protocol numbers.
- Community article on how to search ISDB using IP.
- Community article on ISDB.
Identify an Internet Service ID
# diagnose internet-service id | grep <name_of_service>
List IPs and ports allowed by an Internet Service
# diagnose internet-service id <ID>
Check in which Internet Service an IP address or subnet is involved
# diagnose internet-service match root <ip> <netmask>
Check if flow for some protocols are opened to some destination IPs
# diagnose internet-service info root <proto> <port> <IP>
Proto:
- 17: UDP
- 6: TCP
Result if found:
Internet Service: <ID and name of the service>
Result if not found:
Can not find Internet Service ID and name. ret=-1