FORTIGATE - Useful CLI commands : Différence entre versions
De PedroWiki
| Ligne 33 : | Ligne 33 : | ||
# diag debug disable | # diag debug disable | ||
| + | |||
| + | == Firewalling == | ||
| + | |||
| + | === Addresses management === | ||
| + | |||
| + | # config firewall address | ||
| + | # edit "<name_of_object>" | ||
| + | # set subnet <ip> <netmask> | ||
| + | # next | ||
| + | # end | ||
| + | |||
| + | === Address groups management === | ||
| + | |||
| + | # config firewall addrgrp | ||
| + | # edit "<group_name>" | ||
| + | # set member "<address_object_1>" ... "<address_object_n>" | ||
| + | # set comment "<your_comment>" | ||
| + | # next | ||
| + | # end | ||
| + | |||
| + | === Custom service management === | ||
| + | |||
| + | # config firewall service custom | ||
| + | # edit "<name_of_custom_service>" | ||
| + | # set comment "<your_comment>" | ||
| + | # set tcp-portrange <portStart>[-<portEnd>] | ||
| + | # next | ||
| + | # end | ||
| + | |||
| + | === Service group management === | ||
| + | |||
| + | # config firewall service group | ||
| + | # edit "<service_group_name>" | ||
| + | # set member "<member1>" ... "<membern>" | ||
| + | # set comment "<your_comment>" | ||
| + | # next | ||
| + | # end | ||
| + | |||
| + | === Policy management === | ||
| + | |||
| + | # config firewall policy | ||
| + | # edit 0 | ||
| + | # set srcintf "<name_of_source_itf>" | ||
| + | # set dstintf "<name_of_dest_itf>" | ||
| + | # set srcaddr "all"|"<address_or_group>" | ||
| + | # set dstaddr "<address_or_group>" | ||
| + | # set action accept | ||
| + | # set schedule "always" | ||
| + | # set service "<service_or_servicegroup>" | ||
| + | # set utm-status enable | ||
| + | # set logtraffic all | ||
| + | # set ips-sensor "<ips_configuration_profile>" | ||
| + | # set ssl-ssh-profile "<inspection_configuration_profile>" | ||
| + | # set nat enable|disable | ||
| + | # next | ||
| + | # end | ||
== Routing == | == Routing == | ||
Version du 6 octobre 2022 à 10:20
Sommaire
Introduction
This article will gather some useful CLI commands for Fortigate firewalls configuration and diagnostic.
Toolbox
Filter
Any command result can be filtered like in a linux shell, using pipe and grep:
# <command> | grep <pattern>
Show a configuration when configuring
# config <menu> <submenu> <submenu># show
List device interfaces
# show system interface
IPsec tunnel establishment diagnostic
# diag debug application ike -1 # diag debug enable # diag vpn ike log-filter name <name_of_a_IPSec_tunnel>
Indentify tunnel and filter list
# diag vpn ike log-filter list
Debug disable
# diag debug disable
Firewalling
Addresses management
# config firewall address # edit "<name_of_object>" # set subnet <ip> <netmask> # next # end
Address groups management
# config firewall addrgrp # edit "<group_name>" # set member "<address_object_1>" ... "<address_object_n>" # set comment "<your_comment>" # next # end
Custom service management
# config firewall service custom # edit "<name_of_custom_service>" # set comment "<your_comment>" # set tcp-portrange <portStart>[-<portEnd>] # next # end
Service group management
# config firewall service group # edit "<service_group_name>" # set member "<member1>" ... "<membern>" # set comment "<your_comment>" # next # end
Policy management
# config firewall policy # edit 0 # set srcintf "<name_of_source_itf>" # set dstintf "<name_of_dest_itf>" # set srcaddr "all"|"<address_or_group>" # set dstaddr "<address_or_group>" # set action accept # set schedule "always" # set service "<service_or_servicegroup>" # set utm-status enable # set logtraffic all # set ips-sensor "<ips_configuration_profile>" # set ssl-ssh-profile "<inspection_configuration_profile>" # set nat enable|disable # next # end
Routing
See all routes (whatever the protocol being used)
# get router info routing-table all
NB: you can replace "all" with "bgp" or "static" or "ospf" to list only those routes.
See all BGP neighbors
# get router info bgp neighbors
or
# get router info bgp summary
See advertised routes from a neighbor
# get router info bgp neighbors <neighbor_IP> advertised-routes
See received routes from a neighbor
# get router info bgp neighbors <neighbor_IP> received-routes
Enable soft reconfiguration
# config router bgp # edit "<neighbor_IP>" # set soft-reconfiguration enable # next # end
Disable network-import-check
See this article for information on the use case.
# config router bgp # set network-import-check disable
NB: this is not a best practice, prefer to announce some network (and network ranges) according to existing routes on the device.
