CLI Love
Full Configuration
show full-configuration (includes default values; plain show prints only non-default settings)
q quits the pager
Just like Linux, you can grep through the configuration:
show full-configuration | grep interface
show full-configuration | grep ssl
Session clearing
diagnose sys session filter clear clears any previously set filter.
Set a filter, e.g. diagnose sys session filter dst 1.2.3.4
diagnose sys session clear clears the sessions matched by the filter. With no filter set it clears every session on the unit, so always set and check the filter first.
diagnose sys session filter (no arguments shows the current filter; ? lists the selectable fields)
session filter:
vd: any
sintf: any
dintf: any
proto: any
proto-state: any
source ip: any
NAT'd source ip: any
dest ip: any
source port: any
NAT'd source port: any
dest port: any
policy id: any
expire: any
duration: any
state1: any
state2: any
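A complete, safe session-clear sequence, as an added example (not from the original page): it targets sessions to one host and port, shows the filter and the matching sessions before clearing, and resets the filter afterwards so a later clear cannot wipe the whole table. The address 10.10.10.50 and port 443 are assumed values.

```fortios
# Start from a clean filter so nothing from an earlier session lingers
diagnose sys session filter clear
# Only sessions to 10.10.10.50 on TCP/443 (assumed example values)
diagnose sys session filter dst 10.10.10.50
diagnose sys session filter dport 443
diagnose sys session filter proto 6
# Show the active filter and the sessions it matches before touching anything
diagnose sys session filter
diagnose sys session list
# Clear only the filtered sessions (with an empty filter this would clear every session)
diagnose sys session clear
# Confirm they are gone, then drop the filter again
diagnose sys session list
diagnose sys session filter clear
```

The last filter clear matters: a filter persists for the CLI session, and a later unfiltered-looking clear would otherwise still act on whatever was left in it.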
Ingress and Egress same logical interface.
Description
This article describes the default FortiGate behavior for a packet that ingresses and egresses the same logical interface.
Solution
By design and by default, if the routing decision determines that a packet which ingressed on port1 should also egress on port1 (with no VLAN tag change, no DNAT and no IPsec encapsulation/decapsulation), the packet is sent back out port1 without being checked against the firewall policy.
This simplifies configuration by avoiding an otherwise unnecessary policy from source interface port1 to destination interface port1.
This behavior is enabled by default, but it can be changed under the system global settings. With it disabled, such traffic is dropped unless a port1-to-port1 firewall policy allows it.
# config system global
    set allow-traffic-redirect enable    <----- enable is the default; disable forces a policy check
end
BGP
get router info bgp summary (a number in State/PfxRcd means the session is established; Active, Connect or Idle means it is not)
MNK_FW # get router info bgp summary
BGP router identifier 1.0.1.202, local AS number 64551
BGP table version is 1
0 BGP AS-PATH entries
0 BGP community entries
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.242.252.242 4 65101 0 0 0 0 0 never Active
10.242.252.252 4 64561 7 6 0 0 0 00:03:30 0
get router info bgp neighbors <neighbor IP> advertised-routes # what we send to the peer
get router info bgp neighbors <neighbor IP> received-routes # everything the peer sent, before the inbound route-map (needs soft-reconfiguration on the neighbor)
get router info bgp neighbors <neighbor IP> routes # what was accepted after inbound policy
ref: https://kb.fortinet.com/kb/documentLink.do?externalID=FD46630
config router bgp
    config neighbor
        edit 10.242.252.252
            set soft-reconfiguration enable
        next
    end
end
-----
configure BGP route-maps and neighbors
https://docs.fortinet.com/document/fortigate/6.4.4/administration-guide/89370/applying-bgp-route-map-to-multiple-bgp-neighbors
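Added example (not from the page or the linked document): an inbound route-map on the neighbor from the summary output above, with soft-reconfiguration enabled so that received-routes (pre-policy) can be compared against routes (post-policy). The prefix-list name, route-map name and accepted prefix range are assumed; AS numbers and addresses are the ones shown on this page.

```fortios
# Accept only 10.0.0.0/8 subnets between /16 and /24 from the peer (assumed range)
config router prefix-list
    edit "pl-from-peer"
        config rule
            edit 1
                set action permit
                set prefix 10.0.0.0 255.0.0.0
                set ge 16
                set le 24
            next
        end
    next
end
# Route-map that matches the prefix-list; anything not matched is denied by the implicit deny
config router route-map
    edit "rm-from-peer-in"
        config rule
            edit 1
                set action permit
                set match-ip-address "pl-from-peer"
            next
        end
    next
end
# Apply it inbound on the neighbor; soft-reconfiguration keeps the unfiltered copy
config router bgp
    set as 64551
    set router-id 1.0.1.202
    config neighbor
        edit "10.242.252.252"
            set remote-as 64561
            set soft-reconfiguration enable
            set route-map-in "rm-from-peer-in"
        next
    end
end
```

Verify with get router info bgp neighbors 10.242.252.252 received-routes (everything the peer sent) against get router info bgp neighbors 10.242.252.252 routes (what survived the route-map); any prefix present in the first and absent from the second was dropped by the policy.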
System Status
get system status
get system ha status
Tshoot IPS
diag autoupdate versions | grep "IPS Attack" -A 6 # check IPS engine and attack DB versions
diag ips pme debug enable
diag de en # diagnose debug enable
diag de dis # diagnose debug disable
diagnose test application ipsmonitor 99 # restart the IPS engine processes
ref: https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-manually-upgrade-the-IPS-Engine/ta-p/190029
Firewall Policy
show firewall policy
config firewall policy
edit 0 # edit 0 creates a new policy with the next available policy ID
get # lists every setting on the policy, including ones the GUI does not show
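An added example (not from the original page) that uses edit 0 to create a new policy and at the same time shows what the allow-traffic-redirect setting from the section above changes: with the redirect disabled, hairpin traffic that enters and leaves port1 is only forwarded if a port1-to-port1 policy exists, so it now shows up in policy logs instead of bypassing inspection. The policy name and interface names are assumed.

```fortios
# Stop hairpinned traffic from bypassing the policy check
config system global
    set allow-traffic-redirect disable
end
# edit 0 allocates the next free policy ID; the policy explicitly allows and logs port1 -> port1
config firewall policy
    edit 0
        set name "port1-hairpin-logged"
        set srcintf "port1"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

After the end, show firewall policy prints the ID that edit 0 assigned; get inside the policy lists the remaining settings (UTM profiles, NAT, comments) that can be tightened beyond what is shown here.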
Routing
get router info routing-table details
get router info routing-table details 1.1.1.1
get router info routing-table all
Diagnose
VPN Tshoot
List VPN
diagnose vpn tunnel list
diagnose vpn tunnel list name vpn1
show vpn ipsec phase2-interface dc-vpn
Shut VPN down
execute vpn ipsec tunnel down <phase2> <phase1> <serial>: shut down the specified IPsec tunnel.
{phase2} Phase2 name.
{phase1} Phase1 name.
{serial} Phase2 serial number.
Phase 1
Set the filter first, then turn on the IKE debug, otherwise every tunnel on the box logs:
diagnose vpn ike log-filter name FP_VPN
diagnose vpn ike log-filter dst-addr4 10.116.250.133 (VPN endpoint IP; an alternative to filtering by name)
diagnose debug app ike 255 (-1 works as well)
diagnose debug enable
when done:
diagnose debug disable
diagnose debug reset
Note: FortiOS 7.x renames log-filter to "log filter" (with a space) and dst-addr4 to rem-addr4.
If Phase 1 is in the established state, focus on Phase 2. To do so, issue the command:
# diagnose vpn tunnel list name <tunnel-name>
list all ipsec tunnel in vd 0
name=to10.189.0.182 ver=1 serial=2 10.189.0.31:0->10.189.0.182:0
bound_if=10 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=10 ilast=25 olast=25 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=534
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to10.189.0.182 proto=0 sa=0 ref=1 serial=4
src: 0:172.16.170.0/255.255.255.0:0
dst: 0:192.168.50.0/255.255.255.0:0
The important field in this output is 'sa'. It can have three values:
a) sa=0 indicates there is mismatch between selectors or no traffic is being initiated
b) sa=1 indicates IPsec SA is matching and there is traffic between the selectors
c) sa=2 is only visible during IPsec SA rekey
# diagnose vpn ike gateway list (or diagnose vpn ike gateway list name <tunnel-name>)
# diagnose debug console timestamp enable
# diagnose debug application ike -1
# diagnose debug enable
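The whole Phase 1 / Phase 2 sequence in one run, as an added example (not from the original page): scoped to the tunnel from the output above (to10.189.0.182, peer 10.189.0.182), it first confirms whether IKE packets even leave and return, then forces a fresh negotiation and reads the sa field afterwards. The ping source and destination (172.16.170.1 and 192.168.50.1, inside the selectors shown above) are assumed addresses. The log-filter form is FortiOS 6.x; 7.x uses diagnose vpn ike log filter and rem-addr4.

```fortios
# 1. In a second SSH session: confirm IKE packets leave and come back
#    (100 packets, interface names, local timestamps)
diagnose sniffer packet any "host 10.189.0.182 and (udp port 500 or udp port 4500)" 4 100 l
# 2. Scope the IKE debug to this peer only, then turn debugging on
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 10.189.0.182
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable
# 3. Force a clean negotiation: flush existing SAs, then send interesting traffic
#    (source/destination are assumed hosts inside the tunnel selectors)
diagnose vpn tunnel flush to10.189.0.182
execute ping-options source 172.16.170.1
execute ping 192.168.50.1
# 4. Read the result: gateway list = Phase 1, the sa= field in tunnel list = Phase 2
diagnose vpn ike gateway list name to10.189.0.182
diagnose vpn tunnel list name to10.189.0.182
# 5. Always stop and reset debugging when done
diagnose debug disable
diagnose debug reset
diagnose vpn ike log-filter clear
```

If step 1 shows packets leaving on port 500/4500 but nothing returning, the problem is upstream (routing, NAT or the peer) rather than a proposal mismatch; if step 4 still shows sa=0 after the ping, compare the src/dst selectors with the peer's configuration.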
TCPdump / Sniffer
diag sniffer packet <interface> <'filter'> <verbose> <count> <a|l>
<interface> can be an interface name or "any" for all interfaces
<'filter'> is a tcpdump/BPF-style filter (host, net, port, proto, combined with and/or/not); omit it or use "" to capture everything
<verbose> is the verbosity level:
1: print header of packets
2: print header and data from IP of packets
3: print header and data from Ethernet of packets
4: print header of packets with interface name
5: print header and data from IP of packets with interface name
6: print header and data from Ethernet of packets with interface name
<count> the number of packets the sniffer reads before stopping; 0 runs until Ctrl-C
a - timestamps the packets with the absolute UTC time
l - (small letter L) timestamps the packets with LOCAL time on the unit
(blank/no letter) - relative to the beginning of the capture
Note: for parallel captures on multiple interfaces/SSH sessions on a FortiGate, use "a" or "l", do not leave blank
example
diag sniffer packet wan1 'src host 10.109.16.137 and dst host 172.26.48.21' 1 3
Flush phase 1
diagnose vpn tunnel flush my-phase1-name
TCPdump examples
diagnose sniffer packet <interface> "<filter>"
examples
diagnose sniffer packet any
diagnose sniffer packet any "src 10.1.1.1" 4 0 a (source only, so one direction; count 0 runs until Ctrl-C)
diagnose sniffer packet any "host 10.1.1.1" 4 0 a (both directions)
diagnose sniffer packet any "port 53" 4 0 a (by port, e.g. DNS)
diagnose sniffer packet any "host 10.1.1.1 and port 80" 6 0 a
diagnose sniffer packet any "host 10.1.1.1 and not port 80" 6 0 a