CLI Love

Full Configuration

show full-configuration

q to quit out

Just like Linux, you can grep through the configuration

show full-configuration | grep interface

show full-configuration | grep ssl


Ingress and Egress same logical interface.

Description

This article describes the default FortiGate behavior when a packet must ingress and egress the same logical interface.

Solution

By design and by default, if the routing decision determines that a packet which ingressed on port1 should also egress on port1 (with no VLAN tag change, no DNAT and no IPsec encapsulation/decapsulation), the packet is sent straight back out port1 and is not checked against the firewall policy.

This simplifies configuration by avoiding an otherwise unnecessary policy from source interface port1 to destination interface port1. The flip side is that hairpinned traffic is not inspected: if you need policy enforcement (logging, UTM profiles) on traffic that turns around on the same interface, disable the redirect and add an explicit port1-to-port1 policy, otherwise that traffic is dropped.

The behavior is enabled by default and can be changed under system global settings:

config system global
    set allow-traffic-redirect {enable | disable}    # enable is the default
end



BGP

get router info bgp summary

MNK_FW # get router info bgp summary

BGP router identifier 1.0.1.202, local AS number 64551

BGP table version is 1

0 BGP AS-PATH entries

0 BGP community entries

Neighbor        V   AS    MsgRcvd MsgSent TblVer InQ OutQ Up/Down  State/PfxRcd
10.242.252.242  4   65101 0       0       0      0   0    never    Active
10.242.252.252  4   64561 7       6       0      0   0    00:03:30 0

The last column is a prefix count when the session is Established; a state name (Idle, Connect, Active, OpenSent, OpenConfirm) means it is not. Above, 10.242.252.242 has never come up (Active = still trying to connect, MsgRcvd 0), while 10.242.252.252 is Established but has received 0 prefixes.

get router info bgp neighbors <neighbor IP> advertised-routes

get router info bgp neighbors <neighbor IP> received-routes

get router info bgp neighbors <neighbor IP> routes
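An added example (not from the original notes or from Fortinet) that turns the summary above into something a monitoring check can act on: it parses the neighbor table from `get router info bgp summary`, distinguishes an Established session (numeric last column) from one stuck in a state name, and flags sessions that are down or up with zero prefixes. The sample text is constructed to match the layout shown above; it assumes the 10-column IPv4 table format and skips IPv6 neighbors.

```python
"""Parse 'get router info bgp summary' and flag neighbors that need attention.

Added example, not part of the original notes or of FortiOS. SAMPLE is a
constructed copy of the table format shown above.
"""
import re

# Constructed sample: one neighbor stuck in Active, one Established with 0 prefixes
SAMPLE = """\
BGP router identifier 1.0.1.202, local AS number 64551
BGP table version is 1
0 BGP AS-PATH entries
0 BGP community entries

Neighbor        V   AS    MsgRcvd MsgSent TblVer InQ OutQ Up/Down  State/PfxRcd
10.242.252.242  4   65101 0       0       0      0   0    never    Active
10.242.252.252  4   64561 7       6       0      0   0    00:03:30 0
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_bgp_summary(text):
    """Return {neighbor_ip: fields} for every IPv4 neighbor row in the summary.

    The State/PfxRcd column is a prefix count when the session is Established
    and a state name (Idle/Connect/Active/OpenSent/OpenConfirm) otherwise.
    Assumption: the 10-column layout shown in the notes; IPv6 rows are skipped.
    """
    neighbors = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 10 or not IPV4.match(cols[0]):
            continue  # banner lines, header line, blank lines
        ip, _ver, asn, rcvd, sent, _tblver, _inq, _outq, updown, state = cols[:10]
        established = state.isdigit()
        neighbors[ip] = {
            "remote_as": int(asn),
            "msg_rcvd": int(rcvd),
            "msg_sent": int(sent),
            "up_down": updown,
            "established": established,
            "state": "Established" if established else state,
            "prefixes_received": int(state) if established else None,
        }
    return neighbors


def unhealthy_neighbors(neighbors):
    """List (ip, reason) for sessions that are down, or up but carrying no prefixes."""
    bad = []
    for ip, n in sorted(neighbors.items()):
        if not n["established"]:
            bad.append((ip, f"session {n['state']} (up/down {n['up_down']}, "
                           f"{n['msg_rcvd']} msgs received)"))
        elif n["prefixes_received"] == 0:
            bad.append((ip, "established but 0 prefixes received"))
    return bad


if __name__ == "__main__":
    for ip, reason in unhealthy_neighbors(parse_bgp_summary(SAMPLE)):
        print(f"{ip}: {reason}")
```

Feed it the raw output of the command (for example captured over SSH) instead of SAMPLE; a neighbor reported as Active with MsgRcvd 0 and Up/Down never is the classic "peer is not answering" signature, which is what the first finding shows.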


ref: https://kb.fortinet.com/kb/documentLink.do?externalID=FD46630


Soft reconfiguration keeps an unmodified copy of what the neighbor sent, so received-routes works and policy changes can be applied without tearing the session down:

config router bgp
    config neighbor
        edit 10.242.252.252
            set soft-reconfiguration enable
        next
    end
end


-----

configure BGP route-maps and neighbors

https://docs.fortinet.com/document/fortigate/6.4.4/administration-guide/89370/applying-bgp-route-map-to-multiple-bgp-neighbors



System Status

get system status

get system ha status


Tshoot IPS


diag autoupdate versions | grep "IPS Attack" -A 6 # check IPS version

diag ips pme debug enable

diag de en # enable

diag de dis # disable

diagnose test application ipsmonitor 99 # restart IPS


ref: https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-manually-upgrade-the-IPS-Engine/ta-p/190029



Firewall Policy

show firewall policy

config firewall policy

edit 0 # edit 0 uses the next available rule number

get # shows every setting available on a policy, more than the GUI exposes



Routing

get router info routing-table details

get router info routing-table details 1.1.1.1

get router info routing-table all


Diagnose


VPN Tshoot


List VPN

diagnose vpn tunnel list

diagnose vpn tunnel list name vpn1


show vpn ipsec phase2-interface dc-vpn


Shut VPN down

execute vpn ipsec tunnel down <phase2> <phase1> <serial>    # shut down the specified IPsec tunnel

{phase2} Phase2 name.
{phase1} Phase1 name.
{serial} Phase2 serial number.


Phase 1

Set the filter before enabling debug, otherwise every IKE exchange on the box lands in your session:

diagnose vpn ike log-filter name FP_VPN    # filter by phase1 name (newer FortiOS: diagnose vpn ike log filter ...)

diagnose vpn ike log-filter dst-addr4 10.116.250.133    # or filter by the VPN endpoint IP

diagnose debug app ike 255

diagnose debug enable

diagnose debug disable

diagnose vpn ike log-filter clear    # clear the filter when done

diagnose debug reset



If Phase 1 is in the established state, focus on Phase 2. To do so, issue the command:

#diagnose vpn tunnel list name <tunnel-name>

list all ipsec tunnel in vd 0

name=to10.189.0.182 ver=1 serial=2 10.189.0.31:0->10.189.0.182:0

bound_if=10 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu

proxyid_num=1 child_num=0 refcnt=10 ilast=25 olast=25 ad=/0

stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=534

natt: mode=none draft=0 interval=0 remote_port=0

proxyid=to10.189.0.182 proto=0 sa=0 ref=1 serial=4

src: 0:172.16.170.0/255.255.255.0:0

dst: 0:192.168.50.0/255.255.255.0:0

The important field in this output is sa, which can have three values:

a) sa=0: no IPsec SA, either because the selectors (src/dst above) do not match the peer's, or because no traffic has yet triggered negotiation

b) sa=1: the IPsec SA is up, selectors match and traffic is flowing between them

c) sa=2: only seen during IPsec SA rekey
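An added example (not from the original notes or from Fortinet) that reads the `diagnose vpn tunnel list` output above and reports, per phase2 selector, what its sa value means. It also pairs sa=0 with the txp counter from the stat line: if nothing has been transmitted, the tunnel has simply not been asked to come up, which is a different problem from a selector mismatch. The sample is constructed from the output format shown above and assumes IPv4 selectors in the proto:net/mask:port form.

```python
"""Parse 'diagnose vpn tunnel list' and explain the sa field of each proxyid.

Added example, not part of the original notes or of FortiOS. SAMPLE is a
constructed copy of the output format shown above (one phase1, one proxyid).
"""
import re

SAMPLE = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=to10.189.0.182 ver=1 serial=2 10.189.0.31:0->10.189.0.182:0
bound_if=10 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=10 ilast=25 olast=25 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=534
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to10.189.0.182 proto=0 sa=0 ref=1 serial=4
  src: 0:172.16.170.0/255.255.255.0:0
  dst: 0:192.168.50.0/255.255.255.0:0
"""

# Meanings of the sa field as described in the notes above
SA_MEANING = {
    0: "no IPsec SA (selector mismatch, or no traffic has triggered negotiation)",
    1: "IPsec SA up, selectors match and traffic is flowing",
    2: "IPsec SA rekey in progress",
}

KV = re.compile(r"(\w+)=(\S+)")


def parse_tunnel_list(text):
    """Return a list of tunnels: name, gateways, stat counters and proxyids with sa."""
    tunnels, current, proxy = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("name="):
            kv = dict(KV.findall(line))
            local, remote = line.split()[-1].split("->")  # "lgw:port->rgw:port"
            current = {"name": kv["name"], "serial": int(kv["serial"]),
                       "local_gw": local.rsplit(":", 1)[0],
                       "remote_gw": remote.rsplit(":", 1)[0],
                       "stats": {}, "proxyids": []}
            tunnels.append(current)
            proxy = None
        elif current is None:
            continue  # banner/separator lines before the first tunnel
        elif line.startswith("stat:"):
            current["stats"] = {k: int(v) for k, v in KV.findall(line)}
        elif line.startswith("proxyid="):
            kv = dict(KV.findall(line))
            proxy = {"proxyid": kv["proxyid"], "sa": int(kv["sa"]), "src": [], "dst": []}
            current["proxyids"].append(proxy)
        elif proxy is not None and line.startswith(("src:", "dst:")):
            side, sel = line.split(":", 1)
            # selector is proto:net/mask:port (IPv4 assumed); keep the net/mask
            proxy[side].append(sel.strip().split(":")[1])
    return tunnels


def diagnose(tunnels):
    """One finding per proxyid, with a hint when sa=0 and nothing was ever sent."""
    findings = []
    for t in tunnels:
        for p in t["proxyids"]:
            meaning = SA_MEANING.get(p["sa"], f"unknown sa value {p['sa']}")
            hint = ""
            if p["sa"] == 0 and t["stats"].get("txp", 0) == 0:
                hint = " [txp=0: nothing has used this tunnel yet, send interesting traffic first]"
            findings.append(f"{t['name']}/{p['proxyid']} {p['src']}->{p['dst']}: "
                            f"sa={p['sa']} {meaning}{hint}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_tunnel_list(SAMPLE)):
        print(finding)
```

When a tunnel carries several proxyids, compare the src/dst printed for each against the peer's selectors; a single mismatched pair will show sa=0 while its siblings show sa=1, which is the mismatch case in (a) above.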




# diagnose vpn ike gateway list (or diagnose vpn ike gateway list name <tunnel-name>)

# diagnose debug console timestamp enable

# diagnose debug application ike -1

# diagnose debug enable


TCPdump / Sniffer


diag sniffer packet <interface> <'filter'> <verbose> <count> <timestamp>

<interface> can be an interface name or "any" for all interfaces

<'filter'> is a tcpdump-style filter in quotes (host, net, port, combined with and/or/not); see the examples below

<verbose> is the verbosity level:

1 - print header of packets
2 - print header and data from IP of packets
3 - print header and data from Ethernet of packets
4 - print header of packets with interface name
5 - print header and data from IP of packets with interface name
6 - print header and data from Ethernet of packets with interface name

Use 4 or 6 together with "any", otherwise you cannot tell which interface a packet was seen on.

<count> the number of packets the sniffer reads before stopping (0 = run until Ctrl+C)

<timestamp>

a – timestamps the packets with the absolute UTC time

l - (small letter L) timestamps the packets with LOCAL time on the unit

(blank/no letter) – relative to the beginning of the capture


Note: for parallel captures on multiple interfaces/SSH sessions on FortiGate, use "a" or "l" so the captures can be correlated; do not leave it blank

example

diag sniffer packet wan1 'src host 10.109.16.137 and dst host 172.26.48.21' 1 3



Flush phase 1

diagnose vpn tunnel flush my-phase1-name




TCPdump examples

diagnose sniffer packet <interface> "<filter>"

examples

diagnose sniffer packet any

diagnose sniffer packet any "src 10.1.1.1" 4 0 a (source only, so one direction)

diagnose sniffer packet any "host 10.1.1.1" 4 0 a (both directions)

diagnose sniffer packet any "port 53" 4 0 a (port e.g. DNS)

diagnose sniffer packet any "host 10.1.1.1 and port 80" 6 0 a

diagnose sniffer packet any "host 10.1.1.1 and not port 80" 6 0 a

