CLI Love

Full Configuration

show full-configuration

q to quit out

Just like on Linux, you can grep through the configuration:

show full-configuration | grep interface

show full-configuration | grep ssl


Ingress and Egress same logical interface.

Description

This article describes the default behavior of how FortiGate treats a packet that must ingress and egress the same logical interface.

Solution

By design and by default, if the routing decision determines that a packet which ingressed over port1 should also egress over port1 (with no VLAN tag change, no DNAT and no IPsec encapsulation/decapsulation), the packet is sent back out over port1 and is not checked against the firewall policy.

This simplifies the configuration by avoiding an otherwise unnecessary policy from source interface port1 to destination interface port1.

This behavior is enabled by default, but it can be changed under the system global settings.

# config system global

set allow-traffic-redirect enable*|disable <----- Default value.

end



BGP

get router info bgp summary

MNK_FW # get router info bgp summary

BGP router identifier 1.0.1.202, local AS number 64551

BGP table version is 1

0 BGP AS-PATH entries

0 BGP community entries

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd

10.242.252.242 4 65101 0 0 0 0 0 never Active

10.242.252.252 4 64561 7 6 0 0 0 00:03:30 0
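The State/PfxRcd column is the one to watch: it holds a number (prefixes received) only when the session is Established, and the BGP FSM state name (Idle, Active, Connect, OpenSent, OpenConfirm) otherwise. In the sample above, 10.242.252.242 is stuck in Active and has never come up, while 10.242.252.252 is Established with 0 prefixes. The script below is an added example, not from the original notes or from Fortinet: it parses pasted `get router info bgp summary` output and lists the neighbors that are not Established, which is handy when checking a dozen firewalls from a script. The sample text is constructed in the same shape as the output above; IPv4-only neighbor rows are assumed.

```python
"""Parse `get router info bgp summary` output from a FortiGate and flag
neighbors that are not in the Established state."""
import re

# Constructed sample in the shape of the page's own output (not a live capture).
SAMPLE = """MNK_FW # get router info bgp summary
BGP router identifier 1.0.1.202, local AS number 64551
BGP table version is 1
0 BGP AS-PATH entries
0 BGP community entries

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.242.252.242 4 65101 0 0 0 0 0 never Active
10.242.252.252 4 64561 7 6 0 0 0 00:03:30 0
"""

IPV4 = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def parse_bgp_summary(text):
    """Return one dict per neighbor row of the summary table.

    The last column is the received-prefix count when the session is
    Established and the FSM state name otherwise, so a numeric value
    means 'up' and anything else is the reason it is not.
    """
    neighbors = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Neighbor"):
            in_table = True          # header row: data rows follow
            continue
        if not in_table or not line.strip():
            continue
        fields = line.split()
        # Skip anything that is not a 10-column IPv4 neighbor row (assumption:
        # IPv6 peers and wrapped long lines are not handled here).
        if len(fields) < 10 or not IPV4.match(fields[0]):
            continue
        state_or_pfx = fields[9]
        established = state_or_pfx.isdigit()
        neighbors.append({
            "neighbor": fields[0],
            "remote_as": int(fields[2]),
            "up_down": fields[8],
            "established": established,
            "prefixes_received": int(state_or_pfx) if established else None,
            "state": "Established" if established else state_or_pfx,
        })
    return neighbors


def down_neighbors(text):
    """Neighbor IPs whose session is not Established."""
    return [n["neighbor"] for n in parse_bgp_summary(text) if not n["established"]]


if __name__ == "__main__":
    for n in parse_bgp_summary(SAMPLE):
        print(n)
    print("not established:", down_neighbors(SAMPLE))
```

Feed it the captured output of the command (for example from an SSH session) instead of SAMPLE; a peer that stays in Active usually means the TCP session to the neighbor never completes (wrong peer IP, AS number, or a policy/route problem toward the peer).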

get router info bgp neighbors <neighbor IP> advertised-routes

get router info bgp neighbors <neighbor IP> received-routes

get router info bgp neighbors <neighbor IP> routes


ref: https://kb.fortinet.com/kb/documentLink.do?externalID=FD46630


config router bgp

config neighbor

edit 10.242.252.252

set soft-reconfiguration enable # keeps a copy of the peer's unmodified routes so received-routes works without resetting the session

next

end

end


-----

configure BGP route-maps and neighbors

https://docs.fortinet.com/document/fortigate/6.4.4/administration-guide/89370/applying-bgp-route-map-to-multiple-bgp-neighbors



System Status

get system status

get system ha status


Firewall Policy

show firewall policy

config firewall policy

edit 0 # edit 0 uses the next available rule number

get # shows all settings you can set on a policy, more than you see in the GUI



Routing

get router info routing-table details

get router info routing-table details 1.1.1.1

get router info routing-table all


Diagnose


VPN Tshoot


Phase 1

diagnose debug enable

diagnose vpn ike log filter name FP_VPN

diagnose vpn ike log-filter dst-addr4 10.116.250.133 (vpn end point IP)

diagnose debug app ike 255

diagnose debug disable



If the status of Phase 1 is established, then focus on Phase 2. To do so, issue the command:

#diagnose vpn tunnel list name <tunnel-name>

list all ipsec tunnel in vd 0

name=to10.189.0.182 ver=1 serial=2 10.189.0.31:0->10.189.0.182:0

bound_if=10 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu

proxyid_num=1 child_num=0 refcnt=10 ilast=25 olast=25 ad=/0

stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=534

natt: mode=none draft=0 interval=0 remote_port=0

proxyid=to10.189.0.182 proto=0 sa=0 ref=1 serial=4

src: 0:172.16.170.0/255.255.255.0:0

dst: 0:192.168.50.0/255.255.255.0:0

The important field in this output is 'sa'. SA can have three values:

a) sa=0 indicates there is a mismatch between selectors or no traffic is being initiated

b) sa=1 indicates the IPsec SA is matching and there is traffic between the selectors

c) sa=2 is only visible during IPsec SA rekey
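When a FortiGate has many tunnels, reading the sa field per proxyid by eye gets tedious. The following is an added example (not from the original notes or from Fortinet) that parses pasted `diagnose vpn tunnel list` output, pulls out each tunnel's Phase 2 selectors and their sa value, and annotates it with the three meanings listed above. The sample text is constructed in the same shape as the output shown; the exact field layout of other FortiOS versions is an assumption.

```python
"""Summarise `diagnose vpn tunnel list` output: for each Phase 2 selector
(proxyid) report the sa value, its meaning and the src/dst selectors."""
import re

# Constructed sample in the shape of the page's own output (not a live capture).
SAMPLE = """list all ipsec tunnel in vd 0
name=to10.189.0.182 ver=1 serial=2 10.189.0.31:0->10.189.0.182:0
bound_if=10 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=10 ilast=25 olast=25 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=534
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to10.189.0.182 proto=0 sa=0 ref=1 serial=4
  src: 0:172.16.170.0/255.255.255.0:0
  dst: 0:192.168.50.0/255.255.255.0:0
"""

# Meanings as listed in the notes above.
SA_MEANING = {
    0: "no SA: selector mismatch or no interesting traffic yet",
    1: "SA up: selectors match and traffic is flowing",
    2: "SA rekey in progress",
}

KV = re.compile(r"(\S+?)=(\S+)")


def kv_pairs(line):
    """Turn 'a=1 b=x/y' style lines into a dict (values kept as strings)."""
    return dict(KV.findall(line))


def parse_tunnel_list(text):
    """Return a list of tunnels, each with its name and a list of proxyids."""
    tunnels = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("name="):
            # A new tunnel (Phase 1) block starts here.
            current = {"name": kv_pairs(line)["name"], "proxyids": []}
            tunnels.append(current)
        elif line.startswith("proxyid=") and current is not None:
            kv = kv_pairs(line)
            sa = int(kv["sa"])
            current["proxyids"].append({
                "proxyid": kv["proxyid"],
                "sa": sa,
                "meaning": SA_MEANING.get(sa, "unknown sa value"),
                "src": None,
                "dst": None,
            })
        elif line.startswith(("src:", "dst:")) and current and current["proxyids"]:
            # Selector lines look like 'src: 0:172.16.170.0/255.255.255.0:0';
            # keep only the network/mask part in the middle.
            side, _, selector = line.partition(":")
            current["proxyids"][-1][side] = selector.strip().split(":")[1]
    return tunnels


def selectors_without_sa(text):
    """(tunnel name, proxyid) pairs whose Phase 2 has no SA (sa=0)."""
    return [(t["name"], p["proxyid"])
            for t in parse_tunnel_list(text)
            for p in t["proxyids"] if p["sa"] == 0]


if __name__ == "__main__":
    for t in parse_tunnel_list(SAMPLE):
        for p in t["proxyids"]:
            print(f'{t["name"]}: {p["proxyid"]} {p["src"]} -> {p["dst"]} sa={p["sa"]} ({p["meaning"]})')
```

A tunnel reported with sa=0 is not necessarily broken: if no host has sent interesting traffic yet, Phase 2 simply has not been negotiated. Compare the src/dst selectors printed here with the peer's configuration before assuming a mismatch.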



Config

blah