I'd like to share some useful commands for the Fortinet FortiGate firewall CLI, collected for troubleshooting purposes.
Simple troubleshooting commands
    exec ping <destination>
    exec ping-options source <origin>
    exec ping6 <destination>
    exec traceroute <destination>
    exec telnet|ssh <destination>

List network interfaces (equivalent to Cisco 'show ip interface brief')
    diag ip address list

List the routing table (equivalent to Cisco 'show ip route')
    get router info routing-table all
    diag ip route list

Connect to a VDOM
    config vdom
        edit root
Basic network configuration (including a tagged VLAN sub-interface)
    config system interface
        edit port2
            set ip 163.7.131.4 255.255.255.248
        next
        edit vlan.15
            set interface "port5"
            set vlanid 15
            set ip 163.7.131.4 255.255.255.248
            set vdom root
        next
    end

Setting static routes and the default gateway
    config router static
        edit 1
            set dst 0.0.0.0/0.0.0.0
            set gateway 192.168.0.254
            set device vlan.15
        next
    end
Disable the 'more' prompt at page breaks
    config sys console
        set output standard
    end

Listing a firewall rule
    show firewall policy 6

Force a scheduled rule to tear down sessions when the schedule ends (instead of keeping active sessions)
    config firewall policy
        edit 2 (whichever is the scheduled policy)
            set schedule-timeout enable
        next
    end

Clear the configuration (load factory defaults) but keep the network interface configuration
    execute factoryreset2
Packet flow debug
    diag debug flow show function enable
    diag debug flow show console enable
    diag debug flow filter addr 10.31.101.22
    diag debug flow filter port 80
    diag debug enable
    diag debug flow trace start 100
  Run 'diag debug disable' when finished.
Sniffer (packet capture)
    diag sniffer packet any '!port 22' 4 10 <tsformat>
  Arguments, in order:
    interfaces=[any] (an interface name can be specified instead)
    filters=[!port 22] (none can be used as well)
    level=4 (print interface name and header)
    count=10 (packets to dump)
    tsformat=l (omitted: relative time; l: local time)
Limit the space allocated for WAN optimization to 20 GB
    config wanopt storage
        edit Internal
            set size 20000
        next
    end

Reduce the percentage of the Internal disk allocated to web caching to 80% (the space for byte caching then grows to 20%)
    config wanopt storage
        edit Internal
            set webcache-storage-percentage 80
        next
    end

Display diagnostic information for the web cache database daemon (wacs)
    diag wacs clear
    diag wacs recents
    diag wacs restart
    diag wacs stats
Specify the amount of disk reserved for logs
    config log disk setting
        set log-quota 10240
    end

Get disk logging stats
    diag sys logdisk usage

Show the ARP table
    diag ip arp list

Show the ARP table (transparent mode)
    diag netlink brctl list
    diag netlink brctl domain <bridge_name>
    diag netlink brctl name host <vdom.name>.b
Get dynamic routing info
    get router info bgp network
    get router info bgp summary
    get router info bgp neighbors
    get router info ospf status
    get router info ospf summary
To advertise non-local routes to BGP peers, the prefixes must also exist in the local routing table, so define them there as blackhole static routes:
    config router bgp
        config network
            edit 0
                set prefix 10.0.0.0/8
            next
        end
    end
    config router static
        edit 0
            set dst 10.0.0.0 255.0.0.0
            set blackhole enable
        next
    end
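As an added example (not from the original post), here is a small Python check for the requirement just described: it walks a FortiOS configuration dump, lists the prefixes under 'config router bgp / config network' that have no static route of exactly that prefix, and emits the blackhole stanza that would cover them. The configuration text, AS number, interface names and prefixes in SAMPLE_CONFIG are constructed for illustration; the parser assumes only the config/edit/set/next/end layout used throughout this page.

```python
import ipaddress

# Constructed sample: a fragment of a FortiOS config dump (assumption: the
# standard "config / edit / set / next / end" layout shown on this page).
SAMPLE_CONFIG = """\
config router bgp
    set as 65001
    config network
        edit 1
            set prefix 10.0.0.0 255.0.0.0
        next
        edit 2
            set prefix 192.168.100.0/24
        next
        edit 3
            set prefix 172.16.0.0/12
        next
    end
end
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.168.0.254
        set device vlan.15
    next
    edit 2
        set dst 10.0.0.0 255.0.0.0
        set blackhole enable
    next
    edit 3
        set dst 192.168.100.0 255.255.255.0
        set device port3
    next
end
"""


def parse_network(text):
    """Accept both FortiOS spellings: 'a.b.c.d/nn' and 'a.b.c.d m.m.m.m'."""
    parts = text.split()
    if len(parts) == 2:
        return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
    return ipaddress.ip_network(parts[0], strict=False)


def parse_fortios(config_text):
    """Walk config/edit/set/next/end blocks and pull out the two tables we need.

    Returns (bgp_networks, static_routes); static_routes is a list of dicts
    with keys id, dst (IPv4Network) and blackhole (bool)."""
    stack = []            # enclosing 'config' table names, innermost last
    entry = None          # settings of the 'edit' entry being read
    bgp_networks, statics = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            stack.append(line[7:])
        elif line.startswith("edit "):
            entry = {"id": line[5:].strip('"')}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
        elif line in ("next", "end"):
            if entry is not None:          # 'end' inside an entry also closes it
                path = tuple(stack)
                if path == ("router bgp", "network") and "prefix" in entry:
                    bgp_networks.append(parse_network(entry["prefix"]))
                elif path == ("router static",) and "dst" in entry:
                    statics.append({"id": entry["id"],
                                    "dst": parse_network(entry["dst"]),
                                    "blackhole": entry.get("blackhole") == "enable"})
                entry = None
            if line == "end" and stack:
                stack.pop()
    return bgp_networks, statics


def unrouted_bgp_networks(config_text):
    """Advertised prefixes with no static route of exactly that prefix.

    BGP only announces a 'network' entry when a route for exactly that prefix
    is in the routing table, so these entries would silently never be sent."""
    networks, statics = parse_fortios(config_text)
    covered = {r["dst"] for r in statics}
    return [str(n) for n in networks if n not in covered]


def blackhole_stanza(prefixes, first_id=100):
    """Emit the 'config router static' block that pins each prefix as a
    blackhole, in the dotted-netmask form FortiOS stores."""
    lines = ["config router static"]
    for i, p in enumerate(prefixes):
        net = ipaddress.ip_network(p, strict=False)
        lines += [f"    edit {first_id + i}",
                  f"        set dst {net.network_address} {net.netmask}",
                  "        set blackhole enable",
                  "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    gaps = unrouted_bgp_networks(SAMPLE_CONFIG)
    print("advertised but unrouted:", gaps)
    print(blackhole_stanza(gaps))
```

Run against the sample, 172.16.0.0/12 is reported as advertised but unrouted, and the generated stanza uses the dotted netmask 255.240.0.0. The check deliberately accepts any exact-match static route, not only blackholes, because a real next-hop route satisfies BGP's requirement just as well; the blackhole form is the fallback for prefixes the firewall does not otherwise route.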
Redistribute the default route (Cisco 'default-information originate' | 'neighbor x.x.x.x default-originate')
    config router ospf
        set default-information-originate enable
    end
    config router bgp
        config neighbor
            edit <neighbor-ip>
                set capability-default-originate enable
            next
        end
    end

Influence outbound routing preference
    config router route-map
        edit ISP1-pref
            config rule
                edit 10
                    set set-local-preference 50
                next
            end
        next
    end
    config router bgp
        config neighbor
            edit 200.0.0.1
                set route-map-out ISP1-pref
            next
        end
    end
  Then apply it to the session: exec router clear bgp ip 200.0.0.1 soft out
Display IPs blocked by anomaly detection
    diag ips anomaly list

IPS information and bypass mode
    diag test application ipsmonitor <number>
        1  - display engine information
        2  - enable/disable IPS engine
        5  - toggle bypass status
        99 - restart IPS engines/monitor

Test authentication
    diag test auth ldap <server> <username> <password>
    diag test auth radius <server> <chap|pap|mschap|mschap2> <username> <password>

Debug VPN
    diag vpn tunnel list
    diag debug application ike -1
    diag vpn ike log-filter clear
    diag vpn ike log-filter dst-addr4 10.0.0.1
    diag debug app ike 255
    diag debug enable
  Run 'diag debug disable' when finished.
Get system info
    get sys status
    get sys performance status

Get hardware status
    diag hardware deviceinfo disk

Get CPU info and kill (restart) a process
    diag sys top
    diag sys top-summary
    diag sys kill 11 <pid>

Get memory info and conserve mode state
    diag hardware sysinfo mem
    diag hardware sysinfo shm
        conserve mode values: 0 - none, 1 - proxy, 2 - system, 3 - both
    diag firewall iprope state
        Av_break=pass/pass - kernel conserve mode

Get network info and stats
    show sys interface
    diag hardware deviceinfo nic <port>
FGSP (session-sync) cluster
    config system ha
        set group-name "cluster1"
        set password abc123
        set hbdev "port4"
        set session-sync-dev "port5"
        set session-pickup enable
        set session-pickup-connectionless enable
        set session-pickup-expectation enable
        set session-pickup-nat enable
        set standalone-config-sync enable
    end

FGCP cluster
    config system ha
        set mode a-p
        set group-name "cluster1"
        set password abc123
        set hbdev "port4" 50
    end

Monitor cluster health and sync
    get sys ha status
    diag sys ha cluster-csum
    diag sys session sync
  If something above looks wrong, try:
    diag sys ha csum-recalculate
    exec ha synchronize start
Set session TTL (per service)
    config firewall service custom
        edit "SSH"
            set session-ttl 600
        next
    end
  or per policy:
    config firewall policy
        edit 10
            set session-ttl 300
        next
    end

Reduce the impact of installing a new policy on existing sessions
    config system settings
        set firewall-session-dirty check-new
    end

It's possible to load a new firmware image without writing it to flash (just to evaluate it): connect to the serial console, set up a TFTP server, boot the unit, interrupt the boot within 3 seconds, then fetch the new firmware but choose to run it instead of saving it.
Flow vs proxy
In addition to faster scanning, flow-based scanning can save considerable resources. Flow-based scans examine files as they pass through, while proxy-based scans require that files are cached as they come in and examined once complete. The catch is that if any proxy-based scan is active, files are cached. Flow-based scanning does not support web content filtering (string filters).

Add URLs to the web cache exempt list by going to WAN Opt. & Cache > Cache > URL Match List and selecting Create New. Add the URL pattern to be exempted and select Exempt from Cache. The CLI equivalent:
    config web-proxy url-match
        set cache-exemption enable
        set url-pattern www.example.com
    end
To configure the FortiGate unit to offload SSL encryption and cache HTTPS content:
1. Go to System > Certificates > Local Certificates and select Import to import the web server's certificate. For Type, select Local Certificate. Select the Browse button to locate the file Rev_Proxy_Cert_1.crt. The certificate key size must be 1024 or 2048 bits; 4096-bit keys are not supported.
2. From the CLI, enter the following command to add HTTPS web caching to the security policy. Assume the index number of the policy is 5.
    config firewall policy
        edit 5
            set webcache enable
            set webcache-https ssl-server
        next
    end
3. From the CLI, enter the following command to add the SSL server. The SSL server IP must match the destination address of the SSL traffic after translation by the virtual IP (172.10.20.30), and the SSL server port must match the destination port of the SSL traffic (443). The SSL server operates in half mode since it performs a single-step conversion (HTTPS to HTTP or HTTP to HTTPS).
    config wanopt ssl-server
        edit rev_proxy_server
            set ip 172.10.20.30
            set port 443
            set ssl-mode half
            set ssl-cert Rev_Proxy_Cert_1
        next
    end
Replace a device in FortiManager after failure of an active unit (remember to delete the unregistered device first)
    execute device replace sn <device_name> <serial>
    execute fgfm reclaim-dev-tunnel

Enable scheduled scripts in FortiManager
    config system admin setting
        set show_schedule_script enable
    end

Archive logs from FortiAnalyzer to an external server
    execute backup logs all ftp|sftp|scp <server> <username> <password>
  Then enable 'Delete log file older than' under System Settings > File Management.