Fortigate Basic CLI

 Fortinet’s operating system, FortiOS, is the foundation of the Fortinet Security Fabric, consolidating many technologies and use cases into a simplified, single policy and management framework.

Basic

1. To check all configuration.
# show full-configuration
# show full-configuration | grep XXXX
# show full-configuration | grep -f XXXX (Display tree view)

2. To check NTP status.
# execute time
# get system ntp
# diagnose sys ntp status

3. Save configuration & exit.
# end

4. Don't save configuration & exit.
# abort

5. How to delete a security policy (policy ID 1 in this example).
# config firewall policy
# delete 1
# end

6. How to delete a static route (route ID 1 in this example).
# config router static
# delete 1
# end

7. To check help.
# ?

8. To ping IP.
# execute ping 192.168.0.1

9. To traceroute IP.
# execute traceroute 192.168.1.1

10. To access using telnet.
# execute telnet 192.168.0.10
# execute telnet 192.168.0.1 22

11. To access using ssh.
# execute ssh user@192.168.0.10
# execute ssh user@192.168.0.10 23

12. To shutdown system.
# execute shutdown

Interface | CPU | Memory 

1. To check hardware information.
# get hardware status

2. To check version, BIOS, firmware, hostname, serial number, device name, HA status etc.
# get system status

3. To check CPU / memory / line usage.
# get system performance status

4. To check the NTP server.
# get system ntp

5. To check interface status (up or down).
# get system interface physical

# config system interface
(interface) # show
(interface) # end

6. To check the ARP table.
# get system arp

Security Policy

1. To check security policy.
# show firewall policy
# show firewall policy XXXX

# config firewall policy
(policy) # show

config firewall policy
  edit 123
    set name "test1"
    set srcintf "vlan11"
    set dstintf "port5"
    set srcaddr "xxxx" "xxxx" "xxx"
    set dstaddr "all"
    set action accept
    set schedule "always"
    set service "HTTP" "ICMP_ANY"
  next
end
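As an added example that is not part of the original post, the Python below parses a `show firewall policy` dump in the config/edit/set/next/end format shown above and flags accept policies that are any-to-any, use service ALL, bind to interface any, or explicitly disable logging. The dump it runs on is constructed (the policy IDs, names and address objects are invented), and the checks are a starting point for a policy review, not Fortinet's own guidance; `parse_policies`, `audit` and `audit_dump` are names chosen here.

```python
"""Audit a FortiGate `show firewall policy` dump for over-permissive rules."""
import re
import shlex
from dataclasses import dataclass, field

# Constructed sample in the shape `show firewall policy` prints; not captured
# from a real device. Policy 124 is deliberately wide open, 125 is a deny rule.
SAMPLE_DUMP = """\
config firewall policy
    edit 123
        set name "test1"
        set srcintf "vlan11"
        set dstintf "port5"
        set srcaddr "srv-a" "srv-b"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "ICMP_ANY"
    next
    edit 124
        set name "any-any"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
    edit 125
        set name "deny-guest"
        set srcintf "vlan20"
        set dstintf "port5"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
    next
end
"""


@dataclass
class Policy:
    policy_id: int
    settings: dict = field(default_factory=dict)  # key -> tuple of values

    def get(self, key):
        return self.settings.get(key, ())


_SET_RE = re.compile(r"^set\s+(\S+)\s+(.*)$")


def parse_policies(text):
    """Walk the edit/set/next structure and return one Policy per edit block."""
    policies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = Policy(int(line.split()[1]))
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
        elif current is not None:
            m = _SET_RE.match(line)
            if m:
                # shlex handles the quoted multi-value lists (e.g. set service "HTTP" "ICMP_ANY")
                current.settings[m.group(1)] = tuple(shlex.split(m.group(2)))
    return policies


def audit(policy):
    """Return the list of findings for one policy; deny rules are never flagged."""
    findings = []
    if policy.get("action") != ("accept",):
        return findings
    if policy.get("srcaddr") == ("all",) and policy.get("dstaddr") == ("all",):
        findings.append("any-to-any address")
    if policy.get("service") == ("ALL",):
        findings.append("service ALL")
    if "any" in policy.get("srcintf") or "any" in policy.get("dstintf"):
        findings.append("interface any")
    # `show` omits defaults, so only an explicit "set logtraffic disable" is flagged
    if policy.get("logtraffic") == ("disable",):
        findings.append("logging disabled")
    return findings


def audit_dump(text):
    """Map policy ID -> findings for every policy in the dump."""
    return {p.policy_id: audit(p) for p in parse_policies(text)}


if __name__ == "__main__":
    for pid, findings in audit_dump(SAMPLE_DUMP).items():
        print(pid, ", ".join(findings) or "ok")
```

Run it against the output of `show firewall policy` saved from the device; the same parser works on `show full-configuration firewall policy`, which also prints the default values.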

Debug | Troubleshooting

1. To capture packets (the FortiGate equivalent of tcpdump).
Note: tcpdump is one of the most powerful and widely used command-line packet sniffers (packet analyzers). It captures or filters TCP/IP packets received or sent on a specific interface and is available on most Linux/Unix-based operating systems. The FortiGate sniffer takes tcpdump-style filter expressions.
# diagnose sniffer packet any 'host ss.ss.ss.ss or host dd.dd.dd.dd'
# diagnose sniffer packet any 'udp port 80 or tcp port 80'
# diagnose sniffer packet any 'host xx.xx.xx.xx and tcp port 22'
# diagnose sniffer packet port1 ← capture on interface port1 only
# diagnose sniffer packet any 'host xx.xx.xx.xx'
# diagnose sniffer packet port1 'host xx.xx.xx.xx'

2. To clear arp table.
# execute clear system arp table

3. To check live traffic and debug. Enter filter if your network uses IPv4. Enter filter6 if your network uses IPv6.
# diagnose debug flow {filter | filter6} <option>

Options for the debug flow filter:
1. addr   - IPv4 or IPv6 address
2. clear  - clear the filter
3. daddr  - destination IPv4 or IPv6 address
4. dport  - destination port
5. negate - inverse IPv4 or IPv6 filter
6. port   - port
7. proto  - protocol number
8. saddr  - source address
9. sport  - source port
10. vd    - index of virtual domain; -1 matches all

To start flow monitoring with a specific number of packets:
# diagnose debug flow trace start <N>

SYN packet received:
id=20085 trace_id=209 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 192.168.3.221:1487->203.160.224.97:80) from port5."

SYN sent and a new session is allocated:
id=20085 trace_id=209 func=resolve_ip_tuple line=2799 msg="allocate a new session-00000e90"

Lookup for next-hop gateway address:
id=20085 trace_id=209 func=vf_ip4_route_input line=1543 msg="find a route: gw-192.168.11.254 via port6"

Source NAT, lookup next available port:
id=20085 trace_id=209 func=get_new_addr line=1219 msg="find SNAT: IP-192.168.11.59, port-31925"

Matched security policy. Check to see which policy this session matches:
id=20085 trace_id=209 func=fw_forward_handler line=317 msg="Allowed by Policy-3: SNAT"

Apply source NAT:
id=20085 trace_id=209 func=__ip_session_run_tuple line=1502 msg="SNAT 192.168.3.221->192.168.11.59:31925"

SYN ACK received:
id=20085 trace_id=210 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 203.160.224.97:80->192.168.11.59:31925) from port6."

Found existing session ID. Identified as the reply direction:
id=20085 trace_id=210 func=resolve_ip_tuple_fast line=2727 msg="Find an existing session, id-00000e90, reply direction"

Apply destination NAT to inverse source NAT action:
id=20085 trace_id=210 func=__ip_session_run_tuple line=1516 msg="DNAT 192.168.11.59:31925->192.168.3.221:1487"

Lookup for next-hop gateway address for reply traffic:
id=20085 trace_id=210 func=vf_ip4_route_input line=1543 msg="find a route: gw-192.168.3.221 via port5"

ACK received:
id=20085 trace_id=211 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 192.168.3.221:1487->203.160.224.97:80) from port5."

Match existing session in the original direction:
id=20085 trace_id=211 func=resolve_ip_tuple_fast line=2727 msg="Find an existing session, id-00000e90, original direction"

Apply source NAT:
id=20085 trace_id=211 func=__ip_session_run_tuple line=1502 msg="SNAT 192.168.3.221->192.168.11.59:31925"

Receive data from client:
id=20085 trace_id=212 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 192.168.3.221:1487->203.160.224.97:80) from port5."

Match existing session in the original direction:
id=20085 trace_id=212 func=resolve_ip_tuple_fast line=2727 msg="Find an existing session, id-00000e90, original direction"

Apply source NAT:
id=20085 trace_id=212 func=__ip_session_run_tuple line=1502 msg="SNAT 192.168.3.221->192.168.11.59:31925"

Receive data from server:
id=20085 trace_id=213 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 203.160.224.97:80->192.168.11.59:31925) from port6."

Match existing session in reply direction:
id=20085 trace_id=213 func=resolve_ip_tuple_fast line=2727 msg="Find an existing session, id-00000e90, reply direction"

Apply destination NAT to inverse source NAT action:
id=20085 trace_id=213 func=__ip_session_run_tuple line=1516 msg="DNAT 192.168.11.59:31925->192.168.3.221:1487"

Sample output: IPsec (policy-based)
id=20085 trace_id=1 msg="vd-root received a packet(proto=1, 10.72.55.240:1->10.71.55.10:8) from internal."
id=20085 trace_id=1 msg="allocate a new session-00001cd3"
id=20085 trace_id=1 msg="find a route: gw-66.236.56.230 via wan1"
id=20085 trace_id=1 msg="Allowed by Policy-2: encrypt"
id=20085 trace_id=1 msg="enter IPsec tunnel-RemotePhase1"
id=20085 trace_id=1 msg="encrypted, and send to 15.215.225.22 with source 66.236.56.226"
id=20085 trace_id=1 msg="send to 66.236.56.230 via intf-wan1"
id=20085 trace_id=2 msg="vd-root received a packet (proto=1, 10.72.55.240:1->10.71.55.10:8) from internal."
id=20085 trace_id=2 msg="Find an existing session, id-00001cd3, original direction"
id=20085 trace_id=2 msg="enter IPsec tunnel-RemotePhase1"
id=20085 trace_id=2 msg="encrypted, and send to 15.215.225.22 with source 66.236.56.226"
id=20085 trace_id=2 msg="send to 66.236.56.230 via intf-wan1"

Example :
# diag debug flow trace start 100
# diag debug enable

The start 100 argument in the above list of commands will limit the output to 100 packets from the flow. This is useful for looking at the flow without flooding your log or displaying too much information.

To stop all other debug activities, enter the command:
# diag debug flow trace stop
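As an added example that is not part of the original post, the Python below parses `diagnose debug flow` records like the ones above (one record per line, as the device prints them), groups them by trace_id, and reduces each trace to the facts an analyst wants first: ingress interface, session state, route, which policy allowed or denied it, and the NAT or tunnel applied. The sample records are constructed from the messages shown above plus an invented trace 300 whose "Denied by forward policy check (policy 0)" message is the wording FortiOS uses for traffic that matches no policy; the `Trace` fields, `parse_flow`, `denied_traces` and `summarize` are names chosen here.

```python
"""Summarize FortiGate `diagnose debug flow` output per trace_id."""
import re
from dataclasses import dataclass

# Constructed sample: trace 209/210 and 1 reuse the messages from the post,
# trace 300 is an invented telnet attempt that matches no policy.
SAMPLE_TRACE = """\
id=20085 trace_id=209 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 192.168.3.221:1487->203.160.224.97:80) from port5."
id=20085 trace_id=209 func=resolve_ip_tuple line=2799 msg="allocate a new session-00000e90"
id=20085 trace_id=209 func=vf_ip4_route_input line=1543 msg="find a route: gw-192.168.11.254 via port6"
id=20085 trace_id=209 func=get_new_addr line=1219 msg="find SNAT: IP-192.168.11.59, port-31925"
id=20085 trace_id=209 func=fw_forward_handler line=317 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=209 func=__ip_session_run_tuple line=1502 msg="SNAT 192.168.3.221->192.168.11.59:31925"
id=20085 trace_id=210 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 203.160.224.97:80->192.168.11.59:31925) from port6."
id=20085 trace_id=210 func=resolve_ip_tuple_fast line=2727 msg="Find an existing session, id-00000e90, reply direction"
id=20085 trace_id=210 func=__ip_session_run_tuple line=1516 msg="DNAT 192.168.11.59:31925->192.168.3.221:1487"
id=20085 trace_id=1 msg="Allowed by Policy-2: encrypt"
id=20085 trace_id=1 msg="enter IPsec tunnel-RemotePhase1"
id=20085 trace_id=300 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 10.0.0.7:51000->203.160.224.97:23) from port5."
id=20085 trace_id=300 func=resolve_ip_tuple line=2799 msg="allocate a new session-00000f10"
id=20085 trace_id=300 func=fw_forward_handler line=600 msg="Denied by forward policy check (policy 0)"
"""

# func= and line= are optional: the IPsec sample in the post prints neither.
RECORD_RE = re.compile(r'id=(\d+) trace_id=(\d+)(?: func=(\S+))?(?: line=(\d+))? msg="(.*)"\s*$')

PAT = {
    "packet": re.compile(r"vd-(\S+) received a packet\s*\(proto=(\d+),\s*(\S+)->(\S+)\) from (\S+)\."),
    "new_session": re.compile(r"allocate a new session-(\w+)"),
    "existing": re.compile(r"Find an existing session, id-(\w+), (\w+) direction"),
    "route": re.compile(r"find a route: gw-(\S+) via (\S+)"),
    "allowed": re.compile(r"Allowed by Policy-(\d+): (\w+)"),
    "denied": re.compile(r"Denied by forward policy check \(policy (\d+)\)"),
    "snat": re.compile(r"^SNAT (\S+)->(\S+)"),   # anchored so "find SNAT: ..." is not matched
    "dnat": re.compile(r"^DNAT (\S+)->(\S+)"),
    "ipsec": re.compile(r"enter IPsec tunnel-(\S+)"),
}


@dataclass
class Trace:
    trace_id: int
    vdom: str = None
    proto: int = None
    src: str = None
    dst: str = None
    in_intf: str = None
    session: str = None
    direction: str = None   # "new", "original" or "reply"
    gateway: str = None
    out_intf: str = None
    policy: int = None
    verdict: str = None     # "allowed" or "denied"
    snat: tuple = None
    dnat: tuple = None
    tunnel: str = None


def parse_flow(text):
    """Return {trace_id: Trace}, filling each field from the message that carries it."""
    traces = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # prompt echo or other non-record line
        tid = int(m.group(2))
        t = traces.setdefault(tid, Trace(tid))
        msg = m.group(5)
        if p := PAT["packet"].search(msg):
            t.vdom, t.proto, t.src, t.dst, t.in_intf = p.group(1), int(p.group(2)), p.group(3), p.group(4), p.group(5)
        elif p := PAT["new_session"].search(msg):
            t.session, t.direction = p.group(1), "new"
        elif p := PAT["existing"].search(msg):
            t.session, t.direction = p.group(1), p.group(2)
        elif p := PAT["route"].search(msg):
            t.gateway, t.out_intf = p.group(1), p.group(2)
        elif p := PAT["allowed"].search(msg):
            t.policy, t.verdict = int(p.group(1)), "allowed"
        elif p := PAT["denied"].search(msg):
            t.policy, t.verdict = int(p.group(1)), "denied"
        elif p := PAT["snat"].search(msg):
            t.snat = (p.group(1), p.group(2))
        elif p := PAT["dnat"].search(msg):
            t.dnat = (p.group(1), p.group(2))
        elif p := PAT["ipsec"].search(msg):
            t.tunnel = p.group(1)
    return traces


def denied_traces(traces):
    """Traces the firewall dropped; the usual first question in a connectivity ticket."""
    return [t for _, t in sorted(traces.items()) if t.verdict == "denied"]


def summarize(t):
    return (f"trace {t.trace_id}: {t.src} -> {t.dst} in via {t.in_intf}, "
            f"{t.verdict} by policy {t.policy}, out via {t.out_intf}, snat={t.snat}, dnat={t.dnat}")


if __name__ == "__main__":
    for t in parse_flow(SAMPLE_TRACE).values():
        print(summarize(t))
```

Paste the console output of `diag debug flow trace start <N>` into a file and feed it to `parse_flow`; denied traces show the policy ID 0 that means "no policy matched", which is the case to look at first when a host cannot reach something through the FortiGate.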

High Availability

1. To check HA status.
# get system ha status

2. To check HA configuration.
# get system ha
# show system ha


Routing | Networking

1. To check routing and table.
# get router info routing-table detail
# show router static

# config router static
(static) # show
(static) # end

VDOM

Virtual Domains (VDOMs) are a method for logically dividing a single FortiGate unit into two or more virtual instances, each of which functions as an individual firewall. Each VDOM maintains its own separate zones, user authentication, security policies, routing, and VPN configurations.

1. Split-task VDOM mode
In split-task VDOM mode, the FortiGate has two VDOMs: the management VDOM (root) and the traffic VDOM (firewall-traffic).

2. Multi VDOM mode
In multi VDOM mode, the FortiGate can have multiple VDOMs that function as independent units. One VDOM is used to manage global settings.

To create the VDOMs with the CLI:
# config vdom
# edit <VDOM-A>
# next
# edit <VDOM-B>
# next
# end


Thanks
