Fortigate show routing table cli


router {static | static6}

Use this command to add, edit, or delete static routes. Use router static for IPv4 and router static6 for IPv6.

You add static routes to manually control traffic exiting the FortiGate unit. You configure routes by specifying destination IP addresses and network masks and adding gateways for these destination addresses. Gateways are the next-hop routers to which traffic that matches the destination addresses in the route is forwarded.

You can adjust the administrative distance of a route to indicate preference when more than one route to the same destination is available. The lower the administrative distance, the more preferred the route. If the routing table contains several entries that point to the same destination (the entries may have different gateways or interface associations), the FortiGate unit compares the administrative distances of those entries, selects the entries with the lowest distance, and installs them as routes in the FortiGate unit forwarding table. Any ties are resolved by comparing the routes' priority, with the lowest priority value preferred. As a result, the forwarding table only contains routes having the lowest distances to every possible destination.

If both administrative distance and priority are tied for two or more routes, an equal cost multi-path (ECMP) situation occurs. ECMP is available for static and OSPF routing. By default, ECMP uses a hash of the source IP address to select the route. The hash is computed on the pre-NAT source IP address, so all traffic originating from the same source IP address always uses the same path. This is the source-based ECMP method; weighted and spill-over are the other two methods, and the method is selected with a CLI command under system settings (source-based is the default). Weighted ECMP uses the weight field to direct more traffic to routes with larger weights. In spill-over (usage-based) ECMP, the FortiGate unit distributes sessions among ECMP routes based on how busy the FortiGate interfaces added to the routes are. For more information on ECMP, see system settings.
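To make the selection order above concrete, here is a small Python model, added for this page and not FortiOS code, that applies the rules exactly as stated: lowest administrative distance, then lowest priority, then a source-address hash across whatever ECMP set remains. The routes are a constructed sample; the CRC32-based hash is an assumption standing in for the FortiOS hash (whose algorithm the reference does not give), chosen only because it is deterministic per source address.

```python
"""Model of the FortiGate static-route selection rules described above.

Added illustration, not FortiOS code. Candidates for one destination are
reduced by lowest administrative distance, then lowest priority; if several
remain they form an ECMP set and a packet is pinned to one of them by hashing
its (pre-NAT) source address.
"""
from dataclasses import dataclass
import ipaddress
import zlib


@dataclass(frozen=True)
class StaticRoute:
    seq: int            # edit {seq-num}
    dst: str            # e.g. "0.0.0.0/0"
    gateway: str
    device: str
    distance: int = 10  # FortiOS default distance for static routes
    priority: int = 0   # lower value is preferred (CLI only)
    status: bool = True


def candidates(routes, dst):
    """Enabled routes for exactly this destination prefix."""
    return [r for r in routes if r.status and r.dst == dst]


def select_routes(routes, dst):
    """Route(s) installed in the forwarding table for dst.

    Lowest distance wins; ties are broken by lowest priority; remaining ties
    form an ECMP set (all returned, ordered by sequence number).
    """
    cands = candidates(routes, dst)
    if not cands:
        return []
    best_distance = min(r.distance for r in cands)
    cands = [r for r in cands if r.distance == best_distance]
    best_priority = min(r.priority for r in cands)
    cands = [r for r in cands if r.priority == best_priority]
    return sorted(cands, key=lambda r: r.seq)


def ecmp_pick(ecmp_set, src_ip):
    """Source-based ECMP: the same source address always maps to the same route.

    Assumption: CRC32 of the packed source address modulo the set size. The
    real FortiOS hash is not specified on this page; only the property that
    one source always takes one path is modelled.
    """
    if len(ecmp_set) == 1:
        return ecmp_set[0]
    packed = ipaddress.ip_address(src_ip).packed
    return ecmp_set[zlib.crc32(packed) % len(ecmp_set)]


# Constructed sample: two equal ISPs, a third ISP de-preferred by priority,
# an LTE backup de-preferred by distance, and a tunnel route plus a disabled
# alternative for the same prefix. Addresses are documentation ranges.
SAMPLE_ROUTES = [
    StaticRoute(1, "0.0.0.0/0", "203.0.113.1", "wan1", distance=10, priority=0),
    StaticRoute(2, "0.0.0.0/0", "198.51.100.1", "wan2", distance=10, priority=0),
    StaticRoute(3, "0.0.0.0/0", "192.0.2.1", "wan3", distance=10, priority=5),
    StaticRoute(4, "0.0.0.0/0", "10.99.0.1", "backup-lte", distance=20),
    StaticRoute(5, "10.20.0.0/16", "10.1.1.1", "vpn-tunnel", distance=10),
    StaticRoute(6, "10.20.0.0/16", "10.1.1.2", "wan1", distance=10, status=False),
]

if __name__ == "__main__":
    ecmp = select_routes(SAMPLE_ROUTES, "0.0.0.0/0")
    print("ECMP set for default route:", [r.device for r in ecmp])
    for src in ("192.168.1.10", "192.168.1.11", "192.168.2.50"):
        print(src, "->", ecmp_pick(ecmp, src).device)
```

Run it and note that routes 3 and 4 never appear in the ECMP set even though they have the same destination: a tie on distance alone is not enough, priority must tie as well.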

History

The following entries are newly added, changed, or removed as of the FortiOS release this reference covers:

set vrf {integer}

Set the virtual routing and forwarding (VRF) instance this route belongs to. FortiOS supports 32 VRFs (numbered 0 to 31) per VDOM.

This entry is only available when is set to .

set bfd {enable | disable}

Enable or disable (disabled by default) Bidirectional Forwarding Detection (BFD) for IPv4 and/or IPv6 static routes, to configure routing failover based on remote path failure detection. BFD removes a static route from the routing table if the FortiGate can't reach the route's destination and returns the route to the routing table when the destination becomes reachable again.

This entry is not available when is set to .

set src {ipv4 classnet}

Set an IPv4 source prefix so that the FortiGate can differentiate between multiple default routes. This is necessary only for static routes in transparent mode.

set virtual-wan-link {enable | disable}

Enable or disable egress traffic through the virtual-wan-link.
config router static
    edit {seq-num}                               # Configure IPv4 static routing tables.
        set seq-num {integer}                    Sequence number.
        set status {enable | disable}            Enable/disable this static route.
        set dst {ipv4 classnet}                  Destination IP and mask for this route.
        set src {ipv4 classnet}                  Source prefix for this route.
        set gateway {ipv4 address}               Gateway IP for this route.
        set distance {integer}                   Administrative distance (1 - ).
        set weight {integer}                     Administrative weight (0 - ).
        set priority {integer}                   Administrative priority (0 - ).
        set device {string}                      Gateway out interface or tunnel. size[35] - datasource(s): system.interface.name
        set comment {string}                     Optional comments.
        set blackhole {enable | disable}         Enable/disable black hole.
        set dynamic-gateway {enable | disable}   Enable use of dynamic gateway retrieved from a DHCP or PPP server.
        set virtual-wan-link {enable | disable}  Enable/disable egress through the virtual-wan-link.
        set dstaddr {string}                     Name of firewall address or address group. size[63] - datasource(s): firewall.address.name, firewall.addrgrp.name
        set internet-service {integer}           Application ID in the Internet service database. datasource(s): firewall.internet-service.id
        set internet-service-custom {string}     Application name in the Internet service custom database. size[64] - datasource(s): firewall.internet-service-custom.name
        set link-monitor-exempt {enable | disable}   Enable/disable withdrawing this route when link monitor or health check is down.
        set vrf {integer}                        Virtual Routing Forwarding ID.
        set bfd {enable | disable}               Enable/disable Bidirectional Forwarding Detection (BFD).
    next
end

config router static6
    edit {seq-num}                               # Configure IPv6 static routing tables.
        set seq-num {integer}                    Sequence number.
        set status {enable | disable}            Enable/disable this static route.
        set dst {ipv6 network}                   Destination IPv6 prefix.
        set gateway {ipv6 address}               IPv6 address of the gateway.
        set device {string}                      Gateway out interface or tunnel. size[35] - datasource(s): system.interface.name
        set devindex {integer}                   Device index (0 - ).
        set distance {integer}                   Administrative distance (1 - ).
        set priority {integer}                   Administrative priority (0 - ).
        set comment {string}                     Optional comments.
        set blackhole {enable | disable}         Enable/disable black hole.
        set virtual-wan-link {enable | disable}  Enable/disable egress through the virtual-wan-link.
        set bfd {enable | disable}               Enable/disable Bidirectional Forwarding Detection (BFD).
    next
end

Additional information

The following section is for those options that require additional explanation.

blackhole

Enable or disable dropping all packets that match this route. This route is advertised to neighbors through dynamic routing protocols as any other static route.

device

Note: This field is available when is disabled.

Enter the name of the interface through which to route traffic.

distance

Enter the administrative distance for the route. The distance value may influence route preference in the FortiGate unit routing table; lower values are preferred. See also distance under system interface.

dst

Enter the destination IPv4 address and network mask for this route.

You can enter 0.0.0.0 0.0.0.0 to create a new static default route.

dynamic-gateway

When enabled, dynamic-gateway hides the gateway variable for a dynamic interface, such as a DHCP or PPPoE interface. When the interface connects or disconnects, the corresponding routing entries are updated to reflect the change.

edit

Enter a sequence number for the static route. The sequence number may influence routing priority in the FortiGate unit forwarding table.

gateway

Note: This field is available when dynamic-gateway is disabled.

Enter the IP address of the next-hop router to which traffic is forwarded.

priority

The administrative priority value is used to resolve ties in route selection. Where the tied routes also have the same priority, an equal cost multi-path (ECMP) situation results and the IP source hash (based on the pre-NAT IP address) is used to determine which route is selected. The priority is an integer from 0 upwards; routes with lower priority values are preferred.

This field is only accessible through the CLI.

weight

Note: This option is available when the ECMP mode under config system settings (v4-ecmp-mode) is set to weight-based; see system settings.

Enter weights for ECMP routes. More traffic is directed to routes with higher weights.
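An added configuration example, not taken from the Fortinet reference, showing how the distance, priority and blackhole options above fit together: two default routes with equal distance but different priority, a branch prefix reached over a tunnel interface, and a blackhole route for the same prefix at a high distance so that the traffic is dropped rather than forwarded to the ISP if the tunnel route is withdrawn. Interface names, addresses and sequence numbers are placeholders chosen for the example.

```text
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 0
        set comment "Primary ISP"
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 5
        set comment "Secondary ISP: same distance, less preferred by priority, no ECMP"
    next
    edit 3
        set dst 10.20.0.0 255.255.0.0
        set device "to-branch"
        set comment "Branch LAN via IPsec interface; no gateway needed on a tunnel interface"
    next
    edit 4
        set dst 10.20.0.0 255.255.0.0
        set blackhole enable
        set distance 254
        set comment "Drop branch traffic if route 3 is withdrawn instead of leaking it out the default route"
    next
end
```

With both default routes at distance 10, only route 1 is installed while it is usable because its priority value is lower; route 2 takes over without any ECMP session spraying. Route 4 only becomes active when route 3 disappears (for example when BFD or link-monitor withdraws it), and, as noted under blackhole above, it is still advertised to dynamic-routing neighbours like any other static route, so check what your OSPF or BGP peers will see.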

Source: https://docs.fortinet.com/document/fortigate//cli-reference//router-static-static6


I configure/support Fortigate firewalls on a daily basis, the baby 60DSL's, the A's, but mostly the big B's.

Although I do use the Fortimanager front-end extensively for revision history, I still prefer and often do work from the command line, so I thought I'll share the commands I use often.

Monitoring commands:

show

  • Show global or vdom config

sh system interface

  • Equivalent to show run interface

diagnose hardware deviceinfo nic

  • Equivalent to show interface

get system status

sh firewall policy 6

  • Show firewall rule number 6

sh router policy

  • Show Policy Routing rules

diagnose system session list

  • Show the existing translations

diagnose system session clear

  • Clears all xlate/translations

diagnose ip arp list

  • Shows the arp table of connected hosts

get router info routing-table all

  • Equivalent to 'show ip route'

diagnose system top

  • Show System Processes running with PIDs

diagnose system kill 9 <id>

diag test auth ldap <server_name> <username> <password>

  • Ldap test query from the Forti to the AD

Published by Ruhann

Just another Network Engineer. View all posts by Ruhann


Source: https://routing-bits.com//10/09/fortigate-commands/

How to verify the contents of the routing table (in NAT mode)


When you have some connectivity, or possibly none at all, a good place to look for information is the routing table. The routing table is where all the currently used routes are stored, for both static and dynamic protocols. If a route is in the routing table, it saves the time and resources of a lookup. If a route is not used for a while and a new route needs to be added, the oldest, least used route is bumped if the routing table is full. This ensures the most recently used routes stay in the table. If your FortiGate unit is in transparent mode, you cannot perform this step.

If the FortiGate is running in NAT mode, verify that all desired routes are in the routing table: local subnets, default routes, specific static routes, and dynamic routing protocols.

To check the routing table in the web-based manager, use the Routing Monitor by going to Router > Monitor > Routing Monitor.

 

In the CLI, use the command get router info routing-table all. Sample output:

FGT# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      /0 [10/0] via , wan1
C       /24 is directly connected, internal
C       /24 is directly connected, wan1


Source: https://www.fortinetguru.com//01/how-to-verify-the-contents-of-the-routing-table-in-nat-mode/

TravelingPacket - A blog of network musings

This entry details how to create a static route in both the GUI and CLI of the Fortigate firewall. Specifically I am using FortiOS but it's pretty much been the same for years.

Let's start by talking through the things that will be needed to create the static route.

- Subnet - this is what we want to route to; for a default route it's 0.0.0.0/0, but we may want a more specific route, let's say to a particular /24.

- Destination Interface - the next-hop interface we want to send traffic out of.

- Gateway address - the directly connected neighbor that will be the next hop for the /24.

- Administrative Distance - a feature used by routers to select the best path to a destination when multiple paths to the same destination are present. Lowest AD wins and will be placed in the routing table.

Advanced option - Priority - to build on the AD definition: what if two routes exist in the routing table to the same destination with the same AD? This is where priority comes in. Lowest priority wins. By selecting a priority you can have multiple routes to the same destination in the routing table, but one would be preferred over the other. This comes in very handy for reverse path forwarding issues.

So after all that's said, we need to route the /24 to our LAN interface with the directly connected gateway as the next hop.

First let's create this in the GUI. Navigate to Network - Static Routes - and create a new one.

[Screenshot: Create New]

Now we will just insert the needed info. I am leaving the AD at 10 - which is the default.

[Screenshot: Route Create]

Press OK - and bam! Route created. We can check that the route has been created and is in the routing table by going to Monitor - Routing Monitor.

[Screenshot: Routing Monitor filter]

Next let's do the same thing in the CLI.

First, route creation. When you create the route, edit the next available sequence number.

[Screenshot: CLI creation]

You can see if your route is in the routing table in the CLI by running the command 'get router info routing-table all', but in this case I am using the static option and grepping just what I need to see.

[Screenshot: grep output]


Source: https://travelingpacket.com//07/07/creating-a-static-route-in-fortios/


Viewing the routing table in the CLI


In the CLI, you can easily view the static routing table just as in the web-based manager or you can view the full routing table.

When viewing the list of static routes using the CLI command show router static, it is the configured static routes that are displayed. When viewing the routing table using the CLI command get router info routing-table all, it is the entire routing table that is displayed, including configured and learned routes of all types. The two are different information in different formats.

If VDOMs are enabled on your FortiGate unit, all routing related CLI commands must be performed within a VDOM and not in the global context.

 

To view the routing table

# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      /0 [10/0] via , port2
S       /8 [10/0] via , port2
S       /8 [10/0] via , port2
C       /23 is directly connected, port3
B       /23 [20/0] via , port3, 2d18h02m
C       /23 is directly connected, port2

 

Examining an entry:

B /23 [20/0] via , port3, 2d18h02m

B            BGP. The routing protocol used.
/23          The destination of this route including netmask.
[20/0]       20 indicates an administrative distance of 20 out of a range of 0 to 255.
             0 is an additional metric associated with this route, such as in OSPF.
via          The gateway, or next hop.
port3        The interface used by this route.
2d18h02m     How old this route is, in this case almost three days old.
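The two routing-table listings above (the NAT-mode check and the entry breakdown just given) are easier to audit when turned into records. The following Python script is an added example, not Fortinet code and not part of the original page: it parses get router info routing-table all output into the fields described above, then flags default routes that leave through an interface you did not expect, and dynamically learned prefixes that are more specific than a directly connected network, which is how a rogue OSPF or BGP neighbour can redirect traffic for local hosts. The sample output is constructed; the trailing [1/0] priority column seen on newer builds is tolerated as an assumption.

```python
"""Parse `get router info routing-table all` output and sanity-check it.

Added example for this page, not Fortinet code. The column layout follows
the entry breakdown above: protocol code (with * for candidate default),
prefix, [distance/metric], gateway, interface, and an optional age.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One route line. Connected routes have no [distance/metric] or gateway.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z]{1,2}\d?)(?P<cand>\*?)\s+(?P<prefix>\S+)\s+"
    r"(?:\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<gateway>[^,]+),\s*"
    r"(?P<device>[^,\s]+)(?P<rest>.*)"
    r"|is directly connected,\s*(?P<cdevice>\S+))\s*$"
)


@dataclass
class Route:
    code: str                 # S, C, B, O, ...
    candidate_default: bool   # the * flag
    network: ipaddress.IPv4Network
    distance: int
    metric: int
    gateway: Optional[str]    # None for connected routes
    device: str
    age: Optional[str]        # e.g. "2d18h02m" on dynamic routes


def parse_routing_table(text: str) -> List[Route]:
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # prompt, "Codes:" legend, blank lines
        net = ipaddress.ip_network(m["prefix"], strict=False)
        if m["cdevice"]:
            routes.append(Route(m["code"], bool(m["cand"]), net, 0, 0,
                                None, m["cdevice"], None))
            continue
        age = None
        for token in m["rest"].split(","):
            token = token.strip()
            # "[1/0]" is the priority column on newer builds (assumption), not an age
            if token and not token.startswith("["):
                age = token
        routes.append(Route(m["code"], bool(m["cand"]), net,
                            int(m["distance"]), int(m["metric"]),
                            m["gateway"].strip(), m["device"], age))
    return routes


def unexpected_default_routes(routes: List[Route], allowed_devices) -> List[Route]:
    """Default routes whose egress interface is not in the allow-list."""
    return [r for r in routes
            if r.network.prefixlen == 0 and r.device not in allowed_devices]


def more_specific_than_connected(routes: List[Route]) -> List[Tuple[Route, Route]]:
    """Non-connected routes that carve a longer prefix out of a connected network.

    The longest match always wins, so such a route silently pulls traffic for
    part of a local subnet to another next hop: worth a look whenever it was
    learned from a dynamic neighbour.
    """
    connected = [r for r in routes if r.code == "C"]
    hits = []
    for r in routes:
        if r.code == "C":
            continue
        for c in connected:
            if (r.network.version == c.network.version
                    and r.network != c.network
                    and r.network.subnet_of(c.network)):
                hits.append((r, c))
    return hits


# Constructed sample in the format shown above (documentation address ranges).
SAMPLE_OUTPUT = """\
FGT # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 203.0.113.1, wan1
S       10.0.0.0/8 [10/0] via 10.1.1.254, port2
C       10.1.1.0/24 is directly connected, port2
C       192.168.1.0/24 is directly connected, internal
B       10.2.0.0/23 [20/0] via 10.1.1.74, port3, 2d18h02m
O       192.168.1.128/25 [110/20] via 10.1.1.9, port2, 00:10:22
S*      0.0.0.0/0 [10/0] via 198.51.100.1, wan2, [1/0]
"""

if __name__ == "__main__":
    table = parse_routing_table(SAMPLE_OUTPUT)
    for r in table:
        print(f"{r.code:<2} {str(r.network):<20} dist={r.distance:<3} "
              f"via {r.gateway or '-':<14} {r.device}")
    for r in unexpected_default_routes(table, {"wan1"}):
        print("WARNING: default route via unexpected interface:", r.device)
    for r, c in more_specific_than_connected(table):
        print(f"WARNING: {r.code} route {r.network} is more specific than "
              f"connected {c.network} on {c.device}")
```

Paste real output into SAMPLE_OUTPUT (or read it from a file) and adjust the allowed interface set; on the sample the script reports the second default route via wan2 and the OSPF /25 inside the internal /24.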

 

To view the kernel routing table

# get router info kernel
tab= vf=0 scope= type=1 proto=2 prio=0 //0->/24 pref= gwy= dev=5(external1)
tab= vf=0 scope= type=1 proto=2 prio=0 //0->/24 pref= gwy= dev=6(internal)

The parts of the routing table entry are:

tab              Table number. This will be either 254 (unicast) or 255 (multicast).

vf               Virtual domain of the firewall. This is the VDOM index number. If VDOMs are not enabled, this number will be 0.

type             Type of routing connection. Valid values include:
                 0 - unspecific
                 1 - unicast
                 2 - local
                 3 - broadcast
                 4 - anycast
                 5 - multicast
                 6 - blackhole
                 7 - unreachable
                 8 - prohibited

proto            Type of installation. This indicates where the route came from. Valid values include:
                 0 - unspecific
                 2 - kernel
                 11 - ZebOS routing module
                 14 - FortiOS
                 15 - HA
                 16 - authentication based
                 17 - HA1

prio             Priority of the route. Lower priorities are preferred.

->x.x.x.x/mask   The IP address and subnet mask of the destination.

pref             Preferred next hop along this route.

gwy              Gateway - the address of the gateway this route will use.

dev              Outgoing interface index. This number is associated with the interface for this route, and if VDOMs are enabled the VDOM will be included here as well. If an interface alias is set for this interface it will also be displayed here.


Source: https://www.fortinetguru.com//06/viewing-the-routing-table-in-the-cli/

This blog post is a list of common troubleshooting commands I am using on the FortiGate CLI. It is not complete nor very detailed, but provides the basic commands for troubleshooting network related issues that are not resolvable via the GUI. I am not focused on too many memory, process, kernel, etc. details. These must only be used if there are really specific problems. I am more focused on the general troubleshooting stuff. I am using it personally as a cheat sheet / quick reference and will update it from time to time.

Coming from Cisco, everything is "show". With Fortinet you have the confusion between show | get | diagnose | execute. Not that easy to remember. It is "get router info6 routing-table" to show the routing table but "diagnose firewall proute6 list" for the PBF rules. Likewise the sys | system keyword. It is always "diagnose sys" but "execute system".

Entering the correct vdom/global config

Remember to enter the correct vdom or global configuration tree before configuring anything:

config global

config vdom
edit <vdom-name>

To execute any "show" command from any context use the sudo keyword with the global/vdom-name context followed by the normal commands (except "config") such as:

sudo {global|<vdom-name>} {diagnose|execute|show|get}

sudo global show system admin
sudo root get system interface physical

Show running-config & grep & scp

To show the running configuration (such as "show run" on Cisco) simply type:

show

To show the entire running configuration with default values use:

show full-configuration

When you are in a config submenu you can list the subsequent configuration options with all further submenus with:

tree

For example:


fg2(ntp)# tree

--<ntp>--ntpsync

         |-type

         |-syncinterval        (1,)

         |-[ntpserver]--*id   (0,)

                        |-server       (64)

                        |-ntpv3

                        |-authentication

                        |-key

                        |-key-id       (0,)

                        |-interface-select-method

                        +-interface    (16)

         |-source-ip

         |-source-ip6

         |-server-mode

         |-authentication

         |-key-type

         |-key

         |-key-id      (0,)

         +-[interface]--*interface-name       (80)

To omit the "--More--" stops when displaying many lines, you can set the terminal output to the following, which will display all lines at once. This is similar to "terminal length 0" from Cisco. Be careful with it, because this command is persistent. Set it to default after usage!

config system console

  set output standard

end

To find a CLI command within the configuration, you can use the pipe sign "|" with "grep" (similar to "include" on Cisco devices). Note the "-f" flag to show the whole config tree in which the keyword was found, e.g.:

show | grep -f ipv6
show full-configuration | grep -f ipv6

Example with grep but WITHOUT the -f option (which makes no sense at all):

FGT90D# show | grep ipv6
    set gui-ipv6 enable
        config ipv6
        config ipv6
        config ipv6
                set ipvdbcafe

Now with the -f option. Note the "<---" at the end of every line that has the "ipv6" keyword in it, while the full configuration part around it is listed.

FGT90D# show | grep -f ipv6
config system global
    set admin-sport
    set admintimeout
    set alias "FGT90D"
    set compliance-check disable
    set disk-usage log
    set gui-certificates enable
    set gui-device-latitude ""
    set gui-device-longitude ""
    set gui-ipv6 enable    <---
    set gui-lines-per-page
    set gui-wireless-opensecurity enable
    set hostname "FGT90D"
    set switch-controller enable
    set timezone 26
end
config system interface
    edit "wan1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh
        set type physical
        set role wan
        set snmp-index 1
        config ipv6    <---
            set ip6-mode dhcp
            set ip6-allowaccess ping https ssh
            set dhcp6-prefix-delegation enable
        end
    next
    edit "internal"
        set vdom "root"
        set ip
        set allowaccess ping https ssh
        set type hard-switch
        set stp enable
        set device-identification enable
        set snmp-index 5
        config ipv6    <---
            set ip6-mode delegated
            set ip6-allowaccess ping https ssh
            set ip6-send-adv enable
            set ip6-upstream-interface "wan1"
            set ip6-subnet /64
        end
    next
    edit "internal2-soft"
        set vdom "root"
        set ip
        set allowaccess ping https ssh
        set type switch
        set device-identification enable
        set fortiheartbeat enable
        set snmp-index 6
        config ipv6    <---
            set ip6-mode delegated
            set ip6-allowaccess ping https ssh
            set ip6-send-adv enable
            set ip6-upstream-interface "wan1"
            set ip6-subnet /64
        end
    next
end
config system dns-database
    edit "weberforti.rocks"
        set domain "weberforti.rocks"
        config dns-entry
            edit 1
                set type AAAA
                set hostname "knoppix"
                set ipvdbcafe    <---
            next
        end
        set primary-name "forti.weberlab.de"
        set contact "<contact-email>"
    next
end

You can even extend your grepping by using multiple expressions to grep, wrapped into single quotes and separated by \|, such as: (Thanks to Ulrich's comment!)

show | grep -f 'internal\|wan'
diag vpn tunnel list | grep 'name\|esp\|ah'

 

In order to copy the configuration via SCP from a backup server you must first enable the SCP protocol for the admin:

config system global
    set admin-scp enable
end

before you can grab it from the backup server, e.g. Linux with:

scp <username>@<FortiGate-ip/name>:sys_config <destination>
scp admin@<FortiGate-ip>:sys_config ~/fortigate-config.txt

 

To save your config through the CLI in order to have it in the GUI under <username> -> Configuration -> Revisions, use:

execute backup config flash

Even better, you should enable the following feature which saves a backup of your configuration after each logout automatically:

config system global

    set revision-backup-on-logout enable

end

 

General Information

The very basics:

get system interface physical       # overview of hardware interfaces
get hardware nic <nic-name>         # details of a single network interface, same as: diagnose hardware deviceinfo nic <nic-name>
fnsysctl ifconfig <nic-name>        # kind of hidden command to see more interface stats such as errors
get system status                   # == show version
get system performance status       # CPU and network usage
execute sensor list                 # power supply, temperature, fans
execute sensor detail
diagnose sys top                    # top with all forked processes
diagnose sys top-summary            # top made easier, incl. CPU and mem bars. Forks are displayed as [x13] or similar
execute dhcp lease-list
get system arp
diagnose ip arp list
diagnose ipv6 address list
diagnose ipv6 neighbor-cache list
diagnose sys ntp status
diagnose autoupdate versions        # lists the attack definition versions, last update, etc.
diagnose log test                   # generates all possible log entries
diagnose test application dnsproxy 6    # shows the IP addresses of FQDN objects
diagnose debug crashlog read        # shows the crashlog; a status of 0 indicates a normal close of a process!

 

After rebooting a fresh device which is already licensed, it takes some time until it is "green" on the dashboard. The following commands can troubleshoot and start the "get license" process. Use the first three to enable debugging and start the process, while the last one disables the debugging again:

diag debug app update -1
diag debug enable
exec update-now
diag debug disable

To reboot your device, use:

execute reboot
 

General Network Troubleshooting

Which is basically ping and traceroute. Unfortunately it is surprisingly difficult to use those commands since you need a couple of subcommands to source pings from a different interface, and so on. Furthermore, traceroute for IPv6 takes its options on the CLI directly, such as "-i <interface>", while traceroute for IPv4 uses the "traceroute-options ..." subcommands:

execute ping6-options ?
execute ping6-options source <source-interface-IP>
execute ping6 <hostname|ip>

execute ping-options ?
execute ping-options source <source-interface-IP>
execute ping <hostname|ip>

execute tracert6 <hostname|ip>

execute traceroute <hostname|ip>
execute traceroute-options ?

To view the current *-options, use this:

execute ping-options view-settings
execute ping6-options view-settings
execute traceroute-options view-settings

 

Routing

Routing table, RIB, FIB, policy routes, routing protocols, route cache, and much more. ;) Note the differences between IPv6 and legacy IP.

get router info6 routing-table          # routing table = active routes
get router info routing-table all       # IPv4 needs an "all" at the end

get router info6 routing-table database # Routing Information Base WITH inactive routes
get router info routing-table database

get router info6 kernel                 # Forwarding Information Base
get router info kernel

diagnose firewall proute6 list          # Policy Routes + WAN Load Balancing
diagnose firewall proute list

get router <routing-protocol>           # basic information about the enabled routing protocol
diagnose ip rtcache list                # route cache = current sessions w/ routing information

High Availability

Diagnose and managing: (Just another example of how "get | diagnose | execute" is mixed along with "sys | system".)

get system ha status
diagnose sys ha status
execute ha manage ?                 # switch to the CLI of a secondary unit
execute ha manage <device-index>
diagnose sys ha checksum show       # verify the checksum of all synchronized peers

Manually test a failover by decreasing the priority of the current master (since highest priority wins):

execute ha set-priority <serial-number> <new-priority>

Don't forget to restore the priority value to your original one!

Start a sync at a secondary device to (from?) the master: (Honestly, I am not sure what "synchronize" means in this command. I would like to decide which config to push to the other device. The Fortinet documentation reads: "Use this command from a subordinate unit in an HA cluster to manually synchronize its configuration with the primary unit or to stop a synchronization process that is in progress.")

execute ha synchronize {start|stop}

 

Session Table

Display the current active sessions:

get system session list             # rough view with NAT, only IPv4

diagnose sys session filter clear
diagnose sys session filter ?
diagnose sys session filter dst <ip>
diagnose sys session filter dport 53
diagnose sys session list           # show the session table with the filter just set

 

Remote Server Authentication Test

In order to test user credentials against some (remote) authentication servers such as LDAP or RADIUS or even local:

diagnose test authserver ldap <server_name> <username> <password>
diagnose test authserver radius <server_name> <chap|pap|mschap|mschap2> <username> <password>
diagnose test authserver local <group_name> <username> <password>

 

FSSO User Authentication

When you're using some kind of Fortinet single sign-on (FSSO) feature such as the agentless/agent polling mode to a Windows AD, you can use the following commands to get some information about the recognized users and agent servers:

diagnose debug authd fsso list
diagnose debug authd fsso server-status
diagnose firewall auth list

The first one shows all monitored users with details concerning their LDAP groups:

fg# diagnose debug authd fsso list
FSSO logons
IP  User:weberjoh  Groups:CN=CONT_APPLIKATION_A,OU=CONTAINER,DC=fortinetz,DC=intern+CN=ROLE_IT_SECURITY,OU=ROLES,DC=fortinetz,DC=intern+CN=Benutzer,CN=Builtin,DC=fortinetz,DC=intern  Workstation:  MemberOf:FSSO_ROLE_IT_SECURITY
IP  User:hochmuth  Groups:CN=ROLE_IT_SECURITY,OU=ROLES,DC=fortinetz,DC=intern+CN=Benutzer,CN=Builtin,DC=fortinetz,DC=intern  Workstation:  MemberOf:FSSO_ROLE_IT_SECURITY
IP  User:Administrator  Groups:CN=Benutzer,CN=Builtin,DC=fortinetz,DC=intern+CN=Administratoren,CN=Builtin,DC=fortinetz,DC=intern  Workstation:
Total number of logons listed: 3, filtered: 0
end of FSSO logons

while the last one shows the users with their corresponding FortiGate user groups and traffic counters:

fg# diagnose firewall auth list

, weberjoh
        type: fsso, id: 0, duration, idled
        server: Local FSSO Agent
        packets: in out, bytes: in out
        group_id: 2
        group_name: FSSO_ROLE_IT_SECURITY

, hochmuth
        type: fsso, id: 0, duration, idled
        server: Local FSSO Agent
        packets: in out, bytes: in out
        group_id: 2
        group_name: FSSO_ROLE_IT_SECURITY

, Administrator
        type: fsso, id: 0, duration, idled
        server: Local FSSO Agent
        packets: in out, bytes: in out

listed, 0 filtered

If you need further debugging messages you can enable it for the Fortigate non-blocking auth daemon and the FSSO daemon:

diagnose debug enable

diagnose debug application fnbamd

diagnose debug application fssod

 

Sniffer / Packet Capture

Sniff packets like tcpdump does. (Only if the built-in packet capture feature in the GUI does not meet your requirements.) This can be used for investigating connection problems between two hosts. There are no details of the firewall policy decisions. Use the debug flow (next paragraph) for analysis about firewall policies, etc.


diagnose sniffer packet <interface|any> '<tcpdump-filter>' <verbose> <count> <time-format>

with:

verbose:
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name <<<<<< good default choice
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name
count: number of packets
time-format:
a: UTC time
l: local time

Examples: (Thanks to the comment from Ulrich for the IPv6 example)

diagnose sniffer packet any 'host ' 4 4 l

diagnose sniffer packet any 'host and dst port 53' a

diagnose sniffer packet wan1 'dst port (80 or )' l

diagnose sniffer packet any 'net db/32' l

Here are two more examples showing how to capture LLDP or CDP packets in order to reveal which layer 2 switch ports the FortiGate is connected to. Kudos to Joachim Schwierzeck.

LLDP:

diagnose sniffer packet port1 'ether proto 0x88cc' 4 1 a

CDP:

diagnose sniffer packet port1 'ether[] == 0x' 6 1 a

 

Flow

If you want to see the FortiGate's own view of a connection, use this kind of debug. It shows, for example, the routing decision and the policy that allowed (or denied) the connection.

diagnose debug reset

diagnose debug flow filter ?

diagnose debug flow filter saddr

diagnose debug flow filter daddr

diagnose debug flow show function-name enable

diagnose debug enable

#display the next 10 packets:

diagnose debug flow trace start 10

diagnose debug disable

Example:


fg2# diagnose debug reset

 

fg2# diagnose debug flow filter daddr

 

fg2# diagnose debug flow show function-name enable

show functionname

 

fg2# diagnose debug enable

 

fg2# diagnose debug flow trace start 10

 

fg2#

id=trace_id=func=print_pkt_detail line=msg="vd-root received a packet(proto=17, >) from local. "

id=trace_id=func=resolve_ip_tuple_fast line=msg="Find an existing session, iddb4, original direction"

id=trace_id=func=__ip_session_run_tuple line=msg="run helper-dns-udp(dir=original)"

id=trace_id=func=print_pkt_detail line=msg="vd-root received a packet(proto=17, >) from internal. "

id=trace_id=func=init_ip_session_common line=msg="allocate a new sessiona"

id=trace_id=func=vf_ip4_route_input line=msg="find a route: flags= gw via wan1"

id=trace_id=func=fw_forward_handler line=msg="Allowed by Policy AV"

id=trace_id=func=ids_receive line=msg="send to ips"

id=trace_id=func=av_receive line=msg="send to application layer"

id=trace_id=func=print_pkt_detail line=msg="vd-root received a packet(proto=17, >) from local. "

id=trace_id=func=resolve_ip_tuple_fast line=msg="Find an existing session, ida, original direction"

id=trace_id=func=__ip_session_run_tuple line=msg="run helper-dns-udp(dir=original)"

id=trace_id=func=print_pkt_detail line=msg="vd-root received a packet(proto=17, >) from local. "

id=trace_id=func=resolve_ip_tuple_fast line=msg="Find an existing session, iddb4, original direction"

id=trace_id=func=__ip_session_run_tuple line=msg="run helper-dns-udp(dir=original)"

 

fg2# diagnose debug disable
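Added example, not from the original post: a small Python parser for the debug flow trace lines shown above. It groups the lines by trace_id and pulls out the packet, whether the session was new or existing, the route, and the policy verdict, which is what you usually want to know when a host cannot connect. The sample lines are constructed (the transcript above had its numbers stripped), and the "Denied by forward policy check" wording is an assumption about how a dropped packet is reported.

```python
import re

# Constructed sample of "diagnose debug flow trace" output (not the page's transcript):
# the id=/trace_id=/func=/line=/msg= layout follows the page; addresses, session ids,
# policy numbers and the "Denied by ..." wording are made up.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5518 msg="vd-root received a packet(proto=17, 192.0.2.10:54321->198.51.100.53:53) from internal. "
id=20085 trace_id=1 func=init_ip_session_common line=5676 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=1 func=fw_forward_handler line=738 msg="Allowed by Policy-3: AV"
id=20085 trace_id=2 func=print_pkt_detail line=5518 msg="vd-root received a packet(proto=17, 192.0.2.10:54322->198.51.100.53:53) from local. "
id=20085 trace_id=2 func=resolve_ip_tuple_fast line=5596 msg="Find an existing session, id-0000a1b3, original direction"
id=20085 trace_id=3 func=print_pkt_detail line=5518 msg="vd-root received a packet(proto=6, 192.0.2.20:40000->198.51.100.80:80) from internal. "
id=20085 trace_id=3 func=init_ip_session_common line=5676 msg="allocate a new session-0000a1b4"
id=20085 trace_id=3 func=fw_forward_handler line=738 msg="Denied by forward policy check (policy 0)"
"""

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # msg is quoted, may hold spaces and '='
PKT_RE = re.compile(r"proto=(\d+), (\S+)->(\S+)\) from (\w+)")
ROUTE_RE = re.compile(r"gw-(\S+) via (\S+)")
POLICY_RE = re.compile(r"[Pp]olicy[- ](\d+)")


def parse_trace_line(line):
    """Split one debug flow line into its key=value fields, with msg unquoted."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def summarize(trace_text):
    """Group lines by trace_id: packet, new/existing session, route and policy verdict."""
    flows = {}
    for raw in trace_text.splitlines():
        f = parse_trace_line(raw)
        if "trace_id" not in f:
            continue  # prompt and blank lines carry no trace fields
        rec = flows.setdefault(f["trace_id"], {"packet": None, "session": None,
                                               "route": None, "verdict": None, "policy": None})
        func, msg = f.get("func", ""), f.get("msg", "")
        if func == "print_pkt_detail" and (m := PKT_RE.search(msg)):
            rec["packet"] = {"proto": int(m.group(1)), "src": m.group(2),
                             "dst": m.group(3), "from": m.group(4)}
        elif func == "init_ip_session_common":
            rec["session"] = "new"        # only new sessions go through the policy lookup
        elif func == "resolve_ip_tuple_fast":
            rec["session"] = "existing"   # matched the session table, no policy re-check
        elif func == "vf_ip4_route_input" and (m := ROUTE_RE.search(msg)):
            rec["route"] = {"gw": m.group(1), "iface": m.group(2)}
        elif func == "fw_forward_handler":
            rec["verdict"] = "allowed" if msg.startswith("Allowed") else "denied"
            m = POLICY_RE.search(msg)
            rec["policy"] = int(m.group(1)) if m else None
    return flows
```

Feed it the pasted output of "diagnose debug flow trace start <n>" and look for flows with verdict "denied" and the policy id they hit.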

 

VPN

To show details about IKE/IPsec connections, use these commands:

get vpn ike gateway <name>

get vpn ipsec tunnel name <name>

get vpn ipsec tunnel details

diagnose vpn tunnel list

diagnose vpn ipsec status           #shows all crypto devices with counters that are used by the VPN

get router info routing-table all

To debug IKE/IPsec sessions, use the VPN debug:

diagnose debug reset

diagnose vpn ike log-filter clear

diagnose vpn ike log-filter ?

diagnose vpn ike log-filter dst-addr

diagnose debug app ike          #shows phase 1 and phase 2 output

diagnose debug enable               #after enough output, disable the debug:

diagnose debug disable

To reset a certain VPN connection, use this (Credit):


diag vpn tunnel reset <phase1 name>

 

Log

For investigating the log entries (similar to the GUI), use the following filters, etc.:

execute log filter reset

execute log filter category event

execute log filter field            #press enter for options

execute log filter field dstport

Source: https://weberblog.net/cli-commands-for-troubleshooting-fortigate-firewalls/
