##Google Analz## ##Microsoft## ##Googel## Swanand: Fortinet Firewall CLI Commands

Thursday, 9 October 2014

Fortinet Firewall CLI Commands

**********************
Fortinet Firewall Commands
**********************

// Health and Status
show [enter]               //Note that output is only non-default values.
show full-configuration   // Show all configurations on the device.
show system interface wan1 | grep -A2 ip // Show WAN and interface information.
get system info admin status // Show logged in users
get system status            // Show system hardware/software update versions
get hardware status          // Detailed hardware model information
get system performance status
get system performance top
show system interface // Interface Configuration
diagnose hardware deviceinfo nic // Interface Statistics/Settings
diagnose hardware sysinfo memory
diag debug crashlog read
diag hardware sysinfo shm     // Device should be in 0, if (>0) then conservemode
get system global | grep -i timer    // Show tcp and udp timers for halfopen and idle
get system session-ttl     // System default tcp-idle session timeout
execute ha manage <devid>    // send heartbeat accross management link.
get hardware nic
diagnose ip address list
get system interface physical
// ARP
diagnose ip arp list
// Track and Troubleshoot
get system session status      // Connection count for ingress/egress
get system session-info full-stat    // Displays session status with breakdown by state
get system session list       // Session list, protocol, expire, src nat, dst nat
diag sys session              // Basic output with no filters of diag sys session
diag sys session filter <option> <value>      // Capture filter based on src, dst, duraction, policy id, vd
// Packet capture
diag debug info     // Displays active debug
diag debug enable     // Enable debug
#diagnose debug flow filter (shows what filters are configured)
#diagnose debug flow filter clear (clear all filter)
#diagnose debug flow filter <options> <value> (configures the filter)
#diagnose debug flow show con enable <show output on console>
#diagnose debug flow show fun enable <show functions>
#diagnose debug flow trace start <number of lines> (to start the trace)
#diagnose debug flow trace stop (to stop the trace)
Example:
diagnose debug reset
diagnose debug enable
diagnose debug flow filter clear
diagnose debug flow filter saddr 192.168.10.1
diagnose debug flow filter dport 80
diagnose debug flow show con enable
diagnose debug flow show fun enable
diagnose debug flow trace start 20
diagnose sniffer packet <interface or ANY> ‘<arguments>’ <level 1-6>
example:
diagnose sniffer packet ANY ‘net 192.168.10.0/24 and not host 192.168.10.1 and port 80 and TCP’ 6
Syn packets only:
diag sniffer packet internal ‘tcp[13] == 2′
to stop:
diagnose debug reset
diagnose debug disable
// Enable packet capture in GUI
System -> Config -> Advanced
Setup packet capture filter, Check box to start, Uncheck to stop.
Download Debug Log
// Show identified devices
diag user device list
// Routes
Interface Up -> Multiple: Select lowest distance -> Dynamic: If same distance choose lowest metric -> Dynamic: If multiple have same distance/metric, depends on protocol -> All “Best Routes” places in table. Match goes to most exact subnet -> Policy routing applied before table lookups.
Route lookups are only for the first packet of each session.
All packets will use same path.
After topology change, routes are flushed and sessions relearned.
get system arp          // ARP Table
get router info routing-table all       // All routing table entries
get router info routing-table details <ip>         // Shows if custom static ordynamic routes exist for dest.
get router info kernel             // Raw kernel routing table
show router static    // Display static routes
// Restore image
execute restore image <firmware_file_name> <TFTP server_ipaddress>    // Restore an image from TFTP
// Provisioning
config system settings        // Configure for layer-3
set opmode nat
end
config system settings       // Configure transparent
set opmode transparent
end
config system global         // Set port for admin if VPN is sharing
set admin-sport 8443
set sslvpn-sport 443
end
config system global        // Enable SCP
set admin-scp enable
cofng system ntp            // Setup NTP
config ntpserver
edit 1
set server 10.0.0.0
end
edit 2
set server 10.0.0.1
end
set ntpsync enable
end
execute time
config system dns          // Setup DNS
set primary  0.0.0.0
set secondary 0.0.00
config log syslogd(2|3) setting     // Enable syslog
set status enable
set server <IP address>
set port 514
set facility user
end
diagnose log test     // Test logging
config system interface          // Setup IP Address
edit wan1
set mode static
set ip 172.16.0.0 255.255.255.0
set vlan id 50
end
config system interface          // LACP port aggregation
edit aggr1
set member “port8″ “port9″
end
config system zone             // Add interfaces to zone
edit outside
set interface internal1 internal 2
enable intrazone traffic
set intrazone allow
end
config router static       // Add default route
edit 1
set gateway 172.16.0.0
end
config router static       // Static route
edit2
set device port1
set dst 10.0.0.0 255.0.0.0
set gateway 10.0.1.1
// Vendor Notes
http://docs.fortinet.com/fgt.html
http://docs.fortinet.com/fgt/handbook/40mr3/fortigate-cli-40-mr3.pdf
http://docs.fortinet.com/fgt50.html

1 comment:

Featured post

Vicidial With WebRTC

Vicidial With WebRTC VICIDial is well known open source call center software. It has been in use by many small to large scaled con...