=Fortigate=
== Command Cheat sheet ==
Cheat sheet created by Frederic Kasmirczak (http://www.frederick.lu); I simply converted it to a wiki for easier copy and paste.
{| class="wikitable"
|-
! colspan="2" | Main Command Structure
|-
! Command
! Description
|-
| show || Display the settings that differ from the factory defaults in the current object or table
|-
| get || List all settings of the current object or table, defaults included
|-
| edit <name or id> || Create or edit an entry in the current table
|-
| edit 0 || Create a new entry using the next free ID in an integer-keyed table (static routes, policies, ...)
|-
| set <field> <value> || Set a field; unset <field> resets it to the default value
|-
| end || Save the changes and leave the current object
|-
| abort || Leave the current object without saving the changes
|-
| delete <name or id> || Remove an entry from the current table
|-
|}
{| class="wikitable"
|-
! colspan="2" | Basic
|-
! Command
! Description
|-
| get sys status || Show the status summary (model, serial number, firmware version and build, hostname, HA mode)
|-
| get sys perf stat || Show resource usage (CPU, memory, sessions, uptime)
|-
| execute ping <host> || Ping a host
|-
| execute shutdown<br>execute reboot || Shut down or reboot the device
|-
| get sys arp || Show the current ARP table
|-
| execute date<br>execute time || Show (or set) the current date and time
|-
|}
{| class="wikitable"
|-
! colspan="2" | Interface
|-
! Command
! Description
|-
| show sys int || Show the interface configuration (non-default settings only)<br>show sys int ? lists the interface names
|-
| config sys interface<br>edit port1<br>set ip x.x.x.x y.y.y.y<br>set allowaccess ssh ping<br>end || Basic interface IP configuration. allowaccess is the management-access list of the interface: keep it to the minimum needed and do not expose https or ssh on Internet-facing interfaces
|-
| diag netlink device list || Show interface statistics (packets, errors, drops)
|-
| get hardware nic port1 || Show driver-level statistics and link state of one interface
|-
|}
{| class="wikitable"
|-
! colspan="2" | Disk
|-
! Command
! Description
|-
| diag hard deviceinfo disk || Show disks and partition usage
|-
| diag sys flash list || Show the firmware partitions (image, version, active flag)
|-
| execute set-next-reboot primary<br>execute set-next-reboot secondary || Select the firmware partition to boot from at the next reboot
|-
| execute factoryreset || Reset to factory defaults (execute factoryreset2 keeps the interface, VDOM and static route settings)
|-
| execute formatlogdisk || Format the log disk (all local logs are lost)
|-
|}
{| class="wikitable"
|-
! colspan="2" | Static Routing
|-
! Command
! Description
|-
| config router static<br>edit 0<br>set device internal<br>set dst x.x.x.x y.y.y.y<br>set gateway z.z.z.z<br>end || Add a static route
|-
| get router info routing-table details x.x.x.x || Display the route used to reach the IP x.x.x.x<br>If only the default route matches, the output may report "Network not in table"
|-
| get router info routing-table database || Display the routing database (all candidate routes, including inactive ones, not only the installed routing table)
|-
| diag ip route list || Display the kernel routing table
|-
|}
{| class="wikitable"
|-
! colspan="2" | Backup / Restore
|-
! Command
! Description
|-
| exe backup config tftp <file> <server> [password] || Back up the configuration to a TFTP server; with a password the file is encrypted
|-
| exe restore config tftp <file> <server> [password] || Restore a configuration from a TFTP server (the unit reboots afterwards)
|-
|}
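The backup and restore commands above write and read the plain-text format used throughout FortiOS: nested config / edit / set / next / end blocks. A backup is also the natural place to audit settings such as the allowaccess list from the Interface table. The Python script below is an added example, not part of the original cheat sheet and not Fortinet tooling: it parses that format into nested dicts and flags WAN-role interfaces whose allowaccess contains an administrative service. The sample configuration embedded in it is constructed for the demonstration, and the set of services treated as administrative is an assumption of this example.

```python
"""Audit a FortiGate configuration backup for exposed management access.

Added example (not part of the original cheat sheet or Fortinet tooling).
It parses the text format written by `execute backup config` and shown by
`show`: nested `config <table>` / `edit <entry>` / `set <field> <values>` /
`next` / `end` blocks. The sample below is constructed for the demo.
"""
import shlex

# Constructed sample of a `system interface` block as found in a backup.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http
        set type hard-switch
        set role lan
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "wan2"
        set vdom "root"
        set ip 198.51.100.2 255.255.255.0
        set allowaccess ping
        set type physical
        set role wan
    next
end
"""

# Services that expose the admin plane; an assumption of this example.
ADMIN_SERVICES = {"http", "https", "ssh", "telnet", "snmp"}


def parse_fortios(text):
    """Parse FortiOS config text into nested dicts.

    `config <path>` opens a table, `edit <name>` opens an entry in it,
    `set <field> <values...>` stores the values as a list, `unset` removes
    a field, and `next` / `end` close the current entry / table.
    Result shape: {"system interface": {"wan1": {"ip": [...], ...}}}
    """
    root = {}
    stack = [root]  # container being filled at each nesting level
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and #config-version
            continue
        tokens = shlex.split(line)  # honours the double quotes FortiOS emits
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd == "unset":
            stack[-1].pop(args[0], None)
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def exposed_management(config):
    """Return [(interface, [services])] for WAN-role interfaces whose
    allowaccess list contains an administrative service."""
    findings = []
    for name, iface in config.get("system interface", {}).items():
        role = iface.get("role", ["undefined"])[0]  # FortiOS default role
        exposed = set(iface.get("allowaccess", [])) & ADMIN_SERVICES
        if role == "wan" and exposed:
            findings.append((name, sorted(exposed)))
    return findings


def audit(text=SAMPLE_CONFIG):
    """Parse `text` and return the exposure findings."""
    return exposed_management(parse_fortios(text))


if __name__ == "__main__":
    for name, services in audit():
        print(f"{name}: admin access exposed on a WAN interface: {' '.join(services)}")
```

Run it against a real backup with `audit(open("backup.conf").read())`; the parser keeps nested blocks (such as the ipv6 sub-table) so the same dict tree can be used for other checks, e.g. policies with `set action accept` and `set srcaddr "all"` on a WAN interface.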
{| class="wikitable"
|-
! colspan="2" | High availability
|-
! Command
! Description
|-
| get sys ha status<br>diag sys ha status || Show the HA configuration and cluster state (mode, members, primary/secondary, sync status)
|-
| diag deb console timestamp enable<br>diag deb app hatalk -1<br>diag deb app hasync -1<br>diag deb enable || Troubleshoot HA synchronization (hatalk: heartbeat and primary election; hasync: configuration sync; -1 enables all debug levels). Turn it off afterwards with diag deb disable
|-
| diag sys ha showcsum || Show the configuration checksums (older releases; diag sys ha checksum show on newer ones). Run it on both members and compare: a mismatch means the configuration is out of sync
|-
| exec ha synchronize all || Force a full configuration sync from the primary (exec ha synchronize start on newer releases)
|-
| diag sys ha reset-uptime || Reset the HA uptime of this unit so that another member wins the primary election (forces a failover when override is disabled)
|-
| diag sniffer packet haint 'ether[12:2]=0x8890' 6 || Sniff the HA heartbeat frames (EtherType 0x8890) on a heartbeat interface (here haint)
|-
| exec ha manage <id> <admin> || Open a CLI session on a secondary member over the heartbeat link (id from get sys ha status; newer releases also require the admin user name)
|-
|}
{| class="wikitable"
|-
! colspan="2" | Debug
|-
! Command
! Description
|-
| diag debug flow filter saddr x.x.x.x<br>diag debug flow filter daddr y.y.y.y<br>diag debug flow filter dport z<br>diag debug flow show console enable<br>diag debug flow show function-name enable<br>diag debug enable<br>diag debug flow trace start 100 || Debug flow: trace how the next 100 matching packets are handled (policy lookup, NAT, routing, drop reason). Always set a filter first on a busy unit; stop with diag debug flow trace stop and diag debug disable when done
|-
| diag sniffer packet <interface> '<filter>' <verbose> <count> <a> || Packet capture<br><interface>: a physical or virtual interface name, or any<br><filter>: BPF-style filter in quotes, e.g. 'host 10.0.0.1 and port 443' (none for no filter)<br><verbose>, one of six levels:<br>1: print packet headers<br>2: headers and IP data<br>3: headers and Ethernet data (convertible to pcap)<br>4: headers with interface name<br>5: headers and IP data with interface name<br>6: headers and Ethernet data with interface name<br><count>: number of packets to capture (0 or omitted: until Ctrl-C)<br><a>: absolute UTC timestamps (l for local time)
|-
| diag sys session filter dst x.x.x.x<br>diag sys session filter src y.y.y.y<br>diag sys session filter proto Z<br>diag sys session list || Show the session table entries matching the filter
|-
| diag sys session filter src x.x.x.x<br>diag sys session filter proto Z<br>diag sys session filter dport y<br>diag sys session clear || Clear the matching sessions. Without a filter, clear drops every session on the unit, including your own admin session; check the active filter with diag sys session filter (no arguments) before clearing
|-
| diag debug crashlog read || Show the crash log (process crashes, kernel events, conserve mode)
|-
| diag debug report || Collect a full diagnostic report (like show tech-support on Cisco)
|-
|}
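Verbose levels 3 and 6 include the whole frame as a hex dump, which is what makes a sniffer capture convertible to a pcap for Wireshark (Fortinet publishes a Perl script, fgt2eth.pl, for that job). The Python script below is an added example, not code from the original page or from Fortinet. It assumes the layout of that output: one summary line per packet starting with the timestamp (relative seconds, or an absolute date and time when the a flag is used, taken here as UTC), followed by hex-dump lines whose offset starts with 0x and whose ASCII column is separated from the hex words by a tab. The embedded capture is constructed for the demonstration.

```python
"""Convert `diag sniffer packet ... 3` / `... 6` output into a pcap file.

Added example; not code from the original page or from Fortinet (which
ships fgt2eth.pl for this). Assumed layout: one summary line per packet
starting with the timestamp (relative seconds, or 'YYYY-MM-DD HH:MM:SS.uuuuuu'
with the `a` flag, taken as UTC), then hex-dump lines of the form
'0x<offset>  <hex words><TAB><ascii>'. The capture below is constructed
for the demo (a TCP SYN to port 22 and its SYN-ACK).
"""
import re
import struct
from datetime import datetime, timezone

# Constructed verbose-6 capture with absolute timestamps (the `a` flag).
SAMPLE_CAPTURE = (
    "interfaces=[port1]\n"
    "filters=[tcp port 22]\n"
    "2022-03-20 08:25:01.518253 port1 in 192.168.1.1.52050 -> 192.168.1.99.22: syn 1\n"
    "0x0000\t 0009 0f09 0002 0009 0f09 0001 0800 4500\t..............E.\n"
    "0x0010\t 002c 1234 4000 4006 0000 c0a8 0101 c0a8\t.,.4@.@.........\n"
    "0x0020\t 0163 cb52 0016 0000 0001 0000 0000 6002\t.c.R..........`.\n"
    "0x0030\t 2000 0000 0000 0204 05b4               \t .........\n"
    "2022-03-20 08:25:01.518401 port1 out 192.168.1.99.22 -> 192.168.1.1.52050: syn 0 ack 2\n"
    "0x0000\t 0009 0f09 0001 0009 0f09 0002 0800 4500\t..............E.\n"
    "0x0010\t 0028 0000 4000 4006 0000 c0a8 0163 c0a8\t.(..@.@......c..\n"
    "0x0020\t 0101 0016 cb52 0000 0000 0000 0002 5012\t.....R........P.\n"
    "0x0030\t 2000 0000 0000                         \t ......\n"
    "\n"
    "2 packets received by filter\n"
    "0 packets dropped by kernel\n"
)

# Summary line: timestamp, optional "<iface> in|out" (verbose 4-6), free text.
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+|\d+\.\d+)\s+"
    r"(?:(?P<iface>\S+)\s+(?P<dir>in|out)\s+)?(?P<summary>.*)$"
)
# Hex-dump line: offset, then the hex words; the ASCII column follows a tab.
HEX_LINE = re.compile(r"^0x[0-9a-fA-F]+\s+(.*)$")
HEX_WORD = re.compile(r"^[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?$")

# pcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen 65535, LINKTYPE_ETHERNET
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def parse_sniffer(text):
    """Return a list of {ts, iface, dir, summary, data} dicts, one per packet."""
    packets, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = dict(m.groupdict(), data=bytearray())
            packets.append(current)
            continue
        m = HEX_LINE.match(line)
        if m and current is not None:
            words = m.group(1).split("\t")[0].split()[:8]  # at most 16 bytes per line
            for word in words:
                if not HEX_WORD.match(word):  # stop if the ASCII column leaked in
                    break
                current["data"] += bytes.fromhex(word)
    return packets


def to_sec_usec(ts):
    """Split a sniffer timestamp into (seconds, microseconds)."""
    if "-" in ts:  # absolute timestamp from the `a` flag, assumed UTC
        dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
        return int(dt.timestamp()), dt.microsecond
    sec, _, frac = ts.partition(".")  # relative seconds since capture start
    return int(sec), int(frac.ljust(6, "0")[:6])


def to_pcap(text):
    """Return the bytes of a pcap file holding every frame found in `text`."""
    out = bytearray(PCAP_GLOBAL)
    for pkt in parse_sniffer(text):
        sec, usec = to_sec_usec(pkt["ts"])
        frame = bytes(pkt["data"])
        # per-packet header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame))
        out += frame
    return bytes(out)


if __name__ == "__main__":
    with open("fgt_capture.pcap", "wb") as fh:
        fh.write(to_pcap(SAMPLE_CAPTURE))
    print("wrote fgt_capture.pcap; open it with Wireshark or tcpdump -r")
```

Paste the terminal output of a level 3 or 6 capture into a file and call `to_pcap(open(path).read())`. Relative timestamps end up as seconds since 1970 in the pcap, which Wireshark displays happily; use the a flag on the FortiGate when you need to correlate with other logs.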
{| class="wikitable"
|-
! colspan="2" | VPN
|-
! Command
! Description
|-
| diag vpn ike gateway list || Show the IKE phase 1 security associations
|-
| diag vpn tunnel list || Show the IPsec phase 2 security associations (SPIs, selectors, traffic counters)
|-
| diag vpn ike gateway flush name <phase1> || Tear down the phase 1 of one gateway (its phase 2 SAs go with it)
|-
| diag vpn tunnel up <phase2> || Bring up a phase 2 tunnel
|-
| diag debug app ike -1<br>diag debug enable || Troubleshoot IKE negotiation (-1 enables all debug levels; on a busy unit limit the output to one peer with diag vpn ike log-filter first, and turn debugging off afterwards with diag debug disable)
|-
|}
== CLI Commands ==
=== HA ===
==== Show HA Status ====
<pre>get system ha status</pre>
==== Show HA Checksum ====
Depending on the FortiOS version it is one of the following:
<pre>diagnose sys ha showcsum
diagnose sys ha checksum show</pre>
Compare the checksums on both members; a mismatch means the configuration is out of sync.
==== Start HA Sync ====
<pre>exec ha synchronize start</pre>
==== Force failover ====
Resets the HA uptime of the unit it is run on, so that the other member is elected primary. This works when override is disabled, because uptime is then compared before priority.
<pre>diagnose sys ha reset-uptime</pre>
=== Factory reset ===
This wipes the unit and restores it to factory defaults; make sure you have a backup before continuing.
<pre>execute factoryreset</pre>
=== Syslog ===
==== Configure Syslog ====
<pre>
config log syslogd setting
    set status enable
    set reliable enable
    set facility local0
    set source-ip <ip>
    set server <ip>
    set port 514
end
</pre>
set reliable enable sends the logs over TCP instead of UDP (FortiOS 6.0 and later use set mode reliable instead), so the collector must listen on TCP port 514. Pin source-ip to a management address so that the logs always originate from the same host.
[[Category:Fortinet]]
[[Category:Fortigate]]
[[Category:Firewall]]
Latest revision as of 08:25, 20 March 2022