Fortinet/CLI: Unterschied zwischen den Versionen
Aus SchnallIchNet
Cbs (Diskussion | Beiträge) (Die Seite wurde neu angelegt: „ == CLI == === Policy === <pre> config firewall policy edit 81 set srcintf "port1" set dstintf "wan1" set srcaddr "Netz1" "Netz…“) |
Cbs (Diskussion | Beiträge) |
||
| (6 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
| Zeile 1: | Zeile 1: | ||
| + | __FORCETOC__ | ||
== CLI == | == CLI == | ||
| + | |||
| + | |||
| + | === Address Objects === | ||
| + | |||
| + | show firewall address | grep -i PATTERN | ||
| + | edit "Hostobject" | ||
| + | set comment "bla" | ||
| + | set associated-interface "wan2" | ||
| + | set subnet 1.2.3.4 255.255.255.255 | ||
| + | next | ||
| + | |||
| + | <pre> | ||
| + | show firewall addrgrp "GRP Name" | ||
| + | config firewall addrgrp | ||
| + | edit "GRP Name" | ||
| + | set member "Hostobject 1" "Hostobject 2" "Hostobject X" ... | ||
| + | next | ||
| + | end | ||
| + | </pre> | ||
| Zeile 43: | Zeile 63: | ||
end | end | ||
</pre> | </pre> | ||
| + | |||
| + | |||
| + | === Show IPSec VPN config === | ||
| + | |||
| + | Phase1: | ||
| + | |||
| + | show vpn ipsec phase1-interface | ||
| + | |||
| + | Phase2: | ||
| + | |||
| + | show vpn ipsec phase2-interface | ||
| + | |||
| + | |||
| + | |||
| + | === Packet Capture === | ||
| + | |||
| + | |||
| + | ==== tcpdump ==== | ||
| + | |||
| + | diag sniffer packet "<interface-name|any>" "host <IP> and port 3389" 4 | ||
| + | |||
| + | 4 = verbose level (1-6) | ||
| + | |||
| + | [http://docs-legacy.fortinet.com/frec/admin_hlp/1-1-0/index.html#page/FortiRecorder_Help/packet_capture.html Fortinet-Docu] | ||
| + | |||
| + | |||
| + | ==== Firewall Session debugging ==== | ||
| + | |||
| + | diag debug enable | ||
| + | diag debug flow filter add <PC1> or diag debug flow filter add <PC2> | ||
| + | diag debug flow show console enable | ||
| + | diag debug flow trace start 100 <== this will display 100 packets for this flow | ||
| + | |||
| + | debugging beenden: | ||
| + | |||
| + | diag debug flow trace stop | ||
| + | |||
| + | |||
| + | One further step is to look at the firewall session. For this, some filters may be used to reduce the output; see the following example: | ||
| + | |||
| + | diag sys session filter src PC1 | ||
| + | diag sys session list | ||
| + | |||
| + | or | ||
| + | |||
| + | diag sys session filter dst PC1 | ||
| + | diag sys session list | ||
| + | |||
| + | |||
| + | To clear all sessions corresponding to a filter: | ||
| + | |||
| + | diag sys session filter dst PC1 | ||
| + | diag sys session clear | ||
| + | |||
| + | [http://kb.fortinet.com/kb/viewContent.do?externalId=FD30038 Fortinet-Docu] | ||
Version vom 12. Juni 2017, 12:18 Uhr
Inhaltsverzeichnis
CLI
Address Objects
show firewall address | grep -i PATTERN
edit "Hostobject"
set comment "bla"
set associated-interface "wan2"
set subnet 1.2.3.4 255.255.255.255
next
show firewall addrgrp "GRP Name"
config firewall addrgrp
edit "GRP Name"
set member "Hostobject 1" "Hostobject 2" "Hostobject X" ...
next
end
Policy
config firewall policy
edit 81
set srcintf "port1"
set dstintf "wan1"
set srcaddr "Netz1" "Netz 2" "Netz ..."
set dstaddr "Netz - DST"
set action ipsec
set schedule "always"
set service "ALL"
set logtraffic all
set natip 10.x.y.0 255.255.255.0
set comments "ACHTUNG NAT-Adresse via CLI hinzugefuegt"
set outbound enable
set natoutbound enable
set vpntunnel "PH1NAME"
next
end
config firewall policy
edit 238
set srcintf "port7"
set dstintf "wan1"
set srcaddr "NETZ SRC"
set dstaddr "Netz DST"
set action ipsec
set schedule "always"
set service "ALL"
set logtraffic all
set natip 10.x.y.0 255.255.255.0
set comments "Outbound NAT! set natip 10.x.y.0 255.255.255.0"
set inbound enable
set outbound enable
set natoutbound enable
set vpntunnel "PH1NAME"
next
end
Show IPSec VPN config
Phase1:
show vpn ipsec phase1-interface
Phase2:
show vpn ipsec phase2-interface
Packet Capture
tcpdump
diag sniffer packet "<interface-name|any>" "host <IP> and port 3389" 4
4 = verbose level (1-6)
Firewall Session debugging
diag debug enable diag debug flow filter add <PC1> or diag debug flow filter add <PC2> diag debug flow show console enable diag debug flow trace start 100 <== this will display 100 packets for this flow
debugging beenden:
diag debug flow trace stop
One further step is to look at the firewall session. For this, some filters may be used to reduce the output; see the following example:
diag sys session filter src PC1 diag sys session list
or
diag sys session filter dst PC1 diag sys session list
To clear all sessions corresponding to a filter:
diag sys session filter dst PC1 diag sys session clear
