Fortinet/CLI: Unterschied zwischen den Versionen
Aus SchnallIchNet
Cbs (Diskussion | Beiträge) |
Cbs (Diskussion | Beiträge) |
||
(Eine dazwischenliegende Version desselben Benutzers wird nicht angezeigt) | |||
Zeile 78: | Zeile 78: | ||
=== Packet Capture === | === Packet Capture === | ||
+ | |||
+ | |||
+ | ==== tcpdump ==== | ||
diag sniffer packet "<interface-name|any>" "host <IP> and port 3389" 4 | diag sniffer packet "<interface-name|any>" "host <IP> and port 3389" 4 | ||
Zeile 84: | Zeile 87: | ||
[http://docs-legacy.fortinet.com/frec/admin_hlp/1-1-0/index.html#page/FortiRecorder_Help/packet_capture.html Fortinet-Docu] | [http://docs-legacy.fortinet.com/frec/admin_hlp/1-1-0/index.html#page/FortiRecorder_Help/packet_capture.html Fortinet-Docu] | ||
+ | |||
+ | |||
+ | ==== Firewall Session debugging ==== | ||
+ | |||
+ | diag debug enable | ||
+ | diag debug flow filter add <PC1> or diag debug flow filter add <PC2> | ||
+ | diag debug flow show console enable | ||
+ | diag debug flow trace start 100 <== this will display 100 packets for this flow | ||
+ | |||
+ | debugging beenden: | ||
+ | |||
+ | diag debug flow trace stop | ||
+ | |||
+ | |||
+ | One further step is to look at the firewall session. For this, some filters may be used to reduce the output; see the following example: | ||
+ | |||
+ | diag sys session filter src PC1 | ||
+ | diag sys session list | ||
+ | |||
+ | or | ||
+ | |||
+ | diag sys session filter dst PC1 | ||
+ | diag sys session list | ||
+ | |||
+ | |||
+ | To clear all sessions corresponding to a filter: | ||
+ | |||
+ | diag sys session filter dst PC1 | ||
+ | diag sys session clear | ||
+ | |||
+ | [http://kb.fortinet.com/kb/viewContent.do?externalId=FD30038 Fortinet-Docu] |
Version vom 12. Juni 2017, 12:18 Uhr
Inhaltsverzeichnis
CLI
Address Objects
show firewall address | grep -i PATTERN edit "Hostobject" set comment "bla" set associated-interface "wan2" set subnet 1.2.3.4 255.255.255.255 next
show firewall addrgrp "GRP Name" config firewall addrgrp edit "GRP Name" set member "Hostobject 1" "Hostobject 2" "Hostobject X" ... next end
Policy
config firewall policy edit 81 set srcintf "port1" set dstintf "wan1" set srcaddr "Netz1" "Netz 2" "Netz ..." set dstaddr "Netz - DST" set action ipsec set schedule "always" set service "ALL" set logtraffic all set natip 10.x.y.0 255.255.255.0 set comments "ACHTUNG NAT-Adresse via CLI hinzugefuegt" set outbound enable set natoutbound enable set vpntunnel "PH1NAME" next end config firewall policy edit 238 set srcintf "port7" set dstintf "wan1" set srcaddr "NETZ SRC" set dstaddr "Netz DST" set action ipsec set schedule "always" set service "ALL" set logtraffic all set natip 10.x.y.0 255.255.255.0 set comments "Outbound NAT! set natip 10.x.y.0 255.255.255.0" set inbound enable set outbound enable set natoutbound enable set vpntunnel "PH1NAME" next end
Show IPSec VPN config
Phase1:
show vpn ipsec phase1-interface
Phase2:
show vpn ipsec phase2-interface
Packet Capture
tcpdump
diag sniffer packet "<interface-name|any>" "host <IP> and port 3389" 4
4 = verbose level (1-6)
Firewall Session debugging
diag debug enable diag debug flow filter add <PC1> or diag debug flow filter add <PC2> diag debug flow show console enable diag debug flow trace start 100 <== this will display 100 packets for this flow
debugging beenden:
diag debug flow trace stop
One further step is to look at the firewall session. For this, some filters may be used to reduce the output; see the following example:
diag sys session filter src PC1 diag sys session list
or
diag sys session filter dst PC1 diag sys session list
To clear all sessions corresponding to a filter:
diag sys session filter dst PC1 diag sys session clear