Fortinet/CLI: Difference between versions
From SchnallIchNet
Cbs (talk | contribs)
Current version as of 26 June 2017, 07:26

== CLI ==
=== Address Objects ===

<pre>
show firewall address | grep -i PATTERN
edit "Hostobject"
    set comment "bla"
    set associated-interface "wan2"
    set subnet 1.2.3.4 255.255.255.255
next
</pre>

<pre>
show firewall addrgrp "GRP Name"
config firewall addrgrp
    edit "GRP Name"
        set member "Hostobject 1" "Hostobject 2" "Hostobject X" ...
    next
end
</pre>
=== Policy ===

<pre>
config firewall policy
    edit 81
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "Netz1" "Netz 2" "Netz ..."
        set dstaddr "Netz - DST"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set natip 10.x.y.0 255.255.255.0
        set comments "ACHTUNG NAT-Adresse via CLI hinzugefuegt"
        set outbound enable
        set natoutbound enable
        set vpntunnel "PH1NAME"
    next
end
</pre>

<pre>
config firewall policy
    edit 238
        set srcintf "port7"
        set dstintf "wan1"
        set srcaddr "NETZ SRC"
        set dstaddr "Netz DST"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set natip 10.x.y.0 255.255.255.0
        set comments "Outbound NAT! set natip 10.x.y.0 255.255.255.0"
        set inbound enable
        set outbound enable
        set natoutbound enable
        set vpntunnel "PH1NAME"
    next
end
</pre>
=== policy routes ===

<pre>
show router policy
...
    edit 76
        set input-device "port7"
        set src "1.2.3.4/255.255.255.255"
        set dst "192.168.0.0/255.255.0.0"
        set output-device "port1"
    next
    edit 77
        set input-device "port7"
        set src "1.2.3.4/255.255.255.255"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 4.3.2.1
        set output-device "wan2"
    next
end
</pre>

To add new policy routes, pick an unused sequence number and use:

<pre>
config router policy
</pre>
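The two policy routes above, evaluated offline the way a FortiGate checks them, as an added example that is not part of this wiki page: the parser reads the `show router policy` text, and the lookup assumes (my assumptions about FortiOS) that entries are tested top-down, the first match wins, and the input device must match. Reversing the list makes the catch-all entry 77 shadow the /16 entry 76, which is why the more specific route needs the earlier position.

```python
import ipaddress
import re

# Constructed sample: the two policy routes from "show router policy" above.
SHOW_ROUTER_POLICY = """\
config router policy
    edit 76
        set input-device "port7"
        set src "1.2.3.4/255.255.255.255"
        set dst "192.168.0.0/255.255.0.0"
        set output-device "port1"
    next
    edit 77
        set input-device "port7"
        set src "1.2.3.4/255.255.255.255"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 4.3.2.1
        set output-device "wan2"
    next
end
"""
ANY = ipaddress.ip_network("0.0.0.0/0")  # unset src/dst matches everything

def parse_policy_routes(text):
    """Parse 'show router policy' output into an ordered list of rule dicts."""
    rules, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"edit (\d+)$", line)
        if m:
            cur = {"seq": int(m.group(1)), "src": ANY, "dst": ANY}
        elif cur is None:
            continue
        elif line == "next":
            rules.append(cur)
            cur = None
        elif (m := re.match(r'set (\S+) "?([^"]*)"?$', line)):
            key, val = m.groups()
            # FortiOS writes "net/mask"; ip_network accepts that form directly
            cur[key] = ipaddress.ip_network(val, strict=False) if key in ("src", "dst") else val
    return rules

def lookup(rules, in_dev, src, dst):
    """First matching policy route wins, checked top-down; None = no match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.get("input-device") == in_dev and s in r["src"] and d in r["dst"]:
            return r
    return None
```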
=== Show IPSec VPN config ===

Phase1:

<pre>
show vpn ipsec phase1-interface
</pre>

Phase2:

<pre>
show vpn ipsec phase2-interface
</pre>
=== Packet Capture ===

==== tcpdump ====

<pre>
diag sniffer packet "<interface-name|any>" "host <IP> and port 3389" 4
</pre>

4 = verbose level (1-6)

[http://docs-legacy.fortinet.com/frec/admin_hlp/1-1-0/index.html#page/FortiRecorder_Help/packet_capture.html Fortinet-Docu]
==== Firewall Session debugging ====

<pre>
diag debug enable
diag debug flow filter add <PC1>        <== or: diag debug flow filter add <PC2>
diag debug flow show console enable
diag debug flow trace start 100         <== this will display 100 packets for this flow
</pre>

To stop debugging:

<pre>
diag debug flow trace stop
</pre>

One further step is to look at the firewall session table. Filters can be used to reduce the output; see the following example:

<pre>
diag sys session filter src PC1
diag sys session list
</pre>

or

<pre>
diag sys session filter dst PC1
diag sys session list
</pre>

To clear all sessions matching a filter:

<pre>
diag sys session filter dst PC1
diag sys session clear
</pre>

Without a filter set, <code>diag sys session clear</code> drops every session on the unit, so check the filter first.

[http://kb.fortinet.com/kb/viewContent.do?externalId=FD30038 Fortinet-Docu]
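An added helper, not from this wiki page, that applies the same src/dst selection as <code>diag sys session filter</code> to a saved <code>diag sys session list</code> capture and summarizes what is left; the sample listing is constructed to mirror the real output shape (two sessions, unrelated lines omitted), and the field names are taken from that shape rather than from any Fortinet API.

```python
import re
from collections import Counter

# Constructed sample of "diag sys session list" output: two sessions, unrelated lines omitted.
SESSION_LIST = """\
session info: proto=6 proto_state=01 duration=42 expire=3558 timeout=3600 use=3
state=log may_dirty npu
hook=post dir=org act=snat 192.168.10.5:51234->1.2.3.4:3389(4.3.2.1:51234)
hook=pre dir=reply act=dnat 1.2.3.4:3389->4.3.2.1:51234(192.168.10.5:51234)
misc=0 policy_id=81 auth_info=0 chk_client_info=0 vd=0
session info: proto=17 proto_state=00 duration=3 expire=177 timeout=180 use=3
state=may_dirty
hook=pre dir=org act=noop 192.168.10.5:53011->10.20.30.40:53(0.0.0.0:0)
hook=post dir=reply act=noop 10.20.30.40:53->192.168.10.5:53011(0.0.0.0:0)
misc=0 policy_id=12 auth_info=0 chk_client_info=0 vd=0
total session 2
"""

# hook=<pre|post> dir=<org|reply> act=<noop|snat|dnat> src:port->dst:port(nat:port)
TUPLE_RE = re.compile(r"hook=(\w+) dir=(\w+) act=(\w+) (\S+):(\d+)->(\S+):(\d+)\((\S+):(\d+)\)")

def parse_sessions(text):
    """Split the listing into one dict per session with proto/state/tuple/policy."""
    sessions, cur = [], None
    for line in text.splitlines():
        if line.startswith("session info:"):
            cur = dict(re.findall(r"(\w+)=(\S+)", line))  # proto, proto_state, ...
            sessions.append(cur)
        elif cur is None:
            continue
        elif line.startswith("hook="):
            m = TUPLE_RE.match(line)
            if m and m.group(2) == "org":  # original direction = client's view
                cur.update(act=m.group(3), src=m.group(4), sport=int(m.group(5)),
                           dst=m.group(6), dport=int(m.group(7)), nat=m.group(8))
        elif line.startswith("misc="):
            cur["policy_id"] = int(re.search(r"policy_id=(\d+)", line).group(1))
    return sessions

def filter_sessions(sessions, src=None, dst=None):
    """Same selection as 'diag sys session filter src|dst', applied offline."""
    return [s for s in sessions
            if (src is None or s["src"] == src) and (dst is None or s["dst"] == dst)]

def summarize(sessions):
    """Count sessions per (proto, proto_state) to spot piles of sessions in one state."""
    return Counter((s["proto"], s["proto_state"]) for s in sessions)
```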