Quantcast
Channel: Network – Weberblog.net
Viewing all articles
Browse latest Browse all 253

CLI Commands for Troubleshooting FortiGate Firewalls

$
0
0
CLI Commands for FortiGate Firewalls

This blog post is a list of common troubleshooting commands I am using on the FortiGate CLI. It is not complete nor very detailled, but provides the basic commands for troubleshooting network related issues that are not resolvable via the GUI. I am not focused on too many memory, process, kernel, etc. details. These must only be used if there are really specific problems. I am more focused on the general troubleshooting stuff.

Coming from Cisco, everything is “show”. With Fortinet, you have the choice between “show | get | diagnose | execute“. Not that easy to remember. Likewise the “sys | system” keyword. It is always “diagnose sys” but “execute system”. 😉

Entering the correct vdom/gobal Config

Remember to enter the correct vdom or global configuration tree before configuring anything:

config global
config vdom
	edit <vdom-name>

To show the running configuration (such as “show run”), simply type in:

show

To show the entire running configuration with default values, use:

show full-configuration

 

General Information

The very basics:

get system interface physical	#overview of hardware interfaces
get hardware nic <nic-name>		#details of a single network interface, same as: diagnose hardware deviceinfo nic <nic-name>
get system status				#==show version
get system performance status	#CPU and network usage
diagnose sys top				#top with all forked processed
diagnose sys top-summary		#top easier, incl. CPU and mem bars. Forks are displayed by [x13] or whatever
execute dhcp lease-list
diagnose ip arp list
diagnose ipv6 address list
diagnose ipv6 neighbor-cache list
diagnose sys ntp status
diagnose autoupdate versions	#lists the attack definition versions, last update, etc.
diagnose log test				#generated all possibe log entries
diagnose test application dnsproxy 6	#shows the IP addresses of FQDN objects
diagnose debug crashlog read	#shows crashlog, a status of 0 indicates a normal close of a process!

 

General Network Troubleshooting

Which is basically ping and traceroute:

execute ping-options ?
execute ping-options source <ip-address-of-the-interface>
execute ping <hostname|ip>
execute ping6-options ?
execute ping6 <hostname|ip>
execute traceroute <hostname|ip>
execute tracert6 <hostname|ip>

 

Routing

get router info routing-table all	#routing table
get router info6 routing-table		#IPv6 without the "all" keyword
get router info kernel				#Forwarding Information Base
get router info6 kernel
get router <routing-protocol>		#basic information about the enabled routing protocol
diagnose firewall proute list		#policy-based routing
diagnose firewall proute6 list
diagnose ip rtcache list			#route cache = current sessions w/ routing information

 

High Availability

diagnose sys ha status
execute ha manage ?					#switch to the CLI of a secondary unit
execute ha manage <device-index>
diagnose sys ha showcsum			#verify the checksum of all synchronized peers

 

Session Table

Display the current active sessions:

get system session list				#rough view with NAT, only IPv4
diagnose sys session filter clear
diagnose sys session filter ?
diagnose sys session filter dst 8.8.8.8
diagnose sys session filter dport 53
diagnose sys session list

 

Sniffer

Sniff packets like tcpdump does. This can be used for investigating connection problems between two hosts. (There are no details of the firewall policy decisions. Use the debug flow (next paragraph) for anaysis about firewall policies, etc.)

diagnose sniffer packet <interface|any> '<tcpdump-filter>' <verbose> <count> <time-format>

with:

verbose:
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name
count: number of packets
time-format:
a: UTC time
l: local time

Examples:

diagnose sniffer packet any 'host 8.8.8.8' 4 4 l
diagnose sniffer packet any 'host 8.8.8.8 and dst port 53' 4 10 a
diagnose sniffer packet wan1 'dst port (80 or 443)' 2 50 l

 

Flow

If you want to see the FortiGate details about a connection, use this kind of debug. E.g., it shows the routing decision and the policy, which allowed the connection.

diagnose debug reset
diagnose debug flow filter ?
diagnose debug flow filter saddr 172.16.27.148
diagnose debug flow filter daddr 8.8.8.8
diagnose debug flow show console enable
diagnose debug enable
diagnose debug flow trace start 10	#display the next 10 packets, after that, disable the flow:
diagnose debug disable

Example:

fd-wv-fw04 # diagnose debug reset

fd-wv-fw04 # diagnose debug flow filter daddr 8.8.8.8

fd-wv-fw04 # diagnose debug flow show console enable
show trace messages on console

fd-wv-fw04 # diagnose debug enable

fd-wv-fw04 # diagnose debug flow trace start 20
id=20085 trace_id=11 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=17, 192.168.160.10:55859->8.8.8.8:53) from fg-trust. "
id=20085 trace_id=11 func=init_ip_session_common line=4569 msg="allocate a new session-0001f004"
id=20085 trace_id=11 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-172.16.1.1 via wan1"
id=20085 trace_id=11 func=fw_forward_handler line=671 msg="Allowed by Policy-16:"
id=20085 trace_id=11 func=__ip_session_run_tuple line=2601 msg="run helper-dns-udp(dir=original)"
id=20085 trace_id=12 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=17, 192.168.160.10:63624->8.8.8.8:53) from fg-trust. "
id=20085 trace_id=12 func=init_ip_session_common line=4569 msg="allocate a new session-0001f005"
id=20085 trace_id=12 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-172.16.1.1 via wan1"
id=20085 trace_id=12 func=fw_forward_handler line=671 msg="Allowed by Policy-16:"
id=20085 trace_id=12 func=__ip_session_run_tuple line=2601 msg="run helper-dns-udp(dir=original)"

fd-wv-fw04 # diagnose debug disable

 

VPN

To show details about IKE/IPsec connections, use these commands:

get vpn ike gateway <name>
get vpn ipsec tunnel name <name>
get vpn ipsec tunnel details
diagnose vpn tunnel list
get router info routing-table all

And to debug IKE/IPsec sessions, use the VPN debug:

diagnose debug reset
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter ?
diagnose vpn ike log-filter dst-addr4 1.2.3.4
diagnose debug app ike 255		#shows phase 1 and phase 2 output
diagnose debug enable			#after enough output, disable the debug:
diagnose debug disable

 

Log

For investigating the log entries (similar to the GUI), use the following filters, etc.:

execute log filter reset
execute log filter category event
execute log filter field			#press enter for options
execute log filter field dstport 8001
execute log filter view-lines 1000
execute log filter start-line 1
execute log display

 

Links


Viewing all articles
Browse latest Browse all 253

Trending Articles