Fortigate
From Federal Burro of Information
Jump to navigationJump to search
some quick ref command i ncluding debugging packet flow. http://docs-legacy.fortinet.com/cb/html/index.html#page/FOS_Cookbook/Install_advanced/cb_appendix_diags.html
HE ipv6 tunnel with foritgate https://www.sixxs.net/wiki/Fortigate
http://docs.fortinet.com/uploaded/files/1587/fortigate-ipv6.pdf
Supplementary Recipes http://docs-legacy.fortinet.com/supplement.html
Fortigate ipv6 http://docs.fortinet.com/uploaded/files/1587/fortigate-ipv6.pdf
Loading FortiGate firmware image using TFTP
Troubleshooting / Diag
what process?
diag sys top
other stuff
get sys stat get sys perf stat diag hardware sysinfo shm diag hardware sysinfo mem diag hardware sysinfo slab diag debug crashlog read diag sys top-summary (leave running for ~20-30 seconds, then press 'q' to stop the output)
Is IPS your problem?
what nic?
diag hardware deviceinfo nic <name>
or
get hardware nic port <name>
get logs at console
Deluxe # execute log filter category Available categories: 0: traffic 1: event 2: utm-virus 3: utm-webfilter 4: utm-ips 5: utm-emailfilter 7: anomaly 8: voip 9: utm-dlp 10: utm-app-ctrl 11: netscan Deluxe # execute log filter category 2 Deluxe # execute log filter view-lines 100
# diag test application ipsmonitor IPS Engine Test Usage: (Values for > 1: Display IPS engine information 2: Toggle IPS engine enable/disable status 3: Display restart log 4: Clear restart log 5: Toggle bypass status 6: Submit attack characteristics now 97: Start all IPS engines 98: Stop all IPS engines 99: Restart all IPS engines and monitor
clear a session
http://alstechcorner.blogspot.ca/2013/05/howto-clear-session-on-fortigate.html
packet capute via web interface
do it here:
https://[firewall mgmt IP]/p/firewall/sniffer/
packet capture , command line
diagnose sniffer packet any "host 10.67.2.82 or host 10.67.0.164" 4
diagnose sniffer packet any "host 192.168.1.98 and not tcp port 22" 4
working with netscan
netscan Use this command to start and stop the network vulnerability scanner and perform related functions. Syntax execute netscan import execute netscan list execute netscan start scan execute netscan status execute netscan stop Variable Description import Import hosts discovered on the last asset discovery scan. list List the hosts discovered on the last asset discover scan. start scan Start configured vulnerability scan. status Display the status of the current network vulnerability scan. stop Stop the current network vulnerability scan.
Syslog setup
logging
(v5.0,build0271 (GA Patch 6))
# config log syslogd setting<enter>
# show
config log syslogd setting
set status enable
set server "192.169.1.135"
set source-ip 192.168.1.99
end
# set server "192.169.1.98"
# end
turn off paging
config system console set output more end
Expect Script to grab a config
./get_foritgate_config.expect
#!/usr/bin/expect set timeout 60 set device [lindex $argv 0] set user [lindex $argv 1] set password [lindex $argv 2] spawn ssh "$user@$device" expect "*password: " send "$password\n" expect "* #" send "show full-configuration\n" expect "$device #" send "exit\n"
use it like this:
./get_foritgate_config.expect mit-hwfw-01 admin XXX > my.cfg
Note: the host's hostname must match the name you used to connect to it.
examining vpn
diag debug reset diag debug disable diag debug application ike -1
examine flow
diagnose debug disable diagnose debug flow trace stop diagnose debug flow filter clear diagnose debug reset
diagnose debug flow filter addr x.x.x.x diagnose debug flow show console enable diagnose debug flow show function-name enable diagnose debug console timestamp enable diagnose debug flow trace start 999 diagnose debug enable
for ipv6:
diag debug flow filter6 addr XXXXX
Internal interface for ipv6
config system interface
# your internal interface name may be different
edit "internal"
...
config ipv6
set ip6-allowaccess ping https ssh snmp
set ip6-address "first IPv6/mask in the routed/64 prefix from HE portal (e.g. 2001:470:890a:bcd::1/64)"
set ip6-send-adv enable
set ip6-manage-flag enable
set ip6-other-flag enable
config ip6-prefix-list
edit "routed/64 IPv6 prefix from HE portal e.g. 2001:470:890a:bcd::/64"
set autonomous-flag disable
set onlink-flag enable
next
end
end
next
end
from: http://firewall-tutorial.blogspot.ca/2014/02/configure-ipv6-sit-tunnel-in-fortigate.html
examine icmp for ipv6
diag sniffer packet HE "icmp6" 4
working with local storage
tuxedo # diagnose hardware deviceinfo disk Device S0 7.5 GB ref: 0 FORTINET FGT60C (Unknown) [FLASH] partition 1 39.1 MB ref: n/a label: [ dev: /dev/sda1 major: 8 minor: 1 free: 11MB mounted: Y ] partition 2 39.1 MB ref: n/a label: [ dev: /dev/sda2 major: 8 minor: 2 free: 11MB mounted: N ] partition 3 39.1 MB ref: n/a label: [ dev: /dev/sda3 major: 8 minor: 3 free: 10MB mounted: Y ] partition 4 7.2 GB ref: 4 label: 34847B710E010EB9 [ dev: /dev/sda4 major: 8 minor: 4 free: 5414MB mounted: Y ] Total available disks: 1 tuxedo #
---
tuxedo # config log memory setting tuxedo (setting) # get diskfull : overwrite status : enable tuxedo (setting) # end tuxedo # config log disk setting tuxedo (setting) # get status : disable max-policy-packet-capture-size: 10 log-quota : 0 dlp-archive-quota : 0 maximum-log-age : 0 full-first-warning-threshold: 75 full-second-warning-threshold: 90 full-final-warning-threshold: 95 tuxedo (setting) # end tuxedo # config log fortiguard setting tuxedo (setting) # get status : disable source-ip : 0.0.0.0 tuxedo (setting) # end tuxedo #
IPV6 setup
http://cookbook.fortinet.com/creating-an-ipv6-interface-using-slaac/
config system interface
edit port1
config ipv6
set ip6-address 2001:db8::1/32
set ip6-send-adv enable
config ip6-prefix-list
edit 2001:db8::/32
set autonomous-flag enable
set onlink-flag enable
end
end
end
Monitoring
PING
Suppose that you want to ping an interface.
1. go to netowrk -> interfaces -> the interface , for example wan1 "Administrative Access" check PING.
2. go to "admin" -> "Adminitrators", and add you allowed source ip for ping to the admin user's allowed hosts.
SNMP
MIBS:
/usr/share/snmp/mibs/FORTINET-CORE-MIB.mib /usr/share/snmp/mibs/FORTINET-FORTIGATE-MIB.mib
Examples:
snmpwalk -v 2c -c mystring 192.168.1.99 .1.3.6.1.4.1.12356
oid of note:
FORTINET-CORE-MIB::fortinet.101.4.1.1.0 ( .1.3.6.1.4.1.12356.101.4.1.5.0 ) http://www.oidview.com/mibs/12356/FORTINET-FORTIGATE-MIB.html
mrtg
cfgmaker --ifref=name \ --snmp-options ":::::2" \ --zero-speed=100000000 \ --no-down \ --show-op-down \ --output /var/www/mrtg/tuxedo/tuxedo.cfg XXX@192.168.1.99
snmpwalk -m +FORTINET-CORE-MIB:FORTINET-FORTIGATE-MIB -v 2c -c XXX 192.168.1.99 FORTINET-CORE-MIB::fortinet > /tmp/tuxedo FORTINET-FORTIGATE-MIB::fgSysCpuUsage.0 = Gauge32: 23 FORTINET-FORTIGATE-MIB::fgSysMemUsage.0 = Gauge32: 42 FORTINET-FORTIGATE-MIB::fgSysDiskUsage.0 = Gauge32: 1848 FORTINET-FORTIGATE-MIB::fgSysDiskCapacity.0 = Gauge32: 7262 FORTINET-FORTIGATE-MIB::fgSysSesCount.0 = Gauge32: 73 FORTINET-FORTIGATE-MIB::fgSysSes6Count.0 = Gauge32: 0 FORTINET-FORTIGATE-MIB::fgSysLowMemUsage.0 = Gauge32: 46 FORTINET-FORTIGATE-MIB::fgProcessorUsage.1 = Gauge32: 19 % FORTINET-FORTIGATE-MIB::fgProcessorUsage5sec.1 = Gauge32: 18 % FORTINET-FORTIGATE-MIB::fgProcessorPktDroppedCount.1 = Counter64: 0 FORTINET-FORTIGATE-MIB::fgProcessorUserUsage.1 = Gauge32: 1 % FORTINET-FORTIGATE-MIB::fgProcessorSysUsage.1 = Gauge32: 17 % FORTINET-FORTIGATE-MIB::fgWcStaSignal.1.10.164.209.210.62.95.178 = INTEGER: -49 FORTINET-FORTIGATE-MIB::fgWcStaSignal.1.10.252.194.222.195.104.101 = INTEGER: -52 FORTINET-FORTIGATE-MIB::fgWcStaNoise.1.10.164.209.210.62.95.178 = INTEGER: -95 FORTINET-FORTIGATE-MIB::fgWcStaNoise.1.10.252.194.222.195.104.101 = INTEGER: -95
Working with the API
http://docs.fortinet.com/uploaded/files/1276/FortiAuthenticator_REST_API_Solution_Guide.pdf
sample code:( untested ):
https://www.reddit.com/r/fortinet/comments/3ndnli/age_old_question_of_api_documentation/
import requests
fortigate_host = '192.168.1.99'
fortigate_user = 'admin'
fortigate_pass = 'password'
login_url = 'https://%s/logincheck' % fortigate_host
login_payload = {'username': fortigate_user, 'secretkey': fortigate_pass}
r = requests.post(login_url, data=login_payload, verify=False)
cookiejar = r.cookies
print r.headers
print r.text
r = requests.get('https://%s/api/v2/cmdb/system/interface/' % fortigate_host,
cookies=cookiejar, verify=False)
print r.content
My devices
Tuxedo
I have a 60C, Tuxedo.quadratic.net
#config-version=FWF60C-5.00-FW-build271-140409:opmode=0:vdom=0:user=admin #conf_file_ver=17066477072978363314 #buildno=3608
and I have a 60D deluxe.quadratic.net
#config-version=FWF60D-5.02-FW-build688-150722:opmode=0:vdom=0:user=admin #conf_file_ver=18133040463207349270 #buildno=0688
is a Fortigate
- interface monitoring: https://www.quadratic.net/mrtg/tuxedo/
- some system stats: https://www.quadratic.net/mrtg/tuxedo/index_system.html
Deluxe
here is deluxe 60D):
Deluxe # diagnose hardware deviceinfo disk Disk Internal-0(boot) ref: 3.8GB type: USB [FORTINET S01_V140320_004] dev: /dev/sda partition ref: 251.0MB, 223.0MB free mounted: N label: dev: /dev/sda1(boot) partition ref: 247.0MB, 215.0MB free mounted: Y label: dev: /dev/sda2(boot) partition ref: 3.2GB, 3.1GB free mounted: Y label: dev: /dev/sda3 Disk Internal ref: 16 7.5GB type: USB [FORTINET S01_V140320_008] dev: /dev/sdb partition ref: 17 7.4GB, 7.4GB free mounted: N label: 3CD780673389B3D2 dev: /dev/sdb1 Total available disks: 2 Max SSD disks: 0 Available storage disks: 1 Deluxe #
interfaces:
Deluxe # show system interface<space><questionmark> name name HE static 0.0.0.0 0.0.0.0 up disable tunnel dmz static 10.10.10.1 255.255.255.0 up disable physical internal static 0.0.0.0 0.0.0.0 up disable hard-switch lan static 192.168.1.28 255.255.255.0 up disable switch modem pppoe 0.0.0.0 0.0.0.0 down disable physical ssl.root static 0.0.0.0 0.0.0.0 up disable tunnel tocdahub static 0.0.0.0 0.0.0.0 down disable tunnel wan1 pppoe 69.165.169.40 255.255.255.255 up disable physical wan2 dhcp 0.0.0.0 0.0.0.0 up disable physical wifi static 10.23.45.2 255.255.255.0 up disable vap-switch
config system interface edit "HE" set status up endmdns setup
https://kb.fortinet.com/kb/documentLink.do?externalID=FD45560 224.0.0.251
