Fortigate: Difference between revisions

From Federal Burro of Information
Jump to navigationJump to search
Line 206: Line 206:
  diag debug flow filter6  addr XXXXX
  diag debug flow filter6  addr XXXXX


=== Internal interface for ipv6 :
=== Internal interface for ipv6 ===


<pre>
<pre>
Line 231: Line 231:


from: http://firewall-tutorial.blogspot.ca/2014/02/configure-ipv6-sit-tunnel-in-fortigate.html
from: http://firewall-tutorial.blogspot.ca/2014/02/configure-ipv6-sit-tunnel-in-fortigate.html
examine icmp for ipv6
diag sniffer packet HE "icmp6" 4


== working with local storage ==
== working with local storage ==

Revision as of 02:27, 16 April 2018

some quick ref command i ncluding debugging packet flow. http://docs-legacy.fortinet.com/cb/html/index.html#page/FOS_Cookbook/Install_advanced/cb_appendix_diags.html

HE ipv6 tunnel with foritgate https://www.sixxs.net/wiki/Fortigate

http://docs.fortinet.com/uploaded/files/1587/fortigate-ipv6.pdf

Supplementary Recipes http://docs-legacy.fortinet.com/supplement.html

Fortigate ipv6 http://docs.fortinet.com/uploaded/files/1587/fortigate-ipv6.pdf

cacti + snmp + fortigate

Loading FortiGate firmware image using TFTP

Troubleshooting / Diag

what process?

diag sys top

other stuff

get sys stat
get sys perf stat
diag hardware sysinfo shm
diag hardware sysinfo mem
diag hardware sysinfo slab
diag debug crashlog read
diag sys top-summary (leave running for ~20-30 seconds, then press 'q' to stop the output)


Is IPS your problem?


what nic?

diag  hardware deviceinfo nic <name>

or

get hardware nic port  <name>

get logs at console

Deluxe #  execute log filter category
Available categories:
 0: traffic
 1: event
 2: utm-virus
 3: utm-webfilter
 4: utm-ips
 5: utm-emailfilter
 7: anomaly
 8: voip
 9: utm-dlp
10: utm-app-ctrl
11: netscan

Deluxe # execute log filter category 2

Deluxe # execute log filter view-lines 100


# diag test application ipsmonitor 
 
IPS Engine Test Usage: (Values for >
1: Display IPS engine information
2: Toggle IPS engine enable/disable status
3: Display restart log
4: Clear restart log
5: Toggle bypass status
6: Submit attack characteristics now
97: Start all IPS engines
98: Stop all IPS engines
99: Restart all IPS engines and monitor

clear a session

http://alstechcorner.blogspot.ca/2013/05/howto-clear-session-on-fortigate.html

packet capute via web interface

do it here:

https://[firewall mgmt IP]/p/firewall/sniffer/

packet capture , command line

diagnose sniffer packet any "host 10.67.2.82 or host 10.67.0.164" 4
diagnose sniffer packet any "host 192.168.1.98 and not tcp port 22" 4

working with netscan

 
netscan
Use this command to start and stop the network vulnerability scanner and perform related functions.
Syntax
execute netscan import
execute netscan list
execute netscan start scan
execute netscan status
execute netscan stop
 
Variable
Description
import
Import hosts discovered on the last asset discovery scan.
list
List the hosts discovered on the last asset discover scan.
start scan
Start configured vulnerability scan.
status
Display the status of the current network vulnerability scan.
stop
Stop the current network vulnerability scan.


Syslog setup

logging

(v5.0,build0271 (GA Patch 6))

# config log syslogd setting<enter>
# show
config log syslogd setting
    set status enable
    set server "192.169.1.135"
    set source-ip 192.168.1.99
end
# set server  "192.169.1.98"
# end


turn off paging

config system console
set output more
end


Expect Script to grab a config

./get_foritgate_config.expect

#!/usr/bin/expect

set timeout 60

set device   [lindex $argv 0]
set user     [lindex $argv 1]
set password [lindex $argv 2]

spawn ssh "$user@$device"
expect "*password: "
send "$password\n"
expect "* #"
send "show full-configuration\n"
expect "$device #"
send "exit\n"

use it like this:

./get_foritgate_config.expect mit-hwfw-01 admin XXX > my.cfg

Note: the host's hostname must match the name you used to connect to it.

examining vpn

diag debug reset
diag debug disable
diag debug application ike -1

examine flow

diagnose debug disable 
diagnose debug flow trace stop 
diagnose debug flow filter clear 
diagnose debug reset


diagnose debug flow filter addr x.x.x.x
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 999
diagnose debug enable

for ipv6:

diag debug flow filter6  addr XXXXX

Internal interface for ipv6

config system interface   
  # your internal interface name may be different   
  edit "internal"   
   ...   
   config ipv6    
   set ip6-allowaccess ping https ssh snmp    
   set ip6-address "first IPv6/mask in the routed/64 prefix from HE portal (e.g. 2001:470:890a:bcd::1/64)"   
   set ip6-send-adv enable    
   set ip6-manage-flag enable    
   set ip6-other-flag enable    
    config ip6-prefix-list    
    edit "routed/64 IPv6 prefix from HE portal e.g. 2001:470:890a:bcd::/64"    
     set autonomous-flag disable  
     set onlink-flag enable    
    next    
    end    
   end    
  next    
 end 

from: http://firewall-tutorial.blogspot.ca/2014/02/configure-ipv6-sit-tunnel-in-fortigate.html

examine icmp for ipv6

diag sniffer packet HE "icmp6" 4

working with local storage

tuxedo # diagnose hardware deviceinfo disk

Device S0           7.5 GB      ref: 0          FORTINET FGT60C (Unknown) [FLASH]
  partition 1      39.1 MB      ref: n/a        label:
  [ dev: /dev/sda1  major: 8  minor: 1  free: 11MB  mounted: Y ]
  partition 2      39.1 MB      ref: n/a        label:
  [ dev: /dev/sda2  major: 8  minor: 2  free: 11MB  mounted: N ]
  partition 3      39.1 MB      ref: n/a        label:
  [ dev: /dev/sda3  major: 8  minor: 3  free: 10MB  mounted: Y ]
  partition 4       7.2 GB      ref: 4          label: 34847B710E010EB9
  [ dev: /dev/sda4  major: 8  minor: 4  free: 5414MB  mounted: Y ]

Total available disks: 1

tuxedo #

---

tuxedo # config log memory setting

tuxedo (setting) # get
diskfull            : overwrite
status              : enable

tuxedo (setting) # end
tuxedo # config log disk setting

tuxedo (setting) # get
status              : disable
max-policy-packet-capture-size: 10
log-quota           : 0
dlp-archive-quota   : 0
maximum-log-age     : 0
full-first-warning-threshold: 75
full-second-warning-threshold: 90
full-final-warning-threshold: 95

tuxedo (setting) # end
tuxedo # config log fortiguard setting

tuxedo (setting) # get
status              : disable
source-ip           : 0.0.0.0

tuxedo (setting) # end
tuxedo #

IPV6 setup

http://cookbook.fortinet.com/creating-an-ipv6-interface-using-slaac/

config system interface
  edit port1
    config ipv6
      set ip6-address 2001:db8::1/32
      set ip6-send-adv enable
         config ip6-prefix-list
           edit 2001:db8::/32
              set autonomous-flag enable
              set onlink-flag enable
          end
     end
end

Monitoring

PING

Suppose that you want to ping an interface.

1. go to netowrk -> interfaces -> the interface , for example wan1 "Administrative Access" check PING.

2. go to "admin" -> "Adminitrators", and add you allowed source ip for ping to the admin user's allowed hosts.

SNMP

MIBS:

/usr/share/snmp/mibs/FORTINET-CORE-MIB.mib
/usr/share/snmp/mibs/FORTINET-FORTIGATE-MIB.mib

Examples:

snmpwalk -v 2c -c mystring 192.168.1.99 .1.3.6.1.4.1.12356

oid of note:

FORTINET-CORE-MIB::fortinet.101.4.1.1.0
( .1.3.6.1.4.1.12356.101.4.1.5.0 )
http://www.oidview.com/mibs/12356/FORTINET-FORTIGATE-MIB.html


mrtg

cfgmaker --ifref=name \
   --snmp-options ":::::2" \
   --zero-speed=100000000 \
   --no-down \
   --show-op-down \
   --output /var/www/mrtg/tuxedo/tuxedo.cfg XXX@192.168.1.99
snmpwalk -m +FORTINET-CORE-MIB:FORTINET-FORTIGATE-MIB -v 2c -c XXX 192.168.1.99 FORTINET-CORE-MIB::fortinet > /tmp/tuxedo

FORTINET-FORTIGATE-MIB::fgSysCpuUsage.0 = Gauge32: 23
FORTINET-FORTIGATE-MIB::fgSysMemUsage.0 = Gauge32: 42

FORTINET-FORTIGATE-MIB::fgSysDiskUsage.0 = Gauge32: 1848
FORTINET-FORTIGATE-MIB::fgSysDiskCapacity.0 = Gauge32: 7262

FORTINET-FORTIGATE-MIB::fgSysSesCount.0 = Gauge32: 73
FORTINET-FORTIGATE-MIB::fgSysSes6Count.0 = Gauge32: 0

FORTINET-FORTIGATE-MIB::fgSysLowMemUsage.0 = Gauge32: 46

FORTINET-FORTIGATE-MIB::fgProcessorUsage.1 = Gauge32: 19 %
FORTINET-FORTIGATE-MIB::fgProcessorUsage5sec.1 = Gauge32: 18 %

FORTINET-FORTIGATE-MIB::fgProcessorPktDroppedCount.1 = Counter64: 0

FORTINET-FORTIGATE-MIB::fgProcessorUserUsage.1 = Gauge32: 1 %
FORTINET-FORTIGATE-MIB::fgProcessorSysUsage.1 = Gauge32: 17 %

FORTINET-FORTIGATE-MIB::fgWcStaSignal.1.10.164.209.210.62.95.178 = INTEGER: -49
FORTINET-FORTIGATE-MIB::fgWcStaSignal.1.10.252.194.222.195.104.101 = INTEGER: -52
FORTINET-FORTIGATE-MIB::fgWcStaNoise.1.10.164.209.210.62.95.178 = INTEGER: -95
FORTINET-FORTIGATE-MIB::fgWcStaNoise.1.10.252.194.222.195.104.101 = INTEGER: -95

Working with the API

http://docs.fortinet.com/uploaded/files/1276/FortiAuthenticator_REST_API_Solution_Guide.pdf

sample code:( untested ):

https://www.reddit.com/r/fortinet/comments/3ndnli/age_old_question_of_api_documentation/

import requests

fortigate_host = '192.168.1.99'
fortigate_user = 'admin'
fortigate_pass = 'password'

login_url = 'https://%s/logincheck' % fortigate_host
login_payload = {'username': fortigate_user, 'secretkey': fortigate_pass}

r = requests.post(login_url, data=login_payload, verify=False)
cookiejar = r.cookies

print r.headers
print r.text

r = requests.get('https://%s/api/v2/cmdb/system/interface/' % fortigate_host,
             cookies=cookiejar, verify=False)

print r.content

My devices

Tuxedo

I have a 60C, Tuxedo.quadratic.net

#config-version=FWF60C-5.00-FW-build271-140409:opmode=0:vdom=0:user=admin
#conf_file_ver=17066477072978363314
#buildno=3608

and I have a 60D deluxe.quadratic.net

#config-version=FWF60D-5.02-FW-build688-150722:opmode=0:vdom=0:user=admin
#conf_file_ver=18133040463207349270
#buildno=0688

is a Fortigate


Deluxe

here is deluxe 60D):

Deluxe # diagnose hardware deviceinfo disk

Disk Internal-0(boot) ref:       3.8GB    type: USB [FORTINET S01_V140320_004] dev: /dev/sda
  partition ref:     251.0MB, 223.0MB free  mounted: N  label:  dev: /dev/sda1(boot)
  partition ref:     247.0MB, 215.0MB free  mounted: Y  label:  dev: /dev/sda2(boot)
  partition ref:       3.2GB,   3.1GB free  mounted: Y  label:  dev: /dev/sda3

Disk Internal        ref:  16   7.5GB    type: USB [FORTINET S01_V140320_008] dev: /dev/sdb
  partition ref:  17   7.4GB,   7.4GB free  mounted: N  label: 3CD780673389B3D2 dev: /dev/sdb1

Total available disks: 2
Max SSD disks: 0  Available storage disks: 1

Deluxe #

interfaces:

Deluxe # show system interface<space><questionmark>
name    name
HE   static   0.0.0.0 0.0.0.0  up   disable   tunnel
dmz   static   10.10.10.1 255.255.255.0  up   disable   physical
internal   static   0.0.0.0 0.0.0.0  up   disable   hard-switch
lan   static   192.168.1.28 255.255.255.0  up   disable   switch
modem   pppoe   0.0.0.0 0.0.0.0  down   disable   physical
ssl.root   static   0.0.0.0 0.0.0.0  up   disable   tunnel
tocdahub   static   0.0.0.0 0.0.0.0  down   disable   tunnel
wan1   pppoe   69.165.169.40 255.255.255.255  up   disable   physical
wan2   dhcp   0.0.0.0 0.0.0.0  up   disable   physical
wifi   static   10.23.45.2 255.255.255.0  up   disable   vap-switch
config system interface
edit "HE"
set status up
end