FortiGate common troubleshooting CLI: sniffer and debug flow

Copy-paste templates for sniffer and debug flow; change the IP and run:

1. Locating why HTTP traffic to 119.100.1.200 fails:

First capture with the sniffer and inspect the result:

(Clear the matching sessions first: an existing session may already be NP-offloaded, in which case the sniffer sees none of its packets)
diagnose sys session filter clear
diagnose sys session filter proto 6
diagnose sys session filter dport 80
diagnose sys session filter dst 119.100.1.200
diagnose sys session clear           

diagnose sniffer packet any "host 119.100.1.200 and port 80" 4 0 l

Then use debug flow to narrow the problem down:

(Clear the matching sessions first: an existing session may already be NP-offloaded, in which case debug flow sees none of its packets)
diagnose sys session filter clear 
diagnose sys session filter proto 6
diagnose sys session filter dport 80
diagnose sys session filter dst 119.100.1.200
diagnose sys session clear

diagnose debug flow filter clear
diagnose debug flow filter addr 119.100.1.200
diagnose debug flow filter dport 80
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable

2. Locating why ICMP traffic to 119.100.1.200 fails:

First capture with the sniffer and inspect the result:

(Clear the matching sessions first: an existing session may already be NP-offloaded, in which case the sniffer sees none of its packets)
diagnose sys session filter clear
diagnose sys session filter proto 1
diagnose sys session filter dst 119.100.1.200
diagnose sys session clear           

diagnose sniffer packet any "host 119.100.1.200 and icmp" 4 0 l

Then use debug flow to narrow the problem down:

(Clear the matching sessions first: an existing session may already be NP-offloaded, in which case debug flow sees none of its packets)
diagnose sys session filter clear 
diagnose sys session filter proto 1
diagnose sys session filter dst 119.100.1.200
diagnose sys session clear    

diagnose debug flow filter clear
diagnose debug flow filter addr 119.100.1.200
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable


Other scripts along the same lines, ready to copy-paste and adapt:
diagnose sys session filter proto 1
diagnose sys session filter dst 117.40.128.137
diagnose sys session clear

diagnose debug flow filter addr 3.3.3.254
diagnose debug flow filter proto 1
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable


diagnose sniffer packet any "host 202.106.1.100 and icmp" 4 0 l 

diagnose sys session filter  proto 1
diagnose sys session filter  dst 45.251.23.78
diagnose sys session clear

diagnose debug flow filter addr  114.114.119.119
diagnose debug flow filter  proto 1
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable   

diagnose sys session filter  proto 1
diagnose sys session clear


diagnose debug flow filter  proto 1

diagnose debug flow filter addr 10.255.255.2
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable   

diagnose debug flow filter  proto 1
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable   

diagnose debug flow filter  proto 6
diagnose debug flow filter dport 5060
diagnose debug flow show function-name enable
diagnose debug flow show console enable
diagnose debug flow trace start 100
diagnose debug enable   

diagnose sniffer packet any "(host 111.204.123.112 or host 192.168.30.167) and !port 22345 and !port 44300" 4
diagnose sniffer packet any "host 114.114.114.114 and icmp" 4
diagnose sniffer packet any "host 111.204.123.112 and !port 22 and !port 45328" 4
diagnose sniffer packet any "port 161 and (host 111.204.123.116 or host 192.168.168.1)" 4
(in the sniffer filter "and" binds tighter than "or", so an "or" between hosts must be parenthesised or the filter matches far more than intended)

Recommended GUI tweaks script:
Main items:
1. Policies can be created without a name
2. Multiple interfaces can be selected when creating a policy (allows an all-to-all policy and multi-interface to multi-interface policies; convenient in a lab, but broad any-to-any policies should not survive into production)
3. Low-end models can use multiple custom UTM profiles
4. GUI language switched to simplified Chinese
5. Admin idle timeout raised from the default 5 minutes to 30 minutes
6. Time zone set to China (GMT+8)
7. revision-backup-on-logout: every time an admin changes the configuration and logs out, a config revision is saved to flash as a restore point (a snapshot of the config). Restoring a revision reboots the device.
Note that the script also sets the VDOM inspection mode to flow-based; drop that line if proxy-based inspection is required.

config system settings
    set inspection-mode flow
    set gui-multiple-utm-profiles enable
    set gui-allow-unnamed-policy enable
    set gui-multiple-interface-policy enable
end
config system global
    set admintimeout 30
    set language simch
    set timezone 55
    set revision-backup-on-logout enable
end

IPsec VPN blackhole route script:
Purpose: when the local box has no specific static or VPN route for a private destination, the traffic is sent to a blackhole instead of the default route. Without this, when the VPN tunnel drops, VPN-bound traffic leaks out the internet interface and creates NAT sessions there; those sessions do not age out, so when the tunnel comes back the traffic keeps matching the stale sessions and the VPN stays broken until they are cleared (the session filter/clear commands in section 1 do that).
Method 1: blackhole the summarised RFC1918 ranges as below. Generic, but broad: longest prefix match means any private destination that is not covered by a more specific route is blackholed, including private networks that are legitimately reached through the default gateway, so anyone not comfortable with routing can cut off real traffic.
Method 2: the better option is a specific blackhole route for each VPN destination prefix (same prefix as the VPN route, higher distance). While the tunnel is up the lower-distance VPN route wins; when the VPN route disappears the blackhole route for that prefix takes over instead of the default route, so no NAT sessions toward the internet interface are created.

config firewall address
    edit "Private_IP_10.0.0.0/8"
        set allow-routing enable
        set subnet 10.0.0.0 255.0.0.0
    next
    edit "Private_IP_172.16.0.0/12"
        set allow-routing enable
        set subnet 172.16.0.0 255.240.0.0
    next
    edit "Private_IP_192.168.0.0/16"
        set allow-routing enable
        set subnet 192.168.0.0 255.255.0.0
    next
end
config firewall addrgrp
    edit "LAN_Private_IP_Group"
        set member "Private_IP_10.0.0.0/8" "Private_IP_172.16.0.0/12" "Private_IP_192.168.0.0/16"
        set allow-routing enable
    next
end
config router static
    edit 0
        set distance 254
        set blackhole enable
        set dstaddr "LAN_Private_IP_Group"
    next
end
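To make the route-selection reasoning behind the two methods concrete, here is an added Python model of static-route selection (longest prefix first, then lowest distance, then lowest priority). It is an illustration written for these notes, not FortiOS code; the interface names (wan1, port1, VPN-P1), the prefixes and the distances are assumptions. It shows that with method 1 the /8, /12 and /16 blackholes beat the default route whenever the VPN route is gone, but also swallow a private destination such as 172.30.1.1 that is legitimately reached through the default gateway, while method 2's per-prefix blackhole has no such side effect.

```python
from ipaddress import ip_address, ip_network

# Added example for these notes (not FortiOS code): a minimal model of static
# route selection, used to show why the blackhole routes above behave as described.
# Modelled order: longest prefix match, then lowest distance, then lowest priority.
# Interface names, prefixes and distances below are assumptions for the demo.

def route(prefix, via, distance=10, priority=0, blackhole=False):
    return {"prefix": ip_network(prefix), "via": via, "distance": distance,
            "priority": priority, "blackhole": blackhole}

def select_route(routes, dst):
    """Return the route a packet to dst would use, or None if nothing matches."""
    addr = ip_address(dst)
    matching = [r for r in routes if addr in r["prefix"]]
    if not matching:
        return None
    return min(matching, key=lambda r: (-r["prefix"].prefixlen, r["distance"], r["priority"]))

def next_hop(routes, dst):
    """'blackhole', an interface name, or 'no route'."""
    r = select_route(routes, dst)
    if r is None:
        return "no route"
    return "blackhole" if r["blackhole"] else r["via"]

DEFAULT = route("0.0.0.0/0", "wan1", distance=10)      # internet default route
LAN = route("10.1.2.0/24", "port1", distance=0)         # connected LAN, distance 0
VPN_ROUTE = route("192.168.50.0/24", "VPN-P1", 10)      # remote site over the IPsec interface

# Method 1: the summarised RFC1918 blackholes from the config above, distance 254.
RFC1918_BLACKHOLES = [
    route("10.0.0.0/8", None, 254, blackhole=True),
    route("172.16.0.0/12", None, 254, blackhole=True),
    route("192.168.0.0/16", None, 254, blackhole=True),
]

def method1(tunnel_up):
    routes = [DEFAULT, LAN] + RFC1918_BLACKHOLES
    if tunnel_up:   # the static route over the tunnel interface only exists in the
        routes.append(VPN_ROUTE)   # routing table while the tunnel interface is up
    return routes

# Method 2: one blackhole per VPN prefix, same prefix as the VPN route but distance 254,
# so it is only installed when the VPN route itself disappears.
def method2(tunnel_up):
    routes = [DEFAULT, LAN, route("192.168.50.0/24", None, 254, blackhole=True)]
    if tunnel_up:
        routes.append(VPN_ROUTE)
    return routes

if __name__ == "__main__":
    for name, table in (("method 1", method1), ("method 2", method2)):
        for up in (True, False):
            routes = table(up)
            state = "tunnel up" if up else "tunnel down"
            print(f"{name}, {state}:",
                  "192.168.50.7 ->", next_hop(routes, "192.168.50.7"),
                  "| 172.30.1.1 ->", next_hop(routes, "172.30.1.1"),
                  "| 10.1.2.9 ->", next_hop(routes, "10.1.2.9"),
                  "| 8.8.8.8 ->", next_hop(routes, "8.8.8.8"))
```

The connected LAN (10.1.2.0/24, distance 0) is never affected by the 10.0.0.0/8 blackhole because a /24 always beats a /8; the blackhole only catches private prefixes for which no more specific route exists, which is exactly the case the text wants to cover and, under method 1, also the case it warns about.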


//Sniffer notes//

Using the sniffer command:
diagnose sniffer packet any "host 192.168.200.102 and icmp" 4  100 l

diagnose sniffer packet   fixed part of the command

any   any interface; name an interface, e.g. port1, to capture only on port1

"host 192.168.200.102 and icmp"   capture filter (BPF-style; "and" binds tighter than "or", so parenthesise mixed expressions)

4   verbosity: shows the packet headers together with the ingress/egress interface name, in human-readable form

100   packet count: stop after 100 packets (0 = no limit, stop with Ctrl+C)

l   timestamp format: the device's local time (a = absolute UTC)

The usual short form:

diagnose sniffer packet any "host 192.168.200.102 and icmp" 4 0 l


Note on sniffer captures: if traffic is already NP-offloaded the sniffer may not see it. To capture reliably, temporarily disable NP offload and clear the already-established sessions:
Sniffer note 1: temporarily disable NP offload on the policy that carries the traffic (re-enable it when the capture is done):
FGT # config firewall policy 
FGT (policy) # edit 1                 (assuming the policy ID of the relevant policy is 1)
FGT (1) # set auto-asic-offload disable 
FGT (1) # end 
All traffic matching that policy is then handled by the CPU, so the sniffer sees the complete flow.
 
Sniffer note 2: sessions that were already established (and already offloaded to the NP) still do not show up even after offload is disabled. Filter those sessions and clear them, so they are re-created and the new packets are captured. Always set a filter first: "diagnose sys session clear" with no filter clears every session on the box.
FGT#diagnose sys session filter dst 192.168.200.102    (filter on destination IP)
FGT#diagnose sys session filter proto 1        (filter on protocol 1: ICMP, which includes ping)
FGT#diagnose sys session clear              (clear the filtered sessions)  

FGT# diagnose sys session filter clear   //clear the session filter

FGT#diagnose sys session filter dst 192.168.200.102 (filter on destination IP)
FGT#diagnose sys session filter proto 6        (filter on protocol 6: TCP)
FGT#diagnose sys session filter dport 443  (filter on TCP port 443)
FGT#diagnose sys session clear             (clear the filtered sessions)  


FGT#diagnose sys session filter src 192.168.200.102 (filter on source IP)
FGT#diagnose sys session filter proto 6        (filter on protocol 6: TCP)
FGT#diagnose sys session filter dport 443  (filter on TCP port 443)
FGT#diagnose sys session clear             (clear the filtered sessions)  

FGT# diagnose sys session filter clear   //clear the session filter

FGT#diagnose sys session filter dst 192.168.200.102 (filter on destination IP)
FGT#diagnose sys session filter proto 17                 (filter on protocol 17: UDP)
FGT#diagnose sys session filter dport 500           (filter on UDP port 500)
FGT#diagnose sys session clear                      (clear the filtered sessions)  

FGT# diagnose sys session filter clear   //clear the session filter

Finally start the capture; FortiGate sniffer commands (parentheses added where "or" and "and" are mixed):
FGT#diagnose sniffer packet any "host 192.168.200.102 and icmp" 4
FGT#diagnose sniffer packet any "host 218.203.193.18 and esp" 4
FGT#diagnose sniffer packet any "(port 500 or port 4500) and host 1.1.1.1" 4
FGT#diagnose sniffer packet any "(host 10.101.2.2 or host 111.204.123.112) and port 22" 4
FGT#diagnose sniffer packet any "host 60.31.254.5 and port 53" 4
FGT#diagnose sniffer packet any "host 192.168.118.57 and icmp" 4
FGT#diagnose sniffer packet any "port 9999" 4
FGT#diagnose sniffer packet any "host  10.172.52.182 and port" 4


Using debug flow:
Debug flow traces how the FortiGate processes a flow that passes through it or terminates on it. When traffic fails, it shows where in the processing path (route lookup, policy lookup, NAT, ...) the packet was dropped, which makes it the most useful flow-analysis tool on the box. Stop the trace and reset debug when done; an unfiltered trace on a busy box floods the console.

Debug flow command reference:
#diagnose debug flow filter addr x.x.x.x           //filter on one IP (either direction)
#diagnose debug flow show function-name enable   //show the name of the function emitting each message
#diagnose debug flow trace start 999  //start tracing; stops after 999 trace messages
#diagnose debug enable              //enable debug output

#diagnose debug flow trace stop    //stop the trace
#diagnose debug flow filter clear //clear the filter
#diagnose debug disable          //disable debug output
#diagnose debug reset           //reset all debug settings

The key part is the debug flow filter. Each filter keyword holds one value (setting it again replaces the previous value) and all set filters are ANDed. Examples:
1. Filter ping traffic
#diagnose debug flow filter proto 1
Change proto to filter other protocols:
proto 1   ICMP
proto 6   TCP
proto 17  UDP

2. Filter ping traffic of one IP
#diagnose debug flow filter addr 192.168.1.100
#diagnose debug flow filter proto 1
filters ping traffic to or from 192.168.1.100

3. Filter one port
#diagnose debug flow filter port 8080
filters traffic with source or destination port 8080

4. Filter one IP and port 8080
#diagnose debug flow filter addr 192.168.1.100
#diagnose debug flow filter port 8080
filters traffic of 192.168.1.100 on port 8080

5. Filter by source/destination port
#diagnose debug flow filter sport 80    ----->source port 80
#diagnose debug flow filter dport 25    ----->destination port 25

6. Filter by source/destination IP
#diagnose debug flow filter saddr x.x.x.x   -----> source IP x.x.x.x
#diagnose debug flow filter daddr y.y.y.y   ----->destination IP y.y.y.y

Common debug flow example 1: trace ICMP traffic of 10.10.10.100
diagnose debug flow filter addr 10.10.10.100
diagnose debug flow filter proto 1
diagnose debug flow show console enable 
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable  

Common debug flow example 2: trace TCP port 10443 traffic of 10.10.10.100
diagnose debug flow filter addr  10.10.10.100
diagnose debug flow filter proto 6
diagnose debug flow filter port 10443
diagnose debug flow show console enable 
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable  

Common debug flow example 3: trace UDP port 500 traffic of 10.10.10.100
diagnose debug flow filter addr  10.10.10.100
diagnose debug flow filter proto 17
diagnose debug flow filter port 500
diagnose debug flow show console enable 
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable  
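A trace started with "trace start 100" produces a lot of lines, and what matters is one line per packet: which policy accepted it, which route and interface it took, or the message that explains the drop. The following is an added Python helper written for these notes (not FortiOS code) that groups trace output by trace_id and derives that verdict. The sample trace is constructed from the message formats FortiOS prints ("received a packet(...) from ...", "find a route: ... via ...", "Allowed by Policy-N", "Denied by forward policy check (policy N)", "reverse path check fail, drop"); the IPs, interfaces, policy and session IDs in it are assumptions.

```python
import re
from collections import OrderedDict

# Added example for these notes (not FortiOS code): reduce a "diagnose debug flow"
# trace to one verdict per trace_id (which policy allowed it, which route it took,
# or why it was dropped). The sample trace is constructed from the message formats
# FortiOS prints; IPs, interfaces, policy IDs and session IDs are assumptions.

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PKT_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)'
    r'->(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<iface>\S+?)\.')
ROUTE_RE = re.compile(r'find a route: flag=\w+ gw-(?P<gw>[\d.]+) via (?P<iface>\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<policy>\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (?P<policy>\d+)\)')

def parse_kv(line):
    """'id=20085 trace_id=1 func=x line=5 msg="..."' -> dict, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def summarize_trace(lines):
    """Group trace lines by trace_id and derive a verdict for each packet."""
    traces = OrderedDict()
    for line in lines:
        kv = parse_kv(line.strip())
        if "trace_id" not in kv or "msg" not in kv:
            continue   # banner, prompt or unrelated debug line
        t = traces.setdefault(kv["trace_id"], {
            "verdict": "unknown", "reason": None, "packet": None, "route": None, "policy": None})
        msg = kv["msg"]
        m = PKT_RE.search(msg)
        if m:
            t["packet"] = m.groupdict()
            continue
        m = ROUTE_RE.search(msg)
        if m:
            t["route"] = m.groupdict()
            continue
        m = ALLOW_RE.search(msg)
        if m:
            t["verdict"], t["policy"] = "allowed", int(m["policy"])
            continue
        m = DENY_RE.search(msg)
        if m:
            t["verdict"], t["policy"], t["reason"] = "denied", int(m["policy"]), msg
            continue
        if "drop" in msg and t["verdict"] == "unknown":
            t["verdict"], t["reason"] = "dropped", msg   # e.g. reverse path check fail
    return traces

def render(traces):
    """One human-readable line per trace_id."""
    out = []
    for tid, t in traces.items():
        p = t["packet"] or {}
        flow = (f"proto={p.get('proto')} {p.get('src')}:{p.get('sport')}->"
                f"{p.get('dst')}:{p.get('dport')} in {p.get('iface')}")
        via = f" via {t['route']['iface']} gw {t['route']['gw']}" if t["route"] else ""
        detail = f" policy {t['policy']}" if t["policy"] is not None else ""
        reason = f" ({t['reason']})" if t["reason"] else ""
        out.append(f"trace {tid}: {flow}{via}: {t['verdict']}{detail}{reason}")
    return out

# Constructed sample: one allowed HTTP flow, one hitting the implicit deny, one RPF drop.
SAMPLE_TRACE = """
id=20085 trace_id=1 func=print_pkt_detail line=5375 msg="vd-root received a packet(proto=6, 192.168.1.110:52034->119.100.1.200:80) from port1. flag [S], seq 1234567890, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5520 msg="allocate a new session-000030a4"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=1 func=fw_forward_handler line=737 msg="Allowed by Policy-5: SNAT"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3201 msg="SNAT 192.168.1.110->203.0.113.5:52034"
id=20085 trace_id=2 func=print_pkt_detail line=5375 msg="vd-root received a packet(proto=1, 192.168.1.111:1->119.100.1.200:2048) from port1. type=8, code=0, id=1, seq=1."
id=20085 trace_id=2 func=init_ip_session_common line=5520 msg="allocate a new session-000030a5"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=2 func=fw_forward_handler line=591 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=3 func=print_pkt_detail line=5375 msg="vd-root received a packet(proto=1, 192.168.1.112:1->119.100.1.200:2048) from wan1. type=8, code=0, id=2, seq=1."
id=20085 trace_id=3 func=init_ip_session_common line=5520 msg="allocate a new session-000030a6"
id=20085 trace_id=3 func=ip_route_input_slow line=1770 msg="reverse path check fail, drop"
id=20085 trace_id=3 func=ip_session_handle_no_dst line=5713 msg="trace"
""".strip().splitlines()

if __name__ == "__main__":
    for line in render(summarize_trace(SAMPLE_TRACE)):
        print(line)
```

"Denied by forward policy check (policy 0)" means no configured policy matched and the implicit deny fired, so the fix is a missing or mis-ordered policy; a drop before the policy lookup (no route, reverse path check) is a routing problem and no policy change will help.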

Commonly used debug flow copy-paste scripts:
diagnose sys session filter dst 10.3.10.1
diagnose sys session filter proto 1
diagnose sys session clear 

diagnose debug flow filter addr 10.3.10.1
diagnose debug flow filter  proto 1
diagnose debug flow show console enable 
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable    

diagnose sys session filter dst 10.255.16.114
diagnose sys session clear 

diagnose debug flow filter addr 10.255.16.114
diagnose debug flow filter  proto 6
diagnose debug flow filter port 443
diagnose debug flow show console enable 
diagnose debug flow show function-name enable
diagnose debug flow  trace start 100
diagnose debug enable    

//
diagnose debug flow filter port 53
diagnose debug flow filter  proto 17
diagnose debug flow filter port 80
//

diagnose debug flow filter addr  103.17.88.71
diagnose debug flow filter  proto 6
diagnose debug flow filter port 57720
diagnose debug flow show console enable 
diagnose debug flow show function-name enable
diagnose debug flow  trace start 10
diagnose debug enable  

diagnose sys session filter src 172.40.1.252
diagnose sys session clear 

diagnose debug flow filter addr  124.89.90.125
diagnose debug flow filter  proto 17
diagnose debug flow show console enable 
diagnose debug flow show function-name enable
diagnose debug flow  trace start 10
diagnose debug enable  

diagnose sys session filter dst  116.90.243.115
diagnose sys session clear 

diagnose debug flow filter addr 222.92.132.166
diagnose debug flow filter  proto 6
diagnose debug flow filter port 3134
diagnose debug flow show console enable 
diagnose debug flow show function-name enable
diagnose debug flow  trace start 6
diagnose debug enable  

diagnose debug flow filter addr 192.168.1.1
diagnose debug flow filter  proto 17
diagnose debug flow show console enable 
diagnose debug flow show function-name enable
diagnose debug flow  trace start 6
diagnose debug enable  

diagnose sys session filter src  172.40.1.252
diagnose sys session clear 

diagnose sys session filter policy 5
diagnose sys session list

diagnose debug flow filter addr 58.18.31.148
diagnose debug flow filter  proto 17
diagnose debug flow filter port 161
diagnose debug flow show console enable 
diagnose debug flow show function-name enable
diagnose debug flow  trace start 10
diagnose debug enable   

High CPU/MEM: list processes and temporarily kill one:
List processes, and kill a process:
diag sys top-summary 
diagnose sys top 5 33            (refresh every 5 s, show 33 lines)
diagnose sys kill 9 <PID>        (SIGKILL; the daemon is restarted by the system, so this only clears a stuck instance)

Locating why an IPsec VPN tunnel does not come up:

First, sniffer: confirm that UDP 500/4500 is exchanged with the peer in both directions
diagnose sniffer packet any "host 116.6.100.241 and (port 500 or port 4500)" 4

diagnose sniffer packet any "host 202.106.1.35 and (port 500 or port 4500)" 4    
   
//replace the IP with the peer's public IP
UDP 500 and UDP 4500 are the ports IKE uses to negotiate IPsec; they must be reachable in both directions or the VPN cannot be established. Confirm this before moving to the next step.
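Both the sniffer section earlier in these notes and this UDP 500/4500 check come down to the same reading of verbosity-4 output: did the request enter, did it leave on the expected interface, did a reply come back, and was the reply forwarded. The following is an added Python helper written for these notes (not FortiOS code) that does that classification. The sample captures are constructed in the format the sniffer prints at verbosity 4 (optionally with the "l" local timestamp); the interfaces and IPs are assumptions. For the IKE case the FortiGate itself is the client, so there is no "in" leg for the request and the helper is told so with local_origin=True.

```python
import re
from collections import Counter

# Added example for these notes (not FortiOS code): read verbosity-4 sniffer output
# and say, per direction, whether packets entered and left the FortiGate, which is
# the decision the notes make by eye: "dropped here -> debug flow" versus "forwarded
# but no reply -> problem beyond the FortiGate". The sample captures are constructed;
# interfaces and IPs are assumptions.

SNIFF_RE = re.compile(
    r'^(?P<ts>(?:\d{4}-\d{2}-\d{2} )?[\d:.]+)\s+'      # 2.602336 or 2024-03-01 09:15:02.602336
    r'(?P<iface>\S+)\s+(?P<dir>in|out)\s+'
    r'(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s*(?P<info>.*)$')

def split_endpoint(ep):
    """'10.0.0.1.443' -> ('10.0.0.1', 443); '10.0.0.1' (ICMP) -> ('10.0.0.1', None)."""
    parts = ep.split(".")
    if len(parts) == 5 and parts[4].isdigit():
        return ".".join(parts[:4]), int(parts[4])
    return ep, None

def parse_line(line):
    m = SNIFF_RE.match(line.strip())
    if not m:
        return None    # interfaces=[...] / filters=[...] banner or noise
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    return {"ts": m["ts"], "iface": m["iface"], "dir": m["dir"], "src": src,
            "sport": sport, "dst": dst, "dport": dport, "info": m["info"]}

def analyze(lines, target, local_origin=False):
    """Classify each packet as forward (towards target) or reverse (from target),
    in or out, and derive a verdict. local_origin=True means the FortiGate itself
    is the client (e.g. its own IKE traffic), so no 'in' leg exists for the request."""
    stages = Counter()
    ifaces = {}
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["dst"] == target:
            leg = "fwd"      # still matches after SNAT, since the destination is unchanged
        elif p["src"] == target:
            leg = "rev"
        else:
            continue
        stage = f"{leg}_{p['dir']}"
        stages[stage] += 1
        ifaces.setdefault(stage, p["iface"])
    if local_origin:
        if not stages["fwd_out"]:
            verdict = "nothing_sent"
        elif not stages["rev_in"]:
            verdict = "no_reply"
        else:
            verdict = "ok"
    elif not stages["fwd_in"]:
        verdict = "no_ingress"          # request never reached the FortiGate
    elif not stages["fwd_out"]:
        verdict = "dropped_forward"     # entered but never left: policy/route, run debug flow
    elif not stages["rev_in"]:
        verdict = "no_reply"            # left on ifaces['fwd_out'], nothing came back
    elif not stages["rev_out"]:
        verdict = "dropped_reverse"     # reply arrived but was not forwarded back
    else:
        verdict = "ok"
    return {"stages": dict(stages), "ifaces": ifaces, "verdict": verdict}

# Constructed captures (verbosity 4, 'l' timestamps where the notes use them).
SAMPLE_ICMP_OK = """
interfaces=[any]
filters=[host 119.100.1.200 and icmp]
2024-03-01 09:15:02.602336 port1 in 192.168.1.110 -> 119.100.1.200: icmp: echo request
2024-03-01 09:15:02.602375 wan1 out 203.0.113.5 -> 119.100.1.200: icmp: echo request
2024-03-01 09:15:02.633152 wan1 in 119.100.1.200 -> 203.0.113.5: icmp: echo reply
2024-03-01 09:15:02.633171 port1 out 119.100.1.200 -> 192.168.1.110: icmp: echo reply
""".strip().splitlines()

SAMPLE_HTTP_DROPPED = """
1.234567 port1 in 192.168.1.110.52034 -> 119.100.1.200.80: syn 1234567890
2.236112 port1 in 192.168.1.110.52034 -> 119.100.1.200.80: syn 1234567890
""".strip().splitlines()

SAMPLE_IKE_NO_REPLY = """
0.512002 wan1 out 203.0.113.5.500 -> 198.51.100.9.500: udp 312
5.512311 wan1 out 203.0.113.5.500 -> 198.51.100.9.500: udp 312
""".strip().splitlines()

if __name__ == "__main__":
    print("icmp:", analyze(SAMPLE_ICMP_OK, "119.100.1.200")["verdict"])
    print("http:", analyze(SAMPLE_HTTP_DROPPED, "119.100.1.200")["verdict"])
    print("ike: ", analyze(SAMPLE_IKE_NO_REPLY, "198.51.100.9", local_origin=True)["verdict"])
```

The ifaces map is worth checking as well as the verdict: a request that leaves on wan1 when it should have gone into the VPN interface is the blackhole-route case from earlier in these notes, and the capture shows that before debug flow does.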

Next, use the logs and debug app ike to determine whether the failure is in phase 1 or phase 2:
diagnose vpn ike  log-filter name ipsec_wuxian1            // phase 1 name

diagnose vpn ike log-filter dst-addr4 124.65.148.86     //replace the IP with the peer's public IP 
diagnose debug  application ike  -1
diagnose debug  enable 

Caution: while debugging IKE, do not initiate the connection from this side; disable phase 1/phase 2 auto-negotiation so the trace is not flooded by this box's own retries and shows the peer's attempts cleanly

Note 1: phase 1 / phase 2 auto-negotiation may need to be disabled
On 5.6 and later, a single setting stops this side from ever initiating IKE:
config vpn ipsec phase1-interface
     edit VPN-P1   (phase 1 name)
       set passive-mode enable //never initiate IKE, not even when traffic would trigger it
    next
end

On older versions (5.2/5.4) disable auto-negotiation on phase 1 and phase 2 separately:
BJLab-240D # config vpn ipsec phase1-interface 
BJLab-240D (phase1-interface) # edit VPN-P1   (phase 1 name)
BJLab-240D (VPN-P1) # set auto-negotiate disable 
BJLab-240D (VPN-P1) # end

BJLab-240D # config vpn ipsec phase2-interface 
BJLab-240D (phase2-interface) # edit VPN-P2   (phase 2 name)
BJLab-240D (VPN-P2) # set auto-negotiate disable 
BJLab-240D (VPN-P2) # end

Note 2: sometimes the IPsec connection has to be reset (use with care: every VPN on the box renegotiates IKE; normally this is not needed)
diagnose vpn ike restart              //restart IKE and re-initiate the negotiation
diagnose vpn tunnel reset            //reset phase 2 (the tunnels)

diagnose vpn ike restart
diagnose vpn ike gateway clear       //clear phase 1 (IKE gateways); add "name <phase1 name>" to limit it to one gateway

Resetting the IPsec tunnel when VDOMs are enabled (run the commands inside the VDOM):
FG200D4615810562 # config vdom 
FG200D4615810562 (vdom) # edit root 
FG200D4615810562 (root) # diagnose vpn tunnel reset 
FG200D4615810562 (root) # diagnose vpn ike restart 

Checking IPsec VPN status:
diagnose vpn ike gateway list
diagnose vpn tunnel list

Commonly used debug application commands:
Debugging L2TP VPN:
diagnose debug application l2tp -1
diagnose debug enable

Debugging SSL VPN:
diagnose debug application sslvpn -1
diagnose debug enable

Debugging IPsec VPN:
# diagnose debug console timestamp enable 
# diagnose debug application ike -1
# diagnose debug enable 

# diagnose debug application  ike 0   // stop the ike debug
# diagnose debug disable             //disable debug output
# diagnose debug reset              //reset debug settings

Debugging RADIUS/TACACS+ authentication (use a dedicated test account, not a real user's password):
diagnose test authserver  radius radius-server pap user1 123456      (server name, auth scheme pap|chap|mschap|mschap2, user, password)
diagnose test authserver  tacacs+ tacacs-server user1 123456

diagnose debug application fnbamd -1
diagnose debug enable

Debugging LDAP authentication:
diagnose test authserver ldap ldap-server user1 123456

diagnose debug application fnbamd -1
diagnose debug enable

Debugging FortiGuard updates:
execute update-now

diagnose debug application  update -1
diagnose debug enable

Turning debug off:
# diagnose debug disable
# diagnose debug reset

Checking interface errors/drops and the interface MAC address:
# diagnose netlink device list 
# get hardware nic wan1
Driver Name     :Fortinet NP4Lite Driver
Version         :1.0.1
Admin           :up
Current_HWaddr   08:5b:0e:6f:d9:76
Permanent_HWaddr 08:5b:0e:6f:d9:76
Status          :up
Speed           :100
Duplex          :Full
Host Rx Pkts    :3095836
Host Rx Bytes   :432192732
Host Tx Pkts    :773199
Host Tx Bytes   :125268953
Rx Pkts         :4389000
Rx Bytes        :1112122188
Tx Pkts         :1888066
Tx Bytes        :251656337
rx_buffer_len   :2048
Hidden          :No
cmd_in_list     : 0
promiscuous     : 1
enabled 802.1x  : 0
authorized      : 0
mac bypass      : 0

L2TP/PPTP VPN config script (lab version: the wan -> any policy below accepts everything arriving on the WAN interface; in production set srcaddr to the L2TP/PPTP client address range given by sip/eip and dstaddr to what remote users actually need, and keep in mind that PPTP's MS-CHAPv2/MPPE is broken and should not carry anything sensitive):
config vpn l2tp
   set status enable
    set eip 172.19.4.206
    set sip 172.19.4.206
    set usrgrp "Guest-group"
end
config vpn pptp
    set status enable
    set eip 172.19.4.207
    set sip 172.19.4.207
    set usrgrp "Guest-group"
end
config firewall policy 
    edit 0
        set srcintf "wan" 
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next 
end
config user local
    edit "guest"
        set type password
        set passwd  1q2w3e4r
    next
end

L2TP over IPsec config script (same caveat: the wan1 -> any accept-all policy is a lab shortcut; restrict srcaddr to the L2TP client range, and use a strong pre-shared key instead of the sample one):
config vpn l2tp
   set status enable
    set eip 172.16.254.254
    set sip 172.16.254.200
   set usrgrp "Guest-group"
end
config firewall policy 
    edit 0
        set srcintf "wan1"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next 
end
config user local
    edit "guest"
        set type password
        set passwd  1q2w3e4r
    next
end
config vpn ipsec phase1-interface
    edit "L-O-I"
        set type dynamic
        set interface "port1"
        set keylife 3600
        set peertype any 
        set psksecret 1q2w3e4r
    next
end
config vpn ipsec phase2-interface
    edit "L-O-I"
        set phase1name "L-O-I"
        set pfs disable
        set encapsulation transport-mode
        set l2tp enable
        set keylifeseconds 3600
    next
end
config firewall policy 
    edit 0
        set name "L2TP_Over_IPsec"
        set srcintf "L-O-I"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

Viewing the OS images in flash, and related system commands:
On upgrade, the pre-upgrade image and config are kept in the inactive partition (the row with "No" in the Active column)
FGT90D3Z14014233 # diagnose sys flash list        shows which partition holds the running image and config
Partition  Image                              TotalSize(KB)  Used(KB)  Use%  Active
1          FGT90D-5.04-FW-build1011-151221    253871         37344     15%   No
2          FGT90D-5.02-FW-build701-151203     253871         33078     13%   Yes
3          ETDB-1.00000                       1388840        4456      0%    No
Image build at Dec  3 2015 04:50:38 for b0701
FGT90D3Z14014233 #

"Partition" column: 1 is the primary partition, 2 the secondary

"Active" column: Yes marks the partition whose image and config are used at every boot

FGT90D3Z14014233 # exec set-next-reboot ?
<primary/secondary>    partition

FGT90D3Z14014233 # exec set-next-reboot primary    ;(or secondary, depending on which partition holds the version you want) sets the boot partition to primary (partition 1)
FGT90D3Z14014233 # exec reboot    ;reboots with the image and config in the primary partition (partition 1), i.e. rolls back to the pre-upgrade version and config


Currently logged-in administrators:
BJFG300D # get system admin list 
username   local    device                         vdom     profile      remote                 started     
admin      ssh      SE25(FSW):60.247.121.248:22    root     super_admin  192.168.118.25:51208   2016-12-02 09:57:15

Ports the FGT itself is listening on:
FG100D3G13828247 # diagnose sys tcpsock
0.0.0.0:10400->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:10401->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:10402->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0

Disk information:
FG100D3G13828247 # diagnose hardware deviceinfo disk
Disk Internal        ref: 255  29.8GB    type: SSD [ATA 32GB SATA Flash] dev: /dev/sda
Disk SYSTEM(boot)    ref:       1.9GB    type: USB [FORTINET 67_V060324_002] dev: /dev/sdb
  partition ref:     247.0MB, 208.0MB free  mounted: N  label:  dev: /dev/sdb1(boot) start: 0
  partition ref:     247.0MB, 197.0MB free  mounted: Y  label:  dev: /dev/sdb2(boot) start: 0
  partition ref:  19   1.3GB,   1.3GB free  mounted: Y  label: 0BEC4ED9705DC13A dev: /dev/sdb3 start: 0

Total available disks: 2
Max SSD disks: 1  Available storage disks: 0

# diag hardware smartctl /dev/sda -a    check flash wear (SMART data)

How loaded is the 100D? Record the output of these commands:
get sys status
get sys perf status   (run 5 times)
get hard status
exec disk list
show log disk setting
show log disk filter
diag sys session full-stat   (run 5 times)
diag sys top   (let it run for 1 minute)
diag vpn tunnel list

# get hardware status
# get system status
# get system performance status
# diagnose sys flash list
# diagnose autoupdate versions
# diagnose hardware sysinfo memory
# diagnose hardware sysinfo shm
# diagnose debug crashlog read
# diagnose hardware deviceinfo disk
# diagnose sys session stat
# diagnose sys top 5 40 (press "q" to quit the sys top)
# diagnose sys top-summary (press "q" to quit the sys top)

# get hardware memory
# diagnose hardware sysinfo memory
# diag hardware sysinfo slab
# fnsysctl df -h

# execute log delete-all


link-monitor configuration:
Gateway detection (link health monitor) in FOS 5.4; when the probes to the server fail, the static routes on that interface are withdrawn so traffic fails over:
config system link-monitor
    edit "LT"
        set srcintf "wan1"
        set server 222.249.171.217
        set gateway-ip 222.249.171.217
        set interval 3
    next
end

IPS process troubleshooting commands (data to collect; the list starts at step 2 in the original notes):
2) Enable memory tracking. 
diag ips memory track-size 1536 1792 
diag ips memory track enable 

3) run following commands: 
get sys status 
diag autoupdate version 
get sys per status 
diag sys top-summary "-n 30 -i 5 -s mem" 
diag sys top 99 5 
diag hard sys mem 
diag hard sys shm 
diag hardware sysinfo slab 

diag ips memory status 
diag ips memory track-print 
diag ips session content 
diag ips session performance 
diag ips session status 
diag ips session content 
diagnose ips raw status 
diag test application ipsmonitor 3 
diag test application ipsmonitor 1 

Please also collect the output of these diagnose commands:

# fnsysctl df -h

Find the process id of ips engine daemon, then run these commands:

# fnsysctl cat /proc/[process id]/status
# fnsysctl cat /proc/[process id]/maps
# fnsysctl cat /proc/[process id]/smaps
# fnsysctl cat /proc/[process id]/statm

Filtering CLI output with grep (plain grep prints the matching line only; grep -f prints the full enclosing config block of each match):
FGVM000000091991 # show full-configuration  | grep 10000
    set database-overflow-max-lsas 10000

FGVM000000091991 # show full-configuration  | grep  -f  10000
config router ospf
    set abr-type standard
    set auto-cost-ref-bandwidth 1000
    set bfd disable
    set database-overflow disable
    set database-overflow-max-lsas 10000 <---
    set database-overflow-time-to-recover 300
    set default-information-metric 10
    set default-information-metric-type 2
    set default-information-originate disable
    set default-information-route-map ''
    set default-metric 10
    set distance 110
    set distance-external 110
    set distance-inter-area 110
    set distance-intra-area 110
    set distribute-list-in ''
    set restart-mode none
    set restart-period 120
    set rfc1583-compatible disable
    set router-id 0.0.0.0
    set spf-timers 5 10
end

Common system troubleshooting commands for high CPU/MEM:
# get system status 
# get system performance status
# diagnose hardware sysinfo memory

MemTotal:       995012 kB
MemFree:        376716 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:       995012 kB
LowFree:        376716 kB

# diagnose hardware sysinfo slab
kmem_cache            80     80    248    5    5    1 0 :  252  126
tcp_session              106    416    960   45  104    1 622 :  124   62
ip_session                98    148    896   37   37    1 1024 :  124   62
tcp_open_request   20     20    192    1    1    1 38 :  252  126
ip_dst_cache           126    312    320   26   26    1 195 :  124   62
ip_fib_hash             23    112     32    1    1    1 0 :  252  126
arp_cache               15     15    256    1    1    1 0 :  252  126

# diagnose sys top 10 
Run Time:  1 days, 18 hours and 55 minutes
1U, 0N, 0S, 99I; 3951T, 2633F
       ipsengine      453      S <     0.9     1.8
       ipsengine      454      S <     0.4     1.8
         reportd       81      S       0.0     3.5
         miglogd       64      S       0.0     1.5
         miglogd      118      S       0.0     1.1
         pyfcgid     6619      S       0.0     0.8
         pyfcgid     6620      S       0.0     0.8
         pyfcgid     6621      S       0.0     0.8
         pyfcgid     6617      S       0.0     0.8
          httpsd     5319      S       0.0     0.7
         cmdbsvr       45      S       0.0     0.7
          newcli     6594      S       0.0     0.7
          httpsd     6390      S       0.0     0.6
       ipshelper       75      S <     0.0     0.6
          httpsd       66      S       0.0     0.5
             wad      404      S       0.0     0.5
          httpsd      116      S       0.0     0.5
          newcli     6624      R       0.0     0.4
          newcli     6592      S       0.0     0.4
       forticron       76      S       0.0     0.4
       (columns: process name, PID, state, CPU%, MEM%; header line: U=user, N=nice, S=system, I=idle CPU %; T=total and F=free memory in MB)

Shift + P   sort by CPU usage
Shift + M   sort by memory usage
Ctrl  + C   quit

FG200D3915803188 # diagnose sys top-summary
   CPU [||||||||||||||||||||                    ]  50.0%
   Mem [|||||||||||||                           ]  34.0%  1353M/3951M
   Processes: 20 (running=1 sleeping=96)

   PID      RSS  ^CPU% MEM%   FDS     TIME+  NAME
 * 400      17M    0.0  0.4    30  00:01.50  scanunitd [x3]
   401      14M    0.0  0.4    19  00:00.60  urlfilter
   670      12M    0.0  0.3    14  00:00.10  ovrd
   35        3M    0.0  0.1     5  00:00.00  mrvl3135_worker
   45       29M    0.0  0.7    12  00:35.18  cmdbsvr
   51       13M    0.0  0.3    89  00:01.10  zebos_launcher [x12]
   6332     11M    0.0  0.3    35  00:00.00  iked
   63       12M    0.0  0.3    12  00:00.00  uploadd
   64       60M    0.0  1.5    55  00:38.76  miglogd [x2]
   65       12M    0.0  0.3     8  00:00.00  kmiglogd
   66       34M    0.0  0.9    19  00:05.30  httpsd [x4]
   68       12M    0.0  0.3     8  00:00.00  getty
   69      147M    0.0  3.7   107  13:55.58  ipsmonitor [x4]
   72       12M    0.0  0.3    11  00:00.00  merged_daemons
   73       13M    0.0  0.3    12  00:00.10  fnbamd
   74       12M    0.0  0.3    12  00:00.20  fclicense
   76       17M    0.0  0.4    22  00:00.20  forticron
   77       14M    0.0  0.4    15  00:00.98  forticldd
   78       13M    0.0  0.4    39  00:00.19  authd [x3]
   79       13M    0.0  0.3    19  00:00.00  foauthd

FG200D3915803188 # diagnose sys top-summary "-n 100"
   CPU [||||||||||||||||||||                    ]  50.0%
   Mem [|||||||||||||                           ]  34.0%  1353M/3951M
   Processes: 46 (running=1 sleeping=96)

   PID      RSS  ^CPU% MEM%   FDS     TIME+  NAME
 * 400      17M    0.0  0.4    30  00:01.50  scanunitd [x3]
   401      14M    0.0  0.4    19  00:00.60  urlfilter
   670      12M    0.0  0.3    14  00:00.10  ovrd
   35        3M    0.0  0.1     5  00:00.00  mrvl3135_worker
   45       29M    0.0  0.7    12  00:35.18  cmdbsvr
   51       13M    0.0  0.3    89  00:01.10  zebos_launcher [x12]
   6332     12M    0.0  0.3    35  00:00.00  iked
   63       12M    0.0  0.3    12  00:00.00  uploadd
   64       60M    0.0  1.5    55  00:38.76  miglogd [x2]
   65       12M    0.0  0.3     8  00:00.00  kmiglogd
   66       34M    0.0  0.9    19  00:05.40  httpsd [x4]
   68       12M    0.0  0.3     8  00:00.00  getty
   69      147M    0.0  3.7   107  13:56.40  ipsmonitor [x4]
   72       12M    0.0  0.3    11  00:00.00  merged_daemons
   73       13M    0.0  0.3    12  00:00.10  fnbamd
   74       12M    0.0  0.3    12  00:00.20  fclicense
   76       17M    0.0  0.4    22  00:00.20  forticron
   77       14M    0.0  0.4    15  00:00.98  forticldd
   78       13M    0.0  0.4    39  00:00.19  authd [x3]
   79       13M    0.0  0.3    19  00:00.00  foauthd
   80       12M    0.0  0.3     9  00:00.12  httpclid
   81      140M    0.0  3.6    16  00:12.38  reportd
   83       14M    0.0  0.4    32  00:00.10  voipd
   399      22M    0.0  0.6   606  07:35.60  wad [x3]
   398      12M    0.0  0.3    48  00:00.25  proxyd [x2]
   88       14M    0.0  0.4    13  00:35.36  updated
   6617     48M    0.0  1.2    13  00:00.44  pyfcgid [x5]
   91       13M    0.0  0.3    13  00:00.37  snmpd
   92       13M    0.0  0.3    21  00:00.60  dhcpd
   94       12M    0.0  0.3    16  00:00.60  ntpd
   95       44M    0.0  1.1    19  00:01.23  sshd [x6]
   96       12M    0.0  0.3    10  00:00.00  telnetd
   97       12M    0.0  0.3    13  00:00.80  quard
   98       12M    0.0  0.3    10  00:00.30  alertmail
   99       14M    0.0  0.4    28  00:09.36  dnsproxy
   103      13M    0.0  0.3    11  00:00.20  eap_proxy
   104      16M    0.0  0.4    16  00:00.10  fgfmd
   105      16M    0.0  0.4    23  00:00.90  cw_acd
   108      12M    0.0  0.3    12  00:00.00  wpad_ac
   109      12M    0.0  0.3    13  00:00.10  fortilinkd
   110      14M    0.0  0.4    19  00:00.50  cu_acd
   111      12M    0.0  0.3    11  00:00.10  swctrl_authd
   112      12M    0.0  0.3    13  00:00.00  flcfgd
   113     764K    0.0  0.0    13  00:00.00  usbmuxd
   114      12M    0.0  0.3    11  00:00.00  fsd
   115      12M    0.0  0.3    11  00:00.00  radius-das

FG200D3915803188 # diagnose sys top-summary "-s mem -i 60 -n 10"
   CPU [||||||||||||||||||||                    ]  50.0%
   Mem [|||||||||||||                           ]  34.0%  1368M/3951M
   Processes: 10 (running=1 sleeping=96)

   PID      RSS   CPU% ^MEM%   FDS     TIME+  NAME
 * 69      147M    0.0  3.7   107  14:00.60  ipsmonitor [x4]
   81      140M    0.0  3.6    16  00:12.43  reportd
   64       60M    0.0  1.5    55  00:38.97  miglogd [x2]
   6617     56M    0.0  1.4    13  00:00.73  pyfcgid [x5]
   95       44M    0.0  1.1    19  00:01.31  sshd [x6]
   66       34M    0.0  0.9    19  00:05.27  httpsd [x4]
   45       29M    0.0  0.7    12  00:35.18  cmdbsvr
   399      22M    0.0  0.6   536  07:36.87  wad [x3]
   400      17M    0.0  0.4    30  00:01.50  scanunitd [x3]
   76       17M    0.0  0.4    22  00:00.20  forticron


# diagnose hardware  sysinfo shm
SHM counter:        62032
SHM allocated:   38210422
SHM total:     3637624832
conservemode:                   0   NO System/Proxy  | 1 Proxy conserve mode | 2 System/Kernel conserve mode
shm last entered:     n/a
system last entered:  n/a
SHM FS total:  3715198976
SHM FS free:   3675385856
SHM FS avail:  3675385856
SHM FS alloc:    39813120

2 = System/Kernel conserve mode, entered and left on these low-memory thresholds:
LowTotal < 1 GB:  red (enter) when LowFree < 20% of LowTotal, green (leave) when LowFree > 30% of LowTotal
LowTotal >= 1 GB: red (enter) when LowFree < 200 MB, green (leave) when LowFree > 300 MB
(between the two thresholds the box stays in whatever state it is already in)

Actions while in kernel conserve mode:
Proxies are bypassed (proxy-based inspection is skipped for new sessions)
FortiGate configuration cannot be changed
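To apply the thresholds above to real output, here is an added Python helper written for these notes (not FortiOS code). It parses the MemTotal/MemFree style output of "diagnose hardware sysinfo memory" shown earlier and classifies the box. Reading "Red: LowFree=200M" as "below 200 MB" and "Green: LowFree=300M" as "above 300 MB" is my interpretation of the notes; the sample text is the output shown earlier on this page.

```python
import re

# Added example for these notes (not FortiOS code): parse the MemTotal/MemFree style
# output of "diagnose hardware sysinfo memory" and apply the conserve-mode thresholds
# listed above. Reading "Red: LowFree=200M" as "below 200 MB" and "Green: LowFree=300M"
# as "above 300 MB" is my interpretation of the notes; the sample is the output above.

ONE_GB_KB = 1024 * 1024

def parse_meminfo(text):
    """Return {'MemTotal': kB, 'LowFree': kB, ...} from the command output."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r'^(\w+):\s+(\d+) kB', text, re.MULTILINE)}

def conserve_state(low_total_kb, low_free_kb):
    """'red' (conserve mode entered), 'green' (left), or 'yellow' (between thresholds)."""
    if low_total_kb < ONE_GB_KB:
        free_pct = 100.0 * low_free_kb / low_total_kb
        if free_pct < 20:
            return "red"
        return "green" if free_pct > 30 else "yellow"
    free_mb = low_free_kb / 1024
    if free_mb < 200:
        return "red"
    return "green" if free_mb > 300 else "yellow"

def assess(text):
    mem = parse_meminfo(text)
    total = mem.get("LowTotal") or mem["MemTotal"]   # HighTotal is 0 on these boxes
    free = mem.get("LowFree") or mem["MemFree"]
    return {"low_total_kb": total, "low_free_kb": free,
            "free_pct": round(100.0 * free / total, 1), "state": conserve_state(total, free)}

SAMPLE_MEMINFO = """
MemTotal:       995012 kB
MemFree:        376716 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:       995012 kB
LowFree:        376716 kB
"""

if __name__ == "__main__":
    print(assess(SAMPLE_MEMINFO))
```

For the sample box (995012 kB low memory, 376716 kB free, about 37.9% free) the result is green; the same free percentage on a 4 GB box would be judged on the absolute 200 MB / 300 MB thresholds instead.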



1 Proxy conserve mode

# get system arp
# get system performance firewall statistics 
# get system performance firewall packet-distribution
# get system session status
# get system session list 

Configuring FortiManager management:
config system central-management
    set type fortimanager
    set fmg "192.168.147.250"
    set fmg-source-ip 101.1.1.2
end

Most-used FGT commands:
# config system global
#    set hostname "FGT-Master"                     //device name
#    set language simch                            //switch the language to simplified Chinese
#    set timezone 55                               //time zone (GMT+8)
#    set tcp-halfclose-timer 120                   //TCP half-close idle timeout
#    set tcp-halfopen-timer 10                     //TCP half-open (handshake not completed) timeout
#    set tcp-timewait-timer 1                      //TCP TIME_WAIT timeout
#    set udp-idle-timer 180                        //UDP session idle timeout
#    end

# config system session-ttl               //idle timeout for established TCP sessions
#    set default 3600
#    end
 
# get system status                       //system status
# get router info routing-table all       //routing table
# get system arp                          //ARP table
# diagnose ip address list                //interface IP list
# get system performance status           //performance status (CPU/MEM/session setup rate/concurrent sessions)
# get system performance top              //top processes

http://note.youdao.com/noteshare?id=e9d0c97cce36b87069536d819567c789
The Youdao note is updated from time to time


config ips global
    set sync-session-ttl disable
end

config system npu
    set dedicated-management-cpu enable
    set np6-cps-optimization-mode disable 
end
// np6-cps-optimization-mode: on a single physical (multi-core) CPU, enabling it raises new-session (CPS) performance by about 30%; on boxes with several physical CPUs it is not recommended in real deployments. NGFW tuning.

IPS/AV: proxy-based and flow-based inspection cannot be mixed

Password recovery account:
maintainer
The password is bcpb followed by the device serial number; it is accepted only on the console, for a short window right after a reboot, e.g.:

bcpbFG900D3917800436

bcpbFG1K2D3I17800162

Anyone with console access can use this account, so where physical access is not trusted disable it with admin-maintainer disable under config system global (with it disabled there is no password-recovery path short of reloading the firmware from the boot menu).

Out-of-order packets:
Fixed by enabling this option on the policy; it delays offloading the TCP session to the NPU until the 3-way handshake has completed, so the CPU and the NPU do not forward packets of the same session out of order:
 set delay-tcp-npu-session enable

config firewall policy
    edit 141
        set srcintf "VLAN4" "VLAN1010" "VLAN3000"
        set dstintf "VLAN3"
        set srcaddr "192.168.121.187"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set delay-tcp-npu-session enable
        set nat enable
        set ippool enable
        set poolname "58.213.19.157"
    next
end

FG100E4Q16003872 #  get sys perf stat
CPU states: 2% user 2% system 0% nice 96% idle 0% iowait 0% irq 0% softirq
CPU0 states: 4% user 2% system 0% nice 94% idle 0% iowait 0% irq 0% softirq
CPU1 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU2 states: 6% user 5% system 0% nice 89% idle 0% iowait 0% irq 0% softirq
CPU3 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
Memory: 3112996k total, 1182116k used (37%), 1857320k free (59%), 73560k freeable (2%)
Average network usage: 317 / 284 kbps in 1 minute, 293 / 206 kbps in 10 minutes, 220 / 63 kbps in 30 minutes
Average sessions: 364 sessions in 1 minute, 279 sessions in 10 minutes, 145 sessions in 30 minutes
Average session setup rate: 26 sessions per second in last 1 minute, 18 sessions per second in last 10 minutes, 6 sessions per second in last 30 minutes
Average NPU sessions: 0 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
Average nTurbo sessions: 0 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 4 days,  11 hours,  14 minutes


Changing the interface MTU / TCP MSS, and viewing the interface MTU

FG100E4Q16003872 # diagnose netlink interface list | grep mtu
if=lo family=00 type=772 index=1 mtu=16436 link=0 master=0
if=dummy0 family=00 type=1 index=2 mtu=1500 link=0 master=0
if=nturbo_rx family=00 type=1 index=3 mtu=1500 link=0 master=0
if=nturbo_tx family=00 type=1 index=4 mtu=1500 link=0 master=0
if=dmz family=00 type=1 index=5 mtu=1500 link=0 master=0
if=mgmt family=00 type=1 index=6 mtu=1500 link=0 master=0
if=wan1 family=00 type=1 index=7 mtu=1500 link=0 master=0
if=wan2 family=00 type=1 index=8 mtu=1500 link=0 master=0
if=ha1 family=00 type=1 index=9 mtu=1500 link=0 master=0
if=ha2 family=00 type=1 index=10 mtu=1500 link=0 master=0
if=port1 family=00 type=1 index=11 mtu=1500 link=0 master=32
if=port2 family=00 type=1 index=12 mtu=1500 link=0 master=32
if=port3 family=00 type=1 index=13 mtu=1500 link=0 master=0
if=port4 family=00 type=1 index=14 mtu=1500 link=0 master=0
if=port5 family=00 type=1 index=15 mtu=1500 link=0 master=0
if=port6 family=00 type=1 index=16 mtu=1500 link=0 master=0
if=port7 family=00 type=1 index=17 mtu=1500 link=0 master=0
if=port8 family=00 type=1 index=18 mtu=1500 link=0 master=0
if=port9 family=00 type=1 index=19 mtu=1500 link=0 master=0
if=port10 family=00 type=1 index=20 mtu=1500 link=0 master=0
if=port11 family=00 type=1 index=21 mtu=1500 link=0 master=0
if=port12 family=00 type=1 index=22 mtu=1500 link=0 master=0
if=port13 family=00 type=1 index=23 mtu=1500 link=0 master=0
if=port14 family=00 type=1 index=24 mtu=1500 link=0 master=0
if=port15 family=00 type=1 index=25 mtu=1500 link=0 master=0
if=port16 family=00 type=1 index=26 mtu=1500 link=0 master=0
if=npu0_vlink0 family=00 type=1 index=27 mtu=15324 link=0 master=0
if=npu0_vlink1 family=00 type=1 index=28 mtu=15324 link=0 master=0
if=modem family=00 type=512 index=29 mtu=1500 link=0 master=0
if=root family=00 type=772 index=30 mtu=16436 link=0 master=0
if=ssl.root family=00 type=65534 index=31 mtu=1500 link=0 master=0
if=BOND1 family=00 type=1 index=32 mtu=1500 link=0 master=0
if=vsw.BOND1 family=00 type=1 index=33 mtu=1500 link=0 master=0
if=qtn.BOND1 family=00 type=1 index=34 mtu=1500 link=0 master=0
if=VLAN100 family=00 type=1 index=35 mtu=1500 link=0 master=0
if=VLAN200 family=00 type=1 index=36 mtu=1500 link=0 master=0
if=VLAN901 family=00 type=1 index=37 mtu=1500 link=0 master=0
if=VLAN12 family=00 type=1 index=38 mtu=1500 link=0 master=0
if=VLAN13 family=00 type=1 index=39 mtu=1500 link=0 master=0
if=lan family=00 type=1 index=40 mtu=1500 link=0 master=0
if=vsys_ha family=00 type=772 index=41 mtu=16436 link=0 master=0
if=port_ha family=00 type=1 index=42 mtu=1496 link=0 master=0
if=vsys_fgfm family=00 type=772 index=43 mtu=16436 link=0 master=0
if=tun_fgfm family=00 type=65534 index=44 mtu=1492 link=0 master=0
if=B family=00 type=768 index=45 mtu=1438 link=0 master=0

FG100E4Q16003872 # config system interface
FG100E4Q16003872 (interface) # edit wan1
FG100E4Q16003872 (wan1) # set tcp-mss 1452
FG100E4Q16003872 (wan1) # end
FG100E4Q16003872 # config firewall policy
FG100E4Q16003872 (policy) # edit 1
FG100E4Q16003872 (1) # set tcp-mss-sender 1452
FG100E4Q16003872 (1) # set tcp-mss-receiver 1452
FG100E4Q16003872 (1) # end


Clearing policy hit-count statistics:
To show the statistics of policy <policy_id>:
# diag firewall iprope show 100004 <policy_id>
For example:
# diag firewall iprope show 100004 2
idx=2 pkts/bytes=1732/262451

To clear the statistics for this policy:
# diag firewall iprope clear 100004 2 

# diag firewall iprope show 100004 2
idx=2 pkts/bytes=0/0


Link-monitor configuration:
config system link-monitor
    edit "Monitor_WAN1_DX"
        set srcintf "wan1"
        set server "www.189.cn"
        set gateway-ip 116.228.1.25
        set source-ip 116.228.1.26
        set failtime 3
        set recoverytime 3
    next
    edit "Monitor_WAN2"
        set srcintf "wan2"
        set server "www.10010.com"
        set gateway-ip 210.13.66.117
        set source-ip 210.13.66.118
        set failtime 3
        set recoverytime 3
    next
end

Packet reordering:
TCP out-of-order packets
config firewall policy
    edit 1
        set name "TO_Internet_Policy"
        set srcintf "port11"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set delay-tcp-npu-session enable
        set nat enable
    next
end


All packets out of order:
config port-cpu-map
    edit "port9"
        set cpu-core "3"
    next
    edit "port11"
        set cpu-core "3"
    next
end

FG900D3915800574 # get hardware status 
Model name: FortiGate-900D
ASIC version: CP8
ASIC SRAM: 64M
CPU: Intel(R) Xeon(R) CPU E3-1225 v3 @ 3.20GHz
Number of CPUs: 4
RAM: 16065 MB
Compact Flash: 1925 MB /dev/sda
Hard disk: 244198 MB /dev/sdb
USB Flash: not available
Network Card chipset: FortiASIC NP6 Adapter (rev.)

FG900D3915800574 # get system performance status
CPU states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU0 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU1 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU2 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU3 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
Memory: 16450708k total, 3300036k used (20%), 13150672k free (80%)
Average network usage: 49 / 4 kbps in 1 minute, 46 / 1 kbps in 10 minutes, 46 / 0 kbps in 30 minutes
Average sessions: 49 sessions in 1 minute, 35 sessions in 10 minutes, 32 sessions in 30 minutes
Average session setup rate: 0 sessions per second in last 1 minute, 0 sessions per second in last 10 minutes, 0 sessions per second in last 30 minutes
Average NPU sessions: 1 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
Average nTurbo sessions: 0 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 1 days,  19 hours,  20 minutes


Logging abnormal packets that do not create a session:

To see logs for abnormal packets that do not create a session, such as SYN+ACK / FIN+ACK and so on, or for RPF (reverse path) check failures:
config log setting
    set log-invalid-packet enable
end

config log disk filter
    set severity warning
    set forward-traffic enable
end
date=2018-02-08 time=21:14:13 logid=0000000007 type=traffic subtype=forward level=warning vd=root srcip=124.124.125.27 srcport=46311 srcintf="port24" dstip=133.133.133.122 dstport=80 dstintf=unknown-0 proto=6 action=deny policyid=0 dstcountry="Japan" srccountry="India" trandisp=noop service="HTTP" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 msg="no session matched"

date=2018-02-08 time=21:49:19 logid=0000000007 type=traffic subtype=forward level=warning vd=root srcip=124.124.124.255 srcport=15062 srcintf="port24" dstip=133.133.133.122 dstport=80 dstintf=unknown-0 sessionid=2095719319 proto=6 action=deny policyid=0 dstcountry="Japan" srccountry="India" trandisp=noop service="HTTP" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 msg="reverse path check fail(bad src),drop"
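The two warning-level lines above are the log-invalid-packet events a defender wants to count per source. The parser below is an added example (not from the page or FortiOS): it splits FortiOS key=value log lines (quoted values may contain spaces), classifies the invalid-packet messages, and tallies them by source IP; the third sample line is a constructed normal accept log for contrast, and its values are made up.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two warning lines from the page plus one made-up
# ordinary accept line so that the classifier has a negative case.
SAMPLE_LOGS = [
    'date=2018-02-08 time=21:14:13 logid=0000000007 type=traffic subtype=forward '
    'level=warning vd=root srcip=124.124.125.27 srcport=46311 srcintf="port24" '
    'dstip=133.133.133.122 dstport=80 dstintf=unknown-0 proto=6 action=deny '
    'policyid=0 dstcountry="Japan" srccountry="India" trandisp=noop service="HTTP" '
    'duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 msg="no session matched"',
    'date=2018-02-08 time=21:49:19 logid=0000000007 type=traffic subtype=forward '
    'level=warning vd=root srcip=124.124.124.255 srcport=15062 srcintf="port24" '
    'dstip=133.133.133.122 dstport=80 dstintf=unknown-0 sessionid=2095719319 '
    'proto=6 action=deny policyid=0 dstcountry="Japan" srccountry="India" '
    'trandisp=noop service="HTTP" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 '
    'msg="reverse path check fail(bad src),drop"',
    # constructed accept line (values are not from any real device)
    'date=2018-02-08 time=21:50:01 logid=0000000013 type=traffic subtype=forward '
    'level=notice vd=root srcip=10.0.0.5 srcport=51000 srcintf="port1" '
    'dstip=133.133.133.122 dstport=80 dstintf="port24" proto=6 action=accept '
    'policyid=7 service="HTTP" msg="constructed example"',
]

# key=value pairs: the value is either a double-quoted string (backslash
# escapes allowed, as FortiOS writes them) or a run of non-space characters.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value log line into a dict (quotes stripped)."""
    rec: Dict[str, str] = {}
    for key, val in _KV.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1].replace('\\"', '"')
        rec[key] = val
    return rec


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return the invalid-packet category of a record, or None if it is not one.

    Both categories on the page share logid 0000000007, level warning,
    action=deny and policyid=0 (no policy was matched at all).
    """
    if rec.get("logid") != "0000000007" or rec.get("action") != "deny":
        return None
    msg = rec.get("msg", "")
    if msg.startswith("no session matched"):
        return "no_session"   # out-of-state TCP, e.g. a stray SYN+ACK / FIN+ACK
    if msg.startswith("reverse path check fail"):
        return "rpf_fail"     # source not routable back through the ingress interface
    return "other_invalid"


def summarize(lines: List[str]) -> Dict[Tuple[str, str], int]:
    """Count invalid-packet events per (category, source IP)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_log(line)
        cat = classify(rec)
        if cat is not None:
            counts[(cat, rec.get("srcip", "?"))] += 1
    return dict(counts)


if __name__ == "__main__":
    for (cat, src), n in sorted(summarize(SAMPLE_LOGS).items()):
        print(f"{cat:<14} {src:<16} {n}")
```

A source that dominates the rpf_fail bucket is either spoofing or arriving over an asymmetric path; the no_session bucket is where asymmetric return traffic shows up once log-invalid-packet is enabled.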


Dropped packets also create a session, which is kept for 30 s. In some cases this can mitigate certain DDoS attacks:
config system settings
    set ses-denied-traffic enable
end

BJFG300D (settings) # set ses-denied-traffic 
enable     Include denied sessions in the session table.
disable    Do not add denied sessions to the session table.

BJFG300D (global) # get | grep sess
auth-session-limit  : block-new 
av-failopen-session : disable 
block-session-timer : 30
proxy-re-authentication-mode: session 
reset-sessionless-tcp: disable 
strict-dirty-session-check: enable 


Technical Note: Technical support on customization on various Fortinet products
http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD33500
Custom IPS signatures from Fortinet
Customizing reports generated by FortiGate


Long-lived sessions:
Technical Note : Changing the TCP session TTL (time to live) on a FortiGate
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30171&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=47234697&stateId=1%200%2047236305

Technical Note: Priority of session-ttl settings in FortiGate
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD37296&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=47234747&stateId=1%200%2047236355

Technical Note: Session TTL values and Policy RST for Sessions
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36001&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=47234747&stateId=1%200%2047236355


Optical module power: checking fiber attenuation and transceiver power
FG3K2D3Z17800004 # get sys interface transceiver
Interface port5: SFP/SFP+
  Vendor Name: Axcen Photonics
  Part No.   : AXXE-5886-05B1
  Serial No. : AX16430003258 
Interface port6: SFP/SFP+
  Vendor Name: OEM           
  Part No.   : DEM-431TX     
  Serial No. : H08LA0039     
Interface port7: SFP/SFP+
  Vendor Name: OEM           
  Part No.   : SFP-T-F       
  Serial No. : F80T061       
Interface port8: SFP/SFP+
  Vendor Name: OEM           
  Part No.   : SFP-GE-T      
  Serial No. : CSGETG40333   
Interface port17: SFP/SFP+
  Vendor Name: Axcen Photonics
  Part No.   : AXXE-5886-05B1
  Serial No. : AX15190014113 
Interface port18: SFP/SFP+
  Vendor Name: Axcen Photonics
  Part No.   : AXXE-5886-05B1
  Serial No. : AX15190014090 
Interface port19: SFP/SFP+
  Vendor Name: Axcen Photonics
  Part No.   : AXXE-5886-05B1
  Serial No. : AX15190014109 
Interface port25: SFP/SFP+
  Vendor Name: OPLINK        
  Part No.   : TPP1XGDS0E000E2
  Serial No. : 7331850       

                                      Optical    Optical    Optical
SFP/SFP+      Temperature  Voltage    Tx Bias    Tx Power   Rx Power
Interface     (Celsius)    (Volts)    (mA)       (dBm)      (dBm)
------------  -----------  ---------  ---------  ---------  --------
       port5   32.5         3.31       6.07       -1.8       -1.4  
       port6   35.4         3.23       6.10       -1.8       -2.5  
       port7   N/A          N/A        N/A        N/A        N/A
       port8   N/A          N/A        N/A        N/A        N/A
      port17   34.0         3.31       5.78       -1.9       -1.0 +
      port18   33.8         3.32       7.43       -1.9       -1.8  
      port19   34.1         3.30       6.27       -1.8       -1.3  
      port25   23.0         3.27       5.18       -2.6       -1.7  
  ++ : high alarm, + : high warning, - : low warning, -- : low alarm, ? : suspect.
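A parser for the power table above, as an added example (not from the page or Fortinet): it attaches a trailing marker (`+`, `++`, `-`, `--`, `?`) to the reading it qualifies and reports findings per port. The sample rows are constructed from the table, with port25 changed to a low-alarm value to exercise that path, and the -10 dBm Rx floor is an assumed threshold, not a Fortinet default.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: header and legend as printed by the device, four rows
# taken from the table above, port25's Rx value altered to trigger a low alarm.
SAMPLE_TABLE = """\
                                      Optical    Optical    Optical
SFP/SFP+      Temperature  Voltage    Tx Bias    Tx Power   Rx Power
Interface     (Celsius)    (Volts)    (mA)       (dBm)      (dBm)
------------  -----------  ---------  ---------  ---------  --------
       port5   32.5         3.31       6.07       -1.8       -1.4  
       port7   N/A          N/A        N/A        N/A        N/A
      port17   34.0         3.31       5.78       -1.9       -1.0 +
      port25   23.0         3.27       5.18       -2.6      -12.4 --
  ++ : high alarm, + : high warning, - : low warning, -- : low alarm, ? : suspect.
"""

COLUMNS = ("temperature", "voltage", "tx_bias", "tx_power", "rx_power")
MARKERS = {"++": "high alarm", "+": "high warning",
           "-": "low warning", "--": "low alarm", "?": "suspect"}
# A data row is an interface name followed by a number or N/A; header,
# separator and legend lines do not match.
_ROW = re.compile(r"^\s*(\S+)\s+(?:-?\d|N/A)")

Reading = Tuple[Optional[float], Optional[str]]   # (value, marker)


def parse_transceivers(text: str) -> Dict[str, Dict[str, Reading]]:
    """Parse the DDM table into {port: {column: (value, marker)}}."""
    ports: Dict[str, Dict[str, Reading]] = {}
    for line in text.splitlines():
        if not _ROW.match(line):
            continue
        tokens = line.split()
        name, readings = tokens[0], []
        for tok in tokens[1:]:
            if tok in MARKERS:
                if readings:                     # marker qualifies the preceding reading
                    val, _ = readings[-1]
                    readings[-1] = (val, tok)
                continue
            readings.append((None if tok == "N/A" else float(tok), None))
        ports[name] = dict(zip(COLUMNS, readings))
    return ports


def health_report(ports: Dict[str, Dict[str, Reading]],
                  rx_floor_dbm: float = -10.0) -> List[Tuple[str, str, str]]:
    """List (port, column, reason): every device marker, plus Rx below the assumed floor.

    N/A rows (copper SFPs without DDM, like port7) produce no finding.
    """
    findings = []
    for name, cols in ports.items():
        for col, (val, mark) in cols.items():
            if mark:
                findings.append((name, col, MARKERS[mark]))
        rx, _ = cols.get("rx_power", (None, None))
        if rx is not None and rx < rx_floor_dbm:
            findings.append((name, "rx_power", f"below {rx_floor_dbm} dBm"))
    return findings


if __name__ == "__main__":
    for port, col, reason in health_report(parse_transceivers(SAMPLE_TABLE)):
        print(f"{port:<8} {col:<12} {reason}")
```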



FGT1KD3915801542 # execute  sensor list 
1 CPU VCCP          alarm=0  value=1.7743  threshold_status=0
2 PVDDQ             alarm=0  value=1.52  threshold_status=0
3 DDR VTT           alarm=0  value=0.768  threshold_status=0
4 CPU VCORE         alarm=0  value=1.776  threshold_status=0
5 NCT 3VDD          alarm=0  value=3.36  threshold_status=0
6 NCT VCC3          alarm=0  value=3.312  threshold_status=0
7 NCT 3VSB_HM       alarm=0  value=3.312  threshold_status=0
8 NCT CPU_Vtt       alarm=0  value=1.008  threshold_status=0
9 NCT VBAT          alarm=0  value=3.168  threshold_status=0
10 PCB Temp.         alarm=0  value=28  threshold_status=0 // mainboard temperature
11 D1                alarm=0  value=42  threshold_status=0
12 D2                alarm=0  value=40  threshold_status=0
13 TR3               alarm=0  value=27  threshold_status=0
14 DTS CPU           alarm=0  value=53  threshold_status=0 // CPU temperature
15 CPU Core 0        alarm=0  value=54  threshold_status=0 // CPU core temperature
16 CPU Core 1        alarm=0  value=52  threshold_status=0
17 CPU Core 2        alarm=0  value=54  threshold_status=0
18 CPU Core 3        alarm=0  value=51  threshold_status=0
19 Sys Fan 1         alarm=0  value=3200  threshold_status=0 // mainboard fan, 3200 rpm
20 Sys Fan 2         alarm=0  value=3200  threshold_status=0 // mainboard fan, 3200 rpm
21 Sys Fan 3         alarm=0  value=3200  threshold_status=0 // mainboard fan, 3200 rpm
22 PS1 Ambient Temp  alarm=0  (scanning disabled)
23 PS1 Comp Temp     alarm=0  (scanning disabled)
24 PS1 Fan 1         alarm=0  (scanning disabled) // no value: the PS1 fan is not spinning, or no power supply is plugged in
25 PS1 VIN           alarm=0  (scanning disabled)
26 PS1 VOUT_12V      alarm=0  (scanning disabled)
27 PS1 Status        alarm=0  (not detected) // PS1 module not inserted
28 PS2 Ambient Temp  alarm=0  value=33  threshold_status=0
29 PS2 Comp Temp     alarm=0  value=35  threshold_status=0
30 PS2 Fan 1         alarm=0  value=12160  threshold_status=0 // PS2 power-supply fan, 12160 rpm
31 PS2 VIN           alarm=0  value=230  threshold_status=0
32 PS2 VOUT_12V      alarm=0  value=12.284  threshold_status=0
33 PS2 Status        alarm=0 // PS2 power module operating time

Technical Note: Enable creation of TCP session on the firewall without checking for a SYN packet
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD40929&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=47234673&stateId=1%200%2047236281


This command generates all kinds of logs, including attack logs:
diagnose log test    


IPsec VPN certificate authentication failure:
IPsec VPN certificate authentication involves IKE fragmentation; the peer cannot reassemble the IKE packets properly and so never obtains the complete certificate:


Synchronize the TTL between IPS sessions and kernel (memory) sessions:
config ips global
    set sync-session-ttl enable
end

View the IPS session table:
dia ips session list


BJLab-240D-90-254 # fnsysctl df -h
Filesystem                 Size       Used  Available Use% Mounted on
rootfs                     1.9G      78.8M       1.8G   4% /
tmpfs                      1.9G      78.8M       1.8G   4% /
none                       3.4G       1.3M       3.4G   0% /tmp
none                       3.4G      37.1M       3.4G   1% /dev/shm
none                       3.4G      16.6M       3.4G   0% /dev/cmdb
/dev/sda1                247.9M      41.7M     193.4M  18% /data
/dev/sda3                 14.1G      52.5M      13.4G   0% /data2
/dev/sdb1                 58.6G      17.6G      38.0G  32% /var/log





Proxy mode: the TCP option setting:
fgt-3700D-LAB # config system global
fgt-3700D-LAB (global) # get | grep tcp
reset-sessionless-tcp: disable
tcp-halfclose-timer : 120
tcp-halfopen-timer  : 10
tcp-option          : enable
tcp-timewait-timer  : 1
fgt-3700D-LAB (global) # set tcp-option
enable     Enable TCP option.
disable    Disable TCP option.


//NPx
config firewall policy 
    edit 0
        set auto-asic-offload disable
    next
end
config vpn ipsec phase1-interface 
    edit phase1 
        set npu-offload disable 
    next
end

//CPx
config system global
    set ipsec-asic-offload disable
    set ipsec-hmac-offload disable
end

Demo unit:
https://www.fortinet.com/fortidemo.intgernal.html?tdsourcetag=s_pctim_aiomsg


Clear sessions and the route cache:
FGT60D4614022596 # diagnose sys session clear
FGT60D4614022596 # diagnose ip rtcache flush

SNMP OIDs for per-firewall-policy traffic statistics:
FORTINET-FORTIGATE-MIB:fortinet.fnFortiGateMib.fgFirewall.fgFwPolicies.fgFwPolTables.fgFwPolStatsTable.fgFwPolStatsEntry.fgFwPolPktCount 1.3.6.1.4.1.12356.101.5.1.2.1.1.2
FORTINET-FORTIGATE-MIB:fortinet.fnFortiGateMib.fgFirewall.fgFwPolicies.fgFwPolTables.fgFwPolStatsTable.fgFwPolStatsEntry.fgFwPolByteCount 1.3.6.1.4.1.12356.101.5.1.2.1.1.3
FORTINET-FORTIGATE-MIB:fortinet.fnFortiGateMib.fgFirewall.fgFwPolicies.fgFwPolTables.fgFwPolStatsTable.fgFwPolStatsEntry.fgFwPolLastUsed 1.3.6.1.4.1.12356.101.5.1.2.1.1.4
FORTINET-FORTIGATE-MIB:fortinet.fnFortiGateMib.fgFirewall.fgFwPolicies.fgFwPolTables.fgFwPolStatsTable.fgFwPolStatsEntry.fgFwPolPktCountHc 1.3.6.1.4.1.12356.101.5.1.2.1.1.5
FORTINET-FORTIGATE-MIB:fortinet.fnFortiGateMib.fgFirewall.fgFwPolicies.fgFwPolTables.fgFwPolStatsTable.fgFwPolStatsEntry.fgFwPolByteCountHc 1.3.6.1.4.1.12356.101.5.1.2.1.1.6
FORTINET-FORTIGATE-MIB:fortinet.fnFortiGateMib.fgFirewall.fgFwPolicies.fgFwPolTables.fgFwPol6StatsTable.fgFwPol6StatsEntry.fgFwPol6ID 1.3.6.1.4.1.12356.101.5.1.2.2.1.1
FORTINET-FORTIGATE-MIB:fortinet.fnFortiGateMib.fgFirewall.fgFwPolicies.fgFwPolTables.fgFwPol6StatsTable.fgFwPol6StatsEntry.fgFwPol6PktCount 1.3.6.1.4.1.12356.101.5.1.2.2.1.2
FORTINET-FORTIGATE-MIB:fortinet.fnFortiGateMib.fgFirewall.fgFwPolicies.fgFwPolTables.fgFwPol6StatsTable.fgFwPol6StatsEntry.fgFwPol6ByteCount 1.3.6.1.4.1.12356.101.5.1.2.2.1.3
FORTINET-FORTIGATE-MIB:fortinet.fnFortiGateMib.fgFirewall.fgFwPolicies.fgFwPolTables.fgFwPol6StatsTable.fgFwPol6StatsEntry.fgFwPol6LastUsed 1.3.6.1.4.1.12356.101.5.1.2.2.1.4

BJFG300D # diagnose firewall iprope show 100004 105
idx=105 pkts/bytes=1617122436/1192262066204 asic_pkts/asic_bytes=1490574669/1171713194675 nturbo_pkts/nturbo_bytes=1480232974/1171074662700 flag=0x0 hit count:24589274
    first:2019-01-09 21:36:07 last:2019-03-21 09:16:02
 established session count:1248
    first est:2019-01-09 21:36:07 last est:2019-03-21 09:16:02

View per-VDOM performance metrics through the API:
GET  https://192.168.195.31/api/v2/monitor/system/vdom-resource/select?global=1

    "http_method":"GET",
    "results":{
      "cpu":1,
      "memory":13,
      "sessions":14,
      "setup_rate":0,
      "is_deletable":false
    },

dsri:
FG100E4Q16003872 # config firewall policy
FG100E4Q16003872 (policy) # edit 1
FG100E4Q16003872 (1) # set dsri
enable     Enable DSRI.
disable    Disable DSRI.
FG100E4Q16003872 (1) # set d
*dstintf                  Outgoing (egress) interface.
dstaddr                  Destination address and address group names.
dscp-match               Enable DSCP check.
devices                  Names of devices or device groups that can be matched by the policy.
disclaimer               Enable/disable user authentication disclaimer.
diffserv-forward         Enable to change packet's DiffServ values to the specified diffservcode-forward value.
diffserv-reverse         Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.
dstaddr-negate           When enabled dstaddr specifies what the destination address must NOT be.
dsri                     Enable DSRI to ignore HTTP server responses.
delay-tcp-npu-session    Enable TCP NPU session delay to guarantee packet order of 3-way handshake.
FG100E4Q16003872 (1) # set dsri enable
FG100E4Q16003872 (1) # end


Submitting an App Control request to FortiGuard:
https://www.fortiguard.com/faq/appctrlsubmit

Every time you re-download the file from the following (used for FortiSandbox testing):
http://rb3.ftnt.io/downloader

It generates a NEW file (with a different checksum), so when you test it on FSA this NEW file will NOT be detected by AV.

SACK Panic attack: CVE-2019-11477
Workaround via the TCP option setting:
config system global
   set tcp-option disable
end

The default is enable.
When enabled, fnsysctl cat /proc/sys/net/ipv4/tcp_sack returns 1.
When disabled, fnsysctl cat /proc/sys/net/ipv4/tcp_sack returns 0.

IPS signature:
F-SBID( --name "Linux.Kernel.TCP.SACK.Panic.DoS.custom"; --protocol tcp; --flow from_client; --tcp_flags S; --tcp[20] = 0x02040008,dword; --tcp.any_option=0x0402;) 

diagnose sys process daemon-auto-restart disable miglogd


Whether a policy change marks existing sessions dirty:
FGT-1500D (settings) # set firewall-session-dirty 
check-all              Flush all sessions and evaluate them anew.    // default
check-new              Keep existing sessions and check new connections only. 
check-policy-option    Allow check policy to be decided in the firewall policy.

Adjusting the number of lines in CLI output:



Technical Note: How to configure FortiGate to perform routing based on specific URLs:
https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36819&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=59580266&stateId=1%200%2059578402


Prevent policy changes from sending existing sessions back to the CPU for re-inspection:
FGT_Master # config system settings
FGT_Master (settings) # set firewall-session-dirty
check-all              All sessions affected by a firewall policy change are flushed from the session table. When new packets are recived they are re-evaluated by stateful inspection and re-added to the session table.
check-new              Estabished sessions for changed firewall policies continue without being affected by the policy configuration change. New sessions are evaluated according to the new firewall policy configuration.
check-policy-option    Sessions are managed individually depending on the firewall policy. Some sessions may restart. Some may continue.

FGT_Master (settings) # set firewall-session-dirty check-new
FGT_Master (settings) # end

check-new and check-all are different:

set firewall-session-dirty check-new

set firewall-session-dirty check-all

But for the case where no session exists yet and a new one must be created, the two behave identically.

For an already established session, if there is a problem in the external network, for example the next-hop router has no route for this session's traffic, the router returns ICMP unreachable; once the FGT receives the ICMP unreachable, that triggers deletion of the session.

The precondition for that session to be deleted is that the session is in the dirty state.

What puts a session into the dirty state? A firewall policy change, a route change affecting the session, and so on.

So, coming back to the point: if the session is never dirtied it will not be deleted; check-new keeps the session from being dirtied, so it may solve this problem.

"May" meaning: the external router's problem is only transient, a brief instability. As long as the session has not timed out and the client/server retransmission mechanism is still in play, check-new works.



What are the FGT processes for? What does each process do, and which function does it serve?
Technical Tip: How to list processes in FortiOS

https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD40822&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=152534628&stateId=0%200%20152536008%27&tdsourcetag=s_pctim_aiomsg

Disable IPsec hardware (chip) processing:
config vpn ipsec phase1-interface
    edit "beijing"
        set npu-offload disable   # default enable
    next
end

config system global
    set ipsec-asic-offload disable  # default enable
    set ipsec-hmac-offload disable  # default enable
end

config system global
    set ipsec-soft-dec-async disable
end

diagnose vpn ipsec status 


Firewall ACL: supported on E-series models with NP6; can be used to drop packets in DDoS scenarios:
FG5H1E5819904036 # config firewall acl
FG5H1E5819904036 (acl) # show
config firewall acl
end
FG5H1E5819904036 (acl) # edit
policyid    Policy ID.
FG5H1E5819904036 (acl) # edit 1
new entry '1' added
FG5H1E5819904036 (1) # show full-configuration
config firewall acl
    edit 1
        set status enable
        set comments ''
        set interface ''
    next
end
FG5H1E5819904036 (1) # set
status       Enable/disable access control list status.
comments     Comment.
*interface    Interface name.
*srcaddr      Source address name.
*dstaddr      Destination address name.
*service      Service name.
FG5H1E5819904036 (1) # set

DPD settings:

Hub-and-spoke at HQ with dial-up VPN: after a branch's PPPoE reconnects following a reboot, a route-add conflict is reported.

The cause is that the HQ VPN's dpd defaults to on-demand, so after the branch reboots HQ does not notice and keeps the tunnel up;

and because the branch obtains a different PPPoE address after the reboot, it looks as though another peer configured with the same phase 2 subnet is building a VPN to HQ, which produces the route conflict.

on-idle: the traditional mode, which uses bandwidth and CPU. DPD probes are sent when IPsec has no traffic (idle); they are withheld only when there is bidirectional IPsec traffic.

on-demand: the default. DPD probes are sent only when IPsec traffic is one-directional; otherwise no probes are sent, which saves bandwidth and reduces CPU interrupts.

DPD on-idle needs to be enabled.



Two important system commands: anti-replay and set-tcp-session-without-syn

set anti-replay

Once the global command (system.global) is set to strict or loose:

FGTVM # config system global
FGTVM (global) # set anti-replay
disable    Disable anti-replay check.
loose      Loose anti-replay check.
strict     Strict anti-replay check.  # default strict

it can be disabled per firewall policy:

FGTVM # config firewall policy
FGTVM (policy) # edit 1
FGTVM (1) # set anti-replay
enable     Enable anti-replay check.   # default enable
disable    Disable anti-replay check.

If system.global has set anti-replay disable, the set anti-replay command is absent from the firewall policy; debug flow shows the following:


set-tcp-session-without-syn

Since v5.6.3, system.setting enables this feature globally.

After enabling it globally, it only takes effect for a specific policy once it is also configured in that policy.

Reference KB: https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD47331