itsecworks.wordpress.com/2011/07/18/fortigate-basic-troubleshooting-commands/ (captured 09/01/13)
itsecworks: It is all about security and co I have already met
Fortigate troubleshooting commands
Posted on July 18, 2011
With my requirements for any networking layer 3 device in mind, I collected the basic commands that we have to know, or you will not be able to manage your Fortigate. Okay, okay, this is bullshit; I just update this page since it is the number one post on my site. :-)
1.0 Check the basic settings and firewall states
- Check the system status
- Check the hardware performance
- Check the High Availability state
- Check the session table of the firewall
2.0 Check the interface settings
- Check the state, speed, duplex and IP of the interfaces
- Check the ARP table
3.0 Check the Routing Table
- Check the matching route
4.0 VPN Troubleshooting
- Change the tunnel state
- Check the tunnel state
- Check packet counters for the tunnel
5.0 Sniffer trace
7.0 Backup and Restore
1.0 Check the basic settings and firewall states

Check the hardware performance

To see the state of the CPU, the memory and the uptime:
myfirewall1 # get system performance status
CPU states: 0% user 0% system 0% nice 100% idle
CPU0 states: 0% user 0% system 0% nice 100% idle
Memory states: 48% used
Average network usage: 1 kbps in 1 minute, 0 kbps in 10 minutes, 0 kbps in 30 minutes
Average sessions: 0 sessions in 1 minute, 0 sessions in 10 minutes, 0 sessions in 30 minutes
Average session setup rate: 0 sessions per second in last 1 minute, 0 sessions per second in last 10 minutes, 0 sessions per second in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 24 days, 11 hours, 25 minutes
To see which processes are eating the CPU, in case of high CPU usage:
Check the High Availability state

From the HA configuration below you can read that:
- the heartbeat goes on port5, with port6 as backup (the hbdev interface with the higher priority value is preferred)
- stateful failover (session-pickup) is enabled
- the HA priority of this cluster unit is 254 (the Fortigate has a default setting for priority; there will be only one master even if you do not set it on the cluster members. This is cool.)
- the monitored ports are port4, port5 and port6

Note that heartbeat encryption and authentication are both disabled in this configuration. Unless the heartbeat links are dedicated back-to-back cables, enable them (set encryption enable, set authentication enable): the heartbeat link also carries the configuration sync and the session sync, so an attacker on that segment can read or inject them otherwise.
myfirewall1 # show full-configuration system ha
config system ha
    set group-id 0
    set group-name "FGT-HA"
    set mode a-p
    set password ENC
    set hbdev "port5" 20 "port6" 10
    set route-ttl 10
    set route-wait 0
    set route-hold 10
    set sync-config enable
    set encryption disable
    set authentication disable
    set hb-interval 2
    set hb-lost-threshold 6
    set helo-holddown 20
    set arps 5
    set arps-interval 8
    set session-pickup enable
    set link-failed-signal disable
    set uninterruptable-upgrade enable
    set vcluster2 disable
    set override enable
    set priority 254
    set monitor "port4" "port5" "port6"
    unset pingserver-monitor-interface
    set pingserver-failover-threshold 0
    set pingserver-flip-timeout 60
end
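As an added example (not from the original post), here is a small Python script that parses an HA block like the one above and flags the settings a reviewer would question: the cleartext heartbeat, a heartbeat interface that is also a monitored port, and override. The sample configuration is the one shown on the page; the checks themselves are this script's own opinions, not FortiOS rules.

```python
"""Parse 'show full-configuration system ha' output and flag weak HA settings.

Added example, not from the original post. SAMPLE_HA_CONFIG is the block
shown on the page; the findings in audit_ha() are this script's own opinion.
"""
import shlex

SAMPLE_HA_CONFIG = """\
config system ha
    set group-id 0
    set group-name "FGT-HA"
    set mode a-p
    set password ENC
    set hbdev "port5" 20 "port6" 10
    set sync-config enable
    set encryption disable
    set authentication disable
    set hb-interval 2
    set hb-lost-threshold 6
    set session-pickup enable
    set override enable
    set priority 254
    set monitor "port4" "port5" "port6"
    unset pingserver-monitor-interface
    set pingserver-failover-threshold 0
end
"""


def parse_ha_config(text):
    """Return {option: [values]} for every 'set' line between 'config system ha' and 'end'.
    'unset' options are recorded with an empty value list."""
    settings = {}
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config system ha":
            inside = True
            continue
        if line == "end":
            inside = False
            continue
        if not inside:
            continue
        parts = shlex.split(line)  # shlex strips the quotes around interface names
        if len(parts) >= 2 and parts[0] == "set":
            settings[parts[1]] = parts[2:]
        elif len(parts) == 2 and parts[0] == "unset":
            settings[parts[1]] = []
    return settings


def heartbeat_devices(settings):
    """Turn 'hbdev "port5" 20 "port6" 10' into [(port, priority)], preferred link first."""
    vals = settings.get("hbdev", [])
    pairs = [(vals[i], int(vals[i + 1])) for i in range(0, len(vals) - 1, 2)]
    return sorted(pairs, key=lambda p: p[1], reverse=True)


def audit_ha(settings):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    if settings.get("mode", ["standalone"])[0] == "standalone":
        findings.append("HA not configured (mode standalone)")
        return findings
    if settings.get("encryption", ["disable"])[0] != "enable":
        findings.append("heartbeat encryption disabled: config sync and session sync travel in clear")
    if settings.get("authentication", ["disable"])[0] != "enable":
        findings.append("heartbeat authentication disabled: heartbeat packets can be spoofed")
    hb = heartbeat_devices(settings)
    if len(hb) < 2:
        findings.append("only one heartbeat interface: a single link failure splits the cluster")
    # A heartbeat link listed under 'monitor' triggers a failover on heartbeat loss anyway;
    # report the overlap so the operator can decide whether that is intended.
    overlap = sorted({p for p, _ in hb} & set(settings.get("monitor", [])))
    if overlap:
        findings.append("heartbeat interfaces also in monitor list: " + ", ".join(overlap))
    if settings.get("override", ["disable"])[0] == "enable":
        findings.append("override enable: the highest-priority unit preempts when it returns, so expect a second failover")
    return findings


if __name__ == "__main__":
    cfg = parse_ha_config(SAMPLE_HA_CONFIG)
    print("heartbeat devices (preferred first):", heartbeat_devices(cfg))
    for finding in audit_ha(cfg):
        print("FINDING:", finding)
```

Run it against the output of show full-configuration system ha copied from your own unit; the hbdev ordering it prints is the one the cluster will use, and every finding maps to one line of the config block.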
Check the session table of the firewall

The following list has only one session, probably a DNS request from 192.168.227.97 to the DNS server 65.39.139.53. Do not use this command on a live system with a lot of traffic: it lists all sessions, which makes no sense there.
3.0 Check the Routing Table

In this example we route everything through a VPN tunnel called fortigw-311b (the default route, marked S*, points at the tunnel interface):
myfirewall1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [5/0] is directly connected, fortigw-311b
S       10.0.0.0/8 [10/0] via 3.3.3.1, wan1
C       3.3.3.0/23 is directly connected, wan1
S       4.4.3.48/32 [10/0] via 3.3.3.1, wan1
S       4.4.3.66/32 [10/0] via 3.3.3.1, wan1, [0/50]
C       192.168.223.17/32 is directly connected, gre1
C       192.168.223.18/32 is directly connected, gre1
C       192.168.224.64/27 is directly connected, internal
Check the matching route

Are you looking for a specific route in a big table? No problem, use the details keyword with the destination address; the firewall shows the route it would actually use for that address (the longest matching prefix):
myfirewall1 # get router info routing-table details 10.20.100.10
Routing entry for 10.0.0.0/8
  Known via "static", distance 10, metric 0, best
  * 3.3.3.1, via wan1
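To show what the details lookup actually does, here is an added Python example (not from the original post) that parses the routing table printed above and performs the same longest-prefix match for 10.20.100.10 and a few other addresses. The sample table is copied from the page; the describe() output only approximates the firewall's format, and the tie-break on administrative distance and metric is this example's own assumption about how equal-length prefixes are ranked.

```python
"""Longest-prefix lookup over 'get router info routing-table all' output.

Added example, not from the original post. SAMPLE_ROUTING_TABLE is the
table shown on the page (legend lines omitted; they are skipped anyway).
"""
import ipaddress
import re

SAMPLE_ROUTING_TABLE = """\
S*      0.0.0.0/0 [5/0] is directly connected, fortigw-311b
S       10.0.0.0/8 [10/0] via 3.3.3.1, wan1
C       3.3.3.0/23 is directly connected, wan1
S       4.4.3.48/32 [10/0] via 3.3.3.1, wan1
S       4.4.3.66/32 [10/0] via 3.3.3.1, wan1, [0/50]
C       192.168.223.17/32 is directly connected, gre1
C       192.168.223.18/32 is directly connected, gre1
C       192.168.224.64/27 is directly connected, internal
"""

# One route line: code(s), prefix, optional [distance/metric], then either
# "is directly connected, <intf>" or "via <gateway>, <intf>"; a trailing ", [x/y]" is ignored.
_ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<prefix>\S+)"
    r"(?:\s+\[(?P<dist>\d+)/(?P<metric>\d+)\])?"
    r"\s+(?:is directly connected, (?P<conn_if>[^,\s]+)|via (?P<gw>[^,\s]+), (?P<via_if>[^,\s]+))"
    r"(?:,.*)?$"
)
_SOURCES = {"S": "static", "C": "connected", "K": "kernel", "O": "ospf", "B": "bgp", "R": "rip"}


def parse_routing_table(text):
    """Return a list of route dicts; legend and header lines do not match and are skipped."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE_RE.match(line.strip())
        if not m:
            continue
        code = m.group("code")
        routes.append({
            "source": _SOURCES.get(code.rstrip("*"), code.rstrip("*")),
            "candidate_default": code.endswith("*"),
            # strict=False: the table prints the interface address (3.3.3.0/23), not the network base
            "prefix": ipaddress.ip_network(m.group("prefix"), strict=False),
            "distance": int(m.group("dist") or 0),
            "metric": int(m.group("metric") or 0),
            "gateway": m.group("gw"),
            "interface": m.group("conn_if") or m.group("via_if"),
        })
    return routes


def lookup(routes, ip):
    """Longest prefix wins; among equal prefixes the lower distance, then lower metric, wins.
    Returns None when nothing matches (no default route)."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes if addr in r["prefix"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["prefix"].prefixlen, -r["distance"], -r["metric"]))


def describe(route):
    """Render a route roughly like 'get router info routing-table details' does."""
    if route is None:
        return "no matching route"
    if route["gateway"]:
        nexthop = f"* {route['gateway']}, via {route['interface']}"
    else:
        nexthop = f"* directly connected, {route['interface']}"
    return (f"Routing entry for {route['prefix']}\n"
            f"Known via \"{route['source']}\", distance {route['distance']}, "
            f"metric {route['metric']}, best\n{nexthop}")


if __name__ == "__main__":
    table = parse_routing_table(SAMPLE_ROUTING_TABLE)
    for dst in ("10.20.100.10", "8.8.8.8", "192.168.224.70", "4.4.3.66"):
        print(f"--- {dst}\n{describe(lookup(table, dst))}")
```

The 10.20.100.10 lookup reproduces the page's answer (10.0.0.0/8 via 3.3.3.1 on wan1); 8.8.8.8 falls through to the candidate default and therefore goes into the tunnel, which is the quickest way to confirm the "route everything through the VPN" claim above.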
4.0 VPN Troubleshooting
The most important thing for VPN is the time on the devices (it is shown in the last line of the output). To check the time, use the following command:
myfirewall1 # get sys status
Version: Fortigate-50B v4.0,build0632,120705 (MR3 Patch 8)
Virus-DB: 14.00000(2011-08-24 17:17)
Extended DB: 14.00000(2011-08-24 17:09)
IPS-DB: 3.00150(2012-02-15 23:15)
FortiClient application signature package: 1.131(2012-07-05 20:54)
Serial-Number: FGT50B1234567891
BIOS version: 04000010
Log hard disk: Not available
Hostname: myfirewall1
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Distribution: International
Branch point: 632
Release Version Information: MR3 Patch 8
System time: Fri Nov 16 17:31:03 2012
Change the tunnel state
Bring up a vpn tunnel manually. No traffic required.
myfirewall # diag vpn tunnel up phase2-name phase1-name
Shut down a vpn tunnel manually.
myfirewall # diag vpn tunnel down phase2-name phase1-name
Check the tunnel state
If there is no SA, the tunnel is down and does not work, so to see whether the tunnel is up we need to check whether any SA exists. For that you can use the diagnose vpn tunnel list name or the diagnose vpn tunnel dumpsa command.

Tunnel state is down
The tunnel does not exist if the commands below print nothing after the header line:

myfirewall1 # diagnose vpn tunnel list name myphase1
list ipsec tunnel by names in vd 0
with the dumpsa command:
myfirewall1 # diag vpn tunnel dumpsa
The output of the command below shows zero sa (no security association)
Information in the output of the command below:
- VPN peers
- encrypted traffic (source and destination)
- traffic counters for encrypted traffic
- SPI for encrypt and decrypt
- encryption method
To see whether encryption and decryption of the packets actually work, run diagnose vpn ipsec status or diagnose vpn tunnel list two or more times and compare the values: on the second and third outputs the counters should show larger numbers. If only the encrypt counter grows, this side is sending but nothing comes back from the peer; if neither grows, the traffic is not being sent into the tunnel at all.
5.0 Sniffer trace

*It looks like you cannot filter explicitly on a tunnel interface; in that case use any as the interface and define a filter string.
And the tcpdump-like filter string (or the keyword none):
myfirewall1 # diagnose sniffer packet any
flexible logical filters for sniffer (or "none").
For example: To print udp 1812 traffic between forti1 and either forti2 or forti3
'udp and port 1812 and host forti1 and \( forti2 or forti3 \)'
And the verbosity level of the output you want (I always use 4):
myfirewall1 # diagnose sniffer packet any none
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name
myfirewall1 # diagnose sniffer packet any none 4
sniffer count
myfirewall1 # diagnose sniffer packet any none 4 4
interfaces=[any]
filters=[none]
0.914475 wan1 in 10.250.19.159.63929 -> 3.3.3.127.61784: 689103397 ack 64745307
0.915067 wan1 out 3.3.3.3.22 -> 10.20.100.10.57499: psh 3728577301 ack 1697425175
0.915079 eth0 out 3.3.3.3.22 -> 10.20.100.10.57499: psh 3728577301 ack 1697425175
0.915452 wan1 out 3.3.3.3.22 -> 10.20.100.10.57499: psh 3728577433 ack 1697425175
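As an added example, not part of the original post: a Python parser for verbosity-4 sniffer lines that groups the packets into flows and says, per flow, whether the firewall was seen receiving, sending or forwarding it. That "in on one interface, out on another" test is the usual reason to run the sniffer with any: it separates traffic the firewall dropped from traffic it passed. The four capture lines are the ones printed above; the verdict labels are this example's own interpretation, and with NAT the outgoing packet has a different address/port tuple, so you would match on the translated tuple instead.

```python
"""Parse 'diagnose sniffer packet <intf> <filter> 4' output into flows.

Added example, not from the original post. SAMPLE_CAPTURE is the output
shown on the page; the flow verdicts are this example's own interpretation.
"""
import re
from collections import defaultdict

SAMPLE_CAPTURE = """\
interfaces=[any]
filters=[none]
0.914475 wan1 in 10.250.19.159.63929 -> 3.3.3.127.61784: 689103397 ack 64745307
0.915067 wan1 out 3.3.3.3.22 -> 10.20.100.10.57499: psh 3728577301 ack 1697425175
0.915079 eth0 out 3.3.3.3.22 -> 10.20.100.10.57499: psh 3728577301 ack 1697425175
0.915452 wan1 out 3.3.3.3.22 -> 10.20.100.10.57499: psh 3728577433 ack 1697425175
"""

# verbosity-4 line: <time> <intf> <in|out> <src>.<sport> -> <dst>.<dport>: <protocol detail>
_LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s*(?P<detail>.*)$"
)


def parse_sniffer(text):
    """Return one dict per packet line; the interfaces=/filters= header lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        packets.append({
            "ts": float(d["ts"]),
            "intf": d["intf"],
            "dir": d["dir"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "detail": d["detail"],
        })
    return packets


def flows(packets):
    """Group packets by (src, sport, dst, dport); keep the count and the (interface, direction) pairs seen."""
    grouped = defaultdict(lambda: {"count": 0, "seen": set()})
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        grouped[key]["count"] += 1
        grouped[key]["seen"].add((p["intf"], p["dir"]))
    return dict(grouped)


def verdict(flow):
    """What the sniffer proves for one flow:
    'forwarded'     - seen 'in' on an interface and 'out' on another, so the firewall passed it
    'received only' - only ever seen 'in': dropped by policy, or addressed to the firewall itself
    'sent only'     - only ever seen 'out': generated by the firewall (e.g. replies of its own SSH daemon)"""
    dirs = {d for _, d in flow["seen"]}
    if dirs == {"in", "out"}:
        return "forwarded"
    return "received only" if dirs == {"in"} else "sent only"


if __name__ == "__main__":
    for key, f in flows(parse_sniffer(SAMPLE_CAPTURE)).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  packets={f['count']}  "
              f"{verdict(f)}  seen on {sorted(f['seen'])}")
```

On the page's capture the 3.3.3.3:22 flow is "sent only": these are the firewall's own SSH replies to the admin session, which is why they appear as out on both wan1 and eth0 and never as in.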
The second parameter after “…port6 arp 1” is the number of packets to sniff; in that example it is set to 2. In the output above (any none 4 4) it is 4, which is why exactly four packets were printed before the sniffer stopped.
There are some log fields that you will never see in the web UI, because you cannot choose them in the column settings. One example is a wrong pre-shared key: the field that tells you what the problem is, “error_reason”, is only visible in the CLI.
The log buffer size is limited, and when the buffer is full the oldest logs are overwritten. To check your buffer size, issue the following command:
In this example we can see a failed VPN session, because the pre-shared key is not identical on the two VPN peers. The logs are not always this talkative: for a failure caused by different encryption settings on the two peers, for example, the logs say nothing useful, and you have to compare the phase 1 and phase 2 proposals on both ends by hand.
There is an online help for the commands: http://docs.fortinet.com/fgt/handbook/cli_html/wwhelp/wwhimpl/js/html/wwhelp.htm
7.0 Backup and Restore
Backup command with a TFTP server. Keep in mind that TFTP is neither authenticated nor encrypted, and that the full configuration contains the admin accounts and the VPN pre-shared keys in their ENC form, so run it only from a trusted management network and protect the resulting file like a password file:
myfirewall # execute backup full-config tftp <full-config-filename> <tftp server ip>
With an example:
myfirewall1 # execute backup full-config tftp myfirewall1_full_config 192.168.1.1
Please wait...
Connect to tftp server 192.168.1.1 ...
#
Send config file to tftp server OK.
myfirewall1 #
Restore command with a TFTP server (the firewall reboots after the restore, so plan for the outage):

myfirewall # execute restore config tftp <full-config-filename> <tftp server ip>
Example Restore:
myfirewall1 # execute restore config tftp myfirewall1_full_config 192.168.1.1
This operation will overwrite the current settings!
Do you want to continue? (y/n)y
Please wait...
Connect to tftp server 192.168.1.1 ...
Get config file from tftp server OK.
File check OK.
The system is going down NOW !!
Please stand by while rebooting
FGT200B (14:15-10.01.2008)
Ver:04000010
Serial number:FG200B1111111111
RAM activation
Total RAM: 256MB
Enabling cache...Done.
Scanning PCI bus...Done.
Allocating PCI resources...Done.
Enabling PCI resources...Done.
Zeroing IRQ settings...Done.
Verifying PIRQ tables...Done.
Enabling Interrupts...Done.
Boot up, boot device capacity: 64MB.
Press any key to display configuration menu.
........
Reading boot image 1319595 bytes.
Initializing firewall...
System is started.
The config file may contain errors,
Please see details by the command 'diagnose debug config-error-log read'
myfirewall1 login:

After a restore, run the command named in the banner, diagnose debug config-error-log read: it lists the configuration lines the firewall rejected while loading the file (typically settings from a different firmware build), which are otherwise missing from the running configuration without any further warning.
Posted in: Fortigate, Security, Troubleshooting