1. VDOM enable
conf sys global
set vdom-admin enable
end

2. Create VDOM
conf vdom
edit test

3. VDOM mode setting
TP
conf vdom
edit test
conf sys setting
set opmode transparent
set manageip 10.10.10.1/32
end
end

4. Management Port setting
conf sys interface
edit mgmt
set vdom root
set ip 10.10.10.1/24
next
edit port1
set vdom test
next
edit port2
set vdom test
next
edit port4
set ip 192.168.12.1/24
set allowaccess ping https ssh snmp telnet
next
end

5. Sessins-sync setting
conf system session-sync
edit 1
set peerip 192.168.12.2
set syncvd test
next
end

6. HA setting
conf sys ha
set hbdev port3 100
set session-sync-dev port4
set hb-interval 4
set hb-lost-threshold 12
set ha-uptime-diff-margin 1
set session-pickup enable
set session-pickup-connectionless enable
set session-pickup-expectation enable
set session-pickup-nat enable
set standalone-config-sync enable
set override disable

end


'업무이야기 > Fortinet' 카테고리의 다른 글

FortiGate FGSP  (0) 2018.05.08
FortiAnalyzer CLI  (0) 2018.05.08
fortigate File reached uncompressed size limit  (0) 2018.05.08
FortiGate 점점 CLI  (0) 2018.05.08
How-to: Automate FortiGate configuration backups  (0) 2018.05.08
Scheduled Daily Reboot of FortiGate  (0) 2018.05.08
get system sql
diagnose sql status
diagnose sql show db-size
diagnose log device
diagnose sql process list
diagnose dvm device list
diagose fortilogd msgrate-device
diagose fortilogd lograte
get system performance
get system status

execute log device logstore list


'업무이야기 > Fortinet' 카테고리의 다른 글

FortiGate FGSP  (0) 2018.05.08
FortiAnalyzer CLI  (0) 2018.05.08
fortigate File reached uncompressed size limit  (0) 2018.05.08
FortiGate 점점 CLI  (0) 2018.05.08
How-to: Automate FortiGate configuration backups  (0) 2018.05.08
Scheduled Daily Reboot of FortiGate  (0) 2018.05.08
fortigate # config firewall profile-protocol-options
fortigate (profile-protocol~ons) # edit default
fortigate (default) # config smtp
fortigate (default) # set uncompressed-oversize-limit 5
fortigate (smtp) # get
ports : 25
status : enable
inspect-all : disable
options : oversize
oversize-limit : 10
uncompressed-oversize-limit: 5
uncompressed-nest-limit: 12
scan-bzip2 : enable

server-busy : disable


'업무이야기 > Fortinet' 카테고리의 다른 글

FortiGate FGSP  (0) 2018.05.08
FortiAnalyzer CLI  (0) 2018.05.08
fortigate File reached uncompressed size limit  (0) 2018.05.08
FortiGate 점점 CLI  (0) 2018.05.08
How-to: Automate FortiGate configuration backups  (0) 2018.05.08
Scheduled Daily Reboot of FortiGate  (0) 2018.05.08
1.     get system performance status
-       현재 CPU & Memory, Traffic 사용량, Session수 및 Uptime 확인
2.     get system status
-       OS Version 및 Serial 정보 확인
3.     diag debug crashlog read
-       프로세서 Crash 내역 및 FortiGate의 주요 이슈 사항 확인
4.     diag log alertconsole list
-       관리자 계정 Login 실패 기록, 장비 재시작, 전원 off, FortiGuard 업데이트 내역 확인
5.     diag hardware device nic port1
-       해당 Port의 Speed/Duplex 및 Error확인 가능
6.     diag netlink device list
-       전체 Port에 대한 Error 확인
7.     get route info routing-table all
-       Routing Table 확인
8.     get sys arp
-       ARP Table 확인
9.     get system interface
-       Interface IP정보 확인

10. 기타
# excute tac report

# fnsysctl ls -l /dev/shm
# fnsysctl ls -l /tmp
# diagnose hardware sysinfo shm
# diagnose hardware sysinfo slab
# diagnose hardware sysinfo interrupt
# diagnose ip arp list
# diagnose ip rtcache list
# diagnose ip router command show show int
# diagnose ips anomaly list
# diagnose ips anomaly status
# diagnose ips dissector status
# diagnose ips packet status
# diagnose ips raw status
# get ips session
# diagnose sys session stat
# get system auto-update status
# get system auto-update versions
# diagnose test update info
# diagnose sys flash list
# fnsysctl df -k
# diagnose sys logdisk smart
# diagnose sys logdisk status
# diagnose sys ha status
# diagnose sys ha showcsum
# diagnose sys ha hadiff status
# diagnose sys ha dump-by all-vcluster
# diagnose sys ha dump-by rcache
# diagnose sys ha dump-by all-group
# diagnose sys ha dump-by memory
# diagnose sys ha dump-by vdom
# diagnose sys ha dump-by debug-zone
# diagnose sys ha dump-by kernel
# diagnose sys ha dump-by device
# get sys session-info statistics
# get system session-info ttl
# get system session-helper-info list
# diagnose netlink aggregate list
# diagnose netlink brctl list
# diagnose netlink device list
# diagnose firewall fqdn list
# diagnose firewall iplist list
# diagnose firewall ipmac list
# diagnose firewall ipmac status
# diagnose firewall iprope list
# get firewall proute
# diagnose firewall schedule list
# get system performance firewall statistics
# get router info routing-table all
# get router info routing-table database
# get vpn ipsec stats crypto
# get vpn ipsec tunnel details
# get vpn status ssl list
# get webfilter ftgd-statistics
# get webfilter status
# diagnose spamfilter fortishield statistics list
# diagnose spamfilter fortishield servers
# get hardware nic mgmt2
# get hardware nic mgmt1
# get hardware nic port32
# get test proxyacceptor 1
# get test proxyacceptor 4
# get test proxyworker 1
# get test proxyworker 4
# get test proxyworker 4444
# get test http 444
# get test http 11
# diagnose sys scanunit stats all
# get test urlfilter 10
# diagnose sys sip-proxy filter clear
# diagnose sys sip-proxy redirect list
# diagnose sys sip-proxy config list
# diagnose sys sip-proxy config profiles
# diagnose sys sip-proxy meters list
# diagnose sys sip-proxy stats proto
# diagnose sys sip-proxy stats call
# diagnose sys sip-proxy stats udp
# diagnose sys sip-proxy calls idle
# diagnose sys sip-proxy session list
# diagnose sys sccp-proxy stats list
# diagnose sys sccp-proxy phone list
# get test ipsmonitor 1
# get test ipsmonitor 3
# get test radiusd 5
# diagnose test application miglogd 6

# diagnose debug crashlog read


'업무이야기 > Fortinet' 카테고리의 다른 글

FortiAnalyzer CLI  (0) 2018.05.08
fortigate File reached uncompressed size limit  (0) 2018.05.08
FortiGate 점점 CLI  (0) 2018.05.08
How-to: Automate FortiGate configuration backups  (0) 2018.05.08
Scheduled Daily Reboot of FortiGate  (0) 2018.05.08
FortiGate DNS Translation  (0) 2018.05.08

How-to: Automate FortiGate configuration backups

The FortiGates don't have any backup automation abilities out of the box. Generally you'd use a FortiManager for the config, backup and control of multiple FortiGates.

I've recently setup a lab with several FortiGates for testing and wanted a simple way of backing up the configs every day so I could always revert back to a previous day quickly.

You could just backup the config before making changes, but I wanted to automate this process. Below is a quick and dirty script to automate the config backup.

A few notes to begin with; this script requires a read only user to be created on each FortiGate that have the same password. These passwords are stored in the script itself; so while it never gets transmitted in cleartext over the link, be aware that it is stored in the file. Since this is a lab and it's a readonly account I'm not too fussed. Another thing to note is that the strict host check for the SSH keys has been disabled (so you don't get a confirmation request for new IP addresses). There is a more secure way to do this without using passwords but ssh keys which I may create a blog on at a latter date.

The only dependency is that the script requires sshpass to be installed.

My guide goes through setting this all up on a Debian based Linux system (like Mint or Ubuntu). It should be fine to work on other distributions with few command changes.


Steps involved:

1. Install sshpass
2. Enable SCP and SSH on FortiGates
3. Create a read only profile
4. Create a read only user
5. Create script and edit the code
6. Make script executable
7. Test the script
8. Configure crond to automatically run the script

1. Install sshpass

From your linux terminal type the following to install sshpass:

sudo apt-get install -y sshpass

2. Enable SCP and SSH on the FortiGate

For this example we'll configure port6 with SSH. Login to the CLI of your FortiGate and config the following:

config system interface
edit port6
set allowaccess ssh
end

Then type the below to enable SCP:

config system global
set admin-scp enable
end

3. Create a read only profile

In the webgui goto System > Admin > Admin Profiles and click 'Create New'.

Give your profile a name and select the 'Read Only' tick-box to ensure all access control options change to read only. Click 'Ok' to save.


4. Create a read only user

Goto System > Admin > Administrators and click 'Create New'.

Type in the users login name, give a password and select the read-only profile we created in step 3. Click 'Ok' to save.


5. Create script and edit the code

Copy the script below in a text editor and then change the following settings:

a) SERVERS: Replace the IP addresses here with the IP addresses (and/or hostnames) of the FortiGate units you want to connect to (and that you've enabled SSH/SCP for). Separate server addresses with a space.
b) USR: Replace with your read-only username we created in step 4.
c) PWD: Replace with your read-only password we created in step 4.
d) This is the directory that the file will be saved in. Ensure that this directory exists and the user that runs the script has write access to it.


The full script is below:

#!/bin/bash
#linux/UNIX
SERVERS="172.16.100.91 192.168.200.99"
# SSH User name
USR="readonly"
PWD="password"

timestamp=$(date +"%y-%m-%d")

# connect each host
for host in $SERVERS
do
sshpass -p $PWD scp -oStrictHostKeyChecking=no $USR@$host:sys_config /home/user/backup/"$timestamp"_"$host".conf
done
echo 'Backup Completed!'
exit


Once this is done save the file with the .sh extension (for this exmple I use fortinet-backup.sh).

6. Make script executable

To be able to run the script you'll need to make it executable.

chmod u+x fortinet-backup.sh

7. Test the script

Now the fun part, to test the script! Goto the directory that the script is located in an run it with the following ./fortinet-backup.sh. After a while you should get the 'Backup completed!' message. If you do an ls you should now see the configs. The naming scheme is the date followed by the IP or domain name of the firewall.

allan@amouawad-mint ~/backup $ ./fortinet-backup.sh 
Backup completed!
allan@amouawad-mint ~/backup $ ls
14-01-10_172.16.100.91.conf  14-01-10_192.168.200.99.conf  fortinet-backup.sh

8. Configure crond to automatically run the script

Now this is done and confirmed working, we want to get the script to run on a schedule. For this we need to configure cron with the following command: crontab -e.

If you're unsure howto use cron I'd suggest you search for a few examples. The key here is to add a line at the end of the file that will determine the frequency that you wish the script to run, and the scripts name/location.

For example I've used the following:

0 1 * * * /home/user/backup/fortinet-backup.sh

This will run the script located in /home/user/backup/fortinet-backup.sh once everyday at 1am.


Save the file and you should be done!


config system global
set daily-restart enable
set restart time 04:00

end


FortiGate DNS Translation

Main # show firewall dnstranslation
config firewall dnstranslation
edit 1
set dst 192.168.132.142
set netmask 255.255.255.255
set src 1.233.82.142
next

end


[FortiGate의 자주 쓰는 debug 명령]



1. diagnose debug flow

diag debug flow 명령은 FortiGate 의 inbound->outbound 트래픽의 flow를 확인할 수 있습니다.

filter, show, trace 3가지로 구성



FGT82C3109600076 # diagnose debug flow filter addr 122.49.65.221

FGT82C3109600076 # diagnose debug flow show console enable
show trace messages on console

FGT82C3109600076 # diagnose debug flow trace start 10



FGT82C3109600076 # id=36870 trace_id=21 msg="vd-root received a packet(proto=1, 122.49.65.222:1024->122.49.67.40:8) from port2."
id=36870 trace_id=21 msg="Find an existing session, id-0004a929, original direction"
id=36870 trace_id=22 msg="vd-root received a packet(proto=1, 122.49.67.40:1024->122.49.65.222:0) from local."





2. diagnose sniffer packet



FGT82C3109600076 # diagnose sniffer packet any "icmp" 4

문법
# diag sniffer packet <interface> <'filter'> <verbose> <count> <a>

<interface> can be an Interface name or "any" for all Interfaces.
<'filter'> is a very powerful filter functionality which will be described in more detail.
<verbose> means the level of verbosity as described already.
<count> the number of packets the sniffer reads before stopping. '0'이면 무한수행.
<a> absolute timestamps를 화면에 출력(하지만 반드시 <count> 가 있을때만 유효) defailt는 Relative timstamps이므로, 상대적인 시간만 나옴.

<verbose>
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name

diagnose sniffer packet any "" 4 0 a

패킷 스니퍼
- ICMP확인
dia sniff packet port3 icmp 100
- TCP SYN 100개 확인
dia sniff packet port3 'tcp[13]==2' 100 0 a
- TCP SYN & SYN ACK 100개 확인
dia sniff packet port3 'tcp[13]&2==2' 100





3. NP2 ASIC accelerate enable/disable

FG3K6A3407600192 (global) # diagnose npu np2 fastpath
e2prom View E2PROM data
fastpath Configure fastpath
fastpath-sniffer Configure fastpath sniffer by port
list Display all NP2 devices
performance View NP2 performance
register View NP2 registers
status View NP2 device status

FG3K6A3407600192 (global) # diagnose npu np2 fastpath disable 0





4. NP4 ASIC accelerate enable/disable

# diagnose npu np4 fastpath disable 0

주의1) NP4 Fast Path disabled. Please clear session to clear existing path.

주의2) traffic log는 session is expired 되어야 기록됨.




설정법 .

==================================================================

diag debug flow filter <name> <value>

- 디버그 흐름추적 필터 추가 <필터옵션> <필터값/없으면any>

diag debug flow show console enable

- 디버그 내용 접속화면에 표시

diag debug flow show function-name enable

- 디버그 흐름추적시 사용된 함수이름 표시

diag debug flow trace start <repeat number>

- 디버그 흐름추적을 할 갯 수

diag debug enable

- 디버그 시작

==================================================================



예제 1. (외부와의 통신 디버깅)

인터페이스의 출발지, 세션의 종류, 적용된 정책, 적용된 vdom, 적용된 라우팅 등을 많은 정보를 볼 수 있음.

==================================================================

diag debug flow filter add 192.168.10.4

diag debug flow show console enable

diag debug flow show function-name enable

diag debug flow trace start 100

diag debug enable

==================================================================

...to stop the debug, type "diag debug flow trace stop"



20085 trace_id=29 func=get_new_addr line=1240 msg="find SNAT: IP-222.110.157.103, port-46024"

20085 trace_id=29 func=fw_forward_handler line=320 msg="Allowed by Policy-5: SNAT"

20085 trace_id=29 func=__ip_session_run_tuple line=1562 msg="SNAT 192.168.10.4->222.110.157.103:46024"

20085 trace_id=30 func=resolve_ip_tuple_fast line=2809 msg="vd-root received a packet(proto=6, 192.168.10.4:1159->222.234.226.3:110) from internal."

20085 trace_id=30 func=resolve_ip_tuple line=2908 msg="allocate a new session-02bb75c1"

20085 trace_id=30 func=rpdb_srv_match line=422 msg="Match policy routing: to 222.234.226.3 via ifindex-3"

20085 trace_id=30 func=vf_ip4_route_input line=1599 msg="find a route: gw-121.131.216.126 via wan1"

20085 trace_id=30 func=get_new_addr line=1240 msg="find SNAT: IP-121.131.216.116, port-46025"

20085 trace_id=30 func=fw_forward_handler line=320 msg="Allowed by Policy-7: SNAT"

20085 trace_id=30 func=__ip_session_run_tuple line=1562 msg="SNAT 192.168.10.4->121.131.216.116:46025"

20085 trace_id=31 func=resolve_ip_tuple_fast line=2809 msg="vd-root received a packet(proto=6, 192.168.10.4:1159->222.234.226.3:110) from internal."

20085 trace_id=31 func=resolve_ip_tuple_fast line=2836 msg="Find an existing session, id-02bb75c1, original direction"

20085 trace_id=31 func=__ip_session_run_tuple line=1562 msg="SNAT 192.168.10.4->121.131.216.116:46025"





예제2. (TP모드의 내부끼리의 통신 디버깅)

==================================================================

diag debug flow filter add 192.168.10.4

diag debug flow show console enable

diag debug flow show function-name enable

diag debug flow trace start 100

diag debug enable

==================================================================

...to stop the debug, type "diag debug flow trace stop"

Example of debug flow output when traffic flows :

id=20085 trace_id=113 msg="vd-tp_mode received a packet(proto=6, 192.168.10.4:4370->192.168.10.2:23) from internal."

id=20085 trace_id=113 msg="Find an existing session, id-00000a40, original direction"

id=20085 trace_id=113 msg="enter fast path"

id=20085 trace_id=113 msg="send out via dev-dmz1, dst-mac-00:01:02:03:04:05"


Configure FortiGate A interfaces

config system interface
edit port2
set 10.0.0.1/24
next
edit port3
config ipv6
set ip6-address fec0::0001:209:0fff:fe83:25f3/64
end
 
Configure FortiGate A IPsec settings
config vpn ipsec phase1-interface
edit toB
set interface port2
set remote-gw 10.0.1.1
set dpd enable
set psksecret maryhadalittlelamb
set proposal 3des-md5 3des-sha1
end
 
config vpn ipsec phase2-interface
edit toB2
set phase1name toB
set proposal 3des-md5 3des-sha1
set pfs enable
set replay enable
set src-addr-type subnet6
set dst-addr-type subnet6
end

Configure FortiGate A security policies

config firewall policy6
edit 1
set srcintf port3
set dstintf toB
set srcaddr all6
set dstaddr all6
set action accept
set service ANY
set schedule always
next
 
edit 2
set srcintf toB
set dstintf port3
set srcaddr all6
set dstaddr all6
set action accept
set service ANY
set schedule always
end
Configure FortiGate A routing

edit 1
set device toB
set dst fec0:0000:0000:0004::/64
end
config router static
edit 1
set device port2
set dst 0.0.0.0/0
set gateway 10.0.0.254
end

Configure FortiGate B
 
config system interface
edit port2
set 10.0.1.1/24
next
edit port3
config ipv6
set ip6-address fec0::0004:209:0fff:fe83:2569/64
end
config vpn ipsec phase1-interface
edit toA
set interface port2
set remote-gw 10.0.0.1
set dpd enable
set psksecret maryhadalittlelamb
set proposal 3des-md5 3des-sha1
end
config vpn ipsec phase2-interface
edit toA2
set phase1name toA
set proposal 3des-md5 3des-sha1
set pfs enable
set replay enable
set src-addr-type subnet6
set dst-addr-type subnet6
end
config firewall policy6
edit 1
set srcintf port3
set dstintf toA
set srcaddr all6
set dstaddr all6
set action accept
set service ANY
set schedule always
next
edit 2
set srcintf toA
set dstintf port3
set srcaddr all6
set dstaddr all6
set action accept
set service ANY
set schedule always
end
config router static6
edit 1
set device toA
set dst fec0:0000:0000:0000::/64
end
config router static
edit 1
set device port2
set gateway 10.0.1.254
end

 


'업무이야기 > Fortinet' 카테고리의 다른 글

FortiGate DNS Translation  (0) 2018.05.08
[FortiGate의 자주 쓰는 debug 명령]  (0) 2018.05.08
Fortigate IPv6 over IPv4 VPN Tunnel  (0) 2018.05.08
FortiGate Service Objects Category별 우선 순위  (0) 2018.05.08
FortiSandbox Cluster  (0) 2018.05.08
FortiAuthenticator FSSO 설정  (0) 2018.05.08
  1. tcp-52000-Uncategorized
  2. tcp-52000-web Access
  3. tcp-52000-File Access
  4. tcp-52000-Email
  5. tcp-52000-Network Services
  6. tcp-52000-Authentication
  7. tcp-52000-Remote Access
  8. tcp-49152-65535-Authentication
  9. tcp-49152-65535-Remote Access
  10. tcp-52000-Tunneling / tcp-49152-52000-Tunneling
  11. tcp-49152-65535-Tunneling / tcp-52000-tunneling
  12. tcp-52000-VOIP, Messaging & Other Applications / tcp-49152-52000-VOIP, Messaging & Other Applications
  13. tcp-49152-52000-VOIP, Messaging & Other Applications / tcp-52000-VOIP, Messaging & Other Applications
  14. tcp-52000-Web Proxy / tcp-49152-52000-Web Proxy
  15. tcp-49152-52000-Web Proxy / tcp-52000-Web Proxy
  16. tcp-49152-52000-Uncategorized
  17. tcp-49152-52000-Web Access
  18. tcp-49152-52000-File Access
  19. tcp-49152-52000-Email
  20. tcp-49152-52000-Network Services
  21. tcp/52000
  22. tcp-52000-General TCP-49152-65535-General : 로그 찍지 않음



config firewall service custom
    edit "TCP-49152-65535-general"
        set category "General"
        set tcp-portrange 49152-65535
    next
    edit "TCP-52000-uncat"
        set tcp-portrange 52000
    next
    edit "TCP-49152-65535-auth"
        set category "Authentication"
        set tcp-portrange 49152-65535
    next
    edit "TCP-49152-65535-remote"
        set category "Remote Access"
        set tcp-portrange 49152-65535
    next
    edit "TCP-49152-65535-tunnel"
        set category "Tunneling"
        set tcp-portrange 49152-65535
    next
    edit "TCP-49152-65535-voip"
        set category "VoIP, Messaging & Other Applications"
        set tcp-portrange 49152-65535
    next
    edit "TCP-49152-65535-webproxy"
        set category "Web Proxy"
        set tcp-portrange 49152-65535
    next
    edit "TCP-49152-65535-uncat"
        set tcp-portrange 49152-65535
    next
    edit "TCP-49152-65535-web"
        set category "Web Access"
        set tcp-portrange 49152-65535
    next
    edit "TCP-49152-65535-file"
        set category "File Access"
        set tcp-portrange 49152-65535
    next
    edit "TCP-49152-65535-email"
        set category "Email"
        set tcp-portrange 49152-65535
    next
    edit "TCP-49152-65535-network"
        set category "Network Services"
        set tcp-portrange 49152-65535
    next
    edit "TCP-52000-general"
        set category "General"
        set tcp-portrange 52000
    next
    edit "TCP-52000-web"
        set category "Web Access"
        set tcp-portrange 52000
    next
    edit "TCP-52000-file"
        set category "File Access"
        set tcp-portrange 52000
    next
    edit "TCP-52000-email"
        set category "Email"
        set tcp-portrange 52000
    next
    edit "TCP-52000-network"
        set category "Network Services"
        set tcp-portrange 52000
    next
    edit "TCP-52000-auth"
        set category "Authentication"
        set tcp-portrange 52000
    next
    edit "TCP-52000-remote"
        set category "Remote Access"
        set tcp-portrange 52000
    next
    edit "TCP-52000-tunnel"
        set category "Tunneling"
        set tcp-portrange 52000
    next
    edit "TCP-52000-voip"
        set category "VoIP, Messaging & Other Applications"
        set tcp-portrange 52000
    next
    edit "TCP-52000-webproxy"
        set category "Web Proxy"
        set tcp-portrange 52000
    next

end 


'업무이야기 > Fortinet' 카테고리의 다른 글

[FortiGate의 자주 쓰는 debug 명령]  (0) 2018.05.08
Fortigate IPv6 over IPv4 VPN Tunnel  (0) 2018.05.08
FortiGate Service Objects Category별 우선 순위  (0) 2018.05.08
FortiSandbox Cluster  (0) 2018.05.08
FortiAuthenticator FSSO 설정  (0) 2018.05.08
FortiSandbox VM package  (0) 2018.05.08