쫑콩아빠의 지금 이 순간...

FortiAP Configuration

To enable the FortiAP using Zero Configuration:
1. After connecting the FortiAP unit as described in the previous chapter, the unit goes through its boot procedure and requests an IP address from the DHCP server.
2. If the IP address is retrieved successfully, the FortiAP enters discovery mode to locate a FortiGate or FortiWifi wireless controller. The discovery modes are:
• Broadcast
• Multicast
• DHCP option 138
3. Verify that the FortiAP has successfully connected to the controller.
In the FortiGate Web-based Manager, go to WiFi Controller > Managed Access Points > Managed FortiAP. A successfully discovered unit displays an orange circle with a question mark.
4. Select the access point and click Edit.
5. In the State field, select Authorize.
6. In the AP Profile field, select Change, then select a profile from the list and click OK.
The configuration is downloaded from the wireless controller to the FortiAP and the WiFi LED lights up.
To enable the FortiAP with a static IP address:
1. Connect the FortiAP device to a separate private switch or hub, or directly connect it to your management computer via a cross-over cable.
2. Configure the management computer to be on the same subnet as the internal interface of the FortiAP unit:
a. Browse to the Network and Sharing Center > Change Adapter Settings > Local Area Connection Properties > Internet Protocol Version 4 (TCP/IPv4) Properties.
b. Change the IP address of the management computer to 192.168.1.3 and the netmask to 255.255.255.0.
3. Use a Telnet apllication to connect to IP address 192.168.1.2.
4. Type admin in the Name field, leave the Password field blank, and press Enter.
5. Configure a static IP address for the FortiAP unit and netmask & gateway information for your network, using the following commands:
cfg -a ADDR_MODE=STATIC
cfg –a AP_IPADDR=xxx.xxx.xxx.xx
cfg –a AP_NETMASK=255.255.255.0
cfg –a IPGW=yyy.yyy.yyy.yyy
cfg –a AC_IPADDR_1=zzz.zzz.zzz.zzz
where xxx is the IP address of the FortiAP unit, yyy is the Gateway IP address and zzz is the IP address of the FortiGate Wireless Controller.
6. Save the configuration by typing the following command:
cfg –c
7. Unplug the FortiAP unit and plug it back in order for the configuration to take effect.
8. Move the FortiAP to the intended deployment location and connect the Ethernet cable as described in the Connecting Your FortiAP Unit section.
9. Log in to the FortiGate controller Web-based Manager, and go to WiFi Controller > Managed Access Points > Managed FortiAP. A successfully discovered unit displays an orange circle with a question mark in the Status column.
10. Select the access point and click Edit.
11. In the State field, select Authorize.
12. In the Edit FortiAP dialog box, select Enable Wireless Radio. Leave the remaining settings at their default values. The configuration is downloaded from the FortiGate unit to the FortiAP device.
For more information, see the Deploying Wireless Networks Guide, available on Fortinet’s technical documentation website, http://docs.fortinet.com.

diagnose debug enable
diagnose debug flow show console enable
diagnose debug flow filter add 10.10.20.30
diagnose debug flow trace start 100


fg60cxadsl # diagnose sys session filter src 192.168.1.110
fg60cxadsl # diagnose sys session filter dport 80


Next it's time to clear the session by issuing thesession clear command as follows:

fg60cxadsl # diagnose sys session clear
Step 3: Sniffer trace

Take a sniffer trace as per the following examples when running a constant ping (or TCP connection) from PC1 to PC2.
This will answer the following questions:
- Is traffic arriving to the FortiGate and does it arrive on the expected port?- Is the ARP resolution correct for the targeted next-hop?- Is the traffic exiting the FortiGate to the destination?- Is the traffic sent back to the source?

FGT# diagnose sniffer packet any "host <PC1> or host <PC2>" 4

or

FGT# diagnose sniffer packet any "(host <PC1> or host <PC2>) and icmp" 4


Including the ARP protocol in the filter may be useful to troubleshoot a failure in the ARP resolution (for instance PC2 may be down and not responding to the FortiGate ARP requests)

FGT# diagnose sniffer packet any "host <PC1> or host <PC2> or arp" 4


To stop the sniffer, type CTRL+C.

Step 4: Debug flow

Traffic should come in and leave the FortiGate. If not, proceed with a debug flow as follows:

diag debug enable
diag debug flow filter add <PC1>    or    diag debug flow filter add <PC2>
diag debug flow show console enable
diag debug flow trace start 100          <== this will display 100 packets for this flow
diag debug enable


To stop all other debug, type "diag debug flow trace stop".

Step 5: Session list

diag sys session filter src PC1
diag sys session list 

or 

diag sys session filter dst PC1
diag sys session list 

To clear all sessions corresponding to a filter:

diag sys session filter dst PC1
diag sys session clear

1. VDOM enable
conf sys global
set vdom-admin enable
end

2. Create VDOM
conf vdom
edit test

3. VDOM mode setting
TP
conf vdom
edit test
conf sys setting
set opmode transparent
set manageip 10.10.10.1/32
end
end

4. Management Port setting
conf sys interface
edit mgmt
set vdom root
set ip 10.10.10.1/24
next
edit port1
set vdom test
next
edit port2
set vdom test
next
edit port4
set ip 192.168.12.1/24
set allowaccess ping https ssh snmp telnet
next
end

5. Sessins-sync setting
conf system session-sync
edit 1
set peerip 192.168.12.2
set syncvd test
next
end

6. HA setting
conf sys ha
set hbdev port3 100
set session-sync-dev port4
set hb-interval 4
set hb-lost-threshold 12
set ha-uptime-diff-margin 1
set session-pickup enable
set session-pickup-connectionless enable
set session-pickup-expectation enable
set session-pickup-nat enable
set standalone-config-sync enable
set override disable
end

get system sql
diagnose sql status
diagnose sql show db-size
diagnose log device
diagnose sql process list
diagnose dvm device list
diagose fortilogd msgrate-device
diagose fortilogd lograte
get system performance
get system status
execute log device logstore list

fortigate # config firewall profile-protocol-options
fortigate (profile-protocol~ons) # edit default
fortigate (default) # config smtp
fortigate (default) # set uncompressed-oversize-limit 5
fortigate (smtp) # get
ports : 25
status : enable
inspect-all : disable
options : oversize
oversize-limit : 10
uncompressed-oversize-limit: 5
uncompressed-nest-limit: 12
scan-bzip2 : enable
server-busy : disable

1.     get system performance status
-       현재 CPU & Memory, Traffic 사용량, Session수 및 Uptime 확인
2.     get system status
-       OS Version 및 Serial 정보 확인
3.     diag debug crashlog read
-       프로세서 Crash 내역 및 FortiGate의 주요 이슈 사항 확인
4.     diag log alertconsole list
-       관리자 계정 Login 실패 기록, 장비 재시작, 전원 off, FortiGuard 업데이트 내역 확인
5.     diag hardware device nic port1
-       해당 Port의 Speed/Duplex 및 Error확인 가능
6.     diag netlink device list
-       전체 Port에 대한 Error 확인
7.     get route info routing-table all
-       Routing Table 확인
8.     get sys arp
-       ARP Table 확인
9.     get system interface
-       Interface IP정보 확인

10. 기타
# excute tac report

# fnsysctl ls -l /dev/shm
# fnsysctl ls -l /tmp
# diagnose hardware sysinfo shm
# diagnose hardware sysinfo slab
# diagnose hardware sysinfo interrupt
# diagnose ip arp list
# diagnose ip rtcache list
# diagnose ip router command show show int
# diagnose ips anomaly list
# diagnose ips anomaly status
# diagnose ips dissector status
# diagnose ips packet status
# diagnose ips raw status
# get ips session
# diagnose sys session stat
# get system auto-update status
# get system auto-update versions
# diagnose test update info
# diagnose sys flash list
# fnsysctl df -k
# diagnose sys logdisk smart
# diagnose sys logdisk status
# diagnose sys ha status
# diagnose sys ha showcsum
# diagnose sys ha hadiff status
# diagnose sys ha dump-by all-vcluster
# diagnose sys ha dump-by rcache
# diagnose sys ha dump-by all-group
# diagnose sys ha dump-by memory
# diagnose sys ha dump-by vdom
# diagnose sys ha dump-by debug-zone
# diagnose sys ha dump-by kernel
# diagnose sys ha dump-by device
# get sys session-info statistics
# get system session-info ttl
# get system session-helper-info list
# diagnose netlink aggregate list
# diagnose netlink brctl list
# diagnose netlink device list
# diagnose firewall fqdn list
# diagnose firewall iplist list
# diagnose firewall ipmac list
# diagnose firewall ipmac status
# diagnose firewall iprope list
# get firewall proute
# diagnose firewall schedule list
# get system performance firewall statistics
# get router info routing-table all
# get router info routing-table database
# get vpn ipsec stats crypto
# get vpn ipsec tunnel details
# get vpn status ssl list
# get webfilter ftgd-statistics
# get webfilter status
# diagnose spamfilter fortishield statistics list
# diagnose spamfilter fortishield servers
# get hardware nic mgmt2
# get hardware nic mgmt1
# get hardware nic port32
# get test proxyacceptor 1
# get test proxyacceptor 4
# get test proxyworker 1
# get test proxyworker 4
# get test proxyworker 4444
# get test http 444
# get test http 11
# diagnose sys scanunit stats all
# get test urlfilter 10
# diagnose sys sip-proxy filter clear
# diagnose sys sip-proxy redirect list
# diagnose sys sip-proxy config list
# diagnose sys sip-proxy config profiles
# diagnose sys sip-proxy meters list
# diagnose sys sip-proxy stats proto
# diagnose sys sip-proxy stats call
# diagnose sys sip-proxy stats udp
# diagnose sys sip-proxy calls idle
# diagnose sys sip-proxy session list
# diagnose sys sccp-proxy stats list
# diagnose sys sccp-proxy phone list
# get test ipsmonitor 1
# get test ipsmonitor 3
# get test radiusd 5
# diagnose test application miglogd 6
# diagnose debug crashlog read

http://alstechcorner.blogspot.kr/2014/01/how-to-automate-fortigate-configuration.html

USERS-FW2 # config firewall ipmacbinding setting
USERS-FW2 (setting) # show full-configuration
config firewall ipmacbinding setting
set bindthroughfw enable
set bindtofw enable
set undefinedhost block
end

USERS-FW2 # config firewall ipmacbinding table
USERS-FW2 (table) # show full-configuration
config firewall ipmacbinding table
edit 1
set ip 10.10.10.100
set mac 00:e0:4c:50:22:f2
set name "sbbaek"
set status enable
next
end

USERS-FW2 # config system interface
USERS-FW2 (interface) # edit mgmt2
set ipmac enable
next
end