
##
## GigaVUE-OS running-config excerpt for host HC1: a management address on
## eth0, one GigaSMART group (GSHS) with SSL decryption enabled, and a single
## map that passes all IPv4/IPv6 from network port 1/1/g1 to tool port 1/1/g2.
##
##
## Network interface configuration
##
interface eth0
  no dhcp
  ip address 192.168.1.13 /24
  exit
##
## Network interface IPv6 configuration
##
interface eth0
  no ipv6 dhcp client enable
  exit
##
## Routing configuration
##
ip default-gateway 192.168.1.1 eth0
##
## Other IP configuration
##
hostname HC1
ip domain-list inner
ip name-server 168.126.63.1
##
## Other IPv6 configuration
##
no ipv6 enable
##
## Logging configuration
##
## Remote syslog target; "trap warning" sets the severity threshold for this
## host. The same host also receives the SNMP traps configured at the end of
## this file, so it should sit on the management network.
logging 192.168.1.245
logging 192.168.1.245 trap warning
##
## Port level configurations
##
## 1/1/g1 is the network (ingress) port and 1/1/g2 the tool (egress) port used
## by the map below; both are administratively enabled.
port 1/1/g1 type network
port 1/1/g1 params admin enable
port 1/1/g2 type tool
port 1/1/g2 params admin enable
##
## Gigastream hash configurations
##
gigastream advanced-hash slot 1/cc1 default
##
## Gsgroup configurations
##
## GigaSMART group GSHS bound to engine port 1/1/e1.
gsgroup alias GSHS port-list 1/1/e1
##
## IP Interface configurations
##
## GigaSMART IP interface on 1/1/g1 with 192.168.1.10/24, i.e. on the same
## subnet as the eth0 management address above.
ip interface alias IN-VPN
  attach 1/1/g1
  ip address 192.168.1.10 /24
  gw 192.168.1.1
  gsgroup add GSHS
  exit
##
## Gs params configurations
##
## Mostly default values. Security-relevant lines: ssl-decrypt is enabled with
## decrypt-fail-action drop and non-ssl-traffic drop, so what leaves the tool
## port after this gsgroup may be decrypted cleartext; the tool side and the
## 10800 s key-cache / ticket-cache timeouts should be treated accordingly.
gsparams gsgroup GSHS
  cpu utilization type total rising 80
  dedup-action drop
  dedup-ip-tclass include
  dedup-ip-tos include
  dedup-tcp-seq include
  dedup-timer 50000
  dedup-vlan ignore
  diameter-packet timeout 2
  diameter-s6a-session limit 10000
  diameter-s6a-session timeout 30
  eng-watchdog-timer 60
  erspan3-timestamp format none
  flow-mask disable
  flow-sampling-rate 5
  flow-sampling-timeout 1
  flow-sampling-type device-ip
  generic-session-timeout 5
  gtp-control-sample enable
  gtp-flow timeout 48
  gtp-persistence disable
  gtp-persistence file-age-timeout 30
  gtp-persistence interval 10
  gtp-persistence restart-age-time 30
  gtp-randomsample disable
  gtp-randomsample interval 12
  ip-frag forward enable
  ip-frag frag-timeout 10
  ip-frag head-session-timeout 30
  lb failover disable
  lb failover-thres lt-bw 80
  lb failover-thres lt-pkt-rate 1000
  lb replicate-gtp-c disable
  lb use-link-spd-wt disable
  node-role disable
  resource buffer-asf disable
  resource cpu overload-threshold 90
  resource hsm-ssl buffer disable
  resource hsm-ssl packet-buffer 1000
  resource inline-ssl standalone enable
  resource metadata disable
  resource packet-buffer overload-threshold 80
  resource xpkt-pmatch num-flows 0
  session logging level none
  sip-media timeout 30
  sip-nat disable
  sip-session timeout 30
  sip-tcp-idle-timeout 20
  ssl-decrypt decrypt-fail-action drop
  ssl-decrypt enable
  ssl-decrypt hsm-pkcs11 dynamic-object enable
  ssl-decrypt hsm-pkcs11 load-sharing enable
  ssl-decrypt hsm-timeout 1000
  ssl-decrypt key-cache-timeout 10800
  ssl-decrypt non-ssl-traffic drop
  ssl-decrypt pending-session-timeout 60
  ssl-decrypt session-timeout 300
  ssl-decrypt tcp-syn-timeout 20
  ssl-decrypt ticket-cache-timeout 10800
  tunnel-health-check action pass
  tunnel-health-check disable
  tunnel-health-check dstport 54321
  tunnel-health-check interval 600
  tunnel-health-check protocol icmp
  tunnel-health-check rcvport 54321
  tunnel-health-check retries 5
  tunnel-health-check roundtriptime 1
  tunnel-health-check srcport 54321
  xpkt-pmatch disable
  exit
##
## Gsop configurations
##
## gsope1 strips the VXLAN header before delivery to the tool (the trailing 0
## is presumably a wildcard VNI - confirm against the GigaVUE-OS CLI guide).
gsop alias gsope1 strip-header vxlan 0 port-list GSHS
##
## Traffic map connection configurations
##
## Pass rules for IPv4 and IPv6, i.e. all traffic, from 1/1/g1 through gsope1
## to tool port 1/1/g2.
map alias 01.G2-G1_HS_MAP
  type regular byRule
  roles replace admin to owner_roles
  use gsop gsope1
  rule add pass ipver 4
  rule add pass ipver 6
  to 1/1/g2
  from 1/1/g1
  exit
##
## SNMP configuration
##
## Trap receiver uses SNMP v2c with the default community "public": v2c sends
## the community in cleartext and "public" is a well-known default, so prefer
## SNMPv3 (authPriv) or at minimum a non-default community reachable only
## from the management network.
no snmp-server host 192.168.1.245 disable
snmp-server host 192.168.1.245 traps port 162 version 2c public

SRX IPSec Tunnel Sample. Note that the `show | display set` output below still contains the root and user password hashes and the `$9$` obfuscated IKE pre-shared key; `$9$` encoding is reversible, so redact these lines before sharing a configuration and rotate the PSK if it has been exposed. The sample also uses legacy IKEv1 main mode with 3des-cbc/sha1/group5 and opens `host-inbound-traffic system-services all` on the untrust interface, which is fine for a lab but should be tightened in production.
root@SRX_Test# show | display set | no-more
set version 15.1X49-D90.7
set system host-name SRX_Test
set system root-authentication encrypted-password "$5$ZZrR8Xx5$ZPpG6X5ugNL7s0dHqj.URP4v6YhfzLqkDk3TrtfWHh8"
set system name-server 8.8.8.8
set system login user isd uid 2001
set system login user isd class super-user
set system login user isd authentication encrypted-password "$5$7i/tv6W2$eU0ilDNMbZQhZHff4gUFbtqTFIwigO3SiY8yqpD/.n0"
set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
set security ike proposal IKE-PROPOSAL dh-group group5
set security ike proposal IKE-PROPOSAL authentication-algorithm sha1
set security ike proposal IKE-PROPOSAL encryption-algorithm 3des-cbc
set security ike proposal IKE-PROPOSAL lifetime-seconds 28800
set security ike policy IKE-POLICY mode main
set security ike policy IKE-POLICY proposals IKE-PROPOSAL
set security ike policy IKE-POLICY pre-shared-key ascii-text "$9$-nd4aJGiqPQdbmTQ3tp0BIhlM7Nbg4Z8L2aZU.mcylvNd"
set security ike gateway VPN-GATEWAY ike-policy IKE-POLICY
set security ike gateway VPN-GATEWAY address 10.1.2.201
set security ike gateway VPN-GATEWAY dead-peer-detection interval 10
set security ike gateway VPN-GATEWAY dead-peer-detection threshold 1
set security ike gateway VPN-GATEWAY nat-keepalive 10
set security ike gateway VPN-GATEWAY external-interface ge-0/0/0.0
set security ipsec proposal IPSEC-PROPOSAL protocol esp
set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm 3des-cbc
set security ipsec proposal IPSEC-PROPOSAL lifetime-seconds 86400
set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group5
set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL
set security ipsec vpn IPSEC-VPN bind-interface st0.1
set security ipsec vpn IPSEC-VPN ike gateway VPN-GATEWAY
set security ipsec vpn IPSEC-VPN ike proxy-identity local 172.15.0.0/24
set security ipsec vpn IPSEC-VPN ike proxy-identity remote 172.15.1.0/24
set security ipsec vpn IPSEC-VPN ike proxy-identity service any
set security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-POLICY
set security ipsec vpn IPSEC-VPN establish-tunnels immediately
set security flow tcp-mss ipsec-vpn mss 1350
set security nat source rule-set src-nat from zone trust
set security nat source rule-set src-nat to zone untrust
set security nat source rule-set src-nat rule r1 match source-address 0.0.0.0/0
set security nat source rule-set src-nat rule r1 then source-nat interface
set security forwarding-process enhanced-services-mode
set security policies from-zone trust to-zone untrust policy permit-all match source-address any
set security policies from-zone trust to-zone untrust policy permit-all match destination-address any
set security policies from-zone trust to-zone untrust policy permit-all match application any
set security policies from-zone trust to-zone untrust policy permit-all then permit
set security policies from-zone trust to-zone vpn policy permit-all match source-address any
set security policies from-zone trust to-zone vpn policy permit-all match destination-address any
set security policies from-zone trust to-zone vpn policy permit-all match application any
set security policies from-zone trust to-zone vpn policy permit-all then permit
set security policies from-zone vpn to-zone trust policy permit-all match source-address any
set security policies from-zone vpn to-zone trust policy permit-all match destination-address any
set security policies from-zone vpn to-zone trust policy permit-all match application any
set security policies from-zone vpn to-zone trust policy permit-all then permit
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.1
set interfaces ge-0/0/0 unit 0 family inet address 10.1.2.115/24
set interfaces ge-0/0/1 unit 0 family inet address 172.15.0.1/24
set interfaces st0 unit 1 family inet
set routing-options static route 0.0.0.0/0 next-hop 10.1.2.1
set routing-options static route 172.15.1.0/24 next-hop st0.1
[edit]
root@SRX_Test# run show security ike sa
Index State Initiator cookie Responder cookie Mode Remote Address
6299423 UP f51982a09b260851 3fcd24f6bec6f419 Main 10.1.2.201
6299424 UP 25885c239e958271 92d1dde980db90c8 Main 10.1.2.201
[edit]
root@SRX_Test# run show security ipsec sa
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:3des/sha1 44d00f02 84435/unlim - root 500 10.1.2.201
>131073 ESP:3des/sha1 46f0dfb7 84435/unlim - root 500 10.1.2.201
[edit]
root@SRX_Test#
======================================================================================================================================================
The FortiGate `get vpn ipsec tunnel details` output below prints the live ESP session keys (the `enc:` and `auth:` lines) next to their SPIs; these must be redacted before such output is shared, and an SA whose keys have been exposed should be considered compromised and rekeyed.
FWF90D3Z13006231 # get vpn ipsec tunnel details
gateway
name: 'VPN-GW'
type: route-based
local-gateway: 10.1.2.201:0 (static)
remote-gateway: 10.1.2.115:0 (static)
mode: ike-v1
interface: 'wan1' (6)
rx packets: 0 bytes: 0 errors: 0
tx packets: 0 bytes: 0 errors: 7870
dpd: on-demand/negotiated idle: 20000ms retry: 3 count: 0
selectors
name: 'VPN-TUNNEL'
auto-negotiate: disable
mode: tunnel
src: 0:172.15.1.0/255.255.255.0:0
dst: 0:172.15.0.0/255.255.255.0:0
SA
lifetime/rekey: 86400/79426
mtu: 1446
tx-esp-seq: 1
replay: enabled
inbound
spi: 46f0dfb7
enc: 3des 6b1ddb0ba8c46a879e22dd055ae0c5b643983f4d68d72ff1
auth: sha1 ce45021dbfac556674600ff9cb08faf7d942d48f
outbound
spi: 44d00f02
enc: 3des aa81515e22c7e8eefce24d6ff740b1b3c4cec463d6dd15b5
auth: sha1 69dff90febd00f5d4e64637c73dec32527ddbba7
NPU acceleration: none
FWF90D3Z13006231 #
FWF90D3Z13006231 # get vpn ip tunnel summary
'VPN-GW' 10.1.2.115:0 selectors(total,up): 1/1 rx(pkt,err): 0/0 tx(pkt,err): 0/7902
FWF90D3Z13006231 # get ipsec tunnel list
NAME REMOTE-GW PROXY-ID-SOURCE PROXY-ID-DESTINATION STATUS TIMEOUT
VPN-GW 10.1.2.115:0 172.15.1.0/255.255.255.0 172.15.0.0/255.255.255.0 up 79367

IP Tunnel Receiving End Configuration

port 1/1/x1 type network

port 1/1/x5 type tool

gsgroup alias GS51 port-list 1/5/e1

tunneled-port 1/1/x1 ip 192.168.51.80/24 gateway 192.168.51.1 mtu 9600 port-list GS51

gsop alias Remote2HQtunnel tunnel-decap type gmip portdst 8001 port-list GS51

map alias FieldCallCtrDB

# comment "Field Call Center database traffic received at HQ"
# use gsop Remote2HQtunnel
# rule add pass ipsrc 172.16.10.88
# from 1/1/x1
# to 1/1/x5
# exit

 

 


IP Tunnel Sending End Configuration

port 1/1/x1 type network

port 1/1/x5 type tool

gsgroup alias GS51 port-list 1/5/e1

tunneled-port 1/1/x5 ip 172.16.10.88/24 gateway 172.16.10.1 mtu 9600 port-list GS51

gsop alias Chicago2HQ tunnel-encap type gmip portsrc 8000 portdst 8001 ipdst 192.168.51.80 port-list GS51

map alias ChicagoDBtoHQ

# comment "Chicago Call Center Database traffic sent to HQ"
# use gsop Chicago2HQ
# rule add pass portsrc 1521 bidir
# from 1/1/x1
# to 1/1/x5
# exit

 

 


https://www.gigamon.com/products/optimize-traffic/traffic-intelligence/gigasmart/tunneling-erspan-termination.html

 

Remote Traffic Tunneling | ERSPAN Termination | GigaSMART | Gigamon

GigaSMART® Tunneling helps alleviate blindness of business-critical traffic at remote sites, virtualized data centers or hosted in a public cloud.

www.gigamon.com

Extend monitoring to remote sites and the cloud

The Tunneling feature is a licensable addition to the GigaSMART® engine that helps alleviate blindness of business-critical traffic at remote sites, virtualized data centers, or hosted in a public cloud. Tunneling is used in conjunction with Flow Mapping® technology to select traffic at remote sites that should be subject to additional inspection. That traffic subset can then be forwarded via IP/UDP or L2GRE encapsulation to centralized monitoring and security resources. Tunneling also works with GigaVUE-VM for VMware, GigaVUE-VM for OpenStack, and Visibility Platform for AWS to select and tunnel traffic from within virtual environments to the Gigamon® Visibility Platform via L2GRE tunnels. With Tunneling, physical networks can utilize cloud-based tools and load balance across multiple instances.

Benefits of the Tunneling feature

  • Provides security teams with access to suspicious traffic anywhere within the organization, local or remote, physical or virtual.
  • Eliminates the cost of deploying and managing tools at branch offices and remote sites.
  • Preserves the processing power of hypervisors to handle workload, instead of management and monitoring.
  • Immediately extends monitoring and security to new acquisitions or temporary installations until other arrangements can be made.
  • Enables load balancing across multiple IP-addressable virtual and cloud-based tools.
  • Allows operators to take advantage of existing Cisco NEXUS features by forwarding traffic via ERSPAN tunnels to the Gigamon Visibility Platform.

 


GigaSMART ERSPAN Tunnel Decapsulation
Some Cisco equipment provides the ability to mirror monitored traffic to a remote destination through an ERSPAN tunnel. Using ERSPAN tunnel decapsulation, GigaSMART can act as the receiving end of an ERSPAN tunnel, decapsulating mirrored traffic sent over the Internet from a Cisco switch or router.

ERSPAN Tunnel Header Removal Example
In this example, a tunnel is configured to capture ERSPAN packets, then the ERSPAN header is removed and the packets are forwarded to a tool port.

 

Step

Description

Command

1.    
Configure a tool type of port.

(config) # port 1/1/g1 type tool

2.  
Configure a GigaSMART group and associate it with a GigaSMART engine port.

(config) # gsgroup alias gsgp1 port-list 1/3/e1

3.  
Configure the IP interface.

(config) # ip interface alias test

(config ip interface alias test) # attach 1/1/g1

(config ip interface alias test) # ip address 10.10.10.10 /29

(config ip interface alias test) # gw 10.10.10.1

(config ip interface alias test) # mtu 9400

(config ip interface alias test) # gsgroup add gsgp1

(config ip interface alias test) # exit

4.  
Configure the GigaSMART operation and assign it to the GigaSMART group.

Note: A flow ID of zero is a wildcard value that matches all flow IDs.

(config) # gsop alias er1 tunnel-decap type erspan flow-id 0 port-list gsgp1

5.  
Create a map.

(config) # map alias ermap
(config map alias ermap) # type regular byRule
(config map alias ermap) # use gsop er1
(config map alias ermap) # rule add pass protocol gre
(config map alias ermap) # from 1/1/g2
(config map alias ermap) # to 1/1/g1
(config map alias ermap) # exit
(config) #

6.  
Display the configuration for this example.

(config) # show gsgroup
(config) # show gsop
(config) # show ip interfaces
(config) # show map

ERSPAN Type III Tunnel Header Removal Example
In this example, a tunnel is configured to capture ERSPAN packets. ERSPAN Type III packets are parsed, the ERSPAN header is removed, and the timestamp is calculated. A timestamp trailer is added before the packets are forwarded to a tool port.

 

Step

Description

Command

1.    
Configure a tool type of port.

(config) # port 1/1/g1 type tool

2.  
Configure a GigaSMART group and associate it with a GigaSMART engine port.

(config) # gsgroup alias gsgp1 port-list 1/3/e1

3.  
Configure the IP interface.

(config) # ip interface alias test

(config ip interface alias test) # attach 1/1/g1

(config ip interface alias test) # ip address 10.10.10.10 /29

(config ip interface alias test) # gw 10.10.10.1

(config ip interface alias test) # mtu 9400

(config ip interface alias test) # gsgroup add gsgp1

(config ip interface alias test) # exit

4.  
Configure the GigaSMART operation and assign it to the GigaSMART group.

Note: A flow ID of zero is a wildcard value that matches all flow IDs.

(config) # gsop alias gsop_erspan tunnel-decap type erspan flow-id 0 port-list gsgp1

5.  
Configure a timestamp trailer format.

(config) # gsparams gsgroup gsgp1 erspan3-timestamp format gs

6.  
Create a map. The map contains a rule to allow marker packets (UDP) to be processed.

(config) # map alias ermap
(config map alias ermap) # type regular byRule
(config map alias ermap) # use gsop gsop_erspan
(config map alias ermap) # rule add pass protocol gre
(config map alias ermap) # rule add pass protocol udp
(config map alias ermap) # from 1/1/g2
(config map alias ermap) # to 1/1/g1
(config map alias ermap) # exit
(config) #

7.  
View the ERSPAN III timestamp

(config) # show gsparams
8.  
View the ERSPAN statistics.

(config) # show gsop stats alias gsop_erspan
Refer to the “ERSPAN Statistics Definitions” section and to the “GigaSMART Operations Statistics Definitions” in the GigaVUE-FM User’s Guide for details.

 

 


GigaSMART VxLAN Tunnel Decapsulation
Refer to the “GigaSMART VxLAN Tunnel Decapsulation” section in the GigaVUE-FM User’s Guide for details.

VxLAN Tunnel Termination Example
 

Step

Description

Command

1.    
Configure a tool type of port.

(config) # port 1/1/g1 type tool

2.  
Configure a GigaSMART group and associate it with a GigaSMART engine port.

(config) # gsgroup alias gsgp1 port-list 1/3/e1

3.  
Configure the IP interface.

(config) # ip interface alias test

(config ip interface alias test) # attach 1/1/g1

(config ip interface alias test) # ip address 10.10.10.10 /29

(config ip interface alias test) # gw 10.10.10.1

(config ip interface alias test) # mtu 9400

(config ip interface alias test) # gsgroup add gsgp1

(config ip interface alias test) # exit

4.  
Configure the GigaSMART operation and assign it to the GigaSMART group.

(config) # gsop alias vxlan1 tunnel-decap type vxlan portsrc 200 portdst 4789 vni 200 port-list gsgp1

5.  
Create a map.

(config) # map alias map1
(config map alias map1) # type regular byRule
(config map alias map1) # use gsop vxlan1
(config map alias map1) # rule add pass protocol udp
(config map alias map1) # from 1/1/g2
(config map alias map1) # to 1/1/g1
(config map alias map1) # exit
(config) #

6.  
View the VxLAN tunnel GSOP.

(config) # show gsop alias vxlan1

7.  
View the VxLAN tunnel statistics.

(config) # show gsop stats alias vxlan1
Refer to the “Tunnel Decapsulation Statistics Definitions” section and the “GigaSMART Operations Statistics Definitions” in the GigaVUE-FM User’s Guide for details.

 

 

Configure FortiGate A interfaces
 
config system interface
edit port2
set ip 10.0.0.1/24
next
edit port3
config ipv6
set ip6-address fec0::0001:209:0fff:fe83:25f3/64
end
 
Configure FortiGate A IPsec settings (the `psksecret` below is written in clear text and the proposals are limited to 3des-md5/3des-sha1; outside this lab example use a unique, high-entropy PSK and current AES/SHA-2 proposals, and note that the same PSK is repeated in the FortiGate B section)
config vpn ipsec phase1-interface
edit toB
set interface port2
set remote-gw 10.0.1.1
set dpd enable
set psksecret maryhadalittlelamb
set proposal 3des-md5 3des-sha1
end
 
config vpn ipsec phase2-interface
edit toB2
set phase1name toB
set proposal 3des-md5 3des-sha1
set pfs enable
set replay enable
set src-addr-type subnet6
set dst-addr-type subnet6
end
 
Configure FortiGate A security policies
 
config firewall policy6
edit 1
set srcintf port3
set dstintf toB
set srcaddr all6
set dstaddr all6
set action accept
set service ANY
set schedule always
next
 
edit 2
set srcintf toB
set dstintf port3
set srcaddr all6
set dstaddr all6
set action accept
set service ANY
set schedule always
end
Configure FortiGate A routing
 
config router static6
edit 1
set device toB
set dst fec0:0000:0000:0004::/64
end
config router static
edit 1
set device port2
set dst 0.0.0.0/0
set gateway 10.0.0.254
end
 
Configure FortiGate B
 
config system interface
edit port2
set ip 10.0.1.1/24
next
edit port3
config ipv6
set ip6-address fec0::0004:209:0fff:fe83:2569/64
end
config vpn ipsec phase1-interface
edit toA
set interface port2
set remote-gw 10.0.0.1
set dpd enable
set psksecret maryhadalittlelamb
set proposal 3des-md5 3des-sha1
end
config vpn ipsec phase2-interface
edit toA2
set phase1name toA
set proposal 3des-md5 3des-sha1
set pfs enable
set replay enable
set src-addr-type subnet6
set dst-addr-type subnet6
end
config firewall policy6
edit 1
set srcintf port3
set dstintf toA
set srcaddr all6
set dstaddr all6
set action accept
set service ANY
set schedule always
next
edit 2
set srcintf toA
set dstintf port3
set srcaddr all6
set dstaddr all6
set action accept
set service ANY
set schedule always
end
config router static6
edit 1
set device toA
set dst fec0:0000:0000:0000::/64
end
config router static
edit 1
set device port2
set gateway 10.0.1.254
end

 

 