Last active
March 12, 2025 06:34
Revisions
githubfoam revised this gist
Jun 11, 2024 . 1 changed file with 147 additions and 0 deletions.
@@ -1114,7 +1114,154 @@ S* 0.0.0.0/0 [10/0] via 10.0.1.254, wan1 ... other routes ... C accounting.yourcompany.com/32 is directly connected, internal Here, you can see the static route with the destination address as the resolved IP (not the FQDN) followed by a directly connected route for the actual server with the resolved IP assigned. #===================================================================== #chatgpt FGT1# get router info routing-table all The command get router info routing-table all on FortiOS 7.2 retrieves and displays the routing table information for all Virtual Routing and Forwarding (VRF) instances on the FortiGate device. Let's break down the output step by step to understand what each line represents. Command Explanation Command: plaintext FGT1# get router info routing-table all This command is executed on a FortiGate device and it retrieves the routing table information for all VRFs. Output Explanation Output: plaintext Routing table for VRF-0 This indicates that the routing table information being displayed is for VRF-0, the default VRF instance. Routing Table Entries Each line in the routing table provides specific information about a route: Route Type: S: Static route C: Connected route Destination Network: This specifies the network address and subnet mask of the destination network. Administrative Distance / Metric: These values are used to determine the priority of the route. Next-Hop IP Address and Interface: The IP address of the next-hop router and the interface used to reach this network. Additional Metrics: Further metrics for more specific routing decisions. 
Detailed Output Breakdown Example Entry: plaintext S 0.0.0.0/0 [10/01] via 172.20.121.2, port1, [1/0] S: Static route 0.0.0.0/0: Default route (matches all IP addresses) [10/01]: Administrative distance (10) / Metric (01) via 172.20.121.2: Next-hop IP address port1: Interface to use [1/0]: Additional metric values (e.g., weight, preference) Connected Routes: plaintext C 172.20.121.0/24 is directly connected, port1 C 172.20.168.0/24 is directly connected, port2 C 172.20.167.0/24 is directly connected, port3 C: Connected route 172.20.121.0/24: Directly connected network on port1 172.20.168.0/24: Directly connected network on port2 172.20.167.0/24: Directly connected network on port3 Static Routes: plaintext S 10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0] S 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0] S 10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0] S: Static route 10.20.30.0/26, 10.20.30.0/24, 10.30.20.0/24: Destination networks [10/0]: Administrative distance (10) / Metric (0) via 172.20.168.254, 172.20.167.254, 172.20.121.2: Next-hop IP addresses port2, port3, port1: Interfaces to use [1/0]: Additional metric values Summary S (Static routes) and C (Connected routes) indicate the type of route. The destination network and subnet mask follow, showing the network this route applies to. The [AD/Metric] values show the administrative distance and metric used to prioritize routes. via [IP] and port[#] indicate the next-hop IP address and the interface through which the network is reachable. [Additional metrics] provide further details for more specific routing decisions. This command and its output help network administrators understand how traffic will be routed through the FortiGate device, providing crucial information for troubleshooting and network design. 
#===================================================================== #gemini FGT1# get router info routing-table all Routing table for VRF-0 S 0.0.0.0/0 [10/01 via 172.20.121.2, port1, [1/0] C 172.20.121.0/24 is directly connected, portl C 172.20.168.0/24 is directly connected, port2 C 172.20.167.0/24 is directly connected, port3 S 10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0] S 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0] S 10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0] The command get router info routing-table all executed on a FortiGate device running FortiOS 7.2 displays the routing table for all Virtual Routing and Forwarding (VRF) instances. Here's a breakdown of the output you provided: FGT1#: This is the prompt on the FortiGate device, indicating the switch to configuration mode. get router info routing-table all: This is the command used to retrieve the routing table information. get: Keyword to retrieve information. router: Specifies we're interested in routing information. info: Further specifies details about the routing table. routing-table: Indicates we want to see the routing table. all: Shows entries for all VRFs (Virtual Routing and Forwarding instances). Routing Table for VRF-0: This section displays the routing table for the default VRF instance (VRF-0). VRFs allow for separation of routing tables within a single physical router. Here's an explanation of each line: Codes: S: Static route (manually configured route). C: Connected route (directly connected network). Destination Network/Mask [ADmetric]: This specifies the destination network address and subnet mask for which the route applies. [ADmetric]: The Administrative Distance (AD) is a metric used to determine the preferred route in case of multiple paths. A lower AD indicates a more preferred route. Next Hop: This is the IP address of the next hop device used to reach the destination network. 
Interface: This is the interface on the FortiGate through which traffic is routed to reach the destination network. [Distance]: This shows the route's distance or metric used by the routing protocol to determine the best path (shown as [1/0] in this case, which might be a hop count or cost). Breakdown of Specific Routes: S 0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0]: This is a static route for the default internet gateway (0.0.0.0/0) with a next hop of 172.20.121.2 through interface port1. The AD is 10 (might be configurable) and the distance is 1. C 172.20.121.0/24 is directly connected, port1: This is a connected route for the network 172.20.121.0/24 which is directly connected to the FortiGate through interface port1. (Similar entries for other connected networks): There are entries for other directly connected networks on ports 2 and 3. S 10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0]: This is a static route for the network 10.20.30.0/26 with a next hop of 172.20.168.254 through interface port2. The AD is 10 and the distance is 1. (Similar entries for other static routes): There are similar entries for another network (10.30.20.0/24) with a next hop through port1. This output provides a snapshot of the routing table on the FortiGate device, showing how packets are directed to different networks based on their destination addresses. #===================================================================== #get router info routing-table all #verify the routing table -
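Review bot: the two walkthroughs of `get router info routing-table all` pasted here disagree on the trailing `[1/0]` field (the first calls it "Additional metric values (e.g., weight, preference)", the second "the route's distance or metric ... hop count or cost"), so at least one is wrong and neither cites the CLI reference; pick one meaning and source it. The first walkthrough's claim that `all` selects all VRFs is also doubtful: `all` under `get router info routing-table` selects every route source (the sibling keywords are route types such as `static`, `connected` and the routing protocols), and the header `Routing table for VRF-0` shows a single VRF. The second walkthrough's pasted output carries copy errors (`[10/01 via` lacks its closing bracket, `portl` should be `port1`, and `[10/01]` with "Metric (01)" is the same route shown as `[10/0]` a few lines later), and its statement that `FGT1#` "indicat[es] the switch to configuration mode" is incorrect: that is the ordinary CLI prompt, and `get` commands run outside any `config` block.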
githubfoam revised this gist
Mar 5, 2024 . 1 changed file with 30 additions and 0 deletions.
@@ -2482,6 +2482,36 @@ Immediate action is required, and administrators may need to intervene to addres System stability is at risk, and critical functions may be impacted. These thresholds allow administrators to proactively monitor the health of the FortiGate firewall and take appropriate actions based on the severity of the memory usage. It helps in identifying potential issues before they cause major disruptions to the firewall's performance #===================================================================== define memory and CPU usage thresholds: config system global set cpu-use-threshold <percent> set memory-use-threshold-extreme <percent> set memory-use-threshold-green <percent> set memory-use-threshold-red <percent> end cpu-use-threshold Threshold at which CPU usage is reported, in percent of total possible CPU utilization (default = 90). memory-use-threshold-extreme Threshold at which memory usage is considered extreme, and new sessions are dropped, in percent of total RAM (default = 95). memory-use-threshold-green Threshold at which memory usage forces the FortiGate to exit conserve mode, in percent of total RAM (default = 82). memory-use-threshold-red Threshold at which memory usage forces the FortiGate to enter conserve mode, in percent of total RAM (default = 88). #===================================================================== #check the total number of TCP sessions for an IP pool named INTERNAL diagnose firewall ippool-all stats INTERNAL
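Review bot: the four `set` lines give no hint that the three memory thresholds form an ordered set with hysteresis (exit conserve mode below `green`, enter it at `red`, drop new sessions at `extreme`; the listed defaults 82 < 88 < 95 satisfy this), so a reader who lowers `red` without also lowering `green` narrows the gap and the unit can flap in and out of conserve mode. Suggest one comment line after `end` stating green < red < extreme. It is also worth stating that `cpu-use-threshold` only changes when high CPU is reported (its own description says "reported") and has no effect on conserve mode.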
githubfoam revised this gist
Mar 5, 2024 . 1 changed file with 25 additions and 0 deletions.
@@ -1674,6 +1674,31 @@ Select a process.Click the Kill Process dropdown. Kill: the standard kill option that produces one line in the crash log (diagnose debug crashlog read). Force Kill: the equivalent to diagnose sys kill 9 <pid>. This can be viewed in the crash log. Kill & Trace: the equivalent to diagnose sys kill 11 <pid>. This generates a longer crash log and backtrace. A crash log is displayed afterwards. #========================================================================================================================================== When in conserve mode, FortiOS generates conserve mode log messages and SNMP traps, and a conserve mode banner is shown in the GUI. view current information about memory conservation status: # diagnose hardware sysinfo conserve memory conserve mode: on total RAM: 997 MB memory used: 735 MB 73% of total RAM memory freeable: 173 MB 17% of total RAM memory used + freeable threshold extreme: 947 MB 95% of total RAM memory used threshold red: 877 MB 88% of total RAM memory used threshold green: 817 MB 82% of total RAM If the GUI is unresponsive due to high memory usage, making the logs inaccessible, they can be viewed in the CLI: # execute log filter category 1 # execute log display 1: date=2022-11-02 time=16:58:37 eventtime=1667433517502192693 tz="-0700" logid="0100022011" type="event" subtype="system" level="critical" vd="root" logdesc="Memory conserve mode entered" service="kernel" conserve="on" total=997 MB used=707 MB red="877 MB" green="698 MB" msg="Kernel enters memory conserve mode view the crash log in the CLI: # diagnose debug crashlog read #========================================================================================================================================== diag debug rating Show list of FortiGuard Services -
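Review bot: the log excerpt (`green="698 MB"`, `used=707 MB`) does not match the `diagnose hardware sysinfo conserve` output quoted just above it (green threshold 817 MB, 735 MB used on the same 997 MB box), so the two samples come from different devices or threshold settings; label them or use one consistent sample. The `msg="Kernel enters memory conserve mode` string is also missing its closing quote, which reads as a paste truncation. Since this hunk pairs the GUI kill options with their CLI equivalents, a note that `diagnose sys kill 11 <pid>` (Kill & Trace) signals the process with SIGSEGV to force the backtrace, and is therefore disruptive and best run only when support asks for a trace, would help the reader choose between the three options.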
githubfoam revised this gist
Mar 4, 2024 . 1 changed file with 44 additions and 0 deletions.
@@ -1232,6 +1232,50 @@ High CPU and Memory Troubleshooting # diagnose sys top # get system performance top #(use Shift+M for memory usage #===================================================================== How to do initial troubleshooting of high memory utilization issues (conserve mode) Run the command above a few times and compare patterns of memory usage, throughput and number of sessions If the used memory is more than 75%, this may indicate that a further check may be required. get system performance status CPU states: 1% user 0% system 0% nice 99% idle 0% iowait 0% irq 0% softirq CPU0 states: 1% user 0% system 0% nice 99% idle 0% iowait 0% irq 0% softirq Memory: 2004540k total, 586528k used (29%), 1418012k free (71%) Average network usage: 1 / 0 kbps in 1 minute, 0 / 0 kbps in 10 minutes, 0 / 0 kbps in 30 minutes Average sessions: 25 sessions in 1 minute, 25 sessions in 10 minutes, 25 sessions in 30 minutes Average session setup rate: 0 sessions per second in last 1 minute, 0 sessions per second in last 10 minutes, 0 sessions per second in last 30 minutes Virus caught: 0 total in 1 minute IPS attacks blocked: 0 total in 1 minute Uptime: 0 days, 23 hours, 41 minutes find memory usage per process instance. diagnose sys top 1 45 In order: process name, Process ID, Process state, CPU usage %, Memory usage %. '1' stands for refreshing period in seconds '45' stands for a number of processes displayed. See part of it as example below: Run Time: 0 days, 23 hours and 54 minutes 0U, 0N, 0S, 100I, 0WA, 0HI, 0SI, 0ST; 1957T, 1271F newcli 308 R 0.9 0.5 sshd 305 S 0.9 0.5 pyfcgid 142 S 0.0 2.0 reportd 154 S 0.0 1.8 cmdbsvr 120 S 0.0 1.4 pyfcgid 184 S 0.0 1.2 pyfcgid 186 S 0.0 1.2 pyfcgid 185 S 0.0 1.2 forticron 149 S 0.0 1.2 miglogd 139 S 0.0 1.1 httpsd 141 S 0.0 1.1 scanunitd 158 S < 0.0 1.0 #===================================================================== # show system interface # diagnose ip address list -
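Review bot: the summary line `0U, 0N, 0S, 100I, 0WA, 0HI, 0SI, 0ST; 1957T, 1271F` is pasted without a legend; the reader needs U=user, N=nice, S=system, I=idle, WA=I/O wait, HI/SI=hard/soft interrupt, ST=steal, and T/F=total/free memory in MB, plus the process-state column values (R running, S sleeping, `<` high priority) that the "In order:" sentence skips over. `#(use Shift+M for memory usage` is missing its closing parenthesis. The "more than 75%" rule of thumb should be related to the conserve-mode thresholds defined elsewhere in this gist (green 82%, red 88%) so the reader knows how much headroom remains when they see that figure.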
githubfoam revised this gist
Feb 26, 2024 . 1 changed file with 16 additions and 0 deletions.
@@ -2446,5 +2446,21 @@ diagnose debug application update -1 # diagnose autoupdate versions # diagnose antivirus test "get scantime" # execute update-av #===================================================================== # create multiple IP address objects on a FortiGate firewall through the Command Line Interface (CLI) Enter Configuration Mode: config firewall address Create IP Address Objects: For each IP address object, use the following commands: edit RAC_1 set subnet 172.18.12.13 255.255.255.255 next Review Configuration: show firewall address #=====================================================================
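Review bot: the `config firewall address` block is never closed: after the last `next` an `end` is needed before `show firewall address` is run from the top level, otherwise the session is still inside the address table when the review step runs. The heading promises "multiple IP address objects" but only one `edit RAC_1` / `next` pair is shown; either show a second object or say the pair is repeated per object. A comment that `255.255.255.255` makes this a single-host (/32) object would also help.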
githubfoam revised this gist
Feb 17, 2024 . 1 changed file with 14 additions and 0 deletions.
@@ -2433,4 +2433,18 @@ diagnose firewall auth clear #the amount of reserved space on your FortiGate diagnose sys logdisk usage #===================================================================== Check FortiGuard website for latest antivirus database version https://fortiguard.com/updates/antivirus diagnose debug application update -1 # diagnose debug enable # execute update-av # get system performance status # diagnose antivirus database-info # diagnose autoupdate versions # diagnose antivirus test "get scantime" # execute update-av #=====================================================================
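Review bot: `execute update-av` appears twice in this list, and `diagnose debug application update -1` followed by `diagnose debug enable` turns on verbose update-daemon debugging that stays on until `diagnose debug disable` (listed elsewhere in this gist) is run; add the disable step at the end so the debug output is not left running on a production unit after the AV version check.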
githubfoam revised this gist
Feb 17, 2024 . 1 changed file with 4 additions and 1 deletion.
@@ -2429,5 +2429,8 @@ diagnose firewall auth list Clears all authorized users from the current list diagnose firewall auth clear #===================================================================== #the amount of reserved space on your FortiGate diagnose sys logdisk usage #===================================================================== #=====================================================================
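Review bot: two consecutive `#=====` separator lines are left after `diagnose sys logdisk usage`; drop one so the file keeps the one-separator-per-section convention used everywhere else.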
githubfoam revised this gist
Feb 17, 2024 . 1 changed file with 4 additions and 0 deletions.
@@ -1292,6 +1292,10 @@ diagnose debug {enable|disable} FGT# diagnose debug enable FGT# diagnose debug application fnbamd 255 #===================================================================== Tests preshared key between FortiGate and the RADIUS server diagnose test authserver radius-direct <ip> <port> <secret> #===================================================================== #fnbamd FortiGate non-blocking auth daemon diagnose debug application fnbamd
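Review bot: `diagnose test authserver radius-direct <ip> <port> <secret>` takes the RADIUS shared secret as a plaintext CLI argument, so it ends up in terminal scrollback and in any session capture (this gist elsewhere recommends saving debug output with PuTTY logging); add a reminder next to the command to scrub the secret from, or not retain, such captures.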
githubfoam revised this gist
Feb 17, 2024 . 1 changed file with 3 additions and 0 deletions.
@@ -2423,4 +2423,7 @@ show system session-helper Shows authenticated users, associated groups and their IP address diagnose firewall auth list Clears all authorized users from the current list diagnose firewall auth clear #=====================================================================
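Review bot: `diagnose firewall auth clear` is a production-impacting action, not a diagnostic: it drops every authenticated user from the firewall's table and forces them all to re-authenticate. The comment "Clears all authorized users from the current list" should say so, and point to `diagnose firewall auth list` (the line above) as the read-only check to run first.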
githubfoam revised this gist
Feb 17, 2024 . 1 changed file with 4 additions and 0 deletions.
@@ -2418,5 +2418,9 @@ diagnose firewall ippool-all list #==================================================================== #show configured session helpers show system session-helper #===================================================================== Shows authenticated users, associated groups and their IP address diagnose firewall auth list #=====================================================================
githubfoam revised this gist
Feb 17, 2024 . 1 changed file with 5 additions and 0 deletions.
@@ -1282,6 +1282,11 @@ diagnose test application ssl 44 # #FGT# diagnose test authserver ldap LDAP_SERVER user1 password # diagnose test authserver ldap External_Server aduser1 Training! authenticate 'aduser1' against 'External_Server' succeeded! Group membership(s) - CN=AD-users,OU=Training,DC=trainingAD,DC=training,DC=lab diagnose debug {enable|disable} FGT# diagnose debug enable
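Review bot: a real-looking credential (`aduser1 Training!`) together with the resulting group DN is committed in this hunk; even for a lab directory, replace the password with a placeholder the way the line above does (`LDAP_SERVER user1 password`). As with the RADIUS test elsewhere in this file, `diagnose test authserver ldap` takes the password as a plaintext CLI argument, so any saved session capture of this test should be treated as sensitive.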
githubfoam revised this gist
Feb 17, 2024 . 1 changed file with 4 additions and 1 deletion.
@@ -2405,8 +2405,11 @@ System stability is at risk, and critical functions may be impacted. These thresholds allow administrators to proactively monitor the health of the FortiGate firewall and take appropriate actions based on the severity of the memory usage. It helps in identifying potential issues before they cause major disruptions to the firewall's performance #===================================================================== #check the total number of TCP sessions for an IP pool named INTERNAL diagnose firewall ippool-all stats INTERNAL #Lists all the configured NAT IP pools with NAT IP range and type diagnose firewall ippool-all list #==================================================================== #show configured session helpers show system session-helper
githubfoam revised this gist
Feb 17, 2024 . 1 changed file with 7 additions and 0 deletions.
@@ -869,6 +869,13 @@ timeout=3600 The firewall policy ID is tracked policy_id=1 TCP States proto_state=05 ICMP has no state proto_state is always 00 #===================================================================== #the FortiGate is a stateful firewall (keeps the track of both directions of the session) #https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGate-session-table-information/ta-p/196988?externalID=FD30042
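Review bot: `TCP States proto_state=05` names a value without saying what it means, which is the one thing a reader of this line wants; the FD30042 article linked two lines below carries the per-digit TCP state table, so either quote the relevant rows here or say explicitly which state `05` is. The ICMP line is fine as written.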
githubfoam revised this gist
Feb 17, 2024 . 1 changed file with 31 additions and 0 deletions.
@@ -838,7 +838,38 @@ FGT# diagnose sys session filter dport 80 888 FGT# diagnose sys session filter FGT # diagnose sys session clear #===================================================================== # diagnose sys session filter dst 10.200.1.254 # diag sys session filter dport 80 # diag sys session list session info: proto=6 proto_state=05 duration=2 expire=78 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3 origin-shaper= reply-shaper= per_ip_shaper class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255 state=may_dirty statistic(bytes/packets/allow_err): org=538/6/1 reply=5407/6/0 tuples=2 tx speed(Bps/kbps): 5/0 rx speed(Bps/kbps): 2/0 orgin->sink: org pre->post, reply pre->post dev=5->3/3->5 gwy=10.200.1.254/10.0.1.10 hook=post dir=org act=snat 10.0.1.10:64624->10.200.1.254:80(10.200.1.1:64624) hook=pre dir=reply act=dnat 10.200.1.254:80->10.200.1.1:64624(10.0.1.10:64624) pos/(before,after) 0/(0,0), 0/(0,0) misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0 #see the session TTL, which reflects how long FortiGate can go without receiving any packets for this session, #until it removes the session from its table. timeout=3600 The firewall policy ID is tracked policy_id=1 #===================================================================== #the FortiGate is a stateful firewall (keeps the track of both directions of the session) #https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGate-session-table-information/ta-p/196988?externalID=FD30042 a) ICMP (proto 1).
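Review bot: the quoted session shows `expire=78` against `timeout=3600`, which the comment "see the session TTL ... timeout=3600" does not explain: `timeout` is the configured maximum, `expire` is the time left before this entry is removed, and the entry is already counting down because it is in `proto_state=05` (TIME_WAIT in the FD30042 state table linked in the hunk), not an established session. Either say so or quote an established (`proto_state=01`) session so the TTL comment matches the example. Also note that `diag sys session filter dport 80` is applied on top of `diagnose sys session filter dst 10.200.1.254`; session filters accumulate, so `diagnose sys session filter clear` should precede a new filter set, and the filter lines that follow the bare `diagnose sys session filter` (which prints the current filter) should say that is a read-back, not a reset.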
githubfoam revised this gist
Feb 17, 2024 . 1 changed file with 3 additions and 0 deletions.
@@ -2369,5 +2369,8 @@ These thresholds allow administrators to proactively monitor the health of the F #check the total number of TCP sessions for an IP pool named INTERNAL diagnose firewall ippool-all stats INTERNAL #==================================================================== #show configured session helpers show system session-helper #=====================================================================
githubfoam revised this gist
Feb 17, 2024 . 1 changed file with 5 additions and 0 deletions.
@@ -2365,4 +2365,9 @@ The firewall enters the "Extreme" state, indicating an extremely high level of m Immediate action is required, and administrators may need to intervene to address the issue. System stability is at risk, and critical functions may be impacted. These thresholds allow administrators to proactively monitor the health of the FortiGate firewall and take appropriate actions based on the severity of the memory usage. It helps in identifying potential issues before they cause major disruptions to the firewall's performance #===================================================================== #check the total number of TCP sessions for an IP pool named INTERNAL diagnose firewall ippool-all stats INTERNAL #=====================================================================
githubfoam revised this gist
Feb 17, 2024 . No changes.
githubfoam revised this gist
Feb 17, 2024 . 1 changed file with 2 additions and 93 deletions.
@@ -1,6 +1,6 @@ #===================================================================== #CIS benchmark https://www.cisecurity.org/benchmark/fortinet #===================================================================== Packet flow ingress and egress: FortiGates without network processor offloading https://docs.fortinet.com/document/fortigate/6.4.0/parallel-path-processing-life-of-a-packet/86811/packet-flow-ingress-and-egress-fortigates-without-network-processor-offloading @@ -743,14 +743,7 @@ Log ID 0100022220 Log Description Threat feed updated Log & Report > System events > General System Events #===================================================================== #Save the debugging using Putty Logging @@ -886,14 +879,7 @@ proto_state: state of the session (depending on protocol) For example, when FortiGate receives the SYN packet, the second digit is 2. It changes to 3 when the SYN/ACK packet is received. After the three-way handshake, the state value changes to 1. https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGate-session-table-information/ta-p/196988?externalId=FD30042 #===================================================================== # diag debug crashlog read #list crash logs
@@ -1180,38 +1166,13 @@ config firewall policy # If the interface is accessed via another port of the Fo diagnose sniffer packet any "(host <PC1> and host <PC2>) and icmp" 4 diagnose sniffer packet any "host <PC1> and host <PC2>" 4 firewall statistic show sys session full-stat #session table #===================================================================== Change vdom: config vdom edit vdomname #===================================================================== ## excute tac report GUI System-Settings-Debug Logs-Download @@ -1389,58 +1350,6 @@ https://docs.fortinet.com/document/fortigate/6.2.6/cookbook/122078/deep-inspecti get system settings | grep ssl-ssh-profile #check if SSL inspection is enabled #SSL inspection profile named "ssl_inspection" is currently in use and SSL inspection is enabled on the device get firewall ssl-ssh-profile ssl_inspection | grep status #===================================================================== #view ports that are being listened on, and active connections and the services or processes using them -
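Review bot: several context lines in this revision carry typos or truncated commands that are left in place: `## excute tac report` should read `execute tac report`; `show sys session full-stat` and `firewall statistic show` lack the `diagnose` prefix their neighbours use (`diagnose sys session full-stat`, `diagnose firewall statistic show`); and the two `diagnose sniffer packet ... 4` lines would benefit from a comment that verbosity level 4 prints each packet header with the interface name, which is what makes it the right level for the "which port did this arrive on" question the `<PC1>`/`<PC2>` filter is asking. The `get ... | grep` lines for SSL inspection put the explanatory comment after the command rather than before it, unlike the rest of the file.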
githubfoam revised this gist
Feb 17, 2024 . 1 changed file with 1 addition and 43 deletions.
@@ -1,6 +1,6 @@ #===================================================================== #CIS benchmark https://www.cisecurity.org/benchmark/fortinet#Explain diagnose debug flow show iprope enable command in fortigate cli. #===================================================================== Packet flow ingress and egress: FortiGates without network processor offloading https://docs.fortinet.com/document/fortigate/6.4.0/parallel-path-processing-life-of-a-packet/86811/packet-flow-ingress-and-egress-fortigates-without-network-processor-offloading @@ -1033,48 +1033,6 @@ Location: India, code: A0 (ip-ranges 1) (ip6-ranges 0) 208.91.112.52 - 208.91.112.52 #===================================================================== #Bard
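Review bot: the text `#Explain diagnose debug flow show iprope enable command in fortigate cli.` is fused directly onto the CIS benchmark URL, so anyone copying the link gets a bogus `#Explain...` fragment; move it to its own line or drop it, since it reads as a leftover prompt rather than a note. If it stays, the one-line answer it asks for is that `diagnose debug flow show iprope enable` makes the flow trace include the policy (iprope) lookup results, which is what you want when a packet is being matched by an unexpected policy.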
githubfoam revised this gist
Feb 17, 2024 . 1 changed file with 0 additions and 61 deletions.
@@ -927,67 +927,6 @@ diagnose ipo router ospf level info dignose ip router ospf all enable diagnose ip router ospf level info diagnose debug enable #===================================================================== #Set certificate for admin interface
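Review bot: the context lines `diagnose ipo router ospf level info` and `dignose ip router ospf all enable` contain typos (`ipo` for `ip`, `dignose` for `diagnose`) that the CLI would reject; the correctly spelled `diagnose ip router ospf level info` already appears one line later, so the misspelled pair is redundant as well as broken. This revision deletes 61 lines in this region; confirm the misspelled lines are among those removed rather than the surviving context.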
githubfoam revised this gist
Feb 17, 2024 . 1 changed file with 67 additions and 1 deletion.
@@ -2492,5 +2492,71 @@ License Status: Invalid VM Resources: 1 CPU/1 allowed, 2007 MB RAM/2048 MB allowed #===================================================================== FortiGate Memory Threshold Settings and Example Scenarios: The provided configuration defines three important thresholds for FortiGate memory usage: memory-use-threshold-red: This sets the memory usage level at which the firewall enters conserve mode. In this configuration, it's set to 88%. memory-use-threshold-extreme: This sets the level at which the firewall starts dropping new sessions to conserve memory. Here, it's set to 95%. memory-use-threshold-green: This level signifies normal operation and indicates when the firewall exits conserve mode. It's set to 82%. Example Scenarios: Normal Operation (Memory below 82%): The firewall operates normally, using all available memory for its functions. Memory Usage Increases (82% - 88%): Memory usage crosses the green threshold. While still functional, consider monitoring resource usage and optimizing if necessary to prevent reaching higher thresholds. Conserve Mode (88% - 95%): Memory usage reaches the red threshold. The firewall enters conserve mode, which includes: Disabling non-essential features like antivirus transparent proxy. Reducing logging verbosity. Prioritizing existing connections over new ones. Showing a conserve mode banner on the GUI. Critical State (Above 95%): Memory usage reaches the extreme threshold. The firewall starts dropping new sessions to free up memory, potentially impacting new connections and network functionality. This is a critical situation requiring immediate action to free up memory. Understanding the Impact: Setting lower thresholds will trigger conservative mode earlier, potentially impacting performance even under moderate memory usage. However, it provides a cushion to prevent reaching the critical extreme threshold. 
Setting higher thresholds allows the firewall to use more memory before taking action, offering better performance but risking reaching the critical state faster. Recommendations: Monitor memory usage regularly and adjust thresholds based on your specific needs and risk tolerance. Identify and address memory leaks or resource-intensive processes. Consider adding more RAM if memory usage consistently reaches high levels. Understand the impact of conserve mode on your network functionality and have mitigation strategies in place. By understanding these settings and their implications, you can effectively manage memory usage on your FortiGate firewall and ensure optimal performance and security. #===================================================================== The configuration settings you provided are related to memory usage thresholds on a FortiGate firewall. These settings help monitor the memory consumption of the device and trigger alerts or actions based on predefined thresholds. Let's break down each setting: memory-use-threshold-red: This sets the memory usage threshold for the "Red" state, indicating a critical level of memory usage. In the example, it is set to 88%. memory-use-threshold-extreme: This sets the memory usage threshold for the "Extreme" state, indicating an extremely high level of memory usage. In the example, it is set to 95%. memory-use-threshold-green: This sets the memory usage threshold for the "Green" state, indicating a normal or acceptable level of memory usage. In the example, it is set to 82%. These settings are part of the global system configuration on FortiGate and are used for monitoring and alerting purposes. Here are some scenarios explaining the significance of these settings: Normal Operation (Green): Memory usage is below 82%. No immediate action is taken as the memory usage is considered acceptable. Warning State (Yellow): Memory usage is between 82% and 88%. The firewall enters the "Yellow" state, indicating a warning. 
Administrators may receive alerts to monitor the situation closely. Critical State (Red): Memory usage is between 88% and 95%. The firewall enters the "Red" state, indicating a critical condition. Alerts are escalated, and administrators are notified for immediate attention. System performance may start to degrade. Extreme State: Memory usage is above 95%. The firewall enters the "Extreme" state, indicating an extremely high level of memory usage. Immediate action is required, and administrators may need to intervene to address the issue. System stability is at risk, and critical functions may be impacted. These thresholds allow administrators to proactively monitor the health of the FortiGate firewall and take appropriate actions based on the severity of the memory usage. It helps in identifying potential issues before they cause major disruptions to the firewall's performance #===================================================================== -
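Review bot: the second explanation in this hunk introduces a "Yellow" state for 82%-88% that matches none of the three settings being described. The hunk configures only memory-use-threshold-red (88%), memory-use-threshold-extreme (95%) and memory-use-threshold-green (82%), and the first explanation already states that green is the level at which the firewall exits conserve mode, not a warning level, so the two blocks contradict each other on what 82% means. Suggest keeping a single description: red enters conserve mode, extreme starts dropping new sessions, and usage must fall back below green before conserve mode is released. The first block's "Memory Usage Increases (82% - 88%)" scenario should say the same thing rather than implying that crossing 82% on the way up triggers any action.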
githubfoam revised this gist
Feb 17, 2024 . 1 changed file with 49 additions and 0 deletions.
@@ -2423,6 +2423,55 @@ Unique VLAN IDs are crucial for proper network segmentation and communication wi Identical VLAN IDs are only permissible when paired with distinct subnet masks on the subinterfaces, creating logically separate network segments. By understanding these requirements, you can effectively configure and manage VLANs on your FortiGate firewall, ensuring seamless and secure network operation. #===================================================================== In FortiGate firewall operating in NAT mode, VLAN subinterfaces are often utilized to segregate network traffic logically. The statement implies that two VLAN subinterfaces with the same VLAN ID are allowed as long as they have IP addresses in different subnets. This scenario is commonly used to enable different IP subnets on the same VLAN, allowing for better network segmentation. Here's an explanation with examples: Let's consider a physical interface, for example, "port1," configured with two VLAN subinterfaces: VLAN ID: 10 Subinterface IP: 192.168.1.1/24 Subnet: 192.168.1.0/24 VLAN ID: 10 Subinterface IP: 192.168.2.1/24 Subnet: 192.168.2.0/24 In this example, both VLAN subinterfaces have the same VLAN ID (10), but they operate in different IP subnets (192.168.1.0/24 and 192.168.2.0/24). The VLAN ID is used to logically separate the traffic, and the unique subnets ensure that devices on VLAN 10 with IP addresses in the 192.168.1.0/24 subnet are kept separate from devices with IP addresses in the 192.168.2.0/24 subnet. This configuration allows the FortiGate firewall to handle multiple IP subnets on the same VLAN, facilitating network segmentation while using the same VLAN ID for organizational purposes. It's a common practice in environments where VLAN IDs are used primarily for logical separation, and IP addresses are used for defining different subnets. 
#===================================================================== In FortiGate's NAT mode, two virtual LAN (VLAN) subinterfaces on the same physical interface can have the same VLAN ID only if they have IP addresses in different subnets. Here's why: Understanding VLAN Subinterfaces: Imagine a physical interface like a highway with multiple lanes. Each lane can represent a separate VLAN subinterface, carrying traffic for a specific VLAN. VLAN IDs act like traffic signs, identifying which lane belongs to which VLAN. Requirement for Different Subnets: When NAT mode is enabled, the FortiGate needs to distinguish between traffic originating from different VLANs even if they share the same VLAN ID. Different subnet addresses provide this distinction. Each VLAN subinterface acts as a separate network, and their subnets ensure routing and NAT functions work correctly. Example: Consider a physical interface with two VLAN subinterfaces: VLAN 10 with subnet 10.0.1.0/24 VLAN 20 with subnet 10.0.2.0/24 Both subinterfaces have the same VLAN ID (100), but their different subnets allow the FortiGate to: Route traffic for each VLAN to its intended destination. Apply separate NAT rules based on the source subnet, ensuring traffic from each VLAN is translated appropriately. Consequences of Same Subnet: If both VLAN subinterfaces had the same subnet (e.g., 10.0.1.0/24), the FortiGate would face ambiguity: It wouldn't know which VLAN the traffic originated from. NAT rules wouldn't work properly, potentially causing connectivity issues or security vulnerabilities. Key Points: Same VLAN ID for subinterfaces is allowed in NAT mode, but different subnets are mandatory. Subnets provide essential information for routing and NAT, ensuring each VLAN operates as a distinct network. This configuration enables efficient network management and security within a single physical interface. 
I hope this explanation clarifies the requirement for different subnets when using the same VLAN ID on FortiGate VLAN subinterfaces in NAT mode! #===================================================================== An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category. -
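Review bot: the example in the second explanation is internally inconsistent: it lists "VLAN 10 with subnet 10.0.1.0/24" and "VLAN 20 with subnet 10.0.2.0/24" and then says "Both subinterfaces have the same VLAN ID (100)". Since the point of the passage is that two subinterfaces may share a VLAN ID only when their subnets differ, the example should use one VLAN ID for both entries, e.g. "VLAN ID 100, subnet 10.0.1.0/24" and "VLAN ID 100, subnet 10.0.2.0/24". The first explanation's example (VLAN 10 with 192.168.1.1/24 and 192.168.2.1/24) already does this correctly, so the two blocks could be merged into one.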
githubfoam revised this gist
Feb 15, 2024 . 1 changed file with 35 additions and 0 deletions.
@@ -1158,6 +1158,41 @@ get system interface You can also use the following command to list a specific interface: get system interface <interface-name> #===================================================================== Static routes can utilize both IP/Netmask and FQDN, and both are considered service objects in FortiGate firewalls. However, displaying an FQDN in the get router info routing-table all output wouldn't be possible because this command shows the resolved destination IP address instead of the original FQDN. For a complete example, let's assume you have a static route configured using an FQDN: Scenario: You have a web server with the FQDN "accounting.yourcompany.com" on a remote network, and you want to route traffic to it through a specific gateway. Static Route Configuration: Create a service object of type FQDN: config system dns edit "accounting.yourcompany.com" set hostname "accounting.yourcompany.com" end end Configure the static route: config router static edit 10 set dst-address "accounting.yourcompany.com" set gateway "10.0.1.254" set device "wan1" next end Explanation: In the service object configuration, you define the FQDN "accounting.yourcompany.com". In the static route, you use the service object name ("accounting.yourcompany.com") as the destination address. When you run get router info routing-table all, the resolved IP address of the FQDN (obtained through DNS) will be displayed instead of the FQDN itself. Sample Output (showing resolved IP): S* 0.0.0.0/0 [10/0] via 10.0.1.254, wan1 ... other routes ... C accounting.yourcompany.com/32 is directly connected, internal Here, you can see the static route with the destination address as the resolved IP (not the FQDN) followed by a directly connected route for the actual server with the resolved IP assigned. #===================================================================== #get router info routing-table all #verify the routing table -
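Review bot: the configuration in this hunk is not valid FortiOS CLI and the sample output contradicts the paragraph above it. "config system dns" holds the unit's resolver settings and has no per-hostname entries, so the "edit "accounting.yourcompany.com" / set hostname" block will not be accepted; an FQDN destination is a firewall address object ("config firewall address", "set type fqdn", "set fqdn "accounting.yourcompany.com""), and a static route references it with "set dstaddr "<object-name>"" rather than "set dst-address". These are address objects, not "service objects" as the opening sentence calls them. Finally, the sample line "C accounting.yourcompany.com/32 is directly connected, internal" shows the FQDN in the routing table, which is exactly what the text says cannot happen; the sample should show the resolved prefix instead or be dropped.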
githubfoam revised this gist
Feb 15, 2024 . 1 changed file with 1 addition and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -211,6 +211,7 @@ Replace the certificate that is offered for HTTPS access with a trusted certific Configure the Fortinet Security Fabric when multiple FortiGates and fabric devices are used. It provides a single-pane-of-glass administration, allowing administrators access to each device in the fabric using SSO. https://docs.fortinet.com/document/fortigate/7.2.0/best-practices/103945/administrative-settings #===================================================================== #===================================================================== Using FSSO, the Fortigate firewall can enforce user-based security policies, such as URL filtering, web filtering, and VPN access, based on the user's AD group membership. FSSO is also used to provide single sign-on for web-based applications, such as webmail and file sharing portals, that are protected by the Fortigate firewall. When users log in to the firewall, they are automatically logged in to the protected applications without having to enter their credentials again. -
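Review bot: the single added line is a second "#=====" separator directly under an existing one, leaving an empty section between the administrative-settings link and the FSSO paragraph. Either drop the duplicate separator or put the intended content between the two.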
githubfoam revised this gist
Feb 15, 2024 . 1 changed file with 72 additions and 0 deletions.
@@ -1159,7 +1159,79 @@ You can also use the following command to list a specific interface: get system interface <interface-name> #===================================================================== #get router info routing-table all #verify the routing table The entry in the routing table you provided is in a format commonly used to represent a static default route. Let's break down each part of the entry: css Copy code S* 0.0.0.0/0 [10/0] via 10.0.1.254, wan1 S:* Indicates that this is a static route. 0.0.0.0/0: Represents the destination IP address range. In this case, it's 0.0.0.0/0, which is a shorthand for all possible IP addresses (any destination IP address). [10/0]: The square bracket notation represents the routing metrics associated with the route. The first number (10 in this case) is the administrative distance, which is a measure of the trustworthiness of the source of the route. Lower values are more trusted. The second number (0 in this case) is the metric, which is used to determine the best route when there are multiple routes to the same destination with the same administrative distance. via 10.0.1.254: Specifies the next-hop IP address for the route. This is the IP address of the next device to which the traffic will be forwarded. In this example, the next-hop IP address is 10.0.1.254. wan1: Indicates the outgoing interface through which the traffic should be forwarded. In this example, the outgoing interface is named "wan1." Now, let's illustrate with an example: Assume you have a network setup where a device needs to send traffic to destinations outside of its local network. The static default route entry is used to specify that any traffic with a destination IP address not explicitly covered by more specific routes should be sent to the next-hop IP address 10.0.1.254 via the "wan1" interface. 
Example: Destination IP: 192.168.1.100 (outside of the local network) Static Default Route Entry: S* 0.0.0.0/0 [10/0] via 10.0.1.254, wan1 When the device wants to send traffic to 192.168.1.100, it matches the default route because the destination IP address is not covered by a more specific route. The traffic will be forwarded to the next-hop IP address 10.0.1.254 via the "wan1" interface. This allows the device to reach destinations outside of its local network using the specified next-hop gateway #===================================================================== #get router info routing-table all #verify the routing table The entry in the routing table you provided is in a format commonly used to represent a static default route. Let's break down each part of the entry: css Copy code S* 0.0.0.0/0 [10/0] via 10.0.1.254, wan1 S:* Indicates that this is a static route. 0.0.0.0/0: Represents the destination IP address range. In this case, it's 0.0.0.0/0, which is a shorthand for all possible IP addresses (any destination IP address). [10/0]: The square bracket notation represents the routing metrics associated with the route. The first number (10 in this case) is the administrative distance, which is a measure of the trustworthiness of the source of the route. Lower values are more trusted. The second number (0 in this case) is the metric, which is used to determine the best route when there are multiple routes to the same destination with the same administrative distance. via 10.0.1.254: Specifies the next-hop IP address for the route. This is the IP address of the next device to which the traffic will be forwarded. In this example, the next-hop IP address is 10.0.1.254. wan1: Indicates the outgoing interface through which the traffic should be forwarded. In this example, the outgoing interface is named "wan1." 
Now, let's illustrate with an example: Assume you have a network setup where a device needs to send traffic to destinations outside of its local network. The static default route entry is used to specify that any traffic with a destination IP address not explicitly covered by more specific routes should be sent to the next-hop IP address 10.0.1.254 via the "wan1" interface. Example: Destination IP: 192.168.1.100 (outside of the local network) Static Default Route Entry: S* 0.0.0.0/0 [10/0] via 10.0.1.254, wan1 When the device wants to send traffic to 192.168.1.100, it matches the default route because the destination IP address is not covered by a more specific route. The traffic will be forwarded to the next-hop IP address 10.0.1.254 via the "wan1" interface. This allows the device to reach destinations outside of its local network using the specified next-hop gateway #===================================================================== get router info routing-table all #verify the routing table show system interface port1 #Verify that all appropriate services are opened on the interface that is being accessed. (telnet, http...) config firewall policy # If the interface is accessed via another port of the FortiGate, a firewall policy must exist to allow this traffic -
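Review bot: the explanation of "S* 0.0.0.0/0 [10/0] via 10.0.1.254, wan1" is pasted twice verbatim in this hunk, including the "css Copy code" chat-interface residue; keep one copy and strip that residue. In the retained copy, the legend line "S:* Indicates that this is a static route" should separate the two symbols: "S" marks a static route and the "*" suffix marks a candidate default route in FortiOS routing-table output, so the entry reads as the static route currently selected as the default. The short block at the end (get router info routing-table all, show system interface port1, config firewall policy) is fine as-is.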
githubfoam revised this gist
Feb 13, 2024 . 1 changed file with 5 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -818,6 +818,11 @@ Displays the FortiGate's Address Resolution Protocol (ARP) table, which maps IP Ensures correct Layer 3 to Layer 2 address resolution within the local network. Helps troubleshoot issues related to ARP cache poisoning or incorrect entries. This command displays the Address Resolution Protocol (ARP) table, showing the mapping of IP addresses to MAC addresses. It can help troubleshoot connectivity issues by checking ARP entries. #===================================================================== list the MAC addresses for all interfaces diag hardware deviceinfo nic <interface-name> #===================================================================== # diagnose sys session list #Show Session Table -
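Review bot: the comment "list the MAC addresses for all interfaces" does not match the command beneath it, which takes a single <interface-name>. Either reword the comment to "show hardware details, including the MAC address, for one interface" or note that the command must be repeated per interface.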
githubfoam revised this gist
Feb 12, 2024 . 1 changed file with 2 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1241,6 +1241,8 @@ At the physical layer, troubleshooting analyzes which ports are plugged in, medi At the data link layer, diagnostics often analyze how many frames are being dropped because of CRC errors or collisions # get hardware nic <interface_name> #===================================================================== #list directories on fortios # fnsysctl ls -l /dev/shm # fnsysctl ls -l /dev/cmdb -
githubfoam revised this gist
Feb 1, 2024 . 1 changed file with 17 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -2312,4 +2312,21 @@ An administrator must block access to download.com, which belongs to the Freewar also allow other websites in the same category. Configure a separate firewall policy with action Deny and an FQDN address object for *. download.com as destination address. #===================================================================== #Permanent trial mode for FortiGate-VM get sys stat Version: FortiGate-VM64 v7.2.1,build1242,220715 (interim) ... Serial-Number: FGVMEVNXFLTGKOBC License Status: Invalid VM Resources: 1 CPU/1 allowed, 2007 MB RAM/2048 MB allowed #===================================================================== -
githubfoam revised this gist
Jan 23, 2024 . 1 changed file with 4 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -2307,5 +2307,9 @@ Conclusion: Unique VLAN IDs are crucial for proper network segmentation and communication with VLAN subinterfaces on the same physical interface. Identical VLAN IDs are only permissible when paired with distinct subnet masks on the subinterfaces, creating logically separate network segments. By understanding these requirements, you can effectively configure and manage VLANs on your FortiGate firewall, ensuring seamless and secure network operation. #===================================================================== An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category. Configure a separate firewall policy with action Deny and an FQDN address object for *. download.com as destination address. #===================================================================== -
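Review bot: the FQDN in the answer line contains a stray space ("*. download.com"); an address object written that way will not match the intended hostnames. It should read "*.download.com".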
githubfoam revised this gist
Jan 23, 2024 . 1 changed file with 25 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -792,7 +792,32 @@ execute ping-options source 192.168.1.4 execute traceroute 8.8.8.8 execute telnet targethost #===================================================================== troubleshoot Layer 3 issues Here's why these commands are relevant for Layer 3 troubleshooting: 1. execute ping: Tests basic IP reachability between the FortiGate and a target device. Verifies if Layer 3 communication is functioning correctly. Helps isolate whether an issue lies within the local network or beyond. This command allows you to perform a ping test to check the connectivity between two devices, helping to identify Layer 3 issues. 2. execute traceroute: Traces the path packets take to reach a destination, identifying each hop along the way. Reveals potential routing problems or latency issues at different network segments. Pinpoints where in the network a connectivity issue might be occurring. Traceroute is used to trace the route that packets take to reach a destination. It can help identify the routers or hops where issues might be occurring in the Layer 3 path. 3. get system arp: Displays the FortiGate's Address Resolution Protocol (ARP) table, which maps IP addresses to MAC addresses. Ensures correct Layer 3 to Layer 2 address resolution within the local network. Helps troubleshoot issues related to ARP cache poisoning or incorrect entries. This command displays the Address Resolution Protocol (ARP) table, showing the mapping of IP addresses to MAC addresses. It can help troubleshoot connectivity issues by checking ARP entries. #===================================================================== # diagnose sys session list #Show Session Table
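Review bot: each numbered item in the "troubleshoot Layer 3 issues" block carries two overlapping descriptions, a three-line summary followed by a sentence that restates it ("This command allows you to perform a ping test...", "Traceroute is used to trace the route...", "This command displays the Address Resolution Protocol (ARP) table..."). Collapse each item to one description so the list reads cleanly.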