查看完整版本: [轉貼]通过查看FortiGate连接表进行故障定位

[轉貼]通过查看FortiGate连接表进行故障定位

<a href="http://support.fortinet.com.cn/index.php?m=content&amp;c=index&amp;a=show&amp;catid=27&amp;id=175">http://support.fortinet.com.cn/index.php?m=content&amp;c=index&amp;a=show&amp;catid=27&amp;id=175</a><div><div class="summary" style="background-color: rgb(246, 250, 253); border: 1px solid rgb(220, 221, 221); line-height: 23px; margin: 15px 0px 0px; padding: 12px 5px 6px; text-align: justify; text-indent: 2em; color: rgb(68, 68, 68); font-family: tahoma, arial, 宋体, sans-serif;">适用范围所有的FortiGate设备。说明本文描述的是FortiGate详细的连接表信息。通过FortiGate的Web管理界面我们可以从FortiGate的Web管理界面查看防火墙连接表信息，如下图：(点击放大)(点击放大)通过FortiGate的命...</div><div class="content" style="color: rgb(68, 68, 68); font-family: tahoma, arial, 宋体, sans-serif; background-color: rgb(238, 238, 238);"><h2 style="font-size: 26px;">适用范围</h2><p style="padding-top: 8px; padding-bottom: 8px; line-height: 23px; text-align: justify;">所有的FortiGate设备。</p><h2 style="font-size: 26px;">说明</h2><p style="padding-top: 8px; padding-bottom: 8px; line-height: 23px; text-align: justify;">本文描述的是FortiGate详细的连接表信息。</p><h2 style="font-size: 26px;">通过FortiGate的Web管理界面</h2><p style="padding-top: 8px; padding-bottom: 8px; line-height: 23px; text-align: justify;">我们可以从FortiGate的Web管理界面查看防火墙连接表信息，如下图：<br><img alt="1" src="http://support.fortinet.com.cn/image/doc/09072404/doc09072404_clip_image002.jpg" width="420" style="border: none; vertical-align: middle; width: 624px; height: 266px;"><br><a class="red_link" href="http://support.fortinet.com.cn/image/doc/09072404/doc09072404_clip_image002.jpg" style="text-decoration: none; color: rgb(68, 68, 68);">(点击放大)</a><br><img alt="2" src="http://support.fortinet.com.cn/image/doc/09072404/doc09072404_clip_image004.jpg" width="420" style="border: none; vertical-align: middle; width: 554px; height: 256px;"><br><a class="red_link" href="http://support.fortinet.com.cn/image/doc/09072404/doc09072404_clip_image004.jpg" style="text-decoration: none; color: rgb(68, 68, 68);">(点击放大)</a></p><h2 style="font-size: 26px;">通过FortiGate的命令行界面</h2><p style="padding-top: 8px; padding-bottom: 8px; line-height: 23px; text-align: justify;">从命令行界面可以得到比Web界面更加详细的连接表信息，具体命令是：<strong>diagnose sys session list</strong><br>FGT #&nbsp;<strong>diagnose sys session list</strong></p><p align="left" style="padding-top: 8px; padding-bottom: 8px; line-height: 23px; text-align: justify;">同样可以设置连接表查看过滤器，具体如下显示：<br>&nbsp; &nbsp;FGT # d<strong>iagnose sys session filter &lt;options&gt;</strong><br>&nbsp;&nbsp; 相关的过虑选项有：<br>&nbsp; &nbsp;&nbsp;clear&nbsp;&nbsp;&nbsp; clear session filter<br>dport&nbsp;&nbsp; &nbsp;&nbsp; dest port<br>dst&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dest ip address<br>negate&nbsp;&nbsp; &nbsp; inverse filter<br>policy&nbsp; &nbsp;&nbsp; policy id<br>proto&nbsp;&nbsp; &nbsp;&nbsp; protocol number<br>sport&nbsp;&nbsp;&nbsp; &nbsp; source port<br>src&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; source ip address<br>vd&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp; index of virtual domain. -1 matches all</p><p align="left" style="padding-top: 8px; padding-bottom: 8px; line-height: 23px; text-align: justify;">清除选定的防火墙连接命令如下：<br>&nbsp;&nbsp; FGT # diagnose sys session clear</p><p align="left" style="padding-top: 8px; padding-bottom: 8px; line-height: 23px; text-align: justify;">如下是具体的防火墙连接表信息描述，如下图显示了命令行下显示出来的具体的连接表：<br><img alt="3" src="http://support.fortinet.com.cn/image/doc/09072404/doc09072404_clip_image006.jpg" width="420" style="border: none; vertical-align: middle; width: 554px; height: 358px;"><br><a class="red_link" href="http://support.fortinet.com.cn/image/doc/09072404/doc09072404_clip_image006.jpg" style="text-decoration: none; color: rgb(68, 68, 68);">(点击放大)</a><br><strong>其中对于TCP协议中的proto_state字段对应的值的含义如下 :</strong></p><table border="1" cellpadding="0" cellspacing="1" width="420" style="border-spacing: 0px;"><tbody><tr><td valign="top" width="38%" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">TCP&nbsp;状态</p></td><td valign="top" width="16%" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">值</p></td><td valign="top" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;默认超时时间</p></td></tr><tr><td valign="top" width="38%" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;NONE</p></td><td valign="top" width="16%" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;0</p></td><td valign="top" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;60 s</p></td></tr><tr><td valign="top" width="38%" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;ESTABLISHED</p></td><td valign="top" width="16%" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;1</p></td><td valign="top" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;3600 s</p></td></tr><tr><td valign="top" width="38%" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;SYN_SENT</p></td><td valign="top" width="16%" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;2</p></td><td valign="top" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;120 s</p></td></tr><tr><td valign="top" width="38%" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;SYN &amp; SYN/ACK</p></td><td valign="top" width="16%" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;3</p></td><td valign="top" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;60 s</p></td></tr><tr><td valign="top" width="38%" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;FIN_WAIT</p></td><td valign="top" width="16%" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;4</p></td><td valign="top" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;120 s</p></td></tr><tr><td valign="top" width="38%" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;TIME_WAIT</p></td><td valign="top" width="16%" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;5</p></td><td valign="top" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;120 s</p></td></tr><tr><td valign="top" width="38%" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;CLOSE</p></td><td valign="top" width="16%" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;6</p></td><td valign="top" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;10 s</p></td></tr><tr><td valign="top" width="38%" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;CLOSE_WAIT</p></td><td valign="top" width="16%" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;7</p></td><td valign="top" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;120 s</p></td></tr><tr><td valign="top" width="38%" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;LAST_ACK</p></td><td valign="top" width="16%" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;8</p></td><td valign="top" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;30 s</p></td></tr><tr><td valign="top" width="38%" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;LISTEN</p></td><td valign="top" width="16%" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;9</p></td><td valign="top" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;120 s</p></td></tr></tbody></table><p align="left" style="padding-top: 8px; padding-bottom: 8px; line-height: 23px; text-align: justify;"><br><br><strong>其中对于UDP协议中的proto_state字段对应的值的含义如下 :</strong><br>对于所有的UDP协议，FortiGate都记录了UDP的2种状态：<br>State &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; Value<br>UDP&nbsp;&nbsp; reply not seen &nbsp;&nbsp; 0<br>UDP&nbsp; reply seen &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;1</p><p align="left" style="padding-top: 8px; padding-bottom: 8px; line-height: 23px; text-align: justify;">状态0，之后一个方向的UDP报文到达FortiGate：<br>session info: proto=17 proto_state=00 expire=179 timeout=3600 use=3<br>bandwidth=0/sec guaranteed_bandwidth=0/sec&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; traffic=0/sec&nbsp;&nbsp; prio=0<br>logtype=session ha_id=0 hakey=42691<br>tunnel=/<br>state=local<br>statistic(bytes/packets): org=7685450/17248 reply=237440/4240 tuples=2<br>orgin-&gt;sink: org out-&gt;post, reply pre-&gt;in oif=0/5<br>gwy=0.0.0.0/10.250.250.250<br>hook=out dir=org act=noop<br>10.250.250.250:1025-&gt;192.168.171.201:514(0.0.0.0:0)<br>hook=in dir=reply act=noop<br>192.168.171.201:514-&gt;10.250.250.250:1025(0.0.0.0:0)<br>misc=0 domain_info=0 auth_info=0 cerb_info=0 ids=0 vd=0 serial=0006d655 tos=00/00</p><p align="left" style="padding-top: 8px; padding-bottom: 8px; line-height: 23px; text-align: justify;">状态 1，双向UDP包都已经到达FortiGate：<br>session info: proto=17 proto_state=01 expire=22 timeout=3600 use=3<br>bandwidth=0/sec guaranteed_bandwidth=0/sec&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; traffic=0/sec&nbsp;&nbsp; prio=0<br>logtype=session ha_id=0 hakey=42650<br>tunnel=/<br>state=local may_dirty<br>statistic(bytes/packets): org=590/5 reply=822/6 tuples=2<br>orgin-&gt;sink: org pre-&gt;in, reply out-&gt;post oif=5/2<br>gwy=10.250.250.250/0.0.0.0<br>hook=pre dir=org act=noop<br>192.168.171.160:33712-&gt;10.250.250.250:161(0.0.0.0:0)<br>hook=post dir=reply act=noop<br>10.250.250.250:161-&gt;192.168.171.160:33712(0.0.0.0:0)<br>misc=0 domain_info=0 auth_info=0 cerb_info=0 ids=0 vd=0 serial=000ae073 tos=ff/ff</p><p align="left" style="padding-top: 8px; padding-bottom: 8px; line-height: 23px; text-align: justify;"><strong>其中对于ICMP协议中的proto_state字段对应的值的含义如下 :</strong><br>FortiGate不没有关于ICMP协议的状态值，proto_state值始终是00。</p><p align="left" style="padding-top: 8px; padding-bottom: 8px; line-height: 23px; text-align: justify;"><strong>我们可以从防火墙的连接表里面得到如下更具体的连接表信息：</strong></p><table border="1" cellpadding="0" cellspacing="1" width="440" style="border-spacing: 0px;"><tbody><tr><td valign="top" width="88" style="margin: 0px; padding: 0px;">&nbsp;状态</td><td valign="top" width="551" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">含义</p></td></tr><tr><td valign="top" width="88" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;log</p></td><td valign="top" width="551" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">连接已经记录日志</p></td></tr><tr><td valign="top" width="88" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;local</p></td><td valign="top" width="551" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">连接一端是FortiGate本身</p></td></tr><tr><td valign="top" width="88" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;ext</p></td><td valign="top" width="551" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">这是一个子连接，附属于某一个主连接，具有和主连接相同的属性</p></td></tr><tr><td valign="top" width="88" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;may_dirty</p></td><td valign="top" width="551" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">创建于防火墙策略，通常是主连接，子连接没有此状态</p></td></tr><tr><td valign="top" width="88" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;ndr</p></td><td valign="top" width="551" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">此连接启用了IPS特征检查功能</p></td></tr><tr><td valign="top" width="88" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;nds</p></td><td valign="top" width="551" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">此连接启用了IPS异常检查功能</p></td></tr><tr><td valign="top" width="88" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;br</p></td><td valign="top" width="551" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">此连接建立防火墙透明模式</p></td></tr><tr><td valign="top" width="88" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;npu</p></td><td valign="top" width="551" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">此连接将被NPU处理器加速</p></td></tr><tr><td valign="top" width="88" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">&nbsp;wccp</p></td><td valign="top" width="551" style="margin: 0px; padding: 0px;"><p align="left" style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; line-height: 23px; text-align: justify;">此连接将被WCCP模块处理（FortiOS4.0）</p></td></tr></tbody></table><p align="left" style="padding-top: 8px; padding-bottom: 8px; line-height: 23px; text-align: justify;">&nbsp;</p><p align="left" style="padding-top: 8px; padding-bottom: 8px; line-height: 23px; text-align: justify;"><u>下面是具有多个标志信息的连接表举例：</u>&nbsp;<br>session info: proto=6 proto_state=11 expire=3527 timeout=3600 use=3<br>bandwidth=0/sec guaranteed_bandwidth=0/sec&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; traffic=0/sec&nbsp;&nbsp; prio=0<br>logtype=session ha_id=1 hakey=0<br>tunnel=/<br>state=redir log may_dirty ndr nds br<br>statistic(bytes/packets): org=48/1 reply=0/0 tuples=2<br>orgin-&gt;sink: org pre-&gt;post, reply pre-&gt;post oif=6/8<br>gwy=194.199.143.130/193.251.169.175<br>hook=pre dir=org act=noop<br>193.251.169.175:3761-&gt;194.199.143.130:25(0.0.0.0:0)<br>hook=post dir=reply act=noop<br>194.199.143.130:25-&gt;193.251.169.175:3761(0.0.0.0:0)<br>set=2: 10.0.0.1, 10.0.0.2,<br>pos/(before,after) 0/(0,0), 0/(0,0)<br>misc=20004 domain_info=0 auth_info=0 cerb_info=0 ids=0 vd=0 serial=1babac4b tos=ff/ff</p><div><br></div></div></div>