View full version: [Repost] Fortinet Firewall CLI Commands

chun 2014-2-20 16:58

[Repost] Fortinet Firewall CLI Commands

http://platforms.infostruction.com/fortinet-firewall-cli-commands/

**********************
Fortinet Firewall Commands
**********************
// Health and Status

show [enter]                        // Note that output is only non-default values.
show full-configuration             // Show all configuration on the device.
show system interface wan1 | grep -A2 ip   // Show WAN interface address information.
get system info admin status        // Show logged-in admin users
get system status                   // Show system hardware/software versions
get hardware status                 // Detailed hardware model information
get system performance status
get system performance top
show system interface               // Interface configuration
diagnose hardware deviceinfo nic    // Interface statistics/settings
diagnose hardware sysinfo memory
diag debug crashlog read
diag hardware sysinfo shm           // Value should be 0; if >0 the device is in conserve mode
get system global | grep -i timer   // Show TCP and UDP timers for half-open and idle
get system session-ttl              // System default TCP idle session timeout
execute ha manage <devid>           // Send heartbeat across the management link.
get hardware nic
diagnose ip address list
get system interface physical
// ARP

diagnose ip arp list
// Track and Troubleshoot
get system session status           // Connection count for ingress/egress
get system session-info full-stat   // Displays session status with breakdown by state
get system session list             // Session list: protocol, expire, src NAT, dst NAT
diag sys session                    // Basic output of diag sys session, no filters
diag sys session filter <option> <value>   // Filter on src, dst, duration, policy id, vd
// Packet capture

diag debug info      // Displays active debug
diag debug enable    // Enable debug

diagnose debug flow filter                          (shows what filters are configured)
diagnose debug flow filter clear                    (clears all filters)
diagnose debug flow filter <options> <value>        (configures the filter)
diagnose debug flow show con enable                 (show output on console)
diagnose debug flow show fun enable                 (show function names)
diagnose debug flow trace start <number of lines>   (start the trace)
diagnose debug flow trace stop                      (stop the trace)
Example:
diagnose debug reset
diagnose debug enable
diagnose debug flow filter clear
diagnose debug flow filter saddr 192.168.10.1
diagnose debug flow filter dport 80
diagnose debug flow show con enable
diagnose debug flow show fun enable
diagnose debug flow trace start 20
diagnose sniffer packet <interface or any> '<arguments>' <level 1-6>

example (BPF filter keywords are case-sensitive, so tcp, not TCP):
diagnose sniffer packet any 'net 192.168.10.0/24 and not host 192.168.10.1 and port 80 and tcp' 6

SYN packets only:
diag sniffer packet internal 'tcp[13] == 2'
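To see exactly which segments the SYN-only filter above selects, here is an added Python example (not part of the original post and not FortiOS code) that builds constructed 20-byte TCP headers and evaluates the byte-13 test the same way the sniffer's BPF expression does. The header builder, the flag table and the sample segments are this example's own constructions.

```python
import struct

# Bit values of the TCP flags byte (header offset 13), least significant first.
TCP_FLAGS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535):
    """Constructed 20-byte TCP header (no options, checksum left at zero)."""
    data_offset = 5 << 4          # header length 5 x 32-bit words, reserved bits 0
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, window, 0, 0)


def flag_names(tcp_header):
    """Names of the flags set in byte 13 of a TCP header."""
    return [name for name, bit in TCP_FLAGS.items() if tcp_header[13] & bit]


def matches_syn_only(tcp_header):
    """Same test as the sniffer filter 'tcp[13] == 2': SYN and nothing else.
    Catches client connection attempts; SYN-ACK replies (0x12) do not match."""
    return tcp_header[13] == 0x02


def matches_any_syn(tcp_header):
    """Same test as 'tcp[13] & 2 != 0': SYN set regardless of other flags,
    so both halves of a handshake match (SYN and SYN-ACK)."""
    return (tcp_header[13] & 0x02) != 0


def classify(tcp_headers):
    """Count how many of the given headers each filter variant would capture."""
    counts = {"syn_only": 0, "any_syn": 0}
    for hdr in tcp_headers:
        counts["syn_only"] += matches_syn_only(hdr)
        counts["any_syn"] += matches_any_syn(hdr)
    return counts


# Constructed sample segments: a handshake plus a data segment and a reset.
SAMPLE_HEADERS = [
    build_tcp_header(51000, 80, TCP_FLAGS["SYN"]),                      # client SYN
    build_tcp_header(80, 51000, TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"]),   # server SYN-ACK
    build_tcp_header(51000, 80, TCP_FLAGS["ACK"]),                      # client ACK
    build_tcp_header(51000, 80, TCP_FLAGS["PSH"] | TCP_FLAGS["ACK"]),   # data
    build_tcp_header(80, 51000, TCP_FLAGS["RST"] | TCP_FLAGS["ACK"]),   # reset
]

if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        print(f"flags={hdr[13]:#04x} {flag_names(hdr)} "
              f"syn_only={matches_syn_only(hdr)} any_syn={matches_any_syn(hdr)}")
    print(classify(SAMPLE_HEADERS))   # {'syn_only': 1, 'any_syn': 2}
```

The difference matters when you are counting connection attempts toward a service: the equality form counts only the client's initial SYN, while the bitmask form also counts the firewall's or server's SYN-ACK, doubling the apparent rate.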
to stop:
diagnose debug reset
diagnose debug disable
// Enable packet capture in GUI

System -> Config -> Advanced
Set up the packet capture filter; check the box to start, uncheck to stop.
Download the debug log.
// Show identified devices
diag user device list
// Routes

Route selection order: Interface up -> Multiple candidates: select the lowest distance -> Dynamic: if the same distance, choose the lowest metric -> Dynamic: if multiple routes have the same distance and metric, the behaviour depends on the protocol -> All "best routes" are placed in the routing table. A lookup matches the most exact subnet -> Policy routing is applied before table lookups.

Route lookups are only done for the first packet of each session.
All packets of the session will use the same path.
After a topology change, routes are flushed and sessions are re-learned.
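As an added illustration of the selection order just described (not code from the original post and not FortiOS code), the following Python model installs the lowest-distance, then lowest-metric, route per prefix, consults a small policy-route list before the table, resolves lookups by longest prefix match, and caches the decision per session so that only the first packet triggers a lookup. The Route and PolicyRoute records, the sample routes, and the five-tuple session key are this example's assumptions; the protocol-specific tie-break for equal distance and metric is not modelled (the first candidate seen wins).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str      # destination network, e.g. "10.0.0.0/8"
    gateway: str
    device: str
    distance: int    # administrative distance: lower wins across sources
    metric: int      # tie-break within the same distance (dynamic protocols)
    source: str      # "connected", "static", "ospf", "bgp" (illustrative labels)


@dataclass(frozen=True)
class PolicyRoute:
    src: str         # source network this policy applies to
    dst: str         # destination network this policy applies to
    gateway: str
    device: str


def build_routing_table(candidates):
    """Install one best route per prefix: lowest distance, then lowest metric.
    Equal distance and metric is protocol-dependent on a real device; here the
    first candidate seen is kept (assumption of this example)."""
    table = {}
    for r in candidates:
        net = ipaddress.ip_network(r.prefix, strict=False)
        current = table.get(net)
        if current is None or (r.distance, r.metric) < (current.distance, current.metric):
            table[net] = r
    return table


def table_lookup(table, dst_ip):
    """Longest-prefix match over the installed routes (most exact subnet wins)."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [net for net in table if addr in net]
    if not matches:
        return None
    return table[max(matches, key=lambda net: net.prefixlen)]


def policy_lookup(policy_routes, src_ip, dst_ip):
    """Policy routes are evaluated before the table; first match wins."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for pr in policy_routes:
        if src in ipaddress.ip_network(pr.src) and dst in ipaddress.ip_network(pr.dst):
            return pr
    return None


class Forwarder:
    """Per-session path cache: lookup on the first packet, reuse afterwards."""

    def __init__(self, candidates, policy_routes=()):
        self.table = build_routing_table(candidates)
        self.policy_routes = list(policy_routes)
        self.sessions = {}
        self.lookups = 0   # how many times the route decision was actually computed

    def next_hop(self, src_ip, dst_ip, proto, sport, dport):
        key = (src_ip, dst_ip, proto, sport, dport)
        if key in self.sessions:
            return self.sessions[key]
        self.lookups += 1
        pr = policy_lookup(self.policy_routes, src_ip, dst_ip)
        if pr is not None:
            decision = (pr.device, pr.gateway)
        else:
            r = table_lookup(self.table, dst_ip)
            decision = (r.device, r.gateway) if r else None
        self.sessions[key] = decision
        return decision

    def topology_change(self, candidates):
        """Rebuild the table and flush sessions so paths are re-learned."""
        self.table = build_routing_table(candidates)
        self.sessions.clear()


# Constructed sample RIB: two sources offer 10.0.0.0/8, two OSPF routes offer 10.1.0.0/16.
SAMPLE_ROUTES = [
    Route("0.0.0.0/0",   "172.16.0.1", "wan1",  10,  0,  "static"),
    Route("10.0.0.0/8",  "10.0.1.1",   "port1", 10,  0,  "static"),
    Route("10.0.0.0/8",  "10.0.2.1",   "port2", 110, 20, "ospf"),   # loses on distance
    Route("10.1.0.0/16", "10.0.3.1",   "port3", 110, 5,  "ospf"),
    Route("10.1.0.0/16", "10.0.4.1",   "port4", 110, 30, "ospf"),   # loses on metric
]
SAMPLE_POLICY = [PolicyRoute("192.168.10.0/24", "0.0.0.0/0", "203.0.113.1", "wan2")]

if __name__ == "__main__":
    fw = Forwarder(SAMPLE_ROUTES, SAMPLE_POLICY)
    print(fw.next_hop("192.168.1.5", "10.1.2.3", "tcp", 40000, 443))    # ('port3', '10.0.3.1')
    print(fw.next_hop("192.168.1.5", "10.200.1.1", "tcp", 40001, 443))  # ('port1', '10.0.1.1')
    print(fw.next_hop("192.168.10.5", "8.8.8.8", "udp", 40002, 53))     # ('wan2', '203.0.113.1')
```

Note how 10.1.2.3 is forwarded via the OSPF /16 even though the static /8 has a far better distance: distance only decides which route is installed for a given prefix, while the lookup itself is decided by prefix length. That is exactly why `get router info routing-table details <ip>` is the command to trust when a packet takes an unexpected path.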
get system arp                               // ARP table
get router info routing-table all            // All routing table entries
get router info routing-table details <ip>   // Shows whether static or dynamic routes exist for the destination.
get router info kernel                       // Raw kernel routing table
show router static                           // Display static routes
// Restore image
execute restore image <firmware_file_name> <TFTP_server_ip_address>   // Restore an image from TFTP
// Provisioning
config system settings        // Configure for layer-3 (NAT/route mode)
    set opmode nat
end

config system settings        // Configure transparent mode
    set opmode transparent
end

config system global          // Set the admin port if the SSL VPN portal is sharing 443
    set admin-sport 8443
    set sslvpn-sport 443
end

config system global          // Enable SCP
    set admin-scp enable
end
config system ntp             // Set up NTP (use "next" between entries, "end" to leave the table)
    config ntpserver
        edit 1
            set server 10.0.0.0
        next
        edit 2
            set server 10.0.0.1
        next
    end
    set ntpsync enable
end
execute time
config system dns             // Set up DNS
    set primary 0.0.0.0
    set secondary 0.0.0.0
end
config log syslogd(2|3) setting   // Enable syslog (syslogd, syslogd2 or syslogd3)
    set status enable
    set server <IP address>
    set port 514
    set facility user
end
diagnose log test             // Test logging
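Once syslog is enabled, `diagnose log test` emits test records toward the configured collector. The script below is an added example (not from the original post and not Fortinet code) of what a collector can do on receipt: decode the RFC 3164 PRI value into facility and severity, so you can confirm the records really arrive with facility `user` (code 1) as configured above, and split the key=value body that FortiGate logs use into fields. The sample record is constructed and is not real device output; `serve()` is this example's own minimal UDP listener and must run as root to bind port 514.

```python
import re
import socket

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# key=value pairs; a quoted value may contain spaces and escaped quotes.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_pri(record):
    """Split '<PRI>body' into facility name, severity name and the body text."""
    m = _PRI_RE.match(record)
    if not m:
        raise ValueError("record does not start with a <PRI> field")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    return {
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "body": m.group(2),
    }


def parse_kv(body):
    """Parse a key=value body into a dict; quoted values keep their inner spaces."""
    fields = {}
    for key, value in _KV_RE.findall(body):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_record(record):
    """Full decode of one datagram: PRI plus key=value fields."""
    parsed = parse_pri(record)
    parsed["fields"] = parse_kv(parsed["body"])
    return parsed


def check_expected_facility(record, expected="user"):
    """True when the record carries the facility configured on the firewall."""
    return parse_pri(record)["facility"] == expected


def serve(bind="0.0.0.0", port=514, max_records=None):
    """Minimal UDP collector (this example's own): decodes and prints records
    until max_records have been seen. Binding port 514 requires root."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    seen = 0
    while max_records is None or seen < max_records:
        data, (src, _) = sock.recvfrom(65535)
        rec = parse_record(data.decode("utf-8", errors="replace"))
        print(f"{src} {rec['facility']}.{rec['severity']} {rec['fields'] or rec['body']}")
        seen += 1
    sock.close()


# Constructed sample in the key=value style of FortiGate logs (placeholder values).
SAMPLE_RECORD = ('<14>date=2014-02-20 time=16:58:00 devname="FGT-LAB" logid="0000000000" '
                 'type="event" subtype="system" level="information" '
                 'logdesc="Log test message"')

if __name__ == "__main__":
    print(parse_record(SAMPLE_RECORD))
```

Run `serve(max_records=5)` on the collector, then `diagnose log test` on the firewall: if nothing arrives, the firewall's `set server`/`set port` or a policy between the devices is the place to look; if records arrive with a facility other than `user`, the collector's filtering rules, not the firewall, are mapping them to the wrong file.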
config system interface       // Set up IP address
    edit wan1
        set mode static
        set ip 172.16.0.0 255.255.255.0
        set vlanid 50
    end
config system interface       // LACP port aggregation
    edit aggr1
        set type aggregate
        set member "port8" "port9"
    end
config system zone            // Add interfaces to zone
    edit outside
        set interface internal1 internal2
        set intrazone allow   // enable intrazone traffic
    end
config router static          // Add default route
    edit 1
        set gateway 172.16.0.0
    end

config router static          // Static route
    edit 2
        set device port1
        set dst 10.0.0.0 255.0.0.0
        set gateway 10.0.1.1
    end
// Vendor Notes

http://docs.fortinet.com/fgt.html
http://docs.fortinet.com/fgt/handbook/40mr3/fortigate-cli-40-mr3.pdf
http://docs.fortinet.com/fgt50.html