Archive for the ‘Fortigate’ Category


Fortigate Limitation

March 4, 2009

I discovered a really annoying limitation to the Fortigate firewalls today. And although this limitation won't be encountered on a daily basis, I know this is not an unusual setup, and above that I know that Cisco Pix Firewall supports this, as I have done this before.

Suppose the following scenario:

[diagram: fortilimit]

Suppose traffic from the Big Bad Internet is destined to company BOB's application server at 170.1.1.1:8081.

On the Fortigate you create a port-nat to the server's internal address of 192.168.102.1.


Fortigate tcp dump

October 9, 2008

In order to see a tcp dump of the traffic flowing through a Fortigate, the diagnose sniffer command can be used from the CLI. The command syntax:

diagnose sniffer packet {interface | all} 'net z.z.z.z/p and/or host x.x.x.x and/or port yyy' [options]

You can narrow your search by filtering on any of the following:

net/prefix : print a whole netblock
host       : print only one host
port       : print only a specific port number
and/or     : combine several filter terms into one expression

The options field at the end (the verbosity level) is as follows:
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name

Option '4' is particularly useful, in that it shows the associated interface for each direction of the traffic.

Examples:

diagnose sniffer packet any 'net 10.0.0.0/8 and host 172.16.16.14 and port 3389'

diagnose sniffer packet any 'host 10.4.131.97 and host 172.16.16.14 and port 3389' 4
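As an added example (not from the original post), a small Python script that post-processes a saved verbosity-4 capture like the second one above: it records which interface each flow entered and left on, and flags flows that were seen entering but never leaving, the usual sign of a policy drop. The sample lines are constructed and assumed to follow the verbosity-4 layout (timestamp, interface, direction, src.port -> dst.port: flags).

```python
import re
from collections import defaultdict

# Constructed sample output; the layout is assumed from verbosity-4 captures.
SAMPLE = """\
interfaces=[any]
filters=[host 10.4.131.97 and host 172.16.16.14 and port 3389]
1.001 port1 in 10.4.131.97.51000 -> 172.16.16.14.3389: syn 1000
1.002 port2 out 10.4.131.97.51000 -> 172.16.16.14.3389: syn 1000
1.010 port2 in 172.16.16.14.3389 -> 10.4.131.97.51000: syn 2000 ack 1001
1.011 port1 out 172.16.16.14.3389 -> 10.4.131.97.51000: syn 2000 ack 1001
2.500 port1 in 10.4.131.97.51001 -> 172.16.16.14.3389: syn 3000
3.500 port1 in 10.4.131.97.51001 -> 172.16.16.14.3389: syn 3000
"""

# One packet line: "<ts> <intf> in|out <src>.<sport> -> <dst>.<dport>: ..."
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def parse(text):
    """Yield one dict per packet line; the interfaces=/filters= headers are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groupdict()

def summarise(text):
    """Group packets by (src, sport, dst, dport) and collect in/out interfaces."""
    flows = defaultdict(lambda: {"in": set(), "out": set(), "packets": 0})
    for p in parse(text):
        key = (p["src"], int(p["sport"]), p["dst"], int(p["dport"]))
        flow = flows[key]
        flow[p["dir"]].add(p["intf"])   # interface the packet was seen on
        flow["packets"] += 1
    return dict(flows)

def one_way_flows(text):
    """Flows that entered the firewall but were never seen leaving on any interface."""
    return [key for key, f in summarise(text).items() if f["in"] and not f["out"]]

if __name__ == "__main__":
    for key, f in summarise(SAMPLE).items():
        print(key, "in:", sorted(f["in"]), "out:", sorted(f["out"]), "pkts:", f["packets"])
    print("one-way:", one_way_flows(SAMPLE))
```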


Fortigate Commands

October 9, 2008

I configure/support Fortigate firewalls on a daily basis, the baby 60DSL's, the 200A's, but mostly the big 3016B's.

Although I do use the Fortimanager front-end extensively for revision history, I still prefer and often do work from the command line, so I thought I'd share the commands I use often.

Monitoring commands:

show

  • Show global or vdom config

sh system interface

  • Equivalent to show run interface

diagnose hardware deviceinfo nic

  • Equivalent to show interface

get system status

  • show version information

sh firewall policy 6

  • Show firewall rule number 6

sh router policy

  • Show Policy Routing rules

diagnose system session list

  • Show the existing translations

diagnose system session clear

  • Clears all xlate/translations

diagnose ip arp list

  • Show the ARP table of connected hosts

get router info routing-table all

  • Equivalent to 'show ip route'

diagnose system top

  • Show System Processes running with PIDs

diagnose system kill 9 <id>

  • Kill the specific PID

diag test auth ldap <server_name> <username> <password>

  • LDAP test query from the Forti to the AD
