Fortigate Cheat and Tricks

Table of Contents

• General Tips
• External support (Fortinet)
• System
  • Status
  • Open Network Connections
  • Performance
    • Processes
    • LDAP / Radius Authentication
  • High Availability
  • Object Management
  • Log
• Layer 1 (Physical Layer)
  • Network Interface Card
• Layer 2 (Data Link Layer)
  • Address Resolution Protocol (ARP)
• Layer 3 (Network Layer)
  • Internet Protocol
    • Routing
    • OSPF
    • IPSEC
    • Geo IP Information
• Layer 4 (Transport Layer)
  • Firewall
    • Session List Filters
  • Traffic Flow through FortiGate
    • Sniffer
• Layer 5 (Session Layer)
  • SSL-Inspection
  • Fortinet Single Sing On (FSSO)
• Layer 7 (Application Layer)
  • Proxy
  • FortiGuard
  • Antivirus
  • IPS

General Tips

• You can use the grep utility to filter output from the commands below.
  • Use grep -f to show the the context of the grepped item.

External support (Fortinet)

• Generate a TAC report: exec tac report
• Get crash log: diag debug crashlog read shows the crashlog in a readable format.

System

Status

• Show system status: get system status

Open Network Connections

• List open networking ports: diagnose sys tcpsock

Performance

• Show performance usage: get system performance status
• Show top: get system performance top, use SHIFT+M to sort on memory usage.
• Show top with grouped processes: diagnose sys top-summary
  • Use diagnose sys top-summary -h to show the help message for top-summary
• Show shared memory information: diagnose hardware sysinfo shm
  • Look if conservemode is 1.

Processes

• Kill processes: diagnose sys kill process_id 15 uses a unconditional kill.
• Kill processes: diagnose sys kill process_id 15 uses a graceful kill.
• See: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD34985&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=4468137&stateId=0%200%2069138257 for further reference

LDAP / Radius Authentication

• Use the following commands to debug LDAP or Radius:

diagnose debug enable
diagnose debug application fnbamd -1

• Read: http://kb.fortinet.com/kb/documentLink.do?externalID=FD31886 for further information.

High Availability

• Show HA status: get system ha status
• Show HA checksum: get system checksum status
• Manage other cluster member through HA interface: exec ha manage 0/1
• Show a HA diff: diagnose sys ha hadiff status
• Execute a fail-over: diagnose sys ha reset uptime

Object Management

• Find object dependencies for object (example): diag sys checkused system.interface.name port1

Log

• Set a log filter: execute log filter
• Show log: exec log show

Layer 1 (Physical Layer)

Network Interface Card

• Show all NIC's: config system interface
• Show hardware info for NIC: diagnose hardware deviceinfo nic
• Show device information for specific NIC: diagnose hardware deviceinfo nic <nic>

Layer 2 (Data Link Layer)

Address Resolution Protocol (ARP)

• Show ARP table: get system arp
• View ARP cache: diag ip arp list
• Clear ARP cache: execute clear system arp table
• Remove a single ARP table entry: diag ip arp delete <interface name> <IP address>
• Add static ARP entries: config system arp-table

Layer 3 (Network Layer)

Internet Protocol

• Execute a ping: exec ping <dst>
• Set specific ping options: exec ping-options
  • Set specific source IP: exec ping-options source
• Execute a telnet: exec telnet ip:port

Routing

• Show routing table: get router info routing-table all
• Show routing database: get router info routing-table database
• Get routing information for specific <host>: get router info routing-table details <host>
• Execute a traceroute: exec traceroute

• Poor man's traceroute
  
  If you would like to test a traceroute for a different source IP than the one assigned to your outbound interface you can use poor-mans-traceroute.

  Use this procedure:

  1. Open a second ssh session and filter on the outbound interface for icmp
  2. Set the execute ping-options timeout to 1.
  3. Set the execute ping-options source to your source IP.
  4. Ping the target host.
  5. Observer the ICMP time to live exceeded message you get from the first router.
  6. Increase the timeout to 2 and repeat from step 4.

OSPF

Use Fortinet's recommended procedure to debug OSPF: http://kb.fortinet.com/kb/viewContent.do?externalId=FD31207

• Show OSPF neighbor status: get router info ospf neighbor all
• Delete all OSPF entries: execute router clear ospf process
• Show OSPF router status: get router info ospf status
• Dump OSPF packets on any interface: diagnose sniffer packet any 'proto 89' 4 0
• Show OSPF interface: get router info ospf interface.
• Show OSPF database: get router info ospf database brief

IPSEC

• Show list of IPSEC VPN tunnels: get vpn ipsec tunnel summary
• Show details for IPSEC VPN tunnel: get vpn ipsec tunnel detail
• Debug IKE:

diag debug application ike 63 
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr 1.2.3.4
diagnose debug app ike 255
diagnose debug enable

Look for:

• SNMP tunnel UP / Down traps
• Own and remote proposal

Geo IP Information

• Show Geo IP IP address list: diagnose firewall ipgeo ip-list
• Show Geo IP countries: diagnose firewall ipgeo country-list
• Update Geo IP addresses: execute update-geo-ip

Layer 4 (Transport Layer)

Firewall

• Show session table: diagnose sys session list
• Show session table with statistics: diagnose firewall statistics show
• Short list for session table: get system session list

Session List Filters

It is possible to set filters for the session list.

• Clear session list filter: diagnose sys session filter clear
• Show possible session list filters: diagnose sys session filter ?
• Set session filter for destination IP: diagnose sys session filter dst 8.8.8.8
• Set session filter for destination port: diagnose sys session filter dport 53

Traffic Flow through FortiGate

• Use traffic flow to debug FortiGate policy problems such as NAT.

diagnose debug enable
diagnose debug flow show console enable
Diag debug flow show function enable
diagnose debug flow filter add 10.10.0.1
diagnose debug flow trace start 100

• Use http://kb.fortinet.com/kb/viewContent.do?externalId=FD31702 to debug iprobeincheck() messages.

Sniffer

• Dump packets on interface: ~diagnose sniffer packet <interface> '<tcpdump filter>'~
  • <interface> can be any or specific interface name
  • https://danielmiessler.com/study/tcpdump/ provides a good starting point for tcpdump filters

Packets with TCP RST flag set:

diagnose sniffer packet internal 'tcp[13] & 4 != 0'

Packets with TCP SYN flag set:

diagnose sniffer packet internal 'tcp[13] & 2 != 0'

Packets with TCP SYN ACK flag set:

diagnose sniffer packet internal 'tcp[13]=18'

Packets with TCP SYN and TCP ACK

diagnose sniffer packet internal 'tcp[13] = 18'

Layer 5 (Session Layer)

SSL-Inspection

• Show possible diagnose commands: diagnose test application ssl 0
• Show SSL proxy usage: diagnose test application ssl 4
• Show info per connection: diagnose test application ssl 44

Fortinet Single Sing On (FSSO)

• Debug FSSO:

diag debug enable
diag debug authd fsso list
diag debug authd fsso server-status
diag debug authd fsso-summary

Layer 7 (Application Layer)

Proxy

• Show user list: diagnose wad user list
• Test HTTP proxy: diagnose test application http
• Enable console log for proxy:

execute log filter dump
execute log filter category 0
execute log filter field hostname www.google.ch
execute log display

FortiGuard

• Show list of FortiGuard server: diag debug rating

Antivirus

• Update Antivirus Database: execute update-now

IPS

• Use diagnose test application ipsmonitor ? to get a menu for the IPS monitor.
• Show DoS anomaly list diagnose ips anomaly list