Scribd Logo
Upload

Welcome to Scribd!

  • 40 views

    Learning Fortigate

    Uploaded by

    RajArya
    The document provides instructions for various FortiGate configuration tasks using the CLI, including: 1. Configuring an interface with an IP address, services, and other settings. 2. Creating firewall policies to allow or block traffic between interfaces and address groups. 3. Backing up and restoring the FortiGate configuration using the CLI. 4. Viewing and troubleshooting various settings and connections like routes, sessions, and logs. 5. Configuring additional settings like interfaces, VLANs, NAT, and static routes.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd

    Learning Fortigate

    Uploaded by

    RajArya
    40 views11 pages
    The document provides instructions for various FortiGate configuration tasks using the CLI, including: 1. Configuring an interface with an IP address, services, and other settings. 2. Creating firewall policies to allow or block traffic between interfaces and address groups. 3. Backing up and restoring the FortiGate configuration using the CLI. 4. Viewing and troubleshooting various settings and connections like routes, sessions, and logs. 5. Configuring additional settings like interfaces, VLANs, NAT, and static routes.

    Original Title

    Learning fortigate

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    The document provides instructions for various FortiGate configuration tasks using the CLI, including: 1. Configuring an interface with an IP address, services, and other settings. 2. Creating firewall policies to allow or block traffic between interfaces and address groups. 3. Backing up and restoring the FortiGate configuration using the CLI. 4. Viewing and troubleshooting various settings and connections like routes, sessions, and logs. 5. Configuring additional settings like interfaces, VLANs, NAT, and static routes.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Download as docx, pdf, or txt
    40 views11 pages

    Learning Fortigate

    Uploaded by

    RajArya
    The document provides instructions for various FortiGate configuration tasks using the CLI, including: 1. Configuring an interface with an IP address, services, and other settings. 2. Creating firewall policies to allow or block traffic between interfaces and address groups. 3. Backing up and restoring the FortiGate configuration using the CLI. 4. Viewing and troubleshooting various settings and connections like routes, sessions, and logs. 5. Configuring additional settings like interfaces, VLANs, NAT, and static routes.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Download as docx, pdf, or txt
    You are on page 1of 11

    Learning Fortigate

    1. Configuring fortigate interface and allowing ssh

    config system interface


    edit "port1"
    set vdom "root"
    set ip 192.168.1.99 255.255.255.0
    set allowaccess ping https ssh
    set type hard-switch
    set stp enable
    set role lan
    set snmp-index 6
    next
    End

    2. Verify interface config

    Show system interface port1

    Enabling and disabling of paging in Fortigate in case to take full


    backup of config so continuous output can be obtained without
    pressing space.

    Following command will enable continuous output on console.


    Config system console
    Set output standard
    End

    Following command will disable continuous output and will set


    restriction to specific number of lines at console, further output
    can be availed after pressing space.

    Config system console


    Set output more
    End

    The baud rate of the local console connection can be changed from its
    default value of 9600.

    To change the baud rate:

    config system console set baudrate {9600 | 19200 | 38400 | 57600 |


    115200}
    end

    3. Creating firewall policy via cli

    config firewall policy


    edit 0
    ......
    next
    end

    4. Edit firewall policy

    config firewall policy


    edit 27
    ....
    next
    end

    5. Delete a firewall policy

    Config firewall policy


    Delete 30
    End

    6. Table values can be cleared with ‘purged’ command and this


    isn’t reversible and can only be restored via previous backup.

    7. Changing location of a firewall policy

    Config firewall policy


    Move 27 to 30
    End

    8. copying an existing firewall policy

    Config firewall policy


    Clone 27 to 30
    End

    9. Rename and administrator e.g. from Flank to Frank

    Config system admin


    Rename Flank to Frank
    End

    10. To view the existing firewall policy


    Config firewall policy
    Get

    11. configure the host name in CLI

    Config system global


    Set hostname 200F_YVR
    End

    12. Configure the default route in the CLI

    Config router static


    Edit 0
    Set gateway 192.168.1.254
    Set device port1
    Next
    End

    13. To backup the configuration using the CLI

    Use one of the following commands:

    Execute backup config management-station <comment>


    or
    Execute backup config usb <backup_filename> [backup_password]
    or for FTP, note that port number, username are optional depending on
    the FTP site:
    Execute backup config ftp <backup_filename> <ftp_server>[<:ftp_port>]
    [user_name>] [<password>] [<backup_password>]
    Or for TFTP:
    Execute backup config tftp <backup_filename> <tftp_servers>
    [<backup_password>]
    Or for SFTP:
    Execute backup config sftp <backup_filename>
    <sftp_servers>[<:sftp_port] <user> <password> [<backup_password>]

    Use the same commands to backup a VDOM configuration by first


    entering the commands:

    Config vdom
    Edit <vdom_name>
    Restoring a configuration

    To restore the Fortigate configuration using the CLI

    Execute restore config management-station normal 0

    Or

    Execute restore config usb <backup_filename> [backup_password>]

    Or for TFTP:

    Execute restore config tftp <backup_filename> <tftp_server>


    [<backup_password>]

    Backup and restore the local certificates

    This procedure exports a server (local) certificate and private key


    together as a password protected PKCS12 file. The export file is
    created through a customer-supplied TFTP server Ensure that ourTFTP
    server is running and accessible to the Fortigate before we enter the
    command.

    To back up the local certificates:

    Connect to the CLI and use the following command:

    Execute vpn certificate local export tftp <cert_name> <filename>


    <tftp_ip>

    Where:
    <cert_name> is the name of the server certificate.
    <filename> is a name for the output file.
    <tftp_ip> is the IP address assigned to the TFTP server host
    interface.

    To Restore the local certificates using the CLI:

    Execute vpn certificates local import tftp <filename> <tftp_ip>

    Restore factory defaults

    Execute factoryreset
    When prompted, type y to confirm the reset

    Alternatively, in the CLI we can reset the factory defaults but


    retain the interface and VDOM configuration with the following
    command:

    Execute factoryreset2

    To view the routing table in the CLI:

    #get route info routing-table all

    To look up a firewall route in the CLI:

    #diagnose firewall proute list

    To view the DHCP lease list in the CLI:

    #execute dhcp lease-list

    To view the IPsec monitor in the CLI:

    #diagnose vpn tunnel list

    To monitor SSL-VPN users in the CLI:

    #get vpn ssl monitor

    To view firewall users in the CLI:

    #diagnose firewall auth list

    To configure logging to disk:

    Config log disk setting


    Set status enable
    End

    To include sniffer traffic and local-deny traffic when Fortiview from


    Disk:

    Config report setting


    Set report-source forward-traffic sniffer-traffic local-deny-
    traffic
    End

    Troubleshooting

    Use ‘execute report flush-cache’ and ‘execute report recreate-db’


    to clear up any irregularities that may be caused by upgrading or
    cache issues.

    Traffic logs
    To view traffic logs from disk:

    1. Go to Log & Report, and select either the Forward Traffic, Local
    Traffic, or Sniffer Traffic views.
    2. In the top menu bar, click Log location and select Disk.

    To view session data using the CLI:

    #diagnose sys session list

    The session table output in the CLI is very large. We can use the
    supported filters in the CLI to show only the data you need.

    To view session data with filters using the CLI:

    #diagnose sys session filter <option>

    To enable address object UUID logging in the CLI:

    Config system global


    Set log-uuid-address enable

    To configure an interface in the CLI:

    config system interface


    edit <name>
    set vdom <VDOM_name>
    set mode {static | dhcp | pppoe}
    set ip <IP_address/netmask>
    set security-mode {none | captive-portal | 802.1X}
    set egress-shaping-profile <profile>
    set device-identification {enable | disable}
    set allowaccess {ping https ssh http snmp telnet fgfm radius-acct probe-response
    fabric ftm}
    set secondary-IP enable
    config secondaryip
    edit 1
    set ip 9.1.1.2 255.255.255.0
    set allowaccess ping https ssh snmp http
    next
    end
    next
    End

    To create an aggregate interface in the CLI:


    config system interface
    edit "aggregate"
    set vdom "root"
    set ip 10.1.1.123 255.255.255.0
    set allowaccess https ssh
    set type aggregate
    set member "port4" "port5" "port6"
    set snmp-index 45
    next
    end

    To create a redundant interface in the CLI:


    config system interface
    edit "redundant"
    set vdom "root"
    set ip 10.13.101.100 255.255.255.0
    set allowaccess https http
    set type redundant
    set member "port4" "port5" "port6"
    set snmp-index 9
    next
    End

    Enhanced hashing for LAG member selection- (Personal notes:- look for hashing in more details on
    google)

    config system npu


    set lag-out-port-select {enable | disable}
    config sw-eh-hash
    set computation {xor4 | xor8 | xor16 | crc16}
    set ip-protocol {include | exclude}
    set source-ip-upper-16 {include | exclude}
    set source-ip-lower-16 {include | exclude}
    set destination-ip-upper-16 {include | exclude}
    set destination-ip-lower-16 {include | exclude}
    set source-port {include | exclude}
    set destination-port {include | exclude}
    set netmask-length {0 - 32}
    end
    End

    For example, to use XOR16 and include all of the fields in the 5-tuple to compute the link in the LAG
    interface that the
    packet is distributed to:
    config system npu
    set lag-out-port-select enable
    config sw-eh-hash
    set computation xor16
    set ip-protocol include
    set source-ip-upper-16 include
    set source-ip-lower-16 include
    set destination-ip-upper-16 include
    set destination-ip-lower-16 include
    set source-port include
    set destination-port include
    set netmask-length 32
    end
    End

    To configure the external interface:


    config system interface
    edit external
    set mode static
    set ip 172.16.21.2 255.255.255.0
    next
    end
    To add VLAN subinterfaces:
    config system interface
    edit VLAN_100
    set vdom root
    set interface internal
    set type vlan
    set vlanid 100
    set mode static
    set ip 10.1.1.1 255.255.255.0
    set allowaccess https ping
    next
    edit VLAN_200
    set vdom root
    set interface internal
    set type vlan
    set vlanid 200
    set mode static
    set ip 10.1.2.1 255.255.255.0
    set allowaccess https ping
    next
    end
    To add the firewall addresses:
    config firewall address
    edit VLAN_100_Net
    set type ipmask
    set subnet 10.1.1.0 255.255.255.0
    next
    edit VLAN_200_Net
    set type ipmask
    set subnet 10.1.2.0 255.255.255.0
    next
    End

    To add security policies:


    Policies 1 and 2 do not need NAT enabled, but policies 3 and 4 do need NAT enabled.
    config firewall policy
    edit 1
    set srcintf VLAN_100
    set srcaddr VLAN_100_Net
    set dstintf VLAN_200
    set dstaddr VLAN_200_Net
    set schedule always
    set service ALL
    set action accept
    set nat disable
    set status enable
    next
    edit 2
    set srcintf VLAN_200
    set srcaddr VLAN_200_Net
    set dstintf VLAN_100
    set dstaddr VLAN_100_Net
    set schedule always
    set service ALL
    set action accept
    set nat disable
    set status enable
    next
    edit 3
    set srcintf VLAN_100
    set srcaddr VLAN_100_Net
    set dstintf external
    set dstaddr all
    set schedule always
    set service ALL
    set action accept
    set nat enable
    set status enable
    next
    edit 4
    set srcintf VLAN_200
    set srcaddr VLAN_200_Net
    set dstintf external
    set dstaddr all
    set schedule always
    set service ALL
    set action accept
    set nat enable
    set status enable
    next
    end

    VLANs in Transparent mode

    In transparent mode, the FortiGate unit behaves like a layer-2 bridge but can still provide services
    such as antivirus scanning, web filtering, spam filtering, and intrusion protection to traffic. Some
    limitations of transparent mode is that we cannot use SSL VPN, PPTP/L2TP VPN, DHCP server,
    or easily perform NAT on traffic. The limits in transparent mode apply to IEEE 802.1Q VLAN trunks
    passing through the unit

    Add static route on Fortinet..

    config router static


    edit 1
    set dst 10.20.20.0/24
    set gateway 10.30.30.1
    set distance 1
    set device
    end

    You might also like