The session table

The command gives an overview of sessions. Traffic that passes through firewall policies ends up here.

diag sys session list

Example output:

session info: proto=6 proto_state=65 expire=14 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
bandwidth=0/sec	guaranteed_bandwidth=0/sec	traffic=0/sec	prio=0	ha_id=0 hakey=23015
tunnel=/
state=redir local may_dirty ndr 
statistic(bytes/packets/err): org=1306/6/0 reply=1542/5/0 tuples=3
orgin->sink: org pre->post, reply pre->post dev=9->3/3->9 gwy=195.1.208.57/192.168.10.101
hook=post dir=org act=snat 192.168.10.101:3914->213.180.79.130:80(195.1.208.62:36370)
hook=pre dir=reply act=dnat 213.180.79.130:80->195.1.208.62:36370(192.168.10.101:3914)
hook=post dir=reply act=noop 213.180.79.130:80->192.168.10.101:3914(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=20000 policy_id=1 auth_info=0 ids=0xcac41e78 vd=0 serial=000b259e tos=ff/ff app=0

session info: proto=6 proto_state=65 expire=14 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
bandwidth=0/sec	guaranteed_bandwidth=0/sec	traffic=0/sec	prio=0	ha_id=0 hakey=23015
tunnel=/
state=redir local may_dirty ndr 
statistic(bytes/packets/err): org=1511/7/0 reply=2755/6/0 tuples=3
orgin->sink: org pre->post, reply pre->post dev=9->3/3->9 gwy=195.1.208.57/192.168.10.101
hook=post dir=org act=snat 192.168.10.101:3915->213.180.79.130:80(195.1.208.62:36371)
hook=pre dir=reply act=dnat 213.180.79.130:80->195.1.208.62:36371(192.168.10.101:3915)
hook=post dir=reply act=noop 213.180.79.130:80->192.168.10.101:3915(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=20000 policy_id=1 auth_info=0 ids=0xcac41e78 vd=0 serial=000b259f tos=ff/ff app=0

The command can produce a lot of output. It can be limited by using a filter:

diag sys session filter <option>

<option> can be one of:

  clear    clear session filter
  dport    dest port
  dst      dest IP address
  negate   inverse filter
  policy   policy ID
  proto    protocol number
  sport    source port
  src      source IP address
  vd       index of virtual domain. -1 matches all

Example. List all sessions with dest port 80:

diag sys session filter dport 80
diag sys session list
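
As an added example (not part of the original page), the Python script below parses the record format shown above and reproduces the filter options in software, so a saved dump of diag sys session list can be searched offline, for instance when you want every session a given policy ID created or every session that was SNATed. The first record in the sample is the one shown above; the second (a UDP/53 session on policy 2, with a destination from the documentation address range) is constructed. The parser and the filter_sessions helper are the example's own, not FortiOS commands.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the shape of "diag sys session list" output.
# Record 1 is from the page; record 2 is made up so that filtering separates something.
SAMPLE = """\
session info: proto=6 proto_state=65 expire=14 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
bandwidth=0/sec guaranteed_bandwidth=0/sec traffic=0/sec prio=0 ha_id=0 hakey=23015
tunnel=/
state=redir local may_dirty ndr
statistic(bytes/packets/err): org=1306/6/0 reply=1542/5/0 tuples=3
orgin->sink: org pre->post, reply pre->post dev=9->3/3->9 gwy=195.1.208.57/192.168.10.101
hook=post dir=org act=snat 192.168.10.101:3914->213.180.79.130:80(195.1.208.62:36370)
hook=pre dir=reply act=dnat 213.180.79.130:80->195.1.208.62:36370(192.168.10.101:3914)
hook=post dir=reply act=noop 213.180.79.130:80->192.168.10.101:3914(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=20000 policy_id=1 auth_info=0 ids=0xcac41e78 vd=0 serial=000b259e tos=ff/ff app=0

session info: proto=17 proto_state=01 expire=172 timeout=180 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
tunnel=/
state=may_dirty
statistic(bytes/packets/err): org=64/1/0 reply=120/1/0 tuples=2
orgin->sink: org pre->post, reply pre->post dev=9->3/3->9 gwy=195.1.208.57/192.168.10.101
hook=post dir=org act=snat 192.168.10.101:51515->203.0.113.53:53(195.1.208.62:36372)
hook=pre dir=reply act=dnat 203.0.113.53:53->195.1.208.62:36372(192.168.10.101:51515)
misc=20000 policy_id=2 auth_info=0 ids=0xcac41e78 vd=0 serial=000b25a0 tos=ff/ff app=0
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
HOOK_RE = re.compile(
    r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\((?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\)"
)


@dataclass
class Session:
    fields: Dict[str, str] = field(default_factory=dict)       # key=value pairs of the record
    hooks: List[Dict[str, str]] = field(default_factory=list)  # one dict per hook=... line

    @property
    def proto(self) -> int:
        return int(self.fields["proto"])

    @property
    def policy_id(self) -> int:
        return int(self.fields["policy_id"])

    def original(self) -> Optional[Dict[str, str]]:
        """The dir=org hook carries the 5-tuple as the client sent it (pre-NAT)."""
        return next((h for h in self.hooks if h["dir"] == "org"), None)


def parse_sessions(text: str) -> List[Session]:
    """Split a dump into records; a new record starts at every 'session info:' line."""
    sessions: List[Session] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("session info:"):
            sessions.append(Session())
        if not sessions:
            continue                      # ignore text before the first record
        cur = sessions[-1]
        if line.startswith("hook="):      # hook lines have their own layout
            m = HOOK_RE.match(line)
            if m:
                cur.hooks.append(m.groupdict())
        elif line.startswith("state="):   # state flags are space separated, keep them whole
            cur.fields["state"] = line[len("state="):]
        else:
            cur.fields.update(KV_RE.findall(line))
    return sessions


def filter_sessions(sessions: List[Session], *, src=None, dst=None, sport=None,
                    dport=None, proto=None, policy=None, negate=False) -> List[Session]:
    """Same options as 'diag sys session filter'; negate inverts the match."""
    def matches(s: Session) -> bool:
        o = s.original()
        if o is None:
            return False
        wanted = [(src, o["src"]), (dst, o["dst"]), (sport, int(o["sport"])),
                  (dport, int(o["dport"])), (proto, s.proto), (policy, s.policy_id)]
        hit = all(want is None or want == got for want, got in wanted)
        return hit != negate
    return [s for s in sessions if matches(s)]


def describe(s: Session) -> str:
    """One-line summary: original tuple, SNAT mapping if any, policy and timers."""
    o = s.original()
    tup = f"{o['src']}:{o['sport']}->{o['dst']}:{o['dport']}" if o else "?"
    nat = f" -> snat {o['nat_ip']}:{o['nat_port']}" if o and o["act"] == "snat" else ""
    return (f"proto={s.proto} {tup}{nat} policy={s.policy_id} "
            f"expire={s.fields['expire']}/{s.fields['timeout']}s serial={s.fields['serial']}")


if __name__ == "__main__":
    for s in filter_sessions(parse_sessions(SAMPLE), dport=80):
        print(describe(s))
```

Feed it the text of a real dump instead of SAMPLE (for instance copied from a terminal log) and combine options the same way you would on the box; filter_sessions(..., policy=0) is a quick way to list sessions that were matched by the implicit deny policy, if your dump contains any.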

Flow Trace

diag debug flow trace start

This command shows how packets "flow through" a FortiGate.

Example:

diag debug enable
diag debug flow filter <option>
diag debug flow show function-name enable
diag debug flow show console enable
diag debug flow trace start 100

filter <option> filters the output:

  addr     ip address
  clear    clear filter
  daddr    dest ip address
  dport    destination port
  negate   inverse filter
  port     port
  proto    protocol number
  saddr    source ip address
  sport    source port
  vd       index of virtual domain, -1 matches all

When you are done:

diag debug disable

The output can look like this:

id=20085 trace_id=6228 func=resolve_ip_tuple_fast line=2852 msg="Find an existing session, id-000b33ee, original direction"
id=20085 trace_id=6228 func=__ip_session_run_tuple line=1563 msg="SNAT 192.168.10.230->195.1.208.62:38698"
id=20085 trace_id=6229 func=resolve_ip_tuple_fast line=2825 msg="vd-root received a packet(proto=6, 192.168.10.230:45096->195.139.129.149:80) from local."
id=20085 trace_id=6229 func=resolve_ip_tuple_fast line=2852 msg="Find an existing session, id-000b33ee, original direction"
id=20085 trace_id=6229 func=__ip_session_run_tuple line=1563 msg="SNAT 192.168.10.230->195.1.208.62:38698"
id=20085 trace_id=6230 func=resolve_ip_tuple_fast line=2825 msg="vd-root received a packet(proto=6, 192.168.10.230:45096->195.139.129.149:80) from internal."
id=20085 trace_id=6230 func=resolve_ip_tuple_fast line=2852 msg="Find an existing session, id-000b33ee, original direction"
id=20085 trace_id=6231 func=resolve_ip_tuple_fast line=2825 msg="vd-root received a packet(proto=6, 192.168.10.16:41871->87.238.54.158:80) from internal."
id=20085 trace_id=6231 func=resolve_ip_tuple line=2924 msg="allocate a new session-000b33f9"
id=20085 trace_id=6231 func=vf_ip4_route_input line=1597 msg="find a route: gw-195.1.208.57 via wan1"
id=20085 trace_id=6231 func=get_new_addr line=1240 msg="find SNAT: IP-195.1.208.62, port-38704"
id=20085 trace_id=6231 func=fw_forward_handler line=320 msg="Allowed by Policy-1: AV SNAT"
id=20085 trace_id=6232 func=resolve_ip_tuple_fast line=2825 msg="vd-root received a packet(proto=6, 192.168.10.16:41871->87.238.54.158:80) from internal."
id=20085 trace_id=6232 func=resolve_ip_tuple_fast line=2852 msg="Find an existing session, id-000b33f9, original direction"
id=20085 trace_id=6233 func=resolve_ip_tuple_fast line=2825 msg="vd-root received a packet(proto=6, 192.168.10.16:41871->87.238.54.158:80) from internal."
id=20085 trace_id=6233 func=resolve_ip_tuple_fast line=2852 msg="Find an existing session, id-000b33f9, original direction"
id=20085 trace_id=6234 func=resolve_ip_tuple_fast line=2825 msg="vd-root received a packet(proto=6, 192.168.10.16:41871->87.238.54.158:80) from local."
id=20085 trace_id=6234 func=resolve_ip_tuple_fast line=2852 msg="Find an existing session, id-000b33f9, original direction"
id=20085 trace_id=6234 func=__ip_session_run_tuple line=1563 msg="SNAT 192.168.10.16->195.1.208.62:38704"
id=20085 trace_id=6235 func=resolve_ip_tuple_fast line=2825 msg="vd-root received a packet(proto=6, 192.168.10.16:41871->87.238.54.158:80) from local."
id=20085 trace_id=6235 func=resolve_ip_tuple_fast line=2852 msg="Find an existing session, id-000b33f9, original direction"
id=20085 trace_id=6235 func=__ip_session_run_tuple line=1563 msg="SNAT 192.168.10.16->195.1.208.62:38704"
id=20085 trace_id=6236 func=resolve_ip_tuple_fast line=2825 msg="vd-root received a packet(proto=6, 192.168.10.16:41871->87.238.54.158:80) from local."
id=20085 trace_id=6236 func=resolve_ip_tuple_fast line=2852 msg="Find an existing session, id-000b33f9, original direction"
id=20085 trace_id=6236 func=__ip_session_run_tuple line=1563 msg="SNAT 192.168.10.16->195.1.208.62:38704"
id=20085 trace_id=6237 func=resolve_ip_tuple_fast line=2825 msg="vd-root received a packet(proto=6, 192.168.10.16:41871->87.238.54.158:80) from local."
id=20085 trace_id=6237 func=resolve_ip_tuple_fast line=2852 msg="Find an existing session, id-000b33f9, original direction"
id=20085 trace_id=6237 func=__ip_session_run_tuple line=1563 msg="SNAT 192.168.10.16->195.1.208.62:38704"
id=20085 trace_id=6238 func=resolve_ip_tuple_fast line=2825 msg="vd-root received a packet(proto=6, 192.168.10.16:41871->87.238.54.158:80) from local."
id=20085 trace_id=6238 func=resolve_ip_tuple_fast line=2852 msg="Find an existing session, id-000b33f9, original direction"
id=20085 trace_id=6238 func=__ip_session_run_tuple line=1563 msg="SNAT 192.168.10.16->195.1.208.62:38704"
id=20085 trace_id=6239 func=resolve_ip_tuple_fast line=2825 msg="vd-root received a packet(proto=6, 192.168.10.16:41871->87.238.54.158:80) from internal."
id=20085 trace_id=6239 func=resolve_ip_tuple_fast line=2852 msg="Find an existing session, id-000b33f9, original direction"
id=20085 trace_id=6240 func=resolve_ip_tuple_fast line=2825 msg="vd-root received a packet(proto=6, 192.168.10.16:41871->87.238.54.158:80) from internal."
id=20085 trace_id=6240 func=resolve_ip_tuple_fast line=2852 msg="Find an existing session, id-000b33f9, original direction"
id=20085 trace_id=6241 func=resolve_ip_tuple_fast line=2825 msg="vd-root received a packet(proto=6, 192.168.10.16:41871->87.238.54.158:80) from local."
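
Reading a long flow trace by eye is slow because one packet produces several lines and the lines of different packets are interleaved. As an added example (not part of the original page), the Python script below groups trace lines by trace_id and pulls out the decisions that matter when troubleshooting: which packet was received on which interface, whether a session was allocated or found, the route, the SNAT address chosen and the policy verdict. The sample lines are taken from the trace shown above (trace_id 6228, 6231 and 6232); the parse_trace, summarize and policy_decisions helpers are the example's own, not FortiOS commands, and the message patterns they recognise are only the ones that appear in that trace.

```python
import re
from typing import Dict, List

# Sample lines in the shape of "diag debug flow trace" output, taken from the trace above
# and embedded so the script runs offline.
SAMPLE = """\
id=20085 trace_id=6228 func=resolve_ip_tuple_fast line=2852 msg="Find an existing session, id-000b33ee, original direction"
id=20085 trace_id=6228 func=__ip_session_run_tuple line=1563 msg="SNAT 192.168.10.230->195.1.208.62:38698"
id=20085 trace_id=6231 func=resolve_ip_tuple_fast line=2825 msg="vd-root received a packet(proto=6, 192.168.10.16:41871->87.238.54.158:80) from internal."
id=20085 trace_id=6231 func=resolve_ip_tuple line=2924 msg="allocate a new session-000b33f9"
id=20085 trace_id=6231 func=vf_ip4_route_input line=1597 msg="find a route: gw-195.1.208.57 via wan1"
id=20085 trace_id=6231 func=get_new_addr line=1240 msg="find SNAT: IP-195.1.208.62, port-38704"
id=20085 trace_id=6231 func=fw_forward_handler line=320 msg="Allowed by Policy-1: AV SNAT"
id=20085 trace_id=6232 func=resolve_ip_tuple_fast line=2825 msg="vd-root received a packet(proto=6, 192.168.10.16:41871->87.238.54.158:80) from internal."
id=20085 trace_id=6232 func=resolve_ip_tuple_fast line=2852 msg="Find an existing session, id-000b33f9, original direction"
"""

LINE_RE = re.compile(
    r'id=(?P<id>\d+) trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=(?P<line>\d+) msg="(?P<msg>.*)"$'
)
PKT_RE = re.compile(
    r"received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)->"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<iface>\S+)\."
)
NEW_SESSION_RE = re.compile(r"allocate a new session-(?P<sid>[0-9a-f]+)")
EXISTING_SESSION_RE = re.compile(r"Find an existing session, id-(?P<sid>[0-9a-f]+)")
ROUTE_RE = re.compile(r"find a route: gw-(?P<gw>[\d.]+) via (?P<iface>\S+)")
SNAT_RE = re.compile(r"find SNAT: IP-(?P<ip>[\d.]+), port-(?P<port>\d+)")
POLICY_RE = re.compile(r"Policy-(?P<pid>\d+)")


def parse_trace(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Group trace lines by trace_id; one trace_id is one packet's walk through the kernel."""
    traces: Dict[str, List[Dict[str, str]]] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:                                   # anything else (prompts, blank lines) is skipped
            traces.setdefault(m["trace"], []).append(m.groupdict())
    return traces


def summarize(trace_id: str, events: List[Dict[str, str]]) -> Dict[str, object]:
    """Extract the decisions a troubleshooter cares about from one packet's events."""
    s: Dict[str, object] = {"trace_id": trace_id, "packet": None, "session": None,
                            "new_session": False, "route": None, "snat": None,
                            "verdict": None, "policy_id": None}
    for ev in events:
        msg = ev["msg"]
        if m := PKT_RE.search(msg):
            s["packet"] = m.groupdict()
        elif m := NEW_SESSION_RE.search(msg):
            s["session"], s["new_session"] = m["sid"], True
        elif m := EXISTING_SESSION_RE.search(msg):
            s["session"] = m["sid"]
        elif m := ROUTE_RE.search(msg):
            s["route"] = f"{m['gw']} via {m['iface']}"
        elif m := SNAT_RE.search(msg):
            s["snat"] = f"{m['ip']}:{m['port']}"
        elif ev["func"] == "fw_forward_handler":
            # policy decision; only the first packet of a session goes through it
            s["verdict"] = msg
            if pm := POLICY_RE.search(msg):
                s["policy_id"] = int(pm["pid"])
    return s


def policy_decisions(text: str) -> List[Dict[str, object]]:
    """Only the traces that allocated a session, i.e. the packets that hit policy lookup."""
    out = []
    for tid, events in parse_trace(text).items():
        s = summarize(tid, events)
        if s["new_session"]:
            out.append(s)
    return out


if __name__ == "__main__":
    for d in policy_decisions(SAMPLE):
        p = d["packet"]
        print(f"trace {d['trace_id']}: {p['src']}:{p['sport']}->{p['dst']}:{p['dport']} "
              f"from {p['iface']} session {d['session']} route {d['route']} "
              f"snat {d['snat']} -> {d['verdict']}")
```

Packets whose trace has a "packet" but neither a session nor a verdict are the interesting ones when something is silently dropped; with a real trace, print those rather than the allowed ones.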

VLAN on "small" boxes

The GUI on "small" FortiGates does not show the option to create a VLAN.

Here is how to do it in the CLI:

config system interface
edit <vlannavn>
set type vlan
set vlanid <ID>
set interface <interface>
set allowaccess https
next
end

Continue the configuration in the GUI.

Updating firmware from the console

This can be relevant if the "box" does not come up the normal way.

The normal procedure is:

  1. You need a TFTP server available, e.g. the 3Com TFTP server from http://support.3com.com/software/utilities_for_windows_32_bit.htm
  2. Download the new firmware from http://support.fortinet.com
  3. Connect to the console port, see Console port setup
  4. Connect the power
  5. Interrupt the boot when the text "Press any key to display configuration menu…" appears.
  6. Format the boot device (choose F, then Y)
  7. Then choose G (Get firmware image from TFTP server). Enter the parameters.

This can look like this:

FGT50B3G07501104 login: FGT50B (11:04-02.28.2007)
 Ver:04000007
 Serial number:FGT50B3G07505588
 RAM activation
 Total RAM: 256MB
 Enabling cache…Done.
 Scanning PCI bus…Done.
 Allocating PCI resources…Done.
 Enabling PCI resources…Done.
 Zeroing IRQ settings…Done.
 Verifying PIRQ tables…Done.
 Enabling Interrupts…Done.
 Boot up, boot device capacity: 64MB.
 Press any key to display configuration menu…
 ……
 [G]:  Get firmware image from TFTP server.
 [F]:  Format boot device.
 [I]:  Configuration and information.
 [Q]:  Quit menu and continue to boot with default firmware.
 [H]:  Display this list of options.
 Enter Selection [G]:
 Enter G,F,I,Q,or H:
 All data will be erased,continue:[Y/N]?
 Formatting boot device…
 …………………………..
 Format boot device completed.
 Enter G,F,I,Q,or H:
 Please connect TFTP server to Ethernet port "3".
 Enter TFTP server address [192.168.1.168]: 192.168.10.104
 Enter local address [192.168.1.188]: 192.168.10.254
 Enter firmware image file name [image.out]: FGT_50B-v300-build0730-FORTINET.out
 MAC:00090F72237F
 #
 Total 14859152 bytes data downloaded.
 Verifying the integrity of the firmware image.
 Total 28288kB unzipped.
 Save as Default firmware/Run image without saving:[D/R]?d
 Programming the boot device now.
 ………………………
 Reading boot image 1304129 bytes.
 Initializing firewall…

Console port setup

How do you connect to the console port on a FortiGate firewall or FortiSwitch?

Use the following settings (in PuTTY, HyperTerminal or e.g. minicom) when using the console port on a FortiGate:

  • Speed: 9600 (on some newer FortiSwitches you should use 115200)
  • Data bits: 8
  • Parity: none
  • Stop bits: 1
  • Hardware flow control: no

PuTTY is very easy to use.