Sunday, May 31, 2020

Sessions

Let's see how to monitor for and clear a specific session.

Using the same flow from the last post, Logs and Debugs, let's find the session and then clear it.

FG1 (VDOM1) # diagnose sys session filter clear

FG1 (VDOM1) # diagnose sys session filter src 192.168.250.50

FG1 (VDOM1) # diagnose sys session filter dst 192.168.100.220

FG1 (VDOM1) # diagnose sys session list

Logs and Debugs

In this post we will look at log entries via the CLI along with some more debugging.

We will be trying to ssh from VDOM1 IP 192.168.250.50 to a device in the root VDOM on IP 192.168.100.220.

The connection is failing. Below are a few things to look at when troubleshooting this scenario.

CHECK DEBUG FLOW FILTER.

FG1 (VDOM1) # diagnose debug flow filter saddr 192.168.250.50

FG1 (VDOM1) # diagnose debug flow filter daddr 192.168.100.220

FG1 (VDOM1) # diagnose debug enable

FG1 (VDOM1) # diagnose debug flow trace start

FG1 (VDOM1) # id=20085 trace_id=1 func=print_pkt_detail line=5517 msg="vd-VDOM1:0 received a packet(proto=6, 192.168.250.50:49988->192.168.100.220:22) from port4. flag [S], seq 2872570577, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5682 msg="allocate a new session-00018033"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-10.1.1.1 via IVL_VDOM1"
id=20085 trace_id=1 func=fw_forward_handler line=753 msg="Allowed by Policy-3:"

FG1 (VDOM1) #


Looks good from a routing and policy perspective in VDOM1.
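Reading these trace lines by eye works for one session, but a filter that matches a busy flow produces many of them. The following parser is an added example (not part of the original post or of FortiOS) that turns the `id=... trace_id=... func=... msg="..."` lines above into a per-trace summary: the 5-tuple and ingress interface from `print_pkt_detail`, the session id, the route and egress interface, and the policy verdict. The sample input is the trace from this post, copied as the FortiGate printed it, prompt included; the prompt-stripping and the `Denied` branch are assumptions about other output the page does not show.

```python
import re
from typing import Dict, Optional

# Constructed sample input: the trace lines from the post above, copied as the
# FortiGate printed them, including the CLI prompt glued to the first line.
SAMPLE_TRACE = """\
FG1 (VDOM1) # id=20085 trace_id=1 func=print_pkt_detail line=5517 msg="vd-VDOM1:0 received a packet(proto=6, 192.168.250.50:49988->192.168.100.220:22) from port4. flag [S], seq 2872570577, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5682 msg="allocate a new session-00018033"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-10.1.1.1 via IVL_VDOM1"
id=20085 trace_id=1 func=fw_forward_handler line=753 msg="Allowed by Policy-3:"
"""

PROMPT_RE = re.compile(r'^\S+(?: \([^)]*\))? # ')   # 'FG1 (VDOM1) # ' or 'FG1 # ' (assumed prompt shape)
TOKEN_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')     # key=value or key="quoted value"
PKT_RE = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\.')
SESSION_RE = re.compile(r'session-(\w+)')
ROUTE_RE = re.compile(r'gw-([\d.]+) via (\S+)')
POLICY_RE = re.compile(r'(Allowed|Denied) by Policy-(\d+)')   # 'Denied' wording is an assumption
PROTO_NAMES = {'1': 'icmp', '6': 'tcp', '17': 'udp'}

SUMMARY_KEYS = ('proto', 'src', 'sport', 'dst', 'dport', 'ingress',
                'session', 'gateway', 'egress', 'verdict', 'policy')


def parse_trace_line(line: str) -> Dict[str, str]:
    """Split one trace line into its key=value fields; the quoted msg stays intact."""
    fields: Dict[str, str] = {}
    for m in TOKEN_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def summarize_trace(text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Group trace lines by trace_id and extract the facts a troubleshooter wants:
    who sent what to whom on which interface, which session was allocated,
    where it was routed, and which policy allowed or denied it."""
    traces: Dict[str, Dict[str, Optional[str]]] = {}
    for raw in text.splitlines():
        line = PROMPT_RE.sub('', raw.strip())
        fields = parse_trace_line(line)
        tid = fields.get('trace_id')
        if tid is None:
            continue                                   # blank line, bare prompt, etc.
        t = traces.setdefault(tid, {k: None for k in SUMMARY_KEYS})
        msg = fields.get('msg', '')
        if m := PKT_RE.search(msg):
            t.update(proto=PROTO_NAMES.get(m[1], m[1]), src=m[2], sport=m[3],
                     dst=m[4], dport=m[5], ingress=m[6])
        elif m := SESSION_RE.search(msg):
            t['session'] = m[1]
        elif m := ROUTE_RE.search(msg):
            t['gateway'], t['egress'] = m[1], m[2]
        elif m := POLICY_RE.search(msg):
            t['verdict'], t['policy'] = m[1], m[2]
    return traces


def describe(t: Dict[str, Optional[str]]) -> str:
    """One-line human summary of a trace, e.g. for grepping across many traces."""
    return (f"{t['proto']} {t['src']}:{t['sport']} -> {t['dst']}:{t['dport']} "
            f"in {t['ingress']} session {t['session']} via {t['egress']} "
            f"gw {t['gateway']}: {t['verdict']} by policy {t['policy']}")


if __name__ == "__main__":
    for tid, t in summarize_trace(SAMPLE_TRACE).items():
        print(f"trace {tid}: {describe(t)}")
```

A trace with no `print_pkt_detail` line, or one that ends without a policy verdict, leaves the corresponding fields at `None`, which is itself useful: a missing route line or a `Denied` verdict on a trace is exactly the thing the filter is run to find.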

Tuesday, April 28, 2020

Packet Capture and Debugs

In this post I will just show some examples of packet captures and debugs for reference.

Generally speaking, we use the packet capture command "diagnose sniffer packet" when we want to see traffic coming into or going out of the firewall.

If some traffic is coming into the firewall but not coming out, we can use "debug flow filter" to see how the FortiGate is processing a packet and why it might be dropped.


PACKET CAPTURE

Let's do an identical packet capture and see what the different verbosity levels can give us.


Verbosity level options:

FG1 # diagnose sniffer packet port2 'host 52.52.208.2 and tcp port 443'
<verbose>
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name

Backup

In this post we will take some backups via the CLI on the Fortigate and then do a restore.

We will try with FTP/TFTP and SCP.

First, let's see what options we have with the execute backup command.

FG1 # execute backup
config           config
disk             disk
full-config      full-config
ipsuserdefsig    ipsuserdefsig
memory           memory

FG1 #

Sunday, April 26, 2020

Syslog

This post will show how to get syslog messages from a Fortigate into a syslog server.
In this case I am using Splunk free for the syslog.

Our syslog server is running on 192.168.100.200 on UDP port 1514.

If you enable syslog in the GUI you don't get many choices.


However, if we look in the CLI we will see a lot more options to configure.

Friday, April 24, 2020

DHCP

In this post we will see how to configure a basic DHCP scope to make the Fortigate a DHCP server for a local interface, and also how to monitor the assignments and check the leases.

First let's note we have no DHCP config. We will configure it for port2.

FG1 (server) # show
config system dhcp server
end

NTP

In this post we will set NTP and the timezone for our Fortigate.

CONFIGURE NTP

First, let's see the current NTP config.

FG1 # show system ntp
config system ntp
    set ntpsync enable
end

FG1 # show full-configuration system ntp
config system ntp
    set ntpsync enable
    set type fortiguard
    set syncinterval 60
    set source-ip 0.0.0.0
    set source-ip6 ::
    set server-mode disable
end



Find a suitable public NTP server and confirm reachability. In this case, Google's.

FG1 # execute ping time.google.com
PING time.google.com (216.239.35.8): 56 data bytes
64 bytes from 216.239.35.8: icmp_seq=0 ttl=43 time=142.7 ms
64 bytes from 216.239.35.8: icmp_seq=1 ttl=43 time=142.7 ms
64 bytes from 216.239.35.8: icmp_seq=2 ttl=43 time=142.2 ms
64 bytes from 216.239.35.8: icmp_seq=3 ttl=43 time=142.6 ms
64 bytes from 216.239.35.8: icmp_seq=4 ttl=43 time=143.0 ms

--- time.google.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 142.2/142.6/143.0 ms

FG1 #