Let's see how to monitor for and clear a specific session.
Using the same flow from the last post, Logs and Debugs, let's find the session and then clear it.
FG1 (VDOM1) # diagnose sys session filter clear
FG1 (VDOM1) # diagnose sys session filter src 192.168.250.50
FG1 (VDOM1) # diagnose sys session filter dst 192.168.100.220
FG1 (VDOM1) # diagnose sys session list
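The commands above set the filter and list the matches but stop short of the clear step. Below is the full filter / list / clear cycle as an added example; it is not part of the original post. The addresses are the post's own; the extra dport and proto filter lines and the final verification are my additions, and the one thing to remember is that "diagnose sys session clear" acts on whatever the current filter is, so an empty filter flushes every session in the VDOM.

```fortios
# Added example (not from the original post): filter, inspect, clear, verify.

# Start from a clean filter, then narrow to the single SSH flow we care about.
diagnose sys session filter clear
diagnose sys session filter src 192.168.250.50
diagnose sys session filter dst 192.168.100.220
diagnose sys session filter dport 22
diagnose sys session filter proto 6

# Print the filter before acting on it. An EMPTY filter followed by
# "session clear" removes every session in this VDOM, not just one flow.
diagnose sys session filter

# Inspect the matching entries: policy_id, state, expire timer and serial
# (the serial allocated in the flow trace, 00018033, should show up here).
diagnose sys session list

# Clear only the sessions matching the filter. The client then has to set up
# a new TCP connection, which is what we want when a stale session is being
# matched instead of a freshly changed policy or route.
diagnose sys session clear

# Confirm it is gone, then drop the filter so later commands are not scoped.
diagnose sys session list
diagnose sys session filter clear
```

Clearing a session is also the quickest way to make a policy change take effect for a connection that was already established before the change, because an existing session keeps its original verdict until it expires.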
FortinetNotes
Notes and thoughts on Fortinet
Sunday, May 31, 2020
Logs and Debugs.
In this post we will look at log entries via the CLI along with some more debugging.
We will be trying to SSH from VDOM1 IP 192.168.250.50 to a device in the root VDOM on IP 192.168.100.220.
The connection is failing. Below are a few things to look at when troubleshooting this scenario.
CHECK DEBUG FLOW FILTER.
FG1 (VDOM1) # diagnose debug flow filter saddr 192.168.250.50
FG1 (VDOM1) # diagnose debug flow filter daddr 192.168.100.220
FG1 (VDOM1) # diagnose debug enable
FG1 (VDOM1) # diagnose debug flow trace start
FG1 (VDOM1) # id=20085 trace_id=1 func=print_pkt_detail line=5517 msg="vd-VDOM1:0 received a packet(proto=6, 192.168.250.50:49988->192.168.100.220:22) from port4. flag [S], seq 2872570577, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5682 msg="allocate a new session-00018033"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-10.1.1.1 via IVL_VDOM1"
id=20085 trace_id=1 func=fw_forward_handler line=753 msg="Allowed by Policy-3:"
FG1 (VDOM1) #
Looks good from a routing and policy perspective in VDOM1.
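The trace shows the packet allowed by Policy-3 and routed into the inter-VDOM link IVL_VDOM1, so VDOM1 is not where it dies. Below is the same debug flow procedure, as an added example that is not from the original post, with the housekeeping the post leaves out (a bounded packet count, timestamps, and stopping the debug afterwards) and the natural next step of running the identical filter in the root VDOM. Addresses and VDOM names are the post's; the packet count of 100 and the dport filter are my additions.

```fortios
# Added example (not from the original post): bounded, timestamped flow trace
# in VDOM1, clean shutdown, then the same trace on the other side of the IVL.

# In VDOM1: clear any old filter, set ours, and start the trace for a fixed
# number of packets so it stops by itself instead of flooding the console.
diagnose debug flow filter clear
diagnose debug flow filter saddr 192.168.250.50
diagnose debug flow filter daddr 192.168.100.220
diagnose debug flow filter dport 22
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug flow trace start 100

# ... reproduce the SSH attempt from 192.168.250.50 and read the trace ...

# Always stop the trace and disable debug when done. A forgotten debug keeps
# burning CPU and spills output into every later CLI session on the unit.
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug disable
diagnose debug reset

# Traffic left VDOM1 via IVL_VDOM1, so the next place it can be dropped is the
# root VDOM. Leave VDOM1 and repeat the filter there; a drop will appear in
# that VDOM's trace with the reason (policy, route or reverse-path check).
end
config vdom
    edit root
        diagnose debug flow filter clear
        diagnose debug flow filter saddr 192.168.250.50
        diagnose debug flow filter daddr 192.168.100.220
        diagnose debug flow filter dport 22
        diagnose debug enable
        diagnose debug flow trace start 100
    end
```

Run the second half in its own session if you want to keep the VDOM1 trace on screen; the filter is per VDOM, so setting it in root does not disturb what you configured in VDOM1.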
Tuesday, April 28, 2020
Packet Capture and Debugs
In this post I will just show some examples of packet captures and debugs for reference.
Generally speaking, we use the packet capture command "diagnose sniffer packet" when we want to see traffic arriving at or leaving the firewall.
If traffic is coming in but not going out of the firewall, we use "diagnose debug flow" to see how the FortiGate is processing a packet and why it might be dropped.
PACKET CAPTURE
Let's do an identical packet capture and see what the different verbosity levels give us.
Verbosity level options:
FG1 # diagnose sniffer packet port2 'host 52.52.208.2 and tcp port 443'
<verbose>
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name
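The verbosity number is only the third argument. As an added example that is not part of the original post, here is the full argument list with the count and timestamp options, using the post's interface and filter; the count values and the "any" interface variant are my additions.

```fortios
# Added example (not from the original post): full sniffer syntax.
#
#   diagnose sniffer packet <interface> '<bpf filter>' <verbose> <count> <tsformat>
#   <count>    stop after N packets (0 = run until Ctrl-C)
#   <tsformat> a = absolute UTC timestamps, l = absolute local time
#              (leave it off and you get seconds since the capture started,
#               which is hard to line up with syslog or the far end of a call)

# Headers with interface name, local-time timestamps, stop after 20 packets.
diagnose sniffer packet port2 'host 52.52.208.2 and tcp port 443' 4 20 l

# Same flow on every interface, so you see it both entering and leaving the
# box. Use "any" when you are not sure which interface carries the reply;
# the interface column in verbose 4/5/6 output then tells you.
diagnose sniffer packet any 'host 52.52.208.2 and tcp port 443' 4 20 l

# Full Ethernet frame in hex plus interface names, UTC timestamps. Save this
# output to a file and convert it with Fortinet's fgt2eth script to get a
# pcap you can open in Wireshark.
diagnose sniffer packet any 'host 52.52.208.2 and tcp port 443' 6 20 a
```

One caveat on units with NP processors: once a session is offloaded to hardware the sniffer only sees the packets that set the session up, so a capture that shows the handshake and then goes quiet is not proof of a drop. Temporarily set "set auto-asic-offload disable" on the matching firewall policy while you capture, and put it back afterwards.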
Backup
In this post we will take some backups via the CLI on the FortiGate and then do a restore.
We will try with FTP/TFTP and SCP.
First, let's see what options we have with the execute backup command.
FG1 # execute backup
config config
disk disk
full-config full-config
ipsuserdefsig ipsuserdefsig
memory memory
FG1 #
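Of the options listed, "config" and "full-config" are the ones you want for a restorable copy. The TFTP and FTP forms are shown below as an added example that is not from the original post (the SCP variant is not covered here). The server address re-uses the syslog host from the other post; the file names, FTP credentials and backup password are placeholders I chose. The argument that matters for security is the optional backup password: without it the file travels and sits on the server in the clear, hashed admin passwords, PSKs and all.

```fortios
# Added example (not from the original post): TFTP/FTP backup and restore.

# Plain TFTP backup. TFTP has no authentication and no encryption, so only do
# this across a management network you trust, and prefer the encrypted form.
execute backup config tftp fg1-backup.conf 192.168.100.200

# Same backup with a backup password: the file is encrypted and can only be
# restored with that password. Keep the password with the backup, not in it.
execute backup config tftp fg1-backup.enc 192.168.100.200 S3cret-Backup-Pass

# full-config writes every default value too, which makes a diff between two
# units or two dates much easier to read.
execute backup full-config tftp fg1-full.conf 192.168.100.200

# FTP form: <filename> <server> <ftp-user> <ftp-password> [<backup-password>]
execute backup config ftp fg1-backup.enc 192.168.100.200 ftpuser ftppass S3cret-Backup-Pass

# Restore. The unit reboots on success; an encrypted file needs the same
# password it was written with.
execute restore config tftp fg1-backup.enc 192.168.100.200 S3cret-Backup-Pass
```

After a restore, check "get system status" for the expected config version and confirm you can still log in before you walk away, since a restored admin password is whatever was in the backup, not what is in your head.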
Sunday, April 26, 2020
Syslog
This post will show how to get syslog messages from a FortiGate into a syslog server.
In this case I am using Splunk free for the syslog.
Our syslog server is running on 192.168.100.200 on UDP port 1514.
If you enable syslog in the GUI you don't get many choices.
However, if we look in the CLI we will see a lot more options to configure.
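The CLI side of that, as an added example that is not from the original post: the syslogd setting and filter blocks for the server above, plus a way to prove messages actually leave the box. Server and port are the post's; the facility, severity and source-ip values are my choices (the source address is a placeholder, use the FortiGate interface facing the server), and the syntax is FortiOS 6.x.

```fortios
# Added example (not from the original post): syslog to 192.168.100.200:1514/udp.

config log syslogd setting
    set status enable
    set server "192.168.100.200"
    set mode udp
    set port 1514
    set facility local7
    set format default
    set source-ip 192.168.100.1
end

# Severity is a threshold. "information" sends traffic logs as well;
# "warning" limits it to events worth alerting on.
config log syslogd filter
    set severity information
end

# Verify: generate test log messages, then watch them leave toward the server
# (same sniffer syntax as the Packet Capture post, five packets, local time).
diagnose log test
diagnose sniffer packet any 'host 192.168.100.200 and udp port 1514' 4 5 l
```

Plain UDP syslog is unauthenticated, unencrypted and lossy, which is fine in a lab but not for logs you may need as evidence. The same "config log syslogd setting" block also has a "mode" option for reliable (TCP) delivery and, on releases of that era and later, TLS-related options; which of those are present depends on your FortiOS version, so check with "set mode ?" on your unit.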
Friday, April 24, 2020
DHCP
In this post we will see how to configure a basic DHCP scope so the FortiGate acts as a DHCP server for a local interface, and how to monitor the assignments and check the leases.
First let's note we have no DHCP config. We will configure it for port2.
FG1 (server) # show
config system dhcp server
end
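Starting from that empty table, here is a complete scope for port2 together with the commands used to watch it work. This is an added example, not from the original post: the interface is the post's, while the 192.168.20.0/24 subnet, gateway, lease time and the reserved MAC address are placeholders I picked, and port2 must already carry 192.168.20.1/24 for the scope to be accepted.

```fortios
# Added example (not from the original post): DHCP server on port2.

config system dhcp server
    edit 1
        set status enable
        set interface "port2"
        set default-gateway 192.168.20.1
        set netmask 255.255.255.0
        set lease-time 86400
        set dns-service default
        config ip-range
            edit 1
                set start-ip 192.168.20.100
                set end-ip 192.168.20.199
            next
        end
        config reserved-address
            edit 1
                set ip 192.168.20.50
                set mac 00:11:22:33:44:55
            next
        end
    next
end

# Confirm what was written, then watch clients pick up leases.
show system dhcp server
execute dhcp lease-list port2

# If a client is not getting an address, trace the DHCP server daemon itself
# and disable the debug again when done.
diagnose debug application dhcps -1
diagnose debug enable
diagnose debug disable
diagnose debug reset
```

"dns-service default" hands out the FortiGate's own system DNS servers; use "specify" with dns-server1 if clients should get different resolvers than the firewall uses. The reserved-address entry keeps a host such as a printer or a server on a fixed address without taking it out of the scope.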
NTP
In this post we will set NTP and the timezone for our FortiGate.
CONFIGURE NTP
First, let's see the current NTP config.
FG1 # show system ntp
config system ntp
set ntpsync enable
end
FG1 # show full-configuration system ntp
config system ntp
set ntpsync enable
set type fortiguard
set syncinterval 60
set source-ip 0.0.0.0
set source-ip6 ::
set server-mode disable
end
Find a suitable public NTP server and confirm reachability. In this case Google.
FG1 # execute ping time.google.com
PING time.google.com (216.239.35.8): 56 data bytes
64 bytes from 216.239.35.8: icmp_seq=0 ttl=43 time=142.7 ms
64 bytes from 216.239.35.8: icmp_seq=1 ttl=43 time=142.7 ms
64 bytes from 216.239.35.8: icmp_seq=2 ttl=43 time=142.2 ms
64 bytes from 216.239.35.8: icmp_seq=3 ttl=43 time=142.6 ms
64 bytes from 216.239.35.8: icmp_seq=4 ttl=43 time=143.0 ms
--- time.google.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 142.2/142.6/143.0 ms
FG1 #
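With reachability confirmed, the remaining step is to point the unit at that server and set the timezone. The following is an added example that is not from the original post. The server name is the one pinged above; the timezone index is a placeholder (04 is Pacific Time in the FortiOS 6.x index list, and newer releases take a name instead, so check "set timezone ?" on your unit), and the server-mode lines at the end are an optional addition.

```fortios
# Added example (not from the original post): custom NTP server and timezone.

# Switch from the fortiguard default to an explicit server list.
config system ntp
    set ntpsync enable
    set type custom
    set syncinterval 60
    config ntpserver
        edit 1
            set server "time.google.com"
        next
    end
end

# Timezone lives under system global, not under system ntp.
config system global
    set timezone 04
end

# Verify synchronization and the resulting local time.
diagnose sys ntp status
execute date
execute time

# Optional: let internal hosts on port2 sync from the FortiGate instead of
# each reaching out to the internet on its own.
config system ntp
    set server-mode enable
    set interface "port2"
end
```

Accurate time matters beyond log cosmetics: the syslog post relies on FortiGate timestamps matching the Splunk host, and any incident timeline that spans devices falls apart when one of them drifts. Plain NTP is unauthenticated, so where it counts configure more than one server and, if your servers support it, the authentication and key settings available under each ntpserver entry.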