04 Feb 2011

Fortinet Console Commands

 

Console Commands That Can Be Used on Fortinet Devices

The purpose and function of the commands that can be used over SSH or TELNET on the Fortinet interface are described below.

Fortinet Interface SSH/TELNET Commands

diagnose sniffer packet any "host 213.199.186.202" 4

diagnose sniffer packet port1 "tcp and port 514 and host 10.1.2.2" 4

Output of the first command:

interfaces=[any]
filters=[host 213.199.186.202]
7.034907 port2 in 10.0.0.106.1421 -> 213.199.186.202.80: syn 2279801009
7.035372 port2 out 213.199.186.202.80 -> 10.0.0.106.1421: syn 89562169 ack 2279801010
7.035379 eth0 out 213.199.186.202.80 -> 10.0.0.106.1421: syn 89562169 ack 2279801010
7.036228 port2 in 10.0.0.106.1421 -> 213.199.186.202.80: ack 89562170
7.036656 wan1 out 91.93.143.15.37637 -> 213.199.186.202.80: syn 3514595903
7.036855 port2 in 10.0.0.106.1421 -> 213.199.186.202.80: psh 2279801010 ack 89562170
7.037625 port2 out 213.199.186.202.80 -> 10.0.0.106.1421: ack 2279802384

Debug Flow

 

dia debug flow filter
dia debug flow show console enable
dia debug flow show function-name enable
dia debug flow trace start 1000
dia debug enable

Type ? after filter to see what you can filter on.
dia debug flow trace start 1000 means "show 1000 records".

diagnose sniffer packet "wan2" 'port 80'
diagnose sniffer packet "wan2" 'port 110'
diagnose sniffer packet "wan2" 'port 25'

 
diagnose sys top

Run Time: 3 days, 15 hours and 43 minutes
3U, 4S, 92I; 1009T, 636F, 205KF
ipsengine 54 S < 2.3 6.4
scanunitd 18240 S < 0.9 1.3
thttp 47 S 0.7 7.4
urlfilter 55 S 0.3 2.3
miglogd 32 S 0.3 1.2
httpsd 63 S 0.0 2.0
httpsd 78 S 0.0 1.9
cmdbsvr 21 S 0.0 1.6
httpsd 33 S 0.0 1.4
newcli 14260 R 0.0 1.2
newcli 14257 S 0.0 1.2
fgfmd 5134 S 0.0 1.2
cw_acd 74 S 0.0 1.1
sslvpnd 61 S 0.0 1.1
merged_daemons 49 S 0.0 1.0
authd 58 S 0.0 1.0
fdsmgmtd 65 S 0.0 1.0
scanunitd 28064 S < 0.0 1.0
iked 62 S 0.0 1.0
 
get sys performance status

CPU states: 10% user 1% system 0% nice 89% idle
Memory states: 32% used
Average network usage: 5524 kbps in 1 minute, 4357 kbps in 10 minutes, 2957 kbps in 30 minutes
Average sessions: 1713 sessions in 1 minute, 1644 sessions in 10 minutes, 1639 sessions in 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 3 days, 15 hours, 45 minutes
diagnose hardware deviceinfo nic port2
diagnose hardware deviceinfo nic port10

This command shows the status of the NIC.

diagnose hardware deviceinfo nic port2
Description bcm_sw Ethernet driver1.0
System_Device_Name port2
io_base f040
cpu_port 25
vlanid 3
member_map 0x00000002
num_ports 1
cfg 1-0xa1
Current_HWaddr 00:09:0f:c4:83:e9
Permanent_HWaddr 00:09:0f:c4:83:e9
State up
Link up
Speed 100
Duplex full
Rx_Packets 27717912
Tx_Packets 37159691
Rx_Bytes 4975581572
Tx_Bytes 27869540568

dia sys session clear
Used to clear the sessions of one user or all sessions.

dia sys session filter src 10.1.0.23
With this filter set first, dia sys session clear removes only the sessions of this IP.

execute dhcp lease-clear
To clear the user list on the FortiGate DHCP server, run this command. It clears the client list on the DHCP server, and the clients will then need to renew their IP addresses.

To see a tcpdump-style view of traffic flowing through a FortiGate, the diagnose sniffer command can be used from the CLI. The command syntax:

diagnose sniffer packet {interface | any} 'net z.z.z.z/p and/or host x.x.x.x and/or port yyy' [options]

You can narrow your search by filtering on any of the following:

net/prefix : print a whole netblock
host : print only one host
port : print only a specific port number
and/or : allows additional options

The options field at the end takes one of the following values:
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name

Option 4 is particularly useful, in that it shows the associated interface for the directional traffic.

diagnose sniffer packet any 'net 10.0.0.0/8 and host 172.16.16.14 and port 3389'

diagnose sniffer packet any 'host 10.4.131.97 and host 172.16.16.14 and port 3389' 4
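
An added example (not part of the original post): a small Python parser for option 4 sniffer output that lists, per address/port tuple, the interfaces and directions a packet was seen on. It reuses the capture lines from the top of this page; the function names are this example's own, and it assumes IPv4 lines in the format shown.

```python
import re
from collections import defaultdict

# Packet lines copied from the option 4 capture shown earlier on this page.
SAMPLE = """\
7.034907 port2 in 10.0.0.106.1421 -> 213.199.186.202.80: syn 2279801009
7.035372 port2 out 213.199.186.202.80 -> 10.0.0.106.1421: syn 89562169 ack 2279801010
7.035379 eth0 out 213.199.186.202.80 -> 10.0.0.106.1421: syn 89562169 ack 2279801010
7.036228 port2 in 10.0.0.106.1421 -> 213.199.186.202.80: ack 89562170
7.036656 wan1 out 91.93.143.15.37637 -> 213.199.186.202.80: syn 3514595903
7.036855 port2 in 10.0.0.106.1421 -> 213.199.186.202.80: psh 2279801010 ack 89562170
7.037625 port2 out 213.199.186.202.80 -> 10.0.0.106.1421: ack 2279802384
"""

# timestamp, interface, direction, src ip.port -> dst ip.port: flags and numbers
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<info>.*)$")

def parse(text):
    """Yield one dict per packet line; header lines (interfaces=, filters=) are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            pkt = m.groupdict()
            pkt["ts"] = float(pkt["ts"])
            pkt["flags"] = [w for w in pkt["info"].split() if not w.isdigit()]
            yield pkt

def paths(text):
    """Map each (src, sport, dst, dport) to the ordered (interface, direction) hops seen."""
    seen = defaultdict(list)
    for p in parse(text):
        hop = (p["intf"], p["dir"])
        key = (p["src"], int(p["sport"]), p["dst"], int(p["dport"]))
        if hop not in seen[key]:
            seen[key].append(hop)
    return dict(seen)

def ingress_only(text):
    """Tuples seen entering but never leaving with the same addresses:
    dropped, or rewritten (NAT/proxy) before egress."""
    return [k for k, hops in paths(text).items()
            if all(d == "in" for _, d in hops)]
```

On the sample, the client tuple 10.0.0.106:1421 -> 213.199.186.202:80 appears only as "port2 in", while a connection from 91.93.143.15 leaves on wan1. That interface-and-direction detail is what option 4 adds over option 1.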

For the command list, type ? at the console and you get the list shown below.

config ?   lists what can be run under config
diag ?     lists what can be run under diag
get ?      lists what can be run under get

config      config object
get         get dynamic and system information
show        show configuration
diagnose    diagnose facility
execute     execute static commands
exit        exit CLI