Fortinet: Difference between revisions
From Cheatsheet
Jump to navigationJump to search
(Created page with "Cheatsheets == Links == * https://docs.fortinet.com/product/fortigate/6.4 * https://docs.fortinet.com/document/fortigate/6.4.7/administration-guide/954635/getting-started * https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/830108/ping-options-ping6-options == Checks == === Common === <syntaxhighlight lang="bash"> # Ping IP 8.8.8.8 execute ping 8.8.8.8 # Ping from a specific interface IP execute ping-options source 10.0.25.1 # P...") |
|||
| (3 intermediate revisions by the same user not shown) | |||
| Line 5: | Line 5: | ||
* https://docs.fortinet.com/document/fortigate/6.4.7/administration-guide/954635/getting-started | * https://docs.fortinet.com/document/fortigate/6.4.7/administration-guide/954635/getting-started | ||
* https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/830108/ping-options-ping6-options | * https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/830108/ping-options-ping6-options | ||
== CLI Configuration == | |||
'''Don't forget to enter the proper vDOM when applicable''' | |||
=== DHCP server === | |||
'''edit 0''' will cause the first available ID to be assigned to this range. | |||
<syntaxhighlight> | |||
config system dhcp server | |||
edit 0 | |||
set lease-time 86400 | |||
set default-gateway 192.168.20.1 | |||
set netmask 255.255.255.0 | |||
set interface "VDOM-LAN01" | |||
config ip-range | |||
edit 1 | |||
set start-ip 192.168.20.10 | |||
set end-ip 192.168.20.254 | |||
next | |||
end | |||
set dns-server1 192.168.20.2 | |||
set dns-server2 8.8.8.8 | |||
next | |||
</syntaxhighlight> | |||
== Checks == | == Checks == | ||
=== Common === | === Common === | ||
<syntaxhighlight | <syntaxhighlight> | ||
# Ping IP 8.8.8.8 | # Ping IP 8.8.8.8 | ||
execute ping 8.8.8.8 | execute ping 8.8.8.8 | ||
| Line 34: | Line 57: | ||
* https://docs.fortinet.com/document/fortigate/6.2.11/cookbook/031670/ikev2-ipsec-site-to-site-vpn-to-an-aws-vpn-gateway | * https://docs.fortinet.com/document/fortigate/6.2.11/cookbook/031670/ikev2-ipsec-site-to-site-vpn-to-an-aws-vpn-gateway | ||
<syntaxhighlight | <syntaxhighlight> | ||
# Show phase 1 configuration for a specific interface. | # Show phase 1 configuration for a specific interface. | ||
show vpn ipsec phase1-interface <PHASE1NAME> | show vpn ipsec phase1-interface <PHASE1NAME> | ||
| Line 48: | Line 71: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
<syntaxhighlight | <syntaxhighlight> | ||
# Enable VPN phase-1 debug mode and display logs in the console | # Enable VPN phase-1 debug mode and display logs in the console | ||
diagnose vpn ike log filter name <phase1-name> | diagnose vpn ike log filter name <phase1-name> | ||
| Line 60: | Line 83: | ||
=== Syslog === | === Syslog === | ||
<section begin="fortinetsyslog"/> | <section begin="fortinetsyslog"/> | ||
<syntaxhighlight | <syntaxhighlight> | ||
# Test logging capability | # Test logging capability | ||
diag log test | diag log test | ||
</syntaxhighlight> | </syntaxhighlight> | ||
<section end="fortinetsyslog"/> | <section end="fortinetsyslog"/> | ||
Latest revision as of 15:21, 31 July 2023
Links
- https://docs.fortinet.com/product/fortigate/6.4
- https://docs.fortinet.com/document/fortigate/6.4.7/administration-guide/954635/getting-started
- https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/830108/ping-options-ping6-options
CLI Configuration
Don't forget to enter the proper vDOM when applicable
DHCP server
edit 0 will cause the first available ID to be assigned to this range.
config system dhcp server
edit 0
set lease-time 86400
set default-gateway 192.168.20.1
set netmask 255.255.255.0
set interface "VDOM-LAN01"
config ip-range
edit 1
set start-ip 192.168.20.10
set end-ip 192.168.20.254
next
end
set dns-server1 192.168.20.2
set dns-server2 8.8.8.8
next
Checks
Common
# Ping IP 8.8.8.8 execute ping 8.8.8.8 # Ping from a specific interface IP execute ping-options source 10.0.25.1 # Ping for a certain amount of times execute ping-options repeat-count # Traceroute to IP 1.1.1.1 execute traceroute 1.1.1.1 # List all available interfaces diagnose netlink interface list # Show detailed interface statistics diagnose netlink interface list name <INTERFACE>
VPN
- https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/168495/ipsec-vpn-troubleshooting
- https://www.fortinetguru.com/2017/10/ipsec-phase-2-parameters/
- https://docs.fortinet.com/document/fortigate/6.2.11/cookbook/031670/ikev2-ipsec-site-to-site-vpn-to-an-aws-vpn-gateway
# Show phase 1 configuration for a specific interface. show vpn ipsec phase1-interface <PHASE1NAME> # Ping for a certain amount show vpn ipsec phase2-interface <PHASE2NAME> # Show summary of VPN tunnel when within a vDom get vpn ipsec tunnel summary # Show detailed phase 1 information of a VPN. diagnose vpn ike gateway list name <Phase1name>
# Enable VPN phase-1 debug mode and display logs in the console diagnose vpn ike log filter name <phase1-name> diagnose debug app ike -1 diagnose debug enable # Disable debug mode diagnose debug disable
Syslog
# Test logging capability diag log test
