Fortinet: Difference between revisions
From Cheatsheet
(→Common)
(One intermediate revision by the same user not shown)
| Line 7: | Line 7: | ||
== CLI Configuration == | == CLI Configuration == | ||
'''Don't forget to enter the proper vDOM when applicable''' | |||
=== DHCP server === | === DHCP server === | ||
'''edit 0''' will cause the first available ID to be assigned to this range. | '''edit 0''' will cause the first available ID to be assigned to this range. | ||
| Line 55: | Line 57: | ||
* https://docs.fortinet.com/document/fortigate/6.2.11/cookbook/031670/ikev2-ipsec-site-to-site-vpn-to-an-aws-vpn-gateway | * https://docs.fortinet.com/document/fortigate/6.2.11/cookbook/031670/ikev2-ipsec-site-to-site-vpn-to-an-aws-vpn-gateway | ||
<syntaxhighlight | <syntaxhighlight> | ||
# Show phase 1 configuration for a specific interface. | # Show phase 1 configuration for a specific interface. | ||
show vpn ipsec phase1-interface <PHASE1NAME> | show vpn ipsec phase1-interface <PHASE1NAME> | ||
| Line 69: | Line 71: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
<syntaxhighlight | <syntaxhighlight> | ||
# Enable VPN phase-1 debug mode and display logs in the console | # Enable VPN phase-1 debug mode and display logs in the console | ||
diagnose vpn ike log filter name <phase1-name> | diagnose vpn ike log filter name <phase1-name> | ||
| Line 81: | Line 83: | ||
=== Syslog === | === Syslog === | ||
<section begin="fortinetsyslog"/> | <section begin="fortinetsyslog"/> | ||
<syntaxhighlight | <syntaxhighlight> | ||
# Test logging capability | # Test logging capability | ||
diag log test | diag log test | ||
</syntaxhighlight> | </syntaxhighlight> | ||
<section end="fortinetsyslog"/> | <section end="fortinetsyslog"/> | ||
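Review bot: the `<syntaxhighlight>` tags at Line 57, Line 71 and Line 83 are now closed, but none of them carries a `lang` attribute, so the FortiOS snippets are rendered without a lexer; giving each one `lang="text"` (or another lexer the extension accepts) keeps the three blocks consistent and makes the intent explicit. The vDOM reminder added at Line 7 applies to every stanza below it, so it may be worth repeating the hint as a comment inside the DHCP block, which is the first place a reader will paste from.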
Latest revision as of 15:21, 31 July 2023
Links
- https://docs.fortinet.com/product/fortigate/6.4
- https://docs.fortinet.com/document/fortigate/6.4.7/administration-guide/954635/getting-started
- https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/830108/ping-options-ping6-options
CLI Configuration
Don't forget to enter the proper vDOM when applicable
DHCP server
edit 0 will cause the first available ID to be assigned to this DHCP server entry.
config system dhcp server
    edit 0
        set lease-time 86400
        set default-gateway 192.168.20.1
        set netmask 255.255.255.0
        set interface "VDOM-LAN01"
        config ip-range
            edit 1
                set start-ip 192.168.20.10
                set end-ip 192.168.20.254
            next
        end
        set dns-server1 192.168.20.2
        set dns-server2 8.8.8.8
    next
end
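The stanza above is easy to get subtly wrong (a pool that swallows the broadcast address, a DNS server or gateway that sits inside the lease range). The following added example, which is not part of the cheatsheet or of any Fortinet tooling, parses a `config system dhcp server` entry in the layout shown above and checks it for those inconsistencies with Python's `ipaddress` module before it is pasted into a device. The two config texts are constructed for the example; the second one deliberately contains two mistakes.

```python
import ipaddress
import re

# Constructed sample: the DHCP server stanza from this cheatsheet, with the closing "end".
SAMPLE_DHCP_CONFIG = """\
config system dhcp server
    edit 0
        set lease-time 86400
        set default-gateway 192.168.20.1
        set netmask 255.255.255.0
        set interface "VDOM-LAN01"
        config ip-range
            edit 1
                set start-ip 192.168.20.10
                set end-ip 192.168.20.254
            next
        end
        set dns-server1 192.168.20.2
        set dns-server2 8.8.8.8
    next
end
"""

# Constructed variant with two mistakes: the pool ends on the broadcast address
# and the primary DNS server sits inside the lease range.
BAD_DHCP_CONFIG = (SAMPLE_DHCP_CONFIG
                   .replace("set end-ip 192.168.20.254", "set end-ip 192.168.20.255")
                   .replace("set dns-server1 192.168.20.2", "set dns-server1 192.168.20.50"))

SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.+?)\s*$')


def parse_dhcp_server(text):
    """Collect the 'set' values of one DHCP server entry. ip-range entries become
    a list of (start-ip, end-ip) tuples stored under the key "ip-ranges"."""
    settings, ranges, current, in_range = {}, [], {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "config ip-range":
            in_range = True
            continue
        if in_range and stripped == "next":
            ranges.append((current.get("start-ip"), current.get("end-ip")))
            current = {}
            continue
        if in_range and stripped == "end":
            in_range = False
            continue
        m = SET_RE.match(line)
        if m:
            # Quoted values such as "VDOM-LAN01" are stored without the quotes.
            (current if in_range else settings)[m.group(1)] = m.group(2).strip('"')
    settings["ip-ranges"] = ranges
    return settings


def lint_dhcp_server(settings):
    """Return a list of findings; an empty list means the stanza is internally consistent."""
    findings = []
    gateway = ipaddress.ip_address(settings["default-gateway"])
    subnet = ipaddress.ip_network(f"{gateway}/{settings['netmask']}", strict=False)
    for start, end in settings["ip-ranges"]:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo > hi:
            findings.append(f"range {start}-{end}: start-ip is after end-ip")
        for name, addr in (("start-ip", lo), ("end-ip", hi)):
            if addr not in subnet:
                findings.append(f"{name} {addr} is outside {subnet}")
        if lo == subnet.network_address or hi == subnet.broadcast_address:
            findings.append(f"range {start}-{end} includes the network or broadcast address of {subnet}")
        # Leased addresses must not collide with the gateway or the DNS servers.
        for name, value in (("default-gateway", settings["default-gateway"]),
                            ("dns-server1", settings.get("dns-server1")),
                            ("dns-server2", settings.get("dns-server2"))):
            if value and lo <= ipaddress.ip_address(value) <= hi:
                findings.append(f"{name} {value} lies inside lease range {start}-{end}")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_DHCP_CONFIG), ("bad", BAD_DHCP_CONFIG)):
        print(label, lint_dhcp_server(parse_dhcp_server(text)) or "OK")
```

The parser only understands the flat `set`/`config ip-range` layout used on this page; a real FortiOS backup can carry further nested sub-tables (reserved addresses, options) that it would skip.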
Checks
Common
# Ping IP 8.8.8.8
execute ping 8.8.8.8
# Ping from a specific interface IP (ping-options apply to the next execute ping)
execute ping-options source 10.0.25.1
# Ping a certain number of times
execute ping-options repeat-count <COUNT>
# Traceroute to IP 1.1.1.1
execute traceroute 1.1.1.1
# List all available interfaces
diagnose netlink interface list
# Show detailed interface statistics
diagnose netlink interface list name <INTERFACE>
VPN
- https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/168495/ipsec-vpn-troubleshooting
- https://www.fortinetguru.com/2017/10/ipsec-phase-2-parameters/
- https://docs.fortinet.com/document/fortigate/6.2.11/cookbook/031670/ikev2-ipsec-site-to-site-vpn-to-an-aws-vpn-gateway
# Show phase 1 configuration for a specific interface.
show vpn ipsec phase1-interface <PHASE1NAME>
# Show phase 2 configuration for a specific interface.
show vpn ipsec phase2-interface <PHASE2NAME>
# Show summary of VPN tunnels when within a vDOM
get vpn ipsec tunnel summary
# Show detailed phase 1 information of a VPN.
diagnose vpn ike gateway list name <Phase1name>

# Enable VPN phase-1 debug mode and display logs in the console
diagnose vpn ike log filter name <phase1-name>
diagnose debug app ike -1
diagnose debug enable
# Disable debug mode
diagnose debug disable
Syslog
# Test logging capability
diag log test
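Once logging to a syslog collector is confirmed with `diag log test`, the records arrive as space-separated `key=value` pairs with double-quoted string values. The following added example (not from the cheatsheet or from Fortinet) parses records in that layout and runs two simple defender-side checks over them: denied forward-traffic counted per source address, and successful administrator logins whose source, taken from the `ui` field, is outside an allowed management subnet. The three log lines are constructed for the example; the field names follow the FortiGate key=value convention, and the exact set of fields on a real device depends on the log type and firmware.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample records in FortiGate's key=value syslog layout. They are
# illustrative only, not output captured from a device.
SAMPLE_SYSLOG = [
    'date=2023-07-31 time=15:21:03 devname="FGT-LAB" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="VDOM-LAN01" srcip=192.168.20.10 srcport=51234 '
    'dstip=8.8.8.8 dstport=53 proto=17 action="accept" policyid=1 service="DNS" msg="traffic accepted"',
    'date=2023-07-31 time=15:21:05 devname="FGT-LAB" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="VDOM-LAN01" srcip=192.168.20.77 srcport=40000 '
    'dstip=203.0.113.9 dstport=445 proto=6 action="deny" policyid=0 service="SMB" msg="traffic denied by policy"',
    'date=2023-07-31 time=15:21:09 devname="FGT-LAB" logid="0100032001" type="event" '
    'subtype="system" level="notice" vd="root" user="admin" ui="ssh(192.168.20.2)" '
    'action="login" status="success" msg="Administrator admin logged in successfully from ssh(192.168.20.2)"',
]

# key=value pairs: the value is either a double-quoted string (backslash escapes allowed)
# or a bare token without spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Source IP embedded in the ui field, e.g. ui="ssh(192.168.20.2)".
UI_IP_RE = re.compile(r'\((\d{1,3}(?:\.\d{1,3}){3})\)')


def parse_record(line):
    """Parse one key=value log line into a dict, with surrounding quotes removed."""
    record = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        record[key] = value
    return record


def denied_by_source(records):
    """Count traffic records the firewall denied, keyed by source IP."""
    counter = Counter()
    for r in records:
        if r.get("type") == "traffic" and r.get("action") == "deny" and "srcip" in r:
            counter[r["srcip"]] += 1
    return counter


def admin_logins_outside(records, allowed_subnet):
    """Return (user, source_ip) for successful admin logins from outside allowed_subnet."""
    allowed = ipaddress.ip_network(allowed_subnet)
    hits = []
    for r in records:
        if r.get("type") != "event" or r.get("action") != "login" or r.get("status") != "success":
            continue
        m = UI_IP_RE.search(r.get("ui", ""))
        if m and ipaddress.ip_address(m.group(1)) not in allowed:
            hits.append((r.get("user", "?"), m.group(1)))
    return hits


if __name__ == "__main__":
    recs = [parse_record(line) for line in SAMPLE_SYSLOG]
    print("denied per source:", dict(denied_by_source(recs)))
    print("admin logins outside 192.168.20.0/24:", admin_logins_outside(recs, "192.168.20.0/24"))
```

Feeding real collector output through `parse_record` line by line is enough to build the same counters over a day of logs; the two check functions are deliberately small so they can be swapped for whatever the local policy actually cares about.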