Fortinet: Difference between revisions
From Cheatsheet
Latest revision as of 14:55, 24 January 2026
Links
- https://docs.fortinet.com/product/fortigate/6.4
- https://docs.fortinet.com/document/fortigate/6.4.7/administration-guide/954635/getting-started
- https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/830108/ping-options-ping6-options
CLI Configuration
Don't forget to enter the proper vDOM when applicable
DHCP server
Using edit 0 assigns the first available ID to this entry.
config system dhcp server
    edit 0
        set lease-time 86400
        set default-gateway 192.168.20.1
        set netmask 255.255.255.0
        set interface "VDOM-LAN01"
        config ip-range
            edit 1
                set start-ip 192.168.20.10
                set end-ip 192.168.20.254
            next
        end
        set dns-server1 192.168.20.2
        set dns-server2 8.8.8.8
    next
end
Checks
Common
# Ping IP 8.8.8.8
execute ping 8.8.8.8
# Ping from a specific interface IP
execute ping-options source 10.0.25.1
# Ping a certain number of times
execute ping-options repeat-count <COUNT>
# Traceroute to IP 1.1.1.1
execute traceroute 1.1.1.1
# List all available interfaces
diagnose netlink interface list
# Show detailed interface statistics
diagnose netlink interface list name <INTERFACE>
VPN
- https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/168495/ipsec-vpn-troubleshooting
- https://www.fortinetguru.com/2017/10/ipsec-phase-2-parameters/
- https://docs.fortinet.com/document/fortigate/6.2.11/cookbook/031670/ikev2-ipsec-site-to-site-vpn-to-an-aws-vpn-gateway
# Show phase 1 configuration for a specific interface
show vpn ipsec phase1-interface <PHASE1NAME>
# Show phase 2 configuration for a specific interface
show vpn ipsec phase2-interface <PHASE2NAME>
# Show a summary of VPN tunnels when inside a vDOM
get vpn ipsec tunnel summary
# Show detailed phase 1 information for a VPN
diagnose vpn ike gateway list name <PHASE1NAME>
# Enable VPN phase 1 debug mode and display logs in the console
diagnose vpn ike log filter name <PHASE1NAME>
diagnose debug app ike -1
diagnose debug enable
# Disable debug mode
diagnose debug disable
Syslog
# Test logging capability
diag log test
Custom UDP Configuration
This example sends syslog traffic over a VPN interface, using a source IP address that is permitted through that tunnel.
config log syslogd setting
set status enable
set server "192.168.77.88"
set port 1514
set source-ip "192.168.77.1"
set interface-select-method specify
set interface "My_VPN_interface"
end
TCP Configuration
The set mode command supports multiple RFC-compliant syslog transports; reliable selects TCP.
config log syslogd setting
set status enable
set server "logger.brammerloo.nl"
set mode reliable
set port 1515
end
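As an added example (not code from this cheatsheet or from Fortinet), a small Python parser for the config/edit/set/next/end block syntax used above, plus an audit of the syslogd block so a reviewer can check that remote logging is enabled and uses the reliable (TCP) mode. It assumes the text to parse uses exactly the CLI syntax shown on this page.

```python
import shlex
# Constructed sample (not a device dump): this cheatsheet's DHCP and TCP syslog blocks.
SAMPLE = """\
config system dhcp server
    edit 0
        set interface "VDOM-LAN01"
        config ip-range
            edit 1
                set start-ip 192.168.20.10
                set end-ip 192.168.20.254
            next
        end
    next
end
config log syslogd setting
    set status enable
    set server "logger.brammerloo.nl"
    set mode reliable
    set port 1515
end
"""

def parse_fortios(text):
    """Nested dicts from FortiOS CLI text; raises on unbalanced blocks."""
    stack = [{}]  # stack[-1] is the block currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)  # honours FortiOS's quoted values
        if cmd in ("config", "edit"):   # open a nested table or entry
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "set":              # single value, or list for multi-value keys
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd in ("next", "end"):    # close the current entry or table
            if len(stack) == 1:
                raise ValueError(f"unbalanced '{cmd}': {line}")
            stack.pop()
    if len(stack) != 1:
        raise ValueError("unterminated block: missing 'next' or 'end'")
    return stack[0]

def audit_syslog(cfg):
    """Findings for the 'log syslogd setting' block; an empty list means OK."""
    s = cfg.get("log syslogd setting", {})
    checks = [(s.get("status") == "enable", "remote syslog is not enabled"),
              (bool(s.get("server")), "no syslog server configured"),
              (s.get("mode") == "reliable", "syslog not using reliable (TCP) mode")]
    return [msg for ok, msg in checks if not ok]
```

Feed it the output of `show` for a block (copied from the CLI) to spot a missing `end` or a syslog setting that silently fell back to UDP.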