Common FortiGate Firewall Commands
Source: https://www.cnblogs.com/kunlunsun/p/11423552.html
- Command structure
#config    configure policies, objects and so on
#get       view the parameters of an object
#show      view the configuration
#diagnose  diagnostic commands
#execute   commonly used tool commands such as ping and traceroute; runs a single command
#exit      exit
#end       save and exit
- Common commands
1. Configure an interface address
FortiGate # config system interface
FortiGate (interface) # edit port1
FortiGate (port1) # set ip 192.168.8.99/24
FortiGate (port1) # end
2. Configure a static route
FortiGate # config router static
FortiGate (static) # edit 1
FortiGate (1) # set device wan1
FortiGate (1) # set dst 10.0.0.0 255.0.0.0
FortiGate (1) # set gateway 192.168.57.1
FortiGate (1) # end
3. Configure a default route
FortiGate # config router static
FortiGate (static) # edit 1 // entry number as shown in the prompts below; pick an unused number if entry 1 is already taken. No dst is needed: it defaults to 0.0.0.0/0
FortiGate (1) # set gateway 192.168.57.1
FortiGate (1) # set device wan1
FortiGate (1) # end
4. Add an address object
FortiGate # config firewall address
FortiGate (address) # edit clientnet
new entry 'clientnet' added
FortiGate (clientnet) # set subnet 192.168.1.0 255.255.255.0
FortiGate (clientnet) # end
5. Add an IP pool
FortiGate # config firewall ippool
FortiGate (ippool) # edit nat-pool
new entry 'nat-pool' added
FortiGate (nat-pool) # set startip 100.100.100.1
FortiGate (nat-pool) # set endip 100.100.100.100
FortiGate (nat-pool) # end
6. Add a virtual IP
FortiGate # config firewall vip
FortiGate (vip) # edit webserver
new entry 'webserver' added
FortiGate (webserver) # set extip 202.0.0.167
FortiGate (webserver) # set extintf wan1
FortiGate (webserver) # set mappedip 192.168.0.168
FortiGate (webserver) # end
7. Configure an outbound (Internet access) policy
FortiGate # config firewall policy
FortiGate (policy) # edit 1
FortiGate (1) # set srcintf internal // source interface
FortiGate (1) # set dstintf wan1 // destination interface
FortiGate (1) # set srcaddr all // source address
FortiGate (1) # set dstaddr all // destination address
FortiGate (1) # set action accept // action
FortiGate (1) # set schedule always // schedule
FortiGate (1) # set service ALL // service
FortiGate (1) # set logtraffic disable // traffic logging on/off
FortiGate (1) # set nat enable // enable NAT
end
8. Configure an inbound mapping (virtual IP) policy
FortiGate # config firewall policy
FortiGate (policy) # edit 2
FortiGate (2) # set srcintf wan1 // source interface
FortiGate (2) # set dstintf internal // destination interface
FortiGate (2) # set srcaddr all // source address
FortiGate (2) # set dstaddr FortiGate1 // destination address: the virtual IP mapping created beforehand
FortiGate (2) # set action accept // action
FortiGate (2) # set schedule always // schedule
FortiGate (2) # set service ALL // service
FortiGate (2) # set logtraffic all // traffic logging on/off
end
9. Change the internal switch interface into routed ports
Make sure every route, DHCP setting and firewall policy that references the internal interface has been deleted first
FortiGate # config system global
FortiGate (global) # set internal-switch-mode interface
FortiGate (global) #end
Reboot
--------------------------------------
1. View the hostname and management ports
FortiGate # show system global
2. View system status and current resource usage
FortiGate # get hardware status // view device hardware information
FortiGate # get system status // view system information
FortiGate # get system performance status // view current system performance
3. View application traffic statistics
FortiGate # get system performance firewall statistics
4. View the ARP table
FortiGate # get system arp
5. View detailed ARP information
FortiGate # diagnose ip arp list
6. Clear the ARP cache
FortiGate # execute clear system arp table
7. View session table statistics
FortiGate # diagnose sys session stat
or
FortiGate # diagnose sys session full-stat
8. View the session list
FortiGate # diagnose sys session list
9. View physical interface status
FortiGate # get system interface physical
10. View the default (static) route configuration
FortiGate # show router static
11. View the static routes in the routing table
FortiGate # get router info routing-table static
12. View the OSPF configuration
FortiGate # show router ospf
13. View the full routing table
FortiGate # get router info routing-table all
-----------------------------------------------
1. View HA status
FortiGate # get system ha status
2. Check whether the primary and secondary units are in sync
FortiGate # diagnose sys ha showcsum
---------------------------------------------------
3. Diagnostic commands:
FortiGate # diagnose debug application ike -1
---------------------------------------------------
execute commands:
FortiGate # execute ping 8.8.8.8 // ordinary ping
FortiGate # execute ping-options source 192.168.1.200 // set the source address of ping packets to 192.168.1.200
FortiGate # execute ping 8.8.8.8 // then enter the ping target; the ping is now sent from source address 192.168.1.200
FortiGate # execute traceroute 8.8.8.8
FortiGate # execute telnet 2.2.2.2 // open a telnet session
FortiGate # execute ssh 2.2.2.2 // open an SSH session
FortiGate # execute factoryreset // restore factory defaults
FortiGate # execute reboot // reboot the device
FortiGate # execute shutdown // shut down the device
===========
Overview of the Fortinet Firewall Command Line
Source: https://blog.51cto.com/it568/1910241
1. The CLI can be reached over SSH, Telnet, or the serial console
2. The CLI configuration is hierarchical, as shown below:
config system interface
edit "internal"
set vdom "root"
set ip 192.168.100.99 255.255.255.0
set allowaccess ping https ssh snmp http telnet
set type physical
next
end
3. The command hierarchy uses the following keywords:
config
edit
next
end
exit
abort
4. Use "?" to list the commands available at the current level
5. Use <tab> to complete the current command
6. Example: setting the IP address of wan2:
FortiGate-60 # config system interface
(interface)# edit wan2
(wan2)# set ip 192.177.11.12 255.255.255.248
(wan2)# end
FortiGate-60 #
7. Use the "get" command to display the parameters and their current values:
(internal)# get
name : internal
vdom : root
cli-conn-status : 0
mode : static
dhcp-relay-service :
dhcp-relay-ip :
dhcp-relay-type :
ip : 192.168.96.254 255.255.255.0
allowaccess : ping HTTPS HTTP telnet
8. Use the "show" command to display the current configuration:
FGT50B3 # config system interface
FGT50B3 (interface) # edit internal
FGT50B3 (internal) # show
config system interface
edit "internal"
set vdom "root"
set ip 192.168.100.99 255.255.255.0
set allowaccess ping https ssh snmp http telnet
set type physical
next
end
9. Use "show full-configuration" to display the complete current configuration, including default values:
FGT50B3 # config system interface
FGT50B3 (interface) # edit internal
FGT50B3 (internal) # show full-configuration
config system interface
edit "internal"
set vdom "root"
set mode static
set dhcp-relay-service disable
unset dhcp-relay-ip
set dhcp-relay-type regular
set ip 192.168.100.99 255.255.255.0
set allowaccess ping https ssh snmp http telnet
set gwdetect disable
unset detectserver
set ha-priority 0
set pptp-client disable
set arpforward enable
set broadcast-forward disable
set bfd global
set l2forward disable
set icmp-redirect enable
set vlanforward enable
set stpforward disable
set ident-accept disable
set ipmac disable
set subst disable
set log disable
set fdp disable
set ddns disable
set status up
set netbios-forward disable
set wins-ip 0.0.0.0
set type physical
set tcp-mss 0
set inbandwidth 0
set outbandwidth 0
set description ''
set alias ''
set l2tp-client disable
config ipv6
set autoconf disable
set ip6-address ::/0
unset ip6-allowaccess
set ip6-default-life 1800
set ip6-hop-limit 0
set ip6-link-mtu 0
set ip6-manage-flag disable
set ip6-max-interval 600
set ip6-min-interval 198
set ip6-other-flag disable
set ip6-reachable-time 0
set ip6-retrans-time 0
set ip6-send-adv disable
end
set idle-timeout 0
unset macaddr
set mtu-override disable
next
end
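The config/edit/set/next/end hierarchy shown in the "show" and "show full-configuration" output above is regular enough to parse, which is how a defender turns a saved configuration into something auditable. The following Python is an added example, not code from either of the source articles or from Fortinet: it parses that text into nested dicts and then runs two checks drawn from earlier sections of this page, flagging interfaces whose allowaccess includes the cleartext management protocols telnet and http (as in the sample interface) and accept policies that are any/any/ALL or have logtraffic set to disable (as in policy 1 of the outbound policy section). The sample configuration embedded in the block is constructed from those snippets, and the function and finding names are the author's own choices.

```python
import shlex

# Constructed sample of `show` output, modelled on the interface and policy
# snippets in this cheat sheet (not captured from a real device).
SAMPLE_CONFIG = """
config system interface
    edit "internal"
        set ip 192.168.100.99 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        config ipv6
            set ip6-address ::/0
        end
    next
    edit "wan1"
        set allowaccess ping https ssh
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set logtraffic disable
    next
    edit 2
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "FortiGate1"
        set action accept
        set service "ALL"
        set logtraffic all
    next
end
"""

def parse_fortios_config(text):
    """Turn config/edit/set/next/end text into nested dicts.

    `config <path>` becomes a dict under "<path>", `edit <name>` a dict under
    the entry name, `set <key> <values...>` stores the value list under <key>,
    and `unset <key>` removes it. `next`/`end` close the current level.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # handles "quoted" values and ''
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1:]
        elif keyword == "unset":
            stack[-1].pop(args[0], None)
        elif keyword in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root

CLEARTEXT_MGMT = {"telnet", "http"}

def audit_interfaces(cfg):
    """Return (interface, protocols) where allowaccess permits cleartext management."""
    findings = []
    for name, iface in cfg.get("system interface", {}).items():
        allowed = {p.lower() for p in iface.get("allowaccess", [])}
        bad = sorted(CLEARTEXT_MGMT & allowed)
        if bad:
            findings.append((name, bad))
    return findings

def audit_policies(cfg):
    """Return (policy id, issues) for accept policies that match any source,
    any destination and ALL services, or that explicitly disable logging.
    Only explicit `set logtraffic disable` is flagged, since plain `show`
    omits values left at their defaults."""
    findings = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("action", [""])[0] != "accept":
            continue
        issues = []
        if all(pol.get(k, [""])[0].lower() == "all" for k in ("srcaddr", "dstaddr", "service")):
            issues.append("any-any-ALL")
        if pol.get("logtraffic", [""])[0] == "disable":
            issues.append("logging disabled")
        if issues:
            findings.append((pid, issues))
    return findings

if __name__ == "__main__":
    cfg = parse_fortios_config(SAMPLE_CONFIG)
    for name, protos in audit_interfaces(cfg):
        print(f"interface {name}: cleartext management enabled: {', '.join(protos)}")
    for pid, issues in audit_policies(cfg):
        print(f"policy {pid}: {'; '.join(issues)}")
```

Feed it the output of "show" (or "show full-configuration", which also includes defaults) saved from the CLI. On the constructed sample it reports the internal interface for http and telnet and policy 1 for being any/any/ALL with logging disabled, while the inbound policy 2, which restricts the destination to a VIP object and logs all traffic, passes.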
10. Run certain actions with execute, for example:
execute factoryreset
execute ping
execute backup
execute traceroute
execute reboot
========== End