Sniffer and debug flow

Sniffer and debug flow copy-paste templates; change the IP addresses and run them as-is:
diagnose sys session filter clear
diagnose sys session filter proto 6
diagnose sys session filter dport 3389
diagnose sys session filter dst 119.100.1.200
diagnose sys session clear

diagnose debug flow filter clear

diagnose debug flow filter addr 13.33.231.17
diagnose debug flow filter proto 17
diagnose debug flow filter sport 1263
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable

diagnose sys session filter proto 1
diagnose sys session filter dst 202.106.1.100
diagnose sys session clear

diagnose sniffer packet any "host 202.106.1.100 and icmp" 4

diagnose sys session filter proto 1
diagnose sys session filter dst 202.106.1.100
diagnose sys session clear

diagnose debug flow filter addr 10.100.151.1
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable

// in the sniffer filter "and" binds tighter than "or", so group the "or" terms in parentheses:
diagnose sniffer packet any "(host 111.204.123.112 or host 192.168.30.167) and !port 22345 and !port 44300" 4
diagnose sniffer packet any "host 114.114.114.114 and icmp" 4
diagnose sniffer packet any "host 111.204.123.112 and !port 22 and !port 45328" 4
diagnose sniffer packet any "port 161 and (host 111.204.123.116 or host 192.168.168.1)" 4

----------------------------

GUI tuning script:
config system settings
set inspection-mode flow
set gui-multiple-utm-profiles enable
set gui-allow-unnamed-policy enable
set gui-multiple-interface-policy enable
end
config system global
set admintimeout 30
set language simch
set timezone 55
set revision-backup-on-logout enable
end

--------------------

IPsec VPN blackhole route script (administrative distance 254, so the blackhole is only used while the tunnel route is absent; this stops traffic for the remote private ranges from leaking in clear text via the default route when the tunnel is down):
config firewall address
edit "Private_IP_10.0.0.0/8"
set allow-routing enable
set subnet 10.0.0.0 255.0.0.0
next
edit "Private_IP_172.16.0.0/12"
set allow-routing enable
set subnet 172.16.0.0 255.240.0.0
next
edit "Private_IP_192.168.0.0/16"
set allow-routing enable
set subnet 192.168.0.0 255.255.0.0
next
end
config firewall addrgrp
edit "LAN_Private_IP_Group"
set member "Private_IP_10.0.0.0/8" "Private_IP_172.16.0.0/12" "Private_IP_192.168.0.0/16"
set allow-routing enable
next
end
config router static
edit 0
set distance 254
set blackhole enable
set dstaddr "LAN_Private_IP_Group"
next
end

--------------------------

// Explanations //

Using the sniffer packet-capture command:


diagnose sniffer packet any "host 192.168.200.102 and icmp" 4

Note on sniffer captures: if the traffic has already been offloaded to the NP (network processor), the sniffer may not see it. To capture reliably you may need to adjust NP offload and clear the sessions that are already established:
Sniffer note 1: temporarily disable NP offload on the firewall policy that carries the VPN/business traffic (re-enable it when the capture is done):
FGT # config firewall policy
FGT (policy) # edit 1 (assuming the ID of the relevant policy is 1)
FGT (1) # set auto-asic-offload disable
FGT (1) # end
Every packet matched by that policy is then processed by the CPU, so the sniffer sees the complete flow.

Sniffer note 2: sessions that were already established (whose traffic is already handled by the NP) still cannot be captured after NP offload is disabled. Filter the session out, clear it and let it be re-created; the new session is then captured:
FGT#diagnose sys session filter dst 192.168.200.102 (filter on destination IP)
FGT#diagnose sys session filter proto 1 (filter on protocol 1: ICMP, which includes ping)
FGT#diagnose sys session clear (clear the sessions that match the filter)

FGT# diagnose sys session filter clear // clear the session filter conditions

Caution: diagnose sys session clear acts on whatever the current filter matches, and with an empty filter it clears every session on the unit. Check the filter with diagnose sys session filter and preview the matches with diagnose sys session list before clearing.

FGT#diagnose sys session filter dst 192.168.200.102 (filter on destination IP)
FGT#diagnose sys session filter proto 6 (filter on protocol 6: TCP)
FGT#diagnose sys session filter dport 443 (filter on TCP port 443)
FGT#diagnose sys session clear (clear the sessions that match the filter)

FGT#diagnose sys session filter src 192.168.200.102 (filter on source IP)
FGT#diagnose sys session filter proto 6 (filter on protocol 6: TCP)
FGT#diagnose sys session filter dport 443 (filter on TCP port 443)
FGT#diagnose sys session clear (clear the sessions that match the filter)

FGT# diagnose sys session filter clear // clear the session filter conditions

FGT#diagnose sys session filter dst 192.168.200.102 (filter on destination IP)
FGT#diagnose sys session filter proto 17 (filter on protocol 17: UDP)
FGT#diagnose sys session filter dport 500 (filter on UDP port 500)
FGT#diagnose sys session clear (clear the sessions that match the filter)

FGT# diagnose sys session filter clear // clear the session filter conditions

Finally start the capture. FortiGate sniffer command examples (the filter uses tcpdump syntax: "and" binds tighter than "or", so group "or" terms in parentheses; the trailing 4 is the verbosity level, which prints packet headers with the interface name but no payload):
FGT#diagnose sniffer packet any "host 192.168.200.102 and icmp" 4
FGT#diagnose sniffer packet any "host 218.203.193.18 and esp" 4
FGT#diagnose sniffer packet any "(port 500 or port 4500) and host 1.1.1.1" 4
FGT#diagnose sniffer packet any "(host 10.101.2.2 or host 111.204.123.112) and port 22" 4
FGT#diagnose sniffer packet any "host 60.31.254.5 and port 53" 4
FGT#diagnose sniffer packet any "host 192.168.118.57 and icmp" 4
FGT#diagnose sniffer packet any "port 9999" 4
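The captures above run at verbosity 4, which prints one header line per packet and nothing Wireshark can open. For offline analysis, capture at verbosity 3 or 6 (Ethernet header plus hex dump; 6 adds the interface name), save the terminal output to a file and convert it to pcap. The converter below is an added example written for this page, not a tool from the page or from Fortinet (Fortinet's own fgt2eth.pl script does the same job). The two-packet capture embedded in it is constructed, the file name in the usage line is my own, and absolute timestamps (the "a" option) are treated as UTC because the sniffer prints no time zone.

```python
"""Convert the text printed by `diagnose sniffer packet <intf> "<filter>" 3|6`
into a pcap file. Added example; the sample capture below is constructed."""
import re
import struct
from datetime import datetime, timezone

# Constructed sample: two ICMP frames as printed at verbosity 6
# (verbosity 3 prints the same hex dump without "port1 in/out").
SAMPLE_SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[host 10.0.0.1 and icmp]
1.234567 port1 in 10.0.0.2 -> 10.0.0.1: icmp: echo request
0x0000\t 0009 0f09 0001 0009 0f09 0002 0800 4500\t..............E.
0x0010\t 001c 0001 0000 4001 66de 0a00 0002 0a00\t......@.f.......
0x0020\t 0001 0800 f7fd 0001 0001\t..........
1.234890 port1 out 10.0.0.1 -> 10.0.0.2: icmp: echo reply
0x0000\t 0009 0f09 0002 0009 0f09 0001 0800 4500\t..............E.
0x0010\t 001c 0001 0000 4001 66de 0a00 0001 0a00\t......@.f.......
0x0020\t 0002 0000 fffd 0001 0001\t..........
"""

# Packet header: relative seconds (default) or absolute time ("a" option),
# optionally "<interface> in|out|--" (verbosity 6), then the packet summary.
HEADER_RE = re.compile(
    r"^(?P<ts>\d+\.\d+|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:(?P<intf>\S+)\s+(?P<dir>in|out|--)\s+)?"
    r"(?P<summary>.*)$"
)
HEX_LINE_RE = re.compile(r"^0x[0-9a-f]{4}\s+(?P<rest>.*)$")
HEX_WORD_RE = re.compile(r"^(?:[0-9a-f]{4}|[0-9a-f]{2})$")


def _parse_timestamp(text):
    """Return (seconds, microseconds) for either timestamp style.
    Absolute timestamps carry no zone and are assumed to be UTC."""
    if "-" in text:
        dt = datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")
        dt = dt.replace(tzinfo=timezone.utc)
        return int(dt.timestamp()), dt.microsecond
    secs, _, frac = text.partition(".")
    return int(secs), int((frac + "000000")[:6])


def _frame_bytes_from_dump_line(rest):
    """Decode the hex words of one dump line, ignoring the ASCII column."""
    hex_part = rest.split("\t", 1)[0]        # a tab precedes the ASCII column
    words = []
    for tok in hex_part.split():
        if not HEX_WORD_RE.match(tok):       # ASCII column without a tab separator
            break
        words.append(tok)
    return bytes.fromhex("".join(words))


def parse_sniffer_output(text):
    """Return a list of (ts_sec, ts_usec, interface, direction, frame) tuples."""
    packets = []
    current = None
    for line in text.splitlines():
        hdr = HEADER_RE.match(line)
        if hdr:
            sec, usec = _parse_timestamp(hdr.group("ts"))
            current = [sec, usec, hdr.group("intf"), hdr.group("dir"), bytearray()]
            packets.append(current)
            continue
        dump = HEX_LINE_RE.match(line)
        if dump and current is not None:
            current[4] += _frame_bytes_from_dump_line(dump.group("rest"))
    # Headers without a hex dump (verbosity 1/4 output) cannot become packets.
    return [(s, u, i, d, bytes(f)) for s, u, i, d, f in packets if f]


def to_pcap(packets):
    """Serialise packets as a classic little-endian pcap, LINKTYPE_ETHERNET (1)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for sec, usec, _intf, _direction, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SNIFFER_OUTPUT
    pkts = parse_sniffer_output(text)
    with open("capture.pcap", "wb") as fh:
        fh.write(to_pcap(pkts))
    print(f"wrote {len(pkts)} packets to capture.pcap")
```

Run it as `python fgt_sniffer2pcap.py capture.txt` (file names are my own) and open capture.pcap in Wireshark. The interface and direction columns are not stored in classic pcap, but parse_sniffer_output returns them, so they can be kept in a side file when the question is which port a packet was seen on.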

----------------------------

Using debug flow:

Debug flow traces how the FortiGate processes a packet that passes through it or is addressed to it. When traffic is not getting through, debug flow shows at which step (route lookup, policy lookup, NAT, reverse path check) the packet is dropped; it is the most useful flow-analysis tool on the unit.


 




Debug flow command reference:
#diagnose debug flow filter addr x.x.x.x //filter on an IP (matches source or destination)
#diagnose debug flow show console enable //print the trace to the current console/SSH session
#diagnose debug flow show function-name enable //show the name of the function (module) that produced each line
#diagnose debug flow trace start 999 //start the trace and print up to 999 trace entries
#diagnose debug enable //enable debug output

#diagnose debug flow trace stop //stop the debug flow trace
#diagnose debug flow filter clear //clear the filter
#diagnose debug disable //disable debug output
#diagnose debug reset //reset all debug settings

Always finish with trace stop, filter clear and debug disable (or debug reset) so that no debug output is left running on the unit.

The filter is the most important part of debug flow. Examples:
1. Filter ping traffic
#diagnose debug flow filter proto 1
Change the proto value to filter the corresponding protocol:
proto 1 is ICMP
proto 6 is TCP
proto 17 is UDP
2. Filter ping traffic to or from one IP
#diagnose debug flow filter addr 192.168.1.100
#diagnose debug flow filter proto 1
Traces ping traffic involving 192.168.1.100
3. Filter on a port number (source or destination)
#diagnose debug flow filter port 8080
Traces traffic with port 8080 as source or destination
4. Filter on an IP and port 8080
#diagnose debug flow filter addr 192.168.1.100
#diagnose debug flow filter port 8080
Traces port 8080 traffic involving 192.168.1.100
5. Filter on source port / destination port
#diagnose debug flow filter sport 80 -----> filter on source port 80
#diagnose debug flow filter dport 25 -----> filter on destination port 25
6. Filter on source IP / destination IP
#diagnose debug flow filter saddr x.x.x.x -----> filter on source IP x.x.x.x
#diagnose debug flow filter daddr y.y.y.y -----> filter on destination IP y.y.y.y
Filter conditions are ANDed together; run diagnose debug flow filter with no arguments to display the current filter.

Common debug flow example 1: trace ICMP traffic to or from 10.10.10.100
diagnose debug flow filter addr 10.10.10.100
diagnose debug flow filter proto 1
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
Common debug flow example 2: trace TCP port 10443 traffic to or from 10.10.10.100
diagnose debug flow filter addr 10.10.10.100
diagnose debug flow filter proto 6
diagnose debug flow filter port 10443
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
Common debug flow example 3: trace UDP port 500 traffic to or from 10.10.10.100
diagnose debug flow filter addr 10.10.10.100
diagnose debug flow filter proto 17
diagnose debug flow filter port 500
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
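A trace with a broad filter on a busy unit produces many interleaved lines, and the question is usually just: for each flow, which policy allowed it, or at which step was it dropped? The script below is an added example for this page, not a Fortinet tool. It groups diagnose debug flow output by trace_id and reports the 5-tuple, ingress and egress interface and the verdict. The sample trace is constructed: the func= and line= values are illustrative, and message wording differs slightly between FortiOS releases, so extend the regular expressions if your version prints something the script does not recognise.

```python
"""Summarise `diagnose debug flow` output: one record per trace_id with the
5-tuple, ingress/egress interface and the final verdict. Added example; the
sample trace below is constructed and its func=/line= values are illustrative."""
import re

SAMPLE_DEBUG_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 10.10.10.100:1->8.8.8.8:2048) from port2. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5804 msg="allocate a new session-000004c1"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=1 func=fw_forward_handler line=771 msg="Allowed by Policy-5: SNAT"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3294 msg="SNAT 10.10.10.100->203.0.113.10:1"
id=20085 trace_id=2 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=6, 10.10.10.100:51234->198.51.100.7:10443) from port2. flag [S], seq 12345, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=5804 msg="allocate a new session-000004c2"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=2 func=fw_forward_handler line=666 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=3 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=17, 192.168.1.20:5353->224.0.0.251:5353) from port3."
id=20085 trace_id=3 func=init_ip_session_common line=5804 msg="allocate a new session-000004c3"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2621 msg="reverse path check fail, drop"
"""

LINE_RE = re.compile(
    r'trace_id=(?P<trace>\d+)\s+func=(?P<func>\S+)\s+line=\d+\s+msg="(?P<msg>.*)"')
PACKET_RE = re.compile(
    r"received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)->"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<intf>\S+?)\.(?:\s|$)")
ROUTE_RE = re.compile(r"find a route: .*\bvia (?P<egress>\S+)")
ALLOW_RE = re.compile(r"Allowed by Policy-(?P<policy>\d+)")
DENY_RE = re.compile(r"Denied by forward policy check \(policy (?P<policy>\d+)\)")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def _new_flow(trace_id):
    return {"trace_id": trace_id, "proto": None, "src": None, "sport": None,
            "dst": None, "dport": None, "ingress": None, "egress": None,
            "verdict": "no verdict", "policy": None, "reason": None}


def summarise_debug_flow(text):
    """Group trace lines by trace_id and return one dict per flow, in order."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                                   # prompt echo, blank line, etc.
        trace_id = int(m.group("trace"))
        flow = flows.setdefault(trace_id, _new_flow(trace_id))
        msg = m.group("msg")

        pkt = PACKET_RE.search(msg)
        if pkt:                                        # first line of every trace
            flow.update(proto=PROTO_NAMES.get(int(pkt["proto"]), pkt["proto"]),
                        src=pkt["src"], sport=int(pkt["sport"]),
                        dst=pkt["dst"], dport=int(pkt["dport"]),
                        ingress=pkt["intf"])
            continue
        route = ROUTE_RE.search(msg)
        if route:
            flow["egress"] = route["egress"]
            continue
        allowed = ALLOW_RE.search(msg)
        if allowed:
            flow.update(verdict="allowed", policy=int(allowed["policy"]))
            continue
        denied = DENY_RE.search(msg)
        if denied:                                     # policy 0 is the implicit deny
            flow.update(verdict="denied", policy=int(denied["policy"]), reason=msg)
            continue
        if "drop" in msg.lower() or "denied" in msg.lower():
            flow.update(verdict="dropped", reason=msg)  # e.g. reverse path check fail
    return [flows[k] for k in sorted(flows)]


def format_summary(flows):
    """One human-readable line per flow."""
    lines = []
    for f in flows:
        tuple5 = f"{f['proto']} {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']}"
        path = f"in {f['ingress']} out {f['egress'] or '-'}"
        if f["verdict"] == "allowed":
            verdict = f"allowed by policy {f['policy']}"
        elif f["verdict"] == "denied":
            verdict = f"denied by policy {f['policy']}"
            if f["policy"] == 0:
                verdict += " (implicit deny: no policy matched)"
        else:
            verdict = f"{f['verdict']} ({f['reason']})"
        lines.append(f"trace {f['trace_id']}: {tuple5} {path}: {verdict}")
    return lines


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DEBUG_FLOW
    print("\n".join(format_summary(summarise_debug_flow(text))))
```

Paste the trace into a file and run `python fgt_debugflow_summary.py trace.txt` (file names are my own). A flow that ends in "denied by policy 0" never matched any policy, so the fix is a missing or mis-ordered policy; a "dropped (reverse path check fail, drop)" line points at routing, not at the policy table.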

Commonly used debug flow copy-paste scripts:
diagnose sys session filter dst 10.3.10.1
diagnose sys session filter proto 1
diagnose sys session clear

diagnose debug flow filter addr 10.3.10.1
diagnose debug flow filter proto 1
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable

diagnose sys session filter dst 10.255.16.114
diagnose sys session clear

diagnose debug flow filter addr 10.255.16.114
diagnose debug flow filter proto 6
diagnose debug flow filter port 443
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable

//
diagnose debug flow filter port 53
diagnose debug flow filter proto 17
diagnose debug flow filter port 80
//

diagnose debug flow filter addr 103.17.88.71
diagnose debug flow filter proto 6
diagnose debug flow filter port 57720
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable


diagnose sys session filter src 172.40.1.252
diagnose sys session clear

diagnose debug flow filter addr 124.89.90.125
diagnose debug flow filter proto 17
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable


diagnose sys session filter dst 116.90.243.115
diagnose sys session clear

diagnose debug flow filter addr 222.92.132.166
diagnose debug flow filter proto 6
diagnose debug flow filter port 3134
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 6
diagnose debug enable

diagnose debug flow filter addr 192.168.1.1
diagnose debug flow filter proto 17
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 6
diagnose debug enable

diagnose sys session filter src 172.40.1.252
diagnose sys session clear

diagnose sys session filter policy 5
diagnose sys session list

diagnose debug flow filter addr 58.18.31.148
diagnose debug flow filter proto 17
diagnose debug flow filter port 161
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable

------------------------


 




High CPU/memory: viewing processes and temporarily killing a process:
Commands to view processes and kill a process:
diag sys top-summary
diagnose sys top 5 33
diagnose sys kill 9 <PID>

Signal 9 is SIGKILL; most FortiOS daemons are restarted automatically, so this is temporary relief, not a fix. To collect a backtrace for a misbehaving daemon instead, send signal 11 with diagnose sys kill 11 <PID> and read the result with diagnose debug crashlog read.

--------------------


 




Troubleshooting an IPsec VPN tunnel that will not come up:
First, use the sniffer to confirm that UDP 500/4500 traffic is exchanged in both directions
diagnose sniffer packet any "host 116.6.100.241 and ( port 500 or port 4500)" 4

diagnose sniffer packet any "host 202.106.1.35 and ( port 500 or port 4500)" 4

//replace the IP with the peer's public IP
UDP 500 and UDP 4500 are the ports used by IKE, the IPsec negotiation protocol. They must be reachable in both directions or the VPN cannot come up; confirm this before going any further.

Then use the logs and debug application ike to determine whether the failure is in phase 1 or phase 2
diagnose vpn ike log-filter name ipsec_wuxian1 // phase 1 name

diagnose vpn ike log-filter dst-addr4 124.65.148.86 //replace the IP with the peer's public IP
diagnose debug application ike -1
diagnose debug enable

(On newer releases, 7.0 and later, the filter command is written diagnose vpn ike log filter ..., with a space instead of the hyphen.)

Caution while running debug application ike: do not initiate the connection from this side; disable automatic negotiation of phase 1 / phase 2 so that the trace shows the peer's attempt

Note 1: you may need to disable phase 1 / phase 2 auto-negotiation
On 5.6 and later a single setting stops the unit from ever initiating IKE on its own:
config vpn ipsec phase1-interface
edit VPN-P1 (phase 1 name)
set passive-mode enable //never initiate IKE, not even when triggered by traffic
next
end

On older releases (5.2/5.4) disable auto-negotiation separately in phase 1 and phase 2:
BJLab-240D # config vpn ipsec phase1-interface
BJLab-240D (phase1-interface) # edit VPN-P1 (phase 1 name)
BJLab-240D (VPN-P1) # set auto-negotiate disable
BJLab-240D (VPN-P1) # end

BJLab-240D # config vpn ipsec phase2-interface
BJLab-240D (phase2-interface) # edit VPN-P2 (phase 2 name)
BJLab-240D (VPN-P2) # set auto-negotiate disable
BJLab-240D (VPN-P2) # end

Revert these settings when the debugging session is over, otherwise the tunnel will only come up when the peer initiates.

Note 2: sometimes the IPsec connections have to be reset (use with care: every VPN on the unit renegotiates IKE, so this is rarely needed)
diagnose vpn ike restart //restart IKE and re-initiate the connections
diagnose vpn tunnel reset //reset phase 2 (IPsec SAs)

diagnose vpn ike restart
diagnose vpn ike gateway clear

Resetting IPsec tunnels when VDOMs are enabled:
FG200D4615810562 # config vdom
FG200D4615810562 (vdom) # edit root
FG200D4615810562 (root) # diagnose vpn tunnel reset
FG200D4615810562 (root) # diagnose vpn ike restart

Commands to view IPsec VPN status:
diagnose vpn ike gateway list
diagnose vpn tunnel list

----------------------


 



Commonly used debug application commands:
debug L2TP VPN:
diagnose debug application l2tp -1
diagnose debug enable

debug SSL VPN:
diagnose debug application sslvpn -1
diagnose debug enable

debug IPsec VPN:
# diagnose debug console timestamp enable
# diagnose debug application ike -1
# diagnose debug enable

# diagnose debug application ike 0 // turn off ike debug
# diagnose debug disable //disable debug output
# diagnose debug reset //reset all debug settings

debug RADIUS/TACACS+ authentication (the RADIUS test takes the authentication scheme as its second argument: pap, chap, mschap or mschap2):
diagnose test authserver radius radius-server pap user1 123456
diagnose test authserver tacacs+ tacacs-server user1 123456

diagnose debug application fnbamd -1
diagnose debug enable

debug LDAP authentication:
diagnose test authserver ldap ldap-server user1 123456

diagnose debug application fnbamd -1
diagnose debug enable

debug FortiGuard updates:
execute update-now

diagnose debug application update -1
diagnose debug enable

Disabling debug:
# diagnose debug disable
# diagnose debug reset

--------------------------


 




Viewing interface error counters and the interface MAC address:
# diagnose netlink device list
# get hardware nic wan1
Driver Name :Fortinet NP4Lite Driver
Version :1.0.1
Admin :up
Current_HWaddr 08:5b:0e:6f:d9:76
Permanent_HWaddr 08:5b:0e:6f:d9:76
Status :up
Speed :100
Duplex :Full
Host Rx Pkts :3095836
Host Rx Bytes :432192732
Host Tx Pkts :773199
Host Tx Bytes :125268953
Rx Pkts :4389000
Rx Bytes :1112122188
Tx Pkts :1888066
Tx Bytes :251656337
rx_buffer_len :2048
Hidden :No
cmd_in_list : 0
promiscuous : 1
enabled 802.1x : 0
authorized : 0
mac bypass : 0

-----------------------------


 




L2TP/PPTP VPN configuration script (lab template: PPTP relies on MS-CHAPv2 and RC4 and should not be deployed for new remote access; the policy below accepts all sources and all services on wan1, and the local user has a weak static password, so tighten all three before production use):
config vpn l2tp
set status enable
set eip 172.16.252.254
set sip 172.16.252.200
set usrgrp "Guest-group"
end
config vpn pptp
set status enable
set eip 172.16.253.254
set sip 172.16.253.200
set usrgrp "Guest-group"
end
config firewall policy
edit 0
set srcintf "wan1"
set dstintf "any"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end
config user local
edit "guest"
set type password
set passwd 1q2w3e4r
next
end

L2TP over IPsec configuration script (the same caveats apply to the policies and the local user; the pre-shared key 1q2w3e4r is a placeholder and must be replaced with a long random value):
config vpn l2tp
set status enable
set eip 172.16.254.254
set sip 172.16.254.200
set usrgrp "Guest-group"
end
config firewall policy
edit 0
set srcintf "wan1"
set dstintf "any"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end
config user local
edit "guest"
set type password
set passwd 1q2w3e4r
next
end
config vpn ipsec phase1-interface
edit "L-O-I"
set type dynamic
set interface "port1"
set keylife 3600
set peertype any
set psksecret 1q2w3e4r
next
end
config vpn ipsec phase2-interface
edit "L-O-I"
set phase1name "L-O-I"
set pfs disable
set encapsulation transport-mode
set l2tp enable
set keylifeseconds 3600
next
end
config firewall policy
edit 0
set name "L2TP_Over_IPsec"
set srcintf "L-O-I"
set dstintf "any"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end

--------------------------


 



Viewing the OS images in flash and commonly used system commands:
An upgrade keeps the previous firmware and its configuration file in the inactive partition (the one whose Active column reads No).
FGT90D3Z14014233 # diagnose sys flash list   // shows the running version and the partition that holds the configuration
Partition Image TotalSize(KB) Used(KB) Use% Active
1 FGT90D-5.04-FW-build1011-151221 253871 37344 15% No
2 FGT90D-5.02-FW-build701-151203 253871 33078 13% Yes
3 ETDB-1.00000 1388840 4456 0% No
Image build at Dec 3 2015 04:50:38 for b0701
FGT90D3Z14014233 #

"Partition" column: 1 is the primary partition, 2 the secondary partition

"Active" column: Yes marks the partition whose image and configuration are used at boot

FGT90D3Z14014233 # exec set-next-reboot ?
<primary/secondary> partition

FGT90D3Z14014233 # exec set-next-reboot primary ;(or secondary, depending on which partition holds the version you want) sets the boot partition to primary (partition 1)
FGT90D3Z14014233 # exec reboot ;reboots with the image and configuration in the primary partition (partition 1), i.e. rolls back to the pre-upgrade version and configuration


BJFG300D # get system admin list
username local device vdom profile remote started
admin ssh SE25(FSW):60.247.121.248:22 root super_admin 192.168.118.25:51208 2016-12-02 09:57:15

FG100D3G13828247 # diagnose sys tcpsock
0.0.0.0:10400->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:10401->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:10402->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0

FG100D3G13828247 # diagnose hardware deviceinfo disk
Disk Internal ref: 255 29.8GB type: SSD [ATA 32GB SATA Flash] dev: /dev/sda
Disk SYSTEM(boot) ref: 1.9GB type: USB [FORTINET 67_V060324_002] dev: /dev/sdb
partition ref: 247.0MB, 208.0MB free mounted: N label: dev: /dev/sdb1(boot) start: 0
partition ref: 247.0MB, 197.0MB free mounted: Y label: dev: /dev/sdb2(boot) start: 0
partition ref: 19 1.3GB, 1.3GB free mounted: Y label: 0BEC4ED9705DC13A dev: /dev/sdb3 start: 0

Total available disks: 2
Max SSD disks: 1 Available storage disks: 0

# diag hardware smartctl /dev/sda -a   // view flash/SSD wear (SMART data)

To assess the load on the 100D, record the output of the following commands:
get sys status
get sys perf status (run 5 times)
get hard status
exec disk list
sho log disk set
sho log disk filter
diag sys session full-stat (run 5 times)
diag sys top (run for 1 minute)
diag vpn tunnel list

# get hardware status
# get system status
# get system performance status
# diagnose sys flash list
# diagnose autoupdate versions
# diagnose hardware sysinfo memory
# diagnose hardware sysinfo shm
# diagnose debug crashlog read
# diagnose hardware deviceinfo disk
# diagnose sys session stat
# diagnose sys top 5 40 (press "q" to quit the sys top)
# diagnose sys top-summary (press "q" to quit the sys top)

# get hardware memory
# diagnose hardware sysinfo memory
# diag hardware sysinfo slab
# fnsysctl df -h

# execute log delete-all   // deletes every log stored on the unit; irreversible, so export the logs first

------------------


 



link-monitor configuration:
Gateway detection in FOS 5.4:
config system link-monitor
edit "LT"
set srcintf "wan1"
set server 222.249.171.217
set gateway-ip 222.249.171.217
set interval 3
next
end

------------------------


 



IPS process troubleshooting commands:
2) Enable memory tracking.
diag ips memory track-size 1536 1792
diag ips memory track enable

3) run following commands:
get sys status
diag autoupdate version
get sys per status
diag sys top-summary "-n 30 -i 5 -s mem"
diag sys top 99 5
diag hard sys mem
diag hard sys shm
diag hardware sysinfo slab

diag ips memory status
diag ips memory track-print
diag ips session content
diag ips session performance
diag ips session status
diag ips session content
diagnose ips raw status
diag test application ipsmonitor 3
diag test application ipsmonitor 1

Please also collect the output of these diagnose commands:

# fnsysctl df -h

Find the process id of ips engine daemon, then run these commands:

# fnsysctl cat /proc/[process id]/status
# fnsysctl cat /proc/[process id]/maps
# fnsysctl cat /proc/[process id]/smaps
# fnsysctl cat /proc/[process id]/statm

------------------


 



Filtering CLI output with grep (grep -f prints the whole configuration block that contains the match):
FGVM000000091991 # show full-configuration | grep 10000
set database-overflow-max-lsas 10000

FGVM000000091991 # show full-configuration | grep -f 10000
config router ospf
set abr-type standard
set auto-cost-ref-bandwidth 1000
set bfd disable
set database-overflow disable
set database-overflow-max-lsas 10000 <---
set database-overflow-time-to-recover 300
set default-information-metric 10
set default-information-metric-type 2
set default-information-originate disable
set default-information-route-map ''
set default-metric 10
set distance 110
set distance-external 110
set distance-inter-area 110
set distance-intra-area 110
set distribute-list-in ''
set restart-mode none
set restart-period 120
set rfc1583-compatible disable
set router-id 0.0.0.0
set spf-timers 5 10
end

------------------


 



Common troubleshooting commands for high CPU/memory:
# get system status
# get system performance status
# diagnose hardware sysinfo memory

MemTotal: 995012 kB
MemFree: 376716 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 995012 kB
LowFree: 376716 kB

# diagnose hardware sysinfo slab
kmem_cache 80 80 248 5 5 1 0 : 252 126
tcp_session 106 416 960 45 104 1 622 : 124 62
ip_session 98 148 896 37 37 1 1024 : 124 62
tcp_open_request 20 20 192 1 1 1 38 : 252 126
ip_dst_cache 126 312 320 26 26 1 195 : 124 62
ip_fib_hash 23 112 32 1 1 1 0 : 252 126
arp_cache 15 15 256 1 1 1 0 : 252 126

# diagnose sys top 10
Run Time: 1 days, 18 hours and 55 minutes
1U, 0N, 0S, 99I; 3951T, 2633F
ipsengine 453 S < 0.9 1.8
ipsengine 454 S < 0.4 1.8
reportd 81 S 0.0 3.5
miglogd 64 S 0.0 1.5
miglogd 118 S 0.0 1.1
pyfcgid 6619 S 0.0 0.8
pyfcgid 6620 S 0.0 0.8
pyfcgid 6621 S 0.0 0.8
pyfcgid 6617 S 0.0 0.8
httpsd 5319 S 0.0 0.7
cmdbsvr 45 S 0.0 0.7
newcli 6594 S 0.0 0.7
httpsd 6390 S 0.0 0.6
ipshelper 75 S < 0.0 0.6
httpsd 66 S 0.0 0.5
wad 404 S 0.0 0.5
httpsd 116 S 0.0 0.5
newcli 6624 R 0.0 0.4
newcli 6592 S 0.0 0.4
forticron 76 S 0.0 0.4
Columns: process name, PID, state (R running, S sleeping, < high priority), CPU%, MEM%

Shift + P sort by CPU usage
Shift + M sort by memory usage
Ctrl + C quit

FG200D3915803188 # diagnose sys top-summary
CPU [|||||||||||||||||||| ] 50.0%
Mem [||||||||||||| ] 34.0% 1353M/3951M
Processes: 20 (running=1 sleeping=96)

PID RSS ^CPU% MEM% FDS TIME+ NAME
* 400 17M 0.0 0.4 30 00:01.50 scanunitd [x3]
401 14M 0.0 0.4 19 00:00.60 urlfilter
670 12M 0.0 0.3 14 00:00.10 ovrd
35 3M 0.0 0.1 5 00:00.00 mrvl3135_worker
45 29M 0.0 0.7 12 00:35.18 cmdbsvr
51 13M 0.0 0.3 89 00:01.10 zebos_launcher [x12]
6332 11M 0.0 0.3 35 00:00.00 iked
63 12M 0.0 0.3 12 00:00.00 uploadd
64 60M 0.0 1.5 55 00:38.76 miglogd [x2]
65 12M 0.0 0.3 8 00:00.00 kmiglogd
66 34M 0.0 0.9 19 00:05.30 httpsd [x4]
68 12M 0.0 0.3 8 00:00.00 getty
69 147M 0.0 3.7 107 13:55.58 ipsmonitor [x4]
72 12M 0.0 0.3 11 00:00.00 merged_daemons
73 13M 0.0 0.3 12 00:00.10 fnbamd
74 12M 0.0 0.3 12 00:00.20 fclicense
76 17M 0.0 0.4 22 00:00.20 forticron
77 14M 0.0 0.4 15 00:00.98 forticldd
78 13M 0.0 0.4 39 00:00.19 authd [x3]
79 13M 0.0 0.3 19 00:00.00 foauthd

FG200D3915803188 # diagnose sys top-summary "-n 100"
CPU [|||||||||||||||||||| ] 50.0%
Mem [||||||||||||| ] 34.0% 1353M/3951M
Processes: 46 (running=1 sleeping=96)

PID RSS ^CPU% MEM% FDS TIME+ NAME
* 400 17M 0.0 0.4 30 00:01.50 scanunitd [x3]
401 14M 0.0 0.4 19 00:00.60 urlfilter
670 12M 0.0 0.3 14 00:00.10 ovrd
35 3M 0.0 0.1 5 00:00.00 mrvl3135_worker
45 29M 0.0 0.7 12 00:35.18 cmdbsvr
51 13M 0.0 0.3 89 00:01.10 zebos_launcher [x12]
6332 12M 0.0 0.3 35 00:00.00 iked
63 12M 0.0 0.3 12 00:00.00 uploadd
64 60M 0.0 1.5 55 00:38.76 miglogd [x2]
65 12M 0.0 0.3 8 00:00.00 kmiglogd
66 34M 0.0 0.9 19 00:05.40 httpsd [x4]
68 12M 0.0 0.3 8 00:00.00 getty
69 147M 0.0 3.7 107 13:56.40 ipsmonitor [x4]
72 12M 0.0 0.3 11 00:00.00 merged_daemons
73 13M 0.0 0.3 12 00:00.10 fnbamd
74 12M 0.0 0.3 12 00:00.20 fclicense
76 17M 0.0 0.4 22 00:00.20 forticron
77 14M 0.0 0.4 15 00:00.98 forticldd
78 13M 0.0 0.4 39 00:00.19 authd [x3]
79 13M 0.0 0.3 19 00:00.00 foauthd
80 12M 0.0 0.3 9 00:00.12 httpclid
81 140M 0.0 3.6 16 00:12.38 reportd
83 14M 0.0 0.4 32 00:00.10 voipd
399 22M 0.0 0.6 606 07:35.60 wad [x3]
398 12M 0.0 0.3 48 00:00.25 proxyd [x2]
88 14M 0.0 0.4 13 00:35.36 updated
6617 48M 0.0 1.2 13 00:00.44 pyfcgid [x5]
91 13M 0.0 0.3 13 00:00.37 snmpd
92 13M 0.0 0.3 21 00:00.60 dhcpd
94 12M 0.0 0.3 16 00:00.60 ntpd
95 44M 0.0 1.1 19 00:01.23 sshd [x6]
96 12M 0.0 0.3 10 00:00.00 telnetd
97 12M 0.0 0.3 13 00:00.80 quard
98 12M 0.0 0.3 10 00:00.30 alertmail
99 14M 0.0 0.4 28 00:09.36 dnsproxy
103 13M 0.0 0.3 11 00:00.20 eap_proxy
104 16M 0.0 0.4 16 00:00.10 fgfmd
105 16M 0.0 0.4 23 00:00.90 cw_acd
108 12M 0.0 0.3 12 00:00.00 wpad_ac
109 12M 0.0 0.3 13 00:00.10 fortilinkd
110 14M 0.0 0.4 19 00:00.50 cu_acd
111 12M 0.0 0.3 11 00:00.10 swctrl_authd
112 12M 0.0 0.3 13 00:00.00 flcfgd
113 764K 0.0 0.0 13 00:00.00 usbmuxd
114 12M 0.0 0.3 11 00:00.00 fsd
115 12M 0.0 0.3 11 00:00.00 radius-das

FG200D3915803188 # diagnose sys top-summary "-s mem -i 60 -n 10"
CPU [|||||||||||||||||||| ] 50.0%
Mem [||||||||||||| ] 34.0% 1368M/3951M
Processes: 10 (running=1 sleeping=96)

PID RSS CPU% ^MEM% FDS TIME+ NAME
* 69 147M 0.0 3.7 107 14:00.60 ipsmonitor [x4]
81 140M 0.0 3.6 16 00:12.43 reportd
64 60M 0.0 1.5 55 00:38.97 miglogd [x2]
6617 56M 0.0 1.4 13 00:00.73 pyfcgid [x5]
95 44M 0.0 1.1 19 00:01.31 sshd [x6]
66 34M 0.0 0.9 19 00:05.27 httpsd [x4]
45 29M 0.0 0.7 12 00:35.18 cmdbsvr
399 22M 0.0 0.6 536 07:36.87 wad [x3]
400 17M 0.0 0.4 30 00:01.50 scanunitd [x3]
76 17M 0.0 0.4 22 00:00.20 forticron

-------------------------


 


# diagnose hardware sysinfo shm
SHM counter: 62032
SHM allocated: 38210422
SHM total: 3637624832
conservemode: 0 NO System/Proxy | 1 Proxy conserve mode | 2 System/Kernel conserve mode
shm last entered: n/a
system last entered: n/a
SHM FS total: 3715198976
SHM FS free: 3675385856
SHM FS avail: 3675385856
SHM FS alloc: 39813120


 


2 System/Kernel conserve mode (thresholds on these older releases):

MEM LowTotal < 1GB
Red : LowFree < 20% of LowTotal    Green : LowFree > 30% of LowTotal

MEM LowTotal >= 1GB
Red : LowFree < 200M    Green : LowFree > 300M

Actions:
Proxies are bypassed
FortiGate configuration cannot be changed

1 Proxy conserve mode
 


# get system arp
# get system performance firewall statistics
# get system performance firewall packet-distribution
# get system session status
# get system session list

----------------

Configuring FortiManager central management:
config system central-management
set type fortimanager
set fmg "192.168.147.250"
set fmg-source-ip 101.1.1.2
end

----------------


 




Most commonly used FortiGate commands
# config system global
# set hostname "FGT-Master" //set the device name
# set language simch //switch the GUI language to Simplified Chinese
# set timezone 55 //set the time zone to GMT+8
# set tcp-halfclose-timer 120 //how long a half-closed TCP session is kept
# set tcp-halfopen-timer 10 //how long a half-open TCP session (handshake not completed) is kept
# set tcp-timewait-timer 1 //how long a TCP session in TIME_WAIT is kept
# set udp-idle-timer 180 //UDP session idle timeout
# end

# config system session-ttl //idle timeout of established TCP sessions
# set default 3600
# end

# get system status //system status
# get router info routing-table all //routing table
# get system arp //ARP table
# diagnose ip address list //interface IP addresses
# get system performance status //device performance (CPU/memory/new sessions/concurrent sessions)
# get system performance top //top processes

---------------


 




config ips global
set sync-session-ttl disable
end

config system npu
set dedicated-management-cpu enable
set np6-cps-optimization-mode disable
end
// With a single physical (multi-core) CPU, enabling the CPS optimisation improves performance by about 30%; with several physical CPUs it is not recommended in real projects. It raises the CPU's new-session (CPS) capacity. || NGFW tuning

IPS/AV: proxy-based and flow-based inspection cannot be mixed


 



Password recovery:
Log in on the console as the built-in maintainer account shortly after a reboot. The password is "bcpb" followed by the unit's serial number (case-sensitive), and the login is only accepted during a short window after boot:
maintainer

bcpbFG900D3917800436

bcpbFG1K2D3I17800162

Anyone with console access and the serial number can use this account, so on units in untrusted locations disable it with config system global / set admin-maintainer disable, and accept that a lost admin password then has no recovery path short of reloading the firmware.


 



Packets out of order:
Enable this option on the policy (it delays offloading a TCP session to the NPU until the three-way handshake has completed, so the final handshake ACK cannot be overtaken by data segments; see the bug description at the end of this page):
set delay-tcp-npu-session enable

config firewall policy
edit 141
set srcintf "VLAN4" "VLAN1010" "VLAN3000"
set dstintf "VLAN3"
set srcaddr "192.168.121.187"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set delay-tcp-npu-session enable
set nat enable
set ippool enable
set poolname "58.213.19.157"
next
end

------------------------


 



FG100E4Q16003872 #  get sys perf stat
CPU states: 2% user 2% system 0% nice 96% idle 0% iowait 0% irq 0% softirq
CPU0 states: 4% user 2% system 0% nice 94% idle 0% iowait 0% irq 0% softirq
CPU1 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU2 states: 6% user 5% system 0% nice 89% idle 0% iowait 0% irq 0% softirq
CPU3 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
Memory: 3112996k total, 1182116k used (37%), 1857320k free (59%), 73560k freeable (2%)
Average network usage: 317 / 284 kbps in 1 minute, 293 / 206 kbps in 10 minutes, 220 / 63 kbps in 30 minutes
Average sessions: 364 sessions in 1 minute, 279 sessions in 10 minutes, 145 sessions in 30 minutes
Average session setup rate: 26 sessions per second in last 1 minute, 18 sessions per second in last 10 minutes, 6 sessions per second in last 30 minutes
Average NPU sessions: 0 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
Average nTurbo sessions: 0 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 4 days, 11 hours, 14 minutes


 



Viewing interface MTU and adjusting TCP MSS:
(MSS = path MTU minus 40 bytes of IPv4 and TCP headers; 1452 matches a 1492-byte PPPoE path. Traffic entering an IPsec tunnel needs a lower value to leave room for the ESP overhead, which is what the Palo Alto articles linked below discuss.)

FG100E4Q16003872 # diagnose netlink interface list | grep mtu
if=lo family=00 type=772 index=1 mtu=16436 link=0 master=0
if=dummy0 family=00 type=1 index=2 mtu=1500 link=0 master=0
if=nturbo_rx family=00 type=1 index=3 mtu=1500 link=0 master=0
if=nturbo_tx family=00 type=1 index=4 mtu=1500 link=0 master=0
if=dmz family=00 type=1 index=5 mtu=1500 link=0 master=0
if=mgmt family=00 type=1 index=6 mtu=1500 link=0 master=0
if=wan1 family=00 type=1 index=7 mtu=1500 link=0 master=0
if=wan2 family=00 type=1 index=8 mtu=1500 link=0 master=0
if=ha1 family=00 type=1 index=9 mtu=1500 link=0 master=0
if=ha2 family=00 type=1 index=10 mtu=1500 link=0 master=0
if=port1 family=00 type=1 index=11 mtu=1500 link=0 master=32
if=port2 family=00 type=1 index=12 mtu=1500 link=0 master=32
if=port3 family=00 type=1 index=13 mtu=1500 link=0 master=0
if=port4 family=00 type=1 index=14 mtu=1500 link=0 master=0
if=port5 family=00 type=1 index=15 mtu=1500 link=0 master=0
if=port6 family=00 type=1 index=16 mtu=1500 link=0 master=0
if=port7 family=00 type=1 index=17 mtu=1500 link=0 master=0
if=port8 family=00 type=1 index=18 mtu=1500 link=0 master=0
if=port9 family=00 type=1 index=19 mtu=1500 link=0 master=0
if=port10 family=00 type=1 index=20 mtu=1500 link=0 master=0
if=port11 family=00 type=1 index=21 mtu=1500 link=0 master=0
if=port12 family=00 type=1 index=22 mtu=1500 link=0 master=0
if=port13 family=00 type=1 index=23 mtu=1500 link=0 master=0
if=port14 family=00 type=1 index=24 mtu=1500 link=0 master=0
if=port15 family=00 type=1 index=25 mtu=1500 link=0 master=0
if=port16 family=00 type=1 index=26 mtu=1500 link=0 master=0
if=npu0_vlink0 family=00 type=1 index=27 mtu=15324 link=0 master=0
if=npu0_vlink1 family=00 type=1 index=28 mtu=15324 link=0 master=0
if=modem family=00 type=512 index=29 mtu=1500 link=0 master=0
if=root family=00 type=772 index=30 mtu=16436 link=0 master=0
if=ssl.root family=00 type=65534 index=31 mtu=1500 link=0 master=0
if=BOND1 family=00 type=1 index=32 mtu=1500 link=0 master=0
if=vsw.BOND1 family=00 type=1 index=33 mtu=1500 link=0 master=0
if=qtn.BOND1 family=00 type=1 index=34 mtu=1500 link=0 master=0
if=VLAN100 family=00 type=1 index=35 mtu=1500 link=0 master=0
if=VLAN200 family=00 type=1 index=36 mtu=1500 link=0 master=0
if=VLAN901 family=00 type=1 index=37 mtu=1500 link=0 master=0
if=VLAN12 family=00 type=1 index=38 mtu=1500 link=0 master=0
if=VLAN13 family=00 type=1 index=39 mtu=1500 link=0 master=0
if=lan family=00 type=1 index=40 mtu=1500 link=0 master=0
if=vsys_ha family=00 type=772 index=41 mtu=16436 link=0 master=0
if=port_ha family=00 type=1 index=42 mtu=1496 link=0 master=0
if=vsys_fgfm family=00 type=772 index=43 mtu=16436 link=0 master=0
if=tun_fgfm family=00 type=65534 index=44 mtu=1492 link=0 master=0
if=B family=00 type=768 index=45 mtu=1438 link=0 master=0

FG100E4Q16003872 # config system interface
FG100E4Q16003872 (interface) # edit wan1
FG100E4Q16003872 (wan1) # set tcp-mss 1452
FG100E4Q16003872 (wan1) # end
FG100E4Q16003872 # config firewall policy
FG100E4Q16003872 (policy) # edit 1
FG100E4Q16003872 (1) # set tcp-mss-sender 1452
FG100E4Q16003872 (1) # set tcp-mss-receiver 1452
FG100E4Q16003872 (1) # end

https://live.paloaltonetworks.com/t5/Learning-Articles/TCP-MSS-adjustment-for-IPSec-traffic/ta-p/74988
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Verify-MTU-Size-Exceeded/ta-p/58989
https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Improve-Performance-for-IPSec-Traffic/ta-p/53301


 



Clearing policy hit counters (100004 is the IPv4 forward-policy table in iprope):
To show the statistics of policy <policy_id>:
# diag firewall iprope show 100004 <policy_id>
For example:
# diag firewall iprope show 100004 2
idx=2 pkts/bytes=1732/262451

To clear the statistics for this policy:
# diag firewall iprope clear 100004 2

# diag firewall iprope show 100004 2
idx=2 pkts/bytes=0/0


 



Link-monitor configuration (FQDN probe target with explicit gateway and source IP, one monitor per WAN link):
config system link-monitor
edit "Monitor_WAN1_DX"
set srcintf "wan1"
set server "www.189.cn"
set gateway-ip 116.228.1.25
set source-ip 116.228.1.26
set failtime 3
set recoverytime 3
next
edit "Monitor_WAN2"
set srcintf "wan2"
set server "www.10010.com"
set gateway-ip 210.13.66.117
set source-ip 210.13.66.118
set failtime 3
set recoverytime 3
next
end


 



Packets out of order:
TCP reordering on NP-offloaded sessions; delay offload until the handshake completes:
config firewall policy
edit 1
set name "TO_Internet_Policy"
set srcintf "port11"
set dstintf "port9"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set delay-tcp-npu-session enable
set nat enable
next
end


 



https://mantis.fortinet.com/bug_view_page.php?bug_id=0365497

B1026 : possible packet out-of-order with NP6 during TCP session establishment - (new CLI)

[ History ]

- Issue was first reported by Bouygues Telecom with a FortiGate-3950B (NP4)
- Further testing was made with a FortiGate-1500D (NP6) where the problem can still be reproduced in the lab (FortiOS 5.4 GA)
- As suggested, opening a bug to track the issue.

[ Problem Description ]

When the host interface is busy (packets queuing in the FIFO), it is possible that the 3rd TCP session establishment ACK received from the client is transmitted to the server after data packets. This may or may not cause an issue to the server depending on the case:

1) one single DATA segment managed to sneak before the 3rd handshake ACK:

Since the segment relative sequence number is 1 (just like the 3rd ACK packet), it may be seen by the server as a TCP handshake 3rd ACK containing data (piggyback).
When the real 3rd ACK then arrives, it is considered a duplicate ACK but does not cause a real problem to the application.
Note: If a stateful firewall exists between the FortiGate and the server, this may be a problem and generate a Reset causing the failure of the TCP session.

2) more than 1 DATA segment manages to sneak before the 3rd handshake ACK:

If 2 data packets sneak, the sequence number for the second packet is higher than 1 (depending on the data length of the first packet). In this scenario, the server may not consider the TCP session handshake to be completed and sends a reset causing the session to fail.

These 2 scenarios were observed and reproduced in the lab using traffic stressers.
It is not systematic to all sessions and requires a busy host.

Reason for TCP handshake ACK out-of-order:

The reason for these scenarios is explained in the attached document "NP6_OOO_on_busy_CPU_v2.pdf".
Please note this document is for internal use only.

[ Diagram ]

See Diagram.png

[ Reproduction Scenario ]

This is a reproduction from the lab run by Vincent.

Use a FortiGate-1500D running 5.4 GA with 4 ports where:

- 2 ports Port39 and Port36 are used to generate http 21k traffic (11K sessions per second, 2Gbps) passing through a UTM/IPS policy from an Avalanche
=> The only goal of this traffic is to create a busy host interface condition.

- 2 ports Port33 and Port38 with a firewall only policy connected to an Avalanche generating SIP traffic.
=> SIP is chosen here because it allows the client to send more than 1 DATA packet immediately after the client has sent its 3rd ACK handshake packet.

A BreakingPoint is used as a 'network probe' receiving traffic on the FortiGate server side from the switch configured with a SPAN port.
Attached pcap files 'client.pcap' and 'server.pcap' are extracted from the BreakingPoint in lab testing.

Other trace

[ Attached files ]

- NP6_OOO_on_busy_CPU_v2.pdf : Explanation of the cause

Lab files/traces with FortiGate-1500D :

- Diagram.png
- NPI_default.spf : Avalanche test file
- config_1500D_nturbo_ips_cps.conf : FortiGate configuration
- vince-mirror.bpt : BreakingPoint test file (used to capture mirrored traffic from the switch)
- client.pcap : pcap extracted from the switch port mirror, client side
- server.pcap : pcap extracted from the switch port mirror, server side

[ Expected Behavior ]

FortiGate should not create out-of-order packets during the TCP handshake.
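Added example (not part of the bug report or of FortiOS): a small classifier that takes the client-to-server segments of one connection in the order the server saw them (e.g. walked out of a server-side capture like server.pcap) and reports which of the two scenarios above applies. Segment records and sequence numbers are constructed, relative to the client's ISN (SYN = 0, third ACK and first data = 1).

```python
def seg(flags, seq, length):
    """Build one client->server segment record (constructed test data)."""
    return {'flags': set(flags.split('/')), 'seq': seq, 'len': length}


def classify_handshake(segments):
    """Classify how data segments were ordered relative to the bare 3rd ACK.

    Returns {'scenario', 'data_before_ack', 'likely_rst'} where scenario is
    'ok', 'single-data-before-ack' (scenario 1), 'multi-data-before-ack'
    (scenario 2) or 'no-third-ack' (no bare ACK with relative seq 1 seen).
    """
    saw_syn = False
    saw_third_ack = False
    data_before_ack = []
    for s in segments:
        flags = s['flags']
        if 'SYN' in flags:
            saw_syn = True
            continue
        if not saw_syn or 'RST' in flags:
            continue
        # The bare third ACK of the handshake: no payload, relative seq 1.
        if 'ACK' in flags and s['len'] == 0 and s['seq'] == 1:
            saw_third_ack = True
            break
        if s['len'] > 0:
            data_before_ack.append(s)

    n = len(data_before_ack)
    if not saw_third_ack:
        scenario = 'no-third-ack'
    elif n == 0:
        scenario = 'ok'
    elif n == 1:
        # seq 1 carrying data looks like a piggybacked 3rd ACK to the server;
        # the real ACK then arrives as a duplicate (harmless unless a stateful
        # firewall between FortiGate and server resets the session).
        scenario = 'single-data-before-ack'
    else:
        # The second data segment has seq > 1, so from the server's view the
        # handshake was never completed and it may answer with a reset.
        scenario = 'multi-data-before-ack'
    return {'scenario': scenario, 'data_before_ack': n,
            'likely_rst': scenario == 'multi-data-before-ack'}


# Constructed captures, relative sequence numbers (SYN = 0).
NORMAL = [seg('SYN', 0, 0), seg('ACK', 1, 0),
          seg('PSH/ACK', 1, 100), seg('PSH/ACK', 101, 50)]
# Scenario 1: one data segment overtakes the bare third ACK.
ONE_DATA_FIRST = [seg('SYN', 0, 0), seg('PSH/ACK', 1, 100),
                  seg('ACK', 1, 0), seg('PSH/ACK', 101, 50)]
# Scenario 2: two data segments overtake it; the second has seq 101.
TWO_DATA_FIRST = [seg('SYN', 0, 0), seg('PSH/ACK', 1, 100),
                  seg('PSH/ACK', 101, 50), seg('ACK', 1, 0)]
```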


 



Out-of-order for all packets (pin both ports to the same CPU core):
config port-cpu-map
edit "port9"
set cpu-core "3"
next
edit "port11"
set cpu-core "3"
next
end


 



FG900D3915800574 # get hardware status  
Model name: FortiGate-900D
ASIC version: CP8
ASIC SRAM: 64M
CPU: Intel(R) Xeon(R) CPU E3-1225 v3 @ 3.20GHz
Number of CPUs: 4
RAM: 16065 MB
Compact Flash: 1925 MB /dev/sda
Hard disk: 244198 MB /dev/sdb
USB Flash: not available
Network Card chipset: FortiASIC NP6 Adapter (rev.)

G900D3915800574 # get system performance status
CPU states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU0 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU1 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU2 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU3 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
Memory: 16450708k total, 3300036k used (20%), 13150672k free (80%)
Average network usage: 49 / 4 kbps in 1 minute, 46 / 1 kbps in 10 minutes, 46 / 0 kbps in 30 minutes
Average sessions: 49 sessions in 1 minute, 35 sessions in 10 minutes, 32 sessions in 30 minutes
Average session setup rate: 0 sessions per second in last 1 minute, 0 sessions per second in last 10 minutes, 0 sessions per second in last 30 minutes
Average NPU sessions: 1 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
Average nTurbo sessions: 0 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 1 days, 19 hours, 20 minutes


 




Logging anomalous packets that do not create a session:

Log anomalous packets that do not create a session, e.g. SYN+ACK/FIN+ACK, or packets that fail the RPF check.
config log setting
set log-invalid-packet enable
end

config log disk filter
set severity warning
set forward-traffic enable
end
date=2018-02-08 time=21:14:13 logid=0000000007 type=traffic subtype=forward level=warning vd=root srcip=124.124.125.27 srcport=46311 srcintf="port24" dstip=133.133.133.122 dstport=80 dstintf=unknown-0 proto=6 action=deny policyid=0 dstcountry="Japan" srccountry="India" trandisp=noop service="HTTP" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 msg="no session matched"

date=2018-02-08 time=21:49:19 logid=0000000007 type=traffic subtype=forward level=warning vd=root srcip=124.124.124.255 srcport=15062 srcintf="port24" dstip=133.133.133.122 dstport=80 dstintf=unknown-0 sessionid=2095719319 proto=6 action=deny policyid=0 dstcountry="Japan" srccountry="India" trandisp=noop service="HTTP" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 msg="reverse path check fail(bad src),drop"
mantis:0473183
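Added example (not from the page or FortiOS): a parser for the key=value FortiOS traffic log format shown above that tallies "no session matched" and "reverse path check fail" warnings by reason and ingress interface, so a burst from one source or interface stands out. The sample lines are constructed to mirror the two warnings above; addresses are made up.

```python
import re
from collections import Counter

# Constructed sample lines in the FortiOS key=value traffic log format
# (modelled on the two warning lines above; addresses are made up).
SAMPLE_LOGS = [
    'date=2018-02-08 time=21:14:13 logid=0000000007 type=traffic subtype=forward '
    'level=warning vd=root srcip=198.51.100.27 srcport=46311 srcintf="port24" '
    'dstip=203.0.113.122 dstport=80 dstintf=unknown-0 proto=6 action=deny '
    'policyid=0 service="HTTP" msg="no session matched"',
    'date=2018-02-08 time=21:49:19 logid=0000000007 type=traffic subtype=forward '
    'level=warning vd=root srcip=198.51.100.255 srcport=15062 srcintf="port24" '
    'dstip=203.0.113.122 dstport=80 dstintf=unknown-0 sessionid=2095719319 '
    'proto=6 action=deny policyid=0 service="HTTP" '
    'msg="reverse path check fail(bad src),drop"',
    # An ordinary accepted session, constructed, to show it is skipped.
    'date=2018-02-08 time=21:50:02 type=traffic subtype=forward level=notice '
    'vd=root srcip=192.0.2.10 srcport=51000 srcintf="port1" dstip=203.0.113.122 '
    'dstport=80 dstintf="port24" proto=6 action=accept policyid=1 service="HTTP"',
]

# key=value, where the value is either a double-quoted string or a bare token.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(line):
    """Split one FortiOS log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def classify(rec):
    """Map the msg field of a denied packet to a short reason tag."""
    msg = rec.get('msg', '')
    if msg.startswith('no session matched'):
        return 'no-session'   # e.g. stray SYN+ACK / FIN+ACK without a table entry
    if msg.startswith('reverse path check fail'):
        return 'rpf-fail'     # source not routable back via the ingress interface
    return 'other'


def summarize(lines):
    """Count invalid-packet warnings by reason, ingress interface and source."""
    by_reason, by_intf, by_src = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_fortios_log(line)
        # Only the log-invalid-packet warnings are of interest here.
        if rec.get('level') != 'warning' or rec.get('action') != 'deny':
            continue
        reason = classify(rec)
        by_reason[reason] += 1
        by_intf[rec.get('srcintf', '?')] += 1
        by_src[(reason, rec.get('srcip', '?'))] += 1
    return {'by_reason': dict(by_reason), 'by_srcintf': dict(by_intf),
            'by_src': dict(by_src)}
```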


 


 



Dropped packets also create a session entry, which is kept for 30 s (block-session-timer). In some cases this can mitigate certain DDoS attacks.
config system settings
set ses-denied-traffic enable
end

BJFG300D (settings) # set ses-denied-traffic
enable Include denied sessions in the session table.
disable Do not add denied sessions to the session table.

BJFG300D (global) # get | grep sess
auth-session-limit : block-new
av-failopen-session : disable
block-session-timer : 30
proxy-re-authentication-mode: session
reset-sessionless-tcp: disable
strict-dirty-session-check: enable


 




Sandbox new package (may require bypassing the Great Firewall to download):
http://192.241.194.166/downloader


Technical Note: Technical support on customization on various Fortinet products
http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD33500
Custom IPS signatures from Fortinet
Customizing reports generated by FortiGate


Long-lived sessions (session TTL):
Technical Note : Changing the TCP session TTL (time to live) on a FortiGate
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30171&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=47234697&stateId=1%200%2047236305

Technical Note: Priority of session-ttl settings in FortiGate
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD37296&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=47234747&stateId=1%200%2047236355

Technical Note: Session TTL values and Policy RST for Sessions
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36001&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=47234747&stateId=1%200%2047236355


 




Optical transceiver power:
View fiber attenuation and optical module power.
FG3K2D3Z17800004 # get sys interface transceiver
Interface port5: SFP/SFP+
Vendor Name: Axcen Photonics
Part No. : AXXE-5886-05B1
Serial No. : AX16430003258
Interface port6: SFP/SFP+
Vendor Name: OEM
Part No. : DEM-431TX
Serial No. : H08LA0039
Interface port7: SFP/SFP+
Vendor Name: OEM
Part No. : SFP-T-F
Serial No. : F80T061
Interface port8: SFP/SFP+
Vendor Name: OEM
Part No. : SFP-GE-T
Serial No. : CSGETG40333
Interface port17: SFP/SFP+
Vendor Name: Axcen Photonics
Part No. : AXXE-5886-05B1
Serial No. : AX15190014113
Interface port18: SFP/SFP+
Vendor Name: Axcen Photonics
Part No. : AXXE-5886-05B1
Serial No. : AX15190014090
Interface port19: SFP/SFP+
Vendor Name: Axcen Photonics
Part No. : AXXE-5886-05B1
Serial No. : AX15190014109
Interface port25: SFP/SFP+
Vendor Name: OPLINK
Part No. : TPP1XGDS0E000E2
Serial No. : 7331850

                                       Optical   Optical   Optical
SFP/SFP+     Temperature  Voltage      Tx Bias   Tx Power  Rx Power
Interface    (Celsius)    (Volts)      (mA)      (dBm)     (dBm)
------------ -----------  -----------  --------  --------  --------
port5        32.5         3.31         6.07      -1.8      -1.4
port6        35.4         3.23         6.10      -1.8      -2.5
port7        N/A          N/A          N/A       N/A       N/A
port8        N/A          N/A          N/A       N/A       N/A
port17       34.0         3.31         5.78      -1.9      -1.0 +
port18       33.8         3.32         7.43      -1.9      -1.8
port19       34.1         3.30         6.27      -1.8      -1.3
port25       23.0         3.27         5.18      -2.6      -1.7
++ : high alarm, + : high warning, - : low warning, -- : low alarm, ? : suspect.


 




 



FGT1KD3915801542 # execute  sensor list  
1 CPU VCCP alarm=0 value=1.7743 threshold_status=0
2 PVDDQ alarm=0 value=1.52 threshold_status=0
3 DDR VTT alarm=0 value=0.768 threshold_status=0
4 CPU VCORE alarm=0 value=1.776 threshold_status=0
5 NCT 3VDD alarm=0 value=3.36 threshold_status=0
6 NCT VCC3 alarm=0 value=3.312 threshold_status=0
7 NCT 3VSB_HM alarm=0 value=3.312 threshold_status=0
8 NCT CPU_Vtt alarm=0 value=1.008 threshold_status=0
9 NCT VBAT alarm=0 value=3.168 threshold_status=0
10 PCB Temp. alarm=0 value=28 threshold_status=0 // mainboard temperature
11 D1 alarm=0 value=42 threshold_status=0
12 D2 alarm=0 value=40 threshold_status=0
13 TR3 alarm=0 value=27 threshold_status=0
14 DTS CPU alarm=0 value=53 threshold_status=0 // CPU temperature
15 CPU Core 0 alarm=0 value=54 threshold_status=0 // CPU core temperature
16 CPU Core 1 alarm=0 value=52 threshold_status=0
17 CPU Core 2 alarm=0 value=54 threshold_status=0
18 CPU Core 3 alarm=0 value=51 threshold_status=0
19 Sys Fan 1 alarm=0 value=3200 threshold_status=0 // fan on the mainboard, 3200 rpm
20 Sys Fan 2 alarm=0 value=3200 threshold_status=0 // fan on the mainboard, 3200 rpm
21 Sys Fan 3 alarm=0 value=3200 threshold_status=0 // fan on the mainboard, 3200 rpm
22 PS1 Ambient Temp alarm=0 (scanning disabled)
23 PS1 Comp Temp alarm=0 (scanning disabled)
24 PS1 Fan 1 alarm=0 (scanning disabled) // no value: the PS1 fan is not spinning or no power supply is plugged in
25 PS1 VIN alarm=0 (scanning disabled)
26 PS1 VOUT_12V alarm=0 (scanning disabled)
27 PS1 Status alarm=0 (not detected) // PS1 module is not inserted
28 PS2 Ambient Temp alarm=0 value=33 threshold_status=0
29 PS2 Comp Temp alarm=0 value=35 threshold_status=0
30 PS2 Fan 1 alarm=0 value=12160 threshold_status=0 // PS2 power supply fan, 12160 rpm
31 PS2 VIN alarm=0 value=230 threshold_status=0
32 PS2 VOUT_12V alarm=0 value=12.284 threshold_status=0
33 PS2 Status alarm=0 // PS2 power supply module operating time

Technical Note: Enable creation of TCP session on the firewall without checking for a SYN packet
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD40929&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=47234673&stateId=1%200%2047236281


 



diagnose log test    This command generates all kinds of logs, including attack logs


 


IPsec VPN certificate authentication failure

With IPsec VPN certificate authentication the IKE packets are fragmented; the peer cannot reassemble the IKE messages correctly and therefore never obtains the complete certificate:


[Figure: packet capture 11]

[Figure: packet capture 12]


 




Synchronize the TTL of IPS sessions with the sessions in memory (kernel session table):
config ips global
set sync-session-ttl enable
end

View the IPS session table:
dia ips session list


 

huayun.py



#!/usr/bin/env python
# -*- coding:utf-8 -*-
# Date: 2018

import re
import getpass
import time
from telnetlib import Telnet

try:
    read_input = raw_input  # Python 2
except NameError:
    read_input = input      # Python 3


def login(host, port, username, password):
    """Log in over telnet and enter 'config global' (multi-VDOM unit)."""
    tn = Telnet(host, port, timeout=5)
    tn.read_until(b"login:")
    tn.write(username.encode('ascii') + b"\r\n")
    tn.read_until(b"Password:")
    tn.write(password.encode('ascii') + b"\r\n")
    tn.read_until(b"#")
    tn.write(b"\r\n")
    tn.read_until(b"#")
    tn.write(b"config global" + b"\n")
    tn.read_until(b"#")
    return tn


def get_system_status(tn):
    # Note: the firewall may not print all of the output at once (paging).
    # Configure "config system console / set output standard" to avoid this.
    tn.write(b"get sys status\n")
    sysinfo = tn.read_until(b"#").decode('ascii')
    sysinfo = re.split(r'[\r]+', sysinfo)
    for line in sysinfo:
        if 'Version' in line:
            System_Info['platform'] = re.split(r'[\s]+', line)[2]
            System_Info['version'] = re.split(r'[\s]+', line)[3]
        if 'Serial-Number' in line:
            System_Info['serialNumber'] = re.split(r'[:]+', line)[1]
            continue
        if 'Virtual domain configuration' in line:
            System_Info['vdom'] = re.split(r'[:]+', line)[1]
            continue
        if 'Current HA mode' in line:
            System_Info['haMode'] = re.split(r'[:]+', line)[1]
            break


def get_sys_cpuMem(tn):
    """Return (cpu, mem) usage in percent; the output format depends on the FortiOS version."""
    tn.write(b"get sys perf status\n")
    usage = tn.read_until(b"#").decode('ascii')
    ver = System_Info['version'][0:4]
    if ver in ('v5.2', 'v5.4'):
        cpuUsage = re.findall(r'CPU states:(.*)', usage)[0].strip(' ')
        fields = re.split(r'[\s\-\(\>\)]+', cpuUsage)
        # user% + system%
        cpuUsage = int(fields[0].strip('%')) + int(fields[2].strip('%'))
        memUsage = re.findall(r'Memory states: (.*) used', usage)[0].strip('%')
        return cpuUsage, memUsage
    if ver == 'v5.6':
        cpuUsage = re.findall(r'CPU states:(.*)', usage)[0].strip(' ')
        memUsage = re.findall(r'Memory: (.*)', usage)[0].rstrip('\r')
        cpuUsage = re.split(r'[\s\-\(\>\)]+', cpuUsage)[2].strip('%')
        # "... 3300036k used (20%), ..." -> "20"
        memUsage = re.split(r'[\s]+', memUsage)[4].lstrip('(').rstrip('%),')
        return cpuUsage, memUsage
    # v6.0 output parsing is not implemented yet
    raise NotImplementedError('unsupported FortiOS version: %s' % ver)


host = '10.139.130.72'
port = 23
username = read_input('Please input username: ')
password = getpass.getpass('Please input password: ')
System_Info = {'platform': '', 'serialNumber': '', 'version': '', 'vdom': '', 'haMode': ''}

filetime = time.strftime('%Y%m%d-%Hh%Mm%Ss')
f = open('ips_' + filetime + '.txt', 'w')

"""
Tested on Python 2.7.14 and 3.6.4
"""
if __name__ == '__main__':
    """
    get_system_status(tn) collects the firewall model, version, VDOM and HA
    state for the other functions to use.
    Note "config system console / set output standard" (the default is "more",
    which may prevent the expected "#" prompt from appearing).
    """
    cpuhigh = 48
    memhigh = 75
    tn = login(host, port, username, password)
    get_system_status(tn)
    while True:
        cpuUsage, memUsage = get_sys_cpuMem(tn)
        print("CPU usage = %s, MEM usage = %s" % (cpuUsage, memUsage))
        # tn.write(b"config global" + b"\n")
        tn.write(b"exec date" + b"\n")
        temp = tn.read_until(b"#").decode('ascii')
        tn.write(b"exec time" + b"\n")
        temp = temp + tn.read_until(b"#").decode('ascii')
        tn.write(b"get sys performance status" + b"\n")
        temp = temp + tn.read_until(b"#").decode('ascii')
        tn.write(b"get system session-info statistics" + b"\n")
        temp = temp + tn.read_until(b"#").decode('ascii')
        tn.write(b"diagnose ips session status" + b"\n")
        temp = temp + tn.read_until(b"#").decode('ascii')
        tn.write(b"diagnose ips memory status" + b"\n")
        temp = temp + tn.read_until(b"#").decode('ascii')
        f.write(temp + '\n')
        if int(cpuUsage) >= cpuhigh:
            # CPU high: collect top, IPS session details and process traces
            # (PIDs 15705/15706 are hard-coded for the unit under test)
            tn.write(b"diagnose sys top 2 99" + b"\n")
            time.sleep(6)
            tn.write(b"q")
            cputemp = tn.read_until(b"#").decode('ascii')
            tn.write(b"dia ips session performance" + b"\n")
            cputemp = cputemp + tn.read_until(b"#").decode('ascii')
            tn.write(b"dia ips session list" + b"\n")
            cputemp = cputemp + tn.read_until(b"#").decode('ascii')
            tn.write(b"dia sys process trace 15705" + b"\n")
            # time.sleep(6)
            cputemp = cputemp + tn.read_until(b"#").decode('ascii')
            tn.write(b"dia sys process trace 15706" + b"\n")
            # time.sleep(6)
            cputemp = cputemp + tn.read_until(b"#").decode('ascii')
            f.write('cpu high //////////////////////////\n' + cputemp + '\n')
        if int(memUsage) >= memhigh:
            # Memory high: collect top, disk usage, IPS memory/packet/session
            # status and the /proc memory maps of the two processes
            tn.write(b"diagnose sys top 2 99" + b"\n")
            time.sleep(6)
            tn.write(b"q")
            memtemp = tn.read_until(b"#").decode('ascii')
            tn.write(b"fnsysctl df -h" + b"\n")
            memtemp = memtemp + tn.read_until(b"#").decode('ascii')
            tn.write(b"dia ips memory status" + b"\n")
            memtemp = memtemp + tn.read_until(b"#").decode('ascii')
            tn.write(b"dia ips packet status" + b"\n")
            memtemp = memtemp + tn.read_until(b"#").decode('ascii')
            tn.write(b"dia ips session status" + b"\n")
            memtemp = memtemp + tn.read_until(b"#").decode('ascii')
            tn.write(b"fnsysctl cat /proc/15705/status" + b"\n")
            memtemp = memtemp + tn.read_until(b"#").decode('ascii')
            tn.write(b"fnsysctl cat /proc/15705/maps" + b"\n")
            memtemp = memtemp + tn.read_until(b"#").decode('ascii')
            tn.write(b"fnsysctl cat /proc/15705/smaps" + b"\n")
            memtemp = memtemp + tn.read_until(b"#").decode('ascii')
            tn.write(b"fnsysctl cat /proc/15706/status" + b"\n")
            memtemp = memtemp + tn.read_until(b"#").decode('ascii')
            tn.write(b"fnsysctl cat /proc/15706/maps" + b"\n")
            memtemp = memtemp + tn.read_until(b"#").decode('ascii')
            tn.write(b"fnsysctl cat /proc/15706/smaps" + b"\n")
            memtemp = memtemp + tn.read_until(b"#").decode('ascii')
            f.write('mem high //////////////////////////\n' + memtemp + '\n')
            # trigger an HA failover away from this unit and stop polling
            tn.write(b"diagnose sys ha reset-uptime" + b"\n")
            break
        time.sleep(10)
    f.close()


 

testSMTP.py



#!/usr/bin/env python
# -*- coding:utf-8 -*-
# Author : Jerry Liu
# Date: 2018

import getpass
import smtplib

# Connect to the mail relay; a connection failure propagates as an exception.
sm = smtplib.SMTP('mail.fortinet.com', 25, timeout=3)

emailpwd = getpass.getpass('Please input email password: ')
# login() returns (code, message); code 235 means authentication succeeded,
# and it raises smtplib.SMTPAuthenticationError on a bad password.
authcode = sm.login('mliu', emailpwd)

# Headers must be separated from the body by an empty line.
msg = 'From: mliu@fortinet.com\n' \
      'To: mliu@fortinet.com; ftnt@qq.com\n' \
      'Subject: test python\n' \
      '\n' \
      'HA failover just now !!!\n' \
      'HA failover just now !!!\n'
tolist = ["mliu@fortinet.com", "ftnt@qq.com"]
if authcode[0] == 235:
    sm.sendmail('mliu@fortinet.com', tolist, msg)
sm.quit()


 



BJLab-240D-90-254 # fnsysctl df -h
Filesystem Size Used Available Use% Mounted on
rootfs 1.9G 78.8M 1.8G 4% /
tmpfs 1.9G 78.8M 1.8G 4% /
none 3.4G 1.3M 3.4G 0% /tmp
none 3.4G 37.1M 3.4G 1% /dev/shm
none 3.4G 16.6M 3.4G 0% /dev/cmdb
/dev/sda1 247.9M 41.7M 193.4M 18% /data
/dev/sda3 14.1G 52.5M 13.4G 0% /data2
/dev/sdb1 58.6G 17.6G 38.0G 32% /var/log


 





 


 




Proxy-mode TCP_OPTION setting:
fgt-3700D-LAB # config system global
fgt-3700D-LAB (global) # get | grep tcp
reset-sessionless-tcp: disable
tcp-halfclose-timer : 120
tcp-halfopen-timer : 10
tcp-option : enable
tcp-timewait-timer : 1
fgt-3700D-LAB (global) # set tcp-option
enable Enable TCP option.
disable Disable TCP option.


 


==================== End