Fortigate Tips and Tricks

This article presents some useful commands and tricks that you can use on the FortiGate CLI.


Debug Addresses:
Many times it happens that we have a lot of firewall policies referencing one address defined in our address pool, and we want to know which ones before we change it.
Let's take an example:
We have "WWW_Server" defined with the IP of 172.18.1.10. To see what policies are using this address we can use the following:

#diag sys checkused firewall.address:name 'WWW_Server'

The output lists every object that references the address; in our example it was a single entry, policy 14.

In case our address is in an address group, we can find out where that address group is used by executing the following command:

#diag sys checkused firewall.addrgrp:name 'Server_Groups'


The FortiGate also has a built-in packet sniffer (take that, Wireshark 😀 ). The general form is:

#diag sniffer packet <interface_name> '<filter>' <verbose_level> <count>

For example, to capture everything to or from one host on a single interface and see the full frames:

#diag sniffer packet <interface_name> 'host <ip_host>' 3

The filter uses tcpdump-style syntax. Verbose level 3 prints the headers plus the packet data from the Ethernet layer; level 6 prints the same and adds the interface name, which is what you want when sniffing on "any". The optional count stops the capture after that many packets.

If we would like to sniff all the interfaces on UDP port 67 or 68 we can try the following:

#diag sniff packet any 'udp port 67 or udp port 68' 6

To stop the sniffer press CTRL+C once. Do not press it twice or your PuTTY session will die 😉
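The hex dump the sniffer prints at verbose level 3 or 6 is the raw frame, so it can be turned back into a capture file for Wireshark. Here is an added example (not part of the original post, and not Fortinet's own fgt2eth.pl script that does the same job) that parses that output into a classic pcap file. It assumes the default relative-timestamp format (no "a" option) and the dump layout of offset, hex groups, tab, ASCII column; the sample capture is constructed for the example, with zeroed IP/UDP checksums, and the Packet field names are mine.

```python
"""Convert FortiGate 'diag sniffer packet ... 3|6' text output into a pcap file.

Example code added to this post, not Fortinet's own tool (Fortinet ships a
Perl script, fgt2eth.pl, for the same job).  The sample capture below is
constructed: two 46-byte DHCP-like UDP frames with zeroed IP/UDP checksums,
in the default relative-timestamp format.
"""
from __future__ import annotations

import re
import struct
from dataclasses import dataclass
from typing import Optional

# Header line printed before each packet's hex dump.  Verbose level 6 adds
# "<interface> in|out" after the timestamp; level 3 does not.
PKT_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?:(?P<iface>\S+)\s+(?P<dir>in|out)\s+)?"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s*(?P<desc>.*)$"
)
# Hex dump line: offset, hex groups separated by single spaces, then (after
# a tab) an ASCII column that must not be treated as data.
HEX_LINE = re.compile(r"^0x[0-9a-fA-F]{4}\s+(?P<rest>.*)$")
HEX_TOKEN = re.compile(r"^(?:[0-9a-fA-F]{4}|[0-9a-fA-F]{2})$")

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1

# Constructed sample output (assumed format); not a real capture.
SAMPLE = """\
interfaces=[any]
filters=[udp port 67 or udp port 68]
2.234567 port1 in 192.168.1.5.68 -> 255.255.255.255.67: udp 4
0x0000\t ffff ffff ffff 0011 2233 4455 0800 4500\t........"3DU..E.
0x0010\t 0020 0001 0000 4011 0000 c0a8 0105 ffff\t. .....@........
0x0020\t ffff 0044 0043 000c 0000 dead beef\t...D.C.......
2.235102 port1 out 192.168.1.1.67 -> 192.168.1.5.68: udp 4
0x0000\t 0011 2233 4455 0022 3344 5566 0800 4500\t.."3DU."3DUf..E.
0x0010\t 0020 0002 0000 4011 0000 c0a8 0101 c0a8\t. .....@........
0x0020\t 0105 0043 0044 000c 0000 cafe f00d\t...C.D.......
"""


@dataclass
class Packet:
    ts: float                 # seconds relative to sniffer start
    iface: Optional[str]      # None when captured at verbose level 3
    direction: Optional[str]  # "in" / "out", None at verbose level 3
    desc: str                 # "src -> dst: proto ..." as printed
    data: bytes               # the full Ethernet frame


def _hex_bytes(rest: str) -> bytes:
    """Take the hex groups of one dump line and stop at the ASCII column."""
    hexpart = rest.split("\t")[0].strip()
    groups = []
    for tok in hexpart.split(" "):
        if not HEX_TOKEN.match(tok):
            break
        groups.append(tok)
    return bytes.fromhex("".join(groups))


def parse_sniffer(text: str) -> list[Packet]:
    """Parse sniffer output; interfaces=/filters= and other lines are skipped."""
    packets: list[Packet] = []
    for line in text.splitlines():
        m = PKT_LINE.match(line)
        if m:
            packets.append(Packet(float(m["ts"]), m["iface"], m["dir"],
                                  f'{m["src"]} -> {m["dst"]}: {m["desc"]}', b""))
            continue
        h = HEX_LINE.match(line)
        if h and packets:
            packets[-1].data += _hex_bytes(h["rest"])
    return packets


def to_pcap(packets: list[Packet]) -> bytes:
    """Serialise as a classic libpcap file (LINKTYPE_ETHERNET) for Wireshark."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535,
                                LINKTYPE_ETHERNET))
    for p in packets:
        sec = int(p.ts)
        usec = int(round((p.ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(p.data), len(p.data))
        out += p.data
    return bytes(out)


if __name__ == "__main__":
    pkts = parse_sniffer(SAMPLE)
    for p in pkts:
        print(f"{p.ts:.6f} {p.iface} {p.direction} {p.desc} ({len(p.data)} bytes)")
    with open("fortigate.pcap", "wb") as fh:
        fh.write(to_pcap(pkts))
```

Paste the terminal output of a level 3 or 6 capture into a file and feed it to parse_sniffer; level 1, 2, 4 and 5 do not print the Ethernet header, so the resulting pcap would be mis-dissected, which is why the capture command above uses 3 or 6.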

Fortigate CPU or Memory at 100%

From time to time we discover bugs, or the CPU/memory goes to 100% usage. Then we are left with a reboot, and if that does not fix it we need to check what process is using all the CPU or memory.

To do this we can use the following:

#diag debug en

#get sys status

#get sys perf status

#diag sys top 1 100

-> the first number is the refresh interval in seconds and the second is how many processes to list; the columns are process name, PID, state, CPU % and memory %. Let it run for 10-15 seconds and then stop it by pressing "q".

#diag hard sys mem

Let's say we found out that the process "authd" is using 100% of the CPU. Its PID is the second column of the diag sys top output. To restart it we can use the following:

#diag sys kill 11 <process_id>

In our case we will perform the following command:

#diag sys kill 11 51

Signal 11 (SIGSEGV) crashes the process (the crash is recorded in diag debug crashlog read) and the FortiGate re-spawns a fresh authd.
Some other signal IDs:
9 is SIGKILL
15 is SIGTERM
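Reading diag sys top by eye is fine for one box; for several, the same check is easy to script over SSH output. Here is an added example (not from the post and not a Fortinet tool) that parses a diag sys top snapshot, flags any process above a CPU or memory threshold and builds the diag sys kill line for it. It assumes the classic layout (a "Run Time" line, a CPU/memory summary line, then one row per process with name, PID, state, CPU %, memory %); the snapshot and the threshold values are constructed for the example.

```python
"""Find the runaway process in 'diag sys top' output.

Example code added to this post, not Fortinet's.  It assumes the classic
column layout (process name, PID, state, CPU %, memory %) printed by
'diag sys top <delay> <lines>'; the sample snapshot below is constructed.
"""
import re
from typing import NamedTuple

# "92U, 0N, 6S, 2I, 0WA, 0HI, 0SI, 0ST; 1990T, 612F" = user, nice, system,
# idle, iowait, hw irq, sw irq, steal (percent); total and free memory.
SUMMARY_LINE = re.compile(
    r"^(?P<user>\d+)U,\s*(?P<nice>\d+)N,\s*(?P<sys>\d+)S,\s*(?P<idle>\d+)I"
    r".*;\s*(?P<total>\d+)T,\s*(?P<free>\d+)F"
)
# "authd  51  R  91.2  1.3"; the state may carry a "<" (raised priority).
PROC_LINE = re.compile(
    r"^\s*(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<state>[A-Z])\s*<?\s+"
    r"(?P<cpu>\d+(?:\.\d+)?)\s+(?P<mem>\d+(?:\.\d+)?)"
)

# Constructed snapshot (assumed format); not output from a real unit.
TOP_SAMPLE = """\
Run Time:  12 days, 3 hours and 45 minutes
92U, 0N, 6S, 2I, 0WA, 0HI, 0SI, 0ST; 1990T, 612F
        authd        51      R      91.2     1.3
        ipsengine    87      S <     2.6    18.4
        wad         120      S       1.9    12.0
        cmdbsvr      45      S       0.0     3.5
        miglogd      99      S       0.0     1.1
"""


class Proc(NamedTuple):
    name: str
    pid: int
    state: str
    cpu: float
    mem: float


def parse_top(text):
    """Return (summary dict or None, list of Proc) from one snapshot."""
    summary = None
    procs = []
    for line in text.splitlines():
        s = SUMMARY_LINE.match(line)
        if s:
            summary = {k: int(v) for k, v in s.groupdict().items()}
            continue
        p = PROC_LINE.match(line)
        if p:
            procs.append(Proc(p["name"], int(p["pid"]), p["state"],
                              float(p["cpu"]), float(p["mem"])))
    return summary, procs


def runaway(procs, cpu_threshold=80.0, mem_threshold=50.0):
    """Processes above either threshold, worst CPU offender first."""
    hits = [p for p in procs if p.cpu >= cpu_threshold or p.mem >= mem_threshold]
    return sorted(hits, key=lambda p: (p.cpu, p.mem), reverse=True)


def kill_command(proc, signal=11):
    """CLI line that respawns the process: 11 crashes it so it is restarted;
    9 (SIGKILL) and 15 (SIGTERM) are the alternatives listed in the post."""
    return f"diag sys kill {signal} {proc.pid}"


if __name__ == "__main__":
    summary, procs = parse_top(TOP_SAMPLE)
    print(f"idle {summary['idle']}%  free {summary['free']} of {summary['total']}")
    for p in runaway(procs):
        print(f"{p.name} pid {p.pid} cpu {p.cpu}% mem {p.mem}%  ->  {kill_command(p)}")
```

Take a few snapshots a couple of seconds apart before acting on the result: a process that is busy in one sample and idle in the next is not the one to kill.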


Problems with Authentication?

To test a remote authentication server straight from the CLI we can use the following commands (the password is typed in clear text, so do it from a session you trust):

#diag test authserver radius <server_name> <chap | pap | mschap | mschap2> <username> <pwd>

The protocol argument only applies to RADIUS. Let's say we want to test a user's LDAP username and password; the LDAP form has no protocol argument:

#diag test authserver ldap <server_name> <username> <pwd>

If the authentication is successful then the FortiGate can reach the server, bind and find the user, so we are good to go on that side and the problem is somewhere else (the user group, the group mapping or the policy). If it fails, check the server's reachability and the bind credentials configured for that server first.


BASIC COMMANDS
To show the ARP table:

#diag ip arp list

To show the routing table (this is the kernel forwarding table; for the routing table with protocols and metrics use get router info routing-table all):

#diag ip route list

To check the NIC status (link, speed, counters) of one port on the Fortigate, e.g. port1:

#diag hard dev nic <port_name>

PPPoE:

#diag debug en
#diag debug app ppp 3


Hope this helps!
Happy firewalling and please comment if you have any questions. Thanks!