Fortigate: Hardware Offloading Processor

The Fortigate is fitted with an ASIC that can take over certain tasks from the CPU (offloading). Which processor is built in can be read out like this:

FG-PH-Arnstadt # get hardware status
Model name: FortiGate-30D
ASIC version: CP0
ASIC SRAM: 64M
CPU: FortiSOC2
Number of CPUs: 1
RAM: 932 MB
Compact Flash: 3879 MB /dev/sda
Hard disk: not available
USB Flash: not available

Fortigate: Debug / Troubleshoot / VPN Troubleshooting

Reset a VPN tunnel and inspect its state:

diag vpn tunnel reset <phase1 name>
get vpn ike gateway <name>
get vpn ipsec tunnel name <name>
get vpn ipsec tunnel details
diagnose vpn tunnel list
diagnose vpn ipsec status            # shows all crypto devices with counters that are used by the VPN
get router info routing-table all

Debug the IKE negotiation (set a log filter first so the output only covers the peer you are troubleshooting, otherwise a busy box floods the console):

diagnose debug reset
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter ?
diagnose vpn ike log-filter dst-addr4 <remote IPv4>
diagnose debug app ike 255           # shows phase 1 and phase 2 output
diagnose debug enable
# after enough output, disable the debug:
diagnose debug disable

Fortigate: Show Routing Table

FG-PH-Arnstadt # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*   [10/0] is directly connected, ERFURT
C    is directly connected, lan4
S    [10/0] via, wan
C    is directly connected, wan

Fortigate: VPN Troubleshooting

IPsec VPN Troubleshooting

This section contains tips to help you with some common challenges of IPsec VPNs. A VPN connection has multiple stages that can be confirmed to ensure the connection is working properly. It is easiest to check the final stage first: if it succeeds, the earlier stages must already be working. Otherwise, work back through the stages to see where the problem is located. When a VPN connection is properly established, traffic flows from one end to the other as if both ends were physically in the same place. If you can determine that the connection is working properly, any remaining problems are likely in your applications. …

Read more ... Fortigate: VPN Troubleshooting

Fortigate: Built-in Sniffer / Packet Trace / TcpDump

Introduction
All FortiGate firewalls come with a capable built-in packet sniffer. Anyone who knows tcpdump will like the sniffer too.

Basics
The packet sniffer sits inside the FortiGate and can capture traffic on one specific interface or on all interfaces. There are six verbose levels, 1 to 6 (1 = little output, 6 = a lot); levels 4 to 6 print the same as 1 to 3 but add the interface name:
1: print header of packets
2: print header and data from IP of packets
3: print header and data from Ethernet of packets
4: print header of packets with interface name
5: print header and data from IP of packets with interface name
6: print header and data from Ethernet of packets with interface name

The first command:
# diag sniffer packet <interface> <'filter'> <verbose> <count> …

Read more ... Fortigate: Built-in Sniffer / Packet Trace / TcpDump
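At verbose levels 3 and 6 the sniffer prints each frame as a hex dump on the console, not as a pcap file, so to analyse a capture in Wireshark the text has to be converted first (Fortinet provides a Perl script, fgt2eth.pl, for this). The converter below is an added example, not code from the original post and not Fortinet's tool. It assumes the usual layout of the sniffer output, a timestamp line per packet followed by `0x0000`-style hex lines with an ASCII column, and the embedded sample capture is constructed for the example, not a real trace. If the offsets on the hex lines do not add up (a sign that the copy from the terminal is truncated or garbled) the parser raises instead of silently writing a broken pcap.

```python
"""Convert FortiGate 'diagnose sniffer packet' hex output (verbose 3 or 6) to pcap.

Added example, not from the original post and not Fortinet's fgt2eth tool. The
line format handled here is an assumption based on typical FortiOS console
output; check it against your own capture before relying on it.
"""
import re
import struct
import sys
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

LINKTYPE_ETHERNET = 1    # verbose 3 / 6: hex dump starts at the Ethernet header
LINKTYPE_RAW = 101       # verbose 2 / 5: hex dump starts at the IP header

# Packet header line, e.g. "1.234567 wan1 -- 192.0.2.10 -> 192.0.2.1: icmp: echo request"
# or, with absolute timestamps, "2024-05-01 12:00:00.123456 wan1 in ..."
HEADER_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+|\d+\.\d+)\s+(.*)$")
# Hex line: offset, 16-bit groups separated by single spaces, then (optionally)
# an ASCII column separated by two or more spaces or a tab.
HEX_RE = re.compile(
    r"^0x([0-9a-fA-F]{4})[ \t]+((?:[0-9a-fA-F]{2,4} )*[0-9a-fA-F]{2,4})(?:[ \t]{2,}.*)?$"
)


@dataclass
class Packet:
    ts_sec: int
    ts_usec: int
    description: str
    data: bytearray = field(default_factory=bytearray)


def _split_timestamp(ts: str) -> Tuple[int, int]:
    """Return (seconds, microseconds) without going through float rounding."""
    if " " in ts:  # absolute timestamp; treated as UTC (assumption)
        dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
        return int(dt.timestamp()), dt.microsecond
    sec, _, frac = ts.partition(".")
    return int(sec), int(frac.ljust(6, "0")[:6])


def parse_sniffer_output(text: str) -> List[Packet]:
    """Parse console output into packets; lines that are neither a header nor a hex line are ignored."""
    packets: List[Packet] = []
    current: Optional[Packet] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEX_RE.match(line)
        if m and current is not None:
            offset = int(m.group(1), 16)
            if offset != len(current.data):  # truncated or garbled dump: refuse to continue
                raise ValueError(
                    f"hex offset 0x{offset:04x} does not match the {len(current.data)} bytes read so far"
                )
            current.data += bytes.fromhex(m.group(2).replace(" ", ""))
            continue
        m = HEADER_RE.match(line)
        if m:
            sec, usec = _split_timestamp(m.group(1))
            current = Packet(sec, usec, m.group(2))
            packets.append(current)
    # verbose 1 / 4 output has headers but no hex: nothing to write for those
    return [p for p in packets if p.data]


def to_pcap(packets: List[Packet], linktype: int = LINKTYPE_ETHERNET) -> bytes:
    """Serialise packets as a classic little-endian pcap (magic 0xa1b2c3d4, version 2.4)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for p in packets:
        out += struct.pack("<IIII", p.ts_sec, p.ts_usec, len(p.data), len(p.data))
        out += p.data
    return bytes(out)


# Constructed sample: an ICMP echo request/reply pair as the sniffer would print
# it at verbose 3 (42-byte frames, RFC 5737 addresses, made-up MACs and checksums).
SAMPLE = """\
interfaces=[wan1]
filters=[host 192.0.2.10 and icmp]
1.234567 wan1 -- 192.0.2.10 -> 192.0.2.1: icmp: echo request
0x0000   0011 2233 4455 6677 8899 aabb 0800 4500        .."3DUfw......E.
0x0010   001c 0001 0000 4001 f77b c000 020a c000        ......@..{......
0x0020   0201 0800 f7ff 0000 0000                       ..........
1.235001 wan1 -- 192.0.2.1 -> 192.0.2.10: icmp: echo reply
0x0000   6677 8899 aabb 0011 2233 4455 0800 4500        fw......"3DU..E.
0x0010   001c 0002 0000 4001 f77a c000 0201 c000        ......@..z......
0x0020   020a 0000 ffff 0000 0000                       ..........
2 packets received by filter
0 packets dropped by kernel
"""


def main(argv: List[str]) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} <sniffer-output.txt> <out.pcap>", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8", errors="replace") as fh:
        packets = parse_sniffer_output(fh.read())
    with open(argv[2], "wb") as fh:
        fh.write(to_pcap(packets))
    print(f"wrote {len(packets)} packets to {argv[2]}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Capture on the FortiGate with verbose 3 or 6 (so the Ethernet header is included), save the terminal session to a text file and run the script on it. For a verbose 2 or 5 capture the dump starts at the IP header, so pass `linktype=LINKTYPE_RAW` to `to_pcap`, otherwise Wireshark will try to decode IP bytes as an Ethernet header.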