
Learning Fortigate

1. Configuring a FortiGate interface and allowing SSH

config system interface
edit "port1"
set vdom "root"
set ip 192.168.1.99 255.255.255.0
set allowaccess ping https ssh
set type hard-switch
set stp enable
set role lan
set snmp-index 6
next
end

2. Verify the interface config

show system interface port1

Enabling and disabling paging in FortiGate, for example when taking a full
backup of the config, so that continuous output can be obtained without
pressing space.

The following command enables continuous output on the console:

config system console
set output standard
end

The following command disables continuous output and restricts the console
to a specific number of lines at a time; further output is shown after
pressing space:

config system console
set output more
end

The baud rate of the local console connection can be changed from its
default value of 9600.

To change the baud rate:

config system console
set baudrate {9600 | 19200 | 38400 | 57600 | 115200}
end

3. Creating a firewall policy via the CLI

config firewall policy
edit 0
......
next
end

4. Editing a firewall policy

config firewall policy
edit 27
....
next
end

5. Deleting a firewall policy

config firewall policy
delete 30
end

6. All entries in a table can be cleared with the 'purge' command. This
isn't reversible and the entries can only be restored from a previous backup.

7. Changing the location of a firewall policy (the move keyword takes
before or after, not to)

config firewall policy
move 27 {before | after} 30
end

8. Copying an existing firewall policy

config firewall policy
clone 27 to 30
end

9. Renaming an administrator, e.g. from Flank to Frank

config system admin
rename Flank to Frank
end

10. Viewing the existing firewall policies

config firewall policy
get
end

11. Configuring the hostname in the CLI

config system global
set hostname 200F_YVR
end

12. Configuring the default route in the CLI

config router static
edit 0
set gateway 192.168.1.254
set device port1
next
end

13. Backing up the configuration using the CLI

Use one of the following commands:

execute backup config management-station <comment>

or for USB:

execute backup config usb <backup_filename> [<backup_password>]

or for FTP (the port number, user name and password are optional depending
on the FTP site):

execute backup config ftp <backup_filename> <ftp_server>[<:ftp_port>] [<user_name>] [<password>] [<backup_password>]

or for TFTP:

execute backup config tftp <backup_filename> <tftp_server> [<backup_password>]

or for SFTP:

execute backup config sftp <backup_filename> <sftp_server>[<:sftp_port>] <user> <password> [<backup_password>]

Use the same commands to back up a VDOM configuration by first entering
the VDOM:

config vdom
edit <vdom_name>

Restoring a configuration

To restore the FortiGate configuration using the CLI:

execute restore config management-station normal 0

or for USB:

execute restore config usb <backup_filename> [<backup_password>]

or for TFTP:

execute restore config tftp <backup_filename> <tftp_server> [<backup_password>]

Backup and restore the local certificates

This procedure exports a server (local) certificate and its private key
together as a password-protected PKCS12 file. The export file is written to
a customer-supplied TFTP server. Ensure that our TFTP server is running and
reachable from the FortiGate before entering the command.

To back up the local certificates:

Connect to the CLI and use the following command:

execute vpn certificate local export tftp <cert_name> <filename> <tftp_ip>

Where:
<cert_name> is the name of the server certificate.
<filename> is a name for the output file.
<tftp_ip> is the IP address assigned to the TFTP server host interface.

To restore the local certificates using the CLI:

execute vpn certificate local import tftp <filename> <tftp_ip>

Restore factory defaults

execute factoryreset

When prompted, type y to confirm the reset.

Alternatively, in the CLI we can reset to factory defaults but retain the
interface and VDOM configuration with the following command:

execute factoryreset2

To view the routing table in the CLI:

#get route info routing-table all

To list firewall policy routes (proute) in the CLI:

#diagnose firewall proute list

To view the DHCP lease list in the CLI:

#execute dhcp lease-list

To view the IPsec monitor in the CLI:

#diagnose vpn tunnel list

To monitor SSL-VPN users in the CLI:

#get vpn ssl monitor

To view firewall users in the CLI:

#diagnose firewall auth list

To configure logging to disk:

config log disk setting
set status enable
end

To include sniffer traffic and local-deny traffic in FortiView when the log
source is disk:

config report setting
set report-source forward-traffic sniffer-traffic local-deny-traffic
end

Troubleshooting

Use 'execute report flush-cache' and 'execute report recreate-db' to clear
up any irregularities that may be caused by upgrading or cache issues.

Traffic logs
To view traffic logs from disk:

1. Go to Log & Report, and select either the Forward Traffic, Local
Traffic, or Sniffer Traffic views.
2. In the top menu bar, click Log location and select Disk.

To view session data using the CLI:

#diagnose sys session list

The session table output in the CLI is very large. We can use the
supported filters in the CLI to show only the data you need.

To view session data with filters using the CLI:

#diagnose sys session filter <option>

To enable address object UUID logging in the CLI:

config system global
set log-uuid-address enable
end

To configure an interface in the CLI:

config system interface
edit <name>
set vdom <VDOM_name>
set mode {static | dhcp | pppoe}
set ip <IP_address/netmask>
set security-mode {none | captive-portal | 802.1X}
set egress-shaping-profile <profile>
set device-identification {enable | disable}
set allowaccess {ping https ssh http snmp telnet fgfm radius-acct probe-response fabric ftm}
set secondary-IP enable
config secondaryip
edit 1
set ip 9.1.1.2 255.255.255.0
set allowaccess ping https ssh snmp http
next
end
next
end

To create an aggregate interface in the CLI:

config system interface
edit "aggregate"
set vdom "root"
set ip 10.1.1.123 255.255.255.0
set allowaccess https ssh
set type aggregate
set member "port4" "port5" "port6"
set snmp-index 45
next
end

To create a redundant interface in the CLI:

config system interface
edit "redundant"
set vdom "root"
set ip 10.13.101.100 255.255.255.0
set allowaccess https http
set type redundant
set member "port4" "port5" "port6"
set snmp-index 9
next
end

Enhanced hashing for LAG member selection (Personal note: look up hashing in
more detail on Google)

config system npu
set lag-out-port-select {enable | disable}
config sw-eh-hash
set computation {xor4 | xor8 | xor16 | crc16}
set ip-protocol {include | exclude}
set source-ip-upper-16 {include | exclude}
set source-ip-lower-16 {include | exclude}
set destination-ip-upper-16 {include | exclude}
set destination-ip-lower-16 {include | exclude}
set source-port {include | exclude}
set destination-port {include | exclude}
set netmask-length {0 - 32}
end
end

For example, to use XOR16 and include all of the fields in the 5-tuple when
computing which link in the LAG interface a packet is distributed to:

config system npu
set lag-out-port-select enable
config sw-eh-hash
set computation xor16
set ip-protocol include
set source-ip-upper-16 include
set source-ip-lower-16 include
set destination-ip-upper-16 include
set destination-ip-lower-16 include
set source-port include
set destination-port include
set netmask-length 32
end
end

To configure the external interface:

config system interface
edit external
set mode static
set ip 172.16.21.2 255.255.255.0
next
end

To add VLAN subinterfaces:

config system interface
edit VLAN_100
set vdom root
set interface internal
set type vlan
set vlanid 100
set mode static
set ip 10.1.1.1 255.255.255.0
set allowaccess https ping
next
edit VLAN_200
set vdom root
set interface internal
set type vlan
set vlanid 200
set mode static
set ip 10.1.2.1 255.255.255.0
set allowaccess https ping
next
end

To add the firewall addresses:

config firewall address
edit VLAN_100_Net
set type ipmask
set subnet 10.1.1.0 255.255.255.0
next
edit VLAN_200_Net
set type ipmask
set subnet 10.1.2.0 255.255.255.0
next
end

To add security policies:

Policies 1 and 2 do not need NAT enabled, but policies 3 and 4 do need NAT enabled.

config firewall policy
edit 1
set srcintf VLAN_100
set srcaddr VLAN_100_Net
set dstintf VLAN_200
set dstaddr VLAN_200_Net
set schedule always
set service ALL
set action accept
set nat disable
set status enable
next
edit 2
set srcintf VLAN_200
set srcaddr VLAN_200_Net
set dstintf VLAN_100
set dstaddr VLAN_100_Net
set schedule always
set service ALL
set action accept
set nat disable
set status enable
next
edit 3
set srcintf VLAN_100
set srcaddr VLAN_100_Net
set dstintf external
set dstaddr all
set schedule always
set service ALL
set action accept
set nat enable
set status enable
next
edit 4
set srcintf VLAN_200
set srcaddr VLAN_200_Net
set dstintf external
set dstaddr all
set schedule always
set service ALL
set action accept
set nat enable
set status enable
next
end
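The interface and policy blocks above share one syntax (config / edit / set / next / end). As an added example that is not part of these notes and not Fortinet code, the Python below parses that flat block syntax from a constructed config sample and flags two of the risks discussed here: cleartext admin protocols (http, telnet) in allowaccess on a wan-role interface, and a policy that accepts service ALL with NAT enabled. It assumes flat blocks only; nested sub-tables such as config secondaryip are not handled.

```python
import shlex

# Constructed sample config in the block syntax used throughout these notes.
SAMPLE = """
config system interface
    edit "port1"
        set allowaccess ping https ssh http telnet
        set role wan
    next
end
config firewall policy
    edit 3
        set dstintf external
        set service ALL
        set nat enable
    next
end
"""

def parse(text):
    """Return {table: {entry: {key: [values]}}} from flat config/edit/set blocks."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        tok = shlex.split(raw)          # also strips the quotes around "port1"
        if not tok:
            continue
        if tok[0] == "config":
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit" and table is not None:
            entry = table.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]      # keep every value after the key
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            table, entry = None, None
    return tables

def audit(text):
    """Flag cleartext admin access on wan-role interfaces and any-service NAT policies."""
    cfg, findings = parse(text), []
    for name, iface in cfg.get("system interface", {}).items():
        clear = {"http", "telnet"} & set(iface.get("allowaccess", []))
        if clear and iface.get("role") == ["wan"]:
            findings.append(f"interface {name}: cleartext admin access {sorted(clear)}")
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("service") == ["ALL"] and pol.get("nat") == ["enable"]:
            findings.append(f"policy {pid}: service ALL with NAT to {pol['dstintf'][0]}")
    return findings
```

Run audit() over the text of a config backup taken with the execute backup config commands above to get the same two kinds of findings across a whole unit.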

VLANs in transparent mode

In transparent mode, the FortiGate unit behaves like a layer-2 bridge but
can still provide services such as antivirus scanning, web filtering, spam
filtering, and intrusion protection to traffic. Some limitations of
transparent mode are that we cannot use SSL VPN, PPTP/L2TP VPN, or a DHCP
server, and cannot easily perform NAT on traffic. The limits in transparent
mode apply to IEEE 802.1Q VLAN trunks passing through the unit.

Adding a static route on FortiGate:

config router static
edit 1
set dst 10.20.20.0/24
set gateway 10.30.30.1
set distance 1
set device <interface_name>
next
end
