Fortigate Commands

I configure and support Fortigate firewalls on a daily basis: the baby 60DSLs, the 200As, but mostly the big 3016Bs.

Although I use the Fortimanager front-end extensively for revision history, I still prefer, and often do, work from the command line, so I thought I'd share the commands I use most often.

Monitoring commands (the CLI accepts unambiguous abbreviations, so sh for show and diag for diagnose work everywhere below):

show

  • Show the configuration of the scope you are in (global, or the current VDOM)

sh system interface

  • Show the interface configuration (equivalent to the Cisco 'show run interface')

diagnose hardware deviceinfo nic <interface>

  • Show the NIC driver, link state and counters for an interface (equivalent to the Cisco 'show interface'); without an interface name it just lists the NICs

get system status

  • Show firmware version, serial number and general system status

sh firewall policy 6

  • Show firewall policy with ID 6 (the ID, not its position in the policy list)

sh router policy

  • Show Policy Routing rules

diagnose system session list

  • Show the existing sessions, including their NAT translations (equivalent to the Cisco 'show conn' / 'show xlate'); on a busy box set a 'diagnose system session filter' first or the output is enormous

diagnose system session clear

  • Clears all sessions / translations (equivalent to the Cisco 'clear xlate'); this drops every live connection through the box, so narrow it with a session filter first

diagnose ip arp list

  • Shows the ARP table of connected hosts

get router info routing-table all

  • Show the routing table (equivalent to the Cisco 'show ip route')

diagnose system top

  • Show running system processes with their PIDs and CPU/memory usage, top-style

diagnose system kill 9 <id>

  • Send signal 9 (SIGKILL) to the given PID

diagnose test authserver ldap <server_name> <username> <password>

  • LDAP test bind from the Forti to AD, using the LDAP server object <server_name> defined under config user ldap (diag test auth ldap is the abbreviated form); note the password is typed in the clear on the CLI, so use a test account
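The session list is the command in this list whose output is hardest to read by eye, because each session is a dozen lines and the NAT mapping is buried in the hook= lines. Here is an added example (my own code, not from the original post or from Fortinet) that parses a dump of diagnose system session list into an xlate-style table of inside address, translated address and outside peer. SAMPLE is a constructed two-session dump that approximates the FortiOS layout; the parser relies only on the session info:, hook= and misc= lines, so the other lines are there just to look realistic.

```python
"""Turn 'diagnose system session list' output into an xlate-style NAT table.

Added example, not code from the original post or from Fortinet. SAMPLE is a
constructed dump approximating the FortiOS layout; only the 'session info:',
'hook=' and 'misc=' lines are parsed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE = """\
session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
state=log may_dirty npu none log-start
statistic(bytes/packets/allow_err): org=1328/12/1 reply=1200/10/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=5->6/6->5 gwy=198.51.100.1/192.168.1.10
hook=post dir=org act=snat 192.168.1.10:50000->93.184.216.34:443(203.0.113.5:50000)
hook=pre dir=reply act=dnat 93.184.216.34:443->203.0.113.5:50000(192.168.1.10:50000)
misc=0 policy_id=6 auth_info=0 chk_client_info=0 vd=0
serial=0000a1b2 tos=ff/ff app_list=0 app=0 url_cat=0
session info: proto=17 proto_state=01 duration=3 expire=177 timeout=180 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
state=may_dirty
statistic(bytes/packets/allow_err): org=80/1/1 reply=0/0/0 tuples=2
orgin->sink: org pre->post, reply pre->post dev=5->5/5->5 gwy=192.168.1.20/192.168.1.1
hook=pre dir=org act=noop 192.168.1.1:40000->192.168.1.20:53(0.0.0.0:0)
hook=post dir=reply act=noop 192.168.1.20:53->192.168.1.1:40000(0.0.0.0:0)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
serial=0000a1b3 tos=ff/ff app_list=0 app=0 url_cat=0
total session 2
"""

PROTO = {1: "icmp", 6: "tcp", 17: "udp"}
KV_RE = re.compile(r"(\w+)=(\S+)")
# hook=<pre|post> dir=<org|reply> act=<snat|dnat|noop> src->dst(translated)
TUPLE_RE = re.compile(
    r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
    r"(?P<src>\S+?)->(?P<dst>\S+?)\((?P<xlate>\S+?)\)"
)


@dataclass
class Session:
    proto: int
    expire: int
    policy_id: Optional[int] = None
    tuples: List[dict] = field(default_factory=list)

    def nat(self) -> Optional[Tuple[str, str, str]]:
        """(inside, translated, outside) for a source-NATed session, else None."""
        for t in self.tuples:
            if t["dir"] == "org" and t["act"] == "snat":
                return (t["src"], t["xlate"], t["dst"])
        return None


def parse_sessions(text: str) -> List[Session]:
    """Split the dump at each 'session info:' header and collect its tuples."""
    sessions: List[Session] = []
    cur: Optional[Session] = None
    for line in text.splitlines():
        if line.startswith("session info:"):
            kv = dict(KV_RE.findall(line))
            cur = Session(proto=int(kv["proto"]), expire=int(kv["expire"]))
            sessions.append(cur)
        elif cur is None:
            continue  # preamble before the first session
        elif line.startswith("hook="):
            m = TUPLE_RE.match(line)
            if m:
                cur.tuples.append(m.groupdict())
        elif line.startswith("misc="):
            cur.policy_id = int(dict(KV_RE.findall(line)).get("policy_id", -1))
    return sessions


def nat_table(text: str):
    """Rows of (proto, inside, translated, outside, policy_id), NATed sessions only."""
    rows = []
    for s in parse_sessions(text):
        mapping = s.nat()
        if mapping:
            rows.append((PROTO.get(s.proto, str(s.proto)),) + mapping + (s.policy_id,))
    return rows


if __name__ == "__main__":
    for row in nat_table(SAMPLE):
        print("%-4s %-22s -> %-22s peer %-22s policy %s" % row)
```

Pipe a real dump in through stdin instead of SAMPLE and you get the Cisco-style view the author is after; the dnat side of each session is left in the tuples for callers that need the reverse direction.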


Find Pix VPN password

Ok, so an interesting problem I came across today: I needed to confirm the password for an IPsec tunnel on a PIX without changing it. The dilemma was that it shows as ********, which is not very useful!

–snip–
crypto map IPSEC interface outside
isakmp enable outside
isakmp key ******** address 10.11.12.13 netmask 255.255.255.255 no-xauth
isakmp policy 100 authentication pre-share
–snip–

To find the password, do the following:

Set up a TFTP server and create a file to upload the PIX config to. Make sure the TFTP daemon has write permission on that file (many TFTP servers will not create a file that does not already exist), and confirm beforehand that the PIX can reach the TFTP server.

Then from the pix:

PIX 6.35 syntax

tftp-server [<if_name>] <ip> <directory>
write net [<tftp_ip>]:<filename>

Example (the server address given on write net overrides the one set with tftp-server):

(config)# tftp-server outside 196.23.0.9 /
(config)# write net 196.1.1.1:myfw
Building configuration…
TFTP write ‘//myfw’ at 196.1.1.1 on interface 0
[OK]

The file "myfw" on the TFTP server now contains the config with the key in plain text: write net does not mask keys the way show and write terminal do. Both the transfer and the resulting file are cleartext, so do this over a management network and delete the file once you have what you need.

–snip–
crypto map IPSEC interface outside
isakmp enable outside
isakmp key qweRTY!@# address 10.11.12.13 netmask 255.255.255.255 no-xauth
isakmp policy 100 authentication pre-share
–snip–
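To make the TFTP step concrete, here is an added example (my own code, not from the original post and not Cisco's) of the whole exchange: a minimal write-only TFTP receiver following RFC 1350, a client that sends the config the way the PIX does on write net, and a scan of the received file for isakmp key lines. The config fragment, the myfw filename and the addresses are taken from the post's own sample, and the key in it is a placeholder; demo() runs both sides on the loopback interface so it works offline.

```python
"""Receive a PIX 'write net' over TFTP and pull the isakmp pre-shared keys out.

Added example, not code from the original post or from Cisco. Implements the
RFC 1350 write side (WRQ, ACK 0, DATA/ACK per 512-byte block, short block ends
the transfer) in octet mode only. SAMPLE_CONFIG is a constructed fragment.
"""
import re
import socket
import struct
import threading

OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 2, 3, 4, 5
BLOCK = 512

SAMPLE_CONFIG = b"""\
crypto map IPSEC interface outside
isakmp enable outside
isakmp key qweRTY!@# address 10.11.12.13 netmask 255.255.255.255 no-xauth
isakmp policy 100 authentication pre-share
"""

# 'isakmp key <key> address <peer> ...' as written by PIX 6.x
PSK_RE = re.compile(r"^isakmp key (\S+) address (\S+)", re.M)


def extract_psks(config_text):
    """Return [(peer_address, key)] for every isakmp key line; masked keys come back as ********."""
    return [(addr, key) for key, addr in PSK_RE.findall(config_text)]


def receive_one_write(listen_sock, timeout=5.0):
    """Serve a single TFTP write on an already bound UDP socket; return (filename, data)."""
    listen_sock.settimeout(timeout)
    pkt, client = listen_sock.recvfrom(BLOCK + 4)
    if struct.unpack("!H", pkt[:2])[0] != OP_WRQ:
        raise ValueError("expected a WRQ")
    filename, mode = pkt[2:].split(b"\0")[:2]
    if mode.lower() != b"octet":
        raise ValueError("only octet mode is supported")
    # The server answers from a fresh port: that port is its transfer ID (TID).
    xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    xfer.settimeout(timeout)
    xfer.sendto(struct.pack("!HH", OP_ACK, 0), client)
    chunks, expected = [], 1
    while True:
        pkt, peer = xfer.recvfrom(BLOCK + 4)
        if peer != client:
            continue  # wrong TID, not our client
        opcode, block = struct.unpack("!HH", pkt[:4])
        if opcode == OP_ERROR:
            raise ValueError("client error: %r" % pkt[4:])
        if opcode != OP_DATA:
            continue
        if block != expected:
            if block == (expected - 1) & 0xFFFF:  # our ACK was lost: repeat it
                xfer.sendto(struct.pack("!HH", OP_ACK, block), client)
            continue
        chunks.append(pkt[4:])
        xfer.sendto(struct.pack("!HH", OP_ACK, block), client)
        expected = (expected + 1) & 0xFFFF
        if len(pkt) - 4 < BLOCK:  # a short block terminates the transfer
            break
    xfer.close()
    return filename.decode(), b"".join(chunks)


def tftp_put(server, filename, data, timeout=5.0):
    """Client side, what the PIX does on 'write net': WRQ, then DATA blocks driven by ACKs."""
    chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    if not chunks or len(chunks[-1]) == BLOCK:
        chunks.append(b"")  # exact multiple of 512 needs an empty final block
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(struct.pack("!H", OP_WRQ) + filename.encode() + b"\0octet\0", server)
    tid, block = None, 0
    while True:
        pkt, peer = sock.recvfrom(BLOCK + 4)
        tid = tid or peer  # ACK 0 tells us the server's TID
        opcode, acked = struct.unpack("!HH", pkt[:4])
        if opcode == OP_ERROR:
            raise ValueError("server error: %r" % pkt[4:])
        if opcode != OP_ACK or acked != block or peer != tid:
            continue
        if block == len(chunks):
            break
        sock.sendto(struct.pack("!HH", OP_DATA, block + 1) + chunks[block], tid)
        block += 1
    sock.close()


def demo():
    """Run receiver and client on loopback with SAMPLE_CONFIG; return (filename, psks)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    got = {}
    t = threading.Thread(target=lambda: got.update(zip(("name", "data"), receive_one_write(srv))))
    t.start()
    tftp_put(srv.getsockname(), "myfw", SAMPLE_CONFIG)
    t.join()
    srv.close()
    return got["name"], extract_psks(got["data"].decode())


if __name__ == "__main__":
    print(demo())
```

Against a real PIX, bind the listening socket to UDP 69 on an address the firewall can reach and point tftp-server at it; the extractor is the same. TFTP has no authentication and no encryption, which is exactly why the key comes out readable, so keep the listener on a management network and remove the dump afterwards.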