FortiGate
# Check for updates on FortiGuard
get system fortiguard-services status
diagnose autoupdate <status | version>
# Force communication with FortiGuard
execute update-now
# Check for warnings after an upgrade
diagnose debug config-error-log read
# Enable timestamps and the filter, then start the trace and debug
diagnose debug console timestamp enable
diagnose debug flow filter saddr <source_ip>
diagnose debug flow filter daddr <destination_ip>
diagnose debug flow filter proto <transport_protocol_number>
diagnose debug flow filter port <destination_port_number>
diagnose debug flow trace start <filtered_count_1_to_999>
diagnose debug enable
# Disable the filter and stop debug after use
# Stop the trace, clear the filter and disable debug
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
diagnose debug disable
# Clear the sessions of a filtered policy
diagnose sys session filter clear
diagnose sys session filter policy <rule_number>
diagnose sys session clear
# Check traffic
diag sniff pack any 'host <host_ip> and <protocol_eg_icmp>' 4
# Test access to FortiGuard services
exec ping service.fortiguard.net
exec ping update.fortiguard.net
exec ping guard.fortinet.net
#
diagnose debug application update -1
diagnose debug enable
execute update-now
# Working with sessions
show system session-helper
diagnose sys session <stat | list | filter | clear>
get system session <status|list>
show system <session-helper|session-ttl>
show full-configuration system global | grep timer
diagnose firewall ippool-all <list [ip_pool_name] | stats>
# Capture 10 packets on any interface, filtered by the ICMP protocol and host 10.0.1.10, with verbose level 4 (print header of packets with interface name)
diagnose sniffer packet any "icmp and host 10.0.1.10" 4 10
# Checking IP addresses
diagnose ip address list
show system interface ?
get system interface physical
show firewall vip
# Active routes
get router info routing-table <all | ospf | static | connected | rip | isis | bgp >
# All routes in the database (active ones are marked with *>)
get router info routing-table database
# Policy Route
diagnose firewall proute list
# LDAP Authentication
diagnose test authserver ldap <obj_ldap_name> <user> <password>
# Logging and Monitoring
diagnose sys logdisk <status|usage|quota>
diagnose test application miglogd 6
diagnose log kernel-stats
diagnose log test
execute log filter ....
execute log display
# Check communication with FortiGuard and Web Filter status
diagnose debug rating
get webfilter status
# FortiGuard and Web Filter statistics
diagnose webfilter fortiguard statistics list
# Update the database via FortiGuard
# Check whether the FortiGate can resolve update.fortiguard.net (port 443)
execute update-now
# Check signature versions
diagnose autoupdate status
diagnose autoupdate version
# Real-time update debug
diagnose debug application update -1
diagnose debug enable
execute update-av
# Show virus statistics for the last minute
get system performance status
# Show information about the current antivirus database
diagnose antivirus database-info
# Show the current antivirus version and signatures
diagnose autoupdate versions
# Show the scan time for infected files
diagnose antivirus test "get scantime"
# Force a check for antivirus updates
execute update-av
#SSL VPN
diagnose debug enable
diagnose vpn ssl <list | info | statistics | debug-filter | hw-acceleration-status>
diagnose debug application sslvpn -1
# View the hardware acceleration status
get vpn status ssl hw-acceleration-status
# View authenticated users, their groups and IPs
get vpn ssl monitor
# Check SD-WAN link health
diagnose sys virtual-wan-link health-check
# Run global and per-VDOM commands from any context
sudo <global | vdom-name> <diagnose | execute | show | get>
# VPN Phase 1 Status
get vpn ike gateway <tunnel_name>
# Check IPsec VPN hardware acceleration
diagnose vpn tunnel list
# Real-time VPN debug (phase 1 and 2)
diagnose vpn ike log filter dst-addr <remote_peer_IP>
diagnose debug application ike -1
diagnose debug enable
.....
diagnose debug reset
diagnose debug disable
# Check logged-in FSSO users
diagnose firewall auth < list | filter | clear...>
diagnose debug authd fsso <filter | list | refresh-groups | summary | clear-logons | refresh-logons | server-status>
diagnose debug authd fsso list
execute fsso refresh
# Check connectivity between the collector agent and the FortiGate
diagnose debug enable
diagnose debug authd fsso server-status
# Polling Mode
# Status of the FortiGate's polls to the DC
diagnose debug fsso-polling detail
#Active FSSO users
diagnose debug fsso-polling refresh-user
#Sniff polls
diagnose sniffer packet any 'host ipAddress and tcp port 445'
diagnose debug application fssod -1
#HA
get system ha status
diagnose sys ha status
diagnose sys ha checksum < cluster | show | recalculate >
get system ha status
execute ha manage ?
execute ha manage <HA_device_index>
# Reset uptime
diag sys ha reset-uptime
diagnose debug enable
diagnose debug application hatalk 0
diagnose debug application hatalk 255
.....
diagnose debug application hatalk 0
diagnose debug disable
# Diagnostics
get system status
get hardware nic <interface_name>
get system arp
execute ping-options
execute ping [ipv4_address | host_fqdn]
execute traceroute [ipv4_address | host_fqdn]
get system performance status
diagnose sys top 1
diagnose hardware sysinfo conserve
diagnose debug crashlog history
diagnose debug crashlog read