Common FortiGate Firewall Commands

    1. Command structure

        #config    configure policies, address objects and other tables
        #get       view the parameters of an object (all values, including defaults)
        #show      view the configuration as config commands (non-default settings only)
        #diagnose  diagnostic commands
        #execute   common tool commands such as ping and traceroute; runs a one-off action
        #exit      quit
        #end       save and leave the config tree (inside a table, next saves the current entry and returns to the table so another entry can be edited; end saves and leaves the table)

    2. Common commands

      (1) Configure an interface address

       FortiGate # config system interface
       FortiGate (interface) # edit port1
       FortiGate (port1) # set ip 192.168.8.99/24
       FortiGate (port1) # end

      (2) Configure a static route

       FortiGate # config router static
       FortiGate (static) # edit 1
       FortiGate (1) # set device wan1
       FortiGate (1) # set dst 10.0.0.0 255.0.0.0
       FortiGate (1) # set gateway 192.168.57.1
       FortiGate (1) # end

      (3) Configure a default route (dst is left at its default of 0.0.0.0/0; use a new entry number so the route from step (2) is not overwritten)

       FortiGate # config router static
       FortiGate (static) # edit 2
       FortiGate (2) # set gateway 192.168.57.1
       FortiGate (2) # set device wan1
       FortiGate (2) # end

      (4) Add an address object

       FortiGate # config firewall address
       FortiGate (address) # edit clientnet
       new entry 'clientnet' added
       FortiGate (clientnet) # set subnet 192.168.1.0 255.255.255.0
       FortiGate (clientnet) # end

      (5) Add an IP pool (used for source NAT; a policy references it with set ippool enable and set poolname nat-pool)

       FortiGate # config firewall ippool
       FortiGate (ippool) # edit nat-pool
       new entry 'nat-pool' added
       FortiGate (nat-pool) # set startip 100.100.100.1
       FortiGate (nat-pool) # set endip 100.100.100.100
       FortiGate (nat-pool) # end

      (6) Add a virtual IP (static NAT from 202.0.0.167 on wan1 to 192.168.0.168; without set portforward enable every port of the external address is mapped, so the inbound policy's service setting is what restricts exposure)

       FortiGate # config firewall vip
       FortiGate (vip) # edit webserver
       new entry 'webserver' added
       FortiGate (webserver) # set extip 202.0.0.167
       FortiGate (webserver) # set extintf wan1
       FortiGate (webserver) # set mappedip 192.168.0.168
       FortiGate (webserver) # end

      (7) Configure the Internet access (outbound) policy (the text after // is annotation, not part of the command)

       FortiGate # config firewall policy
       FortiGate (policy) # edit 1
       FortiGate (1) # set srcintf internal        // source interface
       FortiGate (1) # set dstintf wan1            // destination interface
       FortiGate (1) # set srcaddr all             // source address
       FortiGate (1) # set dstaddr all             // destination address
       FortiGate (1) # set action accept           // action
       FortiGate (1) # set schedule always         // schedule
       FortiGate (1) # set service ALL             // service
       FortiGate (1) # set logtraffic disable      // log switch: disable writes no traffic log for this policy; use all to log every session
       FortiGate (1) # set nat enable              // enable source NAT (to the outgoing interface address unless an IP pool is selected)
       FortiGate (1) # end

        (8) Configure the mapping (inbound VIP) policy

       FortiGate # config firewall policy
       FortiGate (policy) # edit 2
       FortiGate (2) # set srcintf wan1            // source interface
       FortiGate (2) # set dstintf internal        // destination interface
       FortiGate (2) # set srcaddr all             // source address
       FortiGate (2) # set dstaddr webserver       // destination address: the virtual IP object created in step (6)
       FortiGate (2) # set action accept           // action
       FortiGate (2) # set schedule always         // schedule
       FortiGate (2) # set service ALL             // service (see the note below)
       FortiGate (2) # set logtraffic all          // log switch: log every session on this policy
       FortiGate (2) # end

       Note: because the VIP maps every port, set service ALL on this inbound policy publishes every listening port of 192.168.0.168 to the Internet. Restrict the service to what the server actually offers (for example set service HTTP HTTPS), and do not enable NAT on this policy, otherwise the server only ever sees the firewall's address as the client.
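Once both policies are in place, a practitioner would review the output of show firewall policy for over-permissive rules. The following Python script is an added example, not code from the original post: it parses the config-style text that show firewall policy prints and flags accept policies that allow service ALL from an untrusted interface, any/any/ALL rules, disabled traffic logging, and source NAT on inbound policies. The sample output embedded in it is constructed to match policies 1 and 2 above, and the set of untrusted interfaces (wan1, wan2) is an assumption for this example.

```python
"""Audit FortiOS `show firewall policy` output for over-permissive policies.

Added example (not from the original post). Parses the config-style text that
`show firewall policy` prints and reports findings per policy ID.
"""
import re

# Constructed sample shaped like `show firewall policy` output for the two
# policies configured above: the outbound NAT policy and the inbound VIP policy.
SAMPLE_SHOW_OUTPUT = """\
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
        set nat enable
    next
    edit 2
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "webserver"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
"""

# Interfaces treated as untrusted (assumption for this example).
UNTRUSTED_INTERFACES = {"wan1", "wan2"}


def parse_show_firewall_policy(text):
    """Return {policy_id: {setting: [values]}} parsed from `show firewall policy` text."""
    policies = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"edit (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        if line in ("next", "end"):
            current = None
            continue
        m = re.fullmatch(r"set (\S+) (.+)", line)
        if m and current is not None:
            # `show` quotes object names; strip the quotes and keep multi-valued lists.
            current[m.group(1)] = [v.strip('"') for v in m.group(2).split()]
    return policies


def audit_policy(settings):
    """Return a list of human-readable findings for one policy's settings."""
    findings = []
    if settings.get("action", ["deny"])[0] != "accept":
        return findings  # deny policies are not over-permissive
    srcintf = set(settings.get("srcintf", []))
    srcaddr = set(settings.get("srcaddr", []))
    dstaddr = set(settings.get("dstaddr", []))
    service = set(settings.get("service", []))
    # `show` omits defaults; when logtraffic is absent FortiOS uses utm.
    logtraffic = settings.get("logtraffic", ["utm"])[0]
    inbound = bool(srcintf & UNTRUSTED_INTERFACES)
    if inbound and "ALL" in service:
        findings.append("inbound policy allows service ALL; restrict to the published service")
    if "all" in srcaddr and "all" in dstaddr and "ALL" in service:
        findings.append("any/any/ALL accept policy")
    if logtraffic == "disable":
        findings.append("traffic logging disabled; sessions will not appear in logs")
    if inbound and settings.get("nat", ["disable"])[0] == "enable":
        findings.append("source NAT on an inbound policy hides the real client address from the server")
    return findings


def audit(text):
    """Audit every policy in `show firewall policy` output: {policy_id: [findings]}."""
    return {pid: audit_policy(s) for pid, s in parse_show_firewall_policy(text).items()}


if __name__ == "__main__":
    for pid, findings in audit(SAMPLE_SHOW_OUTPUT).items():
        for finding in findings:
            print(f"policy {pid}: {finding}")
```

Run against the sample, policy 1 is reported for the any/any/ALL rule and for disabled logging, and policy 2 for service ALL on an inbound policy; paste the real show firewall policy output into SAMPLE_SHOW_OUTPUT (or read it from a file) to audit a live unit.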

           (9) Change the internal switch interface to a routed (interface-mode) port

           First make sure every route, DHCP server and firewall policy that references the internal interface has been deleted; the mode change is refused while the interface is still in use.

           FortiGate # config system global
           FortiGate (global) # set internal-switch-mode interface
           FortiGate (global) # end

           Then reboot the unit.

    --------------------------------------

         1. View the hostname and management ports
                FortiGate # show system global

         2. View system status and current resource usage (CPU, memory, sessions, uptime)
                FortiGate # get system performance status

         3. View firewall traffic statistics
                FortiGate # get system performance firewall statistics

         4. View the ARP table
                FortiGate # get system arp

         5. View detailed ARP information
                FortiGate # diagnose ip arp list

         6. Clear the ARP cache
                FortiGate # execute clear system arp table

         7. View session table statistics
                FortiGate # diagnose sys session stat   or   FortiGate # diagnose sys session full-stat

         8. View the session list (on a busy unit set a filter first, e.g. diagnose sys session filter dst 8.8.8.8, and clear it afterwards with diagnose sys session filter clear)
                FortiGate # diagnose sys session list

         9. View physical interface status
                FortiGate # get system interface physical

        10. View the static route configuration (including the default route)
              FortiGate # show router static

        11. View the static routes in the routing table
              FortiGate # get router info routing-table static

        12. View the OSPF configuration
               FortiGate # show router ospf

        13. View the full routing table
              FortiGate # get router info routing-table all
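The session list from command 8 is long and multi-line per session, which is awkward to read when you are chasing one host during an investigation. The following Python script is an added example, not from the original post: it extracts only the protocol, policy ID and original-direction 5-tuple (with the translated address, if any) from diagnose sys session list output and lets you pull out the sessions that touch a given host. The sample output is constructed and abridged to the session info:, hook= and policy_id= lines, which are the only ones the parser relies on; its two sessions correspond to the outbound NAT policy and the VIP policy configured above.

```python
"""Summarise `diagnose sys session list` output.

Added example (not from the original post). Each session in the real output
spans many lines; this parser keeps only the fields an incident responder
usually wants and depends solely on the `session info:`, `hook=... dir=org`
and `policy_id=` lines.
"""
import re
from collections import Counter

# Constructed, abridged sample of two sessions: one outbound through the
# source-NAT policy (id 1) and one inbound through the VIP policy (id 2).
SAMPLE_SESSION_LIST = """\
session info: proto=6 proto_state=01 duration=16 expire=3583 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
state=log may_dirty npu
statistic(bytes/packets/allow_err): org=1492/12/1 reply=3960/10/1 tuples=2
hook=post dir=org act=snat 192.168.1.10:51234->8.8.8.8:443(100.100.100.5:51234)
hook=pre dir=reply act=dnat 8.8.8.8:443->100.100.100.5:51234(192.168.1.10:51234)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=3 expire=3597 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
state=log may_dirty npu
statistic(bytes/packets/allow_err): org=620/7/1 reply=8800/9/1 tuples=2
hook=pre dir=org act=dnat 203.0.113.7:40001->202.0.0.167:80(192.168.0.168:80)
hook=post dir=reply act=snat 192.168.0.168:80->203.0.113.7:40001(202.0.0.167:80)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
total session 2
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# hook=<pre|post> dir=<org|reply> act=<snat|dnat|noop> src:sport->dst:dport(nat:nport)
HOOK_RE = re.compile(
    r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:\((?P<nat>[\d.]+):(?P<nport>\d+)\))?"
)


def parse_session_list(text):
    """Return one dict per session: proto, duration, policy_id and the
    original-direction tuple (src, sport, dst, dport, act, nat)."""
    sessions = []
    current = None
    for line in text.splitlines():
        if line.startswith("session info:"):
            if current:
                sessions.append(current)
            fields = dict(kv.split("=", 1) for kv in line.split()[2:] if "=" in kv)
            current = {
                "proto": PROTO_NAMES.get(int(fields["proto"]), fields["proto"]),
                "duration": int(fields["duration"]),
            }
            continue
        if current is None:
            continue
        m = HOOK_RE.search(line)
        if m and m.group("dir") == "org":
            nat = m.group("nat")
            current.update(
                src=m.group("src"), sport=int(m.group("sport")),
                dst=m.group("dst"), dport=int(m.group("dport")),
                act=m.group("act"),
                # act=noop sessions carry (0.0.0.0:0); treat that as "no translation".
                nat=None if nat in (None, "0.0.0.0") else nat,
            )
            continue
        m = re.search(r"\bpolicy_id=(\d+)", line)
        if m:
            current["policy_id"] = int(m.group(1))
    if current:
        sessions.append(current)
    return sessions


def sessions_to(sessions, host):
    """Sessions whose original destination or translated (DNAT) address is host."""
    return [s for s in sessions if host in (s.get("dst"), s.get("nat"))]


def count_by_policy(sessions):
    """How many sessions each firewall policy currently carries."""
    return Counter(s.get("policy_id") for s in sessions)


if __name__ == "__main__":
    found = parse_session_list(SAMPLE_SESSION_LIST)
    print("sessions per policy:", dict(count_by_policy(found)))
    for s in sessions_to(found, "192.168.0.168"):
        print(f"{s['proto']} {s['src']}:{s['sport']} -> {s['dst']}:{s['dport']} "
              f"({s['act']} to {s['nat']}) via policy {s['policy_id']}")
```

Looking up the internal server address finds the inbound VIP session even though the packets were addressed to the external IP, because the translated address is matched as well as the original destination; per-policy counts give a quick sanity check that the policy IDs from show firewall policy are the ones actually carrying traffic.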

    -----------------------------------------------

        1. View HA status
            FortiGate # get system ha status

        2. Check whether the primary and secondary units are in sync
         FortiGate # diagnose sys ha showcsum
         (run it on each unit and compare the per-VDOM checksums; they must match, otherwise the configurations have diverged)

    ---------------------------------------------------

       3. Diagnostic commands:

          FortiGate # diagnose debug application ike -1

          Setting the IKE debug level alone prints nothing; output only appears after diagnose debug enable. When finished, turn it off again with diagnose debug application ike 0 and diagnose debug disable, since debug output is verbose and costs console and CPU time.

      ---------------------------------------------------

           execute commands:

           FortiGate # execute ping 8.8.8.8                       // ordinary ping
           FortiGate # execute ping-options source 192.168.1.200  // set the source address of ping packets to 192.168.1.200
           FortiGate # execute ping 8.8.8.8                       // then enter the ping target; the ping is now sourced from 192.168.1.200 (the option persists for later pings in this session; execute ping-options reset restores the defaults)
           FortiGate # execute traceroute 8.8.8.8
           FortiGate # execute telnet 2.2.2.2                     // telnet to a host
           FortiGate # execute ssh 2.2.2.2                        // ssh to a host
           FortiGate # execute factoryreset                       // restore factory settings (wipes the configuration)
           FortiGate # execute reboot                             // reboot the unit
           FortiGate # execute shutdown                           // shut the unit down

    Reposted from: https://www.cnblogs.com/kunlunsun/p/11423552.html

  Original address: https://www.cnblogs.com/dier-gaohe/p/14505609.html
Copyright © 2020-2023 润新知