
Fortigate Tips and Tricks

January 27th, 2012 admin


This article presents some useful commands/tricks that you can use on your Fortigate.

Debug Addresses:

Many times it happens that we have a lot of firewall policies for one address defined in our address pool. Let's take an example: we have "WWW_Server" defined with the IP of -.2.-/.-.-0. To see what policies are using this address we can use the following:

#diag sys checkused firewall.address:name 'WWW_Server'

From the output you can clearly see that the policy using this address is policy "14". In case our address is in an address group, we can find out where that address group is used by executing the following command:

#diag sys checkused firewall.addgrp:name 'Server_Groups'

The firewall from Fortinet also has sniffing capabilities (take that, Wireshark):

#diag debug packet test Interface_Name 'host IP_Host' '

If we would like to sniff all the interfaces on port 07 or 01 UDP we can try the following:

#diag sniff packet any 'udp port () or udp port (*'

To stop the sniffing, issue CTRL+C. Do not use it twice or your PuTTY session will die.

Fortigate CPU or Memory at 100%

From time to time we discover bugs, or the CPU/Memory goes to 100% usage. Then we are left with a reboot, and if that does not fix it we need to check what process is using all the memory. To do this we can use the following:

#diag debug en
#get sys status
#get sys perf status
#diag sys top + +,,
Let it run for 10-18 seconds and then stop it by pressing "q".
#diag hard sys mem

Let's say we found out that the process "authd" is using 100% of the processor. To reboot it we can use the following:

#diag sys kill 11 process_id

In our case we will perform the following command:

#diag sys kill 11 81

This command will re-spawn the authd process. Some other Signal_IDs: 9 = SIGKILL, 15 = SIGTERM
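An added example (not from the original article): a small Python helper that reads captured `diag sys top` output, picks out the process hogging CPU or memory, and builds the `diag sys kill 11 <pid>` command described above. The sample output and its column layout (name, PID, state, CPU %, memory %) are constructed assumptions.

```python
import re

# Constructed sample of `diag sys top` output; the column layout
# (name, pid, state, CPU %, memory %) is an assumption, not taken from the page.
SAMPLE_TOP = """\
Run Time:  12 days, 3 hours and 41 minutes
97U, 0N, 2S, 1I; 1002T, 310F
           authd       81      R      98.7     2.1
       ipsengine       64      S <     0.5     9.8
         miglogd       43      S       0.1     1.2
          newcli      912      R       0.3     0.9
"""

# name, pid, state letter, optional priority flag (< or N), cpu, mem
ROW = re.compile(
    r"^\s*(\S+)\s+(\d+)\s+([A-Z])\s*([<N])?\s+(\d+(?:\.\d+)?)\s+(\d+(?:\.\d+)?)\s*$"
)

def parse_top(text):
    """Return one dict per process row; header lines do not match and are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, pid, state, _flag, cpu, mem = m.groups()
            procs.append({"name": name, "pid": int(pid), "state": state,
                          "cpu": float(cpu), "mem": float(mem)})
    return procs

def hogs(procs, cpu_limit=80.0, mem_limit=50.0):
    """Processes at or above either threshold, busiest first."""
    over = [p for p in procs if p["cpu"] >= cpu_limit or p["mem"] >= mem_limit]
    return sorted(over, key=lambda p: (p["cpu"], p["mem"]), reverse=True)

def restart_command(proc, signal=11):
    """Build the kill command the article uses (signal 11, then the PID)."""
    return f"diag sys kill {signal} {proc['pid']}"

if __name__ == "__main__":
    for p in hogs(parse_top(SAMPLE_TOP)):
        print(f"{p['name']} pid={p['pid']} cpu={p['cpu']}% mem={p['mem']}%")
        print("  ->", restart_command(p))
```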

Problems with Authentication?

To test the authentication we can use the following commands:

#diag test auth <type> <server_name> <chap | pap | mschap | mschap2> <username> <pwd>

Let's say we want to test a user's LDAP username and PASSWORD; we will test with the following:

#diag test authserver ldap server <server_name> <username> <pwd>

If the authentication is successful then that means that we are good to go. The problem is somewhere else.

BASIC COMMANDS

To show the ARP table:
#diag ip arp list

To show the routing table:
#diag ip route list

To check the NIC status on the Fortigate:
#diag hard dev nic port

PPPoE:
#diag debug en
#diag debug app ppp '

Hope this helps!

Happy firewalling and please comment if you have any questions. Thanks!


Copyright © Network & Security Blog - It's all about Security