View the table-size limits on a specific model
print tablesize
There are 3 numbers associated with each table value:
1. The first number refers to the maximum number allowed for the child table in its parent entry.
2. The second number refers to maximum number allowed per VDOM limit.
3. The third number refers to the system global limit.
Or via the website:
https://docs.fortinet.com/max-value-table
Disable update checks
config system autoupdate schedule
set status disable
end
Change the MAC address on interfaces
config sys int
edit <interface>
set macaddr <MAC address>
end
#### [If the FG is in a cluster](https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/564710/cluster-virtual-mac-addresses)
config system ha
set group-id <integer>
end
Platform information
get system status
get system status | grep Serial-Number
Delete an ARP entry
diag ip arp delete port1 10.40.16.2
View the MAC address table
diagnose netlink brctl name host root.b
Bounce the tunnels
Reset all
diagnose vpn ike restart
Reset a specific tunnel
diagnose vpn ike gateway clear name spoke2_backup_2
Debug IPsec
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 10.0.1.6
diagnose debug app ike 255
diagnose debug enable
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 10.0.8.130
diagnose debug app ike 255
diagnose debug enable
diagnose debug disable
[https://www.fortinetguru.com/2017/10/ipsec-troubleshooting/](https://www.fortinetguru.com/2017/10/ipsec-troubleshooting/)
NTP
[link](https://kb.fortinet.com/kb/viewContent.do?externalId=FD33783)
diagnose sniffer packet any 'port 123' 4
diag sys ntp status
Delayed configuration revert
https://kb.fortinet.com/kb/documentLink.do?externalID=FD30912
Vulnerable SSL VPN FortiOS versions
NOTE
A hacker published a list of 50,000 credentials stolen from vulnerable Fortinet SSL VPNs. The data leak contained a list of one-line exploits for Fortinet’s FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12 bug. The vulnerability allows an attacker to steal VPN credentials from the SSL VPN web portal. The latest breach is considered “the most complete sslvpn websession exploit” with both usernames and passwords. A hacker named “pumpedkicks” was suspected of stealing the data on November 19.
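As an added example (not from these notes and not Fortinet's own code), a small Python check that parses the `Version:` line of `get system status` and reports whether the running FortiOS release falls inside the version ranges listed in the note above. The sample status output is constructed, and the exact layout of the `Version:` line is an assumption based on a typical FortiGate status banner.

```python
import re

# Affected FortiOS ranges as listed in the note above (inclusive bounds).
AFFECTED_RANGES = [
    ((6, 0, 0), (6, 0, 4)),
    ((5, 6, 3), (5, 6, 7)),
    ((5, 4, 6), (5, 4, 12)),
]

# Assumed layout of the "Version:" line, e.g. "Version: FortiGate-100D v6.0.3,build0200,181016 (GA)".
VERSION_RE = re.compile(r"Version:\s*\S+\s+v(\d+)\.(\d+)\.(\d+)")


def parse_version(status_output: str):
    """Return the (major, minor, patch) tuple found in `get system status` output."""
    m = VERSION_RE.search(status_output)
    if not m:
        raise ValueError("no Version line found in status output")
    return tuple(int(x) for x in m.groups())


def is_affected(version) -> bool:
    """True if a (major, minor, patch) tuple lies inside one of the listed ranges."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def check_status(status_output: str) -> dict:
    """Parse the status banner and say whether the firmware is in an affected range."""
    v = parse_version(status_output)
    return {"version": ".".join(map(str, v)), "affected": is_affected(v)}


# Constructed sample output; serial number is a placeholder, not a real device value.
SAMPLE_STATUS = """Version: FortiGate-100D v6.0.3,build0200,181016 (GA)
Virus-DB: 1.00000(2018-04-09 18:07)
Serial-Number: FGT_PLACEHOLDER_SERIAL
Hostname: fw-lab
"""

if __name__ == "__main__":
    print(check_status(SAMPLE_STATUS))
```

The range check only looks at the major.minor.patch triple; when deciding whether a box actually needs patching, compare against the build listed in Fortinet's advisory for that release rather than relying on this tuple comparison alone.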
View link-monitor statistics
dia sys link-monitor status
Capture packets
diagnose sniffer packet port1 'host 192.168.0.2 or host 192.168.0.1 and tcp port 80' 1
ARP
get sys arp
Debug SSL VPN
diagnose test authserver ldap DSZ_AD_10 dsz_tsz Qwerty12#
dia de en
dia de res
dia de app sslvpn -1
Debug IPsec VPN
diagnose debug disable
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 185.127.150.29
diagnose debug app ike 255
diagnose debug enable
diag vpn tunnel reset IPsec_to_France
diagnose vpn ike gateway list
diagnose vpn ike errors
diagnose vpn tunnel list name IPsec_to_France
IPsec phase 2 does not come up
[https://kb.fortinet.com/kb/documentLink.do?externalID=FD46611](https://kb.fortinet.com/kb/documentLink.do?externalID=FD46611)
[https://kb.fortinet.com/kb/documentLink.do?externalID=FD46526](https://kb.fortinet.com/kb/documentLink.do?externalID=FD46526)
Debug flow
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
diagnose debug flow filter addr 89.208.38.2
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 999
diagnose debug enable
diagnose debug flow filter addr 172.20.33.130
diagnose debug disa
Roll back to the previous firmware version
[https://kb.fortinet.com/kb/documentLink.do?externalID=FD36165](https://kb.fortinet.com/kb/documentLink.do?externalID=FD36165)
diag sys flash list
execute set-next-reboot <primary/secondary>
exec reboot
AD connectivity
NOTE
Verify an account against AD
diagnose test authserver ldap 10.60.0.54 read-bot 0aXc498MhJHcN
diagnose test authserver ldap-direct 10.60.0.54
diagnose debug duration 480
diagnose debug application fnbamd 255
diagnose debug enable
Look for a line like:
[786] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 52e, v3839)
LDAP Error Code 49
Symptoms: users are unable to log in and the following error is encountered:
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 701, v1db0]
Causes: there can be many reasons for this. Check the sub-code after "data" (701 in the example above) and match it against the following table:

| Code | Description |
|------|-------------|
| 525 | user not found |
| 52e | invalid credentials |
| 530 | not permitted to logon at this time |
| 531 | not permitted to logon at this workstation |
| 532 | password expired (remember to check the user set in osuser.xml also) |
| 533 | account disabled |
| 701 | account expired |
| 773 | user must reset password |
| 775 | user account locked |

In the example above the sub-code is 701 (account expired).
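Added example (not from these notes and not Fortinet's or Atlassian's code): a Python helper that pulls the `data` sub-code out of an fnbamd or JNDI LDAP error-49 line and maps it using the table above, so a block of `diagnose debug application fnbamd` output can be triaged without reading every line. The sample lines are constructed, modelled on the two messages quoted in this section.

```python
import re

# Sub-codes Active Directory returns together with LDAP error 49 (from the table above).
LDAP_49_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "user account locked",
}

# Matches both "Error 49(" (fnbamd) and "error code 49 -" (JNDI), then the "data <hex>" field.
SUBCODE_RE = re.compile(r"[Ee]rror(?: code)? 49\b.*?\bdata ([0-9a-fA-F]+)", re.DOTALL)


def explain_ldap_error(line: str):
    """Return (subcode, description) for an LDAP error-49 line, or None if it is not one."""
    m = SUBCODE_RE.search(line)
    if not m:
        return None
    sub = m.group(1).lower()
    return sub, LDAP_49_SUBCODES.get(sub, "unknown sub-code")


def scan_debug_output(text: str):
    """Scan multi-line fnbamd/LDAP debug output and collect every error-49 diagnosis."""
    results = []
    for line in text.splitlines():
        hit = explain_ldap_error(line)
        if hit:
            results.append(hit)
    return results


# Constructed sample lines; the second line is filler that must not produce a match.
SAMPLE = """[786] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 52e, v3839)
[787] fnbamd_ldap_get_result-Error in ldap result
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 701, v1db0]
"""

if __name__ == "__main__":
    for sub, desc in scan_debug_output(SAMPLE):
        print(f"data {sub}: {desc}")
```

A "52e" after a `diagnose test authserver ldap` run means the bind account or the tested user password is wrong; "701", "773" and "775" point at the account state in AD rather than at the FortiGate configuration.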
View NAT sessions
get system session list
Clear NAT sessions when they hang
diagnose sys session clear
CPU
diag sys top
diag sys kill 11 <process id>
Ipsmonitor
diagnose test application ipsmonitor
97: Start all IPS engines
98: Stop all IPS engines
99: Restart all IPS engines and monitor
Also check that there is a listening socket on port 9999:
diagnose sys tcpsock | grep 9999
iperf client
[link](https://kb.fortinet.com/kb/documentLink.do?externalID=FD45599)
diag traffictest client-intf port15
diag traffictest server-intf port15
diag traffictest port 5201
diag traffictest run -c 31.192.104.200
Same test with 10 parallel streams:
diag traffictest run -c 31.192.104.200 -P 10
or 91.144.184.232 (the measured speed is unclear)
BGP
View what your router advertises to the neighbor
get router info bgp neighbors 10.0.4.17 advertised-routes
View what the neighbor sends you
get router info bgp neighbors 10.0.4.17 routes
get router info bgp neighbors 10.0.5.2 routes
get router info bgp neighbors 10.0.5.6 routes
diagnose sniffer packet
diagnose sniffer packet any 'dst host 192.168.2.78 and icmp' 4
View interface counters
diag hardware deviceinfo nic wan1
diagnose netlink interface list wan1
diagnose netlink interface clear wan1
fnsysctl ifconfig -a
(e.g. for LAN: MTU and counters)
Log in to the second cluster node and synchronize
exe ha manage 0
execute ha synchronize start
Reset the BGP neighborship
execute router clear bgp all soft out
execute router clear bgp ip x.x.x.x
View routes advertised to a BGP neighbor
get router info bgp neighbors 10.0.6.23 advertised-routes
get router info bgp neighbors 172.17.0.146 advertised-routes
get router info bgp neighbors 198.18.28.5 advertised-routes
get router info bgp neighbors 198.18.28.9 advertised-routes
get router info bgp neighbors 172.17.40.25 advertised-routes
get router info bgp neighbors 10.0.16.10 advertised-routes
View routes received from a BGP neighbor
get router info bgp neighbors 10.0.6.23 routes
get router info bgp neighbors 172.17.0.2 routes
get router info bgp neighbors 198.18.28.5 routes
get router info bgp neighbors 198.18.28.9 routes
get router info bgp neighbors 172.17.240.25 routes
get router info bgp neighbors 10.20.0.0 routes
View BGP routes matching a route-map
get router info bgp route-map test
Factory reset
exec factoryreset
View the ARP table
get system arp
Check whether OSPF packets are being exchanged
diagnose sniffer packet any "proto 89" 4
Debug routing (RIP, OSPF, BGP, static routes, ECMP)
[Debug routing](https://kb.fortinet.com/kb/documentLink.do?externalID=FD31207)
LTE modem signal
diagnose sys lte-modem sim-info
Restart the SNMP service
diagnose test application snmpd 99
Disable the VLAN switch
config system global
set virtual-switch-vlan disable
end
Swap master and slave without a reboot
Change the priority, or reset the HA uptime:
diagnose sys ha reset-uptime
Upgrade the cluster in one go (uninterruptible upgrade)
config system ha
set uninterruptible-upgrade enable
end
View Link monitor logs
Events - System Events - filter Message: Link monitor