View the limits on a specific model

From the CLI:

print tablesize

Info

There are 3 numbers associated with each table value:

  1. The first number refers to the maximum number allowed for the child table in its parent entry.
  2. The second number refers to maximum number allowed per VDOM limit.
  3. The third number refers to the system global limit.

Via the website


Disable the scheduled update check

config system autoupdate schedule
    set status disable
end

Change the MAC address on interfaces

config sys int
    edit <interface>
        set macaddr <MAC address>
end

If the FortiGate is in a cluster

config system ha
    set group-id <integer>
end

Platform information

get system status
get system status | grep Serial-Number

Delete an ARP entry

diag ip arp delete port1 10.40.16.2

View the MAC address table

diagnose netlink brctl name host root.b

Bounce the tunnels

Reset all

diagnose vpn ike restart

Reset a specific tunnel

diagnose vpn ike gateway clear name <tunnel_name>

Debug IPsec

diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 10.0.1.6
diagnose debug app ike 255
diagnose debug enable
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 10.0.8.130
diagnose debug app ike 255
diagnose debug enable
diagnose debug disable


NTP

diagnose sniffer packet any 'port 123' 4
diag sys ntp status

Delayed config revert


Vulnerable FortiGate SSL VPN versions

Warning

A hacker published a list of 50,000 credentials stolen from vulnerable Fortinet SSL VPNs. The data leak contained a list of one-line exploits for Fortinet’s FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12 bug. The vulnerability allows an attacker to steal VPN credentials from the SSL VPN web portal. The latest breach is considered “the most complete sslvpn websession exploit” with both usernames and passwords. A hacker named “pumpedkicks” was suspected of stealing the data on November 19.


Link monitor status

dia sys link-monitor status

Capture packets

diagnose sniffer packet port1 'host 192.168.0.2 or host 192.168.0.1 and tcp port 80' 1

port1 is the interface name


ARP

get sys arp

Debug SSL VPN

diagnose test authserver ldap DSZ_AD_10 dsz_tsz Qwerty12#
dia de en
dia de res
dia de app sslvpn -1

Debug IPsec VPN

diagnose debug disable
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 185.127.150.29
diagnose debug app ike 255
diagnose debug enable
diag vpn tunnel reset IPsec_to_France
diagnose vpn ike gateway list
diagnose vpn ike errors
diagnose vpn tunnel list name IPsec_to_France

IPsec phase 2 does not come up


Debug flow

diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
diagnose debug flow filter addr 89.208.38.2
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 999
diagnose debug enable
diagnose debug flow filter addr 172.20.33.130
diagnose debug disable

Roll back to the previous firmware version

diag sys flash list
execute set-next-reboot <primary/secondary>
exec reboot

AD integration

Check an account in AD

diagnose test authserver ldap 10.60.0.54 read-bot 0aXc498MhJHcN
diagnose test authserver ldap-direct 10.60.0.54
diagnose debug duration 480
diagnose debug application fnbamd 255
diagnose debug enable

Look for:

[786] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 52e, v3839)

LDAP Error Code 49

  • Symptoms: Users are unable to log in. The following error is encountered: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 701, v1db0]

  • Causes: There could be many reasons for this issue. Please check the error code (in the example above, it's 701) and match it with the description in the following table:

Error Code   Description
525          user not found
52e          invalid credentials
530          not permitted to logon at this time
531          not permitted to logon at this workstation
532          password expired (remember to check the user set in osuser.xml also)
533          account disabled
701          account expired
773          user must reset password
775          user account locked

In the example above, the error code is 701 (account expired).
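To avoid reading the sub-code off the fnbamd debug line by eye, here is a small added helper (not part of the original notes) that pulls the `data NNN` sub-code out of each `Error 49(...)` line of a `diagnose debug application fnbamd` capture and maps it to the description from the table above. The sample capture is constructed: its first line is the one quoted above, the other lines are made up in the same format.

```python
import re

# AD sub-codes returned with LDAP error 49 (from the table above).
LDAP_49_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "user account locked",
}

# Matches the "Error 49( ... data 52e, v3839)" fragment of an fnbamd line.
_ERR49_RE = re.compile(r"Error 49\(.*?data ([0-9a-fA-F]+),")


def explain_ldap_error(line: str):
    """Return (subcode, description) for an fnbamd LDAP error-49 line, else None."""
    m = _ERR49_RE.search(line)
    if not m:
        return None
    code = m.group(1).lower()
    return code, LDAP_49_SUBCODES.get(code, "unknown sub-code")


def explain_debug_output(output: str):
    """Explain every error-49 hit in a whole fnbamd debug capture, in order."""
    return [hit for hit in map(explain_ldap_error, output.splitlines()) if hit]


# Constructed sample capture (first line is the one quoted in the notes).
SAMPLE_OUTPUT = """\
[786] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 52e, v3839)
[791] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 775, v3839)
[795] fnbamd_auth_handle_ldap_result-Result for ldap svr 10.60.0.54 is SUCCESS
"""

if __name__ == "__main__":
    for code, desc in explain_debug_output(SAMPLE_OUTPUT):
        print(f"data {code}: {desc}")
```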


View NAT sessions

get system session list

Clear NAT sessions when they hang

diagnose sys session clear

CPU

diag sys top
diag sys kill 11 <pid>

Ipsmonitor

diagnose test application ipsmonitor

  • 97: Start all IPS engines
  • 98: Stop all IPS engines
  • 99: Restart all IPS engines and monitor

Also check that there is a listening socket on port 9999:

diagnose sys tcpsock | grep 9999

iperf client

diag traffictest client-intf port15
diag traffictest server-intf port15
diag traffictest port 5201
diag traffictest run -c 31.192.104.200

BGP

View what your router advertises to a neighbor

get router info bgp neighbors <neighbor_ip> advertised-routes

View what the neighbor advertises to you

get router info bgp neighbors <neighbor_ip> routes

diagnose sniffer packet

diagnose sniffer packet any 'dst host 192.168.2.78 and icmp' 4

View interface counters

diag hardware deviceinfo nic wan1
diagnose netlink interface list wan1
diagnose netlink interface clear wan1

MTU and counters

fnsysctl ifconfig -a LAN

Log in to cluster node 2 and synchronize

exe ha manage 0
execute ha synchronize start

Reset a BGP neighborship

execute router clear bgp all soft out
execute router clear bgp ip <neighbor_ip>

View routes advertised to a BGP neighbor

get router info bgp neighbors 10.0.6.23 advertised-routes
get router info bgp neighbors 172.17.0.146 advertised-routes
get router info bgp neighbors 198.18.28.5 advertised-routes
get router info bgp neighbors 198.18.28.9 advertised-routes
get router info bgp neighbors 172.17.40.25 advertised-routes
get router info bgp neighbors 10.0.16.10 advertised-routes

View routes received from a BGP neighbor

get router info bgp neighbors 10.0.6.23 routes
get router info bgp neighbors 172.17.0.2 routes
get router info bgp neighbors 198.18.28.5 routes
get router info bgp neighbors 198.18.28.9 routes
get router info bgp neighbors 172.17.240.25 routes
get router info bgp neighbors 10.20.0.0 routes

View BGP routes matching a route-map

get router info bgp route-map test

Factory reset

exec factoryreset

View the ARP table

get system arp

Check whether OSPF packets are being exchanged

diagnose sniffer packet any "proto 89" 4

Debug routing (RIP, OSPF, BGP, static routes, ECMP)


LTE modem signal

diagnose sys lte-modem sim-info

Restart the SNMP service

diagnose test application snmpd 99

Disable the VLAN switch

config system global
    set virtual-switch-vlan disable
end

Switch master to slave without a reboot

  1. Change the priority
  2. Reset the uptime:

diagnose sys ha reset-uptime

Upgrade the cluster at the same time

config system ha
    set uninterruptible-upgrade enable
end

Tip

Log & Report > System Events, filter Message: "Link monitor"