Fortinet commands


Traffic capture

diag sniffer packet port1 'host 10.84.162.9' 4 2

Verbose levels in detail:
1: print header of packets
2: print header and IP data of packets
3: print header and Ethernet data of packets
4: print header of packets with interface name
5: print header and IP data of packets with interface name
6: print header and Ethernet data of packets with interface name

diag sniffer packet <interface> <'filter'> <verbose> <count>

Interface: the interface on which traffic is captured.
Filter: filter for the trace to capture.
Verbose: level of detail, as described above.
Count: number of packets to capture.

Examples

# diag sniffer packet internal none 4 3
internal in 192.168.0.1.22 -> 192.168.0.30.1144: psh 2859918764 ack 1949135261
internal in 192.168.0.1.22 -> 192.168.0.30.1144: psh 2859918816 ack 1949135261
internal out 192.168.0.30.1144 -> 192.168.0.1.22: ack 2859918884

diag sniffer packet internal none 5 1
internal in 192.168.0.1.22 -> 192.168.0.30.1144: psh 2867817048 ack 1951061933
0x0000   4510 005c 8eb1 4000 4006 2a6b c0a8 0001   E..\..@.@.*k....
0x0010   c0a8 001e 0016 0478 aaef 6a58 744a d7ad   .......x..jXtJ..
0x0020   5018 0b5c 8ab9 0000 9819 880b f465 62a8   P..\.........eb.
0x0030   3eaf 3804 3fee 2555 8deb 24da dd0d c684   >.8.?.%U..$.....
0x0040   08a9 7907 202d 5898 a85c facb 8c0a f9e5   ..y..-X..\......
0x0050   bd9c b649 5318 7fc5 c415 5a59             ...IS.....ZY

# diag sniffer packet internal 'src host 192.168.0.130 and dst host 192.168.0.1' 1
192.168.0.130.3426 -> 192.168.0.1.80: syn 1325244087
192.168.0.1.80 -> 192.168.0.130.3426: syn 3483111189 ack 1325244088
192.168.0.130.3426 -> 192.168.0.1.80: ack 3483111190
192.168.0.130.3426 -> 192.168.0.1.80: psh 1325244088 ack 3483111190
192.168.0.1.80 -> 192.168.0.130.3426: ack 1325244686
192.168.0.130.1035 -> 192.168.0.1.53: udp 26
192.168.0.130.1035 -> 192.168.0.1.53: udp 42
192.168.0.130.1035 -> 192.168.0.1.53: udp 42
192.168.0.130 -> 192.168.0.1: icmp: echo request
192.168.0.130.3426 -> 192.168.0.1.80: psh 1325244686 ack 3483111190
192.168.0.1.80 -> 192.168.0.130.3426: ack 1325244735
192.168.0.130 -> 192.168.0.1: icmp: echo request

# diag sniffer packet internal 'src host 192.168.0.130 and dst host 192.168.0.1 and tcp' 1
192.168.0.130.3569 -> 192.168.0.1.23: syn 1802541497
192.168.0.1.23 -> 192.168.0.130.3569: syn 4238146022 ack 1802541498
192.168.0.130.3569 -> 192.168.0.1.23: ack 4238146023

# diag sniffer packet internal 'host 192.168.0.130 and icmp' 1
192.168.0.130 -> 192.168.0.1: icmp: echo request
192.168.0.1 -> 192.168.0.130: icmp: echo reply

# diag sniffer packet internal 'host 192.168.0.130 or 192.168.0.1 and tcp port 80' 1
192.168.0.130.3625 -> 192.168.0.1.80: syn 2057246590
192.168.0.1.80 -> 192.168.0.130.3625: syn 3291168205 ack 2057246591
192.168.0.130.3625 -> 192.168.0.1.80: ack 3291168206
192.168.0.130.3625 -> 192.168.0.1.80: psh 2057246591 ack 3291168206
192.168.0.1.80 -> 192.168.0.130.3625: ack 2057247265

Filtering can also be used to display packets based on their content, using hexadecimal byte positions.

Match TTL = 1:
# diagnose sniffer packet port2 "ip[8:1] = 0x01"

Match Source IP address = 192.168.1.2:
# diagnose sniffer packet internal "(ether[26:4]=0xc0a80102)"

Match Source MAC = 00:09:0f:89:10:ea:
# diagnose sniffer packet internal "(ether[6:4]=0x00090f89) and (ether[10:2]=0x10ea)"

Match Destination MAC = 00:09:0f:89:10:ea:
# diagnose sniffer packet internal "(ether[0:4]=0x00090f89) and (ether[4:2]=0x10ea)"

Match ARP packets only:
# diagnose sniffer packet internal "ether proto 0x0806"

TCP or UDP flags can be addressed using the following:

Match packets with RST flag set:
# diagnose sniffer packet internal "tcp[13] & 4 != 0"

Match packets with SYN flag set:
# diagnose sniffer packet internal "tcp[13] & 2 != 0"

Match packets with SYN-ACK flag set:
# diagnose sniffer packet internal "tcp[13] = 18"
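As an added example (not part of the original cheat sheet or of Fortinet's own tooling), the following Python rebuilds the raw packet from the verbose-level-5 dump shown earlier and evaluates byte-offset filters of the kind listed above against it, so you can confirm what an expression such as tcp[13] & 2 != 0 really tests before running it on the firewall. It handles only ip[] and tcp[] offsets, because the level-5 dump carries no Ethernet header; the dump text is embedded as constructed input.

```python
import re

# Constructed input: the verbose-5 sniffer dump reproduced above (IP header + payload, no Ethernet header).
DUMP = """\
0x0000   4510 005c 8eb1 4000 4006 2a6b c0a8 0001   E..\\..@.@.*k....
0x0010   c0a8 001e 0016 0478 aaef 6a58 744a d7ad   .......x..jXtJ..
0x0020   5018 0b5c 8ab9 0000 9819 880b f465 62a8   P..\\.........eb.
0x0030   3eaf 3804 3fee 2555 8deb 24da dd0d c684   >.8.?.%U..$.....
0x0040   08a9 7907 202d 5898 a85c facb 8c0a f9e5   ..y..-X..\\......
0x0050   bd9c b649 5318 7fc5 c415 5a59             ...IS.....ZY
"""

def dump_to_bytes(dump):
    """Rebuild the raw packet from the hex words of each row; the offset and ASCII columns are skipped."""
    out = bytearray()
    for line in dump.splitlines():
        for word in line.split()[1:]:          # [0] is the 0x00n0 offset
            if not re.fullmatch(r"[0-9a-f]{4}", word):
                break                          # first non-hex word starts the ASCII column
            out += bytes.fromhex(word)
    return bytes(out)

def ip_fields(pkt):
    """Decode the IPv4/TCP fields the sniffer summary line prints, plus the byte the flag filters test."""
    ihl = (pkt[0] & 0x0F) * 4                  # IP header length: the TCP header starts here
    tcp = pkt[ihl:]
    return {
        "ttl": pkt[8], "proto": pkt[9],
        "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
        "sport": int.from_bytes(tcp[0:2], "big"), "dport": int.from_bytes(tcp[2:4], "big"),
        "seq": int.from_bytes(tcp[4:8], "big"), "ack": int.from_bytes(tcp[8:12], "big"),
        "tcp_flags": tcp[13],                  # the byte that 'tcp[13]' filters inspect
    }

# Filter grammar handled here: ip[off:len] or tcp[off:len], optional '& mask', then '=' or '!=' a value.
FILTER_RE = re.compile(r"(ip|tcp)\[(\d+)(?::(\d+))?\]\s*(?:&\s*(\w+))?\s*(!?=)\s*(\w+)")

def match_filter(pkt, expr):
    """Evaluate one byte-offset filter, e.g. 'ip[8:1] = 0x01' or 'tcp[13] & 2 != 0', against a raw IP packet.
    As in the sniffer, tcp[] offsets count from the start of the TCP header, not from the IP header."""
    m = FILTER_RE.fullmatch(expr.strip())
    if not m:
        raise ValueError("unsupported filter: " + expr)
    proto, off, size, mask, op, val = m.groups()
    base = 0 if proto == "ip" else (pkt[0] & 0x0F) * 4
    start = base + int(off)
    value = int.from_bytes(pkt[start:start + int(size or 1)], "big")
    if mask:
        value &= int(mask, 0)
    return value == int(val, 0) if op == "=" else value != int(val, 0)
```

On this capture the decoded fields agree with the summary line (22 -> 1144, seq 2867817048, ack 1951061933) and the flags byte is 0x18 (PSH and ACK), so the RST, SYN and SYN-ACK filters above all return False while tcp[13] & 8 != 0 returns True. Note that 18 in "tcp[13] = 18" is decimal, i.e. 0x12, the SYN and ACK bits together.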

Technical documentation link: http://docs.fortinet.com




Show interface parameters: diagnose hardware deviceinfo nic port1



Show the general configuration of the appliance and the status of its modules: get sys status

myfirewall1 # get sys status
Version: Fortigate-50B v4.0,build0535,120511 (MR3 Patch 7)
Virus-DB: 14.00000(2011-08-24 17:17)
Extended DB: 14.00000(2011-08-24 17:09)
IPS-DB: 3.00150(2012-02-15 23:15)
FortiClient application signature package: 1.529(2012-10-09 10:00)
Serial-Number: FGT50B1234567890
BIOS version: 04000010
Log hard disk: Not available
Hostname: myfirewall1
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Distribution: International
Branch point: 234
Release Version Information: MR3 Patch 7
System time: Thu Nov 15 13:12:30 2012



Show the traffic statistics accumulated so far: get system performance firewall statistics

myfirewall1 # get system performance firewall statistics
getting traffic statistics...
Browsing: 544083 packets, 80679942 bytes
DNS: 19333 packets, 2400831 bytes
E-Mail: 52 packets, 3132 bytes
FTP: 0 packets, 0 bytes
Gaming: 0 packets, 0 bytes
IM: 0 packets, 0 bytes
Newsgroups: 0 packets, 0 bytes
P2P: 0 packets, 0 bytes
Streaming: 0 packets, 0 bytes
TFTP: 0 packets, 0 bytes
VoIP: 0 packets, 0 bytes
Generic TCP: 13460 packets, 1301879 bytes
Generic UDP: 7056 packets, 647156 bytes
Generic ICMP: 172 packets, 11804 bytes
Generic IP: 26 packets, 832 bytes



Show CPU status and uptime: get system performance status

myfirewall1 # get system performance status
CPU states: 0% user 0% system 0% nice 100% idle
CPU0 states: 0% user 0% system 0% nice 100% idle
Memory states: 48% used
Average network usage: 1 kbps in 1 minute, 0 kbps in 10 minutes, 0 kbps in 30 minutes
Average sessions: 0 sessions in 1 minute, 0 sessions in 10 minutes, 0 sessions in 30 minutes
Average session setup rate: 0 sessions per second in last 1 minute, 0 sessions per second in last 10 minutes, 0 sessions per second in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 24 days, 11 hours, 25 minutes

Show CPU usage sorted by the heaviest processes: get system performance top

myfirewall1 # get system performance top
Run Time: 24 days, 11 hours and 26 minutes
0U, 0S, 100I; 249T, 119F, 60KF
initXXXXXXXXXXX     1   S     0.0   4.5
cmdbsvr            23   S     0.0   6.8
zebos_launcher     27   S     0.0   4.7
uploadd            28   S     0.0   4.6
miglogd            29   S     0.0   5.9
miglogd            30   S     0.0   4.6
httpsd             31   S     0.0   7.0
nsm                32   S     0.0   1.1
ripd               33   S     0.0   0.9
ripngd             34   S     0.0   0.9
ospfd              35   S     0.0   0.9
proxyd             36   S     0.0   4.6
wad_diskd          37   S     0.0   4.6
scanunitd          38   S <   0.0   4.9
ospf6d             39   S     0.0   0.9
bgpd               40   S     0.0   1.0
isisd              41   S     0.0   0.9
proxyacceptor      42   S     0.0   0.7
proxyworker        43   S     0.0   1.8
getty              44   S <   0.0   4.6

 1 2 3 4 5 6 7 8 9 1 0 1 1 1 2

myfirewall1 # get sys ha status Model: 311 Mode: a-p Group: 0 Debug: 0 ses_pickup: enable Master:254 myfirewall1 FG311B1111111111 0 Slave :128 myfirewall2 FG311B1111111112 1 number of vcluster: 1 vcluster 1: work 10.0.0.1 Master:0 FG311B1111111111 Slave :1 FG311B1111111112



1 2 3 4 5 6 7

Mostrar el estado del módulo de High Availability: get sys ha status

Check the firewall session table: diag sys session full-stat

myfirewall1 # diag sys session full-stat
session table: table_size=65536 max_depth=1 used=2
expect session table: table_size=1024 max_depth=0 used=0
misc info: session_count=1 setup_rate=0 exp_count=0 clash=0
memory_tension_drop=0 ephemeral=0/16368 removeable=0 ha_scan=0
delete=0, flush=0, dev_down=0/0
TCP sessions:
1 in ESTABLISHED state
firewall error stat:
error1=00000000
error2=00000000
error3=00000000
error4=00000000
tt=00000000
cont=00000000
ids_recv=00000000
url_recv=00000000
av_recv=00000000
fqdn_count=00000000
tcp reset stat:
syncqf=0 acceptqf=0 no-listener=11025 data=0 ses=0 ips=0