Introduction
Fortinet is a leading global vendor of network security, SD-WAN and wired/wireless access networking equipment. Its solutions cover access control, authentication, public and private cloud security, endpoint security, AI-driven advanced threat protection for carriers, and security for data centres, enterprises and distributed offices. FortiGate is Fortinet's firewall product line.
Essentially every firewall, switch and router offers a CLI console for configuring interfaces, and FortiGate is no exception.
FortiOS CLI commands follow a Command + Object (+ Sub-command) pattern:
Command: config, show, get, execute (abbreviated exe), diagnose
Sub-command (inside a config table): edit, set, unset, next, end
Object: for example system interface
Entering the CLI
After connecting to the FortiGate through the MGMT port (default IP 192.168.1.99) or the console port, the first thing you see is
Hostname login:_
On first login the default username is admin with an empty password; the system then forces you to set a new password before continuing.
Adding local users and groups
config user local defines local users for firewall authentication (VPN, captive portal, identity-based policies). Administrator accounts live in a separate table, config system admin, and are not created here.
config user local
edit user1
set type password
set password "ABC12345"
next
end
After edit user1, if no user with that name exists, a new local user named user1 is created. set type password makes it a locally authenticated user (as opposed to ldap, radius or tacacs+), next saves the entry, and end leaves the config user local table.
config user group
edit worker_group
set member user1 user2 user3
next
end
set member user1 user2 user3 adds the three users to worker_group; each member must already exist as a user, otherwise the command is rejected. next saves the group and end exits config user group.
Viewing system information
FGVMEVMGX-PAXVDA # get system status
Version: FortiGate-VM64 v7.2.3,build1262,221109 (GA.F)
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
IoT-Detect: 0.00000(2001-01-01 00:00)
Serial-Number: FGVMEVMGX-PAXVDA
License Status: Valid
VM Resources: 1 CPU/1 allowed, 2007 MB RAM/2048 MB allowed
Log hard disk: Available
Hostname: FGVMEVMGX-PAXVDA
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 2
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 1262
Release Version Information: GA
FortiOS x86-64: Yes
System time: Wed Jan 4 14:31:52 2023
Last reboot reason: warm reboot
This shows the FortiOS version and build, serial number, license status, hostname, operation mode, VDOM and HA status, FIPS-CC mode and system time (hardware appliances also report the BIOS version). Pay attention to the signature database timestamps: on this VM the IPS definitions date from 2015 and the AV definitions from 2018 despite a valid license, so the engines are running stale definitions. Check FortiGuard update status with diagnose autoupdate versions before relying on IPS/AV coverage.
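As an added example (not part of the original page and not Fortinet code), the following Python parses a get system status capture like the one above and flags signature databases whose build date is old relative to the appliance clock. The sample text is copied from the output above; the 365-day staleness threshold is an assumption, not a Fortinet recommendation.

```python
"""Parse `get system status` output and flag stale signature databases.

Added example, not FortiOS code or part of the original page. SAMPLE is
copied from the output shown on the page; MAX_AGE_DAYS is an assumed
threshold chosen for illustration."""
import re
from datetime import datetime

SAMPLE = """\
Version: FortiGate-VM64 v7.2.3,build1262,221109 (GA.F)
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
IPS-DB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
IoT-Detect: 0.00000(2001-01-01 00:00)
Serial-Number: FGVMEVMGX-PAXVDA
License Status: Valid
FIPS-CC mode: disable
System time: Wed Jan 4 14:31:52 2023
"""

MAX_AGE_DAYS = 365  # assumption: definitions older than a year are stale

# e.g. "IPS-DB: 6.00741(2015-12-01 02:30)"
DB_LINE = re.compile(
    r"^(?P<name>[^:]+):\s*(?P<ver>[\d.]+)\((?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\)$")
# e.g. "v7.2.3,build1262"
FW_VERSION = re.compile(r"\bv(\d+)\.(\d+)\.(\d+),build(\d+)")


def parse_status(text):
    """Split status output into plain fields and signature databases.

    Returns (fields, dbs): fields maps "Key" -> "value" for ordinary lines,
    dbs maps a database name -> (version string, build timestamp)."""
    fields, dbs = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = DB_LINE.match(line)
        if m:
            stamp = datetime.strptime(m["stamp"], "%Y-%m-%d %H:%M")
            dbs[m["name"].strip()] = (m["ver"], stamp)
        elif ":" in line:
            key, value = line.split(":", 1)  # "System time" itself contains colons
            fields[key.strip()] = value.strip()
    return fields, dbs


def firmware_version(fields):
    """Return (major, minor, patch, build) parsed from the Version line."""
    m = FW_VERSION.search(fields.get("Version", ""))
    return tuple(int(x) for x in m.groups()) if m else None


def system_time(fields):
    """Parse the appliance clock, e.g. "Wed Jan 4 14:31:52 2023"."""
    return datetime.strptime(fields["System time"], "%a %b %d %H:%M:%S %Y")


def stale_databases(dbs, now, max_age_days=MAX_AGE_DAYS):
    """Map each database older than max_age_days to its age in days.

    A version of 0.00000 with a 2001 timestamp means the database was never
    downloaded; it is reported like any other stale entry."""
    return {name: (now - stamp).days
            for name, (_ver, stamp) in dbs.items()
            if (now - stamp).days > max_age_days}


def report(text=SAMPLE):
    """Print a summary and return the stale-database mapping."""
    fields, dbs = parse_status(text)
    stale = stale_databases(dbs, system_time(fields))
    print("firmware:", firmware_version(fields), "license:", fields.get("License Status"))
    for name, age in sorted(stale.items(), key=lambda kv: -kv[1]):
        print(f"STALE {name}: {age} days old")
    return stale


if __name__ == "__main__":
    report()
```

Run it against a saved get system status capture. On this page's output it reports all five databases as stale, the IPS definitions by more than seven years, which is the check a practitioner wants before trusting the IPS attacks blocked counter later on this page.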
FGVMEVMGX-PAXVDA # show system interface
config system interface
edit "port1"
set vdom "root"
set mode dhcp
set allowaccess ping https ssh http fgfm
set type physical
set snmp-index 1
next
edit "port2"
set vdom "root"
set type physical
set snmp-index 2
next
edit "port3"
set vdom "root"
set type physical
set snmp-index 3
next
edit "naf.root"
set vdom "root"
set type tunnel
set src-check disable
set snmp-index 11
next
edit "l2t.root"
set vdom "root"
set type tunnel
set snmp-index 12
next
edit "ssl.root"
set vdom "root"
set type tunnel
set alias "SSL VPN interface"
set snmp-index 13
next
edit "fortilink"
set vdom "root"
set fortilink enable
set ip 10.255.1.1 255.255.255.0
set allowaccess ping fabric
set type aggregate
set lldp-reception enable
set lldp-transmission enable
set snmp-index 14
next
end
This shows the interface configuration: VDOM, IP address, alias, type, role (when set) and, most importantly, which management protocols each interface accepts (allowaccess). Here port1 accepts http as well as https, ssh and fgfm, and takes its address from DHCP. Cleartext HTTP management should be removed from any interface reachable from untrusted networks, and administrative access should additionally be restricted with trusted hosts on the administrator accounts.
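As an added example (not part of the original page and not Fortinet code), the Python below parses show system interface output into a dictionary and reports which interfaces expose administrative access. The parser handles the general config/edit/set/next/end structure, so it also works on other show output such as the DHCP server block later on this page. The sample is trimmed from the output above; treating http and telnet as cleartext, and http, https, ssh, telnet, snmp and fgfm as administrative protocols, is an assumption made for this audit.

```python
"""Audit administrative access per interface from `show system interface`.

Added example, not FortiOS code or part of the original page. SAMPLE is
trimmed from the output shown on the page; ADMIN_PROTOCOLS and CLEARTEXT
are assumptions about which allowaccess keywords matter for the audit."""
import shlex

SAMPLE = """\
config system interface
    edit "port1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set type physical
        set snmp-index 2
    next
    edit "fortilink"
        set vdom "root"
        set fortilink enable
        set ip 10.255.1.1 255.255.255.0
        set allowaccess ping fabric
        set type aggregate
        set lldp-reception enable
        set snmp-index 14
    next
end
"""

ADMIN_PROTOCOLS = {"http", "https", "ssh", "telnet", "snmp", "fgfm"}  # assumption
CLEARTEXT = {"http", "telnet"}  # unencrypted management protocols


def parse_show(text):
    """Turn FortiOS `show` output into nested dicts.

    config <table> opens a table, edit <name> opens an entry in it, set
    stores attr -> [values], next closes the entry and end closes the table.
    An end typed directly inside an entry also closes that entry, as the CLI
    itself does. Nested config blocks (e.g. ip-range under a DHCP server)
    become sub-dicts of the enclosing entry."""
    root = {}
    stack = [("table", root)]
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # honours quoted values like "SSL VPN interface"
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            table = stack[-1][1].setdefault(" ".join(args), {})
            stack.append(("table", table))
        elif kw == "edit":
            entry = stack[-1][1].setdefault(args[0], {})
            stack.append(("entry", entry))
        elif kw == "set":
            stack[-1][1][args[0]] = args[1:]
        elif kw == "unset":
            stack[-1][1].pop(args[0], None)
        elif kw == "next":
            if stack[-1][0] == "entry":
                stack.pop()
        elif kw == "end":
            while len(stack) > 1 and stack[-1][0] == "entry":  # implicit next
                stack.pop()
            if len(stack) > 1:
                stack.pop()
    return root


def audit_admin_access(config):
    """Return one finding per interface that allows any ADMIN_PROTOCOLS.

    severity is "high" when a cleartext protocol is enabled, otherwise
    "info"; dhcp marks interfaces whose address is not statically controlled,
    where exposed management is harder to fence off with trusted hosts."""
    findings = []
    for name, attrs in config.get("system interface", {}).items():
        access = set(attrs.get("allowaccess", []))
        admin = access & ADMIN_PROTOCOLS
        if not admin:
            continue
        clear = access & CLEARTEXT
        findings.append({
            "interface": name,
            "admin": sorted(admin),
            "cleartext": sorted(clear),
            "severity": "high" if clear else "info",
            "dhcp": attrs.get("mode") == ["dhcp"],
        })
    return findings


def run_audit(text=SAMPLE):
    """Print findings for a `show system interface` capture and return them."""
    findings = audit_admin_access(parse_show(text))
    for f in findings:
        extra = f" cleartext={','.join(f['cleartext'])}" if f["cleartext"] else ""
        print(f"[{f['severity']}] {f['interface']}: admin={','.join(f['admin'])}{extra}")
    return findings


if __name__ == "__main__":
    run_audit()
```

Against the sample it reports port1 as high severity (http enabled alongside https, ssh and fgfm, on a DHCP-addressed interface) and nothing for port2 or fortilink, whose ping and fabric access are outside the administrative set assumed above. Feed it the full show system interface output from a real device to get the same per-interface view.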
FGVMEVMGX-PAXVDA # get system session list
PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT
udp 66 127.0.0.1:6826 - 127.0.0.1:9980 -
igmp 488 10.255.1.1:0 - 224.0.0.22:0 -
tcp 3580 192.168.0.104:8729 - 224.0.0.22:443 -
tcp 0 127.0.0.1:12946 - 127.0.0.1:9980 -
udp 161 192.168.0.104:1056 - 224.0.0.22:53 -
This lists the current session table: protocol, remaining expiry timer in seconds, source, destination, and any source or destination NAT translation applied to each session.
FGVMEVMGX-PAXVDA # diagnose system top
Run Time: 0 days, 0 hours and 6 minutes
0U, 0N, 0S, 100I, 0WA, 0HI, 0SI, 0ST; 2007T, 1288F
node 174 S 0.2 2.1 0
forticron 183 S 0.2 1.2 0
openvmtools 218 S 0.2 0.1 0
ipshelper 219 S < 0.0 1.9 0
cw_acd 212 S 0.0 1.3 0
miglogd 192 S 0.0 1.2 0
cmdbsvr 143 S 0.0 1.1 0
httpsd 173 S 0.0 1.1 0
fgfmd 211 S 0.0 1.1 0
newcli 328 S 0.0 1.1 0
csfd 215 S 0.0 1.0 0
autod 216 S 0.0 1.0 0
forticldd 184 S 0.0 1.0 0
httpsd 370 S 0.0 0.9 0
miglogd 290 S 0.0 0.9 0
reportd 193 S 0.0 0.9 0
initXXXXXXXXXXX 1 S 0.0 0.9 0
updated 196 S 0.0 0.7 0
dnsproxy 217 S 0.0 0.7 0
fnbamd 181 S 0.0 0.7 0
This shows the processes running on the system. The header line gives CPU usage (U user, N nice, S system, I idle, WA iowait, HI/SI hard and soft interrupts, ST steal) followed by total and free memory in MB; each process line shows name, PID, state, CPU% and memory%. S means sleeping, R means running, and a < after the state marks a high-priority process. A specific process can later be terminated by PID with diagnose sys kill <signal> <pid>.
FGVMEVMGX-PAXVDA # get system performance status
CPU states: 1% user 0% system 0% nice 99% idle 0% iowait 0% irq 0% softirq
CPU0 states: 1% user 0% system 0% nice 99% idle 0% iowait 0% irq 0% softirq
Memory: 2055916k total, 490932k used (23.9%), 1318136k free (64.1%), 246848k freeable (12.0%)
Average network usage: 5 / 9 kbps in 1 minute, 13 / 37 kbps in 10 minutes, 10 / 31 kbps in 30 minutes
Maximal network usage: 14 / 18 kbps in 1 minute, 755 / 4283 kbps in 10 minutes, 755 / 4283 kbps in 30 minutes
Average sessions: 22 sessions in 1 minute, 31 sessions in 10 minutes, 27 sessions in 30 minutes
Maximal sessions: 26 sessions in 1 minute, 104 sessions in 10 minutes, 104 sessions in 30 minutes
Average session setup rate: 0 sessions per second in last 1 minute, 0 sessions per second in last 10 minutes, 0 sessions per second in last 30 minutes
Maximal session setup rate: 5 sessions per second in last 1 minute, 45 sessions per second in last 10 minutes, 45 sessions per second in last 30 minutes
Average NPU sessions: 0 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
Maximal NPU sessions: 0 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 0 days, 0 hours, 8 minutes
FGVMEVMGX-PAXVDA # get system performance firewall statistics
getting traffic statistics...
Browsing: 4665 packets, 3228452 bytes
DNS: 266 packets, 53640 bytes
E-Mail: 0 packets, 0 bytes
FTP: 0 packets, 0 bytes
Gaming: 0 packets, 0 bytes
IM: 0 packets, 0 bytes
Newsgroups: 0 packets, 0 bytes
P2P: 0 packets, 0 bytes
Streaming: 0 packets, 0 bytes
TFTP: 0 packets, 0 bytes
VoIP: 0 packets, 0 bytes
Generic TCP: 4906 packets, 1403848 bytes
Generic UDP: 80 packets, 23542 bytes
Generic ICMP: 0 packets, 0 bytes
Generic IP: 24 packets, 1344 bytes
With get system performance [option] you can read a specific resource or metric: CPU, memory, network and session counters as above, or the per-category firewall traffic statistics.
FGVMEVMGX-PAXVDA # show system dhcp server
config system dhcp server
edit 1
set ntp-service local
set default-gateway 10.255.1.1
set netmask 255.255.255.0
set interface "fortilink"
config ip-range
edit 1
set start-ip 10.255.1.2
set end-ip 10.255.1.254
next
end
set vci-match enable
set vci-string "FortiSwitch" "FortiExtender"
next
end
FGVMEVMGX-PAXVDA # show system dns
config system dns
set primary 96.45.45.45
set secondary 96.45.46.46
end
show system [object] prints the configuration of a specific system object. show only outputs settings that differ from their defaults, in the same syntax used to configure them, so the output can be pasted straight back into a CLI.
FGVMEVMGX-PAXVDA # get system dns
primary : 96.45.45.45
secondary : 96.45.46.46
protocol : cleartext
ssl-certificate : Fortinet_Factory
domain :
ip6-primary : ::
ip6-secondary : ::
timeout : 5
retry : 2
dns-cache-limit : 5000
dns-cache-ttl : 1800
cache-notfound-responses: disable
source-ip : 0.0.0.0
interface-select-method: auto
server-select-method: least-rtt
alt-primary : 0.0.0.0
alt-secondary : 0.0.0.0
log : disable
fqdn-cache-ttl : 0
fqdn-min-refresh : 60
get system [object] reads the same object but prints every attribute with its effective value, including the defaults that show omits. Here that exposes protocol : cleartext, meaning the firewall's own DNS queries to the FortiGuard resolvers 96.45.45.45 and 96.45.46.46 travel unencrypted; FortiOS can instead use DNS over TLS by setting protocol to dot.
Changing the hostname
FGVMEVMGX-PAXVDA # config system global
FGVMEVMGX-PAXVDA (global) # set hostname "Hase-Fortigate"
FGVMEVMGX-PAXVDA (global) # end
Hase-Fortigate #
The hostname lives in system global, so enter config system global and run set hostname "xxxx" to rename the firewall to xxxx; the prompt changes as soon as end commits the change.