Introduction

Fortinet is a global leader in network security and in SD-WAN and wired and wireless access networking equipment. Its solutions cover access control, authentication, public and private cloud security, endpoint security, AI-driven advanced threat protection for carriers, and security for data centers, enterprises and distributed offices. FortiGate is Fortinet's firewall product line.

Basically all firewalls, switches and routers provide a CLI console for configuring interfaces. FortiOS commands follow this structure:

Command(config,show,get,exe) Sub-Command(edit,set) Object(interface)

Entering the CLI

After connecting to the FortiGate through the MGMT port (default IP: 192.168.1.99) or the console port, the first thing you see is

Hostname login:_

On the first login the default username is admin with an empty password. The system then requires you to change the default password.

Adding a user or setting permissions for an existing user

config user local
edit user1
set type password
set password "ABC12345"
next
end

After executing edit user1, if no user with that name exists, the system creates a new user named "user1".

config user group
edit worker_group
set member user1 user2 user3
end

After executing set member user1 user2 user3, the users user1, user2 and user3 are added to the group worker_group; executing end leaves config user group.

Viewing the system

FGVMEVMGX-PAXVDA # get system status 
Version: FortiGate-VM64 v7.2.3,build1262,221109 (GA.F)
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
IoT-Detect: 0.00000(2001-01-01 00:00)
Serial-Number: FGVMEVMGX-PAXVDA
License Status: Valid
VM Resources: 1 CPU/1 allowed, 2007 MB RAM/2048 MB allowed
Log hard disk: Available
Hostname: FGVMEVMGX-PAXVDA
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 2
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 1262
Release Version Information: GA
FortiOS x86-64: Yes
System time: Wed Jan  4 14:31:52 2023
Last reboot reason: warm reboot

This shows the FortiOS version, hostname, BIOS version, system time and other information.

FGVMEVMGX-PAXVDA # show system interface 
config system interface
    edit "port1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set type physical
        set snmp-index 2
    next
    edit "port3"
        set vdom "root"
        set type physical
        set snmp-index 3
    next
    edit "naf.root"
        set vdom "root"
        set type tunnel
        set src-check disable
        set snmp-index 11
    next
    edit "l2t.root"
        set vdom "root"
        set type tunnel
        set snmp-index 12
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 13
    next
    edit "fortilink"
        set vdom "root"
        set fortilink enable
        set ip 10.255.1.1 255.255.255.0
        set allowaccess ping fabric
        set type aggregate
        set lldp-reception enable
        set lldp-transmission enable
        set snmp-index 14
    next
end

This shows the interface settings on the firewall, including IP address, alias, type, role and other information.
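As an added example (not from the original post), the following Python parses output in the nested config/edit/set/next/end shape shown above and reports interfaces whose allowaccess list includes a cleartext management protocol. The sample is the port1 and port2 entries from the output above; the set of protocols treated as cleartext is my own choice.

```python
import shlex
# port1 and port2 entries copied from the `show system interface` output above.
SAMPLE = """\
config system interface
    edit "port1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set type physical
        set snmp-index 2
    next
end
"""

CLEARTEXT = {"http", "telnet"}  # management protocols that travel unencrypted


def parse_interfaces(text):
    """Return {interface_name: {setting: [values]}} from show-style output."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        tokens = shlex.split(raw) or [""]  # shlex strips the quotes around "port1"
        if tokens[0] == "edit":
            current = tokens[1]
            interfaces[current] = {}
        elif tokens[0] == "set" and current is not None:
            interfaces[current][tokens[1]] = tokens[2:]
        elif tokens[0] == "next":
            current = None
    return interfaces


def cleartext_management(interfaces):
    """Map each interface exposing a cleartext protocol to those protocols."""
    findings = {}
    for name, cfg in interfaces.items():
        exposed = sorted(set(cfg.get("allowaccess", [])) & CLEARTEXT)
        if exposed:
            findings[name] = exposed
    return findings


if __name__ == "__main__":
    for name, protos in cleartext_management(parse_interfaces(SAMPLE)).items():
        print(f"{name}: cleartext management access via {', '.join(protos)}")
```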

FGVMEVMGX-PAXVDA # get system session list 
PROTO   EXPIRE SOURCE           SOURCE-NAT       DESTINATION      DESTINATION-NAT 
udp     66     127.0.0.1:6826   -                127.0.0.1:9980   -               
igmp    488    10.255.1.1:0     -                224.0.0.22:0     -               
tcp     3580   192.168.0.104:8729 -                224.0.0.22:443 -               
tcp     0      127.0.0.1:12946  -                127.0.0.1:9980   -               
udp     161    192.168.0.104:1056 -                224.0.0.22:53 -               

This shows the sessions currently on the system, including protocol, source, destination and other information.

FGVMEVMGX-PAXVDA # diagnose system top 
Run Time:  0 days, 0 hours and 6 minutes
0U, 0N, 0S, 100I, 0WA, 0HI, 0SI, 0ST; 2007T, 1288F
            node      174      S       0.2     2.1    0
       forticron      183      S       0.2     1.2    0
     openvmtools      218      S       0.2     0.1    0
       ipshelper      219      S <     0.0     1.9    0
          cw_acd      212      S       0.0     1.3    0
         miglogd      192      S       0.0     1.2    0
         cmdbsvr      143      S       0.0     1.1    0
          httpsd      173      S       0.0     1.1    0
           fgfmd      211      S       0.0     1.1    0
          newcli      328      S       0.0     1.1    0
            csfd      215      S       0.0     1.0    0
           autod      216      S       0.0     1.0    0
       forticldd      184      S       0.0     1.0    0
          httpsd      370      S       0.0     0.9    0
         miglogd      290      S       0.0     0.9    0
         reportd      193      S       0.0     0.9    0
 initXXXXXXXXXXX        1      S       0.0     0.9    0
         updated      196      S       0.0     0.7    0
        dnsproxy      217      S       0.0     0.7    0
          fnbamd      181      S       0.0     0.7    0

This shows the processes running on the system; a specific process can later be terminated with a command. S means sleeping and R means running.

FGVMEVMGX-PAXVDA # get system performance status 
CPU states: 1% user 0% system 0% nice 99% idle 0% iowait 0% irq 0% softirq
CPU0 states: 1% user 0% system 0% nice 99% idle 0% iowait 0% irq 0% softirq
Memory: 2055916k total, 490932k used (23.9%), 1318136k free (64.1%), 246848k freeable (12.0%)
Average network usage: 5 / 9 kbps in 1 minute, 13 / 37 kbps in 10 minutes, 10 / 31 kbps in 30 minutes
Maximal network usage: 14 / 18 kbps in 1 minute, 755 / 4283 kbps in 10 minutes, 755 / 4283 kbps in 30 minutes
Average sessions: 22 sessions in 1 minute, 31 sessions in 10 minutes, 27 sessions in 30 minutes
Maximal sessions: 26 sessions in 1 minute, 104 sessions in 10 minutes, 104 sessions in 30 minutes
Average session setup rate: 0 sessions per second in last 1 minute, 0 sessions per second in last 10 minutes, 0 sessions per second in last 30 minutes
Maximal session setup rate: 5 sessions per second in last 1 minute, 45 sessions per second in last 10 minutes, 45 sessions per second in last 30 minutes
Average NPU sessions: 0 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
Maximal NPU sessions: 0 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 0 days,  0 hours,  8 minutes

FGVMEVMGX-PAXVDA # get system performance firewall statistics 
getting traffic statistics...
Browsing: 4665 packets, 3228452 bytes
DNS: 266 packets, 53640 bytes
E-Mail: 0 packets, 0 bytes
FTP: 0 packets, 0 bytes
Gaming: 0 packets, 0 bytes
IM: 0 packets, 0 bytes
Newsgroups: 0 packets, 0 bytes
P2P: 0 packets, 0 bytes
Streaming: 0 packets, 0 bytes
TFTP: 0 packets, 0 bytes
VoIP: 0 packets, 0 bytes
Generic TCP: 4906 packets, 1403848 bytes
Generic UDP: 80 packets, 23542 bytes
Generic ICMP: 0 packets, 0 bytes
Generic IP: 24 packets, 1344 bytes

With get system performance [option] [option], you can view a specific resource usage or a specific metric.

FGVMEVMGX-PAXVDA # show system dhcp server 
config system dhcp server
    edit 1
        set ntp-service local
        set default-gateway 10.255.1.1
        set netmask 255.255.255.0
        set interface "fortilink"
        config ip-range
            edit 1
                set start-ip 10.255.1.2
                set end-ip 10.255.1.254
            next
        end
        set vci-match enable
        set vci-string "FortiSwitch" "FortiExtender"
    next
end

FGVMEVMGX-PAXVDA # show system dns 
config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
end

With show system [option] [option], you can view the configuration of a specific system object.

FGVMEVMGX-PAXVDA # get system dns 
primary             : 96.45.45.45
secondary           : 96.45.46.46
protocol            : cleartext 
ssl-certificate     : Fortinet_Factory 
domain              :
ip6-primary         : ::
ip6-secondary       : ::
timeout             : 5
retry               : 2
dns-cache-limit     : 5000
dns-cache-ttl       : 1800
cache-notfound-responses: disable 
source-ip           : 0.0.0.0
interface-select-method: auto 
server-select-method: least-rtt 
alt-primary         : 0.0.0.0
alt-secondary       : 0.0.0.0
log                 : disable 
fqdn-cache-ttl      : 0
fqdn-min-refresh    : 60

Similarly, get system [option] [option] achieves the same result.

Changing the hostname

FGVMEVMGX-PAXVDA # config system global 

FGVMEVMGX-PAXVDA (global) # set hostname "Hase-Fortigate"

FGVMEVMGX-PAXVDA (global) # end

Hase-Fortigate # 

The hostname is set under system global, so after entering the global configuration with config system global, executing set hostname "xxxx" renames the firewall to xxxx.