sniffer and debug flow
Sniffer and debug flow copy-and-paste templates; change the IP addresses and they can be used directly:

diagnose sys session filter clear
diagnose sys session filter proto 6
diagnose sys session filter dport 3389
diagnose sys session filter dst 119.100.1.200
diagnose sys session clear
diagnose debug flow filter clear
diagnose debug flow filter addr 13.33.231.17
diagnose debug flow filter proto 17
diagnose debug flow filter sport 1263
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable

diagnose sys session filter proto 1
diagnose sys session filter dst 202.106.1.100
diagnose sys session clear
diagnose sniffer packet any "host 202.106.1.100 and icmp" 4

diagnose sys session filter proto 1
diagnose sys session filter d 202.106.1.100
diagnose sys session clear
diagnose debug flow filter addr 10.100.151.1
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable

diagnose sniffer packet any "host 111.204.123.112 or host 192.168.30.167 and !port 22345 and !port 44300" 4
diagnose sniffer packet any "host 114.114.114.114 and icmp" 4
diagnose sniffer packet any "host 111.204.123.112 and !port 22 and !port 45328" 4
diagnose sniffer packet any "port 161 and host 111.204.123.116 or host 192.168.168.1" 4

GUI optimisation script:

config system settings
    set inspection-mode flow
    set gui-multiple-utm-profiles enable
    set gui-allow-unnamed-policy enable
    set gui-multiple-interface-policy enable
end
config system global
    set admintimeout 30
    set language simch
    set timezone 55
    set revision-backup-on-logout enable
end

IPsec VPN blackhole route script (keeps private-range traffic from leaking out the default route while a tunnel is down):

config firewall address
    edit "Private_IP_10.0.0.0/8"
        set allow-routing enable
        set subnet 10.0.0.0 255.0.0.0
    next
    edit "Private_IP_172.16.0.0/12"
        set allow-routing enable
        set subnet 172.16.0.0 255.240.0.0
    next
    edit "Private_IP_192.168.0.0/16"
        set allow-routing enable
        set subnet 192.168.0.0 255.255.0.0
    next
end
config firewall addrgrp
    edit "LAN_Private_IP_Group"
        set member "Private_IP_10.0.0.0/8" "Private_IP_172.16.0.0/12" "Private_IP_192.168.0.0/16"
        set allow-routing enable
    next
end
config router static
    edit 0
        set distance 254
        set blackhole enable
        set dstaddr "LAN_Private_IP_Group"
    next
end

// Notes //
Using the sniffer capture command:
diagnose sniffer packet any "host 192.168.200.102 and icmp" 4
Note on sniffer captures: if the traffic has already been offloaded to the NP (network processor), the sniffer may not see it. To capture it reliably you may need to adjust NP offloading and clear the sessions that are already established.

Sniffer note 1: temporarily disable NP offloading on the policy that carries the relevant VPN traffic (re-enable it once the capture is done):

FGT # config firewall policy
FGT (policy) # edit 1   (assuming the ID of the relevant policy is 1)
FGT (1) # set auto-asic-offload disable
FGT (1) # end

All traffic matching that policy is then processed by the CPU, so the sniffer can capture the complete flow.

Sniffer note 2: sessions that are already established (and already being handled by the NP) will not be captured even after NP offloading is disabled. Filter those sessions out and clear them, so that they are re-created and the new packets are captured:

FGT # diagnose sys session filter dst 192.168.200.102   (filter by destination IP)
FGT # diagnose sys session filter proto 1   (filter by protocol; 1 = ICMP, which includes ping)
FGT # diagnose sys session clear   (clear the filtered sessions)
FGT # diagnose sys session filter clear   // clear the session filter conditions

FGT # diagnose sys session filter dst 192.168.200.102   (filter by destination IP)
FGT # diagnose sys session filter proto 6   (filter by protocol; 6 = TCP)
FGT # diagnose sys session filter dport 443   (filter by TCP port 443)
FGT # diagnose sys session clear   (clear the filtered sessions)

FGT # diagnose sys session filter src 192.168.200.102   (filter by source IP)
FGT # diagnose sys session filter proto 6   (filter by protocol; 6 = TCP)
FGT # diagnose sys session filter dport 443   (filter by TCP port 443)
FGT # diagnose sys session clear   (clear the filtered sessions)
FGT # diagnose sys session filter clear   // clear the session filter conditions

FGT # diagnose sys session filter dst 192.168.200.102   (filter by destination IP)
FGT # diagnose sys session filter proto 17   (filter by protocol; 17 = UDP)
FGT # diagnose sys session filter dport 500   (filter by UDP port 500)
FGT # diagnose sys session clear   (clear the filtered sessions)
FGT # diagnose sys session filter clear   // clear the session filter conditions

Finally start the capture. FortiGate capture commands:

FGT # diagnose sniffer packet any "host 192.168.200.102 and icmp" 4
FGT # diagnose sniffer packet any "host 218.203.193.18 and esp" 4
FGT # diagnose sniffer packet any "port 500 or port 4500 and host 1.1.1.1" 4
FGT # diagnose sniffer packet any "host 10.101.2.2 or host 111.204.123.112 and port 22" 4
FGT # diagnose sniffer packet any "host 60.31.254.5 and port 53" 4
FGT # diagnose sniffer packet any "host 192.168.118.57 and icmp" 4
FGT # diagnose sniffer packet any "port 9999" 4

Using Debug Flow: debug flow is used to trace how traffic passing through, or terminating on, the FortiGate is processed. When traffic does not get through, debug flow helps locate where it is dropped; it is a very useful traffic analysis tool.

Debug flow command reference:

#diagnose debug flow filter addr x.x.x.x   // filter on an IP address
#diagnose debug flow show console enable   // show the trace output on the console
#diagnose debug flow show function-name enable   // show the name of the functional module
#diagnose debug flow trace start 999   // start the debug flow trace and show 999 debug entries
#diagnose debug enable   // enable debug output
#diagnose debug flow trace stop   // stop the debug flow trace
#diagnose debug flow filter clear   // clear the filter conditions
#diagnose debug disable   // disable debug output
#diagnose debug reset   // reset all debug settings

The most important part is the debug flow filter. Examples:

1. Filter ping traffic
#diagnose debug flow filter proto 1
Change the proto value to filter the corresponding protocol: proto 1 is ICMP, proto 6 is TCP, proto 17 is UDP.

2. Filter ping traffic for one IP
#diagnose debug flow filter addr 192.168.1.100
#diagnose debug flow filter proto 1
Filters ping traffic for 192.168.1.100.

3. Filter on a port number
#diagnose debug flow filter port 8080
Filters traffic on port 8080.

4. Filter port 8080 traffic for one IP
#diagnose debug flow filter addr 192.168.1.100
#diagnose debug flow filter port 8080
Filters port 8080 traffic for 192.168.1.100.

5. Filter on source port / destination port
#diagnose debug flow filter sport 80   -----> filter source port 80
#diagnose debug flow filter dport 25   -----> filter destination port 25

6. Filter on source IP / destination IP
#diagnose debug flow filter saddr x.x.x.x   -----> filter source IP x.x.x.x
#diagnose debug flow filter daddr y.y.y.y   -----> filter destination IP y.y.y.y

Common debug flow example 1: capture ICMP traffic for 10.10.10.100
diagnose debug flow filter addr 101.231.244.193
diagnose debug flow filter proto 1
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable

Common debug flow example 2: capture TCP port 10443 traffic for 10.10.10.100
diagnose debug flow filter addr 10.10.10.100
diagnose debug flow filter proto 6
diagnose debug flow filter port 10443
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable

Common debug flow example 3: capture UDP port 500 traffic for 10.10.10.100
diagnose debug flow filter addr 10.10.10.100
diagnose debug flow filter proto 17
diagnose debug flow filter port 500
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable

Common copy-and-paste debug flow scripts (each clears the matching sessions first so that offloaded sessions are re-created and traced):

diagnose sys session filter dst 10.3.10.1
diagnose sys session filter proto 1
diagnose sys session clear
diagnose debug flow filter addr 10.3.10.1
diagnose debug flow filter proto 1
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable

diagnose sys session filter dst 10.255.16.114
diagnose sys session clear
diagnose debug flow filter addr 10.255.16.114
diagnose debug flow filter proto 6
diagnose debug flow filter port 443
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable

// diagnose debug flow filter port 53
diagnose debug flow filter proto 17
diagnose debug flow filter port 80

// diagnose debug flow filter addr 103.17.88.71
diagnose debug flow filter proto 6
diagnose debug flow filter port 57720
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable

diagnose sys session filter src 172.40.1.252
diagnose sys session clear
diagnose debug flow filter addr 124.89.90.125
diagnose debug flow filter proto 17
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable

diagnose sys session filter dst 116.90.243.115
diagnose sys session clear
diagnose debug flow filter addr 222.92.132.166
diagnose debug flow filter proto 6
diagnose debug flow filter port 3134
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 6
diagnose debug enable

diagnose debug flow filter addr 192.168.1.1
diagnose debug flow filter proto 17
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 6
diagnose debug enable

diagnose sys session filter src 172.40.1.252
diagnose sys session clear
diagnose sys session filter policy 5
diagnose sys session list

diagnose debug flow filter addr 58.18.31.148
diagnose debug flow filter proto 17
diagnose debug flow filter port 161
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable

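The page shows how to start a trace but not how to read one, so here is an added example (not from the original page) that summarises debug flow output per trace_id: the 5-tuple from the "received a packet" line, the egress interface from "find a route", and the verdict from fw_forward_handler. The sample lines are constructed in the id=/trace_id=/func=/msg= shape; the exact msg wording varies between FortiOS versions, so the regular expressions are assumptions to check against a real trace.

```python
"""Summarise FortiGate `diagnose debug flow` trace output per trace_id.

Added example, not from the original page. SAMPLE_TRACE is constructed to
match the key=value shape of debug flow output and is not a real capture.
"""
import re

# Constructed sample: two traced packets, one allowed by policy 5,
# one denied by the implicit deny policy (policy 0).
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.0.1.10:51234->203.0.113.20:443) from port1. flag [S], seq 1234567, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5520 msg="allocate a new session-00001a2b"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=1 func=fw_forward_handler line=771 msg="Allowed by Policy-5: SNAT"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=17, 10.0.1.10:5353->10.0.2.5:161) from port1. "
id=20085 trace_id=2 func=init_ip_session_common line=5520 msg="allocate a new session-00001a2c"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2583 msg="find a route: flag=00000000 gw-10.0.2.5 via port2"
id=20085 trace_id=2 func=fw_forward_handler line=739 msg="Denied by forward policy check (policy 0)"
"""

# One debug flow line: we only need the trace id and the quoted msg.
LINE_RE = re.compile(r'trace_id=(?P<trace>\d+)\s+func=\S+.*?msg="(?P<msg>.*)"\s*$')
PKT_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), '
    r'(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<iface>\S+)\.')
ROUTE_RE = re.compile(r'find a route: .*? via (?P<iface>\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<policy>\d+)')
DENY_RE = re.compile(r'Denied by (?P<reason>.*?)(?: \(policy (?P<policy>\d+)\))?$')
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_debug_flow(text):
    """Return {trace_id: summary dict} in the order the traces first appear."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # not a debug flow line (prompt, blank line, ...)
        t = traces.setdefault(m.group("trace"), {"verdict": "no verdict", "policy": None})
        msg = m.group("msg")
        pkt = PKT_RE.search(msg)
        if pkt:
            proto = int(pkt.group("proto"))
            t.update(proto=PROTO_NAMES.get(proto, str(proto)), src=pkt.group("src"),
                     sport=int(pkt.group("sport")), dst=pkt.group("dst"),
                     dport=int(pkt.group("dport")), in_iface=pkt.group("iface"))
            continue
        route = ROUTE_RE.search(msg)
        if route:
            t["out_iface"] = route.group("iface")
            continue
        allow = ALLOW_RE.search(msg)
        if allow:
            t["verdict"], t["policy"] = "allowed", int(allow.group("policy"))
            continue
        deny = DENY_RE.search(msg)
        if deny:
            t["verdict"] = "denied: " + deny.group("reason")
            t["policy"] = int(deny.group("policy")) if deny.group("policy") else None
    return traces


def format_summary(traces):
    """One line per trace: id, 5-tuple, ingress->egress interface, verdict and policy."""
    lines = []
    for tid, t in traces.items():
        path = "%s->%s" % (t.get("in_iface", "?"), t.get("out_iface", "?"))
        flow = "%s %s:%s -> %s:%s" % (t.get("proto", "?"), t.get("src", "?"), t.get("sport", "?"),
                                      t.get("dst", "?"), t.get("dport", "?"))
        pol = " (policy %d)" % t["policy"] if t["policy"] is not None else ""
        lines.append("%s %s %s %s%s" % (tid, flow, path, t["verdict"], pol))
    return lines


if __name__ == "__main__":
    for line in format_summary(parse_debug_flow(SAMPLE_TRACE)):
        print(line)
```

Paste a real trace into SAMPLE_TRACE (or read it from a file) and the summary shows at a glance which policy each flow hit, or that it was dropped before reaching one.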
High CPU/MEM: viewing processes, and temporarily killing a process:

diag sys top-summary
diagnose sys top 5 33
diagnose sys kill 9 <PID>

Troubleshooting an IPsec VPN tunnel that will not come up:

First, use the sniffer to confirm that UDP 500/4500 traffic flows in both directions:

diagnose sniffer packet any "host 116.6.100.241 and ( port 500 or port 4500)" 4
diagnose sniffer packet any "host 202.106.1.35 and ( port 500 or port 4500)" 4   // replace the IP with the peer's public IP

UDP 500 and UDP 4500 are the ports used by IKE, the IPsec VPN negotiation protocol. They must be reachable in both directions, otherwise the VPN cannot be established. Confirm this before moving on to the next step.

Then use the logs and debug app ike to determine whether the problem is in phase 1 or phase 2:

diagnose vpn ike log-filter name ipsec_wuxian1   // phase 1 name
diagnose vpn ike log-filter dst-addr4 124.65.148.86   // replace the IP with the peer's public IP
diagnose debug application ike -1
diagnose debug enable

Caution: while running debug app ike, do not initiate the connection yourself; turn off phase 1 / phase 2 auto-negotiation.

Note 1: you may need to disable phase 1 and phase 2 auto-negotiation. On 5.6 and later, a single command stops the unit from initiating IKE requests altogether:

config vpn ipsec phase1-interface
    edit VPN-P1   (phase 1 name)
        set passive-mode enable   // never initiate IKE requests, even when triggered by traffic
    next
end

On older versions (5.2/5.4), phase 1 and phase 2 auto-negotiation must be disabled separately:

BJLab-240D # config vpn ipsec phase1-interface
BJLab-240D (phase1-interface) # edit VPN-P1   (phase 1 name)
BJLab-240D (VPN) # set auto-negotiate disable
BJLab-240D (VPN) # end
BJLab-240D # config vpn ipsec phase2-interface
BJLab-240D (phase1-interface) # edit VPN-P2   (phase 2 name)
BJLab-240D (VPN) # set auto-negotiate disable
BJLab-240D (VPN) # end

Note 2: sometimes the IPsec VPN connections need to be reset (use with care: every VPN will renegotiate IKE; normally this is not needed):

diagnose vpn ike restart   // actively re-initiate the connections
diagnose vpn tunnel reset   // reset phase 2
diagnose vpn ike restart
diagnose vpn ike gateway clear

Resetting IPsec VPN tunnels when VDOMs are in use:

FG200D4615810562 # config vdom
FG200D4615810562 (vdom) # edit root
FG200D4615810562 (root) # diagnose vpn tunnel reset
FG200D4615810562 (root) # diagnose vpn ike restart

Commands to check IPsec VPN status:

diagnose vpn ike gateway list
diagnose vpn tunnel list

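To answer the "does it flow in both directions" question from the sniffer notes and the IPsec step above mechanically, an added example that is not part of the original page: it parses verbosity-4 sniffer lines and reports, per exchange (IKE on UDP 500/4500, ICMP echo), how many packets went to the peer and how many came back. SAMPLE_CAPTURE is constructed in the verbosity-4 line shape (<time> <iface> <in|out> <src>.<port> -> <dst>.<port>: <info>) and is not a real capture.

```python
"""Check whether a FortiGate `diagnose sniffer packet ... 4` capture shows
traffic in both directions for a peer (IKE on UDP 500/4500, ICMP echo).

Added example, not from the original page. SAMPLE_CAPTURE is constructed
in the verbosity-4 line shape, not a real capture.
"""
import re
from collections import defaultdict

SAMPLE_CAPTURE = """\
interfaces=[any]
filters=[host 203.0.113.10 and (port 500 or port 4500 or icmp)]
0.102311 wan1 out 198.51.100.2.500 -> 203.0.113.10.500: udp 392
0.103004 wan1 out 198.51.100.2.500 -> 203.0.113.10.500: udp 392
1.204711 wan1 in 203.0.113.10.500 -> 198.51.100.2.500: udp 312
1.206990 wan1 out 198.51.100.2.4500 -> 203.0.113.10.4500: udp 248
2.310553 wan1 out 198.51.100.2 -> 203.0.113.10: icmp: echo request
2.311002 wan1 out 198.51.100.2 -> 203.0.113.10: icmp: echo request
"""

# Ports are optional because ICMP lines carry bare addresses.
PKT_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+'
    r'(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+->\s+'
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s+(?P<info>.*)$')


def parse_sniffer(text):
    """Return one dict per packet line; the interfaces=/filters= header lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        info = d["info"]
        if info.startswith("icmp"):
            d["proto"] = "icmp"
        elif info.startswith("udp"):
            d["proto"] = "udp"
        else:
            d["proto"] = "tcp"  # verbosity 4 prints the TCP flags (syn, ack, psh ...) here
        pkts.append(d)
    return pkts


def flow_key(pkt, peer):
    """Name the exchange this packet belongs to with `peer`, or None if unrelated."""
    if peer not in (pkt["src"], pkt["dst"]):
        return None
    # The peer-side port identifies the exchange regardless of direction.
    peer_port = pkt["dport"] if pkt["dst"] == peer else pkt["sport"]
    if pkt["proto"] == "icmp":
        return "icmp-echo"
    if pkt["proto"] == "udp" and peer_port in ("500", "4500"):
        return "ike-udp%s" % peer_port
    return "%s-%s" % (pkt["proto"], peer_port)


def direction_report(pkts, peer):
    """Per exchange, count packets sent to the peer and received from it."""
    counts = defaultdict(lambda: {"to_peer": 0, "from_peer": 0})
    for p in pkts:
        key = flow_key(p, peer)
        if key is None:
            continue
        counts[key]["to_peer" if p["dst"] == peer else "from_peer"] += 1
    return dict(counts)


def one_way_exchanges(report):
    """Exchanges where only our own packets appear: the 'IKE never answered' symptom."""
    return sorted(k for k, v in report.items() if v["to_peer"] and not v["from_peer"])


if __name__ == "__main__":
    rep = direction_report(parse_sniffer(SAMPLE_CAPTURE), "203.0.113.10")
    for name, c in sorted(rep.items()):
        print("%-12s to_peer=%d from_peer=%d" % (name, c["to_peer"], c["from_peer"]))
    print("one-way:", one_way_exchanges(rep))
```

With the constructed sample, UDP 500 is answered but UDP 4500 and ICMP are not, which points at a filter on the path before any IKE debugging is worthwhile.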
Common debug application commands:

L2TP VPN debug:
diagnose debug application l2tp -1
diagnose debug enable

SSL VPN debug:
diagnose debug application sslvpn -1
diagnose debug enable

IPsec VPN debug:
# diagnose debug console timestamp enable
# diagnose debug application ike -1
# diagnose debug enable
# diagnose debug application ike 0   // turn off debug
# diagnose debug disable   // turn off debug
# diagnose debug reset   // turn off debug

RADIUS/TACACS+ authentication debug:
diagnose test authserver radius radius-server user 1 123456
diagnose test authserver tacacs+ tacacs-server user1 123456
diagnose debug application fnbamd -1
diagnose debug enable

LDAP authentication debug:
diagnose test authserver ldap ldap-server user1 123456
diagnose debug application fnbamd -1
diagnose debug enable

FortiGuard update debug:
execute update-now
diagnose debug application update -1
diagnose debug enable

Turning debug off:
# diagnose debug disable
# diagnose debug reset

Checking interface errors and interface MAC addresses:

# diagnose netlink device list
# get hardware nic wan1
Driver Name :Fortinet NP4Lite
Driver Version :1.0.1
Admin :up
Current_HWaddr 08:5b:0e:6f:d9:76
Permanent_HWaddr 08:5b:0e:6f:d9:76
Status :up
Speed :100
Duplex :Full
Host Rx Pkts :3095836
Host Rx Bytes :432192732
Host Tx Pkts :773199
Host Tx Bytes :125268953
Rx Pkts :4389000
Rx Bytes :1112122188
Tx Pkts :1888066
Tx Bytes :251656337
rx_buffer_len :2048
Hidden :No
cmd_in_list : 0
promiscuous : 1
enabled 802.1x : 0
authorized : 0
mac bypass : 0

L2TP/PPTP VPN configuration script:

config vpn l2tp
    set status enable
    set eip 172.16.252.254
    set sip 172.16.252.200
    set usrgrp "Guest-group"
end
config vpn pptp
    set status enable
    set eip 172.16.253.254
    set sip 172.16.253.200
    set usrgrp "Guest-group"
end
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config user local
    edit "guest"
        set type password
        set passwd 1q2w3e4r
    next
end

L2TP over IPsec configuration script:

config vpn l2tp
    set status enable
    set eip 172.16.254.254
    set sip 172.16.254.200
    set usrgrp "Guest-group"
end
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config user local
    edit "guest"
        set type password
        set passwd 1q2w3e4r
    next
end
config vpn ipsec phase1-interface
    edit "L-O-I"
        set type dynamic
        set interface "port1"
        set keylife 3600
        set peertype any
        set psksecret 1q2w3e4r
    next
end
config vpn ipsec phase2-interface
    edit "L-O-I"
        set phase1name "L-O-I"
        set pfs disable
        set encapsulation transport-mode
        set l2tp enable
        set keylifeseconds 3600
    next
end
config firewall policy
    edit 0
        set name "L2TP_Over_IPsec"
        set srcintf "L-O-I"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

Checking the OS images in the device flash, and commonly used system commands:

When upgrading, the pre-upgrade firmware and configuration are kept in the inactive partition (the one whose 'Active' column reads 'No').

FGT90D3Z14014233 # diagnose sys flash list   // shows which partition holds the running firmware and configuration
Partition  Image                            TotalSize(KB)  Used(KB)  Use%  Active
1          FGT90D-5.04-FW-build1011-151221  253871         37344     15%   No
2          FGT90D-5.02-FW-build701-151203   253871         33078     13%   Yes
3          ETDB-1.00000                     1388840        4456      0%    No
Image build at Dec 3 2015 04:50:38 for b0701
FGT90D3Z14014233 #

In the "Partition" column, 1 is the primary partition and 2 is the secondary partition. In the "Active" column, "Yes" marks the firmware and configuration partition used at each boot.

FGT90D3Z14014233 # exec set-next-reboot ?
<primary/secondary>    partition
FGT90D3Z14014233 # exec set-next-reboot primary   (or secondary; which one to enter depends on the situation)   ; sets the boot partition to primary (partition 1)
FGT90D3Z14014233 # exec reboot   ; reboots with the firmware and configuration from the primary partition (partition 1), i.e. rolls back to the pre-upgrade version and configuration

BJFG300D # get system admin list
username  local  device                          vdom  profile      remote                 started
admin     ssh    SE25(FSW):60.247.121.248:22     root  super_admin  192.168.118.25:51208   2016-12-02 09:57:15

FG100D3G13828247 # diagnose sys tcpsock
0.0.0.0:10400->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:10401->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:10402->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0

FG100D3G13828247 # diagnose hardware deviceinfo disk
Disk Internal ref: 255 29.8GB type: SSD [ATA 32GB SATA Flash] dev: /dev/sda
Disk SYSTEM(boot) ref: 1.9GB type: USB [FORTINET 67_V060324_002] dev: /dev/sdb
partition ref: 247.0MB, 208.0MB free mounted: N label: dev: /dev/sdb1(boot) start: 0
partition ref: 247.0MB, 197.0MB free mounted: Y label: dev: /dev/sdb2(boot) start: 0
partition ref: 19 1.3GB, 1.3GB free mounted: Y label: 0BEC4ED9705DC13A dev: /dev/sdb3 start: 0
Total available disks: 2 Max SSD disks: 1 Available storage disks: 0

# diag hardware smartctl /dev/sda -a   // check flash wear

To assess the load on a 100D, record the output of the following commands:
get sys status
get sys perf status   (run 5 times)
get hard status
exec disk list
sho log disk set
sho log disk filter
diag sys session full-stat   (run 5 times)
diag sys top   (run for 1 minute)
diag vpn tunnel list

# get hardware status
# get system status
# get system performance status
# diagnose sys flash list
# diagnose autoupdate versions
# diagnose hardware sysinfo memory
# diagnose hardware sysinfo shm
# diagnose debug crashlog read
# diagnose hardware deviceinfo disk
# diagnose sys session stat
# diagnose sys top 5 40   (press "q" to quit the sys top)
# diagnose sys top-summary   (press "q" to quit the sys top)
# get hardware memory
# diagnose hardware sysinfo memory
# diag hardware sysinfo slab
# fnsysctl df -h
# execute log delete-all

link-monitor configuration (the gateway detection feature in FOS 5.4):

config system link-monitor
    edit "LT"
        set srcintf "wan1"
        set server 222.249.171.217
        set gateway-ip 222.249.171.217
        set interval 3
    next
end

Commands for locating IPS process problems:

2) Enable memory tracking.
diag ips memory track-size 1536 1792
diag ips memory track enable

3) Run the following commands:
get sys status
diag autoupdate version
get sys per status
diag sys top-summary "-n 30 -i 5 -s mem"
diag sys top 99 5
diag hard sys mem
diag hard sys shm
diag hardware sysinfo slab
diag ips memory status
diag ips memory track-print
diag ips session content
diag ips session performance
diag ips session status
diag ips session content
diagnose ips raw status
diag test application ipsmonitor 3
diag test application ipsmonitor 1

Please also collect the output of these diagnose commands:
# fnsysctl df -h

Find the process id of the ips engine daemon, then run these commands:
# fnsysctl cat /proc/[process id]/status
# fnsysctl cat /proc/[process id]/maps
# fnsysctl cat /proc/[process id]/smaps
# fnsysctl cat /proc/[process id]/statm

Using grep to filter command-line output (-f shows the surrounding configuration block of each match):

FGVM000000091991 # show full-configuration | grep 10000
set database-overflow-max-lsas 10000
FGVM000000091991 # show full-configuration | grep -f 10000
config router ospf
    set abr-type standard
    set auto-cost-ref-bandwidth 1000
    set bfd disable
    set database-overflow disable
    set database-overflow-max-lsas 10000    <---
    set database-overflow-time-to-recover 300
    set default-information-metric 10
    set default-information-metric-type 2
    set default-information-originate disable
    set default-information-route-map ''
    set default-metric 10
    set distance 110
    set distance-external 110
    set distance-inter-area 110
    set distance-intra-area 110
    set distribute-list-in ''
    set restart-mode none
    set restart-period 120
    set rfc1583-compatible disable
    set router-id 0.0.0.0
    set spf-timers 5 10
end

Common troubleshooting commands for high CPU/MEM:

# get system status
# get system performance status
# diagnose hardware sysinfo memory
MemTotal: 995012 kB
MemFree: 376716 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 995012 kB
LowFree: 376716 kB

# diagnose hardware sysinfo slab
kmem_cache 80 80 248 5 5 1 0 : 252 126
tcp_session 106 416 960 45 104 1 622 : 124 62
ip_session 98 148 896 37 37 1 1024 : 124 62
tcp_open_request 20 20 192 1 1 1 38 : 252 126
ip_dst_cache 126 312 320 26 26 1 195 : 124 62
ip_fib_hash 23 112 32 1 1 1 0 : 252 126
arp_cache 15 15 256 1 1 1 0 : 252 126

# diagnose sys top 10
Run Time: 1 days, 18 hours and 55 minutes
1U, 0N, 0S, 99I; 3951T, 2633F
ipsengine 453 S < 0.9 1.8
ipsengine 454 S < 0.4 1.8
reportd 81 S 0.0 3.5
miglogd 64 S 0.0 1.5
miglogd 118 S 0.0 1.1
pyfcgid 6619 S 0.0 0.8
pyfcgid 6620 S 0.0 0.8
pyfcgid 6621 S 0.0 0.8
pyfcgid 6617 S 0.0 0.8
httpsd 5319 S 0.0 0.7
cmdbsvr 45 S 0.0 0.7
newcli 6594 S 0.0 0.7
httpsd 6390 S 0.0 0.6
ipshelper 75 S < 0.0 0.6
httpsd 66 S 0.0 0.5
wad 404 S 0.0 0.5
httpsd 116 S 0.0 0.5
newcli 6624 R 0.0 0.4
newcli 6592 S 0.0 0.4
forticron 76 S 0.0 0.4

Columns: process name, PID, state, CPU%, MEM%.
Shift + P sorts by CPU usage; Shift + M sorts by memory usage; Ctrl + C exits.

FG200D3915803188 # diagnose sys top-summary
CPU [||||||||||||||||||||                    ]  50.0%
Mem [|||||||||||||                           ]  34.0%  1353M/3951M
Processes: 20 (running=1 sleeping=96)
  PID      RSS  ^CPU%   MEM%   FDS     TIME+  NAME
* 400      17M    0.0    0.4    30  00:01.50  scanunitd [x3]
  401      14M    0.0    0.4    19  00:00.60  urlfilter
  670      12M    0.0    0.3    14  00:00.10  ovrd
   35       3M    0.0    0.1     5  00:00.00  mrvl3135_worker
   45      29M    0.0    0.7    12  00:35.18  cmdbsvr
   51      13M    0.0    0.3    89  00:01.10  zebos_launcher [x12]
 6332      11M    0.0    0.3    35  00:00.00  iked
   63      12M    0.0    0.3    12  00:00.00  uploadd
   64      60M    0.0    1.5    55  00:38.76  miglogd [x2]
   65      12M    0.0    0.3     8  00:00.00  kmiglogd
   66      34M    0.0    0.9    19  00:05.30  httpsd [x4]
   68      12M    0.0    0.3     8  00:00.00  getty
   69     147M    0.0    3.7   107  13:55.58  ipsmonitor [x4]
   72      12M    0.0    0.3    11  00:00.00  merged_daemons
   73      13M    0.0    0.3    12  00:00.10  fnbamd
   74      12M    0.0    0.3    12  00:00.20  fclicense
   76      17M    0.0    0.4    22  00:00.20  forticron
   77      14M    0.0    0.4    15  00:00.98  forticldd
   78      13M    0.0    0.4    39  00:00.19  authd [x3]
   79      13M    0.0    0.3    19  00:00.00  foauthd

FG200D3915803188 # diagnose sys top-summary "-n 100"
CPU [||||||||||||||||||||                    ]  50.0%
Mem [|||||||||||||                           ]  34.0%  1353M/3951M
Processes: 46 (running=1 sleeping=96)
  PID      RSS  ^CPU%   MEM%   FDS     TIME+  NAME
* 400      17M    0.0    0.4    30  00:01.50  scanunitd [x3]
  401      14M    0.0    0.4    19  00:00.60  urlfilter
  670      12M    0.0    0.3    14  00:00.10  ovrd
   35       3M    0.0    0.1     5  00:00.00  mrvl3135_worker
   45      29M    0.0    0.7    12  00:35.18  cmdbsvr
   51      13M    0.0    0.3    89  00:01.10  zebos_launcher [x12]
 6332      12M    0.0    0.3    35  00:00.00  iked
   63      12M    0.0    0.3    12  00:00.00  uploadd
   64      60M    0.0    1.5    55  00:38.76  miglogd [x2]
   65      12M    0.0    0.3     8  00:00.00  kmiglogd
   66      34M    0.0    0.9    19  00:05.40  httpsd [x4]
   68      12M    0.0    0.3     8  00:00.00  getty
   69     147M    0.0    3.7   107  13:56.40  ipsmonitor [x4]
   72      12M    0.0    0.3    11  00:00.00  merged_daemons
   73      13M    0.0    0.3    12  00:00.10  fnbamd
   74      12M    0.0    0.3    12  00:00.20  fclicense
   76      17M    0.0    0.4    22  00:00.20  forticron
   77      14M    0.0    0.4    15  00:00.98  forticldd
   78      13M    0.0    0.4    39  00:00.19  authd [x3]
   79      13M    0.0    0.3    19  00:00.00  foauthd
   80      12M    0.0    0.3     9  00:00.12  httpclid
   81     140M    0.0    3.6    16  00:12.38  reportd
   83      14M    0.0    0.4    32  00:00.10  voipd
  399      22M    0.0    0.6   606  07:35.60  wad [x3]
  398      12M    0.0    0.3    48  00:00.25  proxyd [x2]
   88      14M    0.0    0.4    13  00:35.36  updated
 6617      48M    0.0    1.2    13  00:00.44  pyfcgid [x5]
   91      13M    0.0    0.3    13  00:00.37  snmpd
   92      13M    0.0    0.3    21  00:00.60  dhcpd
   94      12M    0.0    0.3    16  00:00.60  ntpd
   95      44M    0.0    1.1    19  00:01.23  sshd [x6]
   96      12M    0.0    0.3    10  00:00.00  telnetd
   97      12M    0.0    0.3    13  00:00.80  quard
   98      12M    0.0    0.3    10  00:00.30  alertmail
   99      14M    0.0    0.4    28  00:09.36  dnsproxy
  103      13M    0.0    0.3    11  00:00.20  eap_proxy
  104      16M    0.0    0.4    16  00:00.10  fgfmd
  105      16M    0.0    0.4    23  00:00.90  cw_acd
  108      12M    0.0    0.3    12  00:00.00  wpad_ac
  109      12M    0.0    0.3    13  00:00.10  fortilinkd
  110      14M    0.0    0.4    19  00:00.50  cu_acd
  111      12M    0.0    0.3    11  00:00.10  swctrl_authd
  112      12M    0.0    0.3    13  00:00.00  flcfgd
  113     764K    0.0    0.0    13  00:00.00  usbmuxd
  114      12M    0.0    0.3    11  00:00.00  fsd
  115      12M    0.0    0.3    11  00:00.00  radius-das

FG200D3915803188 # diagnose sys top-summary "-s mem -i 60 -n 10"
CPU [||||||||||||||||||||                    ]  50.0%
Mem [|||||||||||||                           ]  34.0%  1368M/3951M
Processes: 10 (running=1 sleeping=96)
  PID      RSS   CPU%  ^MEM%   FDS     TIME+  NAME
*  69     147M    0.0    3.7   107  14:00.60  ipsmonitor [x4]
   81     140M    0.0    3.6    16  00:12.43  reportd
   64      60M    0.0    1.5    55  00:38.97  miglogd [x2]
 6617      56M    0.0    1.4    13  00:00.73  pyfcgid [x5]
   95      44M    0.0    1.1    19  00:01.31  sshd [x6]
   66      34M    0.0    0.9    19  00:05.27  httpsd [x4]
   45      29M    0.0    0.7    12  00:35.18  cmdbsvr
  399      22M    0.0    0.6   536  07:36.87  wad [x3]
  400      17M    0.0    0.4    30  00:01.50  scanunitd [x3]
   76      17M    0.0    0.4    22  00:00.20  forticron

# diagnose hardware sysinfo shm
SHM counter: 62032
SHM allocated: 38210422
SHM total: 3637624832
conservemode: 0
shm last entered: n/a
system last entered: n/a
SHM FS total: 3715198976
SHM FS free: 3675385856
SHM FS avail: 3675385856
SHM FS alloc: 39813120

conservemode values: 0 = no system/proxy conserve mode | 1 = proxy conserve mode | 2 = system/kernel conserve mode

2 System/Kernel conserve mode thresholds:
MEM LowTotal < 1GB: Red: LowFree < 20% of LowTotal; Green: LowFree > 30% of LowTotal
MEM LowTotal >= 1GB: Red: LowFree = 200M; Green: LowFree = 300M
Actions: proxies are bypassed; the FortiGate configuration cannot be changed.
1 Proxy conserve mode

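Because kernel conserve mode bypasses the proxies (the "Actions" line above), it is worth detecting from the memory counters before it shows up as missing AV or web-filter verdicts. The following added example (not from the original page) parses `diagnose hardware sysinfo memory` output and applies the thresholds quoted above; reading the 1 GB figures as "red below 200 MB free, green above 300 MB free", with the band in between keeping whatever state the unit is already in, is this example's own interpretation.

```python
"""Evaluate FortiGate kernel conserve-mode state from `diagnose hardware sysinfo memory`
output using the thresholds quoted on this page.

Added example, not from the original page. Interpretation assumed here:
LowTotal < 1 GB  -> red when LowFree < 20% of LowTotal, green when > 30%
LowTotal >= 1 GB -> red when LowFree < 200 MB, green when > 300 MB
Between red and green the unit keeps its current state (hysteresis).
"""
import re

# Sample taken from the page's own `diagnose hardware sysinfo memory` listing.
SAMPLE_GREEN = """\
MemTotal: 995012 kB
MemFree: 376716 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 995012 kB
LowFree: 376716 kB
"""

# Constructed sample: a larger box with almost no low memory left.
SAMPLE_RED = """\
MemTotal: 3951000 kB
MemFree: 150000 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 3951000 kB
LowFree: 150000 kB
"""

KB_RE = re.compile(r'^(?P<key>\w+):\s+(?P<val>\d+)\s+kB$')
ONE_GB_KB = 1024 * 1024
MB_KB = 1024


def parse_meminfo(text):
    """Return {field: kilobytes} for every 'Name: N kB' line; LowTotal/LowFree are required."""
    fields = {}
    for line in text.splitlines():
        m = KB_RE.match(line.strip())
        if m:
            fields[m.group("key")] = int(m.group("val"))
    for required in ("LowTotal", "LowFree"):
        if required not in fields:
            raise ValueError("missing %s in sysinfo memory output" % required)
    return fields


def thresholds_kb(low_total_kb):
    """(red_kb, green_kb): conserve mode is entered below red and left above green."""
    if low_total_kb < ONE_GB_KB:
        return low_total_kb * 20 // 100, low_total_kb * 30 // 100
    return 200 * MB_KB, 300 * MB_KB


def conserve_state(fields, currently_in_conserve=False):
    """'red' (enter or stay in conserve mode), 'green' (normal), or 'amber'
    (between the thresholds while not yet in conserve mode)."""
    red_kb, green_kb = thresholds_kb(fields["LowTotal"])
    free = fields["LowFree"]
    if free < red_kb:
        return "red"
    if free > green_kb:
        return "green"
    return "red" if currently_in_conserve else "amber"


def describe(text, currently_in_conserve=False):
    """Human-readable one-liner for a monitoring check or ticket."""
    f = parse_meminfo(text)
    red_kb, green_kb = thresholds_kb(f["LowTotal"])
    state = conserve_state(f, currently_in_conserve)
    pct = 100.0 * f["LowFree"] / f["LowTotal"]
    return "%s: LowFree %d kB (%.1f%% of LowTotal), red<%d kB green>%d kB" % (
        state, f["LowFree"], pct, red_kb, green_kb)


if __name__ == "__main__":
    print(describe(SAMPLE_GREEN))
    print(describe(SAMPLE_RED))
```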
# get system arp
# get system performance firewall statistics
# get system performance firewall packet-distribution
# get system session status
# get system session list

Configuring FortiManager management:

config system central-management
    set type fortimanager
    set fmg "192.168.147.250"
    set fmg-source-ip 101.1.1.2
end

Most commonly used FGT commands:

# config system global
# set hostname "FGT-Master"   // device name
# set language simch   // switch the language to Simplified Chinese
# set timezone 55   // set the timezone to GMT+8
# set tcp-halfclose-timer 120   // adjust the TCP half-close idle timeout
# set tcp-halfopen-timer 10
# set tcp-timewait-timer 1
# set udp-idle-timer 180   // adjust the UDP session idle timeout
# end
# config system session-ttl   // adjust the idle timeout of established TCP sessions
# set default 3600
# end
# get system status   // show system status
# get router info routing-table all   // show the routing table
# get system arp   // show the ARP table
# diagnose ip address list   // list interface IP addresses
# get system performance status   // show device performance (CPU/MEM/new sessions/concurrent sessions)
# get system performance top   // show the top running processes

config ips global
    set sync-session-ttl disable
end
config system npu
    set dedicated-management-cpu enable
    set np6-cps-optimization-mode disable   // With a single physical (multi-core) CPU, enabling this optimisation raises performance by about 30%; with several physical CPUs it is not recommended in real deployments. It improves the CPU's session setup (CPS) capacity.
end

NGFW optimisation note: IPS/AV cannot mix proxy-based and flow-based inspection.

Password recovery (console login): user maintainer, password bcpbFG900D3917800436 / bcpbFG1K2D3I17800162 (the serial numbers of the two units in question).

Packet reordering: the following command was enabled: set delay-tcp-npu-session enable

config firewall policy
    edit 141
        set srcintf "VLAN4" "VLAN1010" "VLAN3000"
        set dstintf "VLAN3"
        set srcaddr "192.168.121.187"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set delay-tcp-npu-session enable
        set nat enable
        set ippool enable
        set poolname "58.213.19.157"
    next
end

FG100E4Q16003872 # get sys perf stat
CPU states: 2% user 2% system 0% nice 96% idle 0% iowait 0% irq 0% softirq
CPU0 states: 4% user 2% system 0% nice 94% idle 0% iowait 0% irq 0% softirq
CPU1 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU2 states: 6% user 5% system 0% nice 89% idle 0% iowait 0% irq 0% softirq
CPU3 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
Memory: 3112996k total, 1182116k used (37%), 1857320k free (59%), 73560k freeable (2%)
Average network usage: 317 / 284 kbps in 1 minute, 293 / 206 kbps in 10 minutes, 220 / 63 kbps in 30 minutes
Average sessions: 364 sessions in 1 minute, 279 sessions in 10 minutes, 145 sessions in 30 minutes
Average session setup rate: 26 sessions per second in last 1 minute, 18 sessions per second in last 10 minutes, 6 sessions per second in last 30 minutes
Average NPU sessions: 0 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
Average nTurbo sessions: 0 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 4 days, 11 hours, 14 minutes

Changing interface MTU / TCP MSS

Check interface MTU:
diagnose netlink interface list | grep mtu

FG100E4Q16003872 # diagnose netlink interface list | grep mtu
if=lo family=00 type=772 index=1 mtu=16436 link=0 master=0
if=dummy0 family=00 type=1 index=2 mtu=1500 link=0 master=0
if=nturbo_rx family=00 type=1 index=3 mtu=1500 link=0 master=0
if=nturbo_tx family=00 type=1 index=4 mtu=1500 link=0 master=0
if=dmz family=00 type=1 index=5 mtu=1500 link=0 master=0
if=mgmt family=00 type=1 index=6 mtu=1500 link=0 master=0
if=wan1 family=00 type=1 index=7 mtu=1500 link=0 master=0
if=wan2 family=00 type=1 index=8 mtu=1500 link=0 master=0
if=ha1 family=00 type=1 index=9 mtu=1500 link=0 master=0
if=ha2 family=00 type=1 index=10 mtu=1500 link=0 master=0
if=port1 family=00 type=1 index=11 mtu=1500 link=0 master=32
if=port2 family=00 type=1 index=12 mtu=1500 link=0 master=32
if=port3 family=00 type=1 index=13 mtu=1500 link=0 master=0
if=port4 family=00 type=1 index=14 mtu=1500 link=0 master=0
if=port5 family=00 type=1 index=15 mtu=1500 link=0 master=0
if=port6 family=00 type=1 index=16 mtu=1500 link=0 master=0
if=port7 family=00 type=1 index=17 mtu=1500 link=0 master=0
if=port8 family=00 type=1 index=18 mtu=1500 link=0 master=0
if=port9 family=00 type=1 index=19 mtu=1500 link=0 master=0
if=port10 family=00 type=1 index=20 mtu=1500 link=0 master=0
if=port11 family=00 type=1 index=21 mtu=1500 link=0 master=0
if=port12 family=00 type=1 index=22 mtu=1500 link=0 master=0
if=port13 family=00 type=1 index=23 mtu=1500 link=0 master=0
if=port14 family=00 type=1 index=24 mtu=1500 link=0 master=0
if=port15 family=00 type=1 index=25 mtu=1500 link=0 master=0
if=port16 family=00 type=1 index=26 mtu=1500 link=0 master=0
if=npu0_vlink0 family=00 type=1 index=27 mtu=15324 link=0 master=0
if=npu0_vlink1 family=00 type=1 index=28 mtu=15324 link=0 master=0
if=modem family=00 type=512 index=29 mtu=1500 link=0 master=0
if=root family=00 type=772 index=30 mtu=16436 link=0 master=0
if=ssl.root family=00 type=65534 index=31 mtu=1500 link=0 master=0
if=BOND1 family=00 type=1 index=32 mtu=1500 link=0 master=0
if=vsw.BOND1 family=00 type=1 index=33 mtu=1500 link=0 master=0
if=qtn.BOND1 family=00 type=1 index=34 mtu=1500 link=0 master=0
if=VLAN100 family=00 type=1 index=35 mtu=1500 link=0 master=0
if=VLAN200 family=00 type=1 index=36 mtu=1500 link=0 master=0
if=VLAN901 family=00 type=1 index=37 mtu=1500 link=0 master=0
if=VLAN12 family=00 type=1 index=38 mtu=1500 link=0 master=0
if=VLAN13 family=00 type=1 index=39 mtu=1500 link=0 master=0
if=lan family=00 type=1 index=40 mtu=1500 link=0 master=0
if=vsys_ha family=00 type=772 index=41 mtu=16436 link=0 master=0
if=port_ha family=00 type=1 index=42 mtu=1496 link=0 master=0
if=vsys_fgfm family=00 type=772 index=43 mtu=16436 link=0 master=0
if=tun_fgfm family=00 type=65534 index=44 mtu=1492 link=0 master=0
if=B family=00 type=768 index=45 mtu=1438 link=0 master=0

Setting TCP MSS on an interface:

FG100E4Q16003872 # config system interface
FG100E4Q16003872 (interface) # edit wan1
FG100E4Q16003872 (wan1) # set tcp-mss 1452
FG100E4Q16003872 (wan1) # end

Setting TCP MSS on a firewall policy:

FG100E4Q16003872 # config firewall policy
FG100E4Q16003872 (policy) # edit 1
FG100E4Q16003872 (1) # set tcp-mss-sender 1452
FG100E4Q16003872 (1) # set tcp-mss-receiver 1452
FG100E4Q16003872 (1) # end

Related reading:
https://live.paloaltonetworks.com/t5/Learning-Articles/TCP-MSS-adjustment-for-IPSec-traffic/ta-p/74988
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Verify-MTU-Size-Exceeded/ta-p/58989
https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Improve-Performance-for-IPSec-Traffic/ta-p/53301

Clearing policy hit counters:

To show the statistics of policy <policy_id>:
# diag firewall iprope show 100004 <policy_id>

For example:
# diag firewall iprope show 100004 2
idx=2 pkts/bytes=1732/262451

To clear the statistics for this policy:
# diag firewall iprope clear 100004 2
# diag firewall iprope show 100004 2
idx=2 pkts/bytes=0/0

Link-monitor configuration:

config system link-monitor
    edit "Monitor_WAN1_DX"
        set srcintf "wan1"
        set server "www.189.cn"
        set gateway-ip 116.228.1.25
        set source-ip 116.228.1.26
        set failtime 3
        set recoverytime 3
    next
    edit "Monitor_WAN2"
        set srcintf "wan2"
        set server "www.10010.com"
        set gateway-ip 210.13.66.117
        set source-ip 210.13.66.118
        set failtime 3
        set recoverytime 3
    next
end

Packet reordering: TCP out-of-order

config firewall policy
    edit 1
        set name "TO_Internet_Policy"
        set srcintf "port11"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set delay-tcp-npu-session enable
        set nat enable
    next
end

https://mantis.fortinet.com/bug_view_page.php?bug_id=0365497
B1026 : possible packet out-of-order with NP6 during TCP session establishment - (new CLI)

[ History ]
- Issue was first reported by Bouygues Telecom with a FortiGate-3950B (NP4)
- Further testing was made with a FortiGate-1500D (NP6) where the problem can still be reproduced in the lab (FortiOS 5.4 GA)
- As suggested, opening a bug to track the issue.

[ Problem Description ]
When the host interface is busy (packets queuing in the FIFO), it is possible that the 3rd TCP session establishment ACK received from the client is transmitted to the server after data packets. This may or may not cause an issue to the server depending on the case:

1) One single DATA segment managed to sneak before the 3rd handshake ACK: since the segment's relative sequence number is 1 (just like the 3rd ACK packet), it may be seen by the server as a TCP handshake 3rd ACK containing data (piggyback). When the real 3rd ACK then arrives, it is considered a duplicate ACK but does not cause a real problem to the application.
Note: if a stateful firewall exists between the FortiGate and the server, this may be a problem and generate a Reset causing the failure of the TCP session.

2) More than one DATA segment manages to sneak before the 3rd handshake ACK: if 2 data packets sneak, the sequence number of the second packet is higher than 1 (depending on the data length of the first packet). In this scenario, the server may not consider the TCP session handshake to be completed and sends a Reset causing the session to fail.

These 2 scenarios were observed and reproduced in the lab using traffic stressers. It is not systematic to all sessions and requires a busy host.

Reason for TCP handshake ACK out-of-order: the reason for these scenarios is explained in the attached document "NP6_OOO_on_busy_CPU_v2.pdf". Please note this document is for internal use only.

[ Diagram ]
See Diagram.png

[ Reproduction Scenario ]
This is the reproduction from the lab run by Vincent. Use a FortiGate-1500D running 5.4 GA with 4 ports where:
- 2 ports, Port39 and Port36, are used to generate HTTP 21k traffic (11K sessions per second, 2 Gbps) passing through a UTM/IPS policy from an Avalanche => the only goal of this traffic is to create a busy host interface condition.
- 2 ports, Port33 and Port38, with a firewall-only policy connected to an Avalanche generating SIP traffic => SIP is chosen here because it allows the client to send more than 1 DATA packet immediately after the client has sent its 3rd ACK handshake packet.
A Breaking Point is used as a 'network probe' receiving traffic on the FortiGate server side from the switch configured with a SPAN port. Attached pcap files 'client.pcap' and 'server.pcap' are extracted from the Breaking Point in lab testing.
Other trace

[ Attached files ]
- NP6_OOO_on_busy_CPU_v2.pdf : explanation of the cause
Lab files/traces with FortiGate-1500D:
- Diagram.png
- NPI_default.spf : Avalanche test file
- config_1500D_nturbo_ips_cps.conf : FortiGate configuration
- vince-mirror.bpt : Breaking Point test file (used to capture mirrored traffic from the switch)
- client.pcap : pcap extracted from the switch port mirror, client side
- server.pcap : pcap extracted from the switch port mirror, server side

[ Expected Behavior ]
FortiGate should not create out-of-order packets during the TCP handshake.
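The two failure cases in the bug report can be checked for in a server-side capture without eyeballing Wireshark. The following is an added example, not part of the original page or of Fortinet's lab files: it runs a small per-flow state machine over packet records in the shape a pcap reader would yield (the records below are constructed sample data, not taken from client.pcap/server.pcap; in practice you would fill them from the capture with a pcap library) and reports, per client flow, whether zero, one, or more than one data segment arrived before the client's bare third-handshake ACK.

```python
import collections

# Constructed records in the shape a pcap reader would yield for server.pcap
# (sample data, not from the lab traces): flags as TCP flag letters,
# absolute sequence numbers, and the TCP payload length in bytes.
Packet = collections.namedtuple('Packet', 'ts src dst flags seq payload_len')


def find_handshake_reorder(packets):
    """Classify each client flow (src, dst) by how many client data segments the
    server side saw before the client's bare third-handshake ACK.

    Returns {flow: 'ok' | 'one_segment_before_ack' | 'multi_segment_before_ack'}.
    The outcomes follow the bug report: one early segment carries relative seq 1
    and looks like a piggybacked ACK; two or more means the second one has a
    relative seq > 1 before the handshake completed, which a server may RST.
    """
    state = {}                                      # flow -> handshake bookkeeping
    for p in sorted(packets, key=lambda x: x.ts):
        flow = (p.src, p.dst)
        if p.flags == 'S':                          # client SYN starts (or restarts) tracking
            state[flow] = {'isn': p.seq, 'synack': False, 'done': False, 'early': []}
            continue
        if flow not in state:                       # packet from the server side
            rflow = (p.dst, p.src)
            if rflow in state and p.flags == 'SA':
                state[rflow]['synack'] = True
            continue
        st = state[flow]
        if st['done'] or not st['synack']:
            continue
        if p.flags == 'A' and p.payload_len == 0 and p.seq == st['isn'] + 1:
            st['done'] = True                       # the real third ACK
        elif p.payload_len > 0:
            st['early'].append(p.seq - st['isn'])   # data segment ahead of the third ACK
    result = {}
    for flow, st in state.items():
        n = len(st['early'])
        result[flow] = ('ok' if n == 0 else
                        'one_segment_before_ack' if n == 1 else
                        'multi_segment_before_ack')
    return result


# Constructed sample: one clean handshake, one with a single early segment (case 1),
# one with two early segments (case 2). Addresses and ports are made up.
SAMPLE = [
    Packet(0.000, '10.1.1.10:40001', '10.2.2.20:5060', 'S', 1000, 0),
    Packet(0.001, '10.2.2.20:5060', '10.1.1.10:40001', 'SA', 5000, 0),
    Packet(0.002, '10.1.1.10:40001', '10.2.2.20:5060', 'A', 1001, 0),
    Packet(0.003, '10.1.1.10:40001', '10.2.2.20:5060', 'PA', 1001, 300),

    Packet(0.010, '10.1.1.11:40002', '10.2.2.20:5060', 'S', 2000, 0),
    Packet(0.011, '10.2.2.20:5060', '10.1.1.11:40002', 'SA', 6000, 0),
    Packet(0.012, '10.1.1.11:40002', '10.2.2.20:5060', 'PA', 2001, 300),
    Packet(0.013, '10.1.1.11:40002', '10.2.2.20:5060', 'A', 2001, 0),

    Packet(0.020, '10.1.1.12:40003', '10.2.2.20:5060', 'S', 3000, 0),
    Packet(0.021, '10.2.2.20:5060', '10.1.1.12:40003', 'SA', 7000, 0),
    Packet(0.022, '10.1.1.12:40003', '10.2.2.20:5060', 'PA', 3001, 300),
    Packet(0.023, '10.1.1.12:40003', '10.2.2.20:5060', 'PA', 3301, 300),
    Packet(0.024, '10.1.1.12:40003', '10.2.2.20:5060', 'A', 3001, 0),
]

if __name__ == '__main__':
    for flow, verdict in sorted(find_handshake_reorder(SAMPLE).items()):
        print('%s -> %s : %s' % (flow[0], flow[1], verdict))
```

The classification is done from the server-side capture on purpose: the client-side trace (client.pcap) shows the packets in the order the client sent them, so only the mirror on the server side reveals what the NP6 reordered.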
All packets out of order (not only the handshake): pin both interfaces of the path to the same CPU core, so one flow is not handled by two cores.

config port-cpu-map
    edit "port9"
        set cpu-core "3"
    next
    edit "port11"
        set cpu-core "3"
    next
end
Hardware and performance status:

FG900D3915800574 # get hardware status
Model name: FortiGate-900D
ASIC version: CP8
ASIC SRAM: 64M
CPU: Intel(R) Xeon(R) CPU E3-1225 v3 @ 3.20GHz
Number of CPUs: 4
RAM: 16065 MB
Compact Flash: 1925 MB /dev/sda
Hard disk: 244198 MB /dev/sdb
USB Flash: not available
Network Card chipset: FortiASIC NP6 Adapter (rev.)

FG900D3915800574 # get system performance status
CPU states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU0 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU1 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU2 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU3 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
Memory: 16450708k total, 3300036k used (20%), 13150672k free (80%)
Average network usage: 49 / 4 kbps in 1 minute, 46 / 1 kbps in 10 minutes, 46 / 0 kbps in 30 minutes
Average sessions: 49 sessions in 1 minute, 35 sessions in 10 minutes, 32 sessions in 30 minutes
Average session setup rate: 0 sessions per second in last 1 minute, 0 sessions per second in last 10 minutes, 0 sessions per second in last 30 minutes
Average NPU sessions: 1 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
Average nTurbo sessions: 0 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 1 days, 19 hours, 20 minutes
Logging of abnormal packets that do not create a session: this produces log entries for packets that cannot create a session, such as a stray SYN+ACK or FIN+ACK with no matching session, or packets that fail the reverse path forwarding (RPF) check. Both appear as deny with policyid=0 at warning level.

config log setting
    set log-invalid-packet enable
end
config log disk filter
    set severity warning
    set forward-traffic enable
end

date=2018-02-08 time=21:14:13 logid=0000000007 type=traffic subtype=forward level=warning vd=root srcip=124.124.125.27 srcport=46311 srcintf="port24" dstip=133.133.133.122 dstport=80 dstintf=unknown-0 proto=6 action=deny policyid=0 dstcountry="Japan" srccountry="India" trandisp=noop service="HTTP" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 msg="no session matched"
date=2018-02-08 time=21:49:19 logid=0000000007 type=traffic subtype=forward level=warning vd=root srcip=124.124.124.255 srcport=15062 srcintf="port24" dstip=133.133.133.122 dstport=80 dstintf=unknown-0 sessionid=2095719319 proto=6 action=deny policyid=0 dstcountry="Japan" srccountry="India" trandisp=noop service="HTTP" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 msg="reverse path check fail(bad src),drop"
mantis:0473183
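Once log-invalid-packet is on, the interesting entries are the policyid=0 denies, and a source that keeps producing "no session matched" drops is usually either asymmetric routing or a scanner sending bare SYN+ACK/FIN+ACK packets. The following is an added example, not code from the original page: a key=value parser for FortiGate traffic logs and a triage that counts policy-0 drops per reason and source IP. The three log lines are constructed samples (the first two mirror the entries above with some fields dropped, the third is a normal accept for contrast).

```python
import re

# Constructed sample lines in the format of FortiGate traffic logs (not real traffic).
SAMPLE_LOGS = [
    'date=2018-02-08 time=21:14:13 logid=0000000007 type=traffic subtype=forward level=warning vd=root '
    'srcip=124.124.125.27 srcport=46311 srcintf="port24" dstip=133.133.133.122 dstport=80 dstintf=unknown-0 '
    'proto=6 action=deny policyid=0 service="HTTP" msg="no session matched"',
    'date=2018-02-08 time=21:49:19 logid=0000000007 type=traffic subtype=forward level=warning vd=root '
    'srcip=124.124.124.255 srcport=15062 srcintf="port24" dstip=133.133.133.122 dstport=80 dstintf=unknown-0 '
    'proto=6 action=deny policyid=0 service="HTTP" msg="reverse path check fail(bad src),drop"',
    'date=2018-02-08 time=21:50:00 logid=0000000013 type=traffic subtype=forward level=notice vd=root '
    'srcip=192.168.1.5 srcport=51000 srcintf="port1" dstip=8.8.8.8 dstport=53 dstintf="port24" '
    'proto=17 action=accept policyid=3 service="DNS" msg="ok"',
]

# key=value pairs; values are either a double-quoted string (may contain spaces
# and parentheses, as in the RPF message) or a run of non-space characters.
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line):
    """Split one FortiGate key=value log line into a dict, unquoting quoted values."""
    fields = {}
    for key, raw in KV.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def classify_invalid_packet(entry):
    """Short reason for a policyid=0 deny, or None when the entry is an ordinary policy decision."""
    if entry.get('action') != 'deny' or entry.get('policyid') != '0':
        return None
    msg = entry.get('msg', '')
    if 'no session matched' in msg:
        return 'no-session'     # non-SYN TCP packet (SYN+ACK, FIN+ACK, ...) with no session
    if 'reverse path check fail' in msg:
        return 'rpf-fail'       # source not reachable back through the ingress interface
    return 'other'


def triage(lines):
    """Count policy-0 drops per (reason, srcip) so noisy sources stand out."""
    counts = {}
    for line in lines:
        entry = parse_fortigate_log(line)
        reason = classify_invalid_packet(entry)
        if reason is None:
            continue
        key = (reason, entry.get('srcip', '?'))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == '__main__':
    for (reason, src), n in sorted(triage(SAMPLE_LOGS).items()):
        print('%-12s %-16s %d' % (reason, src, n))
```

Feed it `grep 'policyid=0' /var/log/…` output from a log export or FortiAnalyzer; the rpf-fail bucket with a srcip such as 124.124.124.255 (a broadcast-looking address arriving on port24) is the kind of entry worth correlating with the routing table.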
Denied packets also create a session, which is kept for 30 s (block-session-timer). Later packets of the same denied flow then match that session and are dropped without a new policy lookup, which can mitigate some DDoS attacks.

config system settings
    set ses-denied-traffic enable
end

BJFG300D (settings) # set ses-denied-traffic
enable     Include denied sessions in the session table.
disable    Do not add denied sessions to the session table.

BJFG300D (global) # get | grep sess
auth-session-limit  : block-new
av-failopen-session : disable
block-session-timer : 30
proxy-re-authentication-mode: session
reset-sessionless-tcp: disable
strict-dirty-session-check: enable
New sandbox packages (may need a proxy to reach): http://192.241.194.166/downloader

Technical Note: Technical support on customization on various Fortinet products
http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD33500
(covers custom IPS signatures from Fortinet and customizing reports generated by FortiGate)

Long-lived sessions (session TTL):
Technical Note : Changing the TCP session TTL (time to live) on a FortiGate
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30171&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=47234697&stateId=1%200%2047236305
Technical Note: Priority of session-ttl settings in FortiGate
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD37296&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=47234747&stateId=1%200%2047236355
Technical Note: Session TTL values and Policy RST for Sessions
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36001&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=47234747&stateId=1%200%2047236355
Optical module power: check fibre attenuation and SFP transmit/receive power. port7 and port8 carry copper SFPs (SFP-T-F, SFP-GE-T), so they report N/A for the optical values.

FG3K2D3Z17800004 # get sys interface transceiver
Interface port5: SFP/SFP+
  Vendor Name: Axcen Photonics
  Part No.   : AXXE-5886-05B1
  Serial No. : AX16430003258
Interface port6: SFP/SFP+
  Vendor Name: OEM
  Part No.   : DEM-431TX
  Serial No. : H08LA0039
Interface port7: SFP/SFP+
  Vendor Name: OEM
  Part No.   : SFP-T-F
  Serial No. : F80T061
Interface port8: SFP/SFP+
  Vendor Name: OEM
  Part No.   : SFP-GE-T
  Serial No. : CSGETG40333
Interface port17: SFP/SFP+
  Vendor Name: Axcen Photonics
  Part No.   : AXXE-5886-05B1
  Serial No. : AX15190014113
Interface port18: SFP/SFP+
  Vendor Name: Axcen Photonics
  Part No.   : AXXE-5886-05B1
  Serial No. : AX15190014090
Interface port19: SFP/SFP+
  Vendor Name: Axcen Photonics
  Part No.   : AXXE-5886-05B1
  Serial No. : AX15190014109
Interface port25: SFP/SFP+
  Vendor Name: OPLINK
  Part No.   : TPP1XGDS0E000E2
  Serial No. : 7331850

                                       Optical   Optical   Optical
SFP/SFP+     Temperature  Voltage   Tx Bias   Tx Power  Rx Power
Interface     (Celsius)   (Volts)    (mA)      (dBm)     (dBm)
------------  -----------  --------  --------  --------  --------
port5         32.5         3.31      6.07      -1.8      -1.4
port6         35.4         3.23      6.10      -1.8      -2.5
port7         N/A          N/A       N/A       N/A       N/A
port8         N/A          N/A       N/A       N/A       N/A
port17        34.0         3.31      5.78      -1.9      -1.0 +
port18        33.8         3.32      7.43      -1.9      -1.8
port19        34.1         3.30      6.27      -1.8      -1.3
port25        23.0         3.27      5.18      -2.6      -1.7
++ : high alarm, + : high warning, - : low warning, -- : low alarm, ? : suspect.
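The transceiver table is easy to poll from a monitoring job, and the flag column is what tells you a reading is outside the module's own thresholds. The following is an added example, not code from the original page: a parser for the table part of `get sys interface transceiver` and a check that flags any port carrying an alarm/warning mark or whose Rx power is outside a configured window. The sample text is constructed (port25 has been given a low-alarm reading that the page's real output does not show), and the default -14 dBm floor and 0 dBm ceiling are placeholders: take the receive range from your module's datasheet.

```python
import re

# Constructed excerpt of "get sys interface transceiver" output in the format shown above
# (port25 altered to a failing reading for illustration).
SAMPLE_TRANSCEIVER = """\
                                      Optical   Optical   Optical
SFP/SFP+     Temperature  Voltage  Tx Bias   Tx Power  Rx Power
Interface     (Celsius)   (Volts)   (mA)      (dBm)     (dBm)
------------  -----------  --------  --------  --------  --------
port5         32.5         3.31      6.07      -1.8      -1.4
port7         N/A          N/A       N/A       N/A       N/A
port17        34.0         3.31      5.78      -1.9      -1.0 +
port25        23.0         3.27      5.18      -2.6      -24.5 --
++ : high alarm, + : high warning, - : low warning, -- : low alarm, ? : suspect.
"""

# One data row: interface name, five numeric-or-N/A columns, optional flag mark.
NUM = r'(-?\d+(?:\.\d+)?|N/A)'
ROW = re.compile(r'^(\S+)\s+' + r'\s+'.join([NUM] * 5) + r'(?:\s+(\+\+|--|\+|-|\?))?\s*$')
MARKS = {'++': 'high alarm', '+': 'high warning', '-': 'low warning', '--': 'low alarm', '?': 'suspect'}


def parse_transceivers(text):
    """Return {interface: {temp, volt, bias, tx, rx, mark}}; N/A (copper SFP) becomes None."""
    def num(s):
        return None if s == 'N/A' else float(s)
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:                       # headers, separator and legend do not match
            continue
        name, t, v, b, tx, rx, mark = m.groups()
        rows[name] = {'temp': num(t), 'volt': num(v), 'bias': num(b),
                      'tx': num(tx), 'rx': num(rx), 'mark': MARKS.get(mark)}
    return rows


def check_optics(rows, rx_min_dbm=-14.0, rx_max_dbm=0.0):
    """List (interface, reason) for ports with an alarm/warning mark or Rx power outside the window.

    rx_min_dbm / rx_max_dbm are assumed placeholder limits, not values from the page.
    """
    findings = []
    for name, r in sorted(rows.items()):
        if r['rx'] is None:
            continue                    # copper module or no DDM support: nothing to judge
        if r['mark'] in ('high alarm', 'low alarm'):
            findings.append((name, r['mark']))
        elif r['rx'] < rx_min_dbm:
            findings.append((name, 'rx %.1f dBm below %.1f' % (r['rx'], rx_min_dbm)))
        elif r['rx'] > rx_max_dbm:
            findings.append((name, 'rx %.1f dBm above %.1f' % (r['rx'], rx_max_dbm)))
        elif r['mark']:
            findings.append((name, r['mark']))
    return findings


if __name__ == '__main__':
    for name, reason in check_optics(parse_transceivers(SAMPLE_TRANSCEIVER)):
        print('%-8s %s' % (name, reason))
```

A low-alarm Rx reading with a normal Tx reading on the same port points at the fibre or the far end (dirty connector, wrong wavelength, too much attenuation), not at the local module.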
Hardware sensors (voltages, temperatures, fans, power supplies):

FGT1KD3915801542 # execute sensor list
 1 CPU VCCP           alarm=0  value=1.7743  threshold_status=0
 2 PVDDQ              alarm=0  value=1.52    threshold_status=0
 3 DDR VTT            alarm=0  value=0.768   threshold_status=0
 4 CPU VCORE          alarm=0  value=1.776   threshold_status=0
 5 NCT 3VDD           alarm=0  value=3.36    threshold_status=0
 6 NCT VCC3           alarm=0  value=3.312   threshold_status=0
 7 NCT 3VSB_HM        alarm=0  value=3.312   threshold_status=0
 8 NCT CPU_Vtt        alarm=0  value=1.008   threshold_status=0
 9 NCT VBAT           alarm=0  value=3.168   threshold_status=0
10 PCB Temp.          alarm=0  value=28      threshold_status=0   // mainboard temperature
11 D1                 alarm=0  value=42      threshold_status=0
12 D2                 alarm=0  value=40      threshold_status=0
13 TR3                alarm=0  value=27      threshold_status=0
14 DTS CPU            alarm=0  value=53      threshold_status=0   // CPU temperature
15 CPU Core 0         alarm=0  value=54      threshold_status=0   // per-core CPU temperature
16 CPU Core 1         alarm=0  value=52      threshold_status=0
17 CPU Core 2         alarm=0  value=54      threshold_status=0
18 CPU Core 3         alarm=0  value=51      threshold_status=0
19 Sys Fan 1          alarm=0  value=3200    threshold_status=0   // mainboard fans, 3200 rpm
20 Sys Fan 2          alarm=0  value=3200    threshold_status=0
21 Sys Fan 3          alarm=0  value=3200    threshold_status=0
22 PS1 Ambient Temp   alarm=0  (scanning disabled)
23 PS1 Comp Temp      alarm=0  (scanning disabled)
24 PS1 Fan 1          alarm=0  (scanning disabled)   // no reading: the PS1 fan is not spinning, or no power supply is fitted in PS1
25 PS1 VIN            alarm=0  (scanning disabled)
26 PS1 VOUT_12V       alarm=0  (scanning disabled)
27 PS1 Status         alarm=0  (not detected)        // no PSU module inserted in slot PS1
28 PS2 Ambient Temp   alarm=0  value=33      threshold_status=0
29 PS2 Comp Temp      alarm=0  value=35      threshold_status=0
30 PS2 Fan 1          alarm=0  value=12160   threshold_status=0   // PS2 power supply fan, 12160 rpm
31 PS2 VIN            alarm=0  value=230     threshold_status=0
32 PS2 VOUT_12V       alarm=0  value=12.284  threshold_status=0
33 PS2 Status         alarm=0                        // PS2 power supply module status

Technical Note: Enable creation of TCP session on the firewall without checking for a SYN packet
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD40929&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=47234673&stateId=1%200%2047236281
diagnose log test generates sample log messages of every kind, including attack logs.

IPsec VPN certificate authentication failure: with certificate authentication the IKE message carrying the certificate is fragmented, and if the peer cannot reassemble the IKE fragments it never receives the complete certificate.

Keep the IPS session TTL in sync with the kernel session TTL:
config ips global
    set sync-session-ttl enable
end
View the IPS session table: dia ips session list
huayun.py

#!/usr/bin/env python
# -*- coding:utf-8 -*-
# Date: 2018
# Polls a FortiGate over Telnet, records CPU/memory and IPS statistics to a file,
# and collects extra diagnostics when CPU or memory usage is high.
# Telnet sends the admin password in cleartext: keep this for an isolated lab
# and use SSH on production units.
import re
import getpass
import time
from telnetlib import Telnet

try:
    input = raw_input           # Python 2
except NameError:
    pass                        # Python 3

System_Info = {'platform': '', 'serialNumber': '', 'version': '', 'vdom': '', 'haMode': ''}


def login(host, port, username, password):
    tn = Telnet(host, port, timeout=5)
    tn.read_until(b"login:")
    tn.write(username.encode('ascii') + b"\r\n")
    tn.read_until(b"Password:")
    tn.write(password.encode('ascii') + b"\r\n")
    tn.read_until(b"#")
    tn.write(b"\r\n")
    tn.read_until(b"#")
    tn.write(b"config global\n")        # multi-VDOM unit: run the commands in the global VDOM
    tn.read_until(b"#")
    return tn


def run(tn, cmd):
    """Send one CLI command and return its output up to the next prompt."""
    tn.write(cmd.encode('ascii') + b"\n")
    return tn.read_until(b"#").decode('ascii', 'replace')


def get_system_status(tn):
    # The firewall must not page its output. Configure
    #   config system console / set output standard
    # (the default is "more"); otherwise the "#" prompt never arrives and read_until blocks.
    for line in run(tn, "get sys status").splitlines():
        if 'Version' in line:
            parts = line.split()        # Version: FortiGate-900D v5.6.3,build1547,180201 (GA)
            System_Info['platform'] = parts[1]
            System_Info['version'] = parts[2]
        elif 'Serial-Number' in line:
            System_Info['serialNumber'] = line.split(':', 1)[1].strip()
        elif 'Virtual domain configuration' in line:
            System_Info['vdom'] = line.split(':', 1)[1].strip()
        elif 'Current HA mode' in line:
            System_Info['haMode'] = line.split(':', 1)[1].strip()
            break


def get_sys_cpuMem(tn):
    """Return (cpu, mem) usage in percent; the output format differs between releases."""
    usage = run(tn, "get sys perf status")
    release = System_Info['version'][0:4]
    cpu_line = re.findall(r'CPU states:(.*)', usage)[0].strip()
    cpu_fields = re.split(r'[\s\-\(\>\)]+', cpu_line)
    if release in ('v5.2', 'v5.4'):
        # "CPU states: 0% user 0% system ..." -> user + system
        cpuUsage = int(cpu_fields[0].strip('%')) + int(cpu_fields[2].strip('%'))
        memUsage = re.findall(r'Memory states: (.*) used', usage)[0].strip('%')
        return cpuUsage, memUsage
    if release == 'v5.6':
        # "Memory: 16450708k total, 3300036k used (20%), ..." -> the value in parentheses
        mem_line = re.findall(r'Memory: (.*)', usage)[0].rstrip('\r')
        cpuUsage = cpu_fields[2].strip('%')
        memUsage = re.split(r'[\s]+', mem_line)[4].lstrip('(').rstrip('%),')
        return cpuUsage, memUsage
    raise RuntimeError('unsupported FortiOS release: %s' % System_Info['version'])


host = '10.139.130.72'
port = '23'
# Process IDs hard-coded from the lab unit; they differ per box and reboot,
# so read them from "diagnose sys top" first.
TRACE_PIDS = ('15705', '15706')

""" Tested on Python 2.7.14 and 3.6.4 """
if __name__ == '__main__':
    username = input('Please input username: ')
    password = getpass.getpass('Please input password: ')
    filetime = time.strftime('%Y%m%d-%Hh%Mm%Ss')
    f = open('ips_' + filetime + '.txt', 'w')
    cpuhigh = 48
    memhigh = 75
    tn = login(host, port, username, password)
    get_system_status(tn)       # model, version, VDOM mode and HA mode for the parsers above
    while True:
        cpuUsage, memUsage = get_sys_cpuMem(tn)
        print("CPU usage = %s, MEM usage = %s" % (cpuUsage, memUsage))
        temp = ''
        for cmd in ("exec date", "exec time", "get sys performance status",
                    "get system session-info statistics",
                    "diagnose ips session status", "diagnose ips memory status"):
            temp += run(tn, cmd)
        f.write(temp + '\n')
        if int(cpuUsage) >= cpuhigh:
            tn.write(b"diagnose sys top 2 99\n")   # two samples, 99 processes
            time.sleep(6)
            tn.write(b"q")
            cputemp = tn.read_until(b"#").decode('ascii', 'replace')
            for cmd in ("dia ips session performance", "dia ips session list"):
                cputemp += run(tn, cmd)
            for pid in TRACE_PIDS:
                cputemp += run(tn, "dia sys process trace " + pid)
            f.write('cpu high //\n' + cputemp + '\n')
        if int(memUsage) >= memhigh:
            tn.write(b"diagnose sys top 2 99\n")
            time.sleep(6)
            tn.write(b"q")
            memtemp = tn.read_until(b"#").decode('ascii', 'replace')
            for cmd in ("fnsysctl df -h", "dia ips memory status",
                        "dia ips packet status", "dia ips session status"):
                memtemp += run(tn, cmd)
            for pid in TRACE_PIDS:
                for node in ("status", "maps", "smaps"):
                    memtemp += run(tn, "fnsysctl cat /proc/%s/%s" % (pid, node))
            f.write('mem high //\n' + memtemp + '\n')
            # memory is high: force an HA failover to the peer and stop monitoring
            tn.write(b"diagnose sys ha reset-uptime\n")
            break
        time.sleep(10)
    f.close()
testSMTP.py

#!/usr/bin/env python
# -*- coding:utf-8 -*-
# Author : Jerry Liu
# Date: 2018
# Sends a short alert mail (used to announce an HA failover).
import getpass
import smtplib

sender = 'mliu@fortinet.com'
tolist = ["mliu@fortinet.com", "ftnt@qq.com"]

sm = smtplib.SMTP('mail.fortinet.com', 25, timeout=3)
# Plain port 25 with a LOGIN/PLAIN password sends the credential in cleartext;
# call sm.starttls() before login() if the server offers STARTTLS.
emailpwd = getpass.getpass('Please input email password: ')
try:
    authcode = sm.login('mliu', emailpwd)       # (235, b'...') on success
except smtplib.SMTPAuthenticationError:
    sm.quit()
    raise

# Header block, one empty line, then the body; To: recipients are comma separated.
msg = ('From: %s\n' % sender +
       'To: %s\n' % ', '.join(tolist) +
       'Subject: test python\n'
       '\n'
       'HA failover just now !!!\n'
       'HA failover just now !!!\n')
if authcode[0] == 235:
    sm.sendmail(sender, tolist, msg)
sm.quit()
Disk usage (the log disk is mounted on /var/log):

BJLab-240D-90-254 # fnsysctl df -h
Filesystem   Size    Used    Available  Use%  Mounted on
rootfs       1.9G    78.8M   1.8G       4%    /
tmpfs        1.9G    78.8M   1.8G       4%    /
none         3.4G    1.3M    3.4G       0%    /tmp
none         3.4G    37.1M   3.4G       1%    /dev/shm
none         3.4G    16.6M   3.4G       0%    /dev/cmdb
/dev/sda1    247.9M  41.7M   193.4M     18%   /data
/dev/sda3    14.1G   52.5M   13.4G      0%    /data2
/dev/sdb1    58.6G   17.6G   38.0G      32%   /var/log
Proxy-mode TCP option setting (controls whether TCP options such as SACK, timestamps and window scaling are used on proxied sessions):

fgt-3700D-LAB # config system global
fgt-3700D-LAB (global) # get | grep tcp
reset-sessionless-tcp: disable
tcp-halfclose-timer : 120
tcp-halfopen-timer  : 10
tcp-option          : enable
tcp-timewait-timer  : 1
fgt-3700D-LAB (global) # set tcp-option
enable     Enable TCP option.
disable    Disable TCP option.

==================== End