Wednesday, 9 October 2013

Fortinet - FortiOS - See CLI commands being executed by changes in the GUI

Overview

This blog post will guide you through how to view the CLI commands that are being executed in the background when you make a change to the configuration in the GUI.

OS Version

FortiOS: v4.2.X, v4.3.X, v5.0.X

Steps to Follow


You will perform the following:

a. Open a CLI connection to the FortiGate
b. Enable debugger and CLI debug level output
c. Make a change in the GUI
d. See the CLI commands being executed
e. Clear the debugger


a. Open a CLI connection to the FortiGate


In the original post this step was shown as a screen capture: the CLI console is opened from the GUI by clicking the CLI Console widget, which is found under "System" -> "Dashboard" -> "Status". An SSH session to the FortiGate works just as well; either way, keep the session open while you make the GUI change, because that is where the debug output is printed.

b. Enable debugger and CLI debug level output

The following are the CLI commands used to enable the debugger. The first two lines clear any debugger that was previously enabled, so that you start from a clean state.

diag debug cli 8 enables CLI debug output at level 8. At this level the FortiGate prints every configuration command that is executed, including the ones generated by changes made in the GUI.

diag debug en enables the debugger; from this point on, the CLI commands behind each GUI change are printed to your CLI session.


c. Make a change in the GUI

In this example I will create an address group in the GUI (the original post showed the dialog as a screen capture).

d. See the CLI commands being executed

Pulling up the CLI window after the GUI change has been made will show you the CLI commands that were executed on your behalf (shown in the original post as a screen capture).

e. Clear the debugger

It is always good practice to disable and reset the debugger when you are done, so that debug output does not keep cluttering later CLI sessions.
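The complete command sequence for steps b to e, as an added example and not a capture from the original post: the post names the two enable commands, and the two clearing commands are the same pair the Debug Flow post on this page uses to reset the debugger. Type the first four lines, make the change in the GUI while this CLI session stays open, read off the commands it prints, then type the last two lines.

```text
diag debug dis
diag debug reset
diag debug cli 8
diag debug en
diag debug dis
diag debug reset
```

This is also a quick way to learn the CLI syntax for a GUI feature, or to turn a one-off GUI change into a script you can replay on other units.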



Fortinet - FortiOS - Block all MSN Messenger users except on allow list


Overview

This blog post will guide you through how to enable IM filtering for MSN Messenger.

OS Version

FortiOS: v4.3.9

Steps to Follow


You will perform the following:

a. Create an Application Sensor
b. Create a New Filter For This Sensor
c. Attach Application Sensor to an Outbound Policy
d. Deny All MSN Login Events in the CLI
e. Create Deny and or allow list for MSN users


a. Create an Application Sensor



1) Step1 above is to click on UTM Profiles
2) Step2 above is to click on Application Sensor
3) Step3 above is to click on the + sign to create a new Application Sensor




1) Step1 above is to have you enter the name of this Application Sensor.


b. Create a Filter For This Sensor



1) Step1 above is to verify that your application sensor is selected; its name should be listed in this field. If it is not, click on Step1b and select your sensor.
2) Step2 above is to click on “Create New” to create the filter




1) Step1 above is to click “Application”
2) Step2 above is to enter the MSN.Messenger filter name.
3) Step3 above is to make sure “Block File Transfers” is checked
4) Step4 above is to make sure “Block Audio ” is checked



c. Attach Application sensor to an outbound policy


1) Step1 above is to click “Policy” in the menu
2) Step2 above is to click “Policy” under it (Policy -> Policy)
3) Step3 above is to edit your outbound policy as in the above example





1) Step1 above is to click “Enable UTM” on this policy
2) Step2 above is to enable Application Control
3) Step3 above is to select the Application Sensor created earlier



d. Deny All MSN Login Events in the CLI

1) Step1 above is to type “config imp2p policy”
2) Step2 above is to type “set msn deny”
3) Step3 above is to type “end”


e. Create Deny and or allow list for MSN users


1) Step1 above is to type “config imp2p msn-user”
2) Step2 above is to type “edit testemail@hotmail.com”. The email address is the MSN account you want to allow or deny
3) Step3 above is to type “set action permit”. Use permit to allow this user or deny to block this user
4) Step4 above is to type “end”

Because step d set the MSN policy to deny, only accounts listed here with action permit will be able to sign in; every other MSN login is blocked.



After adding a user in the CLI, you can add and remove further users from the GUI: under the User menu you will notice an IM entry appear. You will have to log out and back in for it to appear.
1) Step1 above is to click “User”
2) Step2 above is to click “IM”
3) Step3 above is to click “Create New” if you want to create a new user to allow through MSN Messenger





Monday, 7 October 2013

Fortinet - FortiOS Debug Flow

Overview


This blog post will guide you through using the debug flow tool and analyzing its output. Debug flow will help you validate that specific traffic is passing through the FortiGate, and which policy and gateway are being used. This will help diagnose traffic flow concerns.

OS Version

FortiOS: v5.0.x | v4.3.x

Fortinet CLI Configuration

Debug Flow Syntax

The following debug lines can be used in any combination. For the sake of demonstrating the possible options that can be used, I have listed the most common ones.


Line001: diag debug dis
Line002: diag debug reset
Line003: diag debug flow filter clear
Line004: diag debug flow sh con en
Line005: diag debug flow sh func en
Line006: diag debug flow filter addr 192.168.1.1
Line007: diag debug flow filter saddr 192.168.1.1
Line008: diag debug flow filter daddr 192.168.1.1
Line009: diag debug flow filter port 53
Line010: diag debug flow filter proto 1
Line011: diag debug flow trace start 5000
Line012: diag debug en

Line 1 to 3: Disable the debugger and clear any previously configured debug settings and flow filters.
Line 4: Prints the flow trace to your console (the current CLI session).
Line 5: Includes the name of the kernel function that produced each line (the func= field) in the output.
Line 6: Filters on the given IP as either source or destination.
Line 7: Filters on the given IP as the source of the flow.
Line 8: Filters on the given IP as the destination of the flow.
Line 9: Filters on the given port as either source or destination port.
Line 10: Filters on the IP protocol number (e.g. 1 = ICMP, 6 = TCP, 17 = UDP).
Line 11: Starts the trace and sets the number of packets to trace (here 5000); the trace stops by itself after that many packets.
Line 12: Enables the debugger, so that the trace output is displayed.

Reference site for Protocol numbers:
http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml


Debug Flow Example

The following example is set to filter ICMP traffic destined to 8.8.4.4.
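The filter set for this scenario, as an added example assembled from the syntax list above (the original post showed it as a screen capture); the trace count of 100 packets is my choice, not the post's:

```text
diag debug dis
diag debug reset
diag debug flow filter clear
diag debug flow sh con en
diag debug flow sh func en
diag debug flow filter daddr 8.8.4.4
diag debug flow filter proto 1
diag debug flow trace start 100
diag debug en
```

Always set a filter and a packet count before enabling: on a busy unit an unfiltered trace floods the console and is hard to stop. When you are done, stop the trace and reset the debugger with diag debug flow trace stop, diag debug dis and diag debug reset.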
I initiated a ping from my workstation to 8.8.4.4; the resulting trace output is analyzed in the two segments below.


Analyzing the Debug Flow Example 1

The following is one session segment taken from the above output.

id=13 trace_id=268 func=resolve_ip_tuple_fast line=4295 msg="vd-root received a packet(proto=1, 192.168.88.108:266->8.8.4.4:8) from Internal."
id=13 trace_id=268 func=init_ip_session_common line=4424 msg="allocate a new session-0016a973"
id=13 trace_id=268 func=vf_ip4_route_input line=1603 msg="find a route: gw-99.224.148.1 via wan2"
id=13 trace_id=268 func=get_new_addr line=2398 msg="find SNAT: IP-99.224.148.182, port-62464"
id=13 trace_id=268 func=fw_forward_handler line=660 msg="Allowed by Policy-1: SNAT"
id=13 trace_id=268 func=ids_receive line=237 msg="send to ips"
id=13 trace_id=268 func=__ip_session_run_tuple line=2505 msg="SNAT 192.168.88.108->99.224.148.182:62464"


Line 1 (resolve_ip_tuple_fast): The packet uses proto 1 (ICMP). For ICMP the two "port" fields are not ports: 266 is the ICMP identifier and 8 is the ICMP type (8 = echo request), so this is the echo request to 8.8.4.4. This line also shows which interface the packet was received on, in this case "Internal".

Line 3 (vf_ip4_route_input): A route was found through wan2 using a gateway of 99.224.148.1. This comes from the routing table, so an unexpected interface or gateway here points at a routing problem rather than a policy problem.

Line 4 (get_new_addr): The IP used on the outbound interface and the source port the session was NATed out as (99.224.148.182:62464).

Line 5 (fw_forward_handler): The policy that allowed the traffic out, here Policy-1, which applies SNAT.


Analyzing the Debug Flow Example 2

The following is the same session segment taken from the above output, read for two further details.

id=13 trace_id=268 func=resolve_ip_tuple_fast line=4295 msg="vd-root received a packet(proto=1, 192.168.88.108:266->8.8.4.4:8) from Internal."
id=13 trace_id=268 func=init_ip_session_common line=4424 msg="allocate a new session-0016a973"
id=13 trace_id=268 func=vf_ip4_route_input line=1603 msg="find a route: gw-99.224.148.1 via wan2"
id=13 trace_id=268 func=get_new_addr line=2398 msg="find SNAT: IP-99.224.148.182, port-62464"
id=13 trace_id=268 func=fw_forward_handler line=660 msg="Allowed by Policy-1: SNAT"
id=13 trace_id=268 func=ids_receive line=237 msg="send to ips"
id=13 trace_id=268 func=__ip_session_run_tuple line=2505 msg="SNAT 192.168.88.108->99.224.148.182:62464"



Line 2 (init_ip_session_common): If a new session is created, it is indicated here, as in this case with "allocate a new session-0016a973". If the packet matches an existing session instead, the trace says so on this line.

Line 6 (ids_receive): If the traffic is being inspected by the IPS engine, "send to ips" appears here. If you are seeing anomalies in your traffic flow, you may want to temporarily remove IPS from the policy, validate the traffic flow again, and then re-enable it.
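The reading done by hand in these two sections can be automated for a long trace. The following Python script is an added example, not from the original post: it groups trace lines by trace_id and pulls out the fields discussed above (ingress interface, route and gateway, SNAT address, matching policy, new session or not, and whether the packet was sent to IPS). The first seven sample lines are the post's own segment; the second session (trace_id 269) is constructed, and the wording of its "Denied by forward policy check" line is an assumption, as the exact message varies between FortiOS releases.

```python
"""Per-session summary of FortiOS 'diag debug flow' output (added example)."""
import re
from collections import OrderedDict

# Constructed sample: the post's segment (trace_id 268) plus one denied TCP
# session (trace_id 269) whose "Denied by ..." wording is an assumption.
SAMPLE_TRACE = """\
id=13 trace_id=268 func=resolve_ip_tuple_fast line=4295 msg="vd-root received a packet(proto=1, 192.168.88.108:266->8.8.4.4:8) from Internal."
id=13 trace_id=268 func=init_ip_session_common line=4424 msg="allocate a new session-0016a973"
id=13 trace_id=268 func=vf_ip4_route_input line=1603 msg="find a route: gw-99.224.148.1 via wan2"
id=13 trace_id=268 func=get_new_addr line=2398 msg="find SNAT: IP-99.224.148.182, port-62464"
id=13 trace_id=268 func=fw_forward_handler line=660 msg="Allowed by Policy-1: SNAT"
id=13 trace_id=268 func=ids_receive line=237 msg="send to ips"
id=13 trace_id=268 func=__ip_session_run_tuple line=2505 msg="SNAT 192.168.88.108->99.224.148.182:62464"
id=13 trace_id=269 func=resolve_ip_tuple_fast line=4295 msg="vd-root received a packet(proto=6, 192.168.88.50:51022->203.0.113.9:23) from Internal."
id=13 trace_id=269 func=init_ip_session_common line=4424 msg="allocate a new session-0016a974"
id=13 trace_id=269 func=vf_ip4_route_input line=1603 msg="find a route: gw-99.224.148.1 via wan2"
id=13 trace_id=269 func=fw_forward_handler line=660 msg="Denied by forward policy check"
"""

LINE_RE = re.compile(r'id=\d+ trace_id=(?P<tid>\d+) func=(?P<func>\S+) '
                     r'line=\d+ msg="(?P<msg>.*)"$')
PACKET_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), '
                       r'(?P<src>[\d.]+):(?P<sp>\d+)->(?P<dst>[\d.]+):(?P<dp>\d+)\) '
                       r'from (?P<iface>\S+)\.')
SESSION_RE = re.compile(r'allocate a new session-(?P<sid>[0-9a-f]+)')
ROUTE_RE = re.compile(r'find a route: gw-(?P<gw>[\d.]+) via (?P<iface>\S+)')
SNAT_RE = re.compile(r'find SNAT: IP-(?P<ip>[\d.]+), port-(?P<port>\d+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<policy>\d+)')
DENY_RE = re.compile(r'Denied by forward policy check')  # assumed wording
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def new_session(tid):
    return {"trace_id": int(tid), "proto": None, "src": None, "dst": None,
            "in_iface": None, "session_id": None, "new_session": False,
            "gateway": None, "out_iface": None, "snat_ip": None,
            "snat_port": None, "verdict": None, "policy": None, "ips": False}


def parse_trace(text):
    """Group trace lines by trace_id; return one dict per session, in order."""
    sessions = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # prompt echo, blank line, etc.
        s = sessions.setdefault(m.group("tid"), new_session(m.group("tid")))
        msg = m.group("msg")
        if (p := PACKET_RE.search(msg)):
            proto = int(p.group("proto"))
            s["proto"] = PROTO_NAMES.get(proto, str(proto))
            s["src"], s["dst"], s["in_iface"] = p.group("src"), p.group("dst"), p.group("iface")
            if proto == 1:
                # For ICMP the two "port" fields are the ICMP id and type
                # (8 = echo request), not L4 ports.
                s["icmp_id"], s["icmp_type"] = int(p.group("sp")), int(p.group("dp"))
            else:
                s["sport"], s["dport"] = int(p.group("sp")), int(p.group("dp"))
        elif (p := SESSION_RE.search(msg)):
            s["session_id"], s["new_session"] = p.group("sid"), True
        elif (p := ROUTE_RE.search(msg)):
            s["gateway"], s["out_iface"] = p.group("gw"), p.group("iface")
        elif (p := SNAT_RE.search(msg)):
            s["snat_ip"], s["snat_port"] = p.group("ip"), int(p.group("port"))
        elif (p := ALLOW_RE.search(msg)):
            s["verdict"], s["policy"] = "allowed", int(p.group("policy"))
        elif DENY_RE.search(msg):
            s["verdict"] = "denied"
        elif msg == "send to ips":
            s["ips"] = True
    return list(sessions.values())


def summarize(s):
    """One line per session, in the order the post reads the trace."""
    verdict = s["verdict"] or "no verdict in trace"
    if s["policy"] is not None:
        verdict += " by policy %d" % s["policy"]
    nat = ", SNAT %s:%d" % (s["snat_ip"], s["snat_port"]) if s["snat_ip"] else ""
    return "trace %d: %s %s -> %s in %s, out %s via gw %s, %s%s, ips=%s" % (
        s["trace_id"], s["proto"], s["src"], s["dst"], s["in_iface"],
        s["out_iface"], s["gateway"], verdict, nat, s["ips"])


if __name__ == "__main__":
    for sess in parse_trace(SAMPLE_TRACE):
        print(summarize(sess))
```

Paste a captured trace into SAMPLE_TRACE (or read it from a file) and each trace_id collapses to one line, which makes it easy to spot the session with no "Allowed by Policy" verdict, an unexpected egress interface, or a missing SNAT.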


Fortinet - FortiGate Automatic Restarting


Overview

This blog post will guide you through configuring the FortiGate to automatically restart on a daily basis.

OS Version

FortiOS: v5.0.4 | v4.3.15

Fortinet CLI Configuration

Step 1
Log into the FortiGate. In this example, I connected using SSH.

Step 2
You will find the daily restart setting under "config system global". If you are using VDOMs, you must first enter the global context by running the following command before the commands in this step:

config global

You then want to set the daily restart command to enable.

Step 3

Set the time you want the restart to occur. In the original screen capture I have set it to 1AM.

You then want to type "end", which will save the above changes.
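The CLI for steps 2 and 3 in one piece, as an added example rather than the post's screen captures. The option names daily-restart and restart-time are what I know the FortiOS config system global CLI to use for this feature; they are not visible on this page, so confirm them on your unit with set ? inside config system global. The outer config global / end pair is only needed when VDOMs are enabled; without VDOMs, start at config system global.

```text
config global
    config system global
        set daily-restart enable
        set restart-time 01:00
    end
end
```

Note that a scheduled reboot terminates every session and VPN tunnel on the unit at that time every day, and it masks rather than fixes whatever instability prompted it; treat it as a stopgap while the underlying issue is raised with support.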