“Troubleshooting FortiGate firewalls” covers FortiGate CLI options, a routing overview, firewall sessions and TCP states, followed by a live debug packet flow that will certainly help you resolve most of your day-to-day issues in a Fortinet security environment.
Troubleshooting FortiGate Firewalls – How to become a firewall Guru!
Fortinet CLI options
show | get | diagnose | execute
Show – Used to view configurations on the firewall
Get – Used to check runtime values once the device is configured and operational
Diagnose – Used to gather diagnostic information, e.g. for debugging hardware, system and IP networking issues
Execute – Used to run system management utilities such as backups and upgrades, and network diagnostic utilities such as nslookup, ping, traceroute and tcpdump
•VDOMs (virtual domains) divide a FortiGate firewall into two or more independent virtual devices. Each VDOM can have its own firewall policies, routing, NAT and VPN settings for its network.
To enter a VDOM from the global CLI, use the following commands:
config vdom
edit <vdom name>
Below are some useful troubleshooting commands on FortiGate firewalls:
execute ping <IP address>
execute traceroute <IP address>
execute telnet <IP address> <port no.>
get system status – to view version, serial number, VDOMs, HA cluster, system time etc.
show full-configuration – to view the running configuration
get router info routing-table <all | database | protocol> – to view routing details
get system ha status – to view HA cluster status and details
Note that to ping or traceroute from a specific source address, you need to set it first with execute ping-options source <IP address> or execute traceroute-options source <IP address>.
FortiGate is a stateful firewall – for any session, it performs a route lookup twice:
•For the first packet sent by the originator
•For the first reply packet coming from the responder
The routing information is written to the session table. Like any other firewall, it supports static routing, dynamic routing and policy-based routing – PBR takes precedence over the routing table. It also supports IPv6 and ECMP (equal-cost multi-path) routing and can route well-known Internet services (Google DNS, Apple DNS etc.) via specific WAN interfaces. It also supports Reverse Path Forwarding (RPF) checks, which help protect against IP spoofing attacks.
Session tables are useful when verifying open connections. For example, if you have a web browser open to browse Google or Facebook, you would expect a session entry from your computer on port 80 or 443 to the IP address for the destination website.
The session table stores the following information about a session:
Source and destination addresses, port numbers, state and timeout
Source and destination interfaces
Source and destination NAT actions
The session table output also reports totals such as maximum concurrent sessions and new sessions per second.
To display the session table – diagnose sys session list
It is important to learn the TCP states in order to have an in-depth understanding while troubleshooting FortiGate firewalls. In any session, we have to deal with the protocol and its state, and the meaning of the state depends on the protocol:
•proto – protocol number
•proto_state – state of the session (depending on protocol)
Note that proto_state is always a 2-digit number because the FortiGate is a stateful firewall (it keeps track of both directions of the session). For example, ICMP traffic (ping) has no state and is always 00.
ICMP – proto = 1 | proto_state = 00
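The session-table fields listed above (addresses, ports, NAT actions, proto and proto_state) can be pulled out of `diagnose sys session list` output and checked programmatically, for example to confirm the expected port 80/443 entry from a browsing host. The following parser is an added example, not code from the original post or from Fortinet; the session-list text it parses is a constructed sample that follows the usual layout of that command's output, and the `sessions_from` helper is a hypothetical name.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `diagnose sys session list` output (two sessions; not a real capture).
SAMPLE = """\
session info: proto=6 proto_state=01 duration=39 expire=3583 timeout=3600 flags=00000000
orgin->sink: org pre->post, reply pre->post dev=5->7/7->5 gwy=203.0.113.1/192.168.1.10
hook=post dir=org act=snat 192.168.1.10:53412->203.0.113.5:443(203.0.113.2:53412)
hook=pre dir=reply act=dnat 203.0.113.5:443->203.0.113.2:53412(192.168.1.10:53412)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
session info: proto=1 proto_state=00 duration=2 expire=58 timeout=60 flags=00000000
orgin->sink: org pre->post, reply pre->post dev=5->7/7->5 gwy=203.0.113.1/192.168.1.10
hook=post dir=org act=snat 192.168.1.10:1->203.0.113.5:8(203.0.113.2:62000)
hook=pre dir=reply act=dnat 203.0.113.5:0->203.0.113.2:62000(192.168.1.10:1)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
total session 2
"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
KV_RE = re.compile(r"(\w+)=(\S*)")
# hook=<pre|post> dir=<org|reply> act=<snat|dnat|noop> src:sport->dst:dport(nat_ip:nat_port)
HOOK_RE = re.compile(r"hook=(\w+) dir=(\w+) act=(\w+) (\S+?):(\d+)->(\S+?):(\d+)\((\S+?):(\d+)\)")

@dataclass
class Session:
    proto: int
    proto_state: str          # two digits: one per direction of the stateful session
    policy_id: int = -1
    flows: dict = field(default_factory=dict)  # dir -> (act, src, sport, dst, dport, nat_ip, nat_port)

    @property
    def proto_name(self) -> str:
        return PROTO_NAMES.get(self.proto, str(self.proto))

def parse_session_list(text: str) -> list:
    """Split session-list output into Session objects, one per 'session info:' block."""
    sessions = []
    for line in text.splitlines():
        if line.startswith("session info:"):
            kv = dict(KV_RE.findall(line))
            sessions.append(Session(int(kv["proto"]), kv["proto_state"]))
        elif line.startswith("hook=") and sessions:
            m = HOOK_RE.match(line)
            if m:
                _hook, direction, act, src, sport, dst, dport, nip, nport = m.groups()
                sessions[-1].flows[direction] = (act, src, int(sport), dst, int(dport), nip, int(nport))
        elif line.startswith("misc=") and sessions:
            sessions[-1].policy_id = int(dict(KV_RE.findall(line)).get("policy_id", -1))
    return sessions

def sessions_from(sessions: list, host: str, ports=(80, 443)) -> list:
    """Sessions originated by `host` towards any of `ports` (the web-browsing check above)."""
    return [s for s in sessions
            if "org" in s.flows and s.flows["org"][1] == host and s.flows["org"][4] in ports]
```

Run against saved output from a real device, the originating flow also tells you whether SNAT was applied and which policy ID allowed the session, which is what you need before moving on to debug flow.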
Packet capture, also known as sniffing, records some or all of the packets seen by a network interface and helps diagnose issues that are not detected otherwise. The sniffer works like tcpdump; unlike debug flow, it does not show any details of firewall policy decisions. A capture can be taken via the CLI or GUI and, once completed, viewed in a network analyzer such as Wireshark.
In case you have any queries or want to connect with Haider Khalid, please feel free to drop a comment or follow him on LinkedIn. Also, if this has been helpful, then please subscribe to our YouTube channel – Our Technology Planet – for more exciting stuff and videos.