cetinajero/fortigate.md

## fortigate.md

      
    Raw
  

              fortigate.md
            
          
    get sys perf status

diag test app scanunit 3

diag stat app-usage-ip Facebook

Monitor bandwidth usage per IP address

diag stat per-ip-bw

# or 

ssh 172.31.35.254 'diagnose stats per-ip-bw' | grep -E "bps.[0-9]{6}" | sed -E 's/^.*addr.([0-9.]+).*([0-9]{6}).*$/\1 \2/g' | awk '{print $1"\t"$2/1024/1024*8}' | sed -E 's/^(.*\.[0-9]{2}).*/\1 Mbps/g'
Restart a FortiOS process

One by one using the process ID:
diag sys top 1 60
diag sys kill 11 proccess_id
Or, all processess at once:
fnsysctl killall scanunitd
Using the FortiOS built-in packet sniffer

All FortiGate units have a powerful packet sniffer on board. If you know tcpdump you should feel comfortable using the FortiGate Sniffer.
diag sniffer packet <interface> <'filter'> <verbose> <count> <timestamp>
Filter syntax

'[[src|dst] host<IP1>] [[src|dst] host<IP2>] [[arp|ip|gre|esp|udp|tcp] [port_no]] [[arp|ip|gre|esp|udp|tcp] [port_no]]'
Verbose levels in detail


print header of packets
print header and data from IP of packets
print header and data from Ethernet of packets
print header of packets with interface name
print header and data from IP of packets with interface name
print header and data from Ethernet of packets with interface name

Timestamp format


a: absolute UTC time, yyyy-mm-dd hh:mm:ss.ms
l: absolute LOCAL time, yyyy-mm-dd hh:mm:ss.ms
otherwise: relative to the start of sniffing, ss.ms

Examples

diag sniffer packet internal 'port 80' 6 0 l
diag sniffer packet internal 'net 172.31.29.0/24' 6 0 l
diag sniffer packet internal 'host 192.168.0.130 and icmp' 6 0 l
diag sniffer packet internal 'host 192.168.0.130 and 192.168.0.1 and tcp port 80' 6 0 l
diag sniffer packet internal 'src host 10.4.30.250' 6 0 l
diag sniffer packet internal 'src host 192.168.0.130 and dst host 192.168.0.1' 6 0 l
diag sniffer packet internal 'src host 192.168.0.130 and dst host 192.168.0.1 and tcp' 6 0 l
diag sniffer packet internal 'udp and port 1812 and host 192.168.0.130 and (192.168.0.1 or 192.168.0.2)' 6 0 l

Advance filtering based on package contents

Filtered can be used to display packets based on their content, using hexadecimal byte position.

On FortiOS 5, there is a bug when using the any interface mixed with the ether filter, be aware of that.

Match TTL = 1

diagnose sniffer packet port2 "ip[8:1] = 0x01"
Match Source MAC = 00:09:0f:89:10:ea

diagnose sniffer packet internal "(ether[6:4]=0x00090f89) and (ether[10:2]=0x10ea)"
Match Destination MAC = 00:09:0f:89:10:ea

diagnose sniffer packet internal "(ether[0:4]=0x00090f89) and (ether[4:2]=0x10ea)"
Match packets with RST flag set:

diagnose sniffer packet internal "tcp[13] & 4 != 0"
Match packets with SYN flag set:

diagnose sniffer packet internal "tcp[13] & 2 != 0"
Match packets with SYN-ACK flag set

diagnose sniffer packet internal "tcp[13] = 18"
Match packets with specific data

This matches the word this at an specific place in the data.

Payload:

0x0040	 8f48 8a0c 7468 6973 2069 7320 7069 6e67	.H..this.is.ping


Filter:

diagnose sniffer packet internal "ether[0x44:4]=0x74686973"
Match requests from EZView to NVR for camera stream


Payload:

0x0090	 1700 0100 0017 f501 1800 0500 2628 0200	............&(..


Filter:

diagnose sniffer packet internal "port 6060 and (ether[0x90]=23 or ether[0x90]=24 or ether[0x90]=25 or ether[0x90]=26)"

Note that 0x17 = 23

Resources


Hex Packet Decoder
My own TCP/IP packet decoding
Ethernet Frame Format
IPv4 Header Format
TCP Header Format