@cetinajero
Last active June 20, 2024 19:46
Useful FortiGate CLI commands
get sys perf status

diag test app scanunit 3

diag stat app-usage-ip Facebook

Monitor bandwidth usage per IP address

diag stat per-ip-bw

# or 

ssh 172.31.35.254 'diagnose stats per-ip-bw' | grep -E "bps.[0-9]{6}" | sed -E 's/^.*addr.([0-9.]+).*([0-9]{6}).*$/\1 \2/g' | awk '{print $1"\t"$2/1024/1024*8}' | sed -E 's/^(.*\.[0-9]{2}).*/\1 Mbps/g'

Restart a FortiOS process

One by one using the process ID:

diag sys top 1 60
diag sys kill 11 process_id

Or, all processes at once:

fnsysctl killall scanunitd

Using the FortiOS built-in packet sniffer

All FortiGate units have a powerful packet sniffer on board. If you know tcpdump you should feel comfortable using the FortiGate Sniffer.

diag sniffer packet <interface> <'filter'> <verbose> <count> <timestamp>

Filter syntax

'[[src|dst] host <IP1>] [[src|dst] host <IP2>] [[arp|ip|gre|esp|udp|tcp] [port_no]] [[arp|ip|gre|esp|udp|tcp] [port_no]]'

Verbose levels in detail

  1. print header of packets
  2. print header and data from IP of packets
  3. print header and data from Ethernet of packets
  4. print header of packets with interface name
  5. print header and data from IP of packets with interface name
  6. print header and data from Ethernet of packets with interface name

Timestamp format

  • a: absolute UTC time, yyyy-mm-dd hh:mm:ss.ms
  • l: absolute LOCAL time, yyyy-mm-dd hh:mm:ss.ms
  • otherwise: relative to the start of sniffing, ss.ms

Examples

diag sniffer packet internal 'port 80' 6 0 l
diag sniffer packet internal 'net 172.31.29.0/24' 6 0 l
diag sniffer packet internal 'host 192.168.0.130 and icmp' 6 0 l
diag sniffer packet internal 'host 192.168.0.130 and 192.168.0.1 and tcp port 80' 6 0 l
diag sniffer packet internal 'src host 10.4.30.250' 6 0 l
diag sniffer packet internal 'src host 192.168.0.130 and dst host 192.168.0.1' 6 0 l
diag sniffer packet internal 'src host 192.168.0.130 and dst host 192.168.0.1 and tcp' 6 0 l
diag sniffer packet internal 'udp and port 1812 and host 192.168.0.130 and (192.168.0.1 or 192.168.0.2)' 6 0 l

Advanced filtering based on packet contents

Filters can be used to display packets based on their content, by matching bytes at a hexadecimal offset.

Be aware that on FortiOS 5 there is a bug when the any interface is combined with an ether filter.

Match TTL = 1

diagnose sniffer packet port2 "ip[8:1] = 0x01"

Match Source MAC = 00:09:0f:89:10:ea

diagnose sniffer packet internal "(ether[6:4]=0x00090f89) and (ether[10:2]=0x10ea)"

Match Destination MAC = 00:09:0f:89:10:ea

diagnose sniffer packet internal "(ether[0:4]=0x00090f89) and (ether[4:2]=0x10ea)"

Match packets with RST flag set:

diagnose sniffer packet internal "tcp[13] & 4 != 0"

Match packets with SYN flag set:

diagnose sniffer packet internal "tcp[13] & 2 != 0"

Match packets with SYN-ACK flag set

diagnose sniffer packet internal "tcp[13] = 18"

Match packets with specific data

This matches the word "this" at a specific offset in the payload.

  • Payload:
0x0040	 8f48 8a0c 7468 6973 2069 7320 7069 6e67	.H..this.is.ping
  • Filter:
diagnose sniffer packet internal "ether[0x44:4]=0x74686973"

Match requests from EZView to NVR for camera stream

  • Payload:
0x0090	 1700 0100 0017 f501 1800 0500 2628 0200	............&(..
  • Filter:
diagnose sniffer packet internal "port 6060 and (ether[0x90]=23 or ether[0x90]=24 or ether[0x90]=25 or ether[0x90]=26)"

Note that 0x17 = 23, so the four values 23 to 26 cover 0x17 through 0x1a.
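As an added example (not part of the gist), the following Python builds the ether[]/ip[]/tcp[] offset clauses used above from a MAC address or payload bytes and evaluates them against a constructed Ethernet frame, so an offset filter can be sanity-checked before it is run on a firewall. The frame contents and the helper names are assumptions made for the example.

```python
"""Build and check FortiOS 'diag sniffer packet' byte-offset filter clauses."""
import re

def mac_filter(mac: str, direction: str = "src") -> str:
    """Clause matching a MAC. Destination MAC is ether[0:6], source MAC ether[6:6];
    the sniffer compares 1, 2 or 4 bytes at a time, so the six octets are split
    into a 4-byte and a 2-byte comparison, exactly as the gist does."""
    octets = bytes.fromhex(re.sub(r"[:\-]", "", mac))
    if len(octets) != 6:
        raise ValueError("MAC address must have six octets")
    base = 6 if direction == "src" else 0
    return f"(ether[{base}:4]=0x{octets[:4].hex()}) and (ether[{base + 4}:2]=0x{octets[4:].hex()})"

def payload_filter(offset: int, data: bytes) -> str:
    """Clause matching 1, 2 or 4 literal bytes at an absolute frame offset."""
    if len(data) not in (1, 2, 4):
        raise ValueError("the sniffer compares 1, 2 or 4 bytes at a time")
    return f"ether[0x{offset:x}:{len(data)}]=0x{data.hex()}"

_CLAUSE = re.compile(r"^(ether|ip|tcp)\[(0x[0-9a-f]+|\d+)(?::([124]))?\]\s*"
                     r"(?:&\s*(0x[0-9a-f]+|\d+)\s*)?(!=|=)\s*(0x[0-9a-f]+|\d+)$", re.I)
_num = lambda s: int(s, 16) if s.lower().startswith("0x") else int(s)

def clause_matches(frame: bytes, clause: str) -> bool:
    """Evaluate one ether[]/ip[]/tcp[] clause against raw frame bytes. ip[] is
    relative to the IPv4 header (offset 14), tcp[] to the TCP header (14 + IHL*4).
    A read past the end of the frame never matches."""
    m = _CLAUSE.match(clause.strip().strip("()").strip())
    if not m:
        raise ValueError(f"unsupported clause: {clause}")
    proto, off, width, mask, op, value = m.groups()
    base = {"ether": 0, "ip": 14, "tcp": 14 + (frame[14] & 0x0F) * 4}[proto.lower()]
    start, width = base + _num(off), int(width or 1)
    if start + width > len(frame):
        return False
    field = int.from_bytes(frame[start:start + width], "big") & (_num(mask) if mask else ~0)
    return field == _num(value) if op == "=" else field != _num(value)

def filter_matches(frame: bytes, expr: str) -> bool:
    """Evaluate a flat 'A and B or C' filter (and binds tighter than or); nested
    parentheses and non-offset primitives such as 'port 80' are not supported."""
    return any(all(clause_matches(frame, c) for c in re.split(r"\band\b", alt, flags=re.I))
               for alt in re.split(r"\bor\b", expr, flags=re.I))

# Constructed sample frame (not from the gist): src MAC 00:09:0f:89:10:ea, IPv4
# TTL 1, TCP SYN+ACK (flags 0x12), payload placing "this" at frame offset 0x44.
SAMPLE_FRAME = (bytes.fromhex("001122334455" "00090f8910ea" "0800")
                + bytes.fromhex("4500003c00010000" "0106" "0000c0a80082c0a80001")
                + bytes.fromhex("17ac00500000000100000000" "5012" "ffff00000000")
                + bytes(10) + bytes.fromhex("8f488a0c") + b"this is ping")
```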

Resources
