
Fortinet Commands


#########################################################################

WAN IP ERROR
#########################################################################
diag sys waninfo

#########################################################################
config dnsfilter profile
    edit "default"
        set comment "Default dns filtering."
        config ftgd-dns
            config filters
                edit 1
                    set category 12
                next
                ......
                edit 21
                next
            end
        end
    next
end

***************************************************

get router info routing-table all | grep

**************************************************
**************************************************
BGP
****************************************************

config router bgp
    set log-neighbour-changes enable
end

get router info routing-table bgp
get router info protocols
get router info bgp summary

*****************************************
*****************************************
FORCE LICENSE UPDATE
****************************************
****************************************

diag debug app update -1
diag debug enable
exec update-now
diag debug disable

*******************************************
******************************************
VIEW ERRORS
*******************************************
*******************************************

diagnose debug crashlog read
diagnose debug config-error-log read
****************************************
****************************************
SESSIONS
***************************************
***************************************

diagnose sys session full-stat = total sessions
diagnose sys session list = session detail
diagnose sys session filter src xxxxxxxxxx
diagnose sys session list

172.18.65.177 GESTION-CLOUDIN
*********************
*********************
DEBUG ON FORTINET
*********************
*********************

diagnose debug flow filter saddr 192.168.1.252
diagnose debug flow filter daddr 190.25.225.85
diagnose debug flow filter dport 4848
diagnose debug flow trace start 1000
diagnose debug enable
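Debug flow output is a stream of `key=value` lines grouped by `trace_id`, and the useful facts (which interface the packet arrived on, which route was chosen, which policy allowed or denied it) are buried in the quoted `msg` field. The Python script below is an added example, not part of the original notes or Fortinet's own tooling: it parses constructed sample lines in that shape (same source, destination and port as the filter commands above; the function names, line numbers, policy number and route are invented for the sample), groups them per trace and extracts the packet tuple, ingress and egress interfaces and the verdict, which is what a reviewer wants when confirming a policy hit or an unexpected drop.

```python
import re
from collections import OrderedDict

# Constructed sample (not captured from a real unit) in the key=value shape that
# 'diagnose debug flow trace start' prints once 'diagnose debug enable' is on.
# Trace 1: connection allowed by policy 5 and routed out wan1.
# Trace 2: connection denied by the implicit policy 0.
SAMPLE_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=6, 192.168.1.252:54321->190.25.225.85:4848) from port2. flag [S], seq 1234567890, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5760 msg="allocate a new session-00001a2b"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=1 func=fw_forward_handler line=778 msg="Allowed by Policy-5: SNAT"
id=20085 trace_id=2 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=6, 192.168.1.252:54322->190.25.225.85:4848) from port2. flag [S], seq 1234567891, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=5760 msg="allocate a new session-00001a2c"
id=20085 trace_id=2 func=fw_forward_handler line=779 msg="Denied by forward policy check (policy 0)"
"""

# key=value pairs; a quoted value may itself contain '=' and spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
PKT_RE = re.compile(
    r"received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+?)\."
)
ROUTE_RE = re.compile(r"find a route: .*via (\S+)")
VERDICT_RE = re.compile(r"^(Allowed|Denied) by (.+)$")


def parse_line(line):
    """Turn one 'key=value key="quoted value"' line into a dict (quotes stripped)."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        fields[key] = val
    return fields


def summarize_traces(text):
    """Group debug-flow lines by trace_id; pull out packet, interfaces and verdict."""
    traces = OrderedDict()
    for raw in text.splitlines():
        f = parse_line(raw)
        if "trace_id" not in f:
            continue  # prompt echoes and other non-trace output
        t = traces.setdefault(
            f["trace_id"],
            {"packet": None, "ingress": None, "egress": None, "verdict": None, "policy": None},
        )
        msg = f.get("msg", "")
        m = PKT_RE.search(msg)
        if m:
            proto, src, sport, dst, dport, iface = m.groups()
            t["packet"] = (int(proto), src, int(sport), dst, int(dport))
            t["ingress"] = iface
        m = ROUTE_RE.search(msg)
        if m:
            t["egress"] = m.group(1)
        m = VERDICT_RE.match(msg)
        if m:
            t["verdict"] = m.group(1).lower()
            t["policy"] = m.group(2)
    return traces


def denied_traces(traces):
    """Trace ids whose verdict was a deny: the ones worth reading in full."""
    return [tid for tid, t in traces.items() if t["verdict"] == "denied"]


if __name__ == "__main__":
    for tid, t in summarize_traces(SAMPLE_FLOW).items():
        print(tid, t["packet"], t["ingress"], "->", t["egress"], t["verdict"], t["policy"])
```

Feed it the saved output of a trace (for example after `diagnose debug flow trace start 1000` with a tight filter, as above) instead of `SAMPLE_FLOW`; anything that is not a `trace_id=` line is ignored, so the prompt and `diagnose debug disable` echo do not disturb the parse.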

*********************
*********************
SNIFFER ON FORTINET
*********************
*********************

diagnose sniffer packet <interface|any> '<tcpdump-filter>' <verbose> <count> <time-format>

verbose:
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name <<<<<< good default choice
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name
count: number of packets
time-format:
a: UTC time
l: local time

Example:

diagnose sniffer packet any 'host 8.8.8.8' 4 4 l
diagnose sniffer packet any 'host 8.8.8.8 and dst port 53' 4 10 a
diagnose sniffer packet wan1 'dst port (80 or 443)' 2 50 l
diagnose sniffer packet any 'net 2001:db8::/32' 6 1000 l

diag sniffer packet any "net x.x.x.x" 4
diag sniffer packet any 'host 172.25.2.102 and host 172.31.255.10 and tcp port 80' 4
'src host 192.168.0.130 and dst host 192.168.0.1'
http://kb.fortinet.com/kb/viewContent.do?externalId=11186&
diagnose sniffer packet any 'host 172.18.64.53 and host 172.18.233.15' 4
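Verbose level 4 prints one header line per packet with the interface name, which is what makes it the right default: it shows on which interface a packet entered and on which it left, and whether a reply ever came back. The Python script below is an added example, not part of the original notes or Fortinet's tooling. It parses that IPv4 line shape (timestamp, interface, in/out, endpoints, protocol detail) from a constructed sample capture, counts packets per interface and direction, and flags outbound packets that never got a reply on the same interface. The sample lines, interface names and addresses are constructed; IPv6 lines are not handled.

```python
import re
from collections import Counter

# Constructed sample (not captured from a real device) of
#   diagnose sniffer packet any 'host 8.8.8.8 and dst port 53' 4 10 l
# verbose 4 = one header line per packet with the interface name; 'l' = local time.
# The last query leaves wan1 but no answer is ever seen coming back.
SAMPLE_SNIFFER = """\
interfaces=[any]
filters=[host 8.8.8.8 and dst port 53]
2024-01-15 10:02:11.123456 port2 in 192.168.1.252.51234 -> 8.8.8.8.53: udp 40
2024-01-15 10:02:11.123701 wan1 out 203.0.113.10.51234 -> 8.8.8.8.53: udp 40
2024-01-15 10:02:11.140220 wan1 in 8.8.8.8.53 -> 203.0.113.10.51234: udp 120
2024-01-15 10:02:11.140410 port2 out 8.8.8.8.53 -> 192.168.1.252.51234: udp 120
2024-01-15 10:02:12.000100 port2 in 192.168.1.252.51235 -> 8.8.8.8.53: udp 40
2024-01-15 10:02:12.000350 wan1 out 203.0.113.10.51235 -> 8.8.8.8.53: udp 40
"""

# One IPv4 header line: <timestamp> <iface> in|out <src>[.<sport>] -> <dst>[.<dport>]: <detail>
# The timestamp is one token (seconds since start) or two (date and time with 'a'/'l').
PACKET_RE = re.compile(
    r"^(?P<ts>\S+(?: \S+)?) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<detail>.*)$"
)
TCP_FLAGS = {"syn", "ack", "psh", "fin", "rst", "urg"}


def classify(detail):
    """'udp 40' and 'icmp: ...' name their protocol; TCP lines start with a flag word."""
    first = detail.split()[0].rstrip(":") if detail.strip() else ""
    if first in TCP_FLAGS:
        return "tcp"
    return first or "other"


def parse_sniffer(text):
    """Parse header lines into dicts; banner lines and unparsed text are skipped."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["sport"] = int(d["sport"]) if d["sport"] else None
        d["dport"] = int(d["dport"]) if d["dport"] else None
        d["proto"] = classify(d["detail"])
        packets.append(d)
    return packets


def summarize(packets):
    """Packet count per (interface, direction): where traffic enters and leaves."""
    return Counter((p["iface"], p["dir"]) for p in packets)


def unanswered(packets):
    """Outbound packets with no reply seen inbound on the same interface."""
    seen_in = {
        (p["iface"], p["src"], p["sport"], p["dst"], p["dport"])
        for p in packets if p["dir"] == "in"
    }
    missing = []
    for p in packets:
        if p["dir"] != "out":
            continue
        reply = (p["iface"], p["dst"], p["dport"], p["src"], p["sport"])
        if reply not in seen_in:
            missing.append((p["iface"], p["src"], p["sport"], p["dst"], p["dport"]))
    return missing


if __name__ == "__main__":
    pkts = parse_sniffer(SAMPLE_SNIFFER)
    for key, n in sorted(summarize(pkts).items()):
        print(key, n)
    print("no reply:", unanswered(pkts))
```

Because the sniffer runs on the FortiGate itself, save the capture from the terminal session and feed the file to `parse_sniffer`; with `any` as the interface the same packet appears once per interface it crosses, so the per-interface counts in `summarize` are the quickest way to spot traffic that arrives on one interface and never leaves on the expected one.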

SEARCH FOR A WORD

sh full | grep "PALABRA" -f

*************************************************
*************************************************
PERFORMANCE
************************************************
************************************************

get sys status


get hardware status
get sys performance status = show CPU status and uptime
diag sys top 5 30
diag sys top-summary
diag debug crashlog read

VIEW INTERFACE IPs - ARP

diagnose ip address list
diagnose ip arp list
diagnose firewall iplist list

show full-configuration system dns
show full-configuration system global
show full-configuration system settings

CONSERVE MODE

diagnose hardware sysinfo shm
diagnose debug crashlog read

************************
************************
HA
************************
************************

get system ha status
show full-configuration system ha
diagnose sys ha status
diagnose sys ha csum-recalculate
diagnose sys ha cluster-csum
diagnose sys ha showcsum
execute ha synchronize start
execute ha synchronize
execute ha manage
0 or 1
diagnose sys ha reset-uptime
execute ha ignore-hardware-revision status

##################################################################
##################################################################

NOTE: higher priority = master
      lower priority = slave

*********************
*********************
FQDN LIST
*********************
*********************

diagnose firewall fqdn list

***************************
***************************
INTERFACE STATISTICS
***************************
***************************

get hardware nic XXXX
fnsysctl ifconfig

************************************
************************************
VIEW THE INDEX OF EACH INTERFACE
************************************
************************************

diagnose netlink interface list

*****************************
*****************************
DEBUG VPN IPSEC
*****************************
*****************************

diagnose vpn ike log filter dst-addr4 203.0.113.2
diagnose debug ena
diag deb application ike -1

To renegotiate VPN phase 1, use the following commands.
You must specify which tunnel to reset; otherwise all VPN
tunnels are reset.

diag vpn tunnel flush VPN_Marca-es
diag vpn tunnel reset VPN_marca2

http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html

******************************
******************************
VIEW SSL VPN SESSIONS FROM THE CLI
******************************
******************************

get vpn ssl monitor
execute vpn sslvpn ?

del-all      Delete all connections under current VDOM.
del-tunnel   Delete tunnel connection.
del-web      Delete web connection.
list         List tunnel connections.

************************************
************************************
LDAP user test
************************************
************************************

diag tes authserver ldap AD_Banco_Pichincha diafor357 *******
diag tes authserver ldap AD_Banco_Pichincha testinternet T3st1nternet

************************************
************************************
Debug LDAP
************************************
************************************

diag debug application fnbamd -1

************************************
************************************
Restart IPS engine
************************************
************************************

diagnose test application ipsmonitor 2
diagnose test application ipsmonitor 99

2  changes the state
99 restarts
98 stops
97 starts

************************************
************************************
VIEW FAZ REPORTS
************************************
************************************

diagnose sys session filter dport 5060
diag sys session list
diagnose sys session filter dport 8554
diag sys session list
diag deb ena
diag deb con enable
diag sql status run_sql_rpt

************************************
************************************
CLEAR POLICY COUNTERS
************************************
************************************

diag firewall iprope clear 100004 <policy_id>

************************************
************************************
DHCP SERVER
************************************
************************************

config system dhcp server
    edit [DHCP server ID]
        set lease-time [time in seconds - 28800 = 8 hrs]
    next
end

clear the DHCP server leases:

execute dhcp lease-clear all

************************************************************************
************************************************************************
CHANGE THE INTERNAL INTERFACE MODE
************************************************************************
************************************************************************

config system global
(global) # set internal-switch-mode
interface    interface
switch       switch
(global) # set internal-switch-mode interface
(global) # end
Changing switch mode will reboot the system!
Do you want to continue? (y/n)y

*******************************************************
*******************************************************
FORTINET PAGES
*******************************************************
*******************************************************

http://kb.fortinet.com/kb/viewContent.do?externalId=11186&
http://kb.fortinet.com/kb/documentLink.do?externalID=FD33882
https://www.stackfire.com/fortigate-cli-comandos-utiles-i/
https://blog.webernetz.net/cli-commands-for-troubleshooting-fortigate-firewalls/
http://cookbook.fortinet.com/resetting-a-lost-admin-password/

##################################################
FSSO
##################################################

http://kb.fortinet.com/kb/documentLink.do?externalID=FD39911
https://charlessantana.com.br/2014/05/29/autenticao-fsso-agent-fortinet/
http://nksistemas.com/fsae-configurando-fortigate-usando-active-directory/
https://es.scribd.com/doc/44835523/Fortinet-FSAE-Polling-and-DCAgent-mode
http://kb.fortinet.com/kb/documentLink.do?externalID=FD39911

FAILOVER FSSO
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36603&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=108560035&stateId=0%200%20108558507

#######################################################################
#######################################################################
PORTS
######################################################################
########################################################################

Protocol Numbers
# Protocol Protocol's Full Name
0 HOPOPT IPv6 Hop-by-Hop Option
1 ICMP Internet Control Message Protocol
2 IGMP Internet Group Management
3 GGP Gateway-to-Gateway
4 IPv4 IPv4 encapsulation Protocol
5 ST Stream
6 TCP Transmission Control Protocol
7 CBT CBT
8 EGP Exterior Gateway Protocol
9 IGP Any private interior gateway (used by Cisco for their IGRP)
10 BBN-RCC-MON BBN RCC Monitoring
11 NVP-II Network Voice Protocol
12 PUP PUP
13 ARGUS ARGUS
14 EMCON EMCON
15 XNET Cross Net Debugger
16 CHAOS Chaos
17 UDP User Datagram Protocol
18 MUX Multiplexing
19 DCN-MEAS DCN Measurement Subsystems
20 HMP Host Monitoring
21 PRM Packet Radio Measurement
22 XNS-IDP XEROX NS IDP
23 TRUNK-1 Trunk-1
24 TRUNK-2 Trunk-2
25 LEAF-1 Leaf-1
26 LEAF-2 Leaf-2
27 RDP Reliable Data Protocol
28 IRTP Internet Reliable Transaction
29 ISO-TP4 ISO Transport Protocol Class 4
30 NETBLT Bulk Data Transfer Protocol
31 MFE-NSP MFE Network Services Protocol
32 MERIT-INP MERIT Internodal Protocol
33 DCCP Datagram Congestion Control Protocol
34 3PC Third Party Connect Protocol
35 IDPR Inter-Domain Policy Routing Protocol
36 XTP XTP
37 DDP Datagram Delivery Protocol
38 IDPR-CMTP IDPR Control Message Transport Proto
39 TP++ TP++ Transport Protocol
40 IL IL Transport Protocol
41 IPv6 IPv6 encapsulation
42 SDRP Source Demand Routing Protocol
43 IPv6-Route Routing Header for IPv6
44 IPv6-Frag Fragment Header for IPv6
45 IDRP Inter-Domain Routing Protocol
46 RSVP Reservation Protocol
47 GRE General Routing Encapsulation
48 DSR Dynamic Source Routing Protocol
49 BNA BNA
50 ESP Encap Security Payload
51 AH Authentication Header
52 I-NLSP Integrated Net Layer Security TUBA
53 SWIPE IP with Encryption
54 NARP NBMA Address Resolution Protocol
55 MOBILE IP Mobility
56 TLSP Transport Layer Security Protocol using Kryptonet key management
57 SKIP SKIP
58 IPv6-ICMP ICMP for IPv6
59 IPv6-NoNxt No Next Header for IPv6
60 IPv6-Opts Destination Options for IPv6
61 any host internal protocol
62 CFTP CFTP
63 any local network
64 SAT-EXPAK SATNET and Backroom EXPAK
65 KRYPTOLAN Kryptolan
66 RVD MIT Remote Virtual Disk Protocol
67 IPPC Internet Pluribus Packet Core
68 any distributed file system
69 SAT-MON SATNET Monitoring
70 VISA VISA Protocol
71 IPCV Internet Packet Core Utility
72 CPNX Computer Protocol Network Executive
73 CPHB Computer Protocol Heart Beat
74 WSN Wang Span Network
75 PVP Packet Video Protocol
76 BR-SAT-MON Backroom SATNET Monitoring
77 SUN-ND SUN ND PROTOCOL-Temporary
78 WB-MON WIDEBAND Monitoring
79 WB-EXPAK WIDEBAND EXPAK
80 ISO-IP ISO Internet Protocol
81 VMTP VMTP
82 SECURE-VMTP SECURE-VMTP
83 VINES VINES
84 TTP TTP
84 IPTM Internet Protocol Traffic Manager
85 NSFNET-IGP NSFNET-IGP
86 DGP Dissimilar Gateway Protocol
87 TCF TCF
88 EIGRP EIGRP
89 OSPFIGP OSPFIGP
90 Sprite-RPC Sprite RPC Protocol
91 LARP Locus Address Resolution Protocol
92 MTP Multicast Transport Protocol
93 AX.25 AX.25 Frames
94 IPIP IP-within-IP Encapsulation Protocol
95 MICP Mobile Internetworking Control Pro.
96 SCC-SP Semaphore Communications Sec. Pro.
97 ETHERIP Ethernet-within-IP Encapsulation
98 ENCAP Encapsulation Header
99 any private encryption scheme
100 GMTP GMTP
101 IFMP Ipsilon Flow Management Protocol
102 PNNI PNNI over IP
103 PIM Protocol Independent Multicast
104 ARIS ARIS
105 SCPS SCPS
106 QNX QNX
107 A/N Active Networks
108 IPComp IP Payload Compression Protocol
109 SNP Sitara Networks Protocol
110 Compaq-Peer Compaq Peer Protocol
111 IPX-in-IP IPX in IP
112 VRRP Virtual Router Redundancy Protocol
113 PGM PGM Reliable Transport Protocol
114 any 0-hop protocol
115 L2TP Layer Two Tunneling Protocol
116 DDX D-II Data Exchange (DDX)
117 IATP Interactive Agent Transfer Protocol
118 STP Schedule Transfer Protocol
119 SRP SpectraLink Radio Protocol
120 UTI UTI
121 SMP Simple Message Protocol
122 SM SM
123 PTP Performance Transparency Protocol
124 ISIS over IPv4
125 FIRE
126 CRTP Combat Radio Transport Protocol
127 CRUDP Combat Radio User Datagram
128 SSCOPMCE
129 IPLT
130 SPS Secure Packet Shield
131 PIPE Private IP Encapsulation within IP
132 SCTP Stream Control Transmission Protocol
133 FC Fibre Channel
134 RSVP-E2E-IGNORE
135 Mobility Header
136 UDPLite
137 MPLS-in-IP
138 manet
139 HIP
140 Shim6
141 WESP
142 ROHC
143-252 Unassigned
253 Use for experimentation and testing
254 Use for experimentation and testing
255 Reserved
