FW policy order

posted 4 Feb 2020, 09:32 by Donald Ross

Handy CLI commands

posted 4 Feb 2020, 06:56 by Donald Ross   [ updated 4 Feb 2020, 07:03 ]

FortiGate1_nse4_lab # get sys status

Version: FortiGate-VM64 v6.0.1,build0131,180604 (GA)
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 0.00000(2001-01-01 00:00)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
Botnet DB: 1.00000(2012-05-28 22:51)
License Status: Valid
Evaluation License Expires: Wed Feb  5 10:16:22 2020
VM Resources: 1 CPU/1 allowed, 995 MB RAM/1024 MB allowed
BIOS version: 04000002
Log hard disk: Available
Hostname: FortiGate1_nse4_lab
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 1
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 0131
Release Version Information: GA
FortiOS x86-64: Yes
System time: Tue Feb  4 14:50:25 2020

FortiGate1_nse4_lab # diagnose ip add list

IP=> index=3 devname=port1
IP=> index=4 devname=port2
IP=> index=5 devname=port3
IP=> index=13 devname=root
IP=> index=15 devname=vsys_ha
IP=> index=17 devname=vsys_fgfm

FortiGate1_nse4_lab # show system interface

config system interface
    edit "port1"
        set vdom "root"
        set ip
        set allowaccess ping https ssh http
        set type physical
        set snmp-index 1
    edit "port2"
        set vdom "root"
        set ip
        set allowaccess ping
        set type physical
        set role wan
        set snmp-index 2

FortiGate1_nse4_lab # show full-configuration system interface

config system interface
    edit "port1"
        set vdom "root"
        set vrf 0
        set fortilink disable
        set mode static
        set dhcp-relay-service disable
        set ip
        set allowaccess ping https ssh http
        set fail-detect disable
        set pptp-client disable
        set arpforward enable
        set broadcast-forward disable
        set bfd global
        set l2forward disable
        set icmp-send-redirect enable
        set icmp-accept-redirect enable
        set vlanforward disable
        set stpforward disable
        set ips-sniffer-mode disable
        set ident-accept disable
        set ipmac disable
        set subst disable
        set substitute-dst-mac 00:00:00:00:00:00
        set status up
        set netbios-forward disable
        set wins-ip
        set type physical
        set netflow-sampler disable
        set sflow-sampler disable
        set scan-botnet-connections disable
        set src-check enable
        set sample-rate 2000
        set polling-interval 20
        set sample-direction both
        set tcp-mss 0
        set inbandwidth 0
        set outbandwidth 0
        set egress-shaping-profile ''
        set disconnect-threshold 0
        set spillover-threshold 0
        set ingress-spillover-threshold 0
        set weight 0
        set external disable
        set description ''
        set alias ''
        set security-mode none
        set device-identification disable
        set lldp-transmission vdom
        set fortiheartbeat disable
        set estimated-upstream-bandwidth 0
        set estimated-downstream-bandwidth 0
        set vrrp-virtual-mac disable
        set role undefined
        set snmp-index 1
        set secondary-IP disable
        set preserve-session-route disable
        set auto-auth-extension-device disable
        set ap-discover enable
        config ipv6
            set ip6-mode static
            set nd-mode basic
            set ip6-address ::/0

FortiGate1_nse4_lab # show system interface port1

config system interface
    edit "port1"
        set vdom "root"
        set ip
        set allowaccess ping https ssh http
        set type physical
        set snmp-index 1
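
The "show system interface" output above is the kind of dump worth auditing rather than just reading: "allowaccess" on port1 includes "http", and an interface that also lists "telnet" exposes a cleartext management login. The following is an added example, not code from the original post or from Fortinet: a small Python parser for a "config system interface" dump that skips nested sub-tables (such as "config ipv6") and reports which interfaces permit cleartext management protocols. The sample dump and its addresses are constructed for the example; the page's own output had the addresses elided.

```python
# Constructed sample, modelled on the "show system interface" output above.
# Addresses are placeholders (RFC 5737 documentation ranges), not the lab's.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.0.2.10 255.255.255.0
        set allowaccess ping https ssh http
        set type physical
        set snmp-index 1
        config ipv6
            set ip6-mode static
            set ip6-address ::/0
        end
    next
    edit "port2"
        set vdom "root"
        set ip 198.51.100.10 255.255.255.0
        set allowaccess ping
        set type physical
        set role wan
        set snmp-index 2
    next
    edit "port3"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh telnet
        set type physical
        set snmp-index 3
    next
end
"""

# Administrative protocols that send credentials in cleartext.
CLEARTEXT_MGMT = {"http", "telnet"}


def parse_interfaces(text):
    """Parse a FortiOS 'config system interface' dump into {name: {key: [values]}}.

    Only the top-level 'set' lines of each 'edit' block are kept; nested
    'config ... end' sub-tables (for example 'config ipv6') are skipped.
    A 'set ip' line with no value (as in the page's elided output) yields [].
    """
    interfaces = {}
    current = None   # name of the interface block being read
    depth = 0        # nesting depth of sub-tables inside the current block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = line.split()
        kw = tokens[0]
        if current is not None and depth > 0:
            # Inside a nested sub-table: only track its start/end.
            if kw == "config":
                depth += 1
            elif kw == "end":
                depth -= 1
            continue
        if kw == "edit" and current is None:
            current = tokens[1].strip('"')
            interfaces[current] = {}
        elif kw == "config" and current is not None:
            depth += 1
        elif kw == "set" and current is not None:
            interfaces[current][tokens[1]] = tokens[2:]
        elif kw == "next":
            current = None
        # The outer 'config system interface' and final 'end' need no handling.
    return interfaces


def audit_allowaccess(interfaces):
    """Return {name: sorted cleartext protocols} for interfaces whose
    'allowaccess' enables HTTP or Telnet administration."""
    findings = {}
    for name, attrs in interfaces.items():
        exposed = CLEARTEXT_MGMT.intersection(attrs.get("allowaccess", []))
        if exposed:
            findings[name] = sorted(exposed)
    return findings


if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_CONFIG)
    for name, protos in audit_allowaccess(ifaces).items():
        print(f"{name}: cleartext management enabled via {', '.join(protos)}")
```

Run against a real dump, the fix for each finding is the same CLI shown in this post: edit the interface and set allowaccess to only ping, https and ssh.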

Fortigate Lab

posted 8 Oct 2016, 10:57 by Donald Ross   [ updated 12 Jul 2018, 02:15 ]

Initial setup -
open the console
log in as admin with no password (factory default)
config system interface
edit port1
set ip
set allowaccess http https ssh telnet ping
next
end

To add a default route
config router static
edit 1
set gateway <gateway_ipv4>
set device <interface_name>
next
end


version 6.0 Lab

config system interface
edit port1
set mode static
set ip
next
end

config router static
edit 1
set device port1
set gateway
next
end

config system global
set vdom-admin enable
end
