FortiGate防火墙总是用他丰富的嵌入式功能,价格和性能让我感到惊讶。 FortioS是一种安全化的,目的建立的操作系统,是FortiGate产品的软件基础。通过这一统一的直观操作系统,我们可以控制所有FortiGate产品中的所有安全性和网络功能。
我在以下两个帖子中放出一些有用的命令或配置:
1. FGT30D# 配置系统界面
FGT30D (interface) # show 配置系统界面 edit "wan" set ip 10.99.142.1 255.255.255.0 set allowaccess ping https ssh snmp http fgfm set type physical set snmp-index 2 next ..... edit "lan" set ip 192.168.100.1 255.255.255.0 set allowaccess ping https ssh http fgfm capwap set type physical set snmp-index 1 next end
FWF60D # show | grep interface config system switch-interface 配置系统界面 set alias "SSL VPN interface" set monitor-interface "wan1" set interface "lan" set associated-interface "ssl.root" set associated-interface "lan" set associated-interface "lan"
FWF60D # show | grep -f DMZ2 配置系统界面 edit "wan2" set vdom "root" set ip 172.17.3.1 255.255.255.0 set allowaccess ping https http fgfm set type physical set alias "DMZ2" <--- set role dmz set snmp-index 3 next end
| Grep可用于过滤输出以搜索所需的字符串。
| Grep -f将向您展示与搜索字符串匹配的整个部分。
目录
2.更改系统主机名
FGT30D# 配置系统全局
FGT30D(全球)# 设置hostname fgt30d.
FGT30D(全球)# 结尾
3.配置系统DHCP服务器
在接口“LAN”:
FGT30D# config system dhcp server config system dhcp server edit 1 set default-gateway 192.168.100.1 set dns-service default set interface "lan" config ip-range edit 1 set end-ip 192.168.100.200 set start-ip 192.168.100.80 next end set netmask 255.255.255.0 next end
获取DHCP租用IP列表的LAN接口
FWF60D # execute dhcp lease-list lan lan IP MAC-Address Hostname VCI Expiry 192.168.2.165 a8:5c:2c:4a:8f:c7 iPhone Sun Sep 2 13:07:04 2018 192.168.2.54 e4:98:d6:83:ef:6e iPad Sun Sep 2 13:05:39 2018 192.168.2.53 d0:c1:93:02:1d:a0 udhcp 1.10.4 Sun Sep 2 12:56:34 2018 192.168.2.51 02:0f:b5:c9:54:23 H-J-Dell-L1 MSFT 5.0 Sun Sep 2 12:56:14 2018 192.168.2.52 02:0f:b5:73:26:55 ESP_732655 Sun Sep 2 12:52:23 2018 FWF60D4614014474 #
来自Web Gui:
4.配置防火墙策略
FGT30D# 配置防火墙策略
配置防火墙策略
edit 1
set srcintf “lan”
set dstintf “wan”
set srcaddr “all”
set dstaddr “all”
set action accept
设置计划“始终”
set service “ALL”
set nat enable
next
结尾
5.配置静态网关
FGT30D# 配置路由器静态
配置路由器静态
edit 1
set device “wan”
设置网关10.99.142.6
next
结尾
FGT30D3X1401796 $ conf router static FGT30D3X1401796 (static) $ edit 2 new entry '2' added FGT30D3X1401796 (2) $ set device "lan" FGT30D3X1401796 (2) $ set dst 10.9.9.0 255.255.255.0 FGT30D3X1401796 (2) $ set gateway 10.9.13.1 FGT30D3X1401796 (2) $ 结尾
6.配置系统DNS主机
FGT30D# 配置系统DNS.
配置系统DNS.
设置主要208.91.112.53.
设置次要208.91.112.52.
结尾
配置FortiGate作为DNS服务器:
6.1启用DNS数据库功能
6.2配置DNS转发到系统DNS
7.设置系统用户
FGT30D# 配置系统管理员
配置系统管理员
编辑管理员
设置密码<psswrd>
配置系统管理员
edit “admin”
设置AccProfile“Super_admin”
….
设置密码enc ak1tdet3tvzlnxwgk7zjkfdgeisgltywyk2 / lnoytvcl28 =
next
edit “superadmin1”
设置AccProfile“Super_admin”
......
设置密码enc ak1edvlpbt + qarqmq5r0ituehnmu9xvwdabo2puf9tzofo =
next
edit “testadmin”
设置AccProfile“PROF_ADMIN”
设置密码ENC AK1JB0GM4GKVHLD20NMFFBHNICTGO / + OUIQAAGTGLB + VG =
next
结尾
8.配置Syslog设置
配置日志syslogd(2 | 3)设置
set status enable
设置服务器10.99.1.1.
设置端口514.
设置设施用户
结尾
诊断日志测试//测试日志记录
9.执行命令 - ping
FGT30D# execute ping www.google.ca PING www.google.ca (173.194.46.111): 56 data bytes 64 bytes from 173.194.46.111: icmp_seq=0 ttl=57 time=20.7 ms 64 bytes from 173.194.46.111: icmp_seq=1 ttl=57 time=22.7 ms 64 bytes from 173.194.46.111: icmp_seq=2 ttl=57 time=20.6 ms --- www.google.ca ping statistics --- 3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max = 20.6/21.3/22.7 ms
设置ping源:
FGT30D# execute ping-options source 192.168.1.1
FGT30D # execute ping-options viewPing Options:
Repeat Count: 5
Data Size: 56
Timeout: 2
Interval: 1
TTL: 64
TOS: 0
DF bit: unset
Source Address: 192.168.1.1
Pattern:
Pattern Size in Bytes: 0
Validate Reply: no
Note: ping-options will reset when session closed
10.超时配置
|
fgt30d3x13001834# 显示系统会话-TTL
配置系统会话-TTL set default 30000 config port edit 23 set timeout 72000 next end 结尾 |
为避免管理员远离管理计算机的可能性并将其暴露在未经授权的人员外,您可以添加空闲超时。也就是说,如果基于Web的管理器未用于指定的时间量,则FortiGate单元将自动记录管理员掉。要继续工作,他们必须再次登录。
超时可以设置为高达480分钟,或八小时,虽然这不推荐。
设置空闲时间,转到 系统> Settings 并输入空闲超时的时间。最好的做法是保持5分钟的默认值。
使用SSH登录控制台时,要成功登录FortiGate单元的默认时间是120秒(2分钟)。您可以使用CLI配置要缩短的时间来更改命令提示符在FortiGate Unit之前将记录管理员熄灭的时间长度仍然空闲。范围可以在10到3600秒之间。要设置注销时间,请输入以下CLI命令:
配置系统全局
set admin-ssh-grace-time <number_of_seconds>
end
11.备份/恢复配置到闪存
FGT30D# execute backup config flash
Please wait...
Config backed up to flash disk done.
Setting timestamp
FGT30D # execute revision list config
Last Firmware Version: V0.0.0-build000-REL0
ID TIME ADMIN FIRMWARE VERSION COMMENT
1 2015-02-10 13:39:29 jn V5.0.0-build292-REL0
2 2015-02-10 13:42:15 jn V5.0.0-build292-REL0 20140210
从Flash还原配置:
FGT30D# execute restore config flash <revision> Revision ID on the flash. FGT30D # execute restore config flash 2 This operation will overwrite the current settings! 你要继续吗? (y / n)y Please wait... Get config from local disk OK. File check OK.
12.重置系统到工厂
|
FGT60D# 执行factoryReset. 此操作将将系统重置为出厂默认值! 你要继续吗? (y / n)y 系统重置为出厂默认设置...
现在正在下降!!
FortiGate-60D(10:49-11.12.2014) 启动操作系统...... 系统开始...... |
13.检查界面状态(速度/双工)
FGT30D3X1502126 $ get system interface physical == [onboard] ==[lan] mode: static ip: 10.9.14.8 255.255.255.0 ipv6: ::/0 status: up speed: 1000Mbps (Duplex: full) ==[wan] mode: static ip: 10.9.16.8 255.255.255.0 ipv6: ::/0 status: up speed: 1000Mbps (Duplex: full) ==[modem] mode: pppoe ip: 0.0.0.0 0.0.0.0 ipv6: ::/0 status: down speed: n/a FGT30D3X1502126 $ get hardware nic lan Driver Name :Fortinet NP4Lite Driver Version :1.0.1 Admin :up Current_HWaddr 90:6c:ac:13:45:88 Permanent_HWaddr 90:6c:ac:13:45:88 Status :up Speed :1000 Duplex :Full Host Rx Pkts :1252679 Host Rx Bytes :91142924 Host Tx Pkts :88665 Host Tx Bytes :11744688 Rx Pkts :1211790 Rx Bytes :106073828 Tx Pkts :75589 Tx Bytes :111560468 rx_buffer_len :2048 Hidden :No cmd_in_list : 0 promiscuous : 1
FGT30D3X1502126 $ diag netlink interface list lan
if=lan family=00 type=1 index=3 mtu=1500 link=0 master=0
ref=16 state=start present fw_flags=8000 flags=up broadcast run allmulti multicast
Qdisc=pfifo_fast hw_addr=90:6c:ac:13:45:88 broadcast_addr=ff:ff:ff:ff:ff:ff
stat: rxp=1218030 txp=75593 rxb=106620201 txb=111560708 rxe=0 txe=0 rxd=0 txd=0 mc=0 collision=0
re: rxl=0 rxo=0 rxc=0 rxf=0 rxfi=0 rxm=0
te: txa=0 txc=0 txfi=0 txh=0 txw=0
misc rxc=0 txc=0 stop=0
input_type=0 state=6 arp_entry=5 refcnt=16
14.时间和日期或NTP
通过配置NTP CLI.
通过通过手动设置日期和时间 CLI.