- Overview
CPU: system management, routing, new session setup, and traffic processing for interfaces without FA2/NP2/NP4 offload;
Memory: runs the system software; holds the routing table, session table, logs, etc.;
Flash card: stores the FortiOS image, the configuration files, and the system event log;
CP chip: content processor; virus-signature and IPS-signature matching, IPsec VPN encryption/decryption, etc.;
FA2, NP2, NP4 chips: network processors; once an established session has been copied (offloaded) to them, they forward its traffic on their own, taking the load off the CPU.
- Reboot and failover
- Soft failover (hand the primary role to the other unit) #diagnose sys ha reset-uptime
- Reboot the firewall #exec reboot (reboots only the unit it is run on, i.e. the primary, which triggers a primary/secondary failover)
Note: this command affects a single unit only. Shutting down an interface, by contrast, is a configuration change and takes effect on both the primary and the secondary because the configuration is synchronized.
- Checking device system status
- Basic system information #get sys status
hqwlf1000aep02 $ get sys status
Version: Fortigate-1000A 3.00,build0668,080514
Virus-DB: 8.631(2008-01-15 14:27)
Extended DB: 0.000(2003-01-01 00:00)
IPS-DB: 2.461(2008-01-18 11:23)
Serial-Number: FGT1KA3607500159
BIOS version: 04000004
Log hard disk: Not available
Hostname: hqwlf1000aep02
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: a-p,master
Distribution: International
Branch point: 668
MR/Patch Information: MR6 Patch 2
System time: Sat Jan 21 17:05:01 2012
- System performance (CPU, memory, sessions, throughput) #get sys performance status
CPU states: 0% user 1% system 0% nice 99% idle
CPU0 states: 0% user 1% system 0% nice 99% idle
Memory states: 21% used
Average network usage: 2304 kbps in 1 minute, 8573 kbps in 10 minutes, 7404 kbps in 30 minutes
Average sessions: 3224 sessions in 1 minute, 3013 sessions in 10 minutes, 3049 sessions in 30 minutes
Average session setup rate: 19 sessions per second in last 1 minute, 23 sessions per second in last 10 minutes, 22 sessions per second in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 135 days, 8 hours, 22 minutes
- Checking interfaces
- Status of a single interface #diagnose hardware deviceinfo nic <interface name>
YC-JRFW-F30-03-I # diagnose hardware deviceinfo nic port1
Driver Name: NP2
Version: 0.92
Chip Revision: 2
BoardSN: N/A
Module Name: 310B
DDR Size: 256 MB
Bootstrap ID: 11
PCIX-64bit-@133MHz bus: 03:01.0
Admin: up, num=3, duration=1169463448
Current_HWaddr: 08:5b:0e:bb:c1:79
Permanent_HWaddr: 08:5b:0e:bb:c1:79
Link: up, 5
Speed: 1000Mbps
Duplex: Full
Rx Pkts: 2220629348
Tx Pkts: 923921960
Rx Bytes: 1933305856
Tx Bytes: 3349576413
MAC1 Rx Errors: 0
MAC1 Rx Dropped: 0
MAC1 Tx Dropped: 0
MAC1 FIFO Overflow: 0
MAC1 IP Error: 0
TAE Entry Used: 0
TSE Entry Used: 0
Host Dropped: 0
Shaper Dropped: 1454
EEI0 Dropped: 0
EEI1 Dropped: 0
EEI2 Dropped: 0
EEI3 Dropped: 0
IPSEC QFIFO Dropped: 0
IPSEC DFIFO Dropped: 0
PBA: 123/1019/251
Forwarding Entry Used: 0
Offload IPSEC Antireplay ENC Status: Disable
Offload IPSEC Antireplay DEC Status: Enable
Offload Host IPSEC Traffic: Disable
ses mask: 40027dcb
- Status of an aggregate (LAG) interface #diagnose netlink aggregate name <aggregate interface name>
- Disable NP2 fast-path (line-rate) forwarding on a port, so its traffic is handled by the CPU and becomes visible to the sniffer #diagnose npu np2 fastpath-sniffer enable <port number>
Note: this setting is only in effect on the active unit (it is a diagnose command, not synchronized configuration); after a failover the former secondary does not have it, so re-enter it there if it is still needed.
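Added example (not from the notes above and not Fortinet code): read two snapshots of `diagnose hardware deviceinfo nic` for the same port, confirm link speed and duplex, and report which loss counters grew between the reads. The first snapshot is abridged from the port1 output above; the second is constructed for the example. The counters are treated as 32-bit values that wrap: in the output above Rx Bytes (1933305856) is far smaller than Rx Pkts (2220629348) times even a minimum-size frame, so the byte counter has already wrapped at least once, and a naive subtraction would go negative.

```python
import re

# Sample input, abridged from the 'diagnose hardware deviceinfo nic port1' output above.
SNAPSHOT_T0 = """\
Driver Name: NP2
Current_HWaddr: 08:5b:0e:bb:c1:79
Permanent_HWaddr: 08:5b:0e:bb:c1:79
Link: up, 5
Speed: 1000Mbps
Duplex: Full
Rx Pkts: 2220629348
Tx Pkts: 923921960
Rx Bytes: 1933305856
Tx Bytes: 3349576413
MAC1 Rx Errors: 0
MAC1 Rx Dropped: 0
MAC1 Tx Dropped: 0
MAC1 FIFO Overflow: 0
MAC1 IP Error: 0
Host Dropped: 0
Shaper Dropped: 1454
EEI0 Dropped: 0
EEI1 Dropped: 0
EEI2 Dropped: 0
EEI3 Dropped: 0
IPSEC QFIFO Dropped: 0
IPSEC DFIFO Dropped: 0
"""

# Constructed second snapshot (not taken from the device): the same port read again later,
# with 520000 more frames received and two loss counters moved.
SNAPSHOT_T1 = (SNAPSHOT_T0
               .replace("Rx Pkts: 2220629348", "Rx Pkts: 2221149348")
               .replace("MAC1 Rx Errors: 0", "MAC1 Rx Errors: 3")
               .replace("Shaper Dropped: 1454", "Shaper Dropped: 1602"))

# Counters whose growth means frames were lost on this port instead of being forwarded.
LOSS_COUNTERS = ("MAC1 Rx Errors", "MAC1 Rx Dropped", "MAC1 Tx Dropped", "MAC1 FIFO Overflow",
                 "MAC1 IP Error", "Host Dropped", "Shaper Dropped", "EEI0 Dropped", "EEI1 Dropped",
                 "EEI2 Dropped", "EEI3 Dropped", "IPSEC QFIFO Dropped", "IPSEC DFIFO Dropped")

COUNTER_BITS = 32  # assumption: the NP2 counters are 32-bit and wrap (Rx Bytes above has clearly wrapped)


def parse_nic(text):
    """Turn 'Key: value' lines into a dict; purely numeric values become ints, the rest stay strings."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            key, val = m.groups()
            fields[key] = int(val) if val.isdigit() else val
    return fields


def delta(before, after, bits=COUNTER_BITS):
    """Counter growth that stays correct across a single wrap-around."""
    return (after - before) % (1 << bits)


def link_ok(fields, speed="1000Mbps", duplex="Full"):
    """True when the port is up at the expected speed and duplex; a downshifted or
    half-duplex link is the usual cause of errors and drops on an otherwise quiet interface."""
    return (fields.get("Link", "").startswith("up")
            and fields.get("Speed") == speed
            and fields.get("Duplex") == duplex)


def loss_deltas(before, after, counters=LOSS_COUNTERS):
    """Growth of each loss counter between two reads; counters that did not move are omitted."""
    growth = {name: delta(before[name], after[name])
              for name in counters if name in before and name in after}
    return {name: n for name, n in growth.items() if n}


def loss_ratio(before, after):
    """Frames lost per frame received over the interval."""
    rx = delta(before["Rx Pkts"], after["Rx Pkts"])
    return sum(loss_deltas(before, after).values()) / rx if rx else 0.0


if __name__ == "__main__":
    t0, t1 = parse_nic(SNAPSHOT_T0), parse_nic(SNAPSHOT_T1)
    print("link ok:", link_ok(t1))
    print("counter growth:", loss_deltas(t0, t1))
    print(f"loss ratio: {loss_ratio(t0, t1):.2e}")
```

A growing Shaper Dropped count is traffic-shaping policy doing its job and is not a hardware fault; growth in the MAC error/overflow counters is. Because diagnose output is per unit, take the snapshots on whichever member is currently active.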
- Checking HA status
- Log in to the secondary unit: first log in to the primary as admin, then run #exec ha manage 0 or #exec ha manage 1 (the member index as listed by get sys ha status)
- Check whether the primary and secondary configurations are synchronized #diag sys ha showcsum
Run it on both units and compare the output; identical checksums mean the configuration is in sync. A mismatch means a policy or object present on one member may be missing after a failover, so resolve it before relying on the cluster.
- HA status # get sys ha status
- Checking sessions
- Session statistics # diagnose sys session stat or diagnose sys session full-stat
YC-JRFW-F30-03-I # diagnose sys session stat
misc info: session_count=2786 setup_rate=38 exp_count=0 clash=1
memory_tension_drop=0 ephemeral=0/114688 removeable=0
delete=0, flush=0, dev_down=0/0
TCP sessions:
562 in ESTABLISHED state
20 in SYN_SENT state
4 in SYN_RECV state
69 in FIN_WAIT state
6 in TIME_WAIT state
19 in CLOSE state
77 in CLOSE_WAIT state
firewall error stat:
error1=00000000
error2=00000000
error3=00000000
error4=00000000
tt=00000000
cont=00000000
ids_recv=00000000
url_recv=00000000
av_recv=00000000
fqdn_count=00000001
tcp reset stat:
syncqf=60279 acceptqf=0 no-listener=8108 data=0 ses=300 ips=0
global: ses_limit=0 ses6_limit=0 rt_limit=0 rt6_limit=0
session_count is the total number of sessions; setup_rate is the number of new sessions per second.
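Added example (not FortiOS code and not part of the original notes): a Python health check that parses the two outputs above, `get sys performance status` and `diagnose sys session stat`, into numbers and applies alert thresholds, the kind of script that is fed with the text collected over SSH from each cluster member. The sample inputs are the outputs shown above; the thresholds (80% memory used, 10% CPU idle, half-open ratio 0.5) are assumptions made for the example, not the vendor's conserve-mode values.

```python
import re

# Sample input: the 'get sys performance status' output shown in the notes above.
PERF_SAMPLE = """\
CPU states: 0% user 1% system 0% nice 99% idle
CPU0 states: 0% user 1% system 0% nice 99% idle
Memory states: 21% used
Average network usage: 2304 kbps in 1 minute, 8573 kbps in 10 minutes, 7404 kbps in 30 minutes
Average sessions: 3224 sessions in 1 minute, 3013 sessions in 10 minutes, 3049 sessions in 30 minutes
Average session setup rate: 19 sessions per second in last 1 minute, 23 sessions per second in last 10 minutes, 22 sessions per second in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 135 days, 8 hours, 22 minutes
"""

# Sample input: the 'diagnose sys session stat' output shown in the notes above.
SESSION_SAMPLE = """\
misc info: session_count=2786 setup_rate=38 exp_count=0 clash=1
memory_tension_drop=0 ephemeral=0/114688 removeable=0
delete=0, flush=0, dev_down=0/0
TCP sessions:
562 in ESTABLISHED state
20 in SYN_SENT state
4 in SYN_RECV state
69 in FIN_WAIT state
6 in TIME_WAIT state
19 in CLOSE state
77 in CLOSE_WAIT state
firewall error stat:
error1=00000000
error2=00000000
error3=00000000
error4=00000000
tt=00000000
cont=00000000
ids_recv=00000000
url_recv=00000000
av_recv=00000000
fqdn_count=00000001
tcp reset stat:
syncqf=60279 acceptqf=0 no-listener=8108 data=0 ses=300 ips=0
global: ses_limit=0 ses6_limit=0 rt_limit=0 rt6_limit=0
"""

# Alert thresholds are assumptions made for this example, not vendor defaults; tune per device.
MEM_USED_ALERT_PCT = 80      # memory pressure, heading towards conserve mode
CPU_IDLE_ALERT_PCT = 10      # sustained CPU saturation
HALF_OPEN_ALERT_RATIO = 0.5  # SYN_RECV / ESTABLISHED; many half-open sessions hint at a SYN flood


def parse_perf(text):
    """Extract CPU idle %, memory used % and the 1-minute session setup rate."""
    idle = re.search(r"^CPU states:.*?(\d+)% idle", text, re.M)
    mem = re.search(r"^Memory states:\s+(\d+)% used", text, re.M)
    setup = re.search(r"^Average session setup rate:\s+(\d+) sessions per second", text, re.M)
    return {"cpu_idle_pct": int(idle.group(1)),
            "mem_used_pct": int(mem.group(1)),
            "setup_rate_1m": int(setup.group(1))}


def parse_session_stat(text):
    """Flatten every key=value counter (an a/b pair becomes key and key_max) and the per-state TCP counts."""
    kv = {}
    for key, val, limit in re.findall(r"([\w-]+)=(\d+)(?:/(\d+))?", text):
        kv[key] = int(val)
        if limit:
            kv[key + "_max"] = int(limit)
    tcp = {state: int(n) for n, state in re.findall(r"^(\d+) in (\w+) state", text, re.M)}
    return {"kv": kv, "tcp": tcp}


def evaluate(perf, sess):
    """Return human-readable alerts; an empty list means the snapshot looks healthy."""
    alerts = []
    kv, tcp = sess["kv"], sess["tcp"]
    if perf["mem_used_pct"] >= MEM_USED_ALERT_PCT:
        alerts.append(f"memory {perf['mem_used_pct']}% used")
    if perf["cpu_idle_pct"] <= CPU_IDLE_ALERT_PCT:
        alerts.append(f"CPU only {perf['cpu_idle_pct']}% idle")
    if kv.get("memory_tension_drop", 0) > 0:
        alerts.append(f"{kv['memory_tension_drop']} sessions dropped under memory pressure")
    established, half_open = tcp.get("ESTABLISHED", 0), tcp.get("SYN_RECV", 0)
    if established and half_open / established > HALF_OPEN_ALERT_RATIO:
        alerts.append(f"{half_open} half-open vs {established} established TCP sessions")
    return alerts


if __name__ == "__main__":
    for line in evaluate(parse_perf(PERF_SAMPLE), parse_session_stat(SESSION_SAMPLE)) or ["OK"]:
        print(line)
```

The sample above evaluates clean: 21% memory, 99% idle, no memory-tension drops, and 4 half-open against 562 established sessions. Run the check on both HA members, since session and CPU figures are per unit.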
- Checking the system ARP table
- View the ARP table # get sys arp
YC-JRFW-F30-03-I # get system arp
Address Age(min) Hardware Addr Interface
172.16.0.1 0 08:5b:0e:f1:60:3c port1
172.16.0.2 0 00:90:0b:3d:73:7c port1
172.16.0.18 1 20:47:47:8c:a5:cc V400
172.16.0.21 0 00:0c:29:44:4b:97 V400
172.16.0.23 0 00:0c:29:d1:c1:00 V400
172.16.0.26 0 20:47:47:8c:a5:20 V400
172.16.0.34 0 70:4c:a5:11:3b:78 MZNJZH
172.16.0.38 0 70:4c:a5:67:3d:52 XQFZH
- Detailed ARP information (neighbour state, use/confirm/update timers, reference count) # diagnose ip arp list
YC-JRFW-F30-03-I # diagnose ip arp list
index=10 ifname=port1 172.16.0.1 08:5b:0e:f1:60:3c state=00000002 use=1 confirm=1770 update=1121 ref=1419
index=10 ifname=port1 172.16.0.2 00:90:0b:3d:73:7c state=00000008 use=590 confirm=3017 update=151 ref=5
index=25 ifname=V310 255.255.255.255 ff:ff:ff:ff:ff:ff state=00000040 use=148831 confirm=154831 update=148831 ref=1
index=28 ifname=V313 255.255.255.255 ff:ff:ff:ff:ff:ff state=00000040 use=357300 confirm=363300 update=357300 ref=1
index=31 ifname=V101 255.255.255.255 ff:ff:ff:ff:ff:ff state=00000040 use=86844 confirm=92844 update=86844 ref=1
index=36 ifname=V106 255.255.255.255 ff:ff:ff:ff:ff:ff state=00000040 use=4748 confirm=10748 update=4748 ref=1
index=41 ifname=To-MP-WBK 0.0.0.0 state=00000040 use=32246 confirm=38246 update=32246 ref=1
index=43 ifname=To-ZH-VPN 0.0.0.0 state=00000040 use=334121 confirm=340121 update=334121 ref=5
index=29 ifname=V400 172.16.0.18 20:47:47:8c:a5:cc state=00000004 use=3622 confirm=3622 update=1385 ref=1
index=48 ifname=支行 0.0.0.0 state=00000040 use=87126307 confirm=87132307 update=87126307 ref=1
index=29 ifname=V400 172.16.0.21 00:0c:29:44:4b:97 state=00000004 use=7036 confirm=7036 update=764 ref=3
index=29 ifname=V400 172.16.0.23 00:0c:29:d1:c1:00 state=00000002 use=557 confirm=480 update=480 ref=70
index=29 ifname=V400 172.16.0.26 20:47:47:8c:a5:20 state=00000008 use=13 confirm=2540 update=303 ref=5
- Clear the system ARP table # exec clear system arp table
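Added example (not from the notes and not Fortinet code): decode the `state=` field of `diagnose ip arp list` and flag any MAC that answers for several IPs on the same interface, the classic sign of ARP spoofing or a cloned NIC. The state values are the Linux neighbour-cache (NUD) flag bits, which is what the output above shows: 0x02 REACHABLE, 0x04 STALE, 0x08 DELAY, and 0x40 NOARP on the broadcast and point-to-point rows. The sample rows are the output above; the extra spoofed row is constructed.

```python
import re
from collections import defaultdict

# Linux neighbour-cache (NUD) state bits; FortiOS prints them as the hex 'state=' field.
NUD_STATES = {0x01: "INCOMPLETE", 0x02: "REACHABLE", 0x04: "STALE", 0x08: "DELAY",
              0x10: "PROBE", 0x20: "FAILED", 0x40: "NOARP", 0x80: "PERMANENT"}

# Sample input: the 'diagnose ip arp list' output shown above.
ARP_LIST_SAMPLE = """\
index=10 ifname=port1 172.16.0.1 08:5b:0e:f1:60:3c state=00000002 use=1 confirm=1770 update=1121 ref=1419
index=10 ifname=port1 172.16.0.2 00:90:0b:3d:73:7c state=00000008 use=590 confirm=3017 update=151 ref=5
index=25 ifname=V310 255.255.255.255 ff:ff:ff:ff:ff:ff state=00000040 use=148831 confirm=154831 update=148831 ref=1
index=28 ifname=V313 255.255.255.255 ff:ff:ff:ff:ff:ff state=00000040 use=357300 confirm=363300 update=357300 ref=1
index=31 ifname=V101 255.255.255.255 ff:ff:ff:ff:ff:ff state=00000040 use=86844 confirm=92844 update=86844 ref=1
index=36 ifname=V106 255.255.255.255 ff:ff:ff:ff:ff:ff state=00000040 use=4748 confirm=10748 update=4748 ref=1
index=41 ifname=To-MP-WBK 0.0.0.0 state=00000040 use=32246 confirm=38246 update=32246 ref=1
index=43 ifname=To-ZH-VPN 0.0.0.0 state=00000040 use=334121 confirm=340121 update=334121 ref=5
index=29 ifname=V400 172.16.0.18 20:47:47:8c:a5:cc state=00000004 use=3622 confirm=3622 update=1385 ref=1
index=48 ifname=支行 0.0.0.0 state=00000040 use=87126307 confirm=87132307 update=87126307 ref=1
index=29 ifname=V400 172.16.0.21 00:0c:29:44:4b:97 state=00000004 use=7036 confirm=7036 update=764 ref=3
index=29 ifname=V400 172.16.0.23 00:0c:29:d1:c1:00 state=00000002 use=557 confirm=480 update=480 ref=70
index=29 ifname=V400 172.16.0.26 20:47:47:8c:a5:20 state=00000008 use=13 confirm=2540 update=303 ref=5
"""

# Constructed extra row (not from the device): a second IP on V400 answering with the MAC that
# 172.16.0.21 already uses, which is what an ARP spoofer or a cloned NIC looks like in this table.
SPOOFED_ROW = "index=29 ifname=V400 172.16.0.30 00:0c:29:44:4b:97 state=00000002 use=5 confirm=5 update=5 ref=1\n"

ROW_RE = re.compile(
    r"index=(?P<index>\d+) ifname=(?P<ifname>\S+) (?P<ip>\S+)"
    r"(?: (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}))?"
    r" state=(?P<state>[0-9a-f]+) use=(?P<use>\d+) confirm=(?P<confirm>\d+) update=(?P<update>\d+) ref=(?P<ref>\d+)")


def decode_state(hex_state):
    """Names of the NUD bits set in a 'state=' value, e.g. '00000002' -> ['REACHABLE']."""
    bits = int(hex_state, 16)
    return [name for bit, name in sorted(NUD_STATES.items()) if bits & bit]


def parse_arp_list(text):
    """One dict per neighbour row; 'mac' is None on the address-less NOARP (point-to-point) rows."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["states"] = decode_state(entry["state"])
            entries.append(entry)
    return entries


def find_mac_conflicts(entries):
    """(ifname, mac) -> sorted IPs wherever one MAC claims several IPs on the same interface.

    A router or a host with secondary addresses legitimately shows up here too, so check a hit
    against the known gateway/server MACs before calling it spoofing."""
    by_mac = defaultdict(set)
    for e in entries:
        if e["mac"] and e["mac"] != "ff:ff:ff:ff:ff:ff" and "NOARP" not in e["states"]:
            by_mac[(e["ifname"], e["mac"])].add(e["ip"])
    return {key: sorted(ips) for key, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    table = parse_arp_list(ARP_LIST_SAMPLE + SPOOFED_ROW)
    for e in table:
        print(f"{e['ifname']:10} {e['ip']:16} {e['mac'] or '-':18} {','.join(e['states'])}")
    print("conflicts:", find_mac_conflicts(table))
```

On the table above no MAC is shared, so the check is silent; it reports the constructed V400 row as a conflict. Repeat the check after `exec clear system arp table` to see whether the duplicate comes back, which distinguishes a live spoofer from a stale entry.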
- Checking running processes
- List processes (refresh every 5 seconds, show up to 99 entries) #diagnose sys top 5 99
- Kill a process #diagnose sys kill 11 <PID> or # dia sys kill 9 <PID>
Note: kill 11 (SIGSEGV) makes the process write a crash log before it dies; kill 9 (SIGKILL) terminates it without one.
- IPsec debugging
- Check that the IPsec (CP) chip is working #diagnose vpn ipsec status
Normal: both the CP5 and the CPU (software) engine are listed.
Abnormal: only CP5 is listed.
- Tunnel status # diagnose vpn tunnel list
- Reset (flush) one IPsec tunnel # diagnose vpn tunnel flush <phase-1 name>
- Bring up one IPsec tunnel # diagnose vpn tunnel up <phase-2 name>
- Watch the IKE negotiation
# diagnose debug enable
# diagnose debug application ike 255
- Turn IKE debugging off
# diagnose debug application ike 0
The debug enable flag applies to the current CLI session and is cleared automatically when the administrator session ends; the IKE debug level should still be set back to 0 as above when you are done, so that it does not keep generating output.