A collection of commonly used FortiGate firewall commands

  • Notes

CPU: system management, routing, new-session setup, and traffic handling on interfaces that are not backed by an FA2, NP2 or NP4 processor;

Memory: runs the system software and holds the routing table, the session table, log records, etc.;

Flash: stores the FortiOS image, configuration files and the system event log;

CP chip (content processor): virus-signature and IPS-signature lookup, IPSec VPN encryption and decryption, etc.;

FA2, NP2 and NP4 chips (network processors): once an established session has been copied to them, they forward its traffic on their own, reducing CPU load.

  • Reboot and failover
  1. Soft failover: #diagnose sys ha reset-uptime
  2. Reboot the firewall: #exec reboot (reboots only the primary unit, which triggers a primary/standby failover)

Note: this command takes effect on a single unit only; shutting down an interface, by contrast, takes effect on both the primary and the standby.

  • Viewing the device's system status
  1. View basic system information: #get sys status

hqwlf1000aep02 $ get sys status
Version: Fortigate-1000A 3.00, build0668, 080514
Virus-DB: 8.631(2008-01-15 14:27)
Extended DB: 0.000(2003-01-01 00:00)
IPS-DB: 2.461(2008-01-18 11:23)
Serial-Number: FGT1KA3607500159
BIOS version: 04000004
Log hard disk: Not available
Hostname: hqwlf1000aep02
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: a-p,master
Distribution: International
Branch point: 668
MR/Patch Information: MR6 Patch 2
System time: Sat Jan 21 17:05:01 2012

  2. View system performance status: #get sys performance status

CPU states: 0% user 1% system 0% nice 99% idle
CPU0 states: 0% user 1% system 0% nice 99% idle
Memory states: 21% used
Average network usage: 2304 kbps in 1 minute, 8573 kbps in 10 minutes, 7404 kbps in 30 minutes
Average sessions: 3224 sessions in 1 minute, 3013 sessions in 10 minutes, 3049 sessions in 30 minutes
Average session setup rate: 19 sessions per second in last 1 minute, 23 sessions per second in last 10 minutes, 22 sessions per second in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 135 days,  8 hours,  22 minutes
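As an added example (not from the original post and not Fortinet code), the following Python script parses a captured `get sys performance status` output into numeric metrics and flags values that would warrant attention: low CPU idle, high memory use, or a one-minute session setup rate far above the 30-minute average. The sample text is a constructed copy of the output shown above, the threshold defaults are illustrative rather than Fortinet guidance, and the function names `parse_performance_status` and `check_thresholds` are this example's own.

```python
import re

# Constructed sample, modelled on the `get sys performance status` output above
# (not captured from a production device).
SAMPLE_PERF = """\
CPU states: 0% user 1% system 0% nice 99% idle
CPU0 states: 0% user 1% system 0% nice 99% idle
Memory states: 21% used
Average network usage: 2304 kbps in 1 minute, 8573 kbps in 10 minutes, 7404 kbps in 30 minutes
Average sessions: 3224 sessions in 1 minute, 3013 sessions in 10 minutes, 3049 sessions in 30 minutes
Average session setup rate: 19 sessions per second in last 1 minute, 23 sessions per second in last 10 minutes, 22 sessions per second in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 135 days,  8 hours,  22 minutes
"""


def parse_performance_status(text):
    """Turn the CLI output into a flat dict of integer metrics."""
    m = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key.startswith("CPU") and key.endswith("states"):
            # "CPU" is the aggregate line, "CPU0", "CPU1", ... are per-core lines
            cpu = key.split()[0].lower()
            for pct, name in re.findall(r"(\d+)% (\w+)", val):
                m[f"{cpu}_{name}_pct"] = int(pct)
        elif key == "Memory states":
            m["mem_used_pct"] = int(re.search(r"(\d+)% used", val).group(1))
        elif key == "Average network usage":
            m["net_kbps_1m"], m["net_kbps_10m"], m["net_kbps_30m"] = (
                int(x) for x in re.findall(r"(\d+) kbps", val))
        elif key == "Average sessions":
            m["sessions_1m"], m["sessions_10m"], m["sessions_30m"] = (
                int(x) for x in re.findall(r"(\d+) sessions", val))
        elif key == "Average session setup rate":
            m["setup_rate_1m"], m["setup_rate_10m"], m["setup_rate_30m"] = (
                int(x) for x in re.findall(r"(\d+) sessions per second", val))
        elif key == "Virus caught":
            m["virus_1m"] = int(val.split()[0])
        elif key == "IPS attacks blocked":
            m["ips_blocked_1m"] = int(val.split()[0])
        elif key == "Uptime":
            days, hours, minutes = (int(x) for x in re.findall(r"\d+", val))
            m["uptime_min"] = days * 1440 + hours * 60 + minutes
    return m


def check_thresholds(metrics, cpu_idle_min=20, mem_used_max=80, setup_spike=3.0):
    """Return a list of alarm strings. Threshold values are illustrative defaults."""
    alarms = []
    idle = metrics.get("cpu_idle_pct", 100)
    if idle < cpu_idle_min:
        alarms.append(f"CPU idle {idle}% is below {cpu_idle_min}%")
    mem = metrics.get("mem_used_pct", 0)
    if mem > mem_used_max:
        alarms.append(f"memory used {mem}% is above {mem_used_max}%")
    # A 1-minute setup rate far above the 30-minute average points to a burst of
    # new connections (scan, flood, or a misbehaving client) worth investigating.
    r1, r30 = metrics.get("setup_rate_1m", 0), metrics.get("setup_rate_30m", 0)
    if r30 and r1 > setup_spike * r30:
        alarms.append(f"session setup rate {r1}/s is >{setup_spike}x the 30-minute average {r30}/s")
    return alarms


if __name__ == "__main__":
    parsed = parse_performance_status(SAMPLE_PERF)
    print(parsed)
    print(check_thresholds(parsed) or "no alarms")
```

In practice the text would come from a scheduled SSH session; the parser ignores lines it does not recognise, so extra lines from other firmware versions do not break it.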

 

  • Viewing interfaces
  1. View the status of a single interface: #diagnose hardware deviceinfo nic <interface name>

YC-JRFW-F30-03-I # diagnose hardware deviceinfo nic port1
Driver Name: NP2
Version: 0.92
Chip Revision: 2
BoardSN: N/A
Module Name: 310B
DDR Size: 256 MB
Bootstrap ID: 11
PCIX-64bit-@133MHz bus: 03:01.0
Admin: up, num=3, duration=1169463448
Current_HWaddr: 08:5b:0e:bb:c1:79
Permanent_HWaddr: 08:5b:0e:bb:c1:79
Link: up, 5
Speed: 1000Mbps
Duplex: Full
Rx Pkts: 2220629348
Tx Pkts: 923921960
Rx Bytes: 1933305856
Tx Bytes: 3349576413
MAC1 Rx Errors: 0
MAC1 Rx Dropped: 0
MAC1 Tx Dropped: 0
MAC1 FIFO Overflow: 0
MAC1 IP Error: 0

TAE Entry Used: 0
TSE Entry Used: 0
Host Dropped: 0
Shaper Dropped: 1454
EEI0 Dropped: 0
EEI1 Dropped: 0
EEI2 Dropped: 0
EEI3 Dropped: 0
IPSEC QFIFO Dropped: 0
IPSEC DFIFO Dropped: 0
PBA: 123/1019/251
Forwarding Entry Used: 0
Offload IPSEC Antireplay ENC Status: Disable
Offload IPSEC Antireplay DEC Status: Enable
Offload Host IPSEC Traffic: Disable
ses mask: 40027dcb

  2. View the status of an aggregate interface: #diagnose netlink aggregate name <aggregate interface name>

  3. Turn off line-rate (NP2 fast-path) forwarding on a port, so that offloaded traffic becomes visible to the sniffer: #diagnose npu np2 fastpath-sniffer enable <port number>

Note: this setting only exists on the active unit (it is a diagnose command, not part of the configuration); after a failover the former standby unit will not have it.

 

  • Viewing HA status
  1. Log in to the standby unit: first log in to the primary as admin, then run #exec ha manage 0 (or 1)
  2. Check whether the primary and standby configurations are in sync: #diag sys ha showcsum

Compare the output on the primary and the standby; if the checksums match, the configuration has been synchronized.

  3. View HA status: # get sys ha status
  • Viewing sessions
  1. View sessions: # diagnose sys session stat, or diagnose sys session full-stat

YC-JRFW-F30-03-I # diagnose sys session stat
misc info: session_count=2786 setup_rate=38 exp_count=0 clash=1
        memory_tension_drop=0 ephemeral=0/114688 removeable=0
delete=0, flush=0, dev_down=0/0
TCP sessions:
         562 in ESTABLISHED state
         20 in SYN_SENT state
         4 in SYN_RECV state
         69 in FIN_WAIT state
         6 in TIME_WAIT state
         19 in CLOSE state
         77 in CLOSE_WAIT state
firewall error stat:
error1=00000000
error2=00000000
error3=00000000
error4=00000000
tt=00000000
cont=00000000
ids_recv=00000000
url_recv=00000000
av_recv=00000000
fqdn_count=00000001
tcp reset stat:
        syncqf=60279 acceptqf=0 no-listener=8108 data=0 ses=300 ips=0
global: ses_limit=0 ses6_limit=0 rt_limit=0 rt6_limit=0

session_count is the total number of sessions; setup_rate is the number of new sessions per second.
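To show how these counters can be consumed by a monitoring script, here is an added Python example (not part of the original post and not Fortinet code) that parses the `diagnose sys session stat` output into its key=value counters and the per-state TCP session table, then derives a few indicators a defender watches: the share of half-open (SYN_RECV) sessions, the number of TCP resets sent because no listener existed, and ephemeral-port usage. The sample text is a constructed copy of the output above; the function names are this example's own.

```python
import re

# Constructed sample, modelled on the `diagnose sys session stat` output above.
SAMPLE_SESSION_STAT = """\
misc info: session_count=2786 setup_rate=38 exp_count=0 clash=1
        memory_tension_drop=0 ephemeral=0/114688 removeable=0
delete=0, flush=0, dev_down=0/0
TCP sessions:
         562 in ESTABLISHED state
         20 in SYN_SENT state
         4 in SYN_RECV state
         69 in FIN_WAIT state
         6 in TIME_WAIT state
         19 in CLOSE state
         77 in CLOSE_WAIT state
firewall error stat:
error1=00000000
error2=00000000
error3=00000000
error4=00000000
tt=00000000
cont=00000000
ids_recv=00000000
url_recv=00000000
av_recv=00000000
fqdn_count=00000001
tcp reset stat:
        syncqf=60279 acceptqf=0 no-listener=8108 data=0 ses=300 ips=0
global: ses_limit=0 ses6_limit=0 rt_limit=0 rt6_limit=0
"""

# key=value pairs; values may be plain counters or "used/total" pairs
KV_RE = re.compile(r"([A-Za-z0-9_-]+)=([0-9/]+)")
# lines of the "TCP sessions:" table, e.g. "562 in ESTABLISHED state"
TCP_STATE_RE = re.compile(r"^\s*(\d+) in ([A-Z_]+) state")


def parse_session_stat(text):
    """Return {'counters': {key: int | (used, total)}, 'tcp_states': {state: int}}."""
    result = {"counters": {}, "tcp_states": {}}
    for line in text.splitlines():
        if not line.strip() or line.rstrip().endswith(":"):
            continue  # blank line or a section header such as "TCP sessions:"
        m = TCP_STATE_RE.match(line)
        if m:
            result["tcp_states"][m.group(2)] = int(m.group(1))
            continue
        for key, val in KV_RE.findall(line):
            if "/" in val:  # e.g. ephemeral=0/114688 or dev_down=0/0
                used, total = val.split("/")
                result["counters"][key] = (int(used), int(total))
            else:
                result["counters"][key] = int(val)  # zero-padded hex-looking values are decimal here
    return result


def session_summary(parsed):
    """Derive indicators from the parsed counters."""
    c, t = parsed["counters"], parsed["tcp_states"]
    tcp_total = sum(t.values())
    # Half-open (SYN_RECV) sessions as a share of all TCP sessions: a sudden rise is
    # one sign that a SYN flood or an aggressive scan is reaching the session table.
    half_open = round(t.get("SYN_RECV", 0) / tcp_total, 3) if tcp_total else 0.0
    return {
        "session_count": c["session_count"],
        "setup_rate": c["setup_rate"],
        "tcp_total": tcp_total,
        "half_open_ratio": half_open,
        # resets sent for packets that matched no listener: probing of closed ports shows up here
        "resets_no_listener": c.get("no-listener", 0),
        "ephemeral_used": c["ephemeral"][0],
        "ephemeral_max": c["ephemeral"][1],
    }


if __name__ == "__main__":
    print(session_summary(parse_session_stat(SAMPLE_SESSION_STAT)))
```

Sampling this output periodically and keeping the summary as a time series makes a change in `half_open_ratio` or `resets_no_listener` visible, which a single snapshot cannot show.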

  • Viewing the system ARP table

  1. View the ARP table: # get sys arp

YC-JRFW-F30-03-I # get system arp
Address           Age(min)   Hardware Addr      Interface
172.16.0.1        0          08:5b:0e:f1:60:3c port1
172.16.0.2        0          00:90:0b:3d:73:7c port1
172.16.0.18       1          20:47:47:8c:a5:cc V400
172.16.0.21       0          00:0c:29:44:4b:97 V400
172.16.0.23       0          00:0c:29:d1:c1:00 V400
172.16.0.26       0          20:47:47:8c:a5:20 V400
172.16.0.34       0          70:4c:a5:11:3b:78 MZNJZH
172.16.0.38       0          70:4c:a5:67:3d:52 XQFZH

  2. View detailed ARP information: # diagnose ip arp list

YC-JRFW-F30-03-I # diagnose ip arp list
index=10 ifname=port1 172.16.0.1 08:5b:0e:f1:60:3c state=00000002 use=1 confirm=1770 update=1121 ref=1419
index=10 ifname=port1 172.16.0.2 00:90:0b:3d:73:7c state=00000008 use=590 confirm=3017 update=151 ref=5
index=25 ifname=V310 255.255.255.255 ff:ff:ff:ff:ff:ff state=00000040 use=148831 confirm=154831 update=148831 ref=1
index=28 ifname=V313 255.255.255.255 ff:ff:ff:ff:ff:ff state=00000040 use=357300 confirm=363300 update=357300 ref=1
index=31 ifname=V101 255.255.255.255 ff:ff:ff:ff:ff:ff state=00000040 use=86844 confirm=92844 update=86844 ref=1
index=36 ifname=V106 255.255.255.255 ff:ff:ff:ff:ff:ff state=00000040 use=4748 confirm=10748 update=4748 ref=1
index=41 ifname=To-MP-WBK 0.0.0.0  state=00000040 use=32246 confirm=38246 update=32246 ref=1
index=43 ifname=To-ZH-VPN 0.0.0.0  state=00000040 use=334121 confirm=340121 update=334121 ref=5
index=29 ifname=V400 172.16.0.18 20:47:47:8c:a5:cc state=00000004 use=3622 confirm=3622 update=1385 ref=1
index=48 ifname=支行 0.0.0.0  state=00000040 use=87126307 confirm=87132307 update=87126307 ref=1
index=29 ifname=V400 172.16.0.21 00:0c:29:44:4b:97 state=00000004 use=7036 confirm=7036 update=764 ref=3
index=29 ifname=V400 172.16.0.23 00:0c:29:d1:c1:00 state=00000002 use=557 confirm=480 update=480 ref=70
index=29 ifname=V400 172.16.0.26 20:47:47:8c:a5:20 state=00000008 use=13 confirm=2540 update=303 ref=5

  3. Clear the system ARP table: # exec clear system arp table
  • Viewing current system processes
  1. View system processes: #diagnose sys top 5 99

  2. Kill a process: #diagnose sys kill 11 <process ID>, or # dia sys kill 9 <process ID>

Note: kill 11 produces a log entry; kill 9 does not.

  • IPsec-related debugging
  1. Check whether the IPsec chip is working normally: #diagnose vpn ipsec status

Normal state: both CP5 and CPU are listed.

Abnormal state: only CP5 is listed.

  2. View IPsec tunnel status: # diagnose vpn tunnel list

  3. Reset a specific IPsec tunnel: # diagnose vpn tunnel flush <phase 1 name>

  4. Bring up a specific IPsec tunnel: # diagnose vpn tunnel up <phase 2 name>

  5. Watch the tunnel negotiation:

# diagnose debug enable

# diagnose debug application ike 255

  6. Turn off IKE negotiation debugging:

# diagnose debug application ike 0

The debug enable setting is not persistent: it is turned off automatically when the administrator next logs in.
