FortiGate防火墻常用配置命令

1、fortigate 常用配置命令一、命令結構config configure object. 對策略，對象等進行配置get get dynamic and system information. 查看相關關對象的參數信息show show configuration. 查看配置文件diagnose diagnose facility. 診斷命令execute execute static commands. 常用的工具命令，如pingexit exit the cli. 退出二、常用命令 1 、配置接口地址:fortigate # config system interface fortiga

2、te (interface) # edit lanfortigate (lan) # set ip 192.168.100.99/24fortigate (lan) # end2、配置靜態(tài)路由fortigate (static) # edit 1 fortigate (1) # set device wan1fortigate (1) # set dst 10.0.0.0 255.0.0.0fortigate (1) # set gateway 192.168.57.1fortigate (1) # end3、配置默認路由 fortigate (1) # set gateway 192.168

3、.57.1fortigate (1) # set device wan1fortigate (1) # end 4、添加地址fortigate # config firewall address fortigate (address) # edit clientnetnew entry clientnet addedfortigate (clientnet) # set subnet 192.168.1.0 255.255.255.0fortigate (clientnet) # end 5 、添加 ip 池fortigate (ippool) # edit nat-poolnew entry

4、 nat-pool addedfortigate (nat-pool) # set startip 100.100.100.1fortigate (nat-pool) # set endip 100.100.100.100fortigate (nat-pool) # end6、添加虛擬ipfortigate # config firewall vipfortigate (vip) # edit webservernew entry webserver addedfortigate (webserver) # set extip 202.0.0.167fortigate (webserver)

5、# set extintf wan1fortigate (webserver) # set mappedip 192.168.0.168fortigate (webserver) # end7、配置上網策略fortigate # config firewall policy fortigate (policy) # edit 1 fortigate (1)#set srcintf internal /源接口 fortigate (1)#set dstintf wan1 / 目的接口fortigate (1)#set srcaddr all / 源地址fortigate (1)#set dsta

6、ddr all / 目的地址fortigate (1)#set action accept / 動作fortigate (1)#set schedule always / 時間fortigate (1)#set service all / 服務fortigate (1)#set logtraffic disable / 日志開關fortigate (1)#set nat enable / 開啟 nat end8、配置映射策略 fortigate # config firewall policy fortigate (policy) #edit 2fortigate (2)#set srcint

7、f wan1 / 源接口fortigate (2)#set dstintf internal /目的接口fortigate (2)#set srcaddr all / 源地址fortigate (2)#set dstaddr fortigate1 / 目的地址，虛擬ip 映射，事先添加好的fortigate (2)#set action accept / 動作fortigate (2)#set schedule always /時間fortigate (2)#set service all / 服務fortigate (2)#set logtraffic all / 日志開關end9、把 in

8、ternal交換接口修改為路由口確保關于 internal口的路由、 dhcp 、防火墻策略都刪除fortigate # config system globalfortigate (global) # set internal-switch-mode interfacefortigate (global) #end重啟- 1 、查看主機名，管理端口fortigate # show system global2、查看系統(tǒng)狀態(tài)信息，當前資源信息fortigate # get system performance status 3 、查看應用流量統(tǒng)計fortigate # get system p

9、erformance firewall statistics 4、查看 arp 表 fortigate # get system arp5、查看 arp 豐富信息fortigate # diagnose ip arp list 6、清楚 arp 緩存 fortigate # execute clear system arp table7、 查看當前會話表fortigate # diagnose sys session stat 或 fortigate # diagnose sys session full-stat；8、 查看會話列表 fortigate # diagnose sys sess

10、ion list9、查看物理接口狀態(tài)fortigate # get system interface physical 10 、查看默認路由配置fortigate # show router static11、查看路由表中的靜態(tài)路由fortigate # get router info routing-table static12、查看 ospf 相關配置 fortigate # show router ospf 13 、查看全局路由表 fortigate # get router info routing-table all-1、查看 ha 狀態(tài)fortigate # get system

11、ha status2、查看主備機是否同步fortigate # diagnose sys ha showcsum-3. 診斷命令：fortigate # diagnose debug application ike -1- execute 命令：fortigate #execute ping 8.8.8.8 / 常規(guī) ping操作fortigate #execute ping-options source 192.168.1.200 / 指定 ping數據包的源地址192.168.1.200fortigate #execute ping 8.8.8.8 / 繼續(xù)輸入ping的目標地址，即可通過192.168.1.200的源地址執(zhí)行ping操作fortigate #execute traceroute 8.8.8.8 fortigate #execute