yurisk.info

Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise

Category: Firewall (page 3 of 4)

fw monitor command reference

This is a quick reference sheet of all usable options for the fw monitor tool. At the end I put a list of fw monitor examples. Previous experience with the tool is assumed; I'll just say that if you are serious about debugging Checkpoint products, learn it and learn it well.
By default the fw monitor sniffing driver is inserted at 4 locations in the Firewall kernel chain. Here they are:

 i (PREIN) – inbound direction, before the firewall Virtual Machine (VM is CP terminology for the inspection engine). The most important fact about this capture point is that it shows packets BEFORE any security rule in the policy is applied. That is, no matter what the rules say, a packet should at least be seen here; this proves that packets actually reach the firewall at all.
 I (POSTIN) – inbound direction, after the firewall VM.
 o (PREOUT) – outbound direction, before the firewall VM.
 O (POSTOUT) – outbound direction, after the firewall VM.

Reading the four points together is where the debugging value is: a packet seen at i but never at I was dropped by inbound inspection (policy, anti-spoofing and the like), one seen at I but never at o did not make it through routing, and one seen at o but never at O was dropped by outbound inspection. One caveat: on gateways with SecureXL enabled, accelerated packets can bypass the kernel chain and never appear in fw monitor at all, so before concluding from an empty i capture that a packet never arrived, check acceleration (fwaccel stat).

You can change the point of insertion within the fw chain with:

# fw monitor -p<i|I|o|O> <where to insert>

The easiest way to specify where to insert is to first look at the chain:
# fw ctl chain
and then give the position relative to any module you see there as <+|->module_name (the last two examples at the end of this post do exactly that).

Now the usage itself:

# fw monitor
Usage: fw monitor [-u|s] [-i] [-d] [-T] <{-e expression}+|-f <filter-file|->> [-l len] [-m mask] [-x offset[,len]] [-o <file>] <[-pi pos] [-pI pos] [-po pos] [-pO pos] | -p all [-a ]> [-ci count] [-co count]

Round up of options:

-m mask          which capture points are displayed, any combination of i,I,o,O (default: all four)
-d / -D          debug output from fw monitor itself, not very useful IMO
-u | -s          also print the connection (-u) or session (-s) Universal ID
-i               flush stdout after writing each packet
-T               add a timestamp to each packet
-e expr          expression to filter the packets (in detail later)
-f filter_file   the same as above but read the expression from a file (- for stdin)
-l <len>         packet length to capture
-x offset[,len]  also dump the packet contents starting at offset, len bytes long
-o <file>        write the capture to a file (readable with Wireshark) instead of the screen
-ci / -co count  stop after count inbound / outbound packets
-p<i|I|o|O> pos  insert the capture at position pos in the chain (see above); -p all inserts at every position

Expressions
At the lowest level fw monitor understands byte offsets from the start of the packet, i.e. from the start of the IP header. So to match on the source IP address, which sits at byte offset 12 of the IPv4 header, you can just use:

# fw monitor -e 'accept [12,b]=8.8.8.8;'

Where:
12 – offset in bytes from the beginning of the packet
b – mandatory, means big endian (network) byte order
4 – not seen here, but the size in bytes of the field to compare starting at the offset (default is 4, which is exactly one IPv4 address)

To look for source port 53 (UDP/TCP) in the raw packet:

# fw monitor -m i -e 'accept [20:2,b]=53;'
Here I tell fw monitor to look at 2 bytes at offset 20. Note the assumption built into this: offset 20 is the first byte of the transport header only when the IPv4 header is exactly 20 bytes long (IHL=5, no IP options). A packet carrying IP options would not match, and under the same assumption the destination port is at offset 22.
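To see what the raw-offset syntax actually tests, here is a small evaluator for the `[offset:len,b]=value` form, written as an added example for this page; it is not Check Point code and only models the offset arithmetic. The IPv4/UDP packets it checks are constructed inline, and the expression grammar it parses is an assumed subset of what fw monitor accepts. It demonstrates the caveat above: `[20:2,b]=53` stops matching as soon as the IPv4 header carries options.

```python
import re
import struct

# Assumed grammar, a subset of what fw monitor accepts:
#   [OFFSET]          4 bytes at OFFSET (the default width), big-endian
#   [OFFSET:LEN,b]    LEN bytes at OFFSET, big-endian
_TEST_RE = re.compile(r"^\[(\d+)(?::(\d+))?(?:,b)?\]\s*=\s*(\S+)$")


def _parse_value(text: str, length: int) -> int:
    """Accept a dotted IPv4 literal (as fw monitor does) or a plain integer."""
    if "." in text:
        octets = [int(o) for o in text.split(".")]
        if len(octets) != 4 or length != 4:
            raise ValueError("a dotted address needs a 4-byte field")
        return int.from_bytes(bytes(octets), "big")
    return int(text, 0)


def match(packet: bytes, expression: str) -> bool:
    """True if the big-endian integer at [offset:len] of packet equals value."""
    m = _TEST_RE.match(expression.strip())
    if not m:
        raise ValueError(f"unsupported expression: {expression!r}")
    offset, length = int(m.group(1)), int(m.group(2) or 4)
    if offset + length > len(packet):
        return False                        # field would lie beyond the packet
    field = int.from_bytes(packet[offset:offset + length], "big")
    return field == _parse_value(m.group(3), length)


def build_ipv4_udp(src, dst, sport, dport, payload=b"", options=b""):
    """Constructed sample packet: IPv4 header (optionally with options) + UDP.
    Checksums are left at zero; they do not matter for offset matching."""
    if len(options) % 4:
        raise ValueError("IP options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(options) // 4
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl, 0, ihl * 4 + udp_len, 0x1234, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split("."))) + options
    return ip + struct.pack("!HHHH", sport, dport, udp_len, 0) + payload


def transport_offset(packet: bytes) -> int:
    """Where the transport header really starts: IHL * 4, not a fixed 20."""
    return (packet[0] & 0x0F) * 4


if __name__ == "__main__":
    plain = build_ipv4_udp("10.1.1.1", "8.8.8.8", 53, 40000)
    # NOP,NOP,NOP,EOL: one 4-byte option block, which pushes UDP to offset 24
    with_opts = build_ipv4_udp("10.1.1.1", "8.8.8.8", 53, 40000,
                               options=b"\x01\x01\x01\x00")
    print(match(plain, "[12,b]=10.1.1.1"))     # True: source IP sits at offset 12
    print(match(plain, "[20:2,b]=53"))         # True: 20-byte header, sport at 20
    print(match(with_opts, "[20:2,b]=53"))     # False: offset 20 is now the options
    print(transport_offset(with_opts))         # 24
```

The robust way to express "source port 53" is therefore the predefined `sport=53` synonym from the definition files, which resolves the transport offset from the IHL; the raw form is for fields the definitions do not name.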

While this way of looking at packets is the most general and therefore covers all cases, you rarely need such a granular looking glass. In 99% of cases you will do fine with a limited, known set of expressions. Just for that, Checkpoint defined and kindly provided in every SecurePlatform (SPLAT) installation definition files (under $FWDIR/lib/fwmonitor/) that give meaningful synonyms to the most used patterns. There are a few definition files and they reference each other, providing multiple synonyms for the same pattern.
I put all those predefined patterns in the list below for easy reference.

Summary table of possible expressions to be fed to fw monitor

Specifying hosts
  host(IP_address)                   to or from this host
  src=IP_address                     source IP = IP_address
  dst=IP_address                     destination IP = IP_address
  net(network_address,netmask)       to or from this network
  to_net(network_address,netmask)    to this network
  from_net(network_address,netmask)  from this network

Specifying ports
  port(port_number)       source or destination port = port_number
  sport=port_number       source port = port_number
  dport=port_number       destination port = port_number
  tcpport(port_number)    source or destination port = port_number, TCP only
  udpport(port_number)    source or destination port = port_number, UDP only

Specifying protocols
  ip_p=<protocol_number>  any known protocol by its IANA-registered number; for the full list see www.iana.org/assignments/protocol-numbers
  icmp                    ICMP
  tcp                     TCP
  udp                     UDP

Protocol specific options

IP
  ip_tos=<value>                TOS field of the IP header
  ip_len=<length_in_bytes>      total length of the IP packet in bytes
  ip_src / ip_dst=<IP_address>  source or destination IP address of the packet
  ip_p=<protocol_number>        see above

ICMP
  echo_reply            ICMP echo replies
  echo_req              ICMP echo requests
  ping                  echo requests and echo replies
  icmp_error            ICMP error messages (Redirect, Unreachable, Time exceeded, Source quench, Parameter problem)
  traceroute            traceroute as implemented in Unix (UDP packets to high ports)
  tracert               traceroute as implemented in Windows (ICMP packets, TTL < 30)
  icmp_type=<type>      packets of a certain ICMP type (a number as per the RFC, or one of the names below)
  icmp_code=<code>      packets of a certain ICMP code (a number as per the RFC, or one of the names below)
  ICMP types and, where applicable, their codes:
    ICMP_ECHOREPLY
    ICMP_UNREACH
        ICMP_UNREACH_NET
        ICMP_UNREACH_HOST
        ICMP_UNREACH_PROTOCOL
        ICMP_UNREACH_PORT
        ICMP_UNREACH_NEEDFRAG
        ICMP_UNREACH_SRCFAIL
    ICMP_SOURCEQUENCH
    ICMP_REDIRECT
        ICMP_REDIRECT_NET
        ICMP_REDIRECT_HOST
        ICMP_REDIRECT_TOSNET
        ICMP_REDIRECT_TOSHOST
    ICMP_ECHO
    ICMP_ROUTERADVERT
    ICMP_ROUTERSOLICIT
    ICMP_TIMXCEED
        ICMP_TIMXCEED_INTRANS
        ICMP_TIMXCEED_REASS
    ICMP_PARAMPROB
    ICMP_TSTAMP
    ICMP_TSTAMPREPLY
    ICMP_IREQ
    ICMP_IREQREPLY
    ICMP_MASKREQ
    ICMP_MASKREPLY
  icmp_ip_len=<length>  length of the ICMP packet
  icmp_ip_ttl=<TTL>     TTL of the ICMP packet; use together with icmp, otherwise it will catch ANY packet with the given TTL
  (there is a bunch of other ICMP-related fields like ID and sequence number; I don't see any value in listing them here)

TCP
  syn               SYN flag set
  fin               FIN flag set
  rst               RST flag set
  ack               ACK flag set
  first             first packet of a connection (SYN set, ACK not set)
  not_first         not the first packet (SYN not set)
  established       established connection (ACK set, SYN not set)
  last              last packet in the stream (ACK and FIN set)
  tcpdone           RST or FIN set
  th_flags=<flag>   the general way to match flags in the TCP header, for example:
  th_flags=TH_PUSH  PUSH flag set
  th_flags=TH_URG   URG flag set

UDP
  uh_ulen=<length_in_bytes>   the UDP length field, i.e. UDP header plus payload (the IP header is not counted)

 

And the last thing to remember before we move to examples: expressions support logical operators, and numeric fields support comparison operators:

and – logical AND
or – logical OR
not – logical NOT
= EQUAL to
> MORE than
< LESS than
>= MORE than or EQUAL to
<= LESS than or EQUAL to
You can combine logical expressions and control the order of evaluation with ().

Below is a laundry list of examples to showcase the reference table above.

# fw monitor -m i -e 'accept host(208.44.108.136);'  packets to or from host 208.44.108.136, shown at the inbound pre-inspection point only
# fw monitor -e 'accept src=216.12.145.20;'  packets where source IP = 216.12.145.20
# fw monitor -e 'accept src=216.12.145.20 or dst=216.12.145.20;'  packets where source or destination IP = 216.12.145.20
# fw monitor -e 'accept port(25);'  packets where source or destination port = 25
# fw monitor -e 'accept dport=80;'  packets where destination port = 80
# fw monitor -e 'accept sport>22 and dport>22;'  packets with both source and destination port greater than 22
# fw monitor -e 'accept ip_len=1477;'  packets whose total length is exactly 1477 bytes
# fw monitor -e 'accept icmp_type=ICMP_UNREACH;'  ICMP packets of type Unreachable
# fw monitor -e 'accept from_net(216.163.137.68,24);'  packets with source IP in the network 216.163.137.0/24
# fw monitor -e 'accept from_net(216.163.137.68,24) and port(25) and dst=8.8.8.8;'  packets from network 216.163.137.0/24 destined to host 8.8.8.8 with source or destination port = 25
# fw monitor -m i -x 40,450 -e 'accept port(80);'  inbound packets before any rules are applied, also dumping the packet contents starting at byte 40, 450 bytes long

# fw monitor -m i -pi -ipopt_strip -e 'accept host(66.240.206.90);'  inbound packets from/to host 66.240.206.90, with the sniffer inserted before the module named ipopt_strip
# fw monitor -D -m i -pi -ipopt_strip -e 'accept host(66.240.206.90);'  same as above but with debug info

Resources:
PDF version of fw monitor command reference

SSH login alert by mail on Linux or Unix based systems

As you may have noticed, many security-related software products and appliances are based on Linux or Unix in one variety or another, and as a logical consequence remote management of such devices is done over SSH with the OpenSSH package. What these Linux/Unix-based products lack is real-time alerting on successful SSH logins to the system; e.g. eSafe can alert only on logins to the software itself (i.e. econsole), and the same goes for the Checkpoint firewall. Yet an SSH login to the system ultimately means superuser/root access that gives control over the whole box. To fix this I wrote the following script, which sends mail to a predefined address each time someone successfully logs in to the machine over SSH.
I take advantage here of a built-in feature of the OpenSSH daemon: if you create a text file containing commands (as if you typed them on the command line) and name it either /etc/ssh/sshrc or <user home dir>/.ssh/rc, the commands in that file are run by sshd each time a user logs in. The file has to be readable by the user logging in. It is executed with that user's privileges, and before the shell or command starts, so keep it fast or background it, otherwise every login waits on the mail server; it also runs for non-interactive sessions (ssh host command, scp), which is what you want for alerting.
Note 1:
/etc/ssh/sshrc applies globally to any user logging in, unless:
Note 2:
<user home dir>/.ssh/rc exists, in which case it is run instead of /etc/ssh/sshrc. The caveat here: it is enough for a user to put an empty file named rc in his ~/.ssh directory to disable /etc/ssh/sshrc, including the mail alerts sent from it. This is not that big an issue, as you can create the rc file in the user's home directory yourself as root with 644 permissions; the user will see what happens at login but cannot edit the file. Bear in mind, though, that deleting or renaming a file needs write permission on the directory, not on the file, so a root-owned rc inside a user-owned ~/.ssh can simply be removed by the user. To really pin it, ~/.ssh itself has to be root-owned and not writable by the user, at the price of the user no longer being able to manage his own authorized_keys.
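As an added check for the override caveat above (example code, not part of the original post): given the stat() data of a user's ~/.ssh and ~/.ssh/rc, decide whether that user can silence the global sshrc by editing, creating, deleting or replacing rc. The uids, modes and home layouts in the demo are constructed, and only the owner and world permission bits are evaluated; group membership is deliberately not modelled.

```python
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass
class RcVerdict:
    user: str
    rc_present: bool
    user_controls: bool   # the user can edit, create, delete or replace rc
    note: str


def _writable_by(uid: int, owner: int, mode: int) -> bool:
    # Owner and world bits only; group membership is deliberately not modelled.
    return (owner == uid and bool(mode & stat.S_IWUSR)) or bool(mode & stat.S_IWOTH)


def judge(user: str, uid: int, dir_owner: int, dir_mode: int,
          rc_owner: Optional[int] = None, rc_mode: Optional[int] = None) -> RcVerdict:
    """Decide from stat() data. dir_* describe the directory holding rc
    (~/.ssh, or $HOME when ~/.ssh does not exist yet), because deleting or
    renaming rc needs write access there, not to the file itself."""
    dir_w = _writable_by(uid, dir_owner, dir_mode)
    if rc_owner is None:
        note = ("no rc: global sshrc runs now, but the user can create ~/.ssh/rc"
                if dir_w else "no rc and directory not user-writable: global sshrc runs")
        return RcVerdict(user, False, dir_w, note)
    file_w = _writable_by(uid, rc_owner, rc_mode)
    if file_w:
        note = "rc is user-writable: the user decides what runs at login"
    elif dir_w:
        note = "rc is read-only but ~/.ssh is user-writable: the user can rm/rename it"
    else:
        note = "rc is pinned: neither editable nor replaceable by the user"
    return RcVerdict(user, True, file_w or dir_w, note)


def audit_home(user: str, uid: int, home: str) -> RcVerdict:
    """Collect the stat() data for one account and hand it to judge()."""
    ssh_dir = os.path.join(home, ".ssh")
    try:
        d = os.stat(ssh_dir)
    except FileNotFoundError:
        h = os.stat(home)
        return judge(user, uid, h.st_uid, h.st_mode)
    try:
        f = os.stat(os.path.join(ssh_dir, "rc"))
    except FileNotFoundError:
        return judge(user, uid, d.st_uid, d.st_mode)
    return judge(user, uid, d.st_uid, d.st_mode, f.st_uid, f.st_mode)


def demo_walk() -> RcVerdict:
    """audit_home() on a throwaway home built here, owned by the caller."""
    with tempfile.TemporaryDirectory() as home:
        os.mkdir(os.path.join(home, ".ssh"), 0o700)
        open(os.path.join(home, ".ssh", "rc"), "w").close()
        return audit_home("demo", os.getuid(), home)


if __name__ == "__main__":
    ROOT, ALICE = 0, 1000     # constructed uids for three layouts of alice's home
    print(judge("alice", ALICE, ALICE, 0o700, ALICE, 0o600).note)   # her own rc
    print(judge("alice", ALICE, ALICE, 0o700, ROOT, 0o644).note)    # the 644 fix from above
    print(judge("alice", ALICE, ROOT, 0o755, ROOT, 0o644).note)     # really pinned
    print(demo_walk())
```

For a real audit, feed audit_home() every entry from pwd.getpwall() with a login shell; the second constructed scenario is the one to look for, since it is the root-owned 644 rc that looks safe but is one rm away from silence.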

So, to the script itself.
Here:
yurisk@yurisk.info – the address to which I get the mail alert
mail.yurisk.info – the mail server that accepts mail for the yurisk.info domain (its MX record)
SENDING_HOST – hostname of the sending host, included in the subject so that I can later create an inbox rule to pay appropriate attention to such mails
USER_ID – output of the id command, so that I can also filter incoming messages on the user who logged in

freeBSD# cat /etc/ssh/mail_alert.awk
BEGIN {
# Set up some info to be included in the mail
# As you see I prefer to use absolute pathnames, but you don't have to
# Find the hostname to which the SSH login happened, to be included in the Subject
"/bin/hostname" | getline SENDING_HOST
# Find the ID of the logged-in user (first field of id output, e.g. uid=0(root))
"/usr/bin/id" | getline
USER_ID = $1
# gawk's /inet/tcp/0/host/port special file opens a TCP connection to the MX
SMTP = "/inet/tcp/0/mail.yurisk.info/25"
# SMTP lines end in CRLF
RS = ORS = "\r\n"
# Read the 220 greeting before talking, otherwise commands go out too early
SMTP                       |& getline
print "helo yurisk.info"     |& SMTP
SMTP                       |& getline
print "mail from: <yurisk@yurisk.info>" |& SMTP
SMTP                       |& getline
print "rcpt to: <yurisk@yurisk.info>"  |& SMTP
SMTP                       |& getline
print "data"             |& SMTP
SMTP                       |& getline
print "Subject: SSH login alert - user " USER_ID " logged in " SENDING_HOST  |& SMTP
# Empty line separates the headers from the body
print                       |& SMTP
# With RS set to CRLF this reads the whole output of w as one record
"/usr/bin/w" | getline
print $0                  |& SMTP
print " He is most free from danger, who, even when safe, is on his guard "               |& SMTP
print "  "               |& SMTP
# A lone dot ends the message; read the server's 250 before quitting
print "."                 |& SMTP
SMTP                       |& getline
print "quit"              |& SMTP
close(SMTP)
}
Now the file that is checked on each login for commands (I put both files in /etc/ssh/):
freeBSD# cat /etc/ssh/sshrc
awk -f /etc/ssh/mail_alert.awk > /dev/null
Note for FreeBSD (I guess any *BSD) users: in the sshrc file above you will have to replace awk with gawk, as on *BSD systems awk is the old-style Unix awk, which has neither the coprocess operator (|&) nor the /inet/ special files needed to connect to the mail server.

PS. You might be asking: why awk here? True, Linux/Unix have a perfect tool for sending mail called mail, but I did it with awk for a reason: not on every system (especially a hardened one) will you find mail/telnet/etc. utilities with which sending mail is simpler and more reliable. The biggest example is the Checkpoint firewall: it has NO mail or telnet client, nor any scripting language beyond awk and bash.

The downside of awk is that it is not great for more or less complex protocols. The script may get stuck, send commands too fast, etc., and therefore be disconnected by the server.

Also, if the mail server uses greylisting this script won't understand it (the server answers the rcpt to with a temporary 4xx failure and expects a retry later; the script just carries on). So check it in an interactive session before using it. If time permits I will polish it a bit later to account for such cases.
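The reply-code checking the awk script lacks, as an added example that is not part of the original post: a minimal SMTP sender that reads every server reply, including multi-line ones, before sending the next command, and reports retry on a 4xx such as a greylisting 450 instead of carrying on. The server transcripts, host names and addresses are constructed so it runs offline; send_over_tcp() is the same state machine over a real connection. It needs Python, which, as said above, a Checkpoint box does not have; it is a reference for the hosts that do.

```python
import io
import socket
from typing import List, Optional, Tuple


class SMTPStatus(Exception):
    """Raised when the server answers a command with an unexpected code."""
    def __init__(self, code: int, text: str):
        super().__init__(f"{code} {text}")
        self.code = code


def read_reply(rfile) -> Tuple[int, List[str]]:
    """Read one SMTP reply, including '250-...' continuation lines,
    and return (code, lines). A closed or garbled connection raises."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed reply: {line!r}")
        lines.append(line)
        if len(line) == 3 or line[3] == " ":
            return int(line[:3]), lines


def send_alert(rfile, wfile, helo, sender, rcpt, subject, body) -> str:
    """Run the session over file objects; every step is gated on the reply
    code, so a greylisting 4xx at RCPT stops the dialogue cleanly."""
    def step(cmd: Optional[str], ok: Tuple[int, ...]) -> None:
        if cmd is not None:
            wfile.write((cmd + "\r\n").encode("ascii"))
            wfile.flush()
        code, lines = read_reply(rfile)
        if code not in ok:
            raise SMTPStatus(code, lines[-1])

    try:
        step(None, (220,))                      # server greeting
        step(f"HELO {helo}", (250,))
        step(f"MAIL FROM:<{sender}>", (250,))
        step(f"RCPT TO:<{rcpt}>", (250, 251))   # greylisting typically answers 450 here
        step("DATA", (354,))
        # dot-stuff, so a body line consisting of "." cannot end the message early
        text = "\r\n".join("." + l if l.startswith(".") else l for l in body.splitlines())
        step(f"Subject: {subject}\r\n\r\n{text}\r\n.", (250,))
        step("QUIT", (221,))
        return "sent"
    except SMTPStatus as e:
        wfile.write(b"QUIT\r\n")
        wfile.flush()                           # be polite, do not wait for the 221
        return "retry" if 400 <= e.code < 500 else "rejected"


def run_scripted(server_replies: List[str]) -> Tuple[str, List[str]]:
    """Play a constructed server transcript against the client, offline, and
    return (outcome, the commands the client sent)."""
    rfile = io.BytesIO("".join(r + "\r\n" for r in server_replies).encode())
    wfile = io.BytesIO()
    outcome = send_alert(rfile, wfile, "fw1.example.net", "alert@example.net",
                         "soc@example.net", "SSH login alert",
                         "uid=0(root) logged in on fw1\n.this line starts with a dot")
    return outcome, wfile.getvalue().decode().split("\r\n")


def send_over_tcp(host: str, port: int = 25, **fields) -> str:
    """The real path: the same state machine over a TCP connection to the MX."""
    with socket.create_connection((host, port), timeout=30) as s:
        return send_alert(s.makefile("rb"), s.makefile("wb"), **fields)


# Constructed transcripts (server side only; the client side is generated)
OK_SESSION = ["220-mx.example.net ESMTP", "220 ready", "250 mx.example.net",
              "250 2.1.0 Ok", "250 2.1.5 Ok", "354 End data with <CR><LF>.<CR><LF>",
              "250 2.0.0 Ok: queued", "221 2.0.0 Bye"]
GREYLISTED = OK_SESSION[:4] + ["450 4.7.1 Greylisted, try again later"]
REJECTED = OK_SESSION[:4] + ["550 5.1.1 Recipient address rejected"]

if __name__ == "__main__":
    for name, script in ("ok", OK_SESSION), ("greylist", GREYLISTED), ("reject", REJECTED):
        outcome, sent = run_scripted(script)
        print(name, "->", outcome, "| client sent:", sent[:4])
```

A retry result is the cue to queue the alert and resend after the greylisting window, rather than to log a false "sent"; a ConnectionError or ValueError from read_reply() means the peer is not speaking SMTP at all and is left to the caller.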

BTW, if you haven't noticed, eSafe has full-blown scripting languages installed, Perl and Python. With these you are limited by your imagination only.

Reinstall Checkpoint UTM firewall, the hard way…

Sometimes machines fail; in the end all machines fail some day anyway. When it happens to the firewall (Checkpoint) it can be a very frustrating event. By failing I mean the machine turns on but doesn't boot, or boots into an unusable state. The first thought that comes to the sysadmin looking at such a miserable piece of expensive metal: format/fdisk/Factory Defaults/anything!!!???
If you have a Checkpoint Open Server (i.e. Checkpoint VPN-1 software installed on a 3rd-party server), then most probably it has a CD/DVD drive and all that is left is to find the Checkpoint installation CD: 30 minutes, some basic rules, and your network starts to work again, at least partially.
But if you have a Checkpoint UTM appliance you have a problem. A big one. There is no magic button to restore factory defaults, nor a CD/DVD drive to start formatting/reinstalling the firewall immediately. Not that Checkpoint didn't think about that situation; it is just that the reinstall/reimage procedure is a bit involved.
I won't say anything new here, as it is all neatly documented in the Checkpoint SecureKnowledge base (sk37231). But as I get questions about it more often than people bother to check the Checkpoint website, here is the short procedure:

– You download from checkpoint.com (with these download speeds and image sizes, patience is your friend) the UTM image matching your UTM version;
– You burn it to a DVD (it is 1.5 gigabytes in size);
– You connect a USB DVD drive to the USB port of the UTM, boot from it and install from scratch.

That is it. Reinstalling wipes the appliance, so this is also the moment you find out whether you have a recent backup of the configuration to restore afterwards.

PS If you happen to forget the SSH password of the expert user, you are also left with the grim option of booting the appliance from some bootable DVD and resetting the password, or just reinstalling the whole firewall. So be very careful with SSH passwords on the UTM appliances.

Don’t rely on SmartViewTracker only – it may lie

Funny case of WYSIWYG misleading the uninitiated. The case involved a seemingly normally functioning Checkpoint firewall which, after a client created a rule to allow FTP from any to his server in the DMZ (no NAT involved), refused to allow connections though. The client, being quite experienced himself, opened SmartView Tracker, filtered on the rule (here rule 77) and saw nothing (of course logging was enabled on the rule). OK, he thought; he cleared the filter and also started looking at the cleanup rule, Any -> Any = Drop (log enabled), and ... again saw no hits at all. At this stage he approached us with a request to check the Linkproof in front of this firewall, as "it doesn't pass traffic to my FTP server".
I did the usual thing: ssh -> fw monitor on the FTP server IP and, hurrah, saw myself reaching the FTP server IP but on the input interface only. "Aha, dropped by a rule for sure"; then it took me another minute to prove it (to me and to the client) with this:

Here:
194.99.73.13 – FTP server in the DMZ (IP sanitized, of course)
124.92.11.33 – my IP

[Expert@firewall2070]# fw ctl zdebug drop | grep 194.99.73.13
fw_log_drop: Packet proto=6 124.92.11.33:53408 -> 194.99.73.13:21 dropped by fwhold_expires Reason: held chain expired
fw_log_drop: Packet proto=6 124.92.11.33:53408 -> 194.99.73.13:21 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 77

To remind: rule 77 was Any -> 194.99.73.13 (Service FTP) = Allow (log)

Why the rule didn't work is another question, but the reason was a messed-up rulebase the client had made: further down the rulebase was another rule for the same server partly overlapping this one, and the moment I disabled the second rule all started to work.

So the conclusion: don't rely on SmartView Tracker alone for debugging; there can be too many reasons why it is not logging or showing logs as it should.
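grep shows the lines; what you usually want next is which reason and which rule account for the drops to a host. As an added example (not part of the original post), here is a parser for fw_log_drop lines that aggregates per (function, reason, rule). The first two sample lines are the ones quoted above; the rest are constructed, and the pattern assumes the same single-line layout as those two.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# One record per fw_log_drop line; "- rule N" is only present for rulebase drops.
_DROP_RE = re.compile(
    r"fw_log_drop: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<func>\S+) Reason: (?P<reason>.+?)"
    r"(?:\s[-\u2013]\s*rule (?P<rule>\d+))?;?\s*$"
)


@dataclass
class Drop:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    func: str     # kernel function that dropped the packet
    reason: str
    rule: Optional[int]


def parse_drop(line: str) -> Optional[Drop]:
    """Return a Drop for a fw_log_drop line, None for anything else."""
    m = _DROP_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return Drop(int(g["proto"]), g["src"], int(g["sport"]), g["dst"], int(g["dport"]),
                g["func"], g["reason"], int(g["rule"]) if g["rule"] else None)


def summarise(lines: Iterable[str], dst: Optional[str] = None) -> Counter:
    """Count drops per (function, reason, rule), optionally for one destination:
    the grep from the post, but aggregated instead of eyeballed."""
    c = Counter()
    for d in filter(None, map(parse_drop, lines)):
        if dst is None or d.dst == dst:
            c[(d.func, d.reason, d.rule)] += 1
    return c


SAMPLE_LINES = [
    # the two lines quoted in the post
    "fw_log_drop: Packet proto=6 124.92.11.33:53408 -> 194.99.73.13:21 dropped by fwhold_expires Reason: held chain expired",
    "fw_log_drop: Packet proto=6 124.92.11.33:53408 -> 194.99.73.13:21 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 77",
    # constructed: a client retry, a drop to another host, and an unrelated debug line
    ";fw_log_drop: Packet proto=6 124.92.11.33:53410 -> 194.99.73.13:21 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 77;",
    "fw_log_drop: Packet proto=17 10.0.0.5:40000 -> 194.99.73.20:53 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 120;",
    "some other kernel debug output that is not a drop",
]

if __name__ == "__main__":
    for (func, reason, rule), n in summarise(SAMPLE_LINES, dst="194.99.73.13").most_common():
        print(f"{n:4d}  {func:24s} {reason}" + (f" (rule {rule})" if rule else ""))
```

Piped from a live fw ctl zdebug drop this gives the per-rule tally in seconds; zdebug is verbose on a busy gateway, so keep the dst filter and stop it as soon as the rule number shows up.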

Failed to connect to Fortiguard servers

Today I encountered an otherwise easy-to-diagnose misconfiguration, only Fortinet decided to 'hide' this parameter deep enough that it got on my nerves until I fixed it.

NOTE: FortiGuard is a subscription-based service whereby your Fortigate unit periodically connects to Fortinet's servers (collectively named FortiGuard servers) to get the information that enables advanced features like filtering by category/rating.

Problem: suddenly the client's Fortigate refused to do the web/spam filtering service while having a valid contract subscription. Not a big deal, as under System -> Maintenance -> Fortiguard the status was "Failed to connect" (or something of the kind, I don't recall it now). On the same page there is a nice button "Test Availability", pushing which brought the error "Connection failed. Check firewall routing table".
In most cases it is either a reachability issue or the Fortigate is trying to update against the wrong server.
Pinging successfully from the firewall to service.fortiguard.net (the FQDN to use for the FortiGuard servers) left the 2nd option: a wrong FortiGuard server hardcoded somewhere in the config. Doing
FG100 # show system fortiguard
gave only this:
config system fortiguard
    set antispam-cache disable
    set webfilter-cache disable
end

That is the hiding place: show prints only settings that differ from the defaults, and the hostname is treated as a default even when it points at the wrong place. Only
FG100 # get system fortiguard
gave the answer:
hostname               : 66.92.33.1
srv-ovrd               : disable
port                   : 53
client-override-status : disable

To fix this you enter (the line starting with * is the help text of set ?, showing the attribute name):
FG100 # config system fortiguard
FG100 (fortiguard) # set ?
*hostname    hostname or IP of the FortiGuard server
FG100 (fortiguard) # set hostname service.fortiguard.net
FG100 (fortiguard) # end

Then check it with get system fortiguard again and with the Test Availability button.

* FortiOS 3.x uses service.fortiguard.net; FortiOS 2.80 used guard.fortinet.net for web filtering and antispam.fortigate.com for antispam filtering. Fortinet's recommendation is to use the 3.x name, nevertheless setting guard.fortinet.net on FortiOS 3 works as well (after all they are CNAMEs of each other).

And while we are on it, here are few useful debug commands for the topic:

– To see the real-time list of servers to which the firewall tries to connect for the FortiGuard rating service (weight, round-trip time and lost packets per server)
FG200# diagnose debug rating
Locale : english
License : Contract
Expiration : Fri Jun 17 02:00:00 2010
Hostname : guard.fortinet.net

-=- Server List (Wed Jun 19 08:12:58 2009) -=-

IP Weight Round-time TZ Packets Curr Lost Total Lost
212.95.252.121 0 85 0 521863 0 113
212.95.252.120 0 89 0 4625 0 5
82.71.226.65 0 97 0 2140 0 34
62.209.40.73 10 105 1 2060 0 0
62.209.40.72 10 103 1 2060 0 0
66.117.56.37 50 158 -5 2060 0 0
69.20.236.180 50 191 -5 2060 0 0
69.20.236.179 50 185 -5 2060 0 0
66.117.56.42 50 164 -5 2061 0 1
72.52.72.243 80 245 -8 2063 0 3
116.58.208.39 80 371 -8 2081 0 21
208.91.112.194 80 233 -8 2075 0 12
216.156.209.26 80 239 -8 2068 0 7
121.111.236.179 90 354 9 2061 0 1
121.111.236.180 90 366 9 2064 0 4

– The same for Antispam service
FG200# diagnose spamfilter fortishield servers
Locale : english
License : Contract
Expiration :Fri Jun 17 02:00:00 2010
Hostname : guard.fortinet.net

-=- Server List (Wed Jun 19 08:13:39 2009) -=-

IP Weight Round-time TZ Packets Curr Lost Total Lost
212.95.252.121 0 94 0 2063 0 0
212.95.252.120 0 96 0 2061 0 0
82.71.226.65 0 104 0 2076 0 18
62.209.40.73 10 113 1 2061 0 0
62.209.40.72 10 111 1 2061 0 0
66.117.56.37 50 159 -5 2061 0 0
69.20.236.180 50 199 -5 2061 0 0
69.20.236.179 50 193 -5 2061 0 0
66.117.56.42 50 169 -5 2063 0 2
72.52.72.243 80 273 -8 2065 0 4
116.58.208.39 80 380 -8 2085 0 24
208.91.112.194 80 271 -8 2071 0 8
216.156.209.26 80 261 -8 2064 0 2
121.111.236.179 90 362 9 2061 0 0
121.111.236.180 90 370 9 2062 0 1

– To see on the console Webfiltering doing its work:
FG200# diagnose debug application urlfilter 1

FG200 # id=93000 pid=50 main-696 in main.c received pkt:count=197, a=/tmp/.thttp.socket/21
id=22009 received a request /tmp/.thttp.socket, addr_len=21: d=www.cnn.com:80, url=/a7Admin/SelectImage.aspx?end=document.f.largeimage.value&preview=document.getElementById(‘oImg2’)&w=319&h=215, id=913659, vfid=0, type=0, client=192.168.7.238
id=93000 msg=”found it in cache”
id=93003 user=”N/A” src=192.168.7.238 sport=4796 dst=157.166.224.25 dport=80 service=http cat=36 cat_desc=”News and Media” hostname=www.cnn.com url=/a7Admin/SelectImage.aspx?end=document.f.largeimage.value&preview=document.getElementById(‘oImg2’)&w=319&h=215 status=passthrough msg=”URL belongs to an allowed category in the policy”
id=93000 pid=50 main-696 in main.c received pkt:count=255, a=/tmp/.thttp.socket/21
id=22009 received a request /tmp/.thttp.socket, addr_len=21: d=b.mail.google.com:80, url=/mail/channel/bind?VER=6&it=460207&at=xn3j2v04hx65iz3ypmmyzptrbkimsf&RID=rpc&SID=57A1C77D6AAC35B0&CI=1&AID=347&TYPE=html&zx=8i5clc-olem8j&DOMAIN=mail.google.com&t=1, id=900542, vfid=0, type=0, client=192.168.7.56
id=93003 user=”N/A” src=192.168.7.56 sport=4280 dst=74.125.39.189 dport=80 service=http cat=23 cat_desc=”Web-based Email” hostname=b.mail.google.com url=/mail/channel/bind?VER=6&it=460207&at=xn3j2v04hx65iz3ypmmyzptrbkimsf&RID=rpc&SID=57A1C77D6AAC35B0&CI=1&AID=347&TYPE=html&zx=8i5clc-olem8j&DOMAIN=mail.google.com&t=1 status=passthrough msg=”URL belongs to an allowed category in the policy”

You can’t set duplex/speed settings of the Fortigate interfaces?

You can't set duplex/speed settings of the Fortigate interfaces.
Important FIX: it depends on which interface you are trying to set! [Thanks to Chen for pointing this out]
Upon careful re-examination it turns out that you can't set duplex/speed only on the 4-port switch interfaces, i.e. the Internal interface of the Fortigate 60, 60M, 100A, 200A and FortiWiFi-60, and also the LAN interface of the 500A.
Tried on FG100A FortiOS v4.0,build0178,090820 (MR1); on a regular port it still works:

FG100 (dmz2) # set speed
100full 100M full-duplex
100half 100M half-duplex
10full 10M full-duplex
10half 10M half-duplex
auto auto adjust speed

Working most of the time with Cisco gear, I (and others) am used to being able to set duplex/speed parameters on physical interfaces to my liking.
This becomes a necessity when connecting Cisco to various equipment of differing quality. So it was a surprise to me when I encountered a strange layer 1/layer 2 connectivity problem between a Fortigate 200A and a Cisco, tried to set duplex full/speed 100 manually on the Fortigate, and found that it is impossible on that interface.
It was possible back in the days of FortiOS 2.80 (and early 3.0, I guess up until MR5):

# conf sys int
(interface)# edit internal
(internal)# set speed

100full 100M full-duplex
100half 100M half-duplex
10full 10M full-duplex
10half 10M half-duplex

But then Fortinet dropped this option, and the only (indirect) explanation found on their site is this memo:
“Locked-down port policies (forcing speed, duplex, and link capabilities with auto-negotiation disabled) are
outdated. Legacy and historical reasons for forced setup with auto-negotiation disabled date
back many years when the technology was new…”

What we can still do is see the negotiated status of the link (this command also shows errors/collisions/MTU on the interface, which is where a duplex mismatch shows up as collisions and CRC errors on one side):

FG100 # diagnose hardware deviceinfo nic internal
Description VIA VT6102 Rhine-II
Part_Number N/A
Driver_Name via-rhine
Driver_Version 1.1.17
PCI_Vendor 0x1106
PCI_Device_ID 0x3065
PCI_Subsystem_Vendor 0x3065
PCI_Subsystem_ID 0x1106
PCI_Revision_ID 0x74
PCI_Address 0:12.0
PCI_Bus_Type
Memory 0x0000f400
IRQ 11
System_Device_Name internal
Current_HWaddr 00:09:0f:30:32:11   # in an HA setup the primary member would show a different, virtual MAC address here; for more see FortiOS v3.0 HA Cluster virtual MAC addresses
Permanent_HWaddr 00:09:0f:30:32:11
Link up
Speed 100
Duplex forced full
FlowControl off
State up(0x00001103)
MTU_Size 1392
Rx_Packets 89944267
Tx_Packets 73437299
Rx_Bytes 370540924
Tx_Bytes 428118992
Rx_Errors 0
Tx_Errors 0
Rx_Dropped 0
Tx_Dropped 0
Multicast 8810
Collisions 0
Rx_Length_Errors 0
Rx_Over_Errors -0
Rx_CRC_Errors 0
Rx_Frame_Errors 0
Rx_FIFO_Errors 0
Rx_Missed_Errors 0
Tx_Aborted_Errors 0
Tx_Carrier_Errors 0
Tx_FIFO_Errors 0
Tx_Heartbeat_Errors 0
Tx_Window_Errors 0
Tx_Single_Collision_Frames 0
Tx_Multiple_Collision_Frames 0
Rx_Frame_Too_Longs 0
Rx_Symbol_Errors 0
Rx_Control_Unknown_Opcodes 0
Rx_Pause_Frames 0
Tx_Pause_Frames 0
Scatter_Gather OFF
poll_intr_switch 0
rx_tasklet_pkts 92505560
xmit queue 0
recv queue -64
phy_id= 1/1

Debug VPN in Fortigate – seeing is believing

You can't really debug VPN problems with static show commands; if a VPN fails to function you HAVE to see it happening in real time. Below I list a few debug commands that do just that for IPsec site-to-site tunnels on a Fortigate.

Here:
192.168.168.254 – IP address on the LAN interface of the Fortigate
10.170.15.131 – IP address on the remote LAN
200.199.20.162 – (sanitized) IP of the WAN interface of the Fortigate
72.21.207.65 – (sanitized) IP of the remote VPN peer

– Enable debugging
FG100A # diag debug en

– Enable debug messages for a specific application, here we are interested in IKE (note the debug level -1; following logic I first enabled +1, 255 etc. and surprisingly it had no effect at all)
FG100A # diag debug app ike -1


© 2016 yurisk.info
