FortiGate Firewall Common Configuration Commands (editable Word version)


FortiGate Common Configuration Commands

I. Command Structure

config    Configure object. Configure policies, address objects and so on.
get       Get dynamic and system information. View the runtime parameters of the relevant object.
show      Show configuration. View the configuration file.
diagnose  Diagnose facility. Diagnostic commands.
execute   Execute static commands. Frequently used tool commands, such as ping.
exit      Exit the CLI. Exit.

II. Common Commands

1. Configure an interface address:

FortiGate # config system interface

FortiGate (interface) # edit lan

FortiGate (lan) # set ip 192.168.100.99/24

FortiGate (lan) # end

2. Configure a static route

FortiGate # config router static

FortiGate (static) # edit 1

FortiGate (1) # set device wan1

FortiGate (1) # set dst 10.0.0.0 255.0.0.0

FortiGate (1) # set gateway 192.168.57.1

FortiGate (1) # end

3. Configure the default route

FortiGate # config router static

FortiGate (static) # edit 1

FortiGate (1) # set gateway 192.168.57.1

FortiGate (1) # set device wan1

FortiGate (1) # end

4. Add an address object

FortiGate # config firewall address

FortiGate (address) # edit clientnet

new entry 'clientnet' added

FortiGate (clientnet) # set subnet 192.168.1.0 255.255.255.0

FortiGate (clientnet) # end

5. Add an IP pool

FortiGate # config firewall ippool

FortiGate (ippool) # edit nat-pool

new entry 'nat-pool' added

FortiGate (nat-pool) # set startip 100.100.100.1

FortiGate (nat-pool) # set endip 100.100.100.100

FortiGate (nat-pool) # end

6. Add a virtual IP

FortiGate # config firewall vip

FortiGate (vip) # edit webserver

new entry 'webserver' added

FortiGate (webserver) # set extip 202.0.0.167

FortiGate (webserver) # set extintf wan1

FortiGate (webserver) # set mappedip 192.168.0.168

FortiGate (webserver) # end

7. Configure an Internet-access policy

FortiGate # config firewall policy

FortiGate (policy) # edit 1

FortiGate (1) # set srcintf internal // source interface

FortiGate (1) # set dstintf wan1 // destination interface

FortiGate (1) # set srcaddr all // source address

FortiGate (1) # set dstaddr all // destination address

FortiGate (1) # set action accept // action

FortiGate (1) # set schedule always // schedule

FortiGate (1) # set service ALL // service

FortiGate (1) # set logtraffic disable // traffic logging switch

FortiGate (1) # set nat enable // enable NAT

end

8. Configure a port-mapping (VIP) policy

FortiGate # config firewall policy

FortiGate (policy) # edit 2

FortiGate (2) # set srcintf wan1 // source interface

FortiGate (2) # set dstintf internal // destination interface

FortiGate (2) # set srcaddr all // source address

FortiGate (2) # set dstaddr FortiGate1 // destination address: the virtual IP mapping, created beforehand

FortiGate (2) # set action accept // action

FortiGate (2) # set schedule always // schedule

FortiGate (2) # set service ALL // service

FortiGate (2) # set logtraffic all // traffic logging switch

end
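The two policies above differ in exactly the settings a reviewer looks at first: policy 1 accepts any source to any destination on all services with traffic logging disabled, and policy 2 exposes the virtual IP on all services. The following Python script is an added example, not part of the original page or of Fortinet's tooling. It parses a `config firewall policy` block in the layout `show firewall policy` prints and flags those settings. The config text inside it is a constructed sample mirroring policies 1 and 2; it assumes the VIP object is the `webserver` entry from section 6 rather than the `FortiGate1` name used in section 8.

```python
import shlex

# Constructed sample that mirrors policies 1 and 2 from this page, in the
# layout `show firewall policy` prints; the VIP object is assumed to be the
# `webserver` entry from the virtual-IP section.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
        set nat enable
    next
    edit 2
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "webserver"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
"""


def parse_policies(text):
    """Return {policy_id: {key: [values]}} from a `config firewall policy` block.

    Walks the config/edit/set/next/end structure.  Values may be quoted, and
    one `set` may list several objects (e.g. set srcaddr "lan-a" "lan-b").
    """
    policies = {}
    current = None
    for raw in text.splitlines():
        parts = shlex.split(raw)
        if not parts:
            continue
        cmd, args = parts[0], parts[1:]
        if cmd == "edit" and args:
            current = args[0]
            policies[current] = {}
        elif cmd == "set" and current is not None and len(args) >= 2:
            policies[current][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            current = None
    return policies


def lint_policies(policies, lan_interfaces=("internal", "lan")):
    """Flag accept policies with settings a reviewer would question.

    Returns a list of (policy_id, message).  Interfaces in `lan_interfaces`
    are treated as the trusted side; every other interface is untrusted.
    """
    findings = []
    for pid, p in policies.items():
        if p.get("action", ["deny"])[0] != "accept":
            continue  # deny policies are not the concern here
        srcaddr, dstaddr = p.get("srcaddr", []), p.get("dstaddr", [])
        service = p.get("service", [])
        srcintf, dstintf = p.get("srcintf", [""])[0], p.get("dstintf", [""])[0]
        inbound = srcintf not in lan_interfaces and dstintf in lan_interfaces

        if p.get("logtraffic", [""])[0] == "disable":
            findings.append((pid, "traffic logging disabled on an accept policy; "
                                  "nothing will be available for incident review"))
        if "all" in srcaddr and "all" in dstaddr and "ALL" in service:
            findings.append((pid, "any source to any destination on all services; "
                                  "restrict the service or the destination"))
        if inbound and "ALL" in service:
            findings.append((pid, "inbound policy to %s allows all services; limit it "
                                  "to the ports the VIP actually publishes" % ", ".join(dstaddr)))
    return findings


if __name__ == "__main__":
    for pid, msg in lint_policies(parse_policies(SAMPLE_CONFIG)):
        print("policy %s: %s" % (pid, msg))
```

Feed the script the output of `show firewall policy` from a real unit and every accept policy is checked the same way; the trusted-interface tuple is the only thing to adapt when the LAN side is not named `internal` or `lan`.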

9. Change the internal switch interface into routed interfaces

Make sure that all routes, DHCP servers and firewall policies that reference the internal interface have been deleted first.

FortiGate # config system global

FortiGate (global) # set internal-switch-mode interface

FortiGate (global) # end

Reboot.

1. View the hostname and management ports

FortiGate # show system global

2. View system status and current resource usage

FortiGate # get system performance status

3. View application traffic statistics

FortiGate # get system performance firewall statistics

4. View the ARP table

FortiGate # get system arp

5. View detailed ARP information

FortiGate # diagnose ip arp list

6. Clear the ARP cache

FortiGate # execute clear system arp table

7. View session table statistics

FortiGate # diagnose sys session stat or FortiGate # diagnose sys session full-stat

8. View the session list

FortiGate # diagnose sys session list

9. View physical interface status

FortiGate # get system interface physical

10. View the static (default) route configuration

FortiGate # show router static

11. View the static routes in the routing table

FortiGate # get router info routing-table static

12. View the OSPF configuration

FortiGate # show router ospf

13. View the full routing table

FortiGate # get router info routing-table all
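As an added example (not from the original page and not Fortinet code), the Python script below parses the output format of `get router info routing-table all` into route records, locates the default route, and checks that its gateway lies inside a directly connected network on the same interface, which is the first thing to verify when a static route from sections 2 or 3 does not appear in the table. The routing-table text is a constructed sample in FortiOS's output format built from the addresses used earlier on this page; the 192.168.57.0/24 connected network on wan1 is assumed.

```python
import ipaddress
import re

# Constructed sample in the format `get router info routing-table all`
# prints, using the addresses from this page; the 192.168.57.0/24
# connected network on wan1 is assumed.
ROUTING_TABLE = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.57.1, wan1
S       10.0.0.0/8 [10/0] via 192.168.57.1, wan1
C       192.168.57.0/24 is directly connected, wan1
C       192.168.100.0/24 is directly connected, lan
"""

# One route per line: "<code> <prefix> [<distance>/<metric>] via <gw>, <dev>"
# or "<code> <prefix> is directly connected, <dev>".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z]+\*?)\s+(?P<prefix>\S+/\d+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<gw>\S+), (?P<dev>\S+)"
    r"|is directly connected, (?P<cdev>\S+))"
)


def parse_routing_table(text):
    """Turn routing-table output into a list of route dicts; legend lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # legend, blank lines
        code = m.group("code")
        routes.append({
            "type": code.rstrip("*"),               # S static, C connected, O OSPF ...
            "candidate_default": code.endswith("*"),
            "prefix": m.group("prefix"),
            "gateway": m.group("gw"),               # None for connected routes
            "device": m.group("dev") or m.group("cdev"),
            "distance": int(m.group("ad") or 0),
        })
    return routes


def default_route(routes):
    """Return the 0.0.0.0/0 entry, or None if the unit has no default route."""
    for r in routes:
        if r["prefix"] == "0.0.0.0/0":
            return r
    return None


def gateway_is_reachable(routes, route):
    """True if the route's gateway lies in a connected network on the same interface.

    A static route only forwards traffic if its next hop is on-link for the
    interface given in `set device`; this check catches a mistyped gateway.
    """
    if route["gateway"] is None:
        return True  # connected route, no next hop to verify
    gw = ipaddress.ip_address(route["gateway"])
    return any(
        r["type"] == "C" and r["device"] == route["device"]
        and gw in ipaddress.ip_network(r["prefix"], strict=False)
        for r in routes
    )


if __name__ == "__main__":
    table = parse_routing_table(ROUTING_TABLE)
    d = default_route(table)
    print("default route:", d)
    print("gateway on-link:", gateway_is_reachable(table, d))
```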

1. View HA status

FortiGate # get system ha status

2. Check whether the primary and secondary units are in sync

FortiGate # diagnose sys ha showcsum

3. Diagnostic command:

FortiGate # diagnose debug application ike -1

execute commands:

FortiGate # execute ping 8.8.8.8 // ordinary ping

FortiGate # execute ping-options source 192.168.1.200 // set the source address of the ping packets to 192.168.1.200

FortiGate # execute ping 8.8.8.8 // then enter the ping target; the ping now runs with 192.168.1.200 as its source address

FortiGate # execute traceroute 8.8.8.8

FortiGate # execute telnet 2.2.2.2 // telnet access

FortiGate # execute ssh 2.2.2.2 // SSH access

FortiGate # execute factoryreset // restore factory settings

FortiGate # execute reboot // reboot the device

FortiGate # execute shutdown // shut down the device
