FortiGate 防火墙常用配置命令.doc

FortiGate 常用配置命令一、命令结构 config Configure object. 对策略，对象等进行配置 get Get dynamic and system information. 查看相关关对象的参数信息 show Show configuration. 查看配置文件 diagnose Diagnose facility. 诊断命令 execute Execute static commands. 常用的工具命令，如 ping exit Exit the CLI. 退出二、常用命令1、配置接口地址 : FortiGate # config system interface FortiGate (interface) # edit lan FortiGate (lan) # set ip 192.168.100.99/24 FortiGate (lan) # end 2、配置静态路由 FortiGate (static) # edit 1 FortiGate (1) # set device wan1 FortiGate (1) # set dst 10.0.0.0 255.0.0.0 FortiGate (1) # set gateway 192.168.57.1 FortiGate (1) # end 3、配置默认路由 FortiGate (1) # set gateway 192.168.57.1 FortiGate (1) # set device wan1 FortiGate (1) # end 4、添加地址 FortiGate # config firewall address FortiGate (address) # edit clientnet new entry clientnet added FortiGate (clientnet) # set subnet 192.168.1.0 255.255.255.0 FortiGate (clientnet) # end5、添加ip池 FortiGate (ippool) # edit nat-pool new entry nat-pool added FortiGate (nat-pool) # set startip 100.100.100.1 FortiGate (nat-pool) # set endip 100.100.100.100 FortiGate (nat-pool) # end 6、添加虚拟ip FortiGate # config firewall vip FortiGate (vip) # edit webserver new entry webserver added FortiGate (webserver) # set extip 202.0.0.167 FortiGate (webserver) # set extintf wan1 FortiGate (webserver) # set mappedip 192.168.0.168 FortiGate (webserver) # end 7、配置上网策略 FortiGate # config firewall policy FortiGate (policy) # edit 1 FortiGate (1)#set srcintf internal /源接口 FortiGate (1)#set dstintf wan1 /目的接口 FortiGate (1)#set srcaddr all /源地址 FortiGate (1)#set dstaddr all /目的地址 FortiGate (1)#set action accept /动作 FortiGate (1)#set schedule always /时间 FortiGate (1)#set service ALL /服务 FortiGate (1)#set logtraffic disable /日志开关 FortiGate (1)#set nat enable /开启natend 8、配置映射策略 FortiGate # config firewall policy FortiGate (policy) #edit 2 FortiGate (2)#set srcintf wan1 /源接口 FortiGate (2)#set dstintf internal /目的接口 FortiGate (2)#set srcaddr all /源地址 FortiGate (2)#set dstaddr FortiGate1 /目的地址，虚拟ip映射，事先添加好的 FortiGate (2)#set action accept /动作 FortiGate (2)#set schedule always /时间 FortiGate (2)#set service ALL /服务 FortiGate (2)#set logtraffic all /日志开关 end 9、把internal交换接口修改为路由口 确保关于internal口的路由、dhcp、防火墙策略都删除 FortiGate # config system global FortiGate (global) # set internal-switch-mode interface FortiGate (global) #end 重启-1、查看主机名，管理端口 FortiGate # show system global 2、查看系统状态信息，当前资源信息 FortiGate # get system performance status3、查看应用流量统计 FortiGate # get system performance firewall statistics 4、查看arp表 FortiGate # get system arp 5、查看arp丰富信息 FortiGate # diagnose ip arp list 6、清楚arp缓存 FortiGate # execute clear system arp table 7、 查看当前会话表 FortiGate # diagnose sys session stat 或 FortiGate # diagnose sys session full-stat； 8、 查看会话列表 FortiGate # diagnose sys session list 9、查看物理接口状态 FortiGate # get system interface physical10、查看默认路由配置 FortiGate # show router static 11、查看路由表中的静态路由 FortiGate # get router info routing-table static 12、查看ospf相关配置 FortiGate # show router ospf13、查看全局路由表FortiGate # get router info routing-table all- 1、查看HA状态 FortiGate # get system ha status 2、查看主备机是否同步FortiGate # diagnose sys ha showcsum- 3.诊断命令： FortiGate # diagnose debug application ike -1 -execute 命令： FortiGate #execute ping 8.8.8.8 /常规ping操作 FortiGate #execute ping-options source 192.168.1.200 /指定ping数据包的源地址 192.168.1.200 FortiGate #execute ping 8.8.8.8 /继续输入ping的目标地址，即可通过192.168.1.200的源地址执行ping操作 FortiGate #execute traceroute 8.8.8.8 FortiGate #ex