Fortinet Info

Stop the FortiGate from answering ident (TCP port 113) probes on the WAN port (by default it replies to them):

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Closing-TCP-port-113/ta-p/195373
config system interface
edit <wan_interface>
set ident-accept enable
next
end
(replace <wan_interface> with the name of the WAN interface)

Difference between “show” and “get” commands:

https://community.fortinet.com/t5/Support-Forum/Difference-between-GET-quot-and-quot-SHOW-quot-commands/m-p/250505#M209556

“We can use the get command to retrieve dynamic information, such as the IP of a DHCP or PPPoE interface. It also gives the information on, or lists the configuration of, the current object in tabular format, while the show command gives the configuration in configurable format (tree structure).”

How I understand it:
“Show” in FortiOS is like “show” in Cisco IOS, where you see, for example, the interface status: show ip interface g1
“Get” is like “show run | sec GigabitEthernet1”: it shows the configuration of the item.

OSPF with Cisco:

https://tcpflag.blogspot.com/2015/08/fortigate-with-cisco-using-ospf.html
There are two important things:
1) https://community.fortinet.com/t5/FortiGate/Technical-Note-OSPF-Interoperability-with-Cisco-Setting-up-an/ta-p/192112
The FortiGate does not accept a plain decimal Area ID the way Cisco does (0); the area must be written in dotted-decimal form, 0.0.0.0. Area 5 becomes 0.0.0.5 and area 269 becomes 0.0.1.13 (269 = 1*256 + 13: the 32-bit area number is split into four octets, high octet first). A converter if you don't want to do it by hand: https://codebeautify.org/decimal-to-ip-converter
2) Hello and Dead intervals must match on every router on the segment, otherwise the adjacency never forms. Check the timers in the CLI on both sides and set the correct values in the interface configuration (on the FortiGate this lives under config ospf-interface inside config router ospf, not on the interface object itself).
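As an added example (not from this page or the linked articles), here is the FortiGate side of the interoperability setup in FortiOS CLI next to its Cisco IOS peer, putting both points together: the area number 269 entered as 0.0.1.13, and the Hello/Dead timers copied explicitly. The router IDs, port2, GigabitEthernet1 and the 10.1.1.0/24 transit subnet are assumed values.

```text
# ----- FortiGate side (FortiOS CLI; lines starting with # are comments) -----
# Cisco "area 269" must be entered in dotted-decimal form:
#   269 = 1*256 + 13, so the four octets are 0.0.1.13
# Router ID, port2 and the 10.1.1.0/24 transit subnet are assumed values.
config router ospf
    set router-id 10.255.0.1
    config area
        edit 0.0.1.13
        next
    end
    config ospf-interface
        edit "to-cisco"
            set interface "port2"
            # Timers must equal the Cisco side. 10/40 are the defaults on
            # both platforms for broadcast media; they are set explicitly
            # here so a tuned Cisco interface is mirrored, not assumed.
            set hello-interval 10
            set dead-interval 40
        next
    end
    config network
        edit 1
            set prefix 10.1.1.0 255.255.255.0
            set area 0.0.1.13
        next
    end
end

! ----- Cisco IOS side (the peer router; ! starts a comment) -----
! IOS accepts "area 269" and "area 0.0.1.13" as the same area.
router ospf 1
 router-id 10.255.0.2
 network 10.1.1.0 0.0.0.255 area 269
!
interface GigabitEthernet1
 ip address 10.1.1.2 255.255.255.0
 ip ospf hello-interval 10
 ip ospf dead-interval 40
```

Verify on the FortiGate with get router info ospf neighbor all (the Cisco router should reach state Full) and get router info ospf interface (shows the timers per interface); on the IOS side use show ip ospf neighbor and show ip ospf interface GigabitEthernet1. If the neighbor sticks in Init or never appears, compare the area ID and the two timers on both outputs before looking anywhere else.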

OSPF diagnostics command: diagnose sniffer packet any "proto 89" 6 0 a (any interface, IP protocol 89 = OSPF, verbose level 6 = headers and full packet data with interface name, 0 = no packet limit, a = absolute UTC timestamps)

Radius configuration:

Start with this example:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-FortiGate-and-Microsoft-NPS-Radius/ta-p/213024
Check connectivity problems from the FortiGate CLI:
diag sniffer packet any "host XXX.XXX.XXX.XXX and udp" 4 0 l
or, for more detail (everything to and from the server, not only UDP):
diag sniffer packet any "host XXX.XXX.XXX.XXX" 4 0 l
(RADIUS authentication uses UDP/1812 and accounting UDP/1813; verbose level 4 prints packet headers with the interface name, 0 means no packet limit, l means local-time timestamps. If you see requests leaving but no replies, the problem is on the NPS side or in between; if nothing leaves at all, it is the FortiGate configuration.)
If there is no connection to RADIUS, check/fix these things:
1) the correct IP address in the RADIUS Client settings in Windows NPS (NPS matches clients by source address, so it must be the address the FortiGate actually sends from, see 2)
2) the correct source address on the FortiGate (CLI only, under config user radius): set source-ip “XXX.XXX.XXX.XXX”
3) Windows Firewall rules. Sometimes it is easier to disable the preconfigured rules for NPS and manually create new ones (thanks, Microsoft, your products are always reliable and predictable)
4) if you have configured logging in the NPS settings, “If logging fails, discard connection requests” should be unchecked
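The FortiGate side of the checklist above as an added example (not from this page or the linked Fortinet tip): the RADIUS server object with source-ip pinned, a group that uses it, and a test that runs the whole exchange from the FortiGate CLI so the NPS, firewall and source-address problems can be separated without a real client. The addresses 192.0.2.10 (NPS) and 192.0.2.1 (FortiGate), the shared secret, the user and the object names are assumed values.

```text
# FortiOS CLI. The NPS address 192.0.2.10, the FortiGate address 192.0.2.1,
# the shared secret, the user and the object names are assumed values.
config user radius
    edit "NPS"
        set server "192.0.2.10"
        set secret SharedSecretChangeMe
        # source-ip is what NPS sees as the RADIUS client address; it must
        # match the address of the RADIUS Client object in NPS (point 1).
        set source-ip "192.0.2.1"
        # Match the authentication method allowed in the NPS network policy.
        set auth-type ms_chap_v2
    next
end

# A user group referencing the server, for use in firewall policies,
# SSL VPN portals or admin profiles (assumed name).
config user group
    edit "radius-users"
        set member "NPS"
    next
end

# Test from the FortiGate itself, without involving a real client:
#   diagnose test authserver radius <server> <pap|chap|mschap|mschap2> <user> <password>
diagnose test authserver radius NPS mschap2 alice CorrectHorseBatteryStaple
# The output reports success or the failure. Read it like this:
#   timeout / no response -> the request or the reply never arrived
#     (Windows Firewall, wrong client IP in NPS, wrong source-ip here)
#   explicit reject       -> NPS saw the request and refused it
#     (shared secret, network policy, account); check the NPS event log

# Confirm the packets really leave from the expected address and port:
diagnose sniffer packet any "host 192.0.2.10 and udp port 1812" 4 0 l
```

Run the sniffer in one session and the authserver test in another: the sniffer shows whether an Access-Request leaves and whether an Access-Accept/Reject comes back, which is exactly the split between points 1 to 3 (no reply) and point 4 plus policy problems (a reply that rejects).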

FortiGate routing debug commands:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-routing-debug-commands/ta-p/330125

General Debugs:

Static Routing:

get router info routing-table all <—– Displays all the active routes in the routing table.
get router info routing-table database <—– Get full routing-table information.
– All routes learned by the unit from different sources: BGP, OSPF, RIP, IS-IS, static, and connected (including routes not selected as best and therefore not active).

get router info routing-table details x.x.x.x <—– Routing entry for x.x.x.x. Known via 'connected' or OSPF, etc.
diagnose ip route list <—– Check whether the route was actually injected into the kernel (the commands above show the routing daemon's view).
get router info routing-table connected <—– Displays all directly connected routes.
get router info routing-table static <—– Displays the static routes configured.
diagnose ip arp list <—– Kernel ARP table.
get system arp <—– ARP table.
diagnose ip rtcache list <—– Kernel route cache.
execute router restart <—– Restarts the routing daemon and rebuilds the routing table. Check with the user before executing this command, as it drops dynamic routing sessions and interrupts traffic.

Identify the source interface for a particular IP address:

get router info routing-table details 8.8.8.8 <—– Look up the route the unit would use to reach 8.8.8.8 (here it falls back to the default route).

Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 10, metric 0, best
* vrf 0 10.9.15.254, via port1

The default static route is configured on port1 towards the internet (running show inside the table prints only that table):

config router static
show
config router static
edit 1
set dst 0.0.0.0 0.0.0.0
set gateway 10.9.15.254
set device "port1"
next
end

OSPF Routing:

get router info routing-table all <—– See all the directly connected routes, OSPF routes, BGP routes, etc.
get router info protocols <—– Show the routing protocols running and the networks being advertised.
get router info ospf database router lsa <—– Gives information about the router LSAs and the individual networks received by the router.
get router info ospf database self-originate <—– Gives information about the LSAs advertised by this router.
get router info routing-table ospf <—– Gives information about the OSPF routes.
get router info ospf database brief <—– Displays the OSPF LSDB.
get router info ospf neighbor all <—– Show all neighbors (Full with the DR/BDR or a point-to-point neighbor; 2-Way with other DROthers on a broadcast segment is normal).
get router info ospf interface <—– View OSPF interface details (network type, timers, DR/BDR).
get router info ospf status <—– View OSPF process status.

BGP Routing:

get router info bgp summary <—– Verify BGP peering status, number of prefixes received/sent, and peering uptime.
get router info bgp neighbors <neighbour_address> advertised-routes <—– See which networks are advertised to a specific neighbor.
get router info bgp network <—– Show routes injected into the BGP table.
get router info bgp community-info <—– Show BGP community strings in use.
get router info routing-table all <—– Get active routing-table information (routes in use by the unit).
get router info routing-table bgp <—– Get BGP active routing-table information (BGP routes in use by the unit).
get router info routing-table database <—– Get full routing-table information (all routes learned by the unit from different sources: BGP, OSPF, RIP, IS-IS, static, and connected. Some of them are in use, some of them are not).
get router info bgp neighbors x.x.x.x received-routes <—– Get the routes received from the neighbour, before inbound filtering (needs soft-reconfiguration inbound enabled for that neighbor, otherwise the output is empty).
get router info bgp neighbors x.x.x.x routes <—– Routes from that neighbour actually accepted into the BGP table after inbound filtering.

execute router clear bgp ip IP_ADDRS <—– Hard-resets the BGP session with that neighbor: the session drops, its routes are withdrawn and re-learned. Disruptive, check with the user first.

execute router clear bgp as AS_Number <—– Hard-resets all BGP sessions with peers in that AS number. Equally disruptive.

Troubleshooting:

Debugging OSPF LSAs:

Run these debug commands to watch the LSA exchange as well as the Hello/Dead timer handling (a timer mismatch with a neighbor is reported here):

diagnose debug disable
diagnose debug reset
diagnose ip router ospf all enable
diagnose ip router ospf level info
diagnose debug console timestamp enable
diagnose debug enable

(Debug output is continuous; stop it with diagnose debug disable followed by diagnose debug reset when done.)

OSPF Sniffer:

A sniffer that can be used to troubleshoot OSPF issues (IP protocol 89; verbose level 3 prints headers plus the full packet in hex, useful when you want to read the Hello fields themselves):

diagnose sniffer packet any "proto 89" 3

Debugging BGP keepalive/hold timers and more:

Run these debug commands to see the keepalive/hold timer negotiation, session state changes and more (BGP has no Hello/Dead timers; the keepalive and hold timers are the equivalent, and the hold time is negotiated down to the lower of the two sides):

diagnose debug disable
diagnose debug reset
diagnose ip router bgp all enable
diagnose ip router bgp level info
diagnose debug console timestamp enable
diagnose debug enable

From v7.2.x onwards, filtering on a specific neighbor or VRF is possible:

diagnose ip router bgp set-filter vrf <vrf_id>
diagnose ip router bgp set-filter neighbor <neighbor_address>

To reset or show the filter:

diagnose ip router bgp set-filter reset
diagnose ip router bgp show
get router info filter show

BGP Sniffer:

BGP uses TCP port 179. Run the sniffer on port 179 to analyze BGP traffic (a SYN with no SYN-ACK, or an immediate RST, points to reachability, a firewall or local-in policy rather than to the BGP configuration):

diagnose sniffer packet any "port 179" 3

To check the routing entry in ZebOS (the routing daemon):

ZebOS is the routing daemon FortiOS uses for dynamic routing; the kernel's own view is diagnose ip route list (above). It is sometimes important to examine the ZebOS configuration when FortiOS is not parsing the routing configuration correctly into ZebOS.

diagnose ip router command show-vrf <vdom> <zebos command>
diagnose ip router command show-vrf root show run
diagnose ip router command show-vrf root show run int <name>
diagnose ip router command show-vrf root show interface <name>
diagnose ip router command show-vrf root show ip route
diagnose ip router command show-vrf root show ip route x.x.x.x

To verify routing decisions for a packet hitting the FortiGate, a debug flow can be run:

diagnose debug disable
diagnose debug reset      <—– Resets debug settings.
diagnose debug flow filter    <—– Use the '?' to check the filter options (addr, saddr, daddr, port, proto, ...). Always set a filter first; an unfiltered trace on a busy unit floods the console.
diagnose debug console timestamp enable
diagnose debug flow trace start 100  <—– This will display 100 packets for this flow.
diagnose debug enable
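The procedure above filled in, as an added example that is not from this page or the Fortinet article: a trace of ICMP from a LAN host to 8.8.8.8, with the filter set before the trace is armed and the cleanup that the page's sequence stops short of. The host address 10.9.15.20 is assumed; 8.8.8.8 and the default route via port1 are taken from the routing-table output earlier on the page.

```text
# FortiOS CLI. Trace how the unit handles ICMP from LAN host 10.9.15.20
# (assumed address) to 8.8.8.8.
diagnose debug disable
diagnose debug reset
# Filter first; an unfiltered trace on a busy unit floods the console.
diagnose debug flow filter saddr 10.9.15.20
diagnose debug flow filter daddr 8.8.8.8
diagnose debug flow filter proto 1
# Prefix each line with the kernel function that emitted it, which shows
# at which stage a packet was dropped.
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
# Trace at most 10 packets, then arm the output.
diagnose debug flow trace start 10
diagnose debug enable

# Now send the traffic from 10.9.15.20 (e.g. ping 8.8.8.8 from that host).
# In the output, look for the route selection line (a "find a route" line
# naming the gateway and the outgoing interface, here 10.9.15.254 via
# port1) followed by the policy decision ("Allowed by Policy-<id>" or
# "Denied by forward policy check").

# Clean up; the filter and the debug state persist until cleared.
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug disable
diagnose debug reset
```

Filtering on proto 1 with a source and destination keeps the trace to the one conversation you care about; for TCP traffic replace proto 1 with proto 6 and add diagnose debug flow filter dport <port> so that only the first packets of the relevant sessions are traced.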