我想知道有没有与 Fortigates 相当的数据包追踪器我们可以在 ASA 上找到的命令。
对于那些不知道的人来说,这是一个执行示例:
NAT并传递:
lev5505# packet-tracer input inside tcp 192.168.3.20 9876 8.8.8.8 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside-in in interface inside
access-list inside-in extended permit tcp any any eq www
access-list inside-in remark Allows DNS
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
object network inside-network
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.3.20/9876 to 81.56.15.183/9876
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 94755, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
被 ACL 阻止:
lev5505# packet-tracer input inside tcp 192.168.3.20 9876 8.8.8.8 81
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Fortigates 上有同等的东西吗?
答案1
在 Fortigate 上,您实际上没有像在 cisco ASA 上那样能够生成虚拟数据包的命令。但最接近的实用程序将是“诊断调试流”命令。不同之处在于,使用 fortigate 时,您需要真实的流量穿过防火墙。
以下是您需要执行的完整命令:
diagnose debug reset
diagnose debug flow filter addr <source OR destination IP address>
diagnose debug flow show console enable
diagnose debug flow show function enable
diagnose debug flow trace start <number of entries you want to view. e.g. 100>
diagnose debug enable
答案2
我确实相信您在 Fortinet 设备上能找到的最接近的东西是嗅探器实用程序(可以通过以下方式访问:诊断嗅探器?)我忘记了此后的确切选项,但它应该就是您要找的东西。
答案3
在 fortigate 上它的名字是“诊断调试流跟踪”
https://blog.webernetz.net/2015/12/21/cli-commands-for-troubleshooting-fortigate-firewalls/
答案4
为了显示输出数据包,以下是一个示例:diagnose firewall iprope lookup "source IP" "source port" "destination IP" "destination port" "protocol" "interface"
例子:
diagnose firewall iprope lookup 10.212.134.200 12345 8.8.8.8 53 udp ssl.root
这是从 SSL VPN 到 Google DNS 的测试,结果如下:
<src [10.212.134.200-12345] dst [8.8.8.8-53] proto tcp dev ssl.root> matches policy id: 0
它与任何策略都不匹配,因此它采用默认拒绝规则 0。
我希望这能帮到你