我想知道是否没有Fortigates相当于我们可以在ASA上find的packet-tracer命令。
这是一个不知道它的人的执行的例子:
NAT和通行证:
lev5505# packet-tracer input inside tcp 192.168.3.20 9876 8.8.8.8 80 Phase: 1 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: MAC Access list Phase: 2 Type: ROUTE-LOOKUP Subtype: input Result: ALLOW Config: Additional Information: in 0.0.0.0 0.0.0.0 outside Phase: 3 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group inside-in in interface inside access-list inside-in extended permit tcp any any eq www access-list inside-in remark Allows DNS Additional Information: Phase: 4 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 5 Type: VPN Subtype: ipsec-tunnel-flow Result: ALLOW Config: Additional Information: Phase: 6 Type: NAT Subtype: Result: ALLOW Config: object network inside-network nat (inside,outside) dynamic interface Additional Information: Dynamic translate 192.168.3.20/9876 to 81.56.15.183/9876 Phase: 7 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 8 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 94755, packet dispatched to next module Result: input-interface: inside input-status: up input-line-status: up output-interface: outside output-status: up output-line-status: up Action: allow 被ACL阻止:
lev5505# packet-tracer input inside tcp 192.168.3.20 9876 8.8.8.8 81 Phase: 1 Type: ROUTE-LOOKUP Subtype: input Result: ALLOW Config: Additional Information: in 0.0.0.0 0.0.0.0 outside Phase: 2 Type: ACCESS-LIST Subtype: Result: DROP Config: Implicit Rule Additional Information: Result: input-interface: inside input-status: up input-line-status: up output-interface: outside output-status: up output-line-status: up Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule
Fortigates上有没有相同的东西?
在Fortigate上,你实际上没有能力生成虚拟包,就像在你的思科ASA上一样。 但最接近的实用程序将是“诊断debuggingstream程”命令。 不同的是,fortigate需要真正的stream量穿越防火墙。
以下是您需要执行的完整命令:
diagnose debug reset diagnose debug flow filter addr <source OR destination IP address> diagnose debug flow show console enable diagnose debug flow show function enable diagnose debug flow trace start <number of entries you want to view. eg 100> diagnose debug enable
我相信在Fortinet设备上最接近的东西就是嗅探器工具(可以通过诊断嗅探器进行访问?)我忘记了这一点之后的确切选项,但它应该是你正在寻找的东西。
在fortigate上名为“诊断debuggingstream程跟踪”
https://blog.webernetz.net/2015/12/21/cli-commands-for-troubleshooting-fortigate-firewalls/