Search Results
419 total results found
Technical
This is a collection of technical notes I have made for myself over the years. It will eventually contain the bulk of what used to be in the snipsnap instance that served this site in the past. I won't carry forward all the information from the old system as s...
FortiOS
Various FortiOS notes I've made for myself over the years. I've been working with Fortinet firewalls now since v5.0.0. Mostly small deployments (F-60 class) but I have worked with larger devices. My main bread-and-butter firewalls were a cluster of FGT-300D un...
Linux
Cisco
Cisco Stuff. For the most part the clientele that I have worked with have been unable to afford serious Cisco equipment, so my engagement with it is fairly superficial. I think I understand most of the switching basics prior to the introduction of fabrics and...
Applications
War Stories
Stuff that may or may not have happened.
Sun & Solaris
My Stuff
Scripts and other stuff I've written.
Juniper
Notes from a previous life looking after Juniper switches and baby SRX firewalls. Before this I came from mostly working with Dell and HP switches, and Netscreen-ScreenOS firewalls. In general, I have listed the entire from-root set commands rather than show ...
Palo Alto
v5.0.x
v5.2.x
v5.4.x
v5.6.x
v6.0.x
v6.2.x
v6.4.x
v7.0.x
CentOS 4
CentOS 5
CentOS 6
CentOS 7
CentOS 8
ASA
ASA 8.0
ASA 8.2
ASA 8.3
ASA 8.4
ASA 8.6
ASA 9.1
HA Cluster Member Firmware Revisions
(2014-11-20) Verify the firmware versions of cluster members: fw-ottawa-A # get system stat Version [...] [...] fw-ottawa-A # execute ha manage 0 fw-ottawa-B # get system stat Version [...] [...]
DHCP and PPPoE
Problem: Cannot set mode to DHCP or PPPoE when HA is on. It doesn't work. Note: this is allegedly supported in 5.2.1 or higher, but there are other problems with this firmware that prevent me from confirming this. **Update:** With 5.2.2 I can at leas...
arp
(2015-04-20) Show the arp table: # get system arp
crashlog
(2015-04-22) List the firewall's internal crashlog: # di de crashlog read
DHCP Reservation
(2015-01-29) Warning: this method does not work in 5.2 (and presumably higher). config system dhcp reserved-address edit <string> set ip <ipv4> set mac <mac> set type regular end
Reset to Factory Defaults
(2013-08-28) Reset To Factory Defaults You have two minutes from power reset to perform this task. Login: username maintainer password bcpb$SERIALNUMBER Reset: execute factoryreset Let it run, then log in as admin with no password.
Interface Duplex
(2013-12-17) Problem Need to force speed/duplex on a physical interface. Solution There's no GUI option, you must command-line: forti$ config system interface forti(Interface)$ edit wan2 forti(wan2)$ set speed 100full forti(wan2)$ end Possible settings for sp...
Interface Mode
(2014-06-24) To set interface mode: make sure the default Internal interface has no DHCP server enabled (it is by default) and has no policies referring to it (there are by default) or any address objects referring explicitly to it on the console: config sys...
Packet Capture
(2013-07-18) Show information of packets seen on an interface: # diag sniffer packet internal none 4 3 internal in 192.168.0.1.22 -> 192.168.0.30.1144: psh 2859918764 ack 1949135261 internal in 192.168.0.1.22 -> 192.168.0.30.1144: psh 2859918816 ack 1949135261...
Radius Server Definition
(2014-06-14) On the smaller FortiGates, the GUI doesn't include the ability to define Radius servers. So you have to do it via the command line. This is a minimal Radius server definition: config user radius edit "DC Radius" set server "192.168.1.2...
Reset Admin Password
(2014-07-03) Problem Nobody remembers the password for a given admin account. We have another superadmin account that we can log in with. Solution Easy: delete the account and recreate it. Harder: (i.e. under some circumstances you can't delete the admin account...
Routing Table
(2013-08-26) Display the routing table: # get router info routing-table all
Simple Commands
(2013-11-13) Ping # exec ping $TARGET Routes # get router info routing-table all
Syslog
(2014-08-22) To enable logging to a syslog server: config log syslogd setting set status enable set server <ip.or.dns-name.here> end For some reason this doesn't appear as a GUI option.
Test Authentication Servers
Testing authentication These CLI commands can help you test your RADIUS or LDAP server: # diag test auth radius <server_name> <chap | pap | mschap | mschap2> <username> <pwd> # diag test authserver ldap <server_name> <username> <pwd> These commands turn on mo...
Backup ISP with some traffic selection
(2013-08-26) Problem: My scenario is that I have a FortiGate 60D with two ISPs: a static DSL, and a dynamic high speed cable. So I have VIP objects defined on my DSL line going to a couple of systems, including a mail system. I want: The mail system to send t...
DHCP Client Leases
(2015-04-22) List the DHCP leases handed out on $INTERFACE. # exec dhcp lease-list $INTERFACE
Interface Status
(2015-04-01) Interface State. Show IP, status, speed/duplex: get system interface physical. Show physical state including errors and drops: get hardware nic X. Also you can look at ifconfig: fnsysctl ifconfig X
Memory Logging
(2015-03-12) Problem By default, baby firewalls (which seems to mean up to and including F90Ds) do not log practically anything. Solution Enable memory logging from the command line: config log memory setting set status enable end The system will now use up ...
Configuration Preparation
(2015-08-24) This is the recipe that I use when configuring out-of-box systems for the first time. By default, WAN1 is a dhcp insterface. So I set WAN1 to allow HTTPS management, then plug WAN1 into the LAN that I have handy so I can web-manage. config system ...