Firewall
Fortinet: is there any command equivalent to the ASA's packet-tracer?
I'd like to know whether FortiGates have an equivalent of the packet-tracer command we can find on the ASA.
Here is an example run, for those who don't know it:
NATed and passed:
lev5505# packet-tracer input inside tcp 192.168.3.20 9876 8.8.8.8 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside-in in interface inside
access-list inside-in extended permit tcp any any eq www
access-list inside-in remark Allows DNS
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
object network inside-network
 nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.3.20/9876 to 81.56.15.183/9876

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 94755, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Blocked by an ACL:
lev5505# packet-tracer input inside tcp 192.168.3.20 9876 8.8.8.8 81

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Is there any equivalent on FortiGates?
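As an added example (not from the question or any answer), a small Python parser for the packet-tracer output quoted above, so a policy check can be scripted and the first phase that did not allow the flow reported; the two traces below are constructed, abridged copies of the runs in the question.

```python
import re

PHASE_RE = re.compile(r"^Phase: (\d+)[ \t]*$", re.M)  # one "Phase: N" header per phase

def parse_packet_tracer(text: str) -> dict:
    """Summarise one packet-tracer run: per-phase results, final action, drop reason, NAT."""
    parts = PHASE_RE.split(text)  # [preamble, "1", body1, "2", body2, ...]
    phases = []
    for i in range(1, len(parts) - 1, 2):
        body = parts[i + 1]
        ptype = re.search(r"^Type: (\S+)", body, re.M)
        # The first "Result: X" in a body is the phase verdict; the trailing bare "Result:" block has no value.
        result = re.search(r"^Result: (\w+)", body, re.M)
        phases.append((int(parts[i]), ptype.group(1) if ptype else "?", result.group(1) if result else "?"))
    action = re.search(r"^Action: (\w+)", text, re.M)
    reason = re.search(r"^Drop-reason: (.+)$", text, re.M)
    nat = re.search(r"^Dynamic translate (\S+) to (\S+)", text, re.M)
    return {"phases": phases,
            "action": action.group(1) if action else "unknown",
            "drop_reason": reason.group(1).strip() if reason else None,
            "nat": f"{nat.group(1)} -> {nat.group(2)}" if nat else None}

def blocking_phase(summary: dict):
    """Return (number, type) of the first phase that did not ALLOW, or None if every phase allowed."""
    return next(((n, t) for n, t, r in summary["phases"] if r != "ALLOW"), None)

# Constructed samples, abridged from the two traces quoted in the question.
ALLOW_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Result: ALLOW
Phase: 6
Type: NAT
Result: ALLOW
Dynamic translate 192.168.3.20/9876 to 81.56.15.183/9876
Action: allow
"""

DROP_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Phase: 2
Type: ACCESS-LIST
Result: DROP
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Feed it the raw text of a real run (e.g. captured from the CLI) and compare `blocking_phase` against the phase you expected to hit before and after a policy change.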
On a FortiGate you don't actually have a command that can generate a synthetic packet the way you can on your Cisco ASA. But the closest utility would be the "diagnose debug flow" command. The difference is that with a FortiGate you need real traffic passing through the firewall.
Here are the complete commands you need to run:
diagnose debug reset
diagnose debug flow filter addr <source OR destination IP address>
diagnose debug flow show console enable
diagnose debug flow show function enable
diagnose debug flow trace start <number of entries you want to view, e.g. 100>
diagnose debug enable