Firewall

Fortinet:是否有任何與 ASA 的 packet-tracer 命令等效的命令?

  • March 20, 2021

我想知道是否沒有我們可以在 ASA 上找到的與packet-tracer命令等效的 Fortigates。

下面是一個執行範例,供不知道的人使用:

NAT 並通過:

lev5505# packet-tracer input inside tcp 192.168.3.20 9876 8.8.8.8 80

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside-in in interface inside
access-list inside-in extended permit tcp any any eq www 
access-list inside-in remark Allows DNS
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: 
Result: ALLOW
Config:
object network inside-network
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.3.20/9876 to 81.56.15.183/9876

Phase: 7
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 94755, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

被 ACL 阻止:

lev5505# packet-tracer input inside tcp 192.168.3.20 9876 8.8.8.8 81

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Fortigates 上是否有任何等價物?

在 Fortigate 上,您實際上沒有能夠像在您的 cisco ASA 上那樣生成虛擬數據包的命令。但最接近的實用程序將是“診斷調試流程”命令。不同之處在於,使用 fortigate 時,您需要真正的流量穿過防火牆。

以下是您需要執行的完整命令:

diagnose debug reset
diagnose debug flow filter addr <source OR destination IP address>
diagnose debug flow show console enable
diagnose debug flow show function enable
diagnose debug flow trace start <number of entries you want to view. e.g. 100>
diagnose debug enable

引用自:https://serverfault.com/questions/372377