搜索
©CopyrightFortinetInc.Allrightsreserved.4September2019FortiGateIITroubleshootingFortiGate5.2.12目标识别网络常规行为监控非正常行为如流量突发或非典型性协议Troubleshoot物理和逻辑网络接口理解会话表使用“diagnosedebugflow”来对流量流向进行排错对资源使用问题进行排错,如当防病毒和IPS打开时高CPU或高内存占用测试没有保存到flash的OS3在任何问题发生之前定义正常行为(基线):»CPU使用率»Memory使用率»流量等级»流量如何走向(流量)»使用了哪些协议和TCP/UDP端口»流量模式和分布Why?»如果你知道什么是正常流量,识别非正常流量会更容易NowBaseline(Average)NormalRangeAbnormal4网络图为何需要网络图?»没有网络图,解释和分析复杂网络是困难且耗时的物理图»包含所有物理网络接口,连线和端口»对Layer1/2/3的问题很有效逻辑图»包含路由器,逻辑设备(VDOMs)和UTM»对Layer3+的问题很有效2001:db8::b108port2192.168.1.0/24port4172.16.1.0/27port110.0.0.0/8port35监控数据流&资源使用情况获取正常的网络数据在发生问题之前不正常的行为非常难发现–除非知道什么是正常的»CPU使用率»RAM使用率»允许通过的应用»入和出的带宽…工具»SNMP»Alertemail»Logging/Syslog»FortiAnalyzer或者第三方SIEM(systeminformation&eventmanagement)»Dashboard/getsystemstatusNormalTrafficspikes6SNMPAllowedsourceofqueries7通过SNMP获取事件通知trapDestination触发FortiGatet发送SNMP消息的事件8#getsysstatusVersion:FortiGate-VM64v5.2.0,build0589,140613(GA)Virus-DB:22.00856(2014-09-2405:33)ExtendedDB:1.00000(2012-10-1715:46)IPS-DB:5.00549(2014-09-2300:49)IPS-ETDB:0.00000(2001-01-0100:00)Serial-Number:FGVM040000025212BotnetDB:1.00736(2014-08-2410:18)LicenseStatus:ValidVMResources:1CPU/4allowed,969MBRAM/6144MBallowedBIOSversion:04000002Logharddisk:AvailableHostname:STUDENTOperationMode:NATCurrentvirtualdomain:rootMaxnumberofvirtualdomains:10Virtualdomainsstatus:1inNATmode,0inTPmodeVirtualdomainconfiguration:disableFIPS-CCmode:disableCurrentHAmode:standaloneBranchpoint:589ReleaseVersionInformation:GAFortiOSx86-64:YesSystemtime:ThuOct900:26:542014#getsysperfstatCPUstates:2%user15%system0%nice83%idleCPU0states:2%user15%system0%nice83%idleMemorystates:44%usedAveragenetworkusage:542kbpsin1minute,1050kbpsin10minutes,512kbpsin30minutesAveragesessions:7sessionsin1minute,5sessionsin10minutes,5sessionsin30minutesAveragesessionsetuprate:0sessionspersecondinlast1minute,0sessionspersecondinlast10minutes,0sessionspersecondinlast30minutesViruscaught:0totalin1minuteIPSattacksblocked:0totalin1minuteUptime:0days,0hours,19minutes系统信息&资源使用情况9#diagnosefirewallstatisticshowgettingtrafficstatistics...Browsing:328packets,132562bytesDNS:797packets,127917bytesE-Mail:0packets,0bytesFTP:0packets,0bytesGaming:0packets,0bytesIM:0packets,0bytesNewsgroups:0packets,0bytesP2P:0packets,0bytesStreaming:0packets,0bytesTFTP:0packets,0bytesVoIP:0packets,0bytesGenericTCP:1098554packets,817573554bytesGenericUDP:1490packets,210976bytesGenericICMP:0packets,0bytesGenericIP:6packets,192bytes#diagnosehardwaredeviceinfonicport1Name:port1Driver:e1000Version:5.1.13k2NAPIFWversion:N/ABus:00:11.0Memory:0xfeb80000-0xfeba0000Baseaddress:0x1400Interrupt:18Hwaddr:00:0c:29:95:8c:faPermanentHwaddr:00:0c:29:95:8c:faState:upLink:upMtu:1500Supported:auto10half10full100half100full1000fullAdvertised:auto10half10full100half100full1000fullSpeed:1000fullAuto:enabledRxpackets:136154Rxbytes:10901815Rxcompressed:0Rxdropped:0Rxerrors:0RxLengtherr:0RxBufoverflow:0RxCrcerr:0RxFrameerr:0RxFifooverrun:0RxMissedpackets:0Txpackets:1611Txbytes:257565...Multicasts:0Collisions:0带宽利用率,系统崩溃和错误10其他工具CLI»getsystemstatus»getsystemperformancestatus»diagnosesystop»diagnosesystop-summary»diagnosehardwaresysinfomemory»diagnosehardwaresysinfoshm»diagnosenetlinkdevicelist»diagnosehardwaredeviceinfonicport1»diagnosefirewallstatisticsshow»...DashboardSNMPtrapsAlertemailLogs11#diagnosehardwaredeviceinfonicport1Description:FortiASICNP6AdapterDriverName:FortiASICUnifiedNPUDriverName:np6_2PCISlot:8d:00.0irq:58Board:FGT3700DSN:NP6KR44613000276MajorID:2MinorID:0lifid:0lifoid:156netdevoid:156netdevflags:1203Current_HWaddr:08:5b:0e:4a:2e:e4Permanent_HWaddr:08:5b:0e:4a:2e:e4phyname:np6_2_0bank_id:255phy_addr:0x20lane:0sw_port:51sw_np_port(cat)vid_phy[6]:[0x00][0x00][0x0b][0x00][0x00][0x00]vid_fwd[6]:[0x00][0x00][0x00][0x00][0x00][0x00]oid_fwd[6]:[0x00][0x00][0x00][0xcc][0x00][0x00]==========LinkStatus==========Admin:upnetdevstatus:downautonego_setting:1link_setting:1link_speed:40000link_duplex:1Speed:0Duplex:Fulllink_status:Downrx_link_status:0int_phy_link:0local_fault:0local_warning:0remote_fault:0============Counters===========RxPkts:0RxBytes:0TxPkts:0TxBytes:0HostRxPkts:0HostRxBytes:0HostRxdropped:0HostTxPkts:4HostTxBytes:198HostTxdropped:0sw_rx_pkts:0sw_rx_bytes:0sw_tx_pkts:0sw_tx_bytes:0sw_np_rx_pkts:4sw_np_rx_bytes:272sw_np_tx_pkts:0sw_np_tx_bytes:0物理层/数据链路层的Troubleshooting12网络层的Troubleshooting:路由#executeping-options?data-size定义数据包的大小,以bytes为单位df-bit在IP头里设置DF位yes|nointerval两个ping直接的间隔时间,以秒为单位pattern十六进制格式,e.g.00ffaabbrepeat-count重复ping多少次sourceauto|源接口IPtimeout定义多少秒后timeouttosIP的服务类型ttl存活时间time-to-live.validate-reply有效的reply数据yes|no.view-settings查看ping的当前设置#executepingipv4_address#executetraceroute{ipv4_address|host_fqdn}13网络层的Troubleshooting:会话1.清空之前的过滤条件#diagnosesyssessionfilterclear2.设置过滤条件#diagnosesyssessionfilter?dportdestinationportdstdestinationIPaddresspolicypolicyidsportsourceportsrcsourceipaddress3.列出所有匹配过滤条件的会话#diagnosesyssessionlist4.清空所有匹配过滤条件的会话#diagnosesyssessionclear14会话表:TCPsessioninfo:proto=6proto_s