NSE4_FGT-6.4 Fortinet NSE 4 – FortiOS 6.4 – FortiGate Firewall V6.4 Part 34
May 7, 2023

81. Lecture-81:Troubleshooting FortiGate Firewall.

Now, troubleshooting: how we do troubleshooting on the FortiGate firewall. First you need to know what troubleshooting is. Troubleshooting means shoot the trouble: take a gun and shoot the trouble whenever you face it, but don't shoot yourself, because troubleshooting is one of the hardest parts of networking. You will be under pressure. Sometimes the network is not working, resources are not accessible, the manager is shouting, other people are shouting at you and asking what the hell is this, and all those things. So you have to be cool and calm to do troubleshooting.

Don't care about anyone, and don't worry that you will lose your job. I know these are very hard things to do, but you have to plan and resolve the issue. Troubleshooting means: if there is any problem, any error, any issue in the network, you resolve it. That is called troubleshooting. But you have to plan it. You have to think.

And for thinking you have a very small amount of time, because normally when troubleshooting comes, time is the one thing you don't have, and as I told you, the manager is shouting, everyone is shouting, everyone is saying this and that. Now, how do we approach troubleshooting? Isolate the problem: what is the issue? Isolate it by layer, using the OSI model: is it a layer 2 issue, a layer 3 issue, a layer 4 issue, a web application issue, an application issue, a hardware issue? Go through the OSI model from layer 1 to layer 7. And whatever you do, document it, and whatever you troubleshoot, document that as well.

So document everything, whatever you have done, whether you solved the issue or not. This is very important, so that whenever you face the same issue again you have it documented in an Excel file and also in the ticketing system. You can use Word and Excel, all those things, just for future use. When you face it again, isolate it, document it and check it. If you cannot do something, don't worry about saying no; don't worry that they will say, what the hell are you, you are a CCIE and you don't know how to resolve this small issue. Maybe it is just not coming to your mind. So what you need to do is escalate: open a ticket with the vendor. Every vendor normally gives you support, like Palo Alto, where you can open a ticket.

They have their own support team, and so do other vendors: Cisco has its tech support team, and they will do their job in two minutes. Why waste your time? It is better to escalate to your third-party vendor, either by creating a support ticket or by handing it to your layer 3 engineer. It's not a big issue. Sometimes you don't know how to solve it, but maybe he knows better. Last, you have to verify. Whatever changes you have made, check them with ping, traceroute and show commands, checking everything, and monitor for a while. Maybe you fixed one issue but a new issue arrives, so it is better to monitor carefully for a while. These are the steps: define your problem, gather the facts, consider the possibilities, create an action plan, implement the action plan, observe the results, and utilize the process I mentioned above. In steps: do the problem symptoms stop? If yes, the problem is resolved; document the effect and finish.

If no, start again: utilize the process, observe everything and repeat. The two most widely used commands, which have helped me my entire life, are ping and traceroute. There are many other commands, like telnet; we use telnet for port troubleshooting as well, by the way, for a TCP port like 23, 80 or 443. That is also a very important command in my life that I use most of the time. But the two most widely used commands are ping and traceroute. Ping means packet internet groper, and traceroute traces the route the traffic is taking. Normally in your organization they may be blocked, but for engineers and security engineers you can allow these two commands. They are very important and will help you most of the time; 80% of the time they will solve your issue, because these two commands can use a fully qualified domain name, like ping google.com or traceroute google.com, and also IP addresses, to figure out where the issue is. This is just the summarized version; because you are a security engineer, you already know these two commands in more detail. Now, coming to which approach I need to solve the issue: one is the top-down approach, meaning the OSI model starting from the application layer. Suppose somebody says, I cannot access the internet. Check their browser, check Google Chrome, then check Internet Explorer; maybe that works.

Then check the interface, then check the IP address, then check the cable, and go down this way to layer 2, then go to the VLANs, check the VLANs, then the switch, and so on. This is called the top-down approach: start from the top to troubleshoot the issue. Second is the bottom-up approach. Suppose someone says, I cannot access the internet, and you start by checking the cable at the physical layer, then you check the interface, then you check the IP address, and last you come to the application and check whether the internet is working or not. This is called the bottom-up approach. I'm just giving you a quick overview, not going into detail. Another method is the divide-and-conquer approach. Divide and conquer means divide the problem: if there is an issue you say, okay, on this side I will check the hardware section and on that side I will check the application, meaning you divide the layers into two categories, starting from the transport and network layers, and work each half. Another one is the follow-the-traffic-path approach. Suppose there is an issue: start with ping and traceroute.

And wherever the traceroute stops, go to that device and figure out the issue. Suppose you are going from here to here: you start the traceroute here with the destination IP, this one, and if it stops here, just come here; the issue is here. That is the simple way to use this method, and a normal engineer will use this method. Next is the spot-the-difference approach: if you have zero experience and you don't know, spot the difference. The approach means check two things, the one which is working and the one which is not working, and spot what the difference is between the two devices. Match them and it will start working. Another is the replace-component approach. Maybe someone says my monitor screen is not working. You plug in a new cable to check, you know, the power cable; then you plug in another monitor, then another power cable, then another extension. You are changing one thing at a time to see which thing is the faulty one. This is called the replace-component approach. And this is the diagram: determine the scope of the problem. If it is limited, the top-down method is the best one; if it is complex, go to the bottom-up method. Analyze the symptom: what is the symptom? Previous experience: if you have previous experience, just start straight away. The divide-and-conquer method is also there for you. Compare: I already told you to check two things, whether it is working or not. And another one is swapping: if something is not working, change it with another one. This is also one of the methods. But always think before you act: measure twice, cut once. You have to be very careful and plan before troubleshooting. You know, Abraham Lincoln said that if I had six hours to chop down a tree, I would spend the first four hours sharpening the axe. So you have to be ready; your tools have to be ready before you attack someone rather than attacking without tools and everything, so that they can harm you and it can be very dangerous. So it's better to be ready and fully aware.

A syslog server, SNMP server, NTP server and all those things can be very helpful, and also backups. If you have a backup, your tension will be released; you will say, okay, no issue, if something goes wrong I will restore it. So it's better to take backups all the time. If NTP is working, then you can figure out when the issue arose and what the issue was. Syslog can help you, and SNMP, which I told you about already. So these are the basic things.
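The follow-the-traffic-path approach above boils down to reading a traceroute and finding the last device that still answers. As an added example, not part of the lecture or its lab, here is a small Python helper that parses traceroute output and reports where the path goes silent. The traceroute text and the addresses in it are constructed for the example (203.0.113.0/24 is documentation space); the `silent_threshold` parameter is my own assumption, there to separate a single router that simply filters ICMP from a path that is really broken.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed traceroute output (not from the lecture's topology): the path answers
# up to hop 3 and then every probe times out.
SAMPLE_TRACEROUTE = """\
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.1.254  0.412 ms  0.380 ms  0.351 ms
 2  10.10.10.1  1.102 ms  1.050 ms  1.011 ms
 3  203.0.113.1  5.210 ms  5.100 ms  5.050 ms
 4  * * *
 5  * * *
 6  * * *
"""

# Constructed counter-example: hop 2 never answers (ICMP filtered), yet the path
# continues and reaches the destination, so nothing is broken.
SAMPLE_FILTERED_HOP = """\
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.1.254  0.412 ms  0.380 ms  0.351 ms
 2  * * *
 3  203.0.113.1  5.210 ms  5.100 ms  5.050 ms
 4  8.8.8.8  9.870 ms  9.800 ms  9.910 ms
"""

HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<body>\S.*?)\s*$")
RTT_RE = re.compile(r"([\d.]+) ms")


def parse_hops(text: str) -> List[Tuple[int, Optional[str], Optional[float]]]:
    """Return (hop_number, responder_or_None, min_rtt_ms_or_None) per hop line."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # the "traceroute to ..." banner
        body = m["body"]
        if body.replace("*", "").strip() == "":
            hops.append((int(m["hop"]), None, None))  # all probes timed out
            continue
        responder = body.split()[0]
        rtts = [float(x) for x in RTT_RE.findall(body)]
        hops.append((int(m["hop"]), responder, min(rtts) if rtts else None))
    return hops


def find_break(text: str, silent_threshold: int = 3) -> Dict[str, object]:
    """Locate the last responding hop and the run of silent hops after it.

    Only a trailing run of at least `silent_threshold` silent hops is treated as a
    broken path; a lone silent hop in the middle is usually just ICMP filtering.
    """
    last_ok: Optional[Tuple[int, str]] = None
    first_silent: Optional[int] = None
    silent_run = 0
    for hop, responder, _rtt in parse_hops(text):
        if responder is None:
            silent_run += 1
            if first_silent is None:
                first_silent = hop
        else:
            last_ok, silent_run, first_silent = (hop, responder), 0, None
    return {
        "last_responding": last_ok,     # device to start looking at
        "first_silent": first_silent,   # hop after which no reply came back
        "silent_hops": silent_run,
        "path_broken": silent_run >= silent_threshold,
    }


if __name__ == "__main__":
    print(find_break(SAMPLE_TRACEROUTE))
    print(find_break(SAMPLE_FILTERED_HOP))
```

For the first sample the result points at hop 3 (203.0.113.1): that is where the lecture says to go and start looking, at that device and its next hop. For the second sample `path_broken` is false, which is the caveat worth remembering: one silent hop in the middle of an otherwise complete trace is not where the problem is.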

82. Lecture-82:Packet Sniffing in FortiGate Firewall.

In the FortiGate firewall we can use the packet sniffer. The packet sniffer is also called a network tap, packet capture or logic analyzer, an analyzer like Wireshark. It is nothing but a Wireshark-like tool built into the FortiGate firewall to troubleshoot issues. You know, those students who did the F5 load balancer course with me know that we used tcpdump. tcpdump was a command on the F5 load balancer to troubleshoot many issues, and I gave you a full one-hour lecture on it. If you remember, the same thing can be done here with the packet sniffer. Palo Alto has the same approach as well, and other firewalls too, by the way. So it sniffs the packet, it captures the packet, it analyzes the packet, and you can see it, find out, and troubleshoot your issue. The full command is diagnose sniffer packet, then type the interface name, then the filter you want, then which verbosity level, how many packets to count, and the timestamp format. So the interface name can be like port1, or internal, wan, lan, dmz. First you type diagnose sniffer packet, then type the interface. And if you say any, it means any interface; you can type any as well. So two things: first mention the interface, then there is the filter. The filter has to be enclosed in single quotes. If you type none, it means any packet. Verbose means: if you want to print only the header, type 1; if you want the IP packet as well, type 2; if you want the Ethernet packet as well, type 3.

And if you want all the detail, this one is the best one: type 4. So when I type this command, keep in mind that 4 means show me all the detail. If I type something for the filter, the filter means type something inside single quotes, and count means how many packets. So if you say 1, 2, 3, it will capture that many packets. But if you don't mention any count, then you have to press Ctrl+C to stop it; it will continuously keep showing packets. Then the timestamp format, if you need the time as well: a means absolute time and l means absolute local time. Otherwise it can be anything. These are some of the commands which we will use, and I will show you. Now in my topology I have two users in the 192.168.1.0 network, going to the internet. I want to troubleshoot what the issue is, so in the firewall, while I'm here, what I will do is log in as admin and type diagnose sniffer ?. The next one is packet, and after that it says interface; also look at the any option. If you don't know which interface, you can type any. Then there is the filter, which as I told you should be in single quotes, but I say none. You can type it this way as well. Look: any traffic coming from any interface is showing here. But I did not give any count, so it is continuously sending. Let me open this so I can generate some traffic from this side: enable, 123123, and ping 8.8.8.8. It has to go to 8.8.8.8, by the way. So it is showing me here that 8.8.8.8 is getting an ICMP echo request. But why is it not going? Let me check my route. The route is there, 100%. Maybe there is no policy to allow me. So let me quickly create a policy, just to check the thing. It's better to create one policy so I can distinguish different things. Let me stop this one, by the way, because any packet means it is showing me everything. So let me go to Policy & Objects, Firewall Policy. Yeah, there is no policy from LAN to WAN.

So that's why. Let me create LAN to WAN and allow traffic from LAN going to WAN: source can be anything, destination can be anything, services can be anything, all sessions, and OK. Also, if you want to see denied traffic, you know the implicit deny: there are many denied packets, look at 675. Click on this policy and enable logging so that you can see the logs. It's also a good way to troubleshoot better, so you see the dropped packets as well. Now I can see the traffic. This time I will say port2; I can mention port2 as well. Now the sniffer filter is port2 only. And now let's generate traffic from here. By the way, it has to go to the internet. Everything is there and it's still not going anywhere. I can see the traffic: look, the traffic is coming from 192.168.1.1 going to 8.8.8.8 and it's an ICMP echo request, but it's unlimited. If you say count, you can mention, suppose, 4. Okay, what? I didn't run 4. Okay, 4 is also for the other thing (verbose), so leave it.

I will show you; it has to be later on. So now this is the way for any and for a specific port. Now I say port2, but the host is not in single quotes, sorry: port2 'host 192.168.1.1', and now generate traffic. So this is more specific: I say only this host, because if I say port2 only, this other one is also coming from port2, so it will show me both traffic. Let me show you from this one as well. If I turn on the other server as well, okay, enable, ping 8.8.8.8. Okay, so this one is not showing here because I said host 1.1 only. But if I bring up the top one, now it will show me both, this one as well and this one as well. Look at 1.1 and 1.2 as well, so this is the difference. Ctrl+C to break it; twelve packets have been received. So it's better to use host. Now if I need only two specific hosts' results: if I generate traffic from 1.1 it will not show; it's not showing. But if I generate from here, you will see the traffic, look, it is showing now, because I told it to capture only for 1.2. ARP entries and everything are showing because I did not mention anything specific. So you can specify a host, but if I say host this one and the other host they want to reach is 8.8.8.8, and enter, now this is more specific. If they want to go to 4.4.4.4 it will not capture, but if they want to go to 8.8.8.8 (Ctrl+Shift+6 to break the ping first) it will capture. It captures now. So specific source and specific destination: if the source is this one and the destination is this one, capture the packet and show me, and Ctrl+C to stop it. After this you can say ?: it's print header information, you know, six types of things. So I say 4, show me the detail, verbose. I just told you about verbose; I'm using this method, 4. This is the latest version, so they have added two more as well; the old documents mention 4, but they added two more things as well.

So I say print header of packets with interface name; for that you have to put 4. And if you generate some traffic now, let's see, now it will show you port2. Before there was no port detail, just "any" for the port; now there is the port the traffic is coming from, because 4 is nothing but print header of packets with interface name. If you say print header and data from Ethernet of packets, it will show you the Ethernet detail, so make it 3. Let me see, 3 is, yeah, and if I generate traffic again, now it will capture again, but this time it captures them as Ethernet, like the one we capture with, what's it called, Wireshark. This is the Wireshark format. You see Wireshark? Yeah, there it is like this one. Look, it is different now because I just changed from 4 to 3. 2 and 3 are nothing but the verbose options for which thing you want. If you want the header of packets only, type 1; if you want data from the IP packet only, type 2. Anyway, it's clear; check it yourself. Count: how many packets you want.

Now it is continuous; Ctrl+C, then it will break. Ten packets have been captured. Let me take them: 4 for the count. Now this count thing: look, say count, sniffer count, how many packets. I say only 2 and enter. But if I generate a repeat of 100 packets, still it will only capture two packets and it's done. No need for Ctrl+C, because I told it I just need a count of 2. Here is the sniffer count, so it captures the first two packets. To see the last thing, ?: are they giving me any other option? Ctrl+C, sorry, Ctrl+E, why is it not showing me the full command? Let me make it like this one; Ctrl+C, okay, it's not showing me the last one because it's a huge command. So let me do one thing: I need to put the last thing, which is time. So if I say a, it will mention the time as well. One packet, yeah, there is time now. Look, if you see, before the packet there was nothing, no time, and also if you go to the one above, it was some sequence number, but now it mentions the date and time.

Why? Because I put a, which means tell me year, month, day, hour, minute, second and millisecond; that's why this is 2020, 10 is the month, 4 is the date, this is the time, these are the seconds and these are the milliseconds. So this is the sniffer, which can help you figure out many issues. Also there is src as well; you can use src host just as I used host. And you can use any, you can use port2, port3, and any as well. And you can check port 80 as well. Like, suppose if you say, Ctrl+C, I don't know why it's not taking it, let me type again: diagnose sniffer, just pressing tab, sniffer packet, port2 or any, you can type any, and in single quotes type host 192.168.1.2 and port 80, when the traffic is only on port 80. So if I do ping, it will not capture. Yes. If I do telnet to 8.8.8.8 on port 80, then it will capture. Look, now it's captured that somebody from 1.2 is going to port 80, and this is a SYN. Let me close it because it is doing continuous; Ctrl+Shift+6. So it means you can do it for a specific port. Maybe you say 443; you want to investigate that one. Now let me do Ctrl+C, Ctrl+Shift+6; it's not closing, by the way, that is the way to close it, but anyway, let's wait for it. And instead of 80 type 443: it's open, and here it will capture the packet. This time it is SYN, SYN-ACK and ACK. Before it was showing only SYN, which means I'm not getting connected; now I am connected: SYN, SYN-ACK, fine, and now it's acknowledged. So this is the way I troubleshoot whether it is going to connect, and it's working, and then it disconnects. Ctrl+C to close, because I did not mention how many packets to capture. So this is called the packet sniffer, and there are so many other ways to use it.
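The last two checks in the lecture, a SYN with no answer on port 80 and a full SYN, SYN-ACK, ACK on port 443, are exactly what you look for in verbose-4 sniffer output once it gets long. As an added example that is not part of the lecture or of FortiOS, here is a Python parser that reads that text (verbose 4 with the a timestamp format), groups the TCP lines into flows and reports, per flow, whether the handshake completed and how many times the client had to retransmit its SYN. The sample output embedded below is constructed by hand to mimic the sniffer's line format; the filter, addresses and ports in it are not from the lecture's lab.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample (not a real capture) of what
#   diagnose sniffer packet port2 'host 192.168.1.2' 4 0 a
# prints: verbose 4 = packet header with interface name, a = absolute timestamps,
# count 0 = unlimited. Flow 1 retransmits its SYN three times with no reply;
# flow 2 completes the three-way handshake; the ICMP line is ignored.
SAMPLE_OUTPUT = """\
interfaces=[port2]
filters=[host 192.168.1.2]
2020-10-04 10:15:01.123456 port2 in 192.168.1.2.40001 -> 8.8.8.8.80: syn 1000
2020-10-04 10:15:02.124000 port2 in 192.168.1.2.40001 -> 8.8.8.8.80: syn 1000
2020-10-04 10:15:04.126000 port2 in 192.168.1.2.40001 -> 8.8.8.8.80: syn 1000
2020-10-04 10:15:05.200000 port2 in 192.168.1.2.40002 -> 8.8.8.8.443: syn 2000
2020-10-04 10:15:05.230000 port2 out 8.8.8.8.443 -> 192.168.1.2.40002: syn 3000 ack 2001
2020-10-04 10:15:05.231000 port2 in 192.168.1.2.40002 -> 8.8.8.8.443: ack 3001
2020-10-04 10:15:06.000000 port2 in 192.168.1.2 -> 8.8.8.8: icmp: echo request
"""

# timestamp, interface, direction, "src -> dst:" and the flag/protocol text
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\S+) -> (?P<dst>\S+): (?P<rest>.*)$"
)


@dataclass
class Flow:
    client: str
    server: str
    syn: int = 0       # SYNs from the client; more than one means retransmission
    synack: int = 0    # SYN-ACKs from the server
    ack: int = 0       # any later segment carrying ACK from the client
    first: Optional[datetime] = None
    last: Optional[datetime] = None

    @property
    def state(self) -> str:
        if self.synack and self.ack:
            return "established"
        if self.synack:
            return "half-open (SYN-ACK seen, no final ACK)"
        return "no reply (SYN only)"


def endpoint(token: str) -> Optional[str]:
    """'192.168.1.2.40001' -> '192.168.1.2:40001'; a bare IP (ICMP, no port) -> None."""
    ip, sep, port = token.rpartition(".")
    if sep and ip.count(".") == 3 and port.isdigit():
        return f"{ip}:{port}"
    return None


def parse_sniffer(text: str) -> Dict[Tuple[str, str], Flow]:
    """Group TCP lines into flows keyed by (client, server)."""
    flows: Dict[Tuple[str, str], Flow] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["rest"].startswith("icmp"):
            continue  # banner lines (interfaces=/filters=) and ICMP
        src, dst = endpoint(m["src"]), endpoint(m["dst"])
        if src is None or dst is None:
            continue
        flags = m["rest"].split()
        is_syn, has_ack = flags[0] == "syn", "ack" in flags
        # A SYN-ACK travels server -> client, so flip it back to (client, server).
        key = (dst, src) if (is_syn and has_ack) else (src, dst)
        flow = flows.setdefault(key, Flow(*key))
        if is_syn and not has_ack:
            flow.syn += 1
        elif is_syn:
            flow.synack += 1
        elif has_ack:
            flow.ack += 1
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        flow.first = flow.first or ts
        flow.last = ts
    return flows


def summarize(text: str) -> List[str]:
    """One line per flow: handshake state, SYN retransmits and the time span seen."""
    report = []
    for flow in parse_sniffer(text).values():
        span = (flow.last - flow.first).total_seconds() if flow.first else 0.0
        report.append(
            f"{flow.client} -> {flow.server}: {flow.state}; "
            f"syn={flow.syn} (retransmits={max(flow.syn - 1, 0)}) over {span:.3f}s"
        )
    return report


if __name__ == "__main__":
    for line in summarize(SAMPLE_OUTPUT):
        print(line)
```

Paste real sniffer output into `SAMPLE_OUTPUT` (keep the a timestamp flag, the parser relies on it) and the port-80 flow shows up as "no reply (SYN only)" with two retransmits, the same symptom the lecture reads off the screen by hand and the same one the Wireshark view in the packet capture lecture shows as TCP retransmissions. A flow that stays "half-open" points at the other direction: the reply arrived but the client never finished, which is a different problem from a reply that never came.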

83. Lecture-83:Fundamental CLI Commands in FortiGate Firewall.

Some basic and fundamental CLI commands you have to know to troubleshoot the FortiGate firewall easily. Those are like get system status, sorry, get system status: this is my system version, this is my build number, this is the antivirus database, the IPS database and everything; it's in NAT mode, my hostname is Firewall, and all the detail is showing here to figure out something. If you need get system performance status, it will show you the performance: CPU utilization, RAM utilization and everything. If you need it for some reason, you can use the command get system performance top; top is a Linux command, again for CPU utilization and other applications' utilization. This command also exists on the F5 LTM, Firepower and many other things. You will use Ctrl+C to break it. diagnose sys session full-stat will show you session database detail; maybe the session table is full or something is wrong with the sessions, so you can use this command to figure out the issue. There is another command: diagnose sys... what was it? Let me see, top, it was, no, I need the session-related one. Sorry, diagnose sys session; there was one command to see the sessions, yes, session list. That's the command to see all the session-related stuff, also useful in troubleshooting. get system arp: this is also very important, to see the ARP detail. These are the systems which are connected, and their ARP details are here.

Their hardware address, MAC address and IP address, and on which port they are connected. This is also very important for figuring things out. If you want to clear them: execute clear system arp table. Now it's clear; if you check again there is nothing, only one entry, which is the firewall's own MAC address and its detail. Also, if you need to check routing table detail: get router info routing-table static, which I told you about, and if you need everything, just type all to see all the routing detail, to figure out what the issue is: is the routing table there or not? For a specific one you can type, suppose somebody is going to 8.8.8.8, there is a command, if I mention it here, which will show you the specific route; before it was all the detail. If you want to check for a specific destination, you have to type it like this for that destination: its detail, its metric, its distance, its full detail, how it is going. So it's also a good command to troubleshoot routing issues. Also there is VPN-related troubleshooting, but we don't have a VPN.

So you can diagnose VPN-related issues with these: phase 1 and phase 2 related diagnostics for VPN issues, you can use these commands. The sniffer I already told you about above. You can use the command show full-configuration; it will show you all the configuration. execute reboot to restart, and execute ping, which is also very important to check, like, whether anything is working or not; so execute ping, and Ctrl+C to stop it if you want. And show system dns: if you want to check DNS, show system dns will show you the DNS detail, and if you say get system dns, it will show you the difference between show and get as well. show gives me the configuration: copy and paste it and it will work straight away; you know, this is the configuration. But get shows me that your primary DNS is this one, the DNS SSL setting is this one, and all the details related to DNS. These are some basic commands and configuration I already told you about, to configure something: if you want to configure the hostname, this is the command; to configure an interface, this is the command; to configure DNS, this is the command; static routes; and packet capture, to enable packet capture, which I will show you graphically now, but also from this command.

I already told you, you don't need to worry. If you don't know any command, just type it into Google, and also anywhere in the GUI, go to anything that is configured, right-click, and Edit in CLI. It will show you all the configuration commands. If you go to static routes or addresses as well, right-click, Edit in CLI. So how do you edit? It means we need to go to config firewall address, then edit and give it any name. That's the way to configure it, by the way: config firewall address, edit, set uuid, set color and set subnet, and that's it. So everywhere just right-click and you will get all the commands. So no need to worry if you don't know the command. But troubleshooting in the real world normally happens through the command line. That's the only thing, because you cannot do most of the stuff in the GUI. But all in all, on any firewall, whenever you troubleshoot, the best approach is to use the CLI, and it's quick as well. By the way, in the beginning you will be afraid that you don't know the commands, but after some time you will be good to go using the commands rather than the GUI. Trust me, it's so easy compared to the GUI for troubleshooting. Okay, so these are some basic commands.

84. Lecture-84:Configure and Verify Packet Capture in FortiGate.

How to configure packet capture. You know, sometimes for troubleshooting purposes you need to capture packets. So if you want to capture packets, go to Network, and there is Packet Capture. Nothing is configured; Create New, and on which interface the traffic will come: I say from lan, this is my LAN interface. Then there is maximum captured packets: how many packets do you want to capture? It's a good thing. Suppose I say capture only 4 packets. Now there's a filter. Do you want to specify something specific, or anything coming on LAN? No, I say host 192.168.1.1. When this host comes for port 80; VLAN we don't have; and protocol: they are using TCP, and TCP is 6. You remember I told you there are protocol numbers from 0 to 255. So which one does TCP come under? It's 6. Yeah, I showed you this one; TCP is 6. So I say protocol number 6. VLAN we don't have. Include IPv6 packets? Yes. Include non-IP packets, if you want. And OK. So protocol number 6, port 80, host is this one: if they are coming on LAN, when they reach 4 packets, record them. But it says not running, which means we have to run it, and OK. Now it's running, but no packet is coming. I need to generate some traffic from server 1 on port 80 only: enable, 123, and telnet to 8.8.8.8 on port 80. I think so. So one packet is captured, two packets are captured, and it will automatically stop at the maximum packets.

I see three packets are captured. Now it's running automatically and done. My job is done. Open it, download, and open it in Wireshark; .pcap is a Wireshark extension. Look: 192.168.1.1 was going to 8.8.8.8, and it's true, I was going to 8.8.8.8 on port 80, TCP. But TCP retransmission: a SYN was sent, but nobody answered. And it's true, that's why it's black in color, and you can analyze it more: only a SYN is sent, but no response is coming back to me. This site is not reachable, or it's something else. If you need everything, just type this one. If you want to filter for the whole subnet, you can use a subnet, and you can use a range as well, port 80 or 443, whatever you want to do. So this is how to mention the host, okay? And if you want to refresh, you can say refresh and start again, download this one, however many packets you want to capture.

You want to filter them specifically, or you just want any packet; so it will be like this one. You can use the port, VLAN detail, protocol, include IPv6 and non-IP packets like ICMP, and any other protocol you can mention. And it is done. So it will show you it is running. You can stop it from here as well; now it's stopped, so it will not use up your time. And also you can use this command to enable it: config firewall policy. Why is it so easy? Right-click here. Okay, and they don't have some of the commands; yeah, I thought maybe some of them they don't have, like this one, so I thought I would copy from there. So you can enable it from the CLI as well. And last, you can clone it, you can edit it and you can delete it as well if you don't need it anymore.
