diag test app ipsmonitor <#>
- 1: Display IPS engine information
- 2: Toggle IPS engine enable/disable status
- 3: Display restart log
- 4: Clear restart log
- 5: Toggle bypass status
- 97: Start all IPS engines
- 98: Stop all IPS engines
- 99: Restart all IPS engines and monitor
config system global
set admin-sport 8443
set sslvpn-sport 443
end
config system ha
set group-name <cluster_name>
set mode <a-a|a-p|standalone> !! Active-Active, Active-Passive, or Standalone
set password <HA_Password>
set hbdev <heartbeat-port> !! Heartbeat interface; it cannot be an interface that already has an IP and is in use
set session-pickup <enable|disable> !! Sync sessions to the peer so they survive failover (multicast and SSL VPN sessions are not synced)
set override <enable|disable> !! Preempt
set monitor <int1> <int2> <etc>
set priority <#> !! Default is 128
end
Notes:
- To bring a new device into the cluster, ensure the new device has a lower priority than the active device. After connecting it to the network and configuring the above settings, the configuration should be pulled from the active unit
config system global
set hostname <hostname>
end
config system dns
set primary <ip>
set secondary <ip>
end
config vpn ipsec phase2
edit "<Phase2-Name>"
set use-natip <enable|disable>
next
end
Notes:
- When NAT is used: enable (the default) uses the FortiGate's public IP as the source selector (encryption domain); disable uses the addresses configured in the phase 2 settings (src-start-ip/src-end-ip or src-subnet)
diag debug report
get system status
get system performance status
diag hardware sysinfo memory
diagnose sys session stat
get system performance top 3 99 !! Let it run for 20-30 seconds, then press Ctrl + C to stop the command
diag debug crashlog read
Username: admin
Password: <empty>
config system interface
edit wan1 // Some name
set ip <ip>/<cidr>
set allowaccess ping https ssh !! Admin access protocols permitted on this interface; ping, ssh and https are usually needed
end
!! Aggregate interfaces using LACP (802.3ad). Example: assign port8 and port9 to "aggr1" (aggr1 is a name we can make up), then assign an IP like above as normal
config system interface
edit aggr1
set type aggregate !! Must be set when the interface is created, before adding members
set member "port8" "port9"
end
!! Add VLAN to Aggregate or interface (create int aggr1_30 and assign IP and VLAN 30)
config system interface
edit aggr1_30
set ip <ip>/<cidr>
set interface "aggr1"
set vlanid 30
end
!! Configure a zone (zones are optional, not required unless desired)
config system zone
edit <some zone name>
set interface <interface1> <interface2> <etc>
set intrazone allow // Only enable if needed, as it is insecure: it lets two interfaces in the same zone talk to each other without a policy
end
!! Ensure ssh is allowed on the interface you are attempting to access
config system interface
edit <interface>
set allowaccess ping https ssh !! SSH added to the other allowed admin options
end
!! Enable SCP
config system global
set admin-scp enable
end
!! To back up the system configuration over SCP (uses the SSH port)
scp admin@<ip>:sys_config <local-file>
Notes:
- SCP is disabled by default and may become disabled after an upgrade
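Because SCP can be silently off after an upgrade, a backup job should check that what it pulled is really a FortiOS config rather than an empty or error file. The script below is an added example, not part of the original cheat sheet; it assumes SSH on port 22, the remote name sys_config, and that a FortiOS config file starts with a `#config-version=` header line.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): pull a FortiGate config
# backup over SCP, then sanity-check the result so a disabled SCP service or a
# failed transfer does not leave an empty or garbage file as the "backup".
# Assumptions: remote name sys_config, SSH/SCP on port 22 unless given, and a
# FortiOS config file whose first line starts with '#config-version='.

# fgt_backup <fortigate-ip> <local-file> [ssh-port]
fgt_backup() {
    fgt_ip=$1; out=$2; port=${3:-22}
    scp -P "$port" "admin@${fgt_ip}:sys_config" "$out" || return 1
    fgt_check_backup "$out"
}

# fgt_check_backup <file>: return 0 only if the file looks like a FortiOS config;
# on success, record a SHA-256 so later corruption or tampering can be detected
fgt_check_backup() {
    f=$1
    [ -s "$f" ] || { echo "backup empty or missing: $f" >&2; return 1; }
    head -n 1 "$f" | grep -q '^#config-version=' || {
        echo "not a FortiOS config (no #config-version header): $f" >&2
        return 1
    }
    sha256sum "$f" > "$f.sha256"
    return 0
}
```

Run `fgt_backup <ip> fgt-$(date +%F).conf` from cron and alert on a non-zero exit.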