labunix's blog

labunix's Lab Unix

Checking the update method from the FortiGate-80C's GUI-operation debug log.

■Checking the update method from the FortiGate-80C's GUI-operation debug log.

# get hardware status | grep Model
Model name: FortiGate-80C

# get system status | grep Ver
Version: FortiGate-80C v5.2.2,build0642,150106 (GA)
Release Version Information: GA

■The WAN-side configuration is as follows.

# show | grep -f wan1
config system interface
    edit "wan1" <---
        set vdom "root"
        set ip 192.168.1.252 255.255.255.248
        set allowaccess ping fgfm auto-ipsec
        set type physical
        set snmp-index 1
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1" <---
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "default"
        set webfilter-profile "default"
        set application-list "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end
config router static
    edit 1
        set gateway 192.168.1.254
        set device "wan1" <---
    next
end

■Debugging GUI operations from the console

# diagnose debug cli 7

■From System > Config > FortiGuard.

 > AV & IPS Download Options
  > [Run]

# 0: config system autoupdate schedule
0: end

  > Web Filtering and Email Filtering Options
  > Port Selection
    > Use Default Port (53)
    [Test Availability] -> [OK]

# 0: config system autoupdate schedule
0: end

■Since the CLI command written is the same, the two operations appear to be essentially the same thing.

$ sudo tail -f /var/log/Fortigate-80C.log | \
    sed -e 's/\(FGT80C\)[0-9]*/\1Serial/g' \
        -e 's/ [a-z]*i[dp]=/\n&/g' \
        -e 's/ service=\|duration=/\n&/g' \
        -e 's/ module=\| logdesc=\| msg=\|,/\n&/g'
Jun 10 00:26:52 172.31.31.252 date=2015-06-10 time=00:26:52 devname=FGT8
 devid=FGT80CSerial
 logid=0100032102 type=event subtype=system level=information vd="root"
 logdesc="A user has changed the configuration for a specific sub-module via GUI" user="admin" ui=GUI(172.31.31.254)
 module=system submodule=update
 msg="User admin made a change via GUI(172.31.31.254): System update setting has been changed"
Jun 10 00:28:24 172.31.31.252 date=2015-06-10 time=00:28:24 devname=FGT8
 devid=FGT80CSerial
 logid=0100032102 type=event subtype=system level=information vd="root"
 logdesc="A user has changed the configuration for a specific sub-module via GUI" user="admin" ui=GUI(172.31.31.254)
 module=system submodule=update
 msg="User admin made a change via GUI(172.31.31.254): System update setting has been changed"
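As an added example, not code from the original post, here is a small Python parser for FortiOS key=value event lines like the two above. It pulls out the configuration-change events (the logid 0100032102 seen in the log) and the admin's address from the ui=GUI(...) field, and flags any change made from an address that is not on an allow-list of management stations; the second sample line (source 10.0.0.99) and the allow-list are constructed for the demonstration.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample: line 1 mirrors the GUI config-change event shown above
# (serial masked as "FGT80CSerial" like in the post); line 2 is the same event
# with a made-up, non-allow-listed admin source address to exercise the check.
SAMPLE_LOG = """\
Jun 10 00:26:52 172.31.31.252 date=2015-06-10 time=00:26:52 devname=FGT8 devid=FGT80CSerial logid=0100032102 type=event subtype=system level=information vd="root" logdesc="A user has changed the configuration for a specific sub-module via GUI" user="admin" ui=GUI(172.31.31.254) module=system submodule=update msg="User admin made a change via GUI(172.31.31.254): System update setting has been changed"
Jun 10 00:28:24 172.31.31.252 date=2015-06-10 time=00:28:24 devname=FGT8 devid=FGT80CSerial logid=0100032102 type=event subtype=system level=information vd="root" logdesc="A user has changed the configuration for a specific sub-module via GUI" user="admin" ui=GUI(10.0.0.99) module=system submodule=update msg="User admin made a change via GUI(10.0.0.99): System update setting has been changed"
"""

# key=value pairs: the value is either a double-quoted string (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# the management client's address inside ui=GUI(a.b.c.d)
UI_IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")

CONFIG_CHANGE_LOGID = "0100032102"  # logid of the "configuration changed via GUI" events above


def parse_fortigate_event(line: str) -> Dict[str, str]:
    """Turn one FortiOS syslog line into a dict; quotes are stripped from quoted values."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def admin_source_ip(fields: Dict[str, str]) -> Optional[str]:
    """Extract the management client address from the ui= field, if present."""
    m = UI_IP_RE.search(fields.get("ui", ""))
    return m.group(1) if m else None


def config_change_alerts(log_text: str, allowed_admin_hosts: Iterable[str]) -> List[dict]:
    """One record per configuration-change event; unexpected_host is True when the
    change was made from an address outside the allow-list of management stations."""
    allowed = set(allowed_admin_hosts)
    alerts = []
    for line in log_text.splitlines():
        f = parse_fortigate_event(line)
        if f.get("logid") != CONFIG_CHANGE_LOGID:
            continue
        ip = admin_source_ip(f)
        alerts.append({
            "when": f"{f.get('date', '?')} {f.get('time', '?')}",
            "user": f.get("user"),
            "source_ip": ip,
            "submodule": f.get("submodule"),
            "unexpected_host": ip not in allowed,   # None (no ui= field) also counts as unexpected
        })
    return alerts


if __name__ == "__main__":
    for a in config_change_alerts(SAMPLE_LOG, {"172.31.31.254"}):
        flag = "ALERT" if a["unexpected_host"] else "ok   "
        print(f"{flag} {a['when']} user={a['user']} from={a['source_ip']} submodule={a['submodule']}")
```

Feed it the syslog file instead of SAMPLE_LOG (for example `config_change_alerts(open("/var/log/Fortigate-80C.log").read(), {"172.31.31.254"})`) to get the same "who changed what from where" view the sed pipeline above produces by hand, with the allow-list check on top.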

■Let's try a packet capture.

# diagnose sniffer packet wan1 'net 208.91.112.0 mask 255.255.255.0'
interfaces=[wan1]
filters=[net 208.91.112.0 mask 255.255.255.0]
0: config system autoupdate schedule
0: end
60.971829 192.168.1.252.1154 -> 208.91.112.80.443: syn 382486821 
61.087707 208.91.112.80.443 -> 192.168.1.252.1154: syn 378329634 ack 382486822 
61.087779 192.168.1.252.1154 -> 208.91.112.80.443: ack 378329635 
...

■With AV & IPS Download Options, traffic on 443/TCP (https) and 53/UDP was generated.

$ cat packet1 | awk '{print $2,$3$4,$5}' | sort -u
192.168.1.252.1154 ->208.91.112.80.443: 382487028
192.168.1.252.1154 ->208.91.112.80.443: ack
192.168.1.252.1154 ->208.91.112.80.443: fin
192.168.1.252.1154 ->208.91.112.80.443: psh
192.168.1.252.1154 ->208.91.112.80.443: syn
192.168.1.252.64633 ->208.91.112.52.53: udp
192.168.1.252.64633 ->208.91.112.53.53: udp
208.91.112.52.53 ->192.168.1.252.64633: udp
208.91.112.53.53 ->192.168.1.252.64633: udp
208.91.112.80.443 ->192.168.1.252.1154: 378329635
208.91.112.80.443 ->192.168.1.252.1154: ack
208.91.112.80.443 ->192.168.1.252.1154: psh
208.91.112.80.443 ->192.168.1.252.1154: rst
208.91.112.80.443 ->192.168.1.252.1154: syn

■With Web Filtering and Email Filtering Options, traffic on 8888/udp, 53/udp and 80/tcp was generated.
 Could it just be a matter of timing...?

$ cat packet2 | awk '{print $2,$3$4,$5}' | sort -u
192.168.1.252.1025 ->208.91.112.196.53: udp
192.168.1.252.1025 ->208.91.112.196.8888: udp
192.168.1.252.1025 ->208.91.112.198.53: udp
192.168.1.252.1025 ->208.91.112.198.8888: udp
192.168.1.252.1156 ->208.91.112.198.80: ack
192.168.1.252.1156 ->208.91.112.198.80: psh
192.168.1.252.1156 ->208.91.112.198.80: syn
192.168.1.252.1157 ->208.91.112.196.80: ack
192.168.1.252.1157 ->208.91.112.196.80: psh
192.168.1.252.1157 ->208.91.112.196.80: syn
192.168.1.252.1158 ->208.91.112.198.80: ack
192.168.1.252.1158 ->208.91.112.198.80: psh
192.168.1.252.1158 ->208.91.112.198.80: syn
192.168.1.252.1159 ->208.91.112.196.80: ack
192.168.1.252.1159 ->208.91.112.196.80: psh
192.168.1.252.1159 ->208.91.112.196.80: syn
192.168.1.252.1160 ->208.91.112.198.80: ack
192.168.1.252.1160 ->208.91.112.198.80: psh
192.168.1.252.1160 ->208.91.112.198.80: syn
192.168.1.252.1161 ->208.91.112.196.80: ack
192.168.1.252.1161 ->208.91.112.196.80: psh
192.168.1.252.1161 ->208.91.112.196.80: syn
192.168.1.252.1162 ->208.91.112.198.80: ack
192.168.1.252.1162 ->208.91.112.198.80: syn
192.168.1.252.1163 ->208.91.112.196.80: ack
192.168.1.252.1163 ->208.91.112.196.80: psh
192.168.1.252.1163 ->208.91.112.196.80: syn
192.168.1.252.1164 ->208.91.112.198.80: ack
192.168.1.252.1164 ->208.91.112.198.80: syn
192.168.1.252.1165 ->208.91.112.196.80: ack
192.168.1.252.1165 ->208.91.112.196.80: psh
192.168.1.252.1165 ->208.91.112.196.80: syn
192.168.1.252.1166 ->208.91.112.198.80: ack
192.168.1.252.1166 ->208.91.112.198.80: psh
192.168.1.252.1166 ->208.91.112.198.80: syn
192.168.1.252.1167 ->208.91.112.196.80: ack
192.168.1.252.1167 ->208.91.112.196.80: psh
192.168.1.252.1167 ->208.91.112.196.80: syn
192.168.1.252.64633 ->208.91.112.52.53: udp
192.168.1.252.64633 ->208.91.112.53.53: udp
208.91.112.196.53 ->192.168.1.252.1025: udp
208.91.112.196.80 ->192.168.1.252.1157: ack
208.91.112.196.80 ->192.168.1.252.1157: psh
208.91.112.196.80 ->192.168.1.252.1157: rst
208.91.112.196.80 ->192.168.1.252.1157: syn
208.91.112.196.80 ->192.168.1.252.1159: ack
208.91.112.196.80 ->192.168.1.252.1159: psh
208.91.112.196.80 ->192.168.1.252.1159: rst
208.91.112.196.80 ->192.168.1.252.1159: syn
208.91.112.196.80 ->192.168.1.252.1161: psh
208.91.112.196.80 ->192.168.1.252.1161: rst
208.91.112.196.80 ->192.168.1.252.1161: syn
208.91.112.196.80 ->192.168.1.252.1163: psh
208.91.112.196.80 ->192.168.1.252.1163: rst
208.91.112.196.80 ->192.168.1.252.1163: syn
208.91.112.196.80 ->192.168.1.252.1165: psh
208.91.112.196.80 ->192.168.1.252.1165: rst
208.91.112.196.80 ->192.168.1.252.1165: syn
208.91.112.196.80 ->192.168.1.252.1167: psh
208.91.112.196.80 ->192.168.1.252.1167: rst
208.91.112.196.80 ->192.168.1.252.1167: syn
208.91.112.196.8888 ->192.168.1.252.1025: udp
208.91.112.198.53 ->192.168.1.252.1025: udp
208.91.112.198.80 ->192.168.1.252.1156: ack
208.91.112.198.80 ->192.168.1.252.1156: psh
208.91.112.198.80 ->192.168.1.252.1156: rst
208.91.112.198.80 ->192.168.1.252.1156: syn
208.91.112.198.80 ->192.168.1.252.1158: ack
208.91.112.198.80 ->192.168.1.252.1158: psh
208.91.112.198.80 ->192.168.1.252.1158: rst
208.91.112.198.80 ->192.168.1.252.1158: syn
208.91.112.198.80 ->192.168.1.252.1160: ack
208.91.112.198.80 ->192.168.1.252.1160: psh
208.91.112.198.80 ->192.168.1.252.1160: rst
208.91.112.198.80 ->192.168.1.252.1160: syn
208.91.112.198.80 ->192.168.1.252.1162: ack
208.91.112.198.80 ->192.168.1.252.1162: rst
208.91.112.198.80 ->192.168.1.252.1162: syn
208.91.112.198.80 ->192.168.1.252.1164: ack
208.91.112.198.80 ->192.168.1.252.1164: rst
208.91.112.198.80 ->192.168.1.252.1166: ack
208.91.112.198.80 ->192.168.1.252.1166: psh
208.91.112.198.80 ->192.168.1.252.1166: rst
208.91.112.198.80 ->192.168.1.252.1166: syn
208.91.112.198.8888 ->192.168.1.252.1025: udp
208.91.112.52.53 ->192.168.1.252.64633: udp
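As an added example, not part of the original post, this Python script does for both captures above what the `awk '{print $2,$3$4,$5}' | sort -u` pipelines do, but groups by destination port and protocol so the "443/tcp, 53/udp" and "8888/udp, 53/udp, 80/tcp" lists fall out directly, and it counts SYNs per remote ip:port, which makes the many short connections to port 80 in the second capture visible as a number. The sample capture is constructed in the line format of the `diagnose sniffer packet` output shown; timestamps and sequence numbers are invented, addresses follow the two captures.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed excerpt in the line format of 'diagnose sniffer packet' shown above:
# "<ts> <src ip>.<sport> -> <dst ip>.<dport>: <flags/proto> ..."; timestamps and
# sequence numbers are invented, the addresses follow the two captures in the post.
SAMPLE_CAPTURE = """\
interfaces=[wan1]
filters=[net 208.91.112.0 mask 255.255.255.0]
60.971829 192.168.1.252.1154 -> 208.91.112.80.443: syn 382486821
61.087707 208.91.112.80.443 -> 192.168.1.252.1154: syn 378329634 ack 382486822
61.087779 192.168.1.252.1154 -> 208.91.112.80.443: ack 378329635
61.090211 192.168.1.252.1154 -> 208.91.112.80.443: psh 382486822 ack 378329635
61.210045 208.91.112.80.443 -> 192.168.1.252.1154: rst 378329635
62.001000 192.168.1.252.64633 -> 208.91.112.52.53: udp 45
62.115000 208.91.112.52.53 -> 192.168.1.252.64633: udp 61
70.500000 192.168.1.252.1025 -> 208.91.112.196.8888: udp 64
70.612000 208.91.112.196.8888 -> 192.168.1.252.1025: udp 120
71.000000 192.168.1.252.1156 -> 208.91.112.198.80: syn 100
71.100000 192.168.1.252.1157 -> 208.91.112.196.80: syn 200
71.200000 192.168.1.252.1158 -> 208.91.112.198.80: syn 300
71.300000 192.168.1.252.1158 -> 208.91.112.198.80: ack 301
"""

# one packet line: timestamp, "ip.port -> ip.port:" and the rest (flags or "udp <len>")
PKT_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+"
    r"(?P<sip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+(?P<info>.*)$"
)


def parse_packets(text: str) -> List[dict]:
    """Parse sniffer lines; the interfaces=/filters= header and CLI debug noise are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        info = m.group("info").split()
        first = info[0] if info else ""
        proto = "udp" if first.startswith("udp") else "tcp"  # tcp lines start with a flag or a sequence number
        pkts.append({
            "ts": float(m.group("ts")),
            "sip": m.group("sip"), "sport": int(m.group("sport")),
            "dip": m.group("dip"), "dport": int(m.group("dport")),
            "proto": proto, "flag": first,
        })
    return pkts


def outbound_services(pkts: List[dict], local_ip: str) -> Dict[str, Set[str]]:
    """'port/proto' -> remote hosts, for packets the firewall itself sent (ephemeral source ports collapsed)."""
    svc: Dict[str, Set[str]] = defaultdict(set)
    for p in pkts:
        if p["sip"] == local_ip:
            svc[f"{p['dport']}/{p['proto']}"].add(p["dip"])
    return dict(svc)


def tcp_connection_attempts(pkts: List[dict], local_ip: str) -> Dict[str, int]:
    """Number of distinct client source ports that sent a SYN to each remote ip:port."""
    syns: Dict[str, Set[int]] = defaultdict(set)
    for p in pkts:
        if p["sip"] == local_ip and p["proto"] == "tcp" and p["flag"] == "syn":
            syns[f"{p['dip']}:{p['dport']}"].add(p["sport"])
    return {k: len(v) for k, v in syns.items()}


if __name__ == "__main__":
    pk = parse_packets(SAMPLE_CAPTURE)
    for service, hosts in sorted(outbound_services(pk, "192.168.1.252").items()):
        print(f"{service:>10}  {', '.join(sorted(hosts))}")
    for dst, n in sorted(tcp_connection_attempts(pk, "192.168.1.252").items()):
        print(f"{n:3d} connection attempt(s) to {dst}")
```

Pass the saved sniffer output (packet1 or packet2 above) to parse_packets with the wan1 address as local_ip; the resulting port/protocol list is what you would put into an egress policy that only lets the FortiGuard update traffic out of wan1.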

■The license has been renewed successfully for today, so unless the same log can be produced from the CLI, the only option is to do it from the GUI; let's leave it at that for now...
 ※The date format is the one used by the date command.

$ env LANG=C date '+%a %B %d %Y'
Wed June 10 2015

# get system fortiguard | grep "lic\|exp"
antispam-license    : Contract
antispam-expiration : %a %B %d %Y
avquery-license     : Contract
avquery-expiration  : %a %B %d %Y
webfilter-license   : Contract
webfilter-expiration: %a %B %d %Y