labunix's blog

labunix's Lab Unix

On FortiGate health checks

■On FortiGate health checks

 Checking in the GUI is fine, but the problem is that nothing is left behind afterward.

■How to check the "alertconsole list" log with a command

$ echo "diagnose log alertconsole list" | ssh admin@172.31.31.251 2> /dev/null | sed s/".*# "//g
admin@172.31.31.251's password: 
There are 50 alert console messages:
2015-02-24 20:02:53 FortiGuard Advisory Adobe Security Bulletin for February 2015
2015-02-24 20:02:53 FortiGuard Advisory Microsoft Security Bulletin for February 10, 2015
2015-02-24 20:02:53 FortiGuard Advisory FortiOS CAPWAP server two vulnerabilities
2015-02-24 20:02:53 FortiGuard Advisory FortiAuthenticator multiple vulnerabilities
2015-02-24 19:02:53 FortiGuard Latest Threat MSIL/Injector.FPV!tr
2015-02-24 19:02:53 FortiGuard Latest Threat W32/Kryptik.CHZB!tr
2015-02-24 19:02:53 FortiGuard Latest Threat W32/CPacker.C!tr
2015-02-24 19:02:53 FortiGuard Latest Threat W32/Cryptolocker.C!tr
2015-02-24 19:02:53 FortiGuard Latest Threat W32/Kryptik.CFCF!tr
2015-02-24 19:02:53 FortiGuard Latest Threat W32/Zbot.AHCV!tr
2015-02-24 19:02:53 FortiGuard Latest Threat W32/Boaxxe.BV!tr
2015-02-24 19:02:53 FortiGuard Latest Threat Nuclear.Exploit.Kit
2015-02-24 19:02:53 FortiGuard Latest Threat WordPress.Download.Manager.wpdm_upload_icons.Code.Execution
2015-02-24 19:02:53 FortiGuard Latest Threat Ropest.Botnet
2015-02-24 19:02:53 FortiGuard Latest Threat Sweet.Orange.Exploit.Kit
2015-02-24 19:02:53 FortiGuard Latest Threat Bash.Function.Definitions.Remote.Code.Execution
2015-02-24 19:02:53 FortiGuard Latest Threat Magnitude.Exploit.Kit
2015-02-24 19:02:53 FortiGuard Latest Threat Neutrino.Exploit.Kit
2015-02-24 19:02:43 Log disk is unavailable

■I can't remember all the status commands, so I made this.

 fgt_check.sh
 https://raw.githubusercontent.com/labunix/fortigate-80c-settings/master/fgt_check.log

 fgt_check.log
 https://raw.githubusercontent.com/labunix/fortigate-80c-settings/master/fgt_check.log

■If something turns up in the digest, look at the unformatted log,
 and if questions still remain, run "diagnose debug report".
 The idea is just to have an easy first foothold before going that far.

 On the contents of the FortiGate CLI command [diagnose debug report]
 http://labunix.hateblo.jp/entry/20150208/1423402180

■Running it without tee.
 If you can sit and wait with nothing displayed, trusting that every command completes normally, use the following.
 fgt_check.log is the list of status commands to run, so the captured log goes to a separate file.
 Note that the trailing 2>&1 only redirects sed's stderr: ssh's own messages (the pseudo-terminal warning and the sniffer banner shown below) still go to the terminal rather than into the file. Pass -T to ssh if you want the warning gone.

$ cat fgt_check.log | ssh admin@172.31.31.251 | \
    sed s/".*# "//g > "check_`date '+%Y%m%d'`.log" 2>&1
Pseudo-terminal will not be allocated because stdin is not a terminal.
admin@172.31.31.251's password: 
interfaces=[any]
filters=[udp port 53]

■Extracting the digest
 Try it first with "./fgt_check.sh", then format the results.

 Assuming the unit is running normally, these are roughly the things you'd want to know.
 I left the "disable check" in because it may be worth running now and then.

$ /bin/bash -v ./fgt_check.sh  check_20150224.log 2>&1 | \
    grep -A 1000 "^# Start" | grep -v ^grep
# Start check_20150224.log digest

# Hostname
hostname            : FGT-UTM 
# Firmware version
Version: FortiGate-80C v5.0,build0252,131031 (GA Patch 5)
# Time
current date is: 2015-02-24
current time is: 20:40:09
# License expiration
antispam-expiration : Fri Sep 18 09:00:00 2015
avquery-expiration  : Fri Sep 18 09:00:00 2015
webfilter-expiration: Fri Sep 18 09:00:00 2015
# DB versions
Virus-DB: 23.00891(2015-02-23 06:09)
Extended DB: 23.00891(2015-02-23 06:08)
IPS-DB: 5.00614(2015-02-19 04:57)
IPS-ETDB: 0.00000(2000-00-00 00:00)
Botnet DB: 2.00099(2015-02-22 20:30)
# Next update
Next sched update: Wed Feb 25 01:55:00 2015
# System uptime
Uptime: 0 days,  1 hours,  37 minutes

# Overall CPU usage
CPU states: 3% user 2% system 0% nice 95% idle
# Memory usage
Memory states: 54% used
# Disk status
  [ dev: /dev/sda1  major: 8  minor: 1  free: 22MB  mounted: N ]
  [ dev: /dev/sda2  major: 8  minor: 2  free: 8MB  mounted: Y ]
  [ dev: /dev/sda3  major: 8  minor: 3  free: 375MB  mounted: Y ]

# IP addresses and NICs
IPS-DB: 5.00614(2015-02-19 04:57)
IPS-ETDB: 0.00000(2000-00-00 00:00)
IPS attacks blocked: 0 total in 1 minute
IP=192.168.1.251->192.168.1.251/255.255.255.248 index=4 devname=wan1
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=7 devname=root
IP=172.31.31.251->172.31.31.251/255.255.255.0 index=10 devname=internal
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=12 devname=vsys_ha
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=14 devname=vsys_fgfm
# Traffic
Browsing: 184 packets, 68877 bytes
DNS: 5602 packets, 632639 bytes
E-Mail: 0 packets, 0 bytes
FTP: 0 packets, 0 bytes
Gaming: 0 packets, 0 bytes
IM: 0 packets, 0 bytes
Newsgroups: 0 packets, 0 bytes
P2P: 0 packets, 0 bytes
Streaming: 0 packets, 0 bytes
TFTP: 0 packets, 0 bytes
VoIP: 0 packets, 0 bytes
Generic TCP: 5836 packets, 1121578 bytes
Generic UDP: 55 packets, 4180 bytes
Generic ICMP: 0 packets, 0 bytes
Generic IP: 12 packets, 384 bytes
Browsing: 184 packets, 68877 bytes
DNS: 5602 packets, 632639 bytes
E-Mail: 0 packets, 0 bytes
FTP: 0 packets, 0 bytes
Gaming: 0 packets, 0 bytes
IM: 0 packets, 0 bytes
Newsgroups: 0 packets, 0 bytes
P2P: 0 packets, 0 bytes
Streaming: 0 packets, 0 bytes
TFTP: 0 packets, 0 bytes
VoIP: 0 packets, 0 bytes
Generic TCP: 5839 packets, 1123318 bytes
Generic UDP: 55 packets, 4180 bytes
Generic ICMP: 0 packets, 0 bytes
Generic IP: 12 packets, 384 bytes

# error|fail check
Ring         counters: pass=000000 fail=000000
Setup        counters: pass=000001 fail=000000
Update       counters: pass=000000 retry_fail=000000 final_fail=000000
Virus report counters: pass=000000 fail=000000 empty_stats=000001
firewall error stat:
error1=00000000
error2=00000000
error3=00000000
error4=00000000
firewall error stat:
error1=00000000
error2=00000000
error3=00000000
error4=00000000

# disable check
#grep "disable" $LOGNAME
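As an added example (not the author's fgt_check.sh linked above, and not Fortinet tooling), here is a bash digest over a constructed capture built from the FortiOS 5.0 lines shown on this page. It anchors every pattern, so the "IP addresses and NICs" section no longer drags in the IPS-DB lines the way the digest above does, and it adds the checks a practitioner wants from the raw output: non-zero fail/error counters, a disk the firmware could not mount together with the "Log disk is unavailable" alert, and a memory threshold. The 80% threshold is an assumption to tune per unit, and the non-zero counter and unmounted disk in the sample are deliberately planted so the checks fire. The log file is passed as a positional argument rather than through $LOGNAME, which is the shell's login-name variable.

```shell
#!/bin/bash
# Added example (not the author's fgt_check.sh): build a digest from a captured
# FortiGate CLI log and list the items a person should look at. The log below
# is constructed from the FortiOS 5.0 lines shown on this page; the memory
# threshold is an assumption to tune to your unit.

MEM_WARN=${MEM_WARN:-80}

# Constructed sample of a capture ("cat fgt_check.log | ssh admin@fgt | sed ...")
# with the prompt already stripped. One fail counter and one unmounted disk
# are deliberately non-zero so the checks below have something to find.
SAMPLE_LOG=$(cat <<'EOF'
hostname            : FGT-UTM
Version: FortiGate-80C v5.0,build0252,131031 (GA Patch 5)
antispam-expiration : Fri Sep 18 09:00:00 2015
webfilter-expiration: Fri Sep 18 09:00:00 2015
Virus-DB: 23.00891(2015-02-23 06:09)
IPS-DB: 5.00614(2015-02-19 04:57)
IPS-ETDB: 0.00000(2000-00-00 00:00)
IPS attacks blocked: 0 total in 1 minute
Uptime: 0 days,  1 hours,  37 minutes
CPU states: 3% user 2% system 0% nice 95% idle
Memory states: 54% used
  [ dev: /dev/sda1  major: 8  minor: 1  free: 22MB  mounted: N ]
  [ dev: /dev/sda2  major: 8  minor: 2  free: 8MB  mounted: Y ]
IP=192.168.1.251->192.168.1.251/255.255.255.248 index=4 devname=wan1
IP=172.31.31.251->172.31.31.251/255.255.255.0 index=10 devname=internal
Ring         counters: pass=000000 fail=000000
Update       counters: pass=000000 retry_fail=000000 final_fail=000002
error1=00000000
2015-02-24 19:02:43 Log disk is unavailable
EOF
)

# Print one digest section: a "# label" header, then the lines matching an
# anchored extended regex. Anchoring matters: an unanchored "IP" also pulls
# in "IPS-DB" and "IPS attacks blocked".
section() {  # section LABEL REGEX LOGFILE
  printf '# %s\n' "$1"
  grep -E "$2" "$3" || true
}

digest() {  # digest LOGFILE
  section "Hostname"        '^hostname'                                          "$1"
  section "Firmware"        '^Version:'                                          "$1"
  section "License expiry"  '^[a-z]+-expiration'                                 "$1"
  section "Signature DBs"   '^(Virus-DB|Extended DB|IPS-DB|IPS-ETDB|Botnet DB):' "$1"
  section "Uptime"          '^Uptime:'                                           "$1"
  section "CPU / memory"    '^(CPU|Memory) states:'                              "$1"
  section "Disks"           'dev: /dev/'                                         "$1"
  section "Interfaces"      '^IP='                                               "$1"
}

mem_used() {  # mem_used LOGFILE -> integer percent from "Memory states: NN% used"
  sed -n 's/^Memory states: \([0-9]*\)% used.*/\1/p' "$1"
}

# One line per item that needs a human: non-zero fail/error counters, disks the
# firmware could not mount (and the alert it raises for them), memory pressure.
findings() {  # findings LOGFILE
  grep -E '(fail|error[0-9]+)=0*[1-9]' "$1" | sed 's/^/counter: /'
  grep -E 'mounted: N|Log disk is unavailable' "$1" | sed 's/^/disk: /'
  m=$(mem_used "$1")
  if [ "${m:-0}" -ge "$MEM_WARN" ]; then
    echo "memory: ${m}% used (threshold ${MEM_WARN}%)"
  fi
}

finding_count() {  # finding_count LOGFILE -> number of findings
  findings "$1" | grep -c . || true
}

SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
printf '%s\n' "$SAMPLE_LOG" > "$SAMPLE_FILE"

digest "$SAMPLE_FILE"
echo "# Findings"
findings "$SAMPLE_FILE"
echo "# $(finding_count "$SAMPLE_FILE") item(s) need attention"
```

To use it on a real capture, replace the SAMPLE_FILE lines with the check_YYYYMMDD.log produced by the ssh pipeline above; finding_count gives a number a cron job can act on, while the digest stays readable for the person who has to look at it afterward.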