FortiGate firewall OSPF configuration
How to filter or control redistributed routes on a FortiGate firewall

Version: 1.0
Date: April 2013
Supported versions: N/A
Status: reviewed
Feedback: support_cn@
Description: This document describes how to filter or control the redistribution of static and connected routes into OSPF.
In this example, FG80C and FG300A are neighbors in area 0.0.0.0. Only part of FG80C's routes should be redistributed to FG300A:
- the connected network 10.168.6.0/23
- the static route 10.11.0.0/24

Configuration:

1. Configuration before route filtering

FGT80C:

config router ospf
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.168.0.0 255.255.254.0
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
        set status enable
    end
    set router-id 0.0.0.114
end

FGT80C # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 172.31.225.254, wan1
S       10.11.0.0/24 [10/0] via 10.168.4.103, vlan4
S       10.12.0.0/24 [10/0] via 10.168.4.103, vlan4
C       10.168.0.0/23 is directly connected, internal
C       10.168.4.0/23 is directly connected, vlan4
C       10.168.6.0/23 is directly connected, wan2
C       172.31.224.0/23 is directly connected, wan1

FG300A:

config router ospf
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.168.0.0 255.255.254.0
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    set router-id 0.0.0.137
end

FG300A # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.183.254, port5
O E2    10.11.0.0/24 [110/10] via 10.168.1.114, port1, 00:07:25
O E2    10.12.0.0/24 [110/10] via 10.168.1.114, port1, 00:07:25
C       10.168.0.0/23 is directly connected, port1
O E2    10.168.4.0/23 [110/10] via 10.168.1.114, port1, 00:00:38
O E2    10.168.6.0/23 [110/10] via 10.168.1.114, port1, 00:07:33
O E2    172.31.224.0/23 [110/10] via 10.168.1.114, port1, 00:00:38
C       192.168.100.0/24 is directly connected, port2
C       192.168.182.0/23 is directly connected, port5

2. FG80C configuration after adding the filter

Each access list contains one exact-match rule (the default rule action is permit; routes that match no rule are denied), and each route-map references its access list. The route-maps are then attached to the corresponding redistribute entries.

FGT80C:

config router access-list
    edit "OnlyNet6"
        config rule
            edit 1
                set prefix 10.168.6.0 255.255.254.0
                set exact-match enable
            next
        end
    next
    edit "1"
    next
    edit "OnlyNet11"
        config rule
            edit 1
                set prefix 10.11.0.0 255.255.255.0
                set exact-match enable
            next
        end
    next
end
config router route-map
    edit "Map-OnlyNet6"
        config rule
            edit 1
                set match-ip-address "OnlyNet6"
            next
        end
    next
    edit "Map-OnlyNet11"
        config rule
            edit 1
                set match-ip-address "OnlyNet11"
            next
        end
    next
end
config router ospf
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.168.0.0 255.255.254.0
        next
    end
    config redistribute "connected"
        set status enable
        set routemap "Map-OnlyNet6"
    end
    config redistribute "static"
        set status enable
        set routemap "Map-OnlyNet11"
    end
    set router-id 0.0.0.114
end

3. Check the routing table on FG300A

FG300A2904500072 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.183.254, port5
O E2    10.11.0.0/24 [110/10] via 10.168.1.114, port1, 00:01:07
C       10.168.0.0/23 is directly connected, port1
O E2    10.168.6.0/23 [110/10] via 10.168.1.114, port1, 00:01:35
C       192.168.100.0/24 is directly connected, port2
C       192.168.182.0/23 is directly connected, port5

After filtering, only the two target routes are redistributed into OSPF.
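To make the exact-match semantics above concrete, the following Python models the FortiOS access-list rule matching (exact-match enable matches only the identical prefix; disable matches any route inside the prefix; no match is an implicit deny) and checks the simulated result against the FG300A routing tables quoted above. This is an added example, not part of the original document; the FG80C route list and the routing-table text are copied from the output above, and the loose /21 rule at the end is a constructed counter-example.

```python
"""Simulate FortiOS access-list / route-map filtering of routes redistributed into OSPF."""
import ipaddress
import re

# Routes on FG80C before filtering, taken from its routing table above.
# The static default route is left out of this model: originating a default
# route into OSPF is governed by default-information-originate, not covered here.
FG80C_ROUTES = [
    ("10.11.0.0/24", "static"),
    ("10.12.0.0/24", "static"),
    ("10.168.0.0/23", "connected"),
    ("10.168.4.0/23", "connected"),
    ("10.168.6.0/23", "connected"),
    ("172.31.224.0/23", "connected"),
]

# The two access lists from the configuration above, prefixes in FortiOS "address mask" form.
ONLY_NET6 = [{"prefix": "10.168.6.0 255.255.254.0", "exact_match": True}]
ONLY_NET11 = [{"prefix": "10.11.0.0 255.255.255.0", "exact_match": True}]

# Routing-table lines copied from the FG300A output above (constructed test fixture).
FG300A_BEFORE = """\
S* 0.0.0.0/0 [10/0] via 192.168.183.254, port5
O E2 10.11.0.0/24 [110/10] via 10.168.1.114, port1, 00:07:25
O E2 10.12.0.0/24 [110/10] via 10.168.1.114, port1, 00:07:25
C 10.168.0.0/23 is directly connected, port1
O E2 10.168.4.0/23 [110/10] via 10.168.1.114, port1, 00:00:38
O E2 10.168.6.0/23 [110/10] via 10.168.1.114, port1, 00:07:33
O E2 172.31.224.0/23 [110/10] via 10.168.1.114, port1, 00:00:38
C 192.168.100.0/24 is directly connected, port2
C 192.168.182.0/23 is directly connected, port5
"""
FG300A_AFTER = """\
S* 0.0.0.0/0 [10/0] via 192.168.183.254, port5
O E2 10.11.0.0/24 [110/10] via 10.168.1.114, port1, 00:01:07
C 10.168.0.0/23 is directly connected, port1
O E2 10.168.6.0/23 [110/10] via 10.168.1.114, port1, 00:01:35
C 192.168.100.0/24 is directly connected, port2
C 192.168.182.0/23 is directly connected, port5
"""


def _net(prefix: str) -> ipaddress.IPv4Network:
    """Accept '10.168.6.0 255.255.254.0' (FortiOS form) or '10.168.6.0/23'."""
    return ipaddress.ip_network(prefix.replace(" ", "/"), strict=False)


def rule_matches(rule: dict, route: str) -> bool:
    """exact-match enable: only the identical prefix; disable: any route inside the prefix."""
    wanted, candidate = _net(rule["prefix"]), _net(route)
    if rule.get("exact_match", False):
        return candidate == wanted
    return candidate.subnet_of(wanted)


def access_list_permits(rules: list, route: str) -> bool:
    """The first matching rule decides (default action permit); no match is an implicit deny."""
    for rule in rules:
        if rule_matches(rule, route):
            return rule.get("action", "permit") == "permit"
    return False


def redistributed(routes, redistribute: dict) -> set:
    """redistribute maps a route source ('connected', 'static') to its access-list
    rules, or to None when the redistribute entry has no route-map attached."""
    result = set()
    for prefix, source in routes:
        if source not in redistribute:
            continue
        rules = redistribute[source]
        if rules is None or access_list_permits(rules, prefix):
            result.add(prefix)
    return result


_E2_LINE = re.compile(r"^O E2 (\S+) ")


def ospf_external_routes(table_text: str) -> set:
    """Prefixes that the remote FortiGate learned as OSPF external type 2 routes."""
    found = set()
    for line in table_text.splitlines():
        m = _E2_LINE.match(line.strip())
        if m:
            found.add(m.group(1))
    return found
```

Running the functions against the "after" table shows the filter yields exactly 10.168.6.0/23 and 10.11.0.0/24; the "before" table lacks only 10.168.0.0/23, because FG300A prefers its own directly connected copy of that prefix over the E2 route.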
OSPF configuration steps

1. Device configuration: load the OSPF module on the network device and enable and configure the routing protocol; a routing protocol must be configured before it can be used.
2. Configure the Router ID: the Router ID identifies a router node that communicates using OSPF. It is unique among routers, must be defined explicitly in the initial OSPF configuration steps, and cannot be chosen by the system.
Any 32-bit IPv4 address may be used, usually the IP address of a router interface or a dedicated loopback address.
3. Define networks: a network is the logical connection between the OSPF subnet relationships and the connection points between router nodes.
When defining a network, a "host" IP address must be specified; it determines on which side of the interface between adjacent networks of router nodes OSPF is enabled.
4. Specify areas: areas divide the routers into one or more network topologies so that the transmission and collection of routing entries can be managed.
The OSPF protocol is divided into area, network and host types, and each type runs a different OSPF protocol.
5. Define router nodes: a router node is a separation point in the OSPF network that connects to another part of the network.
In the network every router is an independent entity, associated with router nodes that own part of a network range with a different or the same network address.
6. Set up the network topology: once the network is set up, different network topologies can be arranged as required, including internal, external and cross-network topologies.
In addition, OSPF routing records can be added to control traffic, and the OSPF links between the routers of the topology can be managed.
7. OSPF security configuration: OSPF security configuration is important; it can prevent attacks from "confederate" routers and "source routing" attacks, protecting the network from external threats and ensuring network stability.
8. OSPF performance tuning: OSPF performance can be tuned by changing link delays, using weighted routing and similar measures, to optimize the communication efficiency and performance of the OSPF network.
9. Run tests: test that OSPF is working and verify that the configuration is correct, to ensure OSPF is correct and secure. During testing, check the configuration, state and link data to ensure correct routing decisions and stable communication.
Common FortiGate firewall configuration commands

1. Command structure

config    Configure object. Configure policies, objects and so on
get       Get dynamic and system information. View the parameters of the relevant object
show      Show configuration. View the configuration file
diagnose  Diagnose facility. Diagnostic commands
execute   Execute static commands. Common tool commands such as ping
exit      Exit the CLI. Exit

2. Common commands

1) Configure an interface address:
FortiGate # config system interface
FortiGate (interface) # edit lan
FortiGate (lan) # set ip 192.168.100.99/24
FortiGate (lan) # end

2) Configure a static route:
FortiGate # config router static
FortiGate (static) # edit 1
FortiGate (1) # set device wan1
FortiGate (1) # set dst 10.0.0.0 255.0.0.0
FortiGate (1) # set gateway 192.168.57.1
FortiGate (1) # end

3) Configure a default route (a new static route entry has the destination 0.0.0.0/0 by default):
FortiGate # config router static
FortiGate (static) # edit 1
FortiGate (1) # set gateway 192.168.57.1
FortiGate (1) # set device wan1
FortiGate (1) # end

4) Add an address:
FortiGate # config firewall address
FortiGate (address) # edit clientnet
new entry 'clientnet' added
FortiGate (clientnet) # set subnet 192.168.1.0 255.255.255.0
FortiGate (clientnet) # end

5) Add an IP pool:
FortiGate # config firewall ippool
FortiGate (ippool) # edit nat-pool
new entry 'nat-pool' added
FortiGate (nat-pool) # set startip 100.100.100.1
FortiGate (nat-pool) # set endip 100.100.100.100
FortiGate (nat-pool) # end

6) Add a virtual IP:
FortiGate # config firewall vip
FortiGate (vip) # edit webserver
new entry 'webserver' added
FortiGate (webserver) # set extip 202.0.0.167
FortiGate (webserver) # set extintf wan1
FortiGate (webserver) # set mappedip 192.168.0.168
FortiGate (webserver) # end

7) Configure an Internet access policy:
FortiGate # config firewall policy
FortiGate (policy) # edit 1
FortiGate (1) # set srcintf internal      // source interface
FortiGate (1) # set dstintf wan1          // destination interface
FortiGate (1) # set srcaddr all           // source address
FortiGate (1) # set dstaddr all           // destination address
FortiGate (1) # set action accept         // action
FortiGate (1) # set schedule always       // schedule
FortiGate (1) # set service ALL           // service
FortiGate (1) # set logtraffic disable    // logging switch
FortiGate (1) # set nat enable            // enable NAT
FortiGate (1) # end

8) Configure a mapping (inbound) policy:
FortiGate # config firewall policy
FortiGate (policy) # edit 2
FortiGate (2) # set srcintf wan1          // source interface
FortiGate (2) # set dstintf internal      // destination interface
FortiGate (2) # set srcaddr all           // source address
FortiGate (2) # set dstaddr FortiGate1    // destination address: the virtual IP mapping created beforehand
FortiGate (2) # set action accept         // action
FortiGate (2) # set schedule always       // schedule
FortiGate (2) # set service ALL           // service
FortiGate (2) # set logtraffic all        // logging switch
FortiGate (2) # end

9) Change the internal switch interface into routed interfaces. Make sure all routes, DHCP settings and firewall policies that reference the internal interface have been deleted first:
FortiGate # config system global
FortiGate (global) # set internal-switch-mode interface
FortiGate (global) # end
Then reboot.

System status commands:
1) View the hostname and management ports: FortiGate # show system global
2) View system status and current resource usage: FortiGate # get system performance status
3) View application traffic statistics: FortiGate # get system performance firewall statistics
4) View the ARP table: FortiGate # get system arp
5) View detailed ARP information: FortiGate # diagnose ip arp list
6) Clear the ARP cache: FortiGate # execute clear system arp table
7) View the current session table: FortiGate # diagnose sys session stat, or FortiGate # diagnose sys session full-stat
8) View the session list: FortiGate # diagnose sys session list
9) View physical interface status: FortiGate # get system interface physical
10) View the default route configuration: FortiGate # show router static
11) View the static routes in the routing table: FortiGate # get router info routing-table static
12) View the OSPF configuration: FortiGate # show router ospf
13) View the global routing table: FortiGate # get router info routing-table all

HA commands:
1) View HA status: FortiGate # get system ha status
2) Check whether the primary and secondary units are synchronized: FortiGate # diagnose sys ha showcsum

3. Diagnostic command:
FortiGate # diagnose debug application ike -1

execute commands:
FortiGate # execute ping 8.8.8.8                      // ordinary ping
FortiGate # execute ping-options source 192.168.1.200 // set the source address of the ping packets to 192.168.1.200
FortiGate # execute ping 8.8.8.8                      // then enter the ping target; the ping is now sent from source 192.168.1.200
FortiGate # execute traceroute 8.8.8.8
FortiGate # execute telnet 2.2.2.2                    // telnet to a host
FortiGate # execute ssh 2.2.2.2                       // ssh to a host
FortiGate # execute factoryreset                      // restore factory defaults
FortiGate # execute reboot                            // reboot the unit
FortiGate # execute shutdown                          // shut the unit down
Fortinet OSPF configuration guide

Integrating Fortinet into an OSPF Network
Version 1.0
Date 10/11/04
Product FortiOS 2.8
Description This technical note describes the configuration steps necessary to integrate Fortinet into an OSPF network.
Author Jason Clark
Send comments regarding this document to *******************

Contents
Introduction
Configuration
Validation
System Resources
Secure OSPF Configuration
Appendix
References

Introduction

OSPF is a link state routing protocol based on the SPF (shortest path first) algorithm. Hence each router maintains a link state database which defines the topology of the Autonomous System. An autonomous system is comprised of a group of areas connected to a backbone.

Fortinet can participate within OSPF areas, as well as act as an ABR or ASBR. There are four required configuration steps in order to enable OSPF support within a FortiGate platform. This document covers these four requirements: router id, area, network, and interfaces. We will also touch on some best practices for securing OSPF.

This technical note assumes a basic understanding of the OSPF protocol. For additional OSPF information please review RFC 2328.

Configuration

There are a number of configurable OSPF options within FortiOS 2.8. OSPF settings are currently configurable via the FortiOS command line interface. This section covers the required configurable parameters for enabling OSPF. The four parameters discussed are as follows:
Router ID
Area
Network
OSPF Interface

Router ID

By default Fortinet does not create a Router ID value. Thus, this must be manually configured. The Router ID should be a 32-bit number that uniquely identifies a participating router within a routing domain or Autonomous System. A Router ID of 0.0.0.0 is not allowed as this value is used during the designated router and BDR elections.

Perform the following steps to configure the router id:
Enter OSPF router configuration mode
configure router ospf <enter>
From the ospf# prompt, set the 32-bit router id.
set router-id ip address <enter>
Type end to save changes

Example
configure router ospf
set router-id 192.168.1.99
end

Area

Routing devices in an OSPF Autonomous System are organized into groupings referred to as areas. All routers within an area maintain link state databases for their specific area. An area id of 0 or 0.0.0.0 indicates the backbone area. There must be a backbone to which areas can connect. Virtual links can be used for areas that do not have a connection to the backbone. A maximum of 20 areas is allowed across all models.

Perform the following steps to specify the area in which the FortiGate will participate:
Enter OSPF router configuration mode
configure router ospf <enter>
From the ospf# prompt enter the area sub menu
configure area <enter>
From the area# prompt create the area ID
edit area ID <enter>
Type end to save changes

Example
configure router ospf
configure area
edit 0.0.0.0
end

Note: Within the area menu, you have the option to configure additional parameters such as area type, authentication, and filtering. Some of these optional parameters will be covered later in this document.

Network

Within a FortiGate the network command specifies networks and interfaces belonging to an Area. Multiple networks can be assigned to a single physical network. A maximum of 100 networks is allowed across all models.

Perform the following steps to assign a network interface (or interfaces) to an area:
Enter OSPF router configuration mode
configure router ospf <enter>
Enter the network configuration submenu
configure network <enter>
Create a network entry ID in the form of an integer
edit integer <enter>
Create subnet/supernet
set prefix IP Subnet Mask <enter>
Attach network to specific area
set area area_id <enter>
Type end to save changes

Note: Multiple networks can be defined by creating additional ID integers.

OSPF Interface

To apply your OSPF configuration, you must specify an interface name, IP address, as well as a physical interface. Within the OSPF interface configuration you also have the ability to configure additional parameters that will help determine link state information. Such parameters include cost, priority, and status, among others. Descriptions of these optional parameters can be found in the FortiGate 2.8 CLI reference guide.

Perform the following steps to apply an OSPF configuration to a specific interface (or interfaces):
Enter OSPF router configuration mode
configure router ospf <enter>
Enter interface configuration mode
configure ospf-interface <enter>
Create a descriptive interface name
edit interface name <enter>
Specify a physical interface
set interface interface name <enter>
Note: interface_name must be a configured physical interface
Type end to save changes

Example
configure router ospf
configure ospf-interface
edit internal
set interface internal
end

Validation

FortiOS offers various commands to validate and verify OSPF configuration.
We will cover multiple verification options.

To validate that OSPF is enabled on a specific interface we will use the following command
get router info ospf interface <enter>
The output should be as follows

wan2 is down, line protocol is down
  OSPF not enabled on this interface
wan1 is up, line protocol is up
  OSPF not enabled on this interface
dmz is up, line protocol is up
  OSPF not enabled on this interface
internal is up, line protocol is up
  Internet Address 192.168.1.99/24, Area 0.0.0.0, MTU 1500
  Router ID 192.168.1.99, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 192.168.1.99, Interface Address 192.168.1.99
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:08
  Neighbor Count is 1, Adjacent neighbor count is 1
  Crypt Sequence Number is 0
  Hello received 81 sent 81, DD received 8 sent 3
  LS-Req received 0 sent 3, LS-Upd received 4 sent 2
  LS-Ack received 2 sent 3, Discarded 0
root is up, line protocol is up
  OSPF not enabled on this interface
ppp0 is up, line protocol is up
  OSPF not enabled on this interface

The above output tells us that OSPF is enabled on the internal interface and this device is acting as the Designated Router. We also see that our adjacent neighbor count is 1.

To view our OSPF neighbors use the following command
get router info ospf neighbor <enter>
The output should be as follows

Neighbor ID     Pri   State   Dead Time   Address        Interface
192.168.1.32    0     Full    00:00:38    192.168.1.32   internal

To view the current OSPF routing entries use the following
get router info ospf route <enter>
The output should be as follows

OSPF process 1:
Codes: C - connected, D - Discard, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2

E1 0.0.0.0/0 [12] via 192.168.1.99, port1
E1 10.33.3.1/32 [11] via 192.168.1.99, port1
O  192.168.1.0/24 [10] is directly connected, port1, area 0
E1 192.168.102.0/24 [11] via 192.168.1.99, port1

The OSPF routing table may also be viewed from the Web UI (the screenshot is not reproduced in this text).

System Resources

There are two main system resource factors to keep in mind when implementing a FortiGate into your OSPF network. The first is memory, as OSPF utilizes system memory to store routing information. The size of an OSPF LSA is a minimum of 32 bytes, although it is typically around 64 bytes. The second resource factor is CPU utilization. The SPF algorithm uses CPU cycles to generate routing entries when link state changes. By default a FortiGate will perform an SPF calculation 5 seconds after receiving new routing information. When integrating a FortiGate into an OSPF network proper sizing is critical as FortiOS utilizes memory and CPU for additional functions. Additional parameters can be tuned to ensure optimum resource utilization. Some of these parameters will be covered below.

SPF Timers

Fortinet allows for the configuration of SPF delay time and SPF hold time as discussed below. The SPF delay_integer specifies the delay after a routing update is received until the SPF calculation is performed. The SPF hold_integer specifies the time between SPF calculations. The default in seconds is 5 for the delay_integer and 10 for the hold_integer. If the OSPF routing environment permits, you can increase the delay and the interval at which SPF calculations are performed.

To adjust these values, perform the following:
Enter OSPF router configuration mode
configure router ospf <enter>
Configure values where the first number is the delay integer and the second is the hold integer
set spf-timers delay_integer hold_integer <enter>

Example
configure router ospf
set spf-timers 60 3600
end

Database Overflow

Database overflow configuration can provide relief from unnecessary or sudden flooding of LSAs. While the database overflow state cannot validate the quality of an LSA, it can limit the database usage. Additional information on the database overflow state can be found in RFC 1765.

To enable database overflow follow the steps below:
Enter OSPF router configuration mode
configure router ospf <enter>
Enable database overflow
set database-overflow enable <enter>
Set the number of external LSAs that can be stored in a link state database before entering the overflow state. A valid integer is between 0 and 4294967294.
set database-overflow-max-lsas integer <enter>
Type end to save changes

Example
configure router ospf
set database-overflow enable
set database-overflow-max-lsas 5000
end
end

Stub Area

Configuring your FortiGate to participate in a stub area can also reduce the size of the database as well as the number of SPF calculations. Stub areas reject the flooding of external LSAs into the area.

For FortiGate stub area configuration follow the steps below:
Enter OSPF router configuration mode
configure router ospf <enter>
Enter area configuration
configure area <enter>
Edit the desired area
edit area area_id <enter>
Set the area type
set type stub <enter>

Example
configure router ospf
configure area
edit 0.0.0.0
set type stub
end
end

Secure OSPF Configuration

OSPF is not an inherently secure routing protocol, thus there are some security issues that should be discussed.
OSPF is not only vulnerable to malicious activity, but to administrator misconfigurations as well.

Broadcasting

The default OSPF behavior within a FortiGate is to broadcast LSA updates via multicast. With broadcast mode enabled, misconfigurations in routing can be propagated throughout a routing domain. Adjacent devices configured to broadcast can introduce possible malicious route injections.

FortiOS offers multiple network types per OSPF interface including broadcast, non-broadcast, point-to-point, and point-to-multipoint. For our purposes, we will cover the steps necessary to configure non-broadcast mode.
Enter OSPF router configuration mode
configure router ospf <enter>
Enter interface configuration mode
configure ospf-interface <enter>
Edit the OSPF interface
edit interface name <enter>
Set the network-type to non-broadcast
set network-type non-broadcast <enter>

Now that non-broadcast is enabled, we must configure our adjacent neighbors. The following steps are required to configure adjacent neighbors:
Enter OSPF router configuration mode
configure router ospf <enter>
Enter the neighbor configuration sub category
configure neighbor <enter>
Create a neighbor entry ID in the form of an integer
edit integer <enter>
Specify the IP address of the neighbor router
set ip IP address <enter>
Type end to save changes

Example
configure router ospf
configure ospf-interface
edit internal
set network-type non-broadcast
end
configure neighbor
edit 1
set ip 192.168.1.32
end
end

Authentication

By default authentication is not required to receive routing updates into the link state database. This introduces obvious vulnerabilities such as unauthorized route injections and spoofed routing devices.

To enable authentication for an interface follow the steps below:
Enter OSPF router configuration mode
configure router ospf <enter>
Enter the OSPF interface sub category
configure ospf-interface <enter>
Edit the desired OSPF interface
edit Interface_name <enter>
Set the authentication type
set authentication md5 <enter>
Create an md5 entry and key to be used for authentication
set md5-key integer_id md5_key <enter>
Type end to save changes

Example
configure router ospf
configure ospf-interface
edit internal
set authentication md5
set md5-key 1 fortinet
end
end

Access Lists

Although a FortiGate employs stateful inspection firewall functionality, firewall rules are not applied to OSPF routing updates destined for itself. Fortinet does however provide the ability to create access lists to control source and destination routing communication.

To configure OSPF access lists follow the steps below:
Enter the access list configuration sub menu
configure router access-list <enter>
Create a descriptive access list name
edit access_list_name <enter>
Enter the rule configuration sub menu
configure rule <enter>
Create an access rule number in the form of an integer
edit integer_id <enter>
Specify the access list action as permit or deny
set action permit | deny <enter>
Specify the network or IP that the action will apply to
set prefix network number <enter>
Type end to save changes

Once the access list has been created it is necessary to apply it to the OSPF area:
Enter OSPF router configuration mode
configure router ospf <enter>
From the ospf# prompt enter the area sub menu
configure area <enter>
From the area# prompt create the area ID
edit area ID <enter>
Enter the filter list sub menu
configure filter-list <enter>
Create a new filter list in the form of an integer
edit integer_id <enter>
Specify the direction in which the access list will be applied
set direction in | out <enter>
Specify the access list to be applied (by the name given when it was created)
set list access_list_name <enter>
Type end to save changes

Example
configure router access-list
edit OSPF_ACL
configure rule
edit 1
set action permit
set prefix 192.168.1.0 255.255.255.0
end
configure router ospf
configure area
edit 0.0.0.0
configure filter-list
edit 1
set direction in
set list OSPF_ACL
end
end

ASBR

It is not recommended to configure your FortiGate platform as an ASBR (Autonomous System Border Router). ASBRs are used to receive and distribute external routing information. An ASBR will flood external LSAs throughout non-stub areas. Typically only a single ASBR exists for a single Autonomous System. The implication of this is that routing updates cannot be verified against other ASBRs. This is in contrast to the behavior of ABRs, where multiple border routers may exist and perform an inherent validation of routing updates.

When configuring a FortiGate as an ASBR is absolutely necessary, enabling database overflow can help with the flooding of excess routes. Additional information on database overflow can be found in RFC 1765.

To configure database overflow parameters follow the steps below:
Enter OSPF router configuration mode
configure router ospf <enter>
Enable database overflow
set database-overflow enable <enter>
Set the number of external LSAs that can be stored in a link state database before entering the overflow state. A valid integer is between 0 and 4294967294.
set database-overflow-max-lsas integer <enter>
Type end to save changes

Example
configure router ospf
set database-overflow enable
set database-overflow-max-lsas 5000
end
end

Appendix

Extreme Configuration
configure ospf add vlan vlan_192 area 0.0.0.0
configure ospf vlan_192 authentication encrypted md5 1
enable ospf export direct cost 10 type ase-type-1 tag 0
enable ospf

Cisco Configuration
router ospf 1
network 192.168.1.0 255.255.255.0 area 0
router-id 192.168.1.32

FortiOS 2.8 Configuration
configure router ospf
set abr-type standard
configure area
edit 0.0.0.0
next
end
set default-information-originate always
configure network
edit 1
set prefix 192.168.1.0 255.255.255.0
set area 0.0.0.0
next
end
configure ospf-interface
edit "port1"
set interface "port1"
set ip 192.168.1.61
next
end
configure redistribute "connected"
set status enable
end
configure redistribute "static"
set status enable
end
configure redistribute "rip"
set status enable
end
set router-id 192.168.1.61
end

References
FortiGate 2.8 MR5 Command Line Reference Guide
RFC 1765
RFC 2328
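The MD5 authentication that the Authentication section above enables with set authentication md5 and set md5-key follows RFC 2328 Appendix D: the OSPF checksum is left at zero, the 8-byte authentication field carries a key ID, the digest length and a cryptographic sequence number, and a 16-byte MD5 digest of the packet plus the zero-padded key is appended after the packet. The following Python is an added example, not part of the technote, that builds a Hello, authenticates it and verifies it the way a receiving router does, including the sequence-number replay check; the key "fortinet", key ID 1, router IDs 192.168.1.99 and 192.168.1.32 and area 0.0.0.0 are taken from the technote's own examples, everything else is constructed.

```python
"""OSPFv2 cryptographic (MD5) authentication as in RFC 2328 Appendix D."""
import hashlib
import hmac
import socket
import struct

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTYPE_CRYPTO = 2       # AuType value for cryptographic authentication
AUTH_LEN = 16           # length of the padded key and of the MD5 digest
HEADER_FMT = "!BBH4s4sHH8s"   # version, type, length, router id, area id, checksum, autype, auth
HEADER_LEN = 24


def ip(addr: str) -> bytes:
    return socket.inet_aton(addr)


def pad_key(key: bytes) -> bytes:
    """A key shorter than 16 bytes is zero-padded; longer keys are not allowed."""
    if len(key) > AUTH_LEN:
        raise ValueError("OSPF MD5 key is at most 16 bytes")
    return key.ljust(AUTH_LEN, b"\x00")


def build_hello(router_id: str, area_id: str, key_id: int, seq: int, neighbors=()) -> bytes:
    """Hello packet with Hello 10 / Dead 40 / priority 1 and the sender as DR (constructed)."""
    body = ip("255.255.255.0") + struct.pack("!HBBI", 10, 0x02, 1, 40)
    body += ip(router_id) + ip("0.0.0.0")          # DR, no BDR
    for n in neighbors:
        body += ip(n)
    length = HEADER_LEN + len(body)               # the digest is NOT counted in the length field
    auth = struct.pack("!HBBI", 0, key_id, AUTH_LEN, seq)
    header = struct.pack(HEADER_FMT, OSPF_VERSION, OSPF_HELLO, length,
                         ip(router_id), ip(area_id), 0, AUTYPE_CRYPTO, auth)
    return header + body


def sign(packet: bytes, key: bytes) -> bytes:
    """Append MD5(packet || padded key); the key itself never goes on the wire."""
    return packet + hashlib.md5(packet + pad_key(key)).digest()


class Verifier:
    """Receiver side: known keys by key ID and the last sequence number per router."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last_seq = {}

    def verify(self, wire: bytes) -> bool:
        if len(wire) < HEADER_LEN + AUTH_LEN:
            return False
        version, _ptype, length, rid, _area, _csum, autype, auth = struct.unpack(
            HEADER_FMT, wire[:HEADER_LEN])
        if version != OSPF_VERSION or autype != AUTYPE_CRYPTO:
            return False
        _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
        if auth_len != AUTH_LEN or length + AUTH_LEN != len(wire):
            return False
        key = self.keys.get(key_id)
        if key is None:                            # unknown key ID: drop
            return False
        packet, digest = wire[:length], wire[length:]
        expected = hashlib.md5(packet + pad_key(key)).digest()
        if not hmac.compare_digest(expected, digest):
            return False                           # forged or modified packet
        if seq < self.last_seq.get(rid, 0):
            return False                           # replay: sequence number went backwards
        self.last_seq[rid] = seq
        return True
```

MD5 is used here because it is what the FortiOS 2.8 CLI on this page offers; the construction authenticates the packet and blocks replays of older packets, but does not encrypt anything.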
Key points of routing and transparent mode on FortiGate firewalls

Policy routing
• Policy routes bind traffic to static routes so that certain kinds of traffic can be routed differently. The destination to which traffic is sent is determined by the protocol, source address or interface, and destination address or port of the incoming (inbound) traffic. For example, network traffic normally enters the router of the subnet, but you may want SMTP or POP3 traffic sent directly to the mail server; policy routing can be applied in that case. When policy routes exist and a packet arrives at the FortiGate unit, the FortiGate unit works through the policy routing table in order and tries to find a policy that matches the packet. If a match is found and the policy contains enough information to route the packet (it must specify the IP address of the next hop and the interface through which the FortiGate unit forwards the packet), the FortiGate unit routes the packet using the information in the policy. If no policy matches the packet, the FortiGate unit routes the packet using the routing table. Note: because most policy settings are optional, a matching policy may still not give the FortiGate unit enough information to forward the packet. The FortiGate unit then turns to the routing table and tries to match the information in the packet header against the routes in the routing table. For example, if the policy only lists the name of the outgoing interface, the FortiGate unit looks up the IP address of the next hop in the routing table. This happens only when the FortiGate interface receives its IP address dynamically (for example DHCP or PPPoE is configured on the interface) or when you cannot specify the next-hop IP address because the IP address changes dynamically.
Route decision process (2)
Decision priority:
1. Subnet mask: the larger mask (the smaller network range) wins
2. Administrative distance: the lower distance wins
3. Route priority: the lower the priority value, the closer the route is to being preferred
How can 3 be made to take precedence over 2?
Route decision process (3)
Multipath selection
• Multipath routing occurs when several entries in the routing table lead to the same destination. When it occurs, the FortiGate unit may have several possible next hops for an incoming packet, forcing it to decide which next hop is the best choice. There are two ways to resolve multiple routes to the same destination manually: lower the administrative distance of a route, or set the priority of the routes. The administrative distance determines the precedence of the available routes. Every entry in the routing table has an administrative distance. If the routing table contains several entries pointing to the same destination (these entries may have different gateway and interface settings), the FortiGate unit compares the administrative distances of the entries, selects the entry with the lowest administrative distance and places it in the FortiGate forwarding table as the route. Consequently, the FortiGate forwarding table contains only the route with the lowest administrative distance to each possible destination.
FortiGate firewall 10: routing and transparent mode

• A loopback interface can only be created from the CLI (set type loopback)
Enabling transparent mode
Differences between transparent mode and route mode
• No routing function
• No support for SSL VPN, PPTP or L2TP
• No support for interface-mode VPN
Lab
Lab topology (diagram not reproduced): the Internet is reached through a CERNET link on 192.168.11.1/24 with mapped addresses 192.168.11.2x, and through a second link on 192.168.3.1/24 with mapped addresses 192.168.3.2x; the servers sit on 10.0.X.0/24.

Static routes in the lab (destination network / outgoing interface / next-hop gateway / distance; the interface column did not survive extraction):
0.0.0.0/0   -   192.168.3.254    10
0.0.0.0/0   -   192.168.11.254   10

Order of preference:
1. The larger subnet mask wins
2. The shorter path length (distance) wins
3. The route priority (lower wins)

Confirming that a configured route is in effect
Router > Monitor shows the routes currently in effect. Whether a route takes effect depends on several factors:
• whether the associated interface is working (physically connected and UP)
• whether the route is valid according to its mask and distance value
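The selection order these slides describe (longest mask, then lowest distance, then lowest priority, with an interface that is down removing its routes) can be written down directly. The following Python is an added example, not from the course material; the lab table is constructed from the two default routes on the slide plus a server network with X=1, and it also shows the equal-cost case that the multipath slide above calls load balancing.

```python
"""Route selection as described on these slides: longest mask, then lowest
distance, then lowest priority; routes tied on all three are equal-cost paths."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: str             # destination network
    interface: str          # outgoing interface
    gateway: str            # next-hop gateway
    distance: int = 10      # administrative distance (FortiOS default for a static route)
    priority: int = 0       # tie-breaker among routes with equal mask and distance
    link_up: bool = True    # a route is only usable while its interface is up


def usable_routes(table, dst: str):
    """Routes whose interface is up and whose prefix contains dst."""
    addr = ipaddress.ip_address(dst)
    return [r for r in table if r.link_up and addr in ipaddress.ip_network(r.prefix)]


def rank(route: Route):
    """Sort key, smaller is better: longest mask first, then distance, then priority."""
    return (-ipaddress.ip_network(route.prefix).prefixlen, route.distance, route.priority)


def best_routes(table, dst: str):
    """All routes tied for best; more than one means equal-cost multipath."""
    cands = sorted(usable_routes(table, dst), key=rank)   # sorted() is stable
    if not cands:
        return []
    top = rank(cands[0])
    return [r for r in cands if rank(r) == top]


# Constructed lab table: the two default routes from the slide and a connected
# server network (distance 0, as FortiOS shows directly connected routes).
LAB_TABLE = [
    Route("0.0.0.0/0", "wan1", "192.168.3.254"),
    Route("0.0.0.0/0", "wan2", "192.168.11.254"),
    Route("10.0.1.0/24", "dmz", "0.0.0.0", distance=0),
]
```

Lowering the priority value of one default route (or raising the other's distance) collapses the equal-cost pair to a single preferred route, while a route to a longer prefix always wins regardless of distance or priority.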
Lab 1
• Internal traffic is load-balanced across the two links
• Traffic from 10.0.X.1 to the Internet may only leave through the DMZ
• The internal servers are mapped onto both links for access from outside
Lab 2
• Unplug the WAN2 link, switch the unit to transparent mode and configure it so that Internet access works; set the firewall's IP address to 192.168.11.100+x and let the PC obtain its IP address through DHCP
Routing and transparent mode
Course 201 v4.0
Supported route types
Configuring routing on a FortiGate unit means providing the information the FortiGate unit needs to forward packets to a particular destination.
• Static: static routes, directly connected networks, default route
• Dynamic: RIP, OSPF, BGP
Configuring the FortiGate dynamic routing protocol OSPF

This document describes the configuration of the OSPF dynamic routing protocol on all FortiGate units.
Environment: a FortiGate 400A is used for the demonstration.
Supported system versions: FortiOS v2.8 and later.
OSPF: a link-state routing protocol that uses multicast updates and converges quickly; suited to medium and large networks.
FortiGate units support OSPF version 2; see RFC 2328.

Step 1: set the router ID. Router ID: an IP address that uniquely identifies the FortiGate unit; it can be set arbitrarily. If left blank, the highest interface IP address is chosen by default.

Step 2: create an area. Under Areas, click Create New.
Area: a 32-bit IP address that uniquely identifies an area; area 0.0.0.0 is the backbone.
Type: FortiGate units support regular, NSSA and stub areas.
Authentication: FortiGate units support plaintext and MD5 authentication; the setting applies to the area.

Step 3: advertise networks. Under Networks, click Create New.
IP/Netmask: the network address and mask to advertise.
Area: the area the network belongs to.

Step 4: advertise interfaces. Under Interfaces, click Create New.
Name: a custom name for the interface entry.
Interface: the interface to advertise; routing updates are sent out through it.
IP: the IP address of the advertised interface.
Authentication: FortiGate units support plaintext and MD5 authentication; the setting applies to the interface.
Hello/Dead intervals: the OSPF Hello and Dead intervals for this interface. If the intervals differ between the interfaces of two units, no neighbor relationship is formed and no routes are received from the peer.

Step 5: advanced options.
Default information: have the FortiGate unit originate an OSPF default route. Regular: a static default route must exist in the routing table before a default route is originated into OSPF. Always: a default route is originated into OSPF under all circumstances.
Redistribute: FortiGate units can redistribute connected, static, RIP and BGP routes into OSPF.
Distance: the metric value of the routes redistributed into OSPF.

Step 6: verification. On another FortiGate unit, the OSPF routes can be seen under Router > Monitor (current routes).
FortiGate firewall configuration

Fortinet product family: Fortinet's product family covers a complete network security solution, including email, logging, reporting, network management and security management products as well as the FortiGate unified threat management system, available as both software and hardware appliances.
For more information on Fortinet products, see /products. FortiGuard subscription services: FortiGuard subscription services are security services built, updated and managed by Fortinet's global team of security experts.
Fortinet's security experts ensure that the latest attacks are detected and blocked before they can damage your resources or infect end-user devices.
FortiGuard services are built on the latest security technology and designed with the lowest operating cost in mind.
FortiGuard subscription services include: 1. the FortiGuard antivirus service; 2. the FortiGuard intrusion prevention (IPS) service; 3. the FortiGuard web filtering service; 4. the FortiGuard antispam service; 5. the FortiGuard Premier partner service; plus access to online virus scanning and virus information lookup.
FortiClient: the FortiClient host security software provides a secure network environment for desktop and laptop users running Microsoft operating systems.
FortiClient features include: 1. VPN connections to remote networks; 2. real-time virus protection; 3. protection against modification of the Windows registry; 4. virus scanning. FortiClient also offers an unattended installation mode, so that administrators can efficiently deploy a preconfigured FortiClient to several users' computers.
FortiMail: the FortiMail secure messaging platform provides powerful and flexible heuristic scanning and reporting for email traffic.
FortiMail units deliver reliable, high performance in detecting and blocking malicious attachments, for example with DCC (Distributed Checksum Clearinghouse) and Bayesian scanning.
Backed by Fortinet's FortiOS and FortiASIC technologies, FortiMail antivirus extends deep into full content inspection and detects the latest email threats.
FortiGate firewall configuration (slide index)

System administration: access contents table
System administration: administrator settings 1
System administration: administrator settings 2
System administration: firmware upgrade
Router: static routes
Router: policy routes
Router: current routing table
Firewall: addresses
Firewall: address groups
Firewall: predefined and custom services
Firewall: service groups
Firewall: schedules
Firewall: traffic shapers
Firewall: policies
Firewall: policy order
Firewall: session timeout tuning
Product overview: 3950B
3950B front panel
3950B rear panel
FortiGate-3950B expansion modules (feature table not reproduced): FMC-XD2, FMC-XG2, FMC-C20, FMC-F20
Dedicated processors inside the modules
• NP4 network processor chip
• Interface-level data acceleration
• Low latency, line-rate performance for millions of sessions
• Encryption and decryption
• Anomaly detection, packet reassembly
• Traffic shaping and queue prioritization
• SP2 security processor chip
• Multi-core, multi-threaded security processing
• Provides the functions the NP4 does not
• Application control
• Intrusion detection signature analysis
• Denial-of-service protection
• Multicast acceleration
Product overview: 3950B architecture
(Block diagram not reproduced: five FMC slots, FMC 0 to FMC 4, each with an NP/SP pair and a PHY, plus an on-board NP with its PHYs serving 4x1G ports.)
Product overview: 3040B
3040B front panel
3040B rear panel
FortiGate firewall: OSPF over IPsec

OSPF over IPsec
1. Configure IPsec VPN phase 1 and phase 2 and confirm that the VPN tunnel comes up.
2. Locate the IPsec tunnel interface and configure the interconnect IP addresses on both ends.
3. Go to Router > Dynamic > OSPF.
4. Create the router ID: 1.1.1.1.
5. Create area 0.
6. Advertise the subnets.
7. Because an IPsec VPN is a point-to-point network, OSPF cannot establish a neighbor relationship automatically on this network type, so the neighbor must be created manually.
Create it manually with the following commands, specifying the interconnect address of the IPsec tunnel peer:
FW-1 # config router ospf
FW-1 (ospf) # config neighbor
FW-1 (neighbor) # show
config neighbor
edit 1
set ip 100.0.130.2
next
end
8. Route redistribution
To redistribute other routes into OSPF, tick "Redistribute - Connected" under the OSPF advanced options.
9. Check the routing table
Here the O routes are the peer's private networks, redistributed into OSPF as connected routes, so they are shown as E2.
10. Capture packets to observe the Hello exchange at both ends
FW-1 # diagnose sniffer packet to-fw2 (see the figure below)
This is a point-to-point network; both ends dynamically discover each other via the multicast address 224.0.0.5.
11. Check the adjacency table
A state of Full indicates that the network has converged.
12. Test connectivity by pinging the remote private address.
Verify with a packet capture on the tunnel interface.
FortiGate firewall simple configuration guide

Huawei Technologies Security Services. FortiGate Firewall Concise Configuration Guide. Huawei Technologies Co., Ltd., June 2013. Copyright © 2003 Huawei Technologies Co., Ltd. All rights reserved.
No part of this document may be excerpted, reproduced or distributed in any form by any organization or individual without the written permission of the company.
Author information. Revision history.
Contents: Chapter 1 Product introduction. Chapter 2 FortiGate firewall concise configuration guide: 1. Restore factory defaults 2. Serial console configuration 3. Connect a crossover cable to port3 and log in to the web UI 4. Configure the external interface gateway 5. Configure routing 6. Configure a virtual external IP 7. Configure port services 8. Service groups 9. Associate the service group with the mapped IP.
Chapter 1 Product introduction
The FortiGate security and content-control product line is developed with a new architectural approach and offers an unmatched price/performance ratio; it is a complete, all-layer network security and content control product.
Developed over years of research by some of the security industry's most respected experts, the FortiGate solution breaks through the network "content processing barrier".
It provides broad protection at the network edge against all types of security threats, including viruses and other content-based attacks.
It also offers an unprecedented ability to eliminate misuse and abuse, manage bandwidth, and reduce equipment and management costs.
Conventional security systems such as firewalls and VPN gateways are effective against so-called network-layer attacks: they inspect packet header information to ensure that requests come from trusted, legitimate sources.
Today, however, the most destructive attacks combine network-layer attacks with application-layer or content-based attacks, such as viruses and worms.
In these more sophisticated attacks, the harmful content is often buried deep in the packet payload and spread across many seemingly "friendly" packets that pass easily through traditional firewalls.
Likewise, effective network protection depends on recognizing complex and subtle patterns across multiple packets, and requires not only real-time network-layer information but also the ability to decompose and analyze application-layer content such as files and commands.
At today's network speeds, however, the processing power needed for efficient content processing exceeds the capability of the most powerful network devices.
As a result, organizations using conventional solutions face the "content processing barrier", which forces them to push content services onto desktops and servers.
FortiGate show commands display configuration

On FortiGate, show commands display configuration, while get commands display real-time status.
show full-configuration    display the complete current configuration
show system global    show the hostname and management ports; output:
config system global
    set admin-sport 10443
    set admintimeout 480
    set hostname "VPN-FT3016-02"
    set language simch
    set optimize antivirus
    set sslvpn-sport 443
    set timezone 55
end
show system interface    show interface configuration; output (excerpt):
edit "internal"
    set vdom "root"
    set ip
    set allowaccess ping https ssh snmp http telnet
    set dns-query recursive
    set type physical
next
get system interface physical    show physical interface status; without the physical keyword, logical VPN interfaces are also listed:
==[port1]
mode: static
ip:
status: up
speed: 100Mbps Duplex: Full
==[port2]
mode: static
ip:
status: up
speed: 1000Mbps Duplex: Full
show router static    show the default route configuration; output:
config router static
    edit 1
        set device "wan1"
    next
end
get router info routing-table static    show the static routes in the routing table (output excerpt):
HuaiAn
show router ospf    show the OSPF configuration
show system dns    show the DNS configuration; output:
config system dns
end
get router info routing-table all    show the full routing table (equivalent to Cisco show ip route):
VPN-FT3016# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
get router info ospf neighbor    show OSPF neighbor relationships (equivalent to Cisco show ip ospf neighbor).
Fortinet firewall: OSPF over IPSec and route redundancy

OSPF over IPSec and route redundancy
Contents: 1. Purpose 2. Environment 3. IPSec VPN configuration 4. OSPF configuration 4.1 GateA configuration 4.2 GateB configuration 4.3 FortiGate routing tables after configuration 4.4 Checking OSPF status with commands 5. Verifying redundant routes 6. References
1. Purpose
OSPF exchanges routing information over multicast. Because IPSec VPN does not carry multicast or broadcast traffic, dynamic routing protocols cannot run over it directly; OSPF has to be encapsulated in GRE and the GRE traffic carried over IPSec.
Hence OSPF over GRE is the common approach.
Route-based IPSec VPN greatly simplifies OSPF over IPSec: there is no need to encapsulate the traffic in GRE before running it over the IPSec link.
This document describes OSPF over IPSec with redundant routes on FortiGate.
2. Environment
Two FortiGates are used. GateA and GateB establish two IPSec VPN tunnels and run OSPF over both of them in Area 0, so that if either primary tunnel fails the backup tunnel keeps working, which gives OSPF over IPSec with route redundancy. The system version used is FortiOS v4.0 MR2 Patch 8.
Router  Port7 IP  Port8 IP  VPN1 IP  VPN2 IP  Loopback IP
GateA   1.1.1.1   2.1.1.1   5.1.1.1  6.1.1.1  10.1.1.1
GateB   1.1.1.2   2.1.1.2   5.1.1.2  6.1.1.2  10.2.2.1
3. IPSec VPN configuration
For the specific method of configuring a route-based (interface mode) IPSec VPN, refer to section 4.2 of "Site-to-site IPSec VPN setup". Once configured, the VPN status can be viewed under VPN - IPSec - Monitor.
Fortinet firewall configuration manual

Factory default DHCP server configuration
Factory default NAT/Route mode network configuration
Factory default Transparent mode network configuration
Factory default firewall settings
Factory default firewall protection profile settings
Restoring factory defaults
FortiGate-60/60M/ADSL, FortiWiFi-60, FortiGate-100A
V3.0 MR1 Installation Guide
V3.0 MR1 FortiGate-60 series and FortiGate-100A Installation Guide
10 April 2006  01-30001-0266-20060410
Configuring public FortiGate interfaces not to respond to ping requests
NAT/Route mode installation
Preparing to configure the FortiGate unit in NAT/Route mode
Using DHCP or PPPoE
FortiGate Concise Configuration Guide

FortiGate Concise Configuration Guide
Note: this document is a basic internet-access configuration guide for all Fortinet FortiGate devices.
Requirements: FortiGate network security platform running FortiOS v3.0 or later.
Step 1: Access the firewall
Cabling: connecting a PC directly to the firewall requires a crossover cable (the internal interface also accepts a straight-through cable); alternatively, connect through a switch with straight-through cables.
Factory interface configuration: internal or port1 is 192.168.1.99/24 with access methods https and ping. Set the PC's IP to the same subnet (for example 192.168.1.10/24), then open https://192.168.1.99 in a browser. The factory account is admin with an empty password. After logging in to the web UI the default language is English; under System ---- Admin ---- Settings it can be changed to Chinese, and there Idle Timeout can be set to 480 minutes and Language to Simplified Chinese.
If the firewall cannot be reached or the interface IP is unknown, connect via the console and configure the IP.
Cabling: connect the PC's COM1 (9-pin) port to the firewall's console port (RJ45) with the console cable; some models have a 9-pin console port and need a console-to-RJ45 adapter.
HyperTerminal: All Programs ---- Accessories ---- Communications ---- HyperTerminal; connect using COM1 with the settings shown in the figure. Press Enter to connect; if nothing is displayed, power-cycle the firewall. Once connected a login prompt appears; enter the account and password.
View the interface IPs: show system interface
Configure an interface IP:
config system interface
    edit port1                                   (or internal) edit the interface
        set ip 192.168.1.1 255.255.255.0         set the IP
        set allowaccess ping https http telnet   set the access methods
        set status up
    next
end
Once configured, the firewall can be reached over the network cable.
Step 2: Configure the interfaces
Under System ---- Network, edit each interface to set its IP and access methods. In this example the internal interface is internal with IP 192.168.1.1 and access https ping http telnet; the external interface is wan1 with IP 192.168.100.1 and access https ping.
Step 3: Configure routing
Under Router ---- Static, add a default route; in this example the gateway is 192.168.100.254.
Step 4: Configure a policy
Under Firewall ---- Policy, add an outbound policy from internal to wan1 and tick NAT.
FortiGate OSPF Setup
Contents: 1. Purpose 2. Environment 3. OSPF overview 3.1 DR and BDR election 3.2 OSPF neighbor establishment 3.3 LSA types 3.4 OSPF areas 4. FortiGate OSPF configuration 4.1 GateA configuration 4.2 GateB configuration 4.3 GateC configuration 4.4 Routing tables after configuration 4.5 Checking OSPF status with commands 5. OSPF route redistribution 6. Totally stubby and totally NSSA areas 7. OSPF troubleshooting 8. References
1. Purpose
This document describes the OSPF dynamic routing protocol on FortiGate.
OSPF is a typical link-state routing protocol, generally used within a single routing domain.
Here a routing domain means an autonomous system (AS): a group of networks that exchange routing information with each other under a common routing policy or routing protocol.
Within the AS, all OSPF routers maintain an identical database describing the structure of the AS. It holds the state of the links in the routing domain, and each OSPF router computes its OSPF routing table from it.
As a link-state protocol, OSPF floods Link State Advertisements (LSAs) to all routers within an area.
2. Environment
Four FortiGates are used, running FortiOS v4.0 MR2 Patch 8.
Router  Router ID  Role            Interface IP                 Area
GateA   0.0.0.10   Area 0 DR       192.168.118.234              area0, area1
GateB   0.0.0.9    Area 0 BDR      192.168.118.235              area0, area2
GateC   0.0.0.8    Area 0 DROther  192.168.118.233/172.16.3.1   area0, area3
GateD   0.0.0.7    Area 3 DR       172.16.3.2                   area3
3. OSPF overview
3.1 DR and BDR election
DR: designated router. BDR: backup designated router.
In a dynamic routing protocol, routers in the same area learn link-state information from one another; once every device in the area holds the same link-state information, correct routes can be computed.
If every pair of devices exchanged information directly, the workload would be very large.
To reduce it, one device on the network is elected as DR, and all other devices only need to exchange information with the DR to complete link-state learning.
DR/BDR election rules:
1. When electing the DR and BDR, the priorities carried in the Hello packets are compared: the highest priority becomes DR and the next highest becomes BDR.
2. If all OSPF routers have the default priority of 1, the Router ID decides: the highest Router ID becomes DR and the next highest becomes BDR.
All other routers are DROther.
If no router ID is configured, the highest interface address is used.
3. A device with priority 0 never participates in the DR election.
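The election rules above, worked through as an added example (this is not FortiGate code) on the Area 0 routers from the environment table: all three at the default priority of 1, and then with priority 10 on GateC, the router whose address 192.168.118.233 appears in the priority configuration below. The model covers a single initial election only; a live OSPF segment is non-preemptive, so a router joining later does not displace the existing DR.

```python
# Added example (not FortiGate code): DR/BDR election as described in
# section 3.1. Highest priority wins, ties go to the highest Router ID,
# priority 0 never takes part, and every remaining router is DROther.
from ipaddress import IPv4Address


def elect_dr_bdr(routers):
    """routers maps a router name to (router_id, priority).

    Returns (dr, bdr, drothers). Router IDs are compared as 32-bit
    integers, as OSPF does; a plain string comparison would rank
    "0.0.0.9" above "0.0.0.10" and elect the wrong router.
    """
    eligible = [
        (prio, int(IPv4Address(rid)), name)
        for name, (rid, prio) in routers.items()
        if prio > 0  # rule 3: priority 0 is never DR or BDR
    ]
    # rule 1: highest priority first; rule 2: ties broken by highest Router ID
    eligible.sort(reverse=True)
    ranked = [name for _, _, name in eligible]
    dr = ranked[0] if len(ranked) > 0 else None
    bdr = ranked[1] if len(ranked) > 1 else None
    drothers = sorted(name for name in routers if name not in (dr, bdr))
    return dr, bdr, drothers


# Area 0 segment from the environment table, all at the default priority
# of 1: the highest Router ID (GateA, 0.0.0.10) becomes DR.
AREA0_DEFAULT = {
    "GateA": ("0.0.0.10", 1),
    "GateB": ("0.0.0.9", 1),
    "GateC": ("0.0.0.8", 1),
}

# Same segment after "set priority 10" on GateC: priority beats Router ID,
# so GateC takes DR and GateA drops to BDR.
AREA0_GATEC_PRIO10 = {
    "GateA": ("0.0.0.10", 1),
    "GateB": ("0.0.0.9", 1),
    "GateC": ("0.0.0.8", 10),
}

if __name__ == "__main__":
    print("default:", elect_dr_bdr(AREA0_DEFAULT))
    print("GateC priority 10:", elect_dr_bdr(AREA0_GATEC_PRIO10))
```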
On FortiGate the priority is configured from the CLI:
config router ospf
    set abr-type standard
    config ospf-interface             # configure an OSPF interface
        edit "ex"                     # name of the OSPF interface entry
            set interface "port5"
            set ip 192.168.118.233
            set priority 10           # set the priority
        next
    end
end
3.2 OSPF neighbor establishment
1. Down: no information has been exchanged with any other router yet.
The router starts sending Hello packets out of its OSPF interfaces and does not yet know the DR (on a broadcast network) or any other router.
Hello packets are sent to the multicast address 224.0.0.5.
2. Attempt: applies only to NBMA networks, where neighbors are configured manually; in this state the router sends Hellos at the HelloInterval instead of the PollInterval.
3. Init: a Hello has been received within the DeadInterval, but two-way communication is not yet established.
4. 2-Way: bidirectional communication is established and each router's RID appears in the other's neighbor list. (On a broadcast network such as Ethernet, the DR and BDR are elected at this point.)
5. ExStart: initial exchange state; the local router and the neighbor establish a master/slave relationship and agree on the DD sequence number. The router with the higher Router ID becomes master.
6. Exchange: the local router and the neighbor exchange one or more Database Description (DBD, also called DDP) packets. A DBD carries summary information about the LSA entries in the LSDB.
7. Loading: after receiving the DBDs, the router compares the received information with its own LSDB.
If the DBD lists newer link-state entries, the router sends an LSR to request the new LSAs.
8. Full: full adjacency; the link-state databases of the adjacent routers are synchronized. This is reached when the neighbor's link-state request list becomes empty while the neighbor is in Loading state.
3.3 LSA types
An LSA (link-state advertisement) is a packet used by link-state protocols; it carries information about neighbors and path costs.
Receiving routers use LSAs to maintain their routing tables.
LSA: Link-State Advertisement.
The common LSA types are:
Type 1, Router LSA: every router generates a Router LSA. It is flooded only within the router's own area and describes all of the router's links and interfaces with their states and costs.
Type 2, Network LSA: on each multi-access network the DR generates a Network LSA. It is flooded only within the area where it originated and describes all routers attached to that network.
Type 3, Network Summary LSA: originated by an ABR to advertise destinations outside the area. When other routers receive a Network Summary LSA from an ABR they do not run SPF; they simply add their cost to reach the ABR to the cost carried in the LSA, and install a route to the destination via the ABR with that total cost.
Type 4, ASBR Summary LSA: originated by an ABR; identical to the Network Summary LSA except that the advertised destination is an ASBR rather than a network.
Type 5, AS External LSA: originated by an ASBR to advertise destinations outside the OSPF autonomous system, or a default route external to the AS. It is flooded throughout the AS (except into the four special area types).
Type 7, NSSA External LSA: originated by an ASBR inside a not-so-stubby area; it is flooded only within the NSSA, which is what distinguishes it from a Type 5 LSA.
3.4 OSPF areas
Backbone area: the main OSPF area. Every AS must have one, all other areas attach to it, and routing information exchanged between two areas passes through the backbone.
The backbone holds both intra-AS and external routes.
The backbone is identified by the address 0.0.0.0, i.e. area 0.
Regular area: attached to the backbone; it does not carry other areas' routes in transit and holds only intra-AS routes.
Stub area: a non-backbone area attached to a single other area. It does not accept AS-external LSAs (Type 5), holds only its own area's routes, and reaches other areas and the outside of the AS through a default route.
Not-so-stubby area (NSSA): allows external routes to be advertised into the OSPF AS while otherwise remaining a stub with respect to the rest of the AS. The ABR translates the Type 7 AS-external LSAs received from the NSSA into Type 5 LSAs for the rest of the AS. An NSSA holds its own area's routes plus the external routes.
4. FortiGate OSPF configuration
4.1 GateA configuration
4.2 GateB configuration
4.3 GateC configuration
4.4 Routing tables after configuration: GateA OSPF routing table, GateB OSPF routing table, GateC OSPF routing table
4.5 Checking OSPF status with commands
Check the OSPF neighbor status:
GateA # get router info ospf neighbor
OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
0.0.0.8           1   Full/DROther    00:00:31    192.168.118.233 port1
0.0.0.9           1   Full/Backup     00:00:40    192.168.118.235 port1
Check the OSPF routing table:
GateA # get router info ospf route
C    172.16.1.0/24 [10] is directly connected, port5, Area 0.0.0.1
IA   172.16.2.0/24 [20] via 192.168.118.235, port1, Area 0.0.0.0
IA   172.16.3.0/24 [20] via 192.168.118.233, port1, Area 0.0.0.0
C    192.168.118.0/24 [10] is directly connected, port1, Area 0.0.0.0
5. OSPF route redistribution
Route redistribution imports routes from other routing protocols into the OSPF network as external routes, for example publishing GateC's connected routes into the OSPF network.
Routing tables of GateA, GateB and GateC after redistribution: GateA routing table, GateB routing table, GateC routing table.
6. Totally stubby and totally NSSA areas
Compared with ordinary stub and NSSA areas, totally stubby and totally NSSA areas additionally do not accept Type 3 and Type 4 LSA updates.
They are configured from the CLI to reject summary route updates.
Totally stubby configuration:
config router ospf
    config area
        edit 0.0.0.2
            set stub-type no-summary    # suppress summary route updates
            set type stub
        next
    end
end
Totally NSSA configuration:
config router ospf
    config area
        edit 0.0.0.3
            set stub-type no-summary    # suppress summary route updates
            set type nssa
        next
    end
end
7. OSPF troubleshooting
Check the OSPF process status: get router info ospf status
Check OSPF neighbors and their states: get router info ospf neighbor
Check OSPF interface status: get router info ospf interface
Check the OSPF routing table: get router info ospf route
Restart the OSPF process: execute router clear ospf process
Detailed debug output can be enabled with the following commands.
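A scripted version of the "get router info ospf neighbor" troubleshooting step, as an added example that is not FortiGate code: it parses the neighbor table and reports adjacencies that have not reached Full or whose dead timer is running low. The sample output is constructed from the GateA output in section 4.5 plus one made-up neighbor (Router ID 0.0.0.20 on port5) stuck in ExStart; the dead_floor threshold is an assumption, not a FortiGate setting.

```python
# Added example (not FortiGate code): parse "get router info ospf neighbor"
# output and flag adjacencies that are not healthy. SAMPLE_OUTPUT is
# constructed from the section 4.5 output plus one made-up ExStart neighbor.
import re

SAMPLE_OUTPUT = """\
OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
0.0.0.8           1   Full/DROther    00:00:31    192.168.118.233 port1
0.0.0.9           1   Full/Backup     00:00:40    192.168.118.235 port1
0.0.0.20          1   ExStart/DR      00:00:12    172.16.1.2      port5
"""

NEIGHBOR_RE = re.compile(
    r"^(?P<rid>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+"
    r"(?P<state>\w+)/(?P<role>\w+)\s+(?P<dead>\d\d:\d\d:\d\d)\s+"
    r"(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<iface>\S+)\s*$"
)


def parse_neighbors(text):
    """One dict per neighbor row; the process and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue
        n = m.groupdict()
        n["pri"] = int(n["pri"])
        h, mi, s = (int(x) for x in n["dead"].split(":"))
        n["dead_secs"] = h * 3600 + mi * 60 + s
        rows.append(n)
    return rows


def find_problems(neighbors, dead_floor=10):
    """Return (router_id, interface, reason) for each unhealthy adjacency.

    A neighbor parked in ExStart or Exchange is the classic sign of an
    interface MTU mismatch; a dead timer that keeps running low means the
    peer's Hellos are being lost on that link (dead_floor is an assumed
    alerting threshold in seconds).
    """
    problems = []
    for n in neighbors:
        if n["state"] != "Full":
            problems.append((n["rid"], n["iface"], "state " + n["state"]))
        elif n["dead_secs"] < dead_floor:
            problems.append((n["rid"], n["iface"], "dead timer %ds" % n["dead_secs"]))
    return problems
```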