Added new cheat sheets, removed duplicates, fixed few typos

2025-12-21 13:23:11 +01:00 · 2022-03-12 11:42:24 +02:00
parent c1e0802ee4
commit 67490bafb3
4 changed files with 0 additions and 4276 deletions
--- a/cheat-sheets/Fortigate-SD-WAN-debug-diagnostics-and-verification-commands-cheat-sheet.adoc
+++ b/cheat-sheets/Fortigate-SD-WAN-debug-diagnostics-and-verification-commands-cheat-sheet.adoc
@@ -1,63 +0,0 @@
 = Fortigate SD-WAN debug and verification commands cheat sheet
 :homepage: https://yurisk.info
 Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
 == SD-WAN verification and debug
 [cols=2, options="header"]
 |===
 |Command
 |Description
 |*diagnose sys sdwan health-check* (6.4 and newer)
 *diagnose sys virtual-link  health-check* (5.6 up to 6.4)     
 | Show state of all the health checks/probes. Successful  probes are marked `alive`, failed probes are marked `dead`. Also displays `packet-loss, latency, jitter` for each probe. 
 |*diagnose sys sdwan member* (6.4 and newer)
 *diagnose sys virtual-wan-link member*
 |Show list of SD-WAN zone/interface members. Also gives each interface gateway IP (if was set, 0.0.0.0 if not), `priority`, and `weight` both by default equal `0`, used with some SLA Types. 
 |*diagnose sys sdwan service* (6.4 and newer)
 *diagnose sys virtual-wan-link service*
 |List configured SD-WAN rules (aka `services`), except the Implied one which is always present and cannot be disabled, but is editable for the default load balancing method used. Shows member interfaces and their status `alive` or `dead` for this rule. 
 |*diag sys sdwan  intf-sla-log <interface name>*  (6.4 and newer)
 *diag sys virtual-wan-link intf-sla-log <interface name>*
 |Print log of <interface name> real-time usage for the last 10 minutes. The statistics shown in bps: `inbandwidth`, `outbandwidth`, `bibandwidth`, `tx bytes`, `rx bytes`. 
 |*diag netlink interface clear <interface name>*
 |Clear traffic statistics on the given interface, this resets statistics of the SD-WAN Monitor GUI widget for this interface as well. Needed, if, for example, you changed SD-WAN rules, but not sure if it's already active. E.g. `diag netlink interface clear port1`. 
 |*diagnose firewall proute list*
 |List ALL Policy Based Routes (PBR). SD-WAN in Fortigate, after all, is implemented as a variation of PBR. This command lists manual (classic) PBR rules, along with the ones created via SD-WAN rules. *Important*: Manually created PBR rules (via `Network -> Policy Routes` or on CLI `config route policy`) always have preference over the SD-WAN rules, and this command will show them higher up.
 |*diagnose debug flow filter*
 *diagnose debug flow filter <filtering param>*
 *diagnose debug flow show function-name enable*
 *diagnose debug flow trace start [number]*
 *diagnose debug enable*
 |Use `diagnose debug flow` to see how the traffic is being routed via SD-WAN. Look for something like `Match policy routing id=2131951617: to 10.10.10.13 via ifindex-3` and `out port1 vwl_zone_id 2, state2 0x1,` here `id=2131951617` is the SD-WAN PBR rule id  as seen in `diagnose firewall proute list` and `vwl_zone_id 2` is the SD-WAN zone in the list of virtual-links.
 |===
--- a/cheat-sheets/Fortigate-SD-WAN-debug-diagnostics-and-verification-commands-cheat-sheet.pdf
+++ b/cheat-sheets/Fortigate-SD-WAN-debug-diagnostics-and-verification-commands-cheat-sheet.pdf
--- a/cheat-sheets/PF-firewall-configuration-and-debug-cheat-sheet.adoc
+++ b/cheat-sheets/PF-firewall-configuration-and-debug-cheat-sheet.adoc
@@ -1,49 +0,0 @@
 = PF firewall (FreeBSD, OpenBSD) configuration and debug commands cheat sheet
 :homepage: https://yurisk.info
 Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
 == PF (Packet Filter) management for FreeBSD & OpenBSD
 [cols=2, options="header"]
 |===
 |Command
 |Description
 |*pfct -d*
 |Disable PF in place, does not survive reboot.
 |*pfctl -ef /etc/pf.conf*
 |Enable PF and load the rule set from file `/etc/pf.conf` in one go.
 |*pfctl -nf /etc/pf.conf*
 |Parse security rules stored in a file without installing them (dry run).
 |*pfctl -F <all/rules/nat/states>*
 a|  Flush, accordingly:  
 - `all` Everything (filter rules, nat, but NOT sateful table - those already connected will stay so). Blank/flushed rules mean "permit any any".
 - `rules` Rules only (stateful table of existing connections stay intact)
 - `nat` NAT rules only
 - `states` Stateful table (but again - active connections stay alive)
 |*pfct -k <source IP of connection to clear> [-k <destination>]*
 |Kill an active connection from the state table. You can specify IP address as the 1st selector to the 1st `-k` and optionally, destination selector with another `-k` key. `0.0.0.0/0` as a wildcard can be used. E.g. to clear all connections from any to 10.10.10.13/32 `pfctl -k 0.0.0.0/0 10.10.10.13/32`. To add selectors, look at available ones via *pfctl -s state*.   
 |*pfctl -z*
 |Clear all per rule statistics/counters
 |*pass in quick on egress from 62.13.77.141 to any*
 | 'Quick' rule, means allow this traffic to pass through on all interfaces, otherwise we would need 2nd rule allowing this traffic in _outgoing_ direction on egress interface, to allow destined to ANY port/protocol with the source being `62.13.77.141` and destination being ANY IP address behind the PF firewall. NOTE: here, `egress` is not a direction, but a group name to which the interface in question (`em0`) belongs to. In OpenBSD you set it in a file `/etc/hostname.em0: group egress` or in real-time with the command: `ifconfig em0 group egress`. 
 |===
--- a/cheat-sheets/PF-firewall-configuration-and-debug-cheat-sheet.pdf
+++ b/cheat-sheets/PF-firewall-configuration-and-debug-cheat-sheet.pdf