Description | This article describes how to check the hit count, first hit, last hit, and established session count for a single firewall policy or multiple firewall policies through the CLI and GUI. |
Scope | FortiGate. |
Solution |
To check the stats for a single firewall policy:
diagnose firewall iprope show <policy-group> <policy-idx>
The 'policy-group' ID 00100004 is the value for configurable firewall policies.
Example. To check the stats for the firewall policy ID 1:
diagnose firewall iprope show 00100004 1
To check the stats for multiple firewall policies:
diagnose firewall iprope show <policy-group> <policy-idx-1> <policy-idx-2> <policy-idx-3> ...
Example. To check the stats for the firewall policy IDs 1, 2, and 3:
diagnose firewall iprope show 00100004 1 2 3
The 'policy-group' ID 00100001 is for configurable firewall local-in-policies. This feature is only available from 7.0.x onwards:
diagnose firewall iprope show 00100001 1
For ZTNA-related policy lookup:
diag firewall iprope list 100017
On devices without a disk, the counter statistics are cleared after a reboot. Devices with disks keep the counter statistics.
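The counters above can be used for policy hygiene: the following added example (not Fortinet code and not part of the original article) parses saved output of `diagnose firewall iprope show` and lists policies that were never hit or have been idle for a long time. The output layout in `SAMPLE` is an assumption, since this article does not show the command's output, and `parse_policy_stats`, `review_candidates` and the 90-day threshold are hypothetical names and values chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample; the layout is assumed, not taken from this article.
SAMPLE = """\
idx=1 pkts/bytes=14709/18777329 asic_pkts/asic_bytes=8087/10413737 flag=0x0 hit count:19
    first:2024-03-02 17:10:32 last:2024-03-08 17:04:48
    established session count:2
idx=2 pkts/bytes=0/0 asic_pkts/asic_bytes=0/0 flag=0x0 hit count:0
    established session count:0
idx=3 pkts/bytes=120/9000 asic_pkts/asic_bytes=0/0 flag=0x0 hit count:4
    first:2023-01-10 09:00:00 last:2023-01-11 10:30:00
    established session count:0
"""

FMT = "%Y-%m-%d %H:%M:%S"
IDX = re.compile(r"^idx=(\d+)\b.*?hit count:(\d+)")
SEEN = re.compile(r"^\s*first:(\S+ \S+)\s+last:(\S+ \S+)")
EST = re.compile(r"^\s*established session count:(\d+)")

def parse_policy_stats(text):
    """Return {policy_id: {hits, first, last, sessions}} from saved CLI output."""
    stats, cur = {}, None
    for line in text.splitlines():
        if m := IDX.match(line):
            cur = stats.setdefault(int(m.group(1)),
                {"hits": 0, "first": None, "last": None, "sessions": 0})
            cur["hits"] = int(m.group(2))
        elif cur is None:
            continue  # banner or prompt text before the first policy record
        elif m := SEEN.match(line):
            cur["first"] = datetime.strptime(m.group(1), FMT)
            cur["last"] = datetime.strptime(m.group(2), FMT)
        elif m := EST.match(line):
            cur["sessions"] = int(m.group(1))
    return stats

def review_candidates(stats, now, max_idle_days=90):
    """Policies never hit, or idle past the cutoff with no live sessions."""
    cutoff = now - timedelta(days=max_idle_days)
    flagged = {}
    for pid, s in sorted(stats.items()):
        if s["hits"] == 0:
            flagged[pid] = "never hit"
        elif s["last"] and s["last"] < cutoff and s["sessions"] == 0:
            flagged[pid] = "idle since " + s["last"].strftime(FMT)
    return flagged
```

Because devices without a disk lose their counters on reboot, a "never hit" result on such a device may only reflect a recent restart, so compare it against the device uptime before removing a policy.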
Below is the process to check the hit counts in the GUI.
It will also show whether SPU is enabled or disabled.
Related article: Technical Tip: How to clear or reset policy counters on the firewall Policy via CLI |