ydong01 (Staff)
November 3, 2024

Technical Tip: How to find unused (no hit count) policy in FortiGate via API

Description: This article describes two API methods to easily find unused policies for an IT audit.
Scope: FortiGate.
Solution

In the FortiGate policy default view, there is no column for hit count. It looks like this:

[Image: normal-policy.PNG]

Select Configure Table to add a Hit Count column. After that, the firewall policy list looks like this:

[Image: add-hitcount.PNG]


A policy with a hit count of 0 is not in use, which is what an IT audit asks for. However, checking this by eye is not easy when the policy table is large.

There are two ways to get the same information via the API, which is useful for automating the audit.


Example:

Firewall policy 1 is in use; firewall policy 2 has a hit count of 0, which means it is not in use and can be deleted.

  1. Use the browser:

     https://<FortiGate IP>/api/v2/monitor/firewall/policy/?vdom=Internet&access_token=<access token>

[Image: hitcount-api.PNG]

  2. Use the CLI:

curl -k -X 'GET' 'https://<FortiGate IP>:443/api/v2/monitor/firewall/policy/?vdom=Internet&access_token=<access token>' -H 'accept: application/json'

[Image: hitcount-cli-1.PNG]

[Image: hitcount-cli-2.PNG]

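As an added example (not from the original article), a small Python script that reads the same monitor endpoint and lists the policy IDs whose hit count is 0. It runs offline against a constructed sample response; the response field names (results, policyid, hit_count, status) are assumed from the FortiOS monitor output, and the host, VDOM, token and CA file are placeholders. Unlike the curl line above, it sends the token in an Authorization header rather than the query string and verifies the FortiGate certificate instead of using -k.

```python
import json
import ssl
import urllib.request
from urllib.parse import urlencode

# Constructed sample in the shape of /api/v2/monitor/firewall/policy output.
# Field names such as "hit_count" are an assumption about the FortiOS response.
SAMPLE_RESPONSE = json.dumps({
    "http_method": "GET",
    "results": [
        {"policyid": 1, "active_sessions": 3, "bytes": 12345, "packets": 80, "hit_count": 80},
        {"policyid": 2, "active_sessions": 0, "bytes": 0, "packets": 0, "hit_count": 0},
        {"policyid": 3, "active_sessions": 0, "bytes": 512, "packets": 4, "hit_count": 4},
    ],
    "vdom": "Internet",
    "status": "success",
})


def unused_policies(monitor_json):
    """Return the sorted IDs of policies whose hit_count is 0 (JSON text or dict)."""
    data = json.loads(monitor_json) if isinstance(monitor_json, str) else monitor_json
    if data.get("status") != "success":
        raise ValueError("monitor call did not succeed: %r" % data.get("status"))
    unused = []
    for policy in data.get("results", []):
        count = policy.get("hit_count")
        if count is None:
            continue  # no counter reported: cannot claim the policy is unused
        if int(count) == 0:
            unused.append(policy["policyid"])
    return sorted(unused)


def fetch_policy_monitor(host, vdom, token, cafile):
    """GET the monitor endpoint. The token travels in an Authorization header so it
    does not land in proxy or web-server logs the way a query string would, and the
    FortiGate certificate is checked against cafile instead of skipping verification."""
    url = "https://%s/api/v2/monitor/firewall/policy/?%s" % (host, urlencode({"vdom": vdom}))
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token,
                                               "Accept": "application/json"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run on the constructed sample: policy 2 is the unused one.
    # Against a real device: unused_policies(fetch_policy_monitor(host, "Internet", token, cafile))
    print("unused policies:", unused_policies(SAMPLE_RESPONSE))
```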

For more details, visit https://fndn.fortinet.net/.
