mec313
New Member
June 15, 2017
Question

Finding firewall policy by Policy ID

  • June 15, 2017
  • 3 replies
  • 56582 views

I often see policy references pointing to the Policy ID, which is fine; however, I can't find a user-friendly way to locate whatever policy is being referred to.

The biggest culprit I've run into is the system log. If I'm trying to monitor policy changes, it lets me know the policy ID of the rule that was changed. Policy ID 254 means nothing to me, and depending on what was changed, the context of the message may not shed any additional light on what rule it is.

Preferably, I would love to be able to pull the policy name into my reports instead of the ID, but I imagine looking up a policy ID might be easier/possible. Any assistance or direction would be appreciated.

Thanks,

ME

    3 replies

    emnoc
    New Member
    June 15, 2017

    "Preferably, I would love to be able to pull the policy name into my reports instead of the ID"

    That's your 1st problem: there's no policy name. This is not a Palo Alto where you have named policies.

    What you might find easier: "Manage the fw policies by using tags" and then you can filter/validate by tags. The only problem with this approach is I believe there's a max value for tags at 4K tags per VDOM.

    e.g. (tag uses)

    FWSEC01 (CUSTB2B) $ diag sys check system.object-tag.name CITRIX
    entry used by child table tags:name 'CITRIX' of table firewall.policy:policyid '3333'
    entry used by child table tags:name 'CITRIX' of table firewall.policy:policyid '3353'
    entry used by child table tags:name 'CITRIX' of table firewall.policy:policyid '3367'

    config firewall policy
        edit 3333
            set uuid 14fb21ee-35d2-31e7-a60d-121bad1d87d4
            set srcintf "NCTRIXSERVE"
            set dstintf "VNET01"
            set srcaddr "CTXAPPLSREVERS"
            set dstaddr "STOREFRONT"
            set action accept
            set schedule "always"
            set service "CTXGROUP"
            set tags "CITRIX" "NCTXCHI"
        next
    end

    Hope that helps

    Ken

    mec313
    mec313Author
    New Member
    June 15, 2017

    Actually, you can name your policies. You can even make the policy name a required field within the Feature Select section.

    System -> Feature Select -> Additional Features -> Allow Unnamed Policies

    I'll take a look in the reports to see if I am able to display the tags. I don't recall seeing it listed as an available log field, but since I wasn't specifically looking for it, I may have overlooked it.

    Thank you for your post.

    emnoc
    New Member
    June 15, 2017

    True, that's a new feature in v5.4 or higher. I don't think that will help him with what he wants, but he can give it a try.

    Ken

    gtArizonachristian
    New Member
    August 9, 2017

    The best way I've found is connecting via SSH and running the command "show firewall policy #", where you replace # with the number of the policy. There are also a few ways in the GUI depending on what screen you're finding the information on, but it differs a bit between the pages.

    enotspe
    New Member
    August 29, 2019

    On FortiOS - Log Reference Version 6.2.0,

    https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/be3d0e3d-4b62-11e9-94bf-00505692583a/FortiOS_6.2.0_Log_Reference.pdf

    there is a field named:

    policyname

    but I am not getting this field in my syslog logs. Has anybody been able to see this field?

    emnoc
    New Member
    August 29, 2019

    Each log event has a uuid #; if you want to find the policy, the ID can be tracked by that, and the policyID is in the logDate field for policyid. You can also query the logs and set CLI filters to find the log details.

    e.g.

       http://socpuppet.blogspot.com/2016/08/using-execute-log-filters-to-monitor.html

    Those same filters are pretty much the same in the FAZ, and you can construct a similar search and use wildcards in a lot of cases.

    e.g.

     srcip=10.20.0.* and dstip=8.8.*

    YMMV, it depends solely on how creative you are ;)

    Ken Felix
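As an added example (not code from this thread or from Fortinet), the lookup the question asks for, done offline: parse `show firewall policy` output into a policyid-to-settings map, then append a policyname label (the name if set, otherwise the tags emnoc suggests, otherwise an "unnamed" or "not in config" marker) to syslog lines that carry policyid=. The config text and log lines are constructed samples; a real export would come from the CLI or the FAZ.

```python
import re
# Constructed sample of `show firewall policy` output (not from the thread): one named, tagged policy, one unnamed.
POLICY_CONFIG = """\
config firewall policy
    edit 3333
        set name "Citrix-Storefront"
        set action accept
        set tags "CITRIX" "NCTXCHI"
    next
    edit 254
        set action deny
    next
end
"""
# Constructed FortiOS-style syslog lines; policy 999 is deliberately absent from the config above.
LOG_LINES = [
    'date=2019-08-29 time=10:00:01 type="traffic" policyid=3333 srcip=10.20.0.5 dstip=8.8.8.8 action="accept"',
    'date=2019-08-29 time=10:00:02 type="traffic" policyid=254 srcip=10.20.0.7 dstip=8.8.4.4 action="deny"',
    'date=2019-08-29 time=10:00:03 type="traffic" policyid=999 srcip=10.20.0.9 dstip=1.1.1.1 action="accept"',
]
VALUE_RE = re.compile(r'"([^"]*)"|(\S+)')   # quoted or bare values after `set <key>`
POLICYID_RE = re.compile(r'\bpolicyid=(\d+)')

def parse_policies(text):
    """Map policyid -> {setting: [values]} from `config firewall policy` output."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = int(line.split()[1])
            policies[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, rest = line[4:].partition(" ")
            policies[current][key] = [q or b for q, b in VALUE_RE.findall(rest)]
        elif line == "next":
            current = None
    return policies

def policy_label(policies, pid):
    """Name if set, else tags, else flag an id missing from this config (deleted, or another VDOM)."""
    p = policies.get(pid)
    if p is None:
        return f"policy {pid} (not in config)"
    if "name" in p:
        return p["name"][0]
    if "tags" in p:
        return "tags:" + ",".join(p["tags"])
    return f"policy {pid} (unnamed)"

def enrich_log(line, policies):  # add policyname="..." so a report shows a label, not a bare id
    m = POLICYID_RE.search(line)
    return line if not m else line + f' policyname="{policy_label(policies, int(m.group(1)))}"'
```

Running `enrich_log` over an export of the log and the policy config gives the per-line policy label the original question asks for, with ids that no longer exist in the config flagged rather than silently dropped.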

    Andreas77_FTNT
    Staff
    September 5, 2019

    Hi ME,

    If you go to Policy and Objects > IPv4 Policy, you should be able to right click on the top horizontal bar and select desired column to display.

    See attached screenshot.