Juquinha
New Member
April 16, 2021
Question

Fortigate API date format

  • April 16, 2021
  • 2 replies
  • 6304 views

I'm using the monitor/firewall/policy API to find policies that have not been used for a while. The thing is that I couldn't figure out the format of the information listed in the result. For example, when was the last_used time for the following policy?

The output is:

[
    {
        "policyid": 1,
        "uuid": "bc2ef692-9860-51eb-7f52-51857f6b3028",
        "active_sessions": 0,
        "bytes": 791357216,
        "packets": 782809,
        "last_used": 1618340453,
        "first_used": 1617911276,
        "hit_count": 1222,
        "session_last_used": 1618340453,
        "session_first_used": 1618339490,
        "session_count": 0
    }
]


Thanks in advance.

    2 replies

    emnoc
    New Member
    April 16, 2021

    epoch


    That last_used in your example is "Tuesday, April 13, 2021 7:00:53 PM UTC". You need to convert the TS to local/UTC or whatever if you want it human readable.


    Ken Felix

    emnoc
    New Member
    April 16, 2021

    Hey, just thought of something: you're a good candidate for using SNMP. You can easily get last used by a simple query of the SNMP OID for fwpolicy last_used, and the output is always easy to read, in local time.

    socket1>snmpwalk -c mycommunity -v2c 192.168.1.99 .1.3.6.1.4.1.12356.101.5.1.2.1.1.4.1
    SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.0 = STRING: "03/12/2021 10:04 (34 day(s) ago)"
    SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.1 = STRING: "No Session Data"
    SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.2 = STRING: "No Session Data"
    SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.5 = STRING: "03/24/2021 19:22 (22 day(s) ago)"
    SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.6 = STRING: "03/12/2021 10:03 (34 day(s) ago)"
    SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.7 = STRING: "No Session Data"
    SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.8 = STRING: "03/12/2021 10:01 (34 day(s) ago)"
    SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.9 = STRING: "No Session Data"
    SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.10 = STRING: "No Session Data"
    SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.11 = STRING: "04/16/2021 08:28 (31 second(s) ago)"

    "No Session Data" is also a clue to a policy with zero hits.


    The above output is the same as the extract from diag fw iprope.

    e.g.

    homefgt (root) # diag firewall iprope show 0x100004 0
    idx=0 pkts/bytes=4/336 asic_pkts/asic_bytes=0/0 flag=0x0 hit count:174
        first:2021-03-11 16:40:27 last:2021-03-12 10:04:40

    I also wrote a blog piece on finding unused policies by hit counts:

    http://socpuppet.blogspot.com/2020/07/howto-audit-unused-fwpolicy-on-fortios.html


    With SNMP you get the date conversion plus how many days since last_used. Just something to think about. When I audit FortiGates, that is one of many ways we easily ascertain if fwpolicy XYZ is used, when it was last used, etc.

    YMMV


    Ken Felix

    Juquinha (Author)
    New Member
    April 16, 2021

    Hey, Ken!


    Glad to "meet" you, since I have been on your blog for some time. :)

    It is really a good idea to get this information via SNMP. I'm now wondering about putting that information into my Zabbix and then letting it warn me when a policy reaches more than N days without a hit. I will think about that and measure the load. We have some firewalls with more than 3000 policies.

    For now, what I want to achieve is to do a big cleanup of this big piece of equipment we have. It has not been cleaned yet and someone needs to do the dirty work.

    For now, I'll try to convert the data as you said, so I can fill an array in PowerShell with the policies I want. Is this TimeSpan format in milliseconds? I tried converting it as milliseconds and the date does not match. Same in seconds.
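The conversion emnoc describes (last_used is Unix epoch seconds, not milliseconds) and the "more than N days without a hit" filter asked about above, as an added example that is not part of this thread or of any Fortinet tooling. It runs offline on a constructed list in the shape of the question's output; treating last_used of 0 as "never matched" is an assumption made here.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of the question's output: policy 1 is the
# real record from the thread, policies 2 and 3 are made up to show the
# edge cases (never matched, and long idle).
SAMPLE_OUTPUT = json.dumps([
    {"policyid": 1, "last_used": 1618340453, "first_used": 1617911276,
     "hit_count": 1222, "bytes": 791357216},
    {"policyid": 2, "last_used": 0, "first_used": 0, "hit_count": 0,
     "bytes": 0},
    {"policyid": 3, "last_used": 1615543480, "first_used": 1615471227,
     "hit_count": 174, "bytes": 336},
])


def epoch_to_utc(ts):
    """Unix epoch *seconds* -> timezone-aware UTC datetime.

    Assumption: a 0 (or missing) last_used means the policy never matched
    traffic, so it is returned as None rather than as 1970-01-01.
    """
    if not ts:
        return None
    return datetime.fromtimestamp(int(ts), tz=timezone.utc)


def human_utc(dt):
    """Render like the reply above: 'Tuesday, April 13, 2021 7:00:53 PM UTC'."""
    hour12 = dt.hour % 12 or 12
    return f"{dt:%A, %B} {dt.day}, {dt.year} {hour12}:{dt:%M:%S %p} UTC"


def stale_policies(raw_json, max_idle_days, now_epoch=None):
    """Return (policyid, last_used_utc, idle_days) for each policy that never
    matched or has not matched for more than max_idle_days.
    last_used_utc and idle_days are None for a never-used policy."""
    now = epoch_to_utc(now_epoch) if now_epoch else datetime.now(timezone.utc)
    stale = []
    for pol in json.loads(raw_json):
        last = epoch_to_utc(pol.get("last_used"))
        if last is None:
            stale.append((pol["policyid"], None, None))
        elif (now - last).days > max_idle_days:
            stale.append((pol["policyid"], last, (now - last).days))
    return stale


if __name__ == "__main__":
    # Evaluate as of 2021-04-16 12:00 UTC (the thread's date) so the run is stable.
    for pid, last, idle in stale_policies(SAMPLE_OUTPUT, 30, now_epoch=1618574400):
        print(pid, "never used" if last is None else f"{human_utc(last)} ({idle} days ago)")
```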

    emnoc
    New Member
    April 16, 2021

    Yeah, that is a big issue with every FW vendor: how to match and mark unused policies.

    FWIW, I believe FortiOS is one of the best to audit. I did a massive lift and change 2 years ago where an org had 7 individual firewalls that got placed into one big firewall cluster and then had 2700 policies between them. At the end of the day they only had 600-ish active policies.

    Most of what we eliminated were dups, policies written wrong, VPN tunnels no longer active, policies with services that were no longer in use, etc.

    We have a lot of the same going on in my day job with 3 different firewall vendor platforms. ;)

    YMMV