FortiOS CLI for Firewall Policy Usage & Hit Counts

Hello,

diagnose firewall iprope show 00100004 <policy-id>

You will see output like this:

diagnose firewall iprope show 00100004 29

idx:29
pkts:2824088 (33439 82019 80809 61065 14034 14237 14608 14430)
bytes:699757775 (2867942 7497352 7811258 14975945 5220313 5328453 5333995 5306958)
asic_pkts:11149135 (169571 779782 805568 619348 66128 101557 108512 114915)
asic_bytes:10149102177 (117269646 709026900 734728839 612853232 60197080 101510881 107921223 115032183)
nturbo_pkts:0 (0 0 0 0 0 0 0 0)
nturbo_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0
hit count:307605 (6409 15452 15152 8528 1727 1672 1652 1640)
first hit:2024-07-04 08:41:19 last hit:2024-11-07 10:12:06
established session count:3
first est:2024-07-04 08:41:19 last est:2024-11-07 10:12:06

here are some detailed steps and useful commands you can try:

1. View Policy Hit Counts with CLI Commands

FortiGate CLI provides several diagnostic and monitoring commands that can give you insights into policy usage. The following commands can help:

• Check Policy Hit Count:

shell

Copy code

diagnose firewall iprope policy-list

This command shows all the firewall policies with their corresponding hit counts. It’s useful for understanding which policies are actively being used.

• Detailed Policy Usage Information:

shell

Copy code

diagnose firewall statistic list

This command displays a comprehensive list of statistics, including hit counts for each firewall policy.

1. Using show firewall policy

The show command can also help you gather detailed policy information:

shell

Copy code

show firewall policy

While this won't provide direct usage statistics, it lists all policies, which you can cross-reference with hit counts from the diagnostic commands.

1. Policy Sessions Monitoring

You can also monitor active sessions tied to specific firewall policies:

shell

Copy code

diagnose sys session list | grep policyid

This command will show you active sessions and the associated policy IDs. It can help identify which policies are currently in use.

1. Using diag sys top for Real-Time Monitoring

For real-time monitoring of policy usage:

shell

Copy code

diag sys top

This command can help identify resource-intensive sessions and give you an overview of active traffic flows.

1. Generating a Report (Manual Approach)

Since you don’t have API access, you can manually collate the data by exporting the command outputs:

• Copy the outputs from the CLI and paste them into a spreadsheet.
• Filter and sort by hit counts or policy IDs to identify the most used policies.
• Summarize the data in your report, focusing on high-usage policies or those with zero hits.

Bonus Tip: Save Output to File

You can save the CLI output directly to a file (if you have SSH access) using:

shell

Copy code

execute log filter category <category_name>

Or redirect the output (via SSH session) to a local file for analysis.

Conclusion

The combination of diagnose and show commands should give you a good overview of firewall policy usage. If you need deeper analysis, you might have to access logs (execute log display) or work with session lists.

Hi,

Can you please confirm your request is solved?

Thank you in advance and good day!