SoRealCru
New Member
May 15, 2018
Solved

Unused policies & trying to know which ports are used by a certain policy

  • May 15, 2018
  • 2 replies
  • 16692 views

Hello!

Recently we invested in FortiAnalyzer VM and as off right now it’s working flawlessly and it has proven its worth already. But we are still trying to figure out how we could use FortiAnalyzer to show us the policies that aren't used or aren't used as much as others. Also we would like to know if there is a way to generate a report or place some filter options that could show us which ports/services are used by a certain policy? Let's say for example Lan to Wan.

Thanks in advance!

Len. B

Best answer by chall_FTNT

You can view policy hit count in FortiManager (if enabled in global settings).  FortiAnalyzer only knows about policies if there are logs referencing those policies. 

2 replies

emnoc
New Member
May 15, 2018

I don't think you can get a report for unused ports (services in a policy id), for example if you have a policy.id 444 with

set service HTTP HTTPS SSH PING TELNET LDAP mycommongroups

Nothing you can do from a query or diagnostic against that policy.id #444 will show you the counts of HTTP vs SSH vs service-group. I could be wrong but someone will correct me ;)

chall_FTNT
Staff
May 15, 2018

> Also we would like to know if there is a way to generate a report or place some filter options that could show us which ports/services are used by a certain policy?

If you are looking at which ports ARE used... in theory, you could design a query to evaluate traffic logs by policy ID & for each policy ID, rank the ports (dstport) which match that policy. But as emnoc has pointed out, this would not identify ports that are NEVER used ("unused"). You could only figure that out by a visual (aka manual) comparison of the report against policy configuration.

AtiT
New Member
May 16, 2018

Hello, as far as I know you cannot create a report for unused policies as they are not in the logs. You can work with information that is in the logs.

For policy and port usage you can maybe use this dataset (not sure whether the filters are 100% correct):

SELECT `policyid`, `dstport`, COUNT(*) AS totalnum FROM $log WHERE $filter AND `action`!='deny' AND `subtype`!='local' AND `policyid`!=0 GROUP BY `policyid`, `dstport` ORDER BY `policyid` ASC, `dstport` ASC

After that you can do a drilldown chart for PolicyID, Destination Port and the Totalnum.
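The two ideas in the replies above (rank dstport per policy ID from the traffic logs, then compare that against the policy's configured services by hand to find what is never hit) can be done offline as well. The script below is an added example, not FortiAnalyzer's dataset engine or anyone's code from this thread: it parses FortiGate key=value traffic log lines, applies the same filters as the dataset (accepted, non-local, policyid != 0), ranks destination ports per policy, and then flags configured services with zero hits. The log lines, the policy-to-service table and the small service-name-to-port map are all constructed for the example and are not from a real device or the FortiGate's predefined service database.

```python
"""Per-policy port usage from FortiGate traffic logs, plus a check for
configured services that were never hit (the 'manual comparison' step).
All sample data here is constructed for the example."""
import re
from collections import Counter, defaultdict

# Assumed service-name -> (proto, port) map; only the services used below.
SERVICE_PORTS = {
    "HTTP": (6, 80),
    "HTTPS": (6, 443),
    "SSH": (6, 22),
    "TELNET": (6, 23),
    "LDAP": (6, 389),
    "PING": (1, None),  # ICMP has no port; matched on protocol only
}

# Constructed policy configuration: policy ID -> configured services.
POLICY_SERVICES = {
    444: ["HTTP", "HTTPS", "SSH", "PING", "TELNET", "LDAP"],
    10: ["HTTPS"],
}

# Constructed FortiGate traffic log lines in key=value format.
SAMPLE_LOGS = """\
date=2018-05-15 time=10:00:01 type="traffic" subtype="forward" srcip=10.0.0.5 dstip=93.184.216.34 dstport=443 proto=6 action="accept" policyid=444 service="HTTPS"
date=2018-05-15 time=10:00:02 type="traffic" subtype="forward" srcip=10.0.0.6 dstip=93.184.216.34 dstport=443 proto=6 action="accept" policyid=444 service="HTTPS"
date=2018-05-15 time=10:00:03 type="traffic" subtype="forward" srcip=10.0.0.7 dstip=93.184.216.35 dstport=80 proto=6 action="accept" policyid=444 service="HTTP"
date=2018-05-15 time=10:00:04 type="traffic" subtype="forward" srcip=10.0.0.7 dstip=10.1.0.9 dstport=22 proto=6 action="accept" policyid=444 service="SSH"
date=2018-05-15 time=10:00:05 type="traffic" subtype="forward" srcip=10.0.0.8 dstip=10.1.0.9 dstport=0 proto=1 action="accept" policyid=444 service="PING"
date=2018-05-15 time=10:00:06 type="traffic" subtype="forward" srcip=10.0.0.9 dstip=93.184.216.36 dstport=443 proto=6 action="accept" policyid=10 service="HTTPS"
date=2018-05-15 time=10:00:07 type="traffic" subtype="forward" srcip=10.0.0.9 dstip=93.184.216.36 dstport=8443 proto=6 action="deny" policyid=0 service="tcp/8443"
date=2018-05-15 time=10:00:08 type="traffic" subtype="local" srcip=10.0.0.9 dstip=10.0.0.1 dstport=443 proto=6 action="accept" policyid=0 service="HTTPS"
"""

# key=value or key="quoted value"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line into a dict with quotes stripped."""
    return {k: (q if q else u) for k, q, u in KV_RE.findall(line)}


def policy_port_counts(log_text):
    """Same filters as the dataset in the reply above: accepted, non-local
    traffic with a real policy ID, counted per (policyid, proto, dstport)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "traffic":
            continue
        if rec.get("action") == "deny" or rec.get("subtype") == "local":
            continue
        policyid = int(rec.get("policyid", 0))
        if policyid == 0:
            continue
        key = (policyid, int(rec.get("proto", 0)), int(rec.get("dstport", 0)))
        counts[key] += 1
    return counts


def ranked_ports(counts):
    """Per policy, (hits, proto, dstport) tuples ranked by hit count."""
    per_policy = defaultdict(list)
    for (pid, proto, port), n in counts.items():
        per_policy[pid].append((n, proto, port))
    return {pid: sorted(v, reverse=True) for pid, v in per_policy.items()}


def unused_services(counts, policy_services=POLICY_SERVICES):
    """Return, per policy, the configured services with no matching hits."""
    seen = defaultdict(set)
    for (pid, proto, port) in counts:
        seen[pid].add((proto, port))
    result = {}
    for pid, services in policy_services.items():
        unused = []
        for svc in services:
            proto, port = SERVICE_PORTS[svc]
            hit = any(p == proto and (port is None or dp == port)
                      for p, dp in seen[pid])
            if not hit:
                unused.append(svc)
        result[pid] = unused
    return result


if __name__ == "__main__":
    c = policy_port_counts(SAMPLE_LOGS)
    for pid, ranked in ranked_ports(c).items():
        print(f"policy {pid}: {ranked}")
    print("never hit:", unused_services(c))
```

On the sample data, policy 444 shows hits for HTTPS, HTTP, SSH and PING and none for TELNET or LDAP, which is exactly the kind of gap the FortiAnalyzer report cannot show on its own because absent traffic produces no log rows. The service map is the weak point of any such comparison: custom services and service groups (like the "mycommongroups" in emnoc's example) must be expanded from the actual FortiGate configuration before the check means anything.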

emnoc
New Member
May 16, 2018

Good Job

chall_FTNT
Staff
May 16, 2018

Some more thoughts on unused policies:

1) you can run a "Policy Check" on a policy package in FortiManager that will identify policies which are "shadowed" and therefore are redundant and will never match traffic

2) a security fabric audit run on your FortiGate should also identify unnecessary policies