FortiGate
xshkurti
Staff
Article Id 369445
Description: This article describes how to get the hit count for explicit proxy policies through the CLI.
Scope: FortiGate.
Solution

Firewall policy and explicit proxy policy operate on different levels. The same applies to statistics and how to read them.

A guide on how to check firewall policy hit counts is available at this link: Technical Tip: How to check the Hit Count, First hit, last hit, and established session count for si...

An explicit proxy is a service handled by the WAD process. To get statistics for this type of policy, the WAD process information needs to be dumped.

The following simple proxy policy is used as an example:

config firewall proxy-policy
    edit 1
        set name "Internet-Access-Hits"
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

Note that the policy ID is 1.

The command 'diagnose wad worker policy list' lists all proxy policies currently active on the FortiGate.

FGT # diagnose wad worker policy list
explicit-web policy, vdom:root p_id:1 p_uuid:fd9c6632-cf61-51ef-c0a2-ca574d06cc04
Client In: 1688352, Out:218582251 server In: 218580739, Out: 1649386
active_sessions: 3, n_hits: 151
first access: Fri Jan 10 07:13:02 2025
last access: Fri Jan 10 07:22:38 2025

 

implicit proxy allow policy, vdom:root p_id:0 p_uuid:
Client In: 0, Out:0 server In: 0, Out: 0
active_sessions: 0, n_hits: 0
first access: never last access: never

 

implicit proxy deny policy, vdom:root p_id:0 p_uuid:
Client In: 0, Out:0 server In: 0, Out: 0
active_sessions: 0, n_hits: 0
first access: never last access: never


3 of 3 proxy policies have been displayed, 0 remaining.

 

In this output, the policy ID appears in the p_id field: in the entry p_id:1, the number 1 is the policy ID.

To filter for a specific policy, use the grep command: 'diagnose wad worker policy list | grep p_id:1'.

To also print the 5 lines that follow the matching line, add the -A switch with a value of 5.

FGT # diagnose wad worker policy list | grep p_id:1 -A 5
explicit-web policy, vdom:root p_id:1 p_uuid:fd9c6632-cf61-51ef-c0a2-ca574d06cc04
Client In: 1966365, Out:434010596 server In: 434011556, Out: 1913790
active_sessions: 5, n_hits: 219
first access: Fri Jan 10 07:13:02 2025
last access: Fri Jan 10 07:26:43 2025

 

The number of hits for this proxy-policy from CLI is 219 (n_hits: 219). The same thing can be seen via the GUI:

 

[Screenshot: Hit.png]

This is useful when scripts are used to retrieve the correct number of hits and other session information.
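As an added example (not part of the original article and not Fortinet code), the Python script below parses saved output of 'diagnose wad worker policy list' into one record per policy. The sample text is copied from the output shown above, and parse_policies and hits_for are hypothetical names. It matches the policy ID exactly, whereas the substring filter 'grep p_id:1' also matches p_id:10, p_id:11 and so on.

```python
import re

# Sample text copied from the output shown in this article (blank lines trimmed).
SAMPLE = """\
explicit-web policy, vdom:root p_id:1 p_uuid:fd9c6632-cf61-51ef-c0a2-ca574d06cc04
Client In: 1966365, Out:434010596 server In: 434011556, Out: 1913790
active_sessions: 5, n_hits: 219
first access: Fri Jan 10 07:13:02 2025
last access: Fri Jan 10 07:26:43 2025
implicit proxy allow policy, vdom:root p_id:0 p_uuid:
Client In: 0, Out:0 server In: 0, Out: 0
active_sessions: 0, n_hits: 0
first access: never last access: never
3 of 3 proxy policies have been displayed, 0 remaining.
"""

HEADER = re.compile(r"^(?P<type>.+?), vdom:(?P<vdom>\S+) p_id:(?P<p_id>\d+) p_uuid:(?P<p_uuid>\S*)")
COUNTERS = re.compile(r"active_sessions:\s*(\d+),\s*n_hits:\s*(\d+)")
ACCESS = re.compile(r"(first|last) access:\s*(.+?)(?=\s+last access:|$)")


def parse_policies(text):
    """Return one dict per policy block in the WAD policy dump."""
    policies, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            current = {**m.groupdict(), "p_id": int(m["p_id"])}
            policies.append(current)
        elif current is not None:
            m = COUNTERS.search(line)
            if m:
                current["active_sessions"], current["n_hits"] = int(m[1]), int(m[2])
            # 'never' entries put first and last access on a single line.
            for which, value in ACCESS.findall(line):
                current[which + "_access"] = value
    return policies


def hits_for(text, vdom, p_id):
    """Exact match on VDOM and policy ID; returns a list because p_id 0 is shared."""
    return [p["n_hits"] for p in parse_policies(text) if p["vdom"] == vdom and p["p_id"] == p_id]


if __name__ == "__main__":
    for p in parse_policies(SAMPLE):
        print(p["type"], p["p_id"], p["n_hits"], p["first_access"], p["last_access"])
```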

 

Related document:

Seven-day rolling counter for policy hit counters