Fortinet Forum
BensonLEI
Contributor

Can't view local-in-policy hit count?

Hi guys,

I would just like to know if there is any way to view the local-in-policy hit count. Thanks a lot.

 

I tried the normal method, but it failed, as follows:

For viewing the hit count of a normal security policy (working):

Ftg100E # diag firewall iprope show 00100004 36
idx=36 pkts/bytes=485923/517732782 asic_pkts/asic_bytes=474029/508168477 nturbo_pkts/nturbo_bytes=0/0 flag=0x0  hit count:207 first:2020-03-30 16:17:19 last:2020-07-22 12:46:59 established session count:0 first est:2020-03-30 16:23:14 last est:2020-07-22 12:46:59

For viewing the hit count of the local-in-policy (not working? :( ):

Ftg100E # diag firewall iprope show 00100001 1
idx=1 pkts/bytes=0/0 asic_pkts/asic_bytes=0/0 nturbo_pkts/nturbo_bytes=0/0 flag=0x0

Ftg100E # diag firewall iprope show 00100001 2
idx=2 pkts/bytes=0/0 asic_pkts/asic_bytes=0/0 nturbo_pkts/nturbo_bytes=0/0 flag=0x0

Please advise.

With many thanks.

Benson

1 Solution
darwin_FTNT
Staff

Just need to add a bit flag IPROPE_F_POL_STATISTIC to local-in policy struct it seems. I'll try to enable this bit and send a patch for verification.

BensonLEI

Thanks so much for your advice and recommendation.

darwin_FTNT

Tracked by mantis 0757046: Local-in policy hit count is not available in 'diag firewall iprope show'

It is already committed to FOS 7.x branch and available in build 0261.

Seems scheduled for FOS v6.4.9 as it is still in pending status (next official release is v6.4.8, current is v6.4.7).

Toshi_Esumi
Esteemed Contributor II

Did this actually get implemented with 6.4.9? I still don't seem to be able to see it with my 40F running 6.4.9. Geo-blocking seems to be working so there should be some hits.

config firewall local-in-policy
    edit 4
        set intf "any"
        set srcaddr "Blocked-Countries"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
    next
end

fg40f-utm (root) # diag firewall iprope show 00100001 4
idx=4 pkts/bytes=0/0 asic_pkts/asic_bytes=0/0 nturbo_pkts/nturbo_bytes=0/0 flag=0x0

Toshi

kcheng

Hi @Toshi_Esumi

Just to respond to your query, this did not get implemented in 6.2.x and 6.4.x. The feature is only available from 7.0.x onwards.

Cheers,
Kayzie Cheng
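
For anyone scripting this check, the following is an added example (not part of the thread and not Fortinet code) that parses the `diag firewall iprope show` output lines quoted above. It reports a line without a `hit count:` field as "statistics not reported" rather than as zero hits, which is an interpretation drawn from this thread; the function names are hypothetical and the sample lines are copied from the posts.

```python
import re
from datetime import datetime

# Output lines copied from the posts in this thread (policy 36 and local-in policy 4).
SAMPLE = """\
Ftg100E # diag firewall iprope show 00100004 36
idx=36 pkts/bytes=485923/517732782 asic_pkts/asic_bytes=474029/508168477 nturbo_pkts/nturbo_bytes=0/0 flag=0x0  hit count:207 first:2020-03-30 16:17:19 last:2020-07-22 12:46:59 established session count:0 first est:2020-03-30 16:23:14 last est:2020-07-22 12:46:59
fg40f-utm (root) # diag firewall iprope show 00100001 4
idx=4 pkts/bytes=0/0 asic_pkts/asic_bytes=0/0 nturbo_pkts/nturbo_bytes=0/0 flag=0x0
"""

IDX = re.compile(r"\bidx=(\d+)")
PAIR = re.compile(r"(\w+)/(\w+)=(\d+)/(\d+)")      # e.g. pkts/bytes=485923/517732782
FLAG = re.compile(r"\bflag=(0x[0-9a-fA-F]+)")
HIT = re.compile(r"hit count:(\d+) first:(\S+ \S+) last:(\S+ \S+)")
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_iprope_line(line):
    """Return a dict of counters for one output line, or None for prompts and blanks."""
    idx = IDX.search(line)
    if not idx:
        return None
    rec = {"idx": int(idx.group(1)), "stats_tracked": False, "hit_count": None}
    for name_a, name_b, val_a, val_b in PAIR.findall(line):
        rec[name_a], rec[name_b] = int(val_a), int(val_b)
    flag = FLAG.search(line)
    rec["flag"] = int(flag.group(1), 16) if flag else None
    hit = HIT.search(line)
    if hit:
        # Only lines that carry the field are treated as having hit statistics.
        rec["stats_tracked"] = True
        rec["hit_count"] = int(hit.group(1))
        rec["first_hit"] = datetime.strptime(hit.group(2), TS_FORMAT)
        rec["last_hit"] = datetime.strptime(hit.group(3), TS_FORMAT)
    return rec


def parse_iprope_output(text):
    """Parse multi-line CLI output, skipping lines without an idx= field."""
    return [r for r in map(parse_iprope_line, text.splitlines()) if r]


if __name__ == "__main__":
    for r in parse_iprope_output(SAMPLE):
        status = f"hits={r['hit_count']}" if r["stats_tracked"] else "hit count not reported"
        print(f"policy idx {r['idx']}: pkts={r['pkts']} bytes={r['bytes']} {status}")
```
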