I'm using the monitor/firewall/policy api to find the non-used policies for a while. The thing is that I couldn't figure what is the format of the information listed on the result. For example, when was the last_used time for the following policy?
Hey just thought of something you're a good candidate for using snmp. You can easily get last used by a simple query of the snmp oid for fwpolicy last_used and output is always easy to read by local time
socket1>snmpwalk -c mycommunity -v2c 192.168.1.99 .184.108.40.206.4.1.123220.127.116.11.18.104.22.168.1SNMPv2-SMI::enterprises.12322.214.171.124.126.96.36.199.1.0 = STRING: "03/12/2021 10:04 (34 day(s) ago)"SNMPv2-SMI::enterprises.123188.8.131.52.184.108.40.206.1.1 = STRING: "No Session Data"SNMPv2-SMI::enterprises.123220.127.116.11.18.104.22.168.1.2 = STRING: "No Session Data"SNMPv2-SMI::enterprises.12322.214.171.124.126.96.36.199.1.5 = STRING: "03/24/2021 19:22 (22 day(s) ago)"SNMPv2-SMI::enterprises.123188.8.131.52.184.108.40.206.1.6 = STRING: "03/12/2021 10:03 (34 day(s) ago)"SNMPv2-SMI::enterprises.123220.127.116.11.18.104.22.168.1.7 = STRING: "No Session Data"SNMPv2-SMI::enterprises.12322.214.171.124.126.96.36.199.1.8 = STRING: "03/12/2021 10:01 (34 day(s) ago)"SNMPv2-SMI::enterprises.123188.8.131.52.184.108.40.206.1.9 = STRING: "No Session Data"SNMPv2-SMI::enterprises.123220.127.116.11.18.104.22.168.1.10 = STRING: "No Session Data"SNMPv2-SMI::enterprises.12322.214.171.124.126.96.36.199.1.11 = STRING: "04/16/2021 08:28 (31 second(s) ago)" No Session data are also clue to as zero its policy The above output is the same extract from diag fw iprope e.ghomefgt (root) # diag firewall iprope show 0x100004 0idx=0 pkts/bytes=4/336 asic_pkts/asic_bytes=0/0 flag=0x0 hit count:174 first:2021-03-11 16:40:27 last:2021-03-12 10:04:40 I also wrote a blog piece on finding unsed policies by hits counts http://socpuppet.blogspot.com/2020/07/howto-audit-unused-fwpolicy-on-fortios.html With snmp you get the date conversion plus how many days last_used. Just something to think about. When I audit fortigates that is one of many ways we easily ascertain if fwpolicy XYZ is used, when last used,etc...... YMMV Ken Felix
Glad to "meet" you, since I have been in your blog for some times. :)
It ir really a good idea to catch these informations by SNMP. I'm now wondering about putting that information on my Zabbix and then let it warn me when a policy reaches more that N days without a hit. I will think about that and measure the load. We have some firewalls with more than 3000 policies.
For now what I want to achieve is to do a big cleanup in this big equipment we have. It has not been cleaned yet and someone need to do the dirty work.
For now, I'll try to convert the data as you said. SO I can fill an array in powershell with the policies I want. Is this TimeSpan format in miliseconds? I tried to convert using as miliseconds and the date does not match. Same in seconds.
yeah that is a big issue in every fw vendor on how to match and mark unused policies.
FWIW I believe fortios is one of the best to audit. I did a massive lift and change 2 years ago where we a org had 7 individual firewalls that got place into one big firewall cluster and then had 2700 policies between them. At the end of the day they only had 600ish active policies.
Most we eliminated where dups, written wrong, vpn-tunnels no long active, policies with services that where no long in use ,etc....
We have a lot of the same going on in my day job with 3 different firewall vendor platforms ;)