Fortinet Forum
Juquinha
New Contributor

Fortigate API date format

I'm using the monitor/firewall/policy API to find policies that haven't been used for a while. The thing is that I couldn't figure out what the format of the information listed in the result is. For example, when was the last_used time for the following policy?

The output is

[
    {
        "policyid": 1,
        "uuid": "bc2ef692-9860-51eb-7f52-51857f6b3028",
        "active_sessions": 0,
        "bytes": 791357216,
        "packets": 782809,
        "last_used": 1618340453,
        "first_used": 1617911276,
        "hit_count": 1222,
        "session_last_used": 1618340453,
        "session_first_used": 1618339490,
        "session_count": 0
    }
]

Thanks in advance.

emnoc
Esteemed Contributor III

epoch

 

That last_used in your example is "Tuesday, April 13, 2021 7:00:53 PM UTC". You need to convert the TS to local/UTC or whatever if you want it human readable.

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

emnoc
Esteemed Contributor III

Hey, just thought of something: you're a good candidate for using SNMP. You can easily get last_used by a simple query of the SNMP OID for fwpolicy last_used, and the output is always easy to read in local time.

socket1>snmpwalk -c mycommunity -v2c 192.168.1.99 .1.3.6.1.4.1.12356.101.5.1.2.1.1.4.1
SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.0 = STRING: "03/12/2021 10:04 (34 day(s) ago)"
SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.1 = STRING: "No Session Data"
SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.2 = STRING: "No Session Data"
SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.5 = STRING: "03/24/2021 19:22 (22 day(s) ago)"
SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.6 = STRING: "03/12/2021 10:03 (34 day(s) ago)"
SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.7 = STRING: "No Session Data"
SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.8 = STRING: "03/12/2021 10:01 (34 day(s) ago)"
SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.9 = STRING: "No Session Data"
SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.10 = STRING: "No Session Data"
SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.11 = STRING: "04/16/2021 08:28 (31 second(s) ago)"

"No Session Data" is also a clue that the policy is at zero.

 

The above output is the same as the extract from diag fw iprope, e.g.

homefgt (root) # diag firewall iprope show 0x100004 0
idx=0 pkts/bytes=4/336 asic_pkts/asic_bytes=0/0 flag=0x0 hit count:174
    first:2021-03-11 16:40:27 last:2021-03-12 10:04:40

 

 

I also wrote a blog piece on finding unused policies by hit counts:

 

http://socpuppet.blogspot.com/2020/07/howto-audit-unused-fwpolicy-on-fortios.html

 

With SNMP you get the date conversion plus how many days since last_used. Just something to think about. When I audit FortiGates, that is one of many ways we easily ascertain if fwpolicy XYZ is used, when it was last used, etc.

 

YMMV

 

Ken Felix

Juquinha
New Contributor

Hey, Ken!

 

Glad to "meet" you, since I have been on your blog a few times. :)

 

It is really a good idea to collect this information via SNMP. I'm now wondering about putting that information into my Zabbix and then letting it warn me when a policy reaches more than N days without a hit. I will think about that and measure the load. We have some firewalls with more than 3000 policies.

 

For now what I want to achieve is to do a big cleanup on this big piece of equipment we have. It has not been cleaned yet and someone needs to do the dirty work.

 

For now, I'll try to convert the data as you said, so I can fill an array in PowerShell with the policies I want. Is this TimeSpan format in milliseconds? I tried to convert it as milliseconds and the date does not match. Same in seconds.

 

 

emnoc
Esteemed Contributor III

Yeah, that is a big issue with every fw vendor: how to match and mark unused policies.

 

FWIW I believe FortiOS is one of the best to audit. I did a massive lift and change 2 years ago where an org had 7 individual firewalls that got placed into one big firewall cluster and then had 2700 policies between them. At the end of the day they only had 600ish active policies.

 

Most of what we eliminated were dups, written wrong, vpn-tunnels no longer active, policies with services that were no longer in use, etc.

 

We have a lot of the same going on in my day job with 3 different firewall vendor platforms ;)

 

YMMV


Juquinha
New Contributor

Hi, Ken!

 

Would you mind telling me what unit you used to do the time conversion? I am not able to match the correct date in milliseconds, seconds or ticks.

I cannot figure out what that number in the output means.

 

[TimeSpan]::FromTicks(1618340453)

Days              : 0
Hours             : 0
Minutes           : 2
Seconds           : 41
Milliseconds      : 834
Ticks             : 1618340453
TotalDays         : 0,00187307922800926
TotalHours        : 0,0449539014722222
TotalMinutes      : 2,69723408833333
TotalSeconds      : 161,8340453
TotalMilliseconds : 161834,0453
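The value is Unix epoch seconds, as Ken said, not .NET ticks or milliseconds. As an added example (not code posted by anyone in this thread), here is the PowerShell conversion together with the cleanup filter the question is after; the records are constructed from the one in the question, and fetching them from the FortiGate API is assumed rather than shown:

```powershell
# Added example (not posted in the thread): turn the monitor/firewall/policy
# "last_used" value into a DateTime and list policies idle for more than N days.
# The records below are constructed from the one in the question; fetching them
# (Invoke-RestMethod against https://<fortigate>/api/v2/monitor/firewall/policy
# with an API token) is assumed and not shown.

$sampleJson = @'
[
  { "policyid": 1, "uuid": "bc2ef692-9860-51eb-7f52-51857f6b3028",
    "last_used": 1618340453, "first_used": 1617911276, "hit_count": 1222 },
  { "policyid": 2, "uuid": "00000000-0000-0000-0000-000000000002",
    "last_used": 0, "first_used": 0, "hit_count": 0 }
]
'@

function ConvertFrom-FortiEpoch {
    param([Parameter(Mandatory)][long]$Seconds)
    # last_used is seconds since 1970-01-01 00:00:00 UTC: not ticks, not milliseconds
    [DateTimeOffset]::FromUnixTimeSeconds($Seconds).UtcDateTime
}

function Get-StalePolicy {
    param(
        [Parameter(Mandatory)][string]$Json,
        [int]$Days = 90,
        [datetime]$Now = [datetime]::UtcNow
    )
    foreach ($p in ($Json | ConvertFrom-Json)) {
        # last_used of 0 means the policy never matched traffic ("No Session Data" in the SNMP walk)
        $lastUsed = $null; $idleDays = $null; $lastUsedText = 'never'
        if ($p.last_used -gt 0) {
            $lastUsed     = ConvertFrom-FortiEpoch -Seconds $p.last_used
            $lastUsedText = $lastUsed.ToString('u')
            $idleDays     = [int][math]::Floor(($Now - $lastUsed).TotalDays)
        }
        if ($null -eq $lastUsed -or $idleDays -gt $Days) {
            [pscustomobject]@{
                PolicyId    = $p.policyid
                HitCount    = $p.hit_count
                LastUsedUtc = $lastUsedText
                IdleDays    = $idleDays
            }
        }
    }
}

# Policy 1 resolves to 2021-04-13 19:00:53Z, the same instant Ken quoted
ConvertFrom-FortiEpoch -Seconds 1618340453
Get-StalePolicy -Json $sampleJson -Days 90 | Format-Table -AutoSize
```

Keep the comparison in UTC on both sides: last_used is UTC, so mixing in a local-time $Now would skew the idle-day count by your offset.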