Is there a command to output traffic statistics for each policy?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
diagnose firewall iprope show 00100004 <policy-id>
diagnose firewall iprope show 00100004 3
idx=3 pkts/bytes=1572149/799803449 asic_pkts/asic_bytes=1501236/796584164 nturbo_pkts/nturbo_bytes=0/0 flag=0x0 hit count:12981
first:2019-05-24 08:23:47 last:2019-09-04 07:55:43
established session count:0
first est:2019-05-24 08:23:47 last est:2019-09-04 07:45:39
Thank you for the wonderful answer. You have made my way to the future.
The API would give the same details and would not require pre-knowledge of the policyid#
e.g api entry point
https://192.168.1.99/api/v2/monitor/firewall/policy/ Details would look similar to ; { "policyid":2, "uuid":"47cd84ec-ce3d-51e9-2d18-6ba8026ba89f", "active_sessions":430, "bytes":2643426116, "packets":35395089, "last_used":1568085842, "first_used":1567773847, "hit_count":29104, "session_last_used":1568085842, "session_first_used":1567773897, "session_count":4294967273 }
PCNSE
NSE
StrongSwan
Thank you very much!! Is it possible to authenticate from URL? Because I want to get information using "curl" or "wget".
Yes, you can look at this blog for various examples.
http://socpuppet.blogspot.com/2018/07/howto-use-fortios-api-to-add-delete.html
http://socpuppet.blogspot.com/2019/09/howto-use-fortios-apiuser.html
The last link shows a system wide get for monitoring firewall policy. Using the API you can ascertain counts for all policyid with out specifically apply them. This is an advantage over the diag firewal iprope show cmd which requires a "specific policyid" # to be included.
YMMV but the API is more advance for monitoring.
With either approach they help in auditing and identifying bad policy, or policy not being used. Policyid with no hits comes down to;
policy ordering
policy written wrong (src/dst-addr|interface, incorrect service, typo,...... )
or the request/project for that policy-rule no longer exist
Again YMMV on how you use the counts and hits. If I'm doing a project and audit. I always monitor the hits and last used time values in order to flag policyid thare no longer needed or to flag them for later review.
e.g
If you have a policyid and it has been used in 3+ month you probably do not need it
Ken Felix
PCNSE
NSE
StrongSwan
Thanks for your answer, I can do a good job !!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1641 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.