Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Hideki_Uemura
New Contributor

Command to output traffic statistics for each policy

Is there a command to output traffic statistics for each policy?

7 REPLIES 7
OneOfUs
New Contributor III

diagnose firewall iprope show 00100004 <policy-id>

 

diagnose firewall iprope show 00100004 3
idx=3 pkts/bytes=1572149/799803449 asic_pkts/asic_bytes=1501236/796584164 nturbo_pkts/nturbo_bytes=0/0 flag=0x0 hit count:12981
    first:2019-05-24 08:23:47 last:2019-09-04 07:55:43
 established session count:0
    first est:2019-05-24 08:23:47 last est:2019-09-04 07:45:39
Hideki_Uemura

Thank you for the wonderful answer. You have made my way to the future.

emnoc
Esteemed Contributor III

The API would give the same details and would not require pre-knowledge of the policyid#

 

e.g api entry point 

 

https://192.168.1.99/api/v2/monitor/firewall/policy/

 

Details would look similar to ;

 

    {

      "policyid":2,

      "uuid":"47cd84ec-ce3d-51e9-2d18-6ba8026ba89f",

      "active_sessions":430,

      "bytes":2643426116,

      "packets":35395089,

      "last_used":1568085842,

      "first_used":1567773847,

      "hit_count":29104,

      "session_last_used":1568085842,

      "session_first_used":1567773897,

      "session_count":4294967273

    }

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Hideki_Uemura

Thank you very much!! Is it possible to authenticate from URL? Because I want to get information using "curl" or "wget".

emnoc
Esteemed Contributor III

Yes, you can look at this blog for various examples.

 

http://socpuppet.blogspot.com/2018/07/howto-use-fortios-api-to-add-delete.html

http://socpuppet.blogspot.com/2019/09/howto-use-fortios-apiuser.html

 

The last link shows a system wide get for monitoring firewall policy. Using the API you can ascertain counts for all policyid with out specifically apply them. This is an advantage over the diag firewal iprope show cmd which requires a "specific policyid" # to be included.

 

YMMV but the API is more advance for monitoring.

 

With either approach they help in auditing and identifying bad policy, or policy not being used. Policyid with no hits comes down to;

 

   policy ordering

   policy written wrong (src/dst-addr|interface, incorrect service, typo,...... )

   or the request/project for that policy-rule no longer exist

   

Again YMMV on how you use the counts and hits. If I'm doing a project and audit. I always monitor the hits and last used time values in order to flag policyid thare no longer needed or to flag them for later review.

 

e.g

If you have a policyid and it has been used in 3+ month you probably do not need it 

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Hideki_Uemura

Thanks for your answer, I can do a good job !!

Ev
New Contributor

Top Kudoed Authors