FortiOS CLI for Firewall Policy Usage & Hit Counts
Hello everyone,
I am in the process of building a short report for firewall policy usage and I am having a bit of a time trying to retrieve the firewall policy usage from any "diag" commands. Unfortunately, I don't have API access to the devices that I will need to run this against.
Any thoughts appreciated!
Hello,
diagnose firewall iprope show 00100004 <policy-id>
You will see output like this:
diagnose firewall iprope show 00100004 29
idx:29
pkts:2824088 (33439 82019 80809 61065 14034 14237 14608 14430)
bytes:699757775 (2867942 7497352 7811258 14975945 5220313 5328453 5333995 5306958)
asic_pkts:11149135 (169571 779782 805568 619348 66128 101557 108512 114915)
asic_bytes:10149102177 (117269646 709026900 734728839 612853232 60197080 101510881 107921223 115032183)
nturbo_pkts:0 (0 0 0 0 0 0 0 0)
nturbo_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0
hit count:307605 (6409 15452 15152 8528 1727 1672 1652 1640)
first hit:2024-07-04 08:41:19 last hit:2024-11-07 10:12:06
established session count:3
first est:2024-07-04 08:41:19 last est:2024-11-07 10:12:06
Yeah, that one works but you have to specify the policy id as opposed to just printing out a list of all policies.
You can specify multiple policy ids:
diagnose firewall iprope show 00100004 1 2 3 4 5
It will print all of them with the same command.
Also correct, but that requires you to have a predefined list of IDs and I believe there is a constraint on that command to only allow for ~14 policy ID args. I was trying to avoid having to get a list of IDs and then iterate through that list running the command every time and grabbing the output.
Here are some detailed steps and useful commands you can try:
- View Policy Hit Counts with CLI Commands
FortiGate CLI provides several diagnostic and monitoring commands that can give you insights into policy usage. The following commands can help:
- Check Policy Hit Count:
diagnose firewall iprope policy-list
This command shows all the firewall policies with their corresponding hit counts. It’s useful for understanding which policies are actively being used.
- Detailed Policy Usage Information:
diagnose firewall statistic list
This command displays a comprehensive list of statistics, including hit counts for each firewall policy.
- Using show firewall policy
The show command can also help you gather detailed policy information:
show firewall policy
While this won't provide direct usage statistics, it lists all policies, which you can cross-reference with hit counts from the diagnostic commands.
- Policy Sessions Monitoring
You can also monitor active sessions tied to specific firewall policies:
diagnose sys session list | grep policyid
This command will show you active sessions and the associated policy IDs. It can help identify which policies are currently in use.
- Using diag sys top for Real-Time Monitoring
For real-time monitoring of policy usage:
diag sys top
This command can help identify resource-intensive sessions and give you an overview of active traffic flows.
- Generating a Report (Manual Approach)
Since you don’t have API access, you can manually collate the data by exporting the command outputs:
- Copy the outputs from the CLI and paste them into a spreadsheet.
- Filter and sort by hit counts or policy IDs to identify the most used policies.
- Summarize the data in your report, focusing on high-usage policies or those with zero hits.
Bonus Tip: Save Output to File
You can save the CLI output directly to a file (if you have SSH access) using:
execute log filter category <category_name>
Or redirect the output (via SSH session) to a local file for analysis.
Conclusion
The combination of diagnose and show commands should give you a good overview of firewall policy usage. If you need deeper analysis, you might have to access logs (execute log display) or work with session lists.
There may be some discrepancy with the code versions on some of the commands, I am running 7.4.3 for testing. Those are all great commands but to point back to my original request, there is no native way to retrieve a hit count for all policies without some sort of iteration through a list. "diagnose firewall iprope list" does not display hit counts.
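Putting the thread's pieces together as an added example (not code from any of the posts above): a Python helper that splits a list of policy IDs into `diagnose firewall iprope show 00100004` invocations of at most 14 IDs (the limit mentioned in this thread, treated here as an assumption), parses the output format shown earlier into per-policy counters, and lists the policies with zero hits for the report. The sample output is constructed from the record shown above plus a second, never-hit policy.

```python
import re

# Constructed sample modelled on the "diagnose firewall iprope show 00100004 <id> ..."
# record shown earlier in the thread; idx 30 is a made-up policy that never matched.
SAMPLE_OUTPUT = """\
idx:29
pkts:2824088 (33439 82019 80809 61065 14034 14237 14608 14430)
bytes:699757775 (2867942 7497352 7811258 14975945 5220313 5328453 5333995 5306958)
hit count:307605 (6409 15452 15152 8528 1727 1672 1652 1640)
first hit:2024-07-04 08:41:19 last hit:2024-11-07 10:12:06
established session count:3
idx:30
pkts:0 (0 0 0 0 0 0 0 0)
bytes:0 (0 0 0 0 0 0 0 0)
hit count:0 (0 0 0 0 0 0 0 0)
established session count:0
"""
MAX_IDS_PER_CALL = 14  # limit reported in the thread; treated here as an assumption

def batch_commands(policy_ids, max_ids=MAX_IDS_PER_CALL):
    """Build one 'show' command per batch of at most max_ids policy IDs."""
    ids = [str(i) for i in policy_ids]
    return ["diagnose firewall iprope show 00100004 " + " ".join(ids[n:n + max_ids])
            for n in range(0, len(ids), max_ids)]

def parse_iprope_show(text):
    """Parse concatenated command output into {policy_id: counters}."""
    records, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"idx:(\d+)$", line)
        if m:  # each policy record starts at an idx: line
            current = {"pkts": 0, "bytes": 0, "hit_count": 0, "first_hit": None, "last_hit": None}
            records[int(m.group(1))] = current
            continue
        if current is None:
            continue
        m = re.match(r"(pkts|bytes|hit count):(\d+)", line)  # total precedes the bracketed breakdown
        if m:
            current[m.group(1).replace(" ", "_")] = int(m.group(2))
            continue
        m = re.match(r"first hit:(\S+ \S+) last hit:(\S+ \S+)", line)
        if m:
            current["first_hit"], current["last_hit"] = m.group(1), m.group(2)
    return records

def unused_policies(records):
    """Policy IDs that have never matched traffic: candidates for clean-up review."""
    return sorted(pid for pid, r in records.items() if r["hit_count"] == 0)
```

Feed the commands from `batch_commands` to the CLI over SSH, concatenate the captured output, and hand it to `parse_iprope_show`; the zero-hit list is what the report's "unused policies" section needs.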
Hi,
Can you please confirm your request is solved?
Thank you in advance and good day!