Hello,
Has anyone tested this command on FortiOS 5.4.7 (diagnose firewall iprope clear 100004)?
In my lab, the hit counter isn't reset...
Lucas
Confirmed on a 60E, v5.4.7, that the counters are reset.
Do you see reasonable values with 'diag fire iprope show 100004 <policy-ID>', compared to the GUI values?
I have a strange behavior. In the CLI, when I run the command, it looks good. But when I ping from my computer to my server, the hit count restarts from the previous value, not from 0. If I reset from the web interface, the counter starts from 0.
Here is the debug output (FGT51E):
FGT-Remote (R2) # diagnose firewall iprope show 100004 1
idx=1 pkts/bytes=310/32122 asic_pkts/asic_bytes=0/0flag=0x0 hit count:41 first:2018-01-18 18:29:04 last:2018-01-18 18:52:42
FGT-Remote (R2) # diagnose firewall iprope clear 100004
FGT-Remote (R2) # diagnose firewall iprope show 100004 1
idx=1 pkts/bytes=0/0 asic_pkts/asic_bytes=0/0flag=0x0
#ping from my computer
FGT-Remote (R2) # diagnose firewall iprope show 100004 1
idx=1 pkts/bytes=2/120 asic_pkts/asic_bytes=0/0flag=0x0 hit count:42 first:2018-01-18 18:53:00 last:2018-01-18 18:53:00
#reset on web interface
FGT-Remote (R2) # diagnose firewall iprope show 100004 1
idx=1 pkts/bytes=0/0 asic_pkts/asic_bytes=0/0flag=0x0
FGT-Remote (R2) # diagnose firewall iprope show 100004 1
#ping from my computer
FGT-Remote (R2) # diagnose firewall iprope show 100004 1
idx=1 pkts/bytes=2/120 asic_pkts/asic_bytes=0/0flag=0x0 hit count:1 first:2018-01-18 18:58:32 last:2018-01-18 18:58:32
Same behavior on my FGT300D
LAB-FG300D (New-Lab) # diagnose firewall iprope show 100004 136
idx=136 pkts/bytes=10885449/5234321004 asic_pkts/asic_bytes=3019453/2048360614flag=0x0 hit count:58343 first:2017-12-05 18:54:10 last:2018-01-18 19:00:16
LAB-FG300D (New-Lab) # diagnose firewall iprope clear 100004
LAB-FG300D (New-Lab) # diagnose firewall iprope show 100004 136
idx=136 pkts/bytes=0/0 asic_pkts/asic_bytes=3019453/2048360614flag=0x0
LAB-FG300D (New-Lab) # diagnose firewall iprope show 100004 136
idx=136 pkts/bytes=2/120 asic_pkts/asic_bytes=3019453/2048360614flag=0x0 hit count:58344 first:2018-01-18 19:02:29 last:2018-01-18 19:02:29
Lucas
Try this
cli-cmd diagnose firewall iprope clear 100004 <insert the policy #>
e.g
diagnose firewall iprope clear 100004 136
PCNSE
NSE
StrongSwan
It works fine if I specify the policy ID.
I found a KB: http://kb.fortinet.com/kb/viewContent.do?externalId=FD36666&sliceId=1
If we omit the ID, it should reset the value for all firewall policies.
One more case to open.....
Lucas