Hello!
Recently we invested in FortiAnalyzer VM and as of right now it’s working flawlessly and it has proven its worth already. But we are still trying to figure out how we could use FortiAnalyzer to show us the policies that aren't used or aren't used as much as others. Also we would like to know if there is a way to generate a report or place some filter options that could show us which ports/services are used by a certain policy? Let's say for example LAN to WAN.
Thanks in advance!
Len. B
You can view policy hit count in FortiManager (if enabled in global settings). FortiAnalyzer only knows about policies if there are logs referencing those policies.
Some more thoughts on unused policies:
1) you can run a "Policy Check" on a policy package in FortiManager that will identify policies which are "shadowed" and therefore are redundant and will never match traffic
2) a security fabric audit run on your FortiGate should also identify unnecessary policies
I don't think you can get a report for unused ports (services in a policy id). For example, if you have a policy.id 444 with
set service HTTP HTTPS SSH PING TELNET LDAP mycommongroups
Nothing you can do from a query or diagnostic against that policy.id #444 will show you the counts of HTTP vs SSH vs service-group. I could be wrong but someone will correct me ;)
PCNSE
NSE
StrongSwan
> Also we would like to know if there is a way to generate a report or place some filter options that could show us which ports/services are used by a certain policy?
If you are looking at which ports ARE used ... in theory, you could design a query to evaluate traffic logs by policy ID and, for each policy ID, rank the ports (dstport) which match that policy. But as emnoc has pointed out, this would not identify ports that are NEVER used ("unused"). You could only figure that out by a visual (aka manual) comparison of the report against the policy configuration.
Hello, as far as I know you cannot create a report for unused policies as they are not in the logs. You can only work with the information that is in the logs.
For policy and port usage you can maybe use this dataset (not sure whether the filters are 100% correct):
SELECT `policyid`, `dstport`, COUNT(*) AS totalnum FROM $log WHERE $filter AND `action`!='deny' AND `subtype`!='local' AND `policyid`!=0 GROUP BY `policyid`, `dstport` ORDER BY `policyid` ASC, `dstport` ASC
After that you can do a drilldown chart for PolicyID, Destination Port and the Totalnum.
AtiT
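As an added example (not code from this thread or from Fortinet), the following script does offline what the dataset above does inside FortiAnalyzer, and then performs the "manual comparison" step from the earlier reply: it aggregates constructed FortiGate-style traffic log lines by policyid and dstport with the same filters (no deny, no local, no policy 0), then compares the ports actually seen against a constructed service-name-to-port map for each policy to list services that never appear in traffic. The log lines and the POLICY_SERVICES map are made up for the demonstration.

```python
import re
from collections import Counter

# Constructed FortiGate-style traffic log lines (key=value), not real logs.
SAMPLE_LOGS = [
    'date=2024-05-01 type="traffic" subtype="forward" policyid=444 action="accept" dstport=443 proto=6',
    'date=2024-05-01 type="traffic" subtype="forward" policyid=444 action="accept" dstport=443 proto=6',
    'date=2024-05-01 type="traffic" subtype="forward" policyid=444 action="accept" dstport=22 proto=6',
    'date=2024-05-01 type="traffic" subtype="forward" policyid=444 action="deny" dstport=23 proto=6',
    'date=2024-05-01 type="traffic" subtype="local" policyid=0 action="accept" dstport=541 proto=6',
    'date=2024-05-01 type="traffic" subtype="forward" policyid=12 action="accept" dstport=80 proto=6',
]

# Constructed stand-in for the service objects referenced by each policy
# (service name -> set of destination ports it covers).
POLICY_SERVICES = {
    444: {"HTTP": {80}, "HTTPS": {443}, "SSH": {22}, "TELNET": {23}, "LDAP": {389}},
    12: {"HTTP": {80}, "HTTPS": {443}},
}

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_log(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}

def port_usage(lines):
    """Count (policyid, dstport) pairs using the dataset's filters:
    skip denied traffic, local-in traffic and the implicit policy 0."""
    counts = Counter()
    for rec in map(parse_log, lines):
        if rec.get("action") == "deny" or rec.get("subtype") == "local":
            continue
        pid = int(rec.get("policyid", 0))
        if pid == 0:
            continue
        counts[(pid, int(rec["dstport"]))] += 1
    return counts

def unused_services(counts, policy_services):
    """For each policy, the configured services whose ports never show up in accepted traffic."""
    seen = {}
    for (pid, port) in counts:
        seen.setdefault(pid, set()).add(port)
    return {pid: sorted(name for name, ports in svcs.items() if not ports & seen.get(pid, set()))
            for pid, svcs in policy_services.items()}

if __name__ == "__main__":
    usage = port_usage(SAMPLE_LOGS)
    for (pid, port), n in sorted(usage.items()):
        print(f"policyid={pid} dstport={port} totalnum={n}")
    print(unused_services(usage, POLICY_SERVICES))
```

As the thread notes, this can only confirm what did appear in the logs; a service group such as mycommongroups would first have to be expanded into its member ports before it can be checked this way.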
Good Job
PCNSE
NSE
StrongSwan
Copyright 2024 Fortinet, Inc. All Rights Reserved.