Hello,
I am not aware of a way to get it from the CLI, but you can use SNMP polling to get the info. It may help.
Regards
Jocelyn
I would say diagnose firewall iprope show 100004 <policyid> will tell you if the policy was hit, but the last_used date/time is not included. Maybe support has an alternative for diagnose firewall iprope.
As far as last use goes, you should write a log parser and use the UUIDs for the firewall policy in your parse jobs.
So, for example, the order would be:
Run a list of the policy IDs from the get or show of a firewall. This would be your seed file that you base the foundations off of. Since each policy ID is unique, outside of adds/changes you only need to update the seed list before running the parse job.
( building a seed from vd=root )
echo -e "config vdom\n \n edit root\n show firewall policy | grep edit\n " | ssh 1.1.1.1 | awk '{print$2}'
1.1.1.1 would be your firewall address.
Then build a "diagnose firewall iprope show 100004" loop based on the policy IDs in the seed and weed out anything that has 0/0 for bytes,
e.g.
FWWALL (root) # diagnose firewall iprope show 100004 1 2 8 9 11
idx=1 pkts/bytes=0/0 asic_pkts/asic_bytes=0/0 flag=0x0
idx=2 pkts/bytes=0/0 asic_pkts/asic_bytes=0/0 flag=0x0
idx=8 pkts/bytes=0/0 asic_pkts/asic_bytes=0/0 flag=0x0
idx=9 pkts/bytes=8120/5371085 asic_pkts/asic_bytes=0/0 flag=0x0
idx=11 pkts/bytes=1899920/2389353456 asic_pkts/asic_bytes=0/0 flag=0x0
and
FWWALL (root) # diagnose firewall iprope show 100004 1 2 8 9 11 | grep -v "pkts/bytes=0/0"
idx=9 pkts/bytes=8120/5371085 asic_pkts/asic_bytes=0/0 flag=0x0
idx=11 pkts/bytes=1899920/2389353456 asic_pkts/asic_bytes=0/0 flag=0x0
So now you just need the UUID for firewall policy #5 and parse your logs.
echo -e " config vdom\n edit root\n show firewall policy 8 | grep uuid \n" | ssh 1.1.1.1 | grep set | cut -d "#" -f 2
Outside of that, there is no easy way. The above suggestion would require that you have:
1: traffic logs
2: probably logging off disk/memory
3: Splunk, Sawmill, ELK stack or Loggly would be great for this btw
4: access to the UUID information
Once you have the UUID, it's straightforward to write queries for date/time ranges.
BTW, this is how we audit firewalls old school and manually. This helps in determining if policies are used or when they were last used, and in tracking any changes for policies that were working and have now stopped.
Ken
PCNSE
NSE
StrongSwan
Thanks for your tips.
FYI
running v5.4.5, you'll get your timestamps:
gate # diag firewall iprope show 100004 23
idx=23 pkts/bytes=151795/26928951 asic_pkts/asic_bytes=74137/9845236 flag=0x0 hit count:1476
first:2017-07-25 09:43:51 last:2017-07-25 15:14:53
That's good to know. v5.2.11 and v5.4.0 do not, btw. I didn't check my v5.6 until just now.
If your logging target is remote, it is still best to recover this from the log source (disk or FAZ or syslogd) due to 1> reboots 2> upgrades 3> etc.
Also, if someone runs diag firewall iprope clear, you will probably lose all correct diag information imho.
FWIW: We are going to do a POC sometime later using the Splunk app and FortiGate logs to determine counts and timestamps. I hope to post a success story ;)
PCNSE
NSE
StrongSwan
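The two parsing steps the thread describes (weeding zero-hit policies out of `diagnose firewall iprope show 100004` output, then finding the last-used time for a policy UUID in the traffic log) as one offline script. This is an added example, not code from either poster or from Fortinet: all sample data is constructed, the UUIDs are made up, and the traffic-log field names `policyid=` / `poluuid=` are assumed. It also handles the v5.4.5 output shown above, where the `hit count` and `first:`/`last:` timestamps follow the counters.

```sh
#!/bin/sh
# Added example, not from the original thread: offline parsers for the two data
# sources the posts rely on. In real use, IPROPE_SAMPLE is the output of
# "diagnose firewall iprope show 100004 <ids from the seed file>" collected over
# ssh as in the post, and LOG_SAMPLE is your traffic log (disk, FAZ or syslog
# export). All sample data below is constructed; the UUIDs are made up and the
# log field names policyid= / poluuid= are assumed.

# Constructed iprope output: pre-5.4.5 style entries, plus one 5.4.5-style entry
# whose "hit count" and first:/last: timestamps sit on a continuation line.
IPROPE_SAMPLE='idx=1 pkts/bytes=0/0 asic_pkts/asic_bytes=0/0 flag=0x0
idx=9 pkts/bytes=8120/5371085 asic_pkts/asic_bytes=0/0 flag=0x0
idx=11 pkts/bytes=1899920/2389353456 asic_pkts/asic_bytes=0/0 flag=0x0
idx=23 pkts/bytes=151795/26928951 asic_pkts/asic_bytes=74137/9845236 flag=0x0 hit count:1476
first:2017-07-25 09:43:51 last:2017-07-25 15:14:53'

# Constructed traffic-log lines (FortiGate key=value style); the event line has
# no policy fields and must be ignored.
LOG_SAMPLE='date=2017-07-24 time=08:01:02 type="traffic" subtype="forward" policyid=9 poluuid="aaaa-1" srcip=10.0.0.5 dstip=8.8.8.8 action="accept"
date=2017-07-25 time=15:14:53 type="traffic" subtype="forward" policyid=11 poluuid="bbbb-2" srcip=10.0.0.6 dstip=1.1.1.1 action="accept"
date=2017-07-25 time=09:43:51 type="traffic" subtype="forward" policyid=9 poluuid="aaaa-1" srcip=10.0.0.7 dstip=8.8.4.4 action="accept"
date=2017-07-25 time=10:00:00 type="event" subtype="system" logdesc="Admin login"'

# hit_policies: read iprope output on stdin and print "idx pkts bytes last" for
# every policy whose software or ASIC counters are non-zero. "last" is "-" when
# the firmware does not report timestamps.
hit_policies() {
  awk '
    function flush() {
      if (idx != "" && pk > 0) printf "%s %.0f %.0f %s\n", idx, pk, by, last
      idx = ""
    }
    /^idx=/ {
      flush()
      idx = substr($1, 5)                        # idx=N
      split($2, a, "="); split(a[2], sw, "/")    # pkts/bytes=N/M
      split($3, b, "="); split(b[2], hw, "/")    # asic_pkts/asic_bytes=N/M
      pk = sw[1] + hw[1]; by = sw[2] + hw[2]
      last = "-"
      next
    }
    /^first:/ { last = substr($3, 6) " " $4; next }   # last:YYYY-MM-DD HH:MM:SS
    END { flush() }
  '
}

# last_used UUID: read traffic-log lines on stdin and print the latest date/time
# seen for that policy UUID, or "never". FortiGate date=/time= values are
# zero-padded ISO style, so plain string comparison orders them correctly.
last_used() {
  awk -v want="$1" '
    $0 ~ ("poluuid=\"" want "\"") {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^date=/) d = substr($i, 6)
        if ($i ~ /^time=/) t = substr($i, 6)
      }
      ts = d " " t
      if (ts > best) best = ts
    }
    END { print (best == "" ? "never" : best) }
  '
}

# Demo against the constructed samples.
printf '%s\n' "$IPROPE_SAMPLE" | hit_policies
printf '%s\n' "$LOG_SAMPLE" | last_used aaaa-1
printf '%s\n' "$LOG_SAMPLE" | last_used cccc-3
```

In practice the UUID argument to `last_used` is whatever `show firewall policy <id> | grep uuid` returns for each idx that `hit_policies` reports, and the log source should be the one the second post recommends (disk, FAZ or syslog), since the iprope counters and timestamps are lost on reboot or `diagnose firewall iprope clear`.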
Copyright 2025 Fortinet, Inc. All Rights Reserved.