Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
penguruh
New Contributor

"Last Used" from CLI?

Hi,

 

It is possible to get the "last used" Counter from the CLI? I want that to do automated by scripting ...

 

Best Regards,

 

 

5 REPLIES 5
jhouvenaghel_FTNT

Hello,

 

I am not aware of a way to get it from CLI but you can use snmp polling to get the info. It may help

 

Regards

Jocelyn

emnoc
Esteemed Contributor III

I would say diagnose firewall iprope show  100004 <policyid> will give you if the policy was hit , but the last_used date/time is not included. Maybe support has alternative  for diagnose firewall iprope

 

As far as last use, you should write a log parser and use the UUIDs for the firewallpolicy in your parse jobs.

 

So example the order would be

 

To run a list of the policyid  from the get  or show of a firewall. This would be you seed file that you  based the foundations off off. Since each policyid is unique and outside of add/changes, you only need to update the seed list before running the parse job.

 

( building a seed from  vd=root )

 

echo -e "config vdom\n \n edit root\n show firewall policy | grep edit\n " | ssh 1.1.1.1 | awk '{print$2}'

 

1.1.1.1 would be your  firewall address

 

Than build   "diagnose firewall iprope show  100004" loop based on the policy-id in the seed  and  weed out any thing that has 0/0 for bytes

 

e.g

 

FWWALL (root) # diagnose firewall iprope show  100004  1 2 8 9 11 idx=1 pkts/bytes=0/0 asic_pkts/asic_bytes=0/0 flag=0x0 idx=2 pkts/bytes=0/0 asic_pkts/asic_bytes=0/0 flag=0x0 idx=8 pkts/bytes=0/0 asic_pkts/asic_bytes=0/0 flag=0x0 idx=9 pkts/bytes=8120/5371085 asic_pkts/asic_bytes=0/0 flag=0x0

idx=11 pkts/bytes=1899920/2389353456 asic_pkts/asic_bytes=0/0 flag=0x0

 

 

and

FWWALL (root) # diagnose firewall iprope show  100004  1 2 8 9 11| grep -v "pkts/bytes=0/0" idx=9 pkts/bytes=8120/5371085 asic_pkts/asic_bytes=0/0 flag=0x0

idx=11 pkts/bytes=1899920/2389353456 asic_pkts/asic_bytes=0/0 flag=0x0

 

 

So know you just need the UUID for firewallpolicy #5 and parse your logs.

 

echo -e " config vdom\n edit root\n show firewall policy 8 | grep uuid \n" | ssh 1.1.1.1 | grep set  | cut -d "#" -f 2

 

Outside of that, no easy way. The above suggestion would require you have

 

1: traffic log

2: probably logging off disk/memory

3: Spunk , sawmill ,  ELKstack or loggly would be   great for this btw

4: have access to the uuid  information

 

Once you have the uuid , it's straight forward to write queries for  date/time-ranges.

 

BTW, this is how we audit  fw Ole'school and manually. This helps determining if policies are used or when last-used and track any changes for policies that where working & now that has stopped.

 

 

 

 

Ken

 

 

 

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
penguruh
New Contributor

thx for your Tips

ede_pfau
Esteemed Contributor III

FYI

running v5.4.5, you'll get your timestamps:

gate # diag firewall iprope show 100004 23
idx=23 pkts/bytes=151795/26928951 asic_pkts/asic_bytes=74137/9845236flag=0x0 hit count:1476
    first:2017-07-25 09:43:51 last:2017-07-25 15:14:53


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
emnoc
Esteemed Contributor III

That's good to know. The v5.2.11 and v5.4.0 does not btw. I didn't check my v5.6 until just know .

 

If you logging-target  is remote, it still best to  recover this from the  log-source ( disk or  FAZ or Syslogd )   due to 1> reboots 2> upgrades 3> etc......

 

Also if some one  diag firewall iprope clear, you will probably loose all correct diag information imho.

 

FWIW: We are going todo do a POC sometime later using SplunkApp and  fortigate logs to determine counts and timesstamps, I hope to post a success story ;)

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Labels
Top Kudoed Authors