Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mec313
New Contributor II

Finding firewall policy by Policy ID

I often see policy references pointing to the Policy ID, which is fine; however, I can't find a user-friendly way to locate whatever policy is being referred to.

 

The biggest culprit I've run into is the system log. If I'm trying to monitor policy changes, it lets me know the policy ID of the rule that was changed. Policy ID 254 means nothing to me, and depending on what was changed, the context of the message may not shed any additional light on what rule it is.

 

Preferably, I would love to be able to pull the policy name into my reports instead of the ID, but I imagine looking up a policy ID might be easier/possible. Any assistance or direction would be appreciated.

 

Thanks,

ME

18 REPLIES
emnoc
Esteemed Contributor III

Could be a bug. What I would do:

1: execute logging to memory first

Set a log display and filter to read a policyid or two from memory.

e.g.

2:

execute log filter category 0
execute log filter field policyid <insert a known policy with logging enabled that carries traffic>
execute log display

3:

Now switch to FAZ:

execute log filter device 2
execute log display

Double check each logging device (note: not sure what number mem/faz/disk is on your device, so double check):

execute log filter device ??

If you see the uuid in the memory log, it should be present in the log traffic to the FAZ. Sorry, I have nothing on 5.6 logging to FAZ.

 

 

Ken

 

 

PCNSE 

NSE 

StrongSwan  

mec313
New Contributor II

I ended up finding a workable solution to my original post. I am detailing it here so that hopefully it can help someone else down the road if they run into the same issue. 

 

While making some adjustments to a policy today, I noticed that the Policy ID is used as part of the URL. I adjusted my FortiAnalyzer dataset to use the Policy ID and create a link to the policy. So while there still isn't any detail about the altered policy in the report itself, I do at least have a way to quickly jump to the policy in question. Below is my dataset.

 

select to_timestamp(itime) as time, `user` as user, ui, action,
       'https://<Firewall Address>/ng/firewall/policy/policy/standard/edit/' || cfgobj as link,
       cfgattr
from $log
where $filter
  and subtype = 'system'
  and logid in ('0100032132','0100032172','0100032173','0100032174','0100032222','0100032252','0100032545','0100044544','0100044545','0100044546','0100044547')
  and cfgpath like 'firewall.policy'
order by time

 

Replace <Firewall Address> with your firewall link. I have this dataset limited to certain logids as well as limited to just the firewall.policy type. You may want to adjust as needed. Hopefully this will spare someone else some frustration down the road.

 

Thanks to everyone who replied.

gt
New Contributor

The best way I've found is connecting via SSH and running the command "show firewall policy #", where you replace # with the number of the policy. There are also a few ways in the GUI depending on what screen you're finding the information on, but it differs a bit between the pages.

enotspe
New Contributor

On FortiOS - Log Reference Version 6.2.0, 

 

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/be3d0e3d-4b62-11e9-94bf-005056...

 

There is a field named:

policyname

 

but I am not getting this field in my syslog logs. Has anybody been able to see this field?

Manuel Montes de Oca
emnoc
Esteemed Contributor III

Each log event has a uuid #; if you want to find the policy, the id can be tracked by that, and the policyID is in the logDate field for policyid. You can also query the logs and set CLI filters to find the log details.

 

e.g

   http://socpuppet.blogspot.com/2016/08/using-execute-log-filters-to-monitor.html

 

Those same filters are pretty much the same in the FAZ, and you can construct a similar search and use wildcards in a lot of cases.

 

e.g

 

 srcip=10.20.0.* and dstip=8.8.*

 

YMMV it depends solely on how creative you are ;)

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

enotspe
New Contributor

I am running 6.2.1 on a FGT100E. I do have logs for category=0; I don't have the policyname field on those logs, but I do get this field when I run "execute log filter field".

 

This looks very weird to me! My guess is that policyname is not related to firewall policy name. If so, when does this field get populated?

 

 

Connected
Alianza_Lima # execute log filter category 0
Alianza_Lima # execute log filter field policyid 5
Alianza_Lima # execute log display
2947 logs found.
10 logs returned.
3.4% of logs has been searched.

1: date=2019-08-30 time=13:41:53 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1567190513658497081 tz="-0500" srcip=192.168.2.41 srcname="RENZOGAYOSO" srcport=53155 srcintf="port1" srcintfrole="lan" dstip=209.73.179.253 dstport=443 dstintf="wan2" dstintfrole="wan" poluuid="225466f0-1b46-51e8-ae6c-c13e17014cd2" sessionid=516699 proto=6 action="close" policyid=5 policytype="policy" service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=190.116.76.4 transport=53155 appid=15839 app="Yahoo.Mail" appcat="Email" apprisk="medium" applist="AC_General" duration=7 sentbyte=3325 rcvdbyte=9175 sentpkt=16 rcvdpkt=19 vwlid=1 vwlquality="Seq_num(1), alive, bibandwidth: 198Mbps, selected" wanin=8403 wanout=2485 lanin=2485 lanout=2485 utmaction="allow" countweb=1 countapp=2 osname="Windows" srcswversion="10 / 2016" mastersrcmac="00:22:4d:ae:40:28" srcmac="00:22:4d:ae:40:28" srcserver=0 utmref=65508-39426

2: date=2019-08-30 time=13:41:47 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1567190507748497346 tz="-0500" srcip=192.168.2.69 srcname="JUANCARLOS" srcport=30119 srcintf="port1" srcintfrole="lan" dstip=192.16.48.200 dstport=80 dstintf="wan2" dstintfrole="wan" poluuid="225466f0-1b46-51e8-ae6c-c13e17014cd2" sessionid=516086 proto=6 action="close" policyid=5 policytype="policy" service="HTTP" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=190.116.76.4 transport=30119 appid=41474 app="Root.Certificate.URL" appcat="Update" apprisk="low" applist="AC_General" duration=61 sentbyte=542 rcvdbyte=447 sentpkt=6 rcvdpkt=4 vwlid=1 vwlquality="Seq_num(1), alive, bibandwidth: 198Mbps, selected" wanin=275 wanout=282 lanin=282 lanout=282 utmaction="allow" countweb=1 countapp=1 osname="Windows" srcswversion="10" mastersrcmac="18:31:bf:b1:04:30" srcmac="18:31:bf:b1:04:30" srcserver=0 utmref=65508-39400

3: date=2019-08-30 time=13:41:47 logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1567190507430704729 tz="-0500" srcip=192.168.2.71 srcname="UTM_AL.alianzalima.local" srcport=57783 srcintf="port1" srcintfrole="lan" dstip=52.139.250.253 dstport=443 dstintf="wan2" dstintfrole="wan" poluuid="225466f0-1b46-51e8-ae6c-c13e17014cd2" sessionid=446525 proto=6 action="accept" policyid=5 policytype="policy" service="HTTPS" dstcountry="Singapore" srccountry="Reserved" trandisp="snat" transip=190.116.76.4 transport=57783 appid=41469 app="Microsoft.Portal" appcat="Collaboration" apprisk="elevated" applist="AC_General" duration=9610 sentbyte=3630 rcvdbyte=6223 sentpkt=24 rcvdpkt=27 vwlid=1 vwlquality="Seq_num(1), alive, bibandwidth: 198Mbps, selected" sentdelta=153 rcvddelta=205 osname="Windows" srcswversion="10 / 2016" mastersrcmac="00:22:4d:ab:d7:28" srcmac="00:22:4d:ab:d7:28" srcserver=0

4: date=2019-08-30 time=13:41:43 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1567190503578490542 tz="-0500" srcip=192.168.2.15 srcname="SERVER" srcport=57253 srcintf="port1" srcintfrole="lan" dstip=200.62.191.11 dstport=53 dstintf="wan2" dstintfrole="wan" poluuid="225466f0-1b46-51e8-ae6c-c13e17014cd2" sessionid=515105 proto=17 action="accept" policyid=5 policytype="policy" service="DNS" dstcountry="Peru" srccountry="Reserved" trandisp="snat" transip=190.116.76.4 transport=57253 appid=16195 app="DNS" appcat="Network.Service" apprisk="elevated" applist="AC_General" duration=180 sentbyte=71 rcvdbyte=152 sentpkt=1 rcvdpkt=1 vwlid=1 vwlquality="Seq_num(1), alive, bibandwidth: 198Mbps, selected" srchwvendor="HP" osname="Windows" srcswversion="8.1" mastersrcmac="70:10:6f:b9:e6:16" srcmac="70:10:6f:b9:e6:16" srcserver=0

5: date=2019-08-30 time=13:41:39 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1567190499718483987 tz="-0500" srcip=192.168.2.15 srcname="SERVER" srcport=56463 srcintf="port1" srcintfrole="lan" dstip=200.62.191.11 dstport=53 dstintf="wan2" dstintfrole="wan" poluuid="225466f0-1b46-51e8-ae6c-c13e17014cd2" sessionid=515077 proto=17 action="accept" policyid=5 policytype="policy" service="DNS" dstcountry="Peru" srccountry="Reserved" trandisp="snat" transip=190.116.76.4 transport=56463 appid=16195 app="DNS" appcat="Network.Service" apprisk="elevated" applist="AC_General" duration=180 sentbyte=85 rcvdbyte=192 sentpkt=1 rcvdpkt=1 vwlid=1 vwlquality="Seq_num(1), alive, bibandwidth: 198Mbps, selected" srchwvendor="HP" osname="Windows" srcswversion="8.1" mastersrcmac="70:10:6f:b9:e6:16" srcmac="70:10:6f:b9:e6:16" srcserver=0

6: date=2019-08-30 time=13:41:38 logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1567190498563207028 tz="-0500" srcip=192.168.2.41 srcname="RENZOGAYOSO" srcport=53071 srcintf="port1" srcintfrole="lan" dstip=157.240.197.17 dstport=443 dstintf="wan2" dstintfrole="wan" poluuid="225466f0-1b46-51e8-ae6c-c13e17014cd2" sessionid=510020 proto=6 action="accept" policyid=5 policytype="policy" service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=190.116.76.4 transport=53071 appid=15832 app="Facebook" appcat="Social.Media" apprisk="medium" applist="AC_General" duration=897 sentbyte=9789 rcvdbyte=9862 sentpkt=62 rcvdpkt=79 vwlid=1 vwlquality="Seq_num(1), alive, bibandwidth: 198Mbps, selected" sentdelta=1308 rcvddelta=1017 osname="Windows" srcswversion="10 / 2016" mastersrcmac="00:22:4d:ae:40:28" srcmac="00:22:4d:ae:40:28" srcserver=0

7: date=2019-08-30 time=13:41:34 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1567190494848479959 tz="-0500" srcip=192.168.2.207 srcname="HUAWEI_Mate_10_lite-9d30a" srcport=36870 srcintf="port1" srcintfrole="lan" dstip=172.217.8.110 dstport=443 dstintf="wan2" dstintfrole="wan" poluuid="225466f0-1b46-51e8-ae6c-c13e17014cd2" sessionid=516483 proto=6 action="close" policyid=5 policytype="policy" service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=190.116.76.4 transport=36870 appid=31077 app="YouTube" appcat="Video/Audio" apprisk="elevated" applist="AC_General" duration=11 sentbyte=1057 rcvdbyte=4158 sentpkt=9 rcvdpkt=7 vwlid=1 vwlquality="Seq_num(1), alive, bibandwidth: 198Mbps, selected" wanin=3786 wanout=581 lanin=581 lanout=581 utmaction="allow" countweb=1 countapp=2 srchwvendor="Huawei" devtype="Phone" srcfamily="Mate" osname="Android" srcswversion="8.0.0" mastersrcmac="e4:0e:ee:94:65:91" srcmac="e4:0e:ee:94:65:91" srcserver=0 utmref=65508-39324

8: date=2019-08-30 time=13:41:30 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1567190490128452572 tz="-0500" srcip=192.168.2.15 srcname="SERVER" srcport=56105 srcintf="port1" srcintfrole="lan" dstip=200.62.191.11 dstport=53 dstintf="wan2" dstintfrole="wan" poluuid="225466f0-1b46-51e8-ae6c-c13e17014cd2" sessionid=515015 proto=17 action="accept" policyid=5 policytype="policy" service="DNS" dstcountry="Peru" srccountry="Reserved" trandisp="snat" transip=190.116.76.4 transport=56105 appid=16195 app="DNS" appcat="Network.Service" apprisk="elevated" applist="AC_General" duration=180 sentbyte=78 rcvdbyte=94 sentpkt=1 rcvdpkt=1 vwlid=1 vwlquality="Seq_num(1), alive, bibandwidth: 198Mbps, selected" srchwvendor="HP" osname="Windows" srcswversion="8.1" mastersrcmac="70:10:6f:b9:e6:16" srcmac="70:10:6f:b9:e6:16" srcserver=0

9: date=2019-08-30 time=13:41:28 logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1567190489152136981 tz="-0500" srcip=192.168.2.15 srcname="SERVER" srcport=51612 srcintf="port1" srcintfrole="lan" dstip=38.90.226.52 dstport=8883 dstintf="wan2" dstintfrole="wan" poluuid="225466f0-1b46-51e8-ae6c-c13e17014cd2" sessionid=3836 proto=6 action="accept" policyid=5 policytype="policy" service="tcp/8883" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=190.116.76.4 transport=51612 appid=41540 app="SSL_TLSv1.2" appcat="Network.Service" apprisk="medium" applist="AC_General" duration=70743 sentbyte=49316 rcvdbyte=40163 sentpkt=590 rcvdpkt=299 vwlid=1 vwlquality="Seq_num(1), alive, bibandwidth: 198Mbps, selected" sentdelta=165 rcvddelta=125 srchwvendor="HP" osname="Windows" srcswversion="8.1" mastersrcmac="70:10:6f:b9:e6:16" srcmac="70:10:6f:b9:e6:16" srcserver=0

10: date=2019-08-30 time=13:41:27 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1567190487718480099 tz="-0500" srcip=192.168.2.113 srcport=40802 srcintf="port1" srcintfrole="lan" dstip=192.168.0.60 dstport=49152 dstintf="wan2" dstintfrole="wan" poluuid="225466f0-1b46-51e8-ae6c-c13e17014cd2" sessionid=516396 proto=6 action="timeout" policyid=5 policytype="policy" service="tcp/49152" dstcountry="Reserved" srccountry="Reserved" trandisp="snat" transip=190.116.76.4 transport=40802 appcat="unknown" applist="AC_General" duration=13 sentbyte=120 rcvdbyte=0 sentpkt=2 rcvdpkt=0 vwlid=1 vwlquality="Seq_num(1), alive, bibandwidth: 197Mbps, selected" mastersrcmac="00:03:22:28:69:fa" srcmac="00:03:22:28:69:fa" srcserver=0

Alianza_Lima #
Alianza_Lima #
Alianza_Lima # execute log filter field
Available fields:
timestamp action agent ap app appact appcat appid applist apprisk apsn authserver centralnatid channel collectedemail comment countapp countav countcifs countdlp countdns countemail countff countips countssh countssl countwaf countweb craction crlevel crscore date devcategory devid devtype devtype dstcollectedemail dstcountry dstdevcategory dstdevtype dstdevtype dstfamily dsthwvendor dsthwversion dstinetsvc dstintf dstintfrole dstip dstmac dstname dstosname dstosversion dstport dstserver dstssid dstswversion dstunauthuser dstunauthusersource dstuuid duration eventtime fctuid group identifier lanin lanout level logid masterdstmac mastersrcmac msg osname osversion policyid policyname policytype poluuid proto radioband rcvdbyte rcvddelta rcvdpkt securityact securityid sentbyte sentdelta sentpkt service sessionid shaperdroprcvdbyte shaperdropsentbyte shaperperipdropbyte shaperperipname shaperrcvdname shapersentname shapingpolicyid srccountry srcfamily srchwvendor srchwversion srcinetsvc srcintf srcintfrole srcip srcmac srcname srcport srcserver srcssid srcswversion srcuuid sslaction subtype time trandisp tranip tranport transip transport type tz unauthuser unauthusersource url user utmaction vd vpn vpntype vrf vwlid vwlquality vwlservice vwpvlanid wanin wanoptapptype wanout
Alianza_Lima #

Manuel Montes de Oca
emnoc
Esteemed Contributor III

If so, when does this field get populated?

 

If you have a FAZ it would be in that device for sure if you enable it. I believe you have an option to enable policyname in the logging details, depending on the FortiOS.

 

* from my memory so forgive me if the syntax is off

 

config log setting
    set log-policy-comment enable
    set log-policy-name enable
end

 

PCNSE 

NSE 

StrongSwan  
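The thread shows three places a policy's identity surfaces: the policyid/poluuid (and, once log-policy-name is enabled, policyname) fields in the traffic records above, the "show firewall policy" CLI output, and the cfgobj field of the system log that the FortiAnalyzer dataset earlier in the thread turns into a GUI link. The following Python is an added example, not code from any poster or from Fortinet: it parses the FortiOS key=value record format and the CLI output, merges the two into a policyid-to-name map, and annotates policy change events with the name and the same edit link. The sample log lines, policy names, UUIDs and the hostname fw.example.net are constructed for the example; the regexes assume the record layout shown in this thread.

```python
"""Resolve FortiOS policy IDs to policy names (added example, not from the thread).

Parses the key=value records shown in the 'execute log display' output above and
'show firewall policy' CLI output, then annotates firewall.policy config-change
events with a name and the GUI edit link the FortiAnalyzer dataset in this thread
builds. All sample records are constructed; field names follow the log reference.
"""
import re
from typing import Dict, List, Optional

Policy = Dict[str, Optional[str]]
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # quoted values may hold spaces, commas, '='
EDIT_RE = re.compile(r'^\s*edit\s+(\d+)\s*$')
SET_RE = re.compile(r'^\s*set\s+(name|uuid)\s+"?([^"]*?)"?\s*$')

def parse_record(line: str) -> Dict[str, str]:
    """One FortiOS log record -> dict, surrounding quotes stripped."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}

def policy_index_from_traffic(lines: List[str]) -> Dict[str, Policy]:
    """policyid -> poluuid/policyname from traffic logs. policyname is only emitted
    with 'set log-policy-name enable', so it stays None for records logged without it."""
    index: Dict[str, Policy] = {}
    for rec in map(parse_record, lines):
        if "policyid" in rec:
            entry = index.setdefault(rec["policyid"], {"poluuid": None, "policyname": None})
            for field in ("poluuid", "policyname"):
                if rec.get(field):
                    entry[field] = rec[field]
    return index

def parse_show_firewall_policy(text: str) -> Dict[str, Policy]:
    """policy ID -> name/uuid from 'show firewall policy' (edit N ... next blocks)."""
    policies: Dict[str, Policy] = {}
    current = None
    for line in text.splitlines():
        if m := EDIT_RE.match(line):
            current = m.group(1)
            policies[current] = {"name": None, "uuid": None}
        elif line.strip() == "next":
            current = None
        elif current is not None and (m := SET_RE.match(line)):
            policies[current][m.group(1)] = m.group(2)
    return policies

def policy_names(cli: Dict[str, Policy], traffic: Dict[str, Policy]) -> Dict[str, str]:
    """Merge sources: the CLI config is authoritative, traffic logs fill the gaps."""
    names = {pid: p["name"] for pid, p in cli.items() if p["name"]}
    for pid, entry in traffic.items():
        if entry["policyname"] and pid not in names:
            names[pid] = entry["policyname"]
    return names

def resolve_policy_changes(system_lines: List[str], names: Dict[str, str],
                           firewall_host: str) -> List[Policy]:
    """Annotate cfgpath=firewall.policy events; firewall_host is an assumed hostname."""
    rows: List[Policy] = []
    for rec in map(parse_record, system_lines):
        if rec.get("subtype") != "system" or rec.get("cfgpath") != "firewall.policy":
            continue
        pid = rec.get("cfgobj")
        rows.append({"time": f'{rec.get("date")} {rec.get("time")}', "user": rec.get("user"),
                     "ui": rec.get("ui"), "action": rec.get("action"), "policyid": pid,
                     "policyname": names.get(pid),  # None if the ID was never seen anywhere
                     "link": f"https://{firewall_host}/ng/firewall/policy/policy/standard/edit/{pid}",
                     "cfgattr": rec.get("cfgattr")})
    return rows

# --- constructed sample data (shape follows the records in this thread) ---------------
TRAFFIC_LOGS = [
    'date=2019-08-30 time=13:41:53 logid="0000000013" type="traffic" subtype="forward" srcip=192.168.2.41 '
    'dstip=209.73.179.253 dstport=443 poluuid="225466f0-1b46-51e8-ae6c-c13e17014cd2" policyid=5 '
    'policyname="LAN-to-WAN" action="close" vwlquality="Seq_num(1), alive, bibandwidth: 198Mbps, selected"',
    # same policy logged before log-policy-name was enabled: no policyname field
    'date=2019-08-30 time=13:40:02 logid="0000000013" type="traffic" subtype="forward" srcip=192.168.2.15 '
    'dstip=200.62.191.11 dstport=53 poluuid="225466f0-1b46-51e8-ae6c-c13e17014cd2" policyid=5 action="accept"',
    # policy known only from traffic logs (absent from the CLI dump below)
    'date=2019-08-30 time=13:39:10 logid="0000000013" type="traffic" subtype="forward" srcip=10.10.9.3 '
    'dstip=10.20.0.8 dstport=443 poluuid="5e0a6c1c-0d3a-51ea-9a6b-000000000009" policyid=9 '
    'policyname="Guest-WiFi" action="accept"',
]
SHOW_FIREWALL_POLICY = """\
config firewall policy
    edit 5
        set name "LAN-to-WAN"
        set uuid 225466f0-1b46-51e8-ae6c-c13e17014cd2
        set srcintf "port1"
    next
    edit 7
        set name "Mgmt-SSH-Deny"
        set uuid 5e0a6c1c-0d3a-51ea-9a6b-000000000007
    next
end
"""
SYSTEM_LOGS = [
    'date=2019-08-30 time=14:02:11 logid="0100044547" type="event" subtype="system" user="admin" '
    'ui="GUI(192.0.2.10)" action="Edit" cfgpath="firewall.policy" cfgobj="5" cfgattr="action[accept->deny]"',
    # not a policy change: must be filtered out
    'date=2019-08-30 time=14:03:40 logid="0100044547" type="event" subtype="system" user="admin" '
    'ui="ssh(192.0.2.10)" action="Edit" cfgpath="system.interface" cfgobj="port1" cfgattr="alias[->LAN]"',
    # policy ID present in neither source: name stays None, the link still resolves
    'date=2019-08-30 time=14:05:55 logid="0100044547" type="event" subtype="system" user="admin" '
    'ui="GUI(192.0.2.10)" action="Edit" cfgpath="firewall.policy" cfgobj="254" cfgattr="srcaddr[all->LAN_net]"',
]

if __name__ == "__main__":
    names = policy_names(parse_show_firewall_policy(SHOW_FIREWALL_POLICY), policy_index_from_traffic(TRAFFIC_LOGS))
    for row in resolve_policy_changes(SYSTEM_LOGS, names, "fw.example.net"):
        print(row["time"], row["user"], row["action"], row["policyid"], row["policyname"] or "unknown", row["link"])
```

Feed it real records by replacing the constructed lists with lines read from syslog and the output of "show firewall policy" captured over SSH. The merge order matters: a policy renamed after the traffic logs were written would carry the old name in policyname, so the CLI dump wins and traffic logs only fill IDs the dump lacks, while an ID that appears in neither (a policy deleted since, for instance) is kept with name None rather than dropped from the report.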

enotspe
New Contributor

Great! Now I see it! Thanks a lot!

Manuel Montes de Oca
Andreas77_FTNT

Hi ME,

 

If you go to Policy and Objects > IPv4 Policy, you should be able to right-click on the top horizontal bar and select the desired column to display.

See attached screenshot