Thursday, October 16, 2008

Firewall Cleanup - Unused Policies

Here is a neat little trick that comes in handy in a number of situations. Let's assume that you inherit a Fortigate firewall with hundreds of policies defined. The previous administrator did not provide you with any information on what the rules do. You are left to figure out if all the rules are still required.
If you are running FortiOS 3.0 MR5 Patch 3 and later an easy way to see if your firewall policies are still being used is to modify the "Column Settings" under Firewall -> Policy. Select "Count" and click the right arrow to move it from "Available fields" to "Show these fields in this order".


Now your policies will show the "Count" column with indicates the number of times the policy has been invoked and the number of bytes transferred. Start your investigation with any rules that are "0/0" (i.e. not in active use) and continue by working on rules that have a low hit/byte count.

6 comments:

Alfredo said...

Nice trick dude, really useful. I've been looking for a feature like that for a long time in order to do some "tunning" to my Fortigates.

guzik said...

All counters are probably 0/0 after each reboot.

Anonymous said...

What is the command line to show this?

Joshua L said...

Aside from rebooting, is it possible to clear a particular policy count, or perhaps all of them?

Sebastian said...

A quick and dirty way is to disable a policy and re-enable it in the GUI. That'll reset the count.

npeep said...

To wipe them all out:
diag firewall iprope clear 100004