Here is a neat little trick that comes in handy in a number of situations. Let's assume that you inherit a Fortigate firewall with hundreds of policies defined. The previous administrator did not provide you with any information on what the rules do. You are left to figure out if all the rules are still required.
If you are running FortiOS 3.0 MR5 Patch 3 or later, an easy way to see whether your firewall policies are still being used is to modify the "Column Settings" under Firewall -> Policy. Select "Count" and click the right arrow to move it from "Available fields" to "Show these fields in this order".
Your policy list now shows a "Count" column, which indicates the number of times the policy has been invoked and the number of bytes transferred. Bear in mind that these counters are not persistent: they start again from zero after a reboot, and a policy that is disabled and re-enabled has its count reset as well. A "0/0" rule on a firewall that came up yesterday therefore tells you very little, so check the uptime before reading anything into a zero count. Once the counters have accumulated over a representative period, start your investigation with any rules that show "0/0" (i.e. no hits since the counters were last reset) and continue by working through the rules with a low hit/byte count. Disable a candidate rule rather than deleting it outright, so that it can be restored quickly if something stops working.
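The triage described above, written out as a small script. This is an added example, not code from the original post or from Fortinet: it assumes you have copied the ID, Name and Count columns from Firewall -> Policy into a simple CSV (the column layout here is my own, not a Fortigate export format) and that you supply the firewall's uptime yourself. It buckets policies into unused, low-use and active, and treats zero counters as inconclusive when the firewall has not been up long enough for the counters to mean anything.

```python
"""Rank Fortigate policies for review by their hit counters.

Added example, not from the original post.  The CSV layout (id, name,
packets, bytes) is an assumption: build it by hand from the ID, Name and
Count columns of Firewall -> Policy.  The uptime is passed in by the
caller, because the counters restart from zero at every reboot.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample export for the demonstration; the policies and
# counter values are made up.
SAMPLE_EXPORT = """id,name,packets,bytes
1,lan-to-wan,9812345,7340032000
2,dmz-web-in,4021,3145728
3,old-vpn-partner,0,0
4,mgmt-ssh,12,4096
5,printer-out,0,0
"""


@dataclass
class PolicyUsage:
    policy_id: int
    name: str
    packets: int
    bytes_: int


def parse_export(text):
    """Parse the hand-built CSV into PolicyUsage records."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append(PolicyUsage(int(rec["id"]), rec["name"],
                                int(rec["packets"]), int(rec["bytes"])))
    return rows


def triage(policies, uptime_hours, min_observation_hours=7 * 24, low_packets=100):
    """Bucket policies into 'inconclusive', 'unused', 'low' and 'active'.

    Counters are cleared at reboot and when a policy is toggled, so 0/0
    only means "no hits since the last reset".  If the firewall has been
    up for less than min_observation_hours (assumed: one week), zero
    counters are reported as inconclusive instead of unused.
    """
    buckets = {"inconclusive": [], "unused": [], "low": [], "active": []}
    for p in policies:
        if p.packets == 0 and p.bytes_ == 0:
            key = "unused" if uptime_hours >= min_observation_hours else "inconclusive"
        elif p.packets < low_packets:
            key = "low"
        else:
            key = "active"
        buckets[key].append(p)
    # Within each bucket, review the least-used policies first.
    for key in buckets:
        buckets[key].sort(key=lambda p: (p.packets, p.bytes_))
    return buckets


def review_order(policies, uptime_hours, **kw):
    """Policy IDs in the order the post suggests: 0/0 first, then low hit counts."""
    b = triage(policies, uptime_hours, **kw)
    return [p.policy_id for p in b["unused"] + b["low"]]


if __name__ == "__main__":
    pols = parse_export(SAMPLE_EXPORT)
    for bucket, items in triage(pols, uptime_hours=30 * 24).items():
        print(bucket, [(p.policy_id, p.name, p.packets, p.bytes_) for p in items])
    print("review order:", review_order(pols, uptime_hours=30 * 24))
```

With the constructed data and a 30-day uptime the script puts policies 3 and 5 in the unused bucket and policy 4 in the low bucket; with two hours of uptime the same zero-count policies are reported as inconclusive, which is the check the reboot caveat calls for.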
Nice trick dude, really useful. I've been looking for a feature like that for a long time in order to do some "tuning" to my Fortigates.
All counters are probably 0/0 after each reboot.
What is the command line to show this?
Aside from rebooting, is it possible to clear a particular policy count, or perhaps all of them?
A quick and dirty way is to disable a policy and re-enable it in the GUI. That'll reset the count.
To wipe them all out:
diag firewall iprope clear 100004