"Last Used" from CLI?

Author
penguruh
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2012/05/23 09:30:03
  • Status: offline
2017/07/24 07:40:50 (permalink)
0

"Last Used" from CLI?

Hi,
 
Is it possible to get the "last used" counter from the CLI? I want to do that automatically by scripting ...
 

Best Regards,
 
 


#1

5 Replies

    jhouvenaghel_FTNT
    New Member
    • Total Posts : 15
    • Scores: 4
    • Reward points: 0
    • Joined: 2007/11/30 00:26:42
    • Status: offline
    Re: "Last Used" from CLI? 2017/07/24 07:55:41 (permalink)
    0
    Hello,
     
    I am not aware of a way to get it from the CLI, but you can use SNMP polling to get the info. It may help.
     
    Regards
    Jocelyn
    #2
    emnoc
    Expert Member
    • Total Posts : 4137
    • Scores: 231
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Status: offline
    Re: "Last Used" from CLI? 2017/07/24 09:31:44 (permalink)
    0
    I would say diagnose firewall iprope show 100004 <policyid> will tell you if the policy was hit, but the last_used date/time is not included. Maybe support has an alternative for diagnose firewall iprope.
     
    As far as last use goes, you should write a log parser and use the UUIDs of the firewall policies in your parse jobs.
     
    So, for example, the order would be:
     
    Run a list of the policy IDs from the get or show of a firewall. This would be your seed file that you base the foundations off of. Since each policyid is unique, outside of adds/changes you only need to update the seed list before running the parse job.
     
    ( building a seed from  vd=root )
     
    echo -e "config vdom\n \n edit root\n show firewall policy | grep edit\n " | ssh 1.1.1.1 | awk '{print$2}'
     
    1.1.1.1 would be your  firewall address
     
    Then build a "diagnose firewall iprope show 100004" loop based on the policy IDs in the seed, and weed out anything that has 0/0 for bytes.
     
    e.g
     
    FWWALL (root) # diagnose firewall iprope show  100004  1 2 8 9 11
    idx=1 pkts/bytes=0/0 asic_pkts/asic_bytes=0/0 flag=0x0
    idx=2 pkts/bytes=0/0 asic_pkts/asic_bytes=0/0 flag=0x0
    idx=8 pkts/bytes=0/0 asic_pkts/asic_bytes=0/0 flag=0x0
    idx=9 pkts/bytes=8120/5371085 asic_pkts/asic_bytes=0/0 flag=0x0
    idx=11 pkts/bytes=1899920/2389353456 asic_pkts/asic_bytes=0/0 flag=0x0
     
     
    and
    FWWALL (root) # diagnose firewall iprope show  100004  1 2 8 9 11 | grep -v "pkts/bytes=0/0"
    idx=9 pkts/bytes=8120/5371085 asic_pkts/asic_bytes=0/0 flag=0x0
    idx=11 pkts/bytes=1899920/2389353456 asic_pkts/asic_bytes=0/0 flag=0x0
     
     
    So now you just need the UUID for firewall policy #5 and parse your logs.
     
    echo -e "config vdom\nedit root\nshow firewall policy 8 | grep uuid\n" | ssh 1.1.1.1 | awk '/set uuid/ {print $3}'
     
    Outside of that, there is no easy way. The above suggestion would require that you have:
     
    1: traffic log
    2: probably logging off disk/memory
    3: Splunk, Sawmill, ELK stack or Loggly would be great for this btw
    4: access to the uuid information
     
    Once you have the uuid , it's straight forward to write queries for  date/time-ranges.
     
    BTW, this is how we audit FWs old school and manually. This helps determine if policies are used or when they were last used, and track any changes for policies that were working and have now stopped.
     
    Ken
     

    PCNSE6,PCNSE7, ACE, CCNP,FCNSP,FCESP,Linux+,CEH,ECSA,SCSA,SCNA,CISCA
    #3
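The pipeline described in the post above, run end to end as an added example (this is not emnoc's code or anything from the thread). Each step is a shell function that reads the CLI or log output on stdin, so the constructed SAMPLE_* strings can be swapped for the real "echo ... | ssh <firewall>" pipelines. Two things are assumptions: the traffic-log field names (date, time, policyid, poluuid) are the FortiGate key=value names as I know them and should be checked against your own logs, and policy 8 in the sample has been given NP-offloaded traffic to show why the filter checks the asic counters as well as the CPU ones (the grep -v "pkts/bytes=0/0" filter in the post would drop a policy whose hits are only on the ASIC counter).

```shell
#!/bin/sh
# Added example (not from the thread): emnoc's audit pipeline run offline.
# Each function reads the CLI/log output on stdin, so the SAMPLE_* strings
# below can be swapped for the real "echo ... | ssh <fw>" pipelines.

# Constructed sample of "show firewall policy | grep edit" (the seed list).
SAMPLE_SHOW='    edit 1
    edit 2
    edit 8
    edit 9
    edit 11'

# Constructed sample of "diagnose firewall iprope show 100004 1 2 8 9 11".
# Policy 8 is given NP-offloaded traffic (asic counters only) on purpose.
SAMPLE_IPROPE='idx=1 pkts/bytes=0/0 asic_pkts/asic_bytes=0/0 flag=0x0
idx=2 pkts/bytes=0/0 asic_pkts/asic_bytes=0/0 flag=0x0
idx=8 pkts/bytes=0/0 asic_pkts/asic_bytes=3310/412008 flag=0x0
idx=9 pkts/bytes=8120/5371085 asic_pkts/asic_bytes=0/0 flag=0x0
idx=11 pkts/bytes=1899920/2389353456 asic_pkts/asic_bytes=0/0 flag=0x0'

# Constructed sample of "show firewall policy" for the policies that had hits.
SAMPLE_POLICY='config firewall policy
    edit 8
        set uuid 1a2b3c4d-7099-51e7-8f00-000000000008
    next
    edit 9
        set uuid 1a2b3c4d-7099-51e7-8f00-000000000009
    next
    edit 11
        set uuid 1a2b3c4d-7099-51e7-8f00-000000000011
    next
end'

# Constructed traffic-log lines in FortiGate key=value form. The field names
# date/time/policyid/poluuid are assumed; check them against your own logs.
SAMPLE_LOG='date=2017-07-20 time=10:02:11 type=traffic subtype=forward policyid=9 poluuid=1a2b3c4d-7099-51e7-8f00-000000000009 action=accept
date=2017-07-25 time=15:14:53 type=traffic subtype=forward policyid=11 poluuid=1a2b3c4d-7099-51e7-8f00-000000000011 action=accept
date=2017-07-22 time=08:30:00 type=traffic subtype=forward policyid=9 poluuid=1a2b3c4d-7099-51e7-8f00-000000000009 action=deny
date=2017-07-24 time=23:59:59 type=traffic subtype=forward policyid=8 poluuid=1a2b3c4d-7099-51e7-8f00-000000000008 action=accept'

# seed_ids: "show firewall policy" output on stdin -> one policy ID per line
seed_ids() {
  awk '$1 == "edit" { print $2 }'
}

# hit_ids: iprope output on stdin -> IDs whose CPU *or* ASIC packet counter is non-zero
hit_ids() {
  awk '/^idx=/ {
    split($2, c, "[=/]")   # c[3] = pkts,      c[4] = bytes
    split($3, n, "[=/]")   # n[3] = asic_pkts, n[4] = asic_bytes
    if (c[3] + 0 > 0 || n[3] + 0 > 0) { sub(/^idx=/, "", $1); print $1 }
  }'
}

# uuid_of <id>: "show firewall policy" output on stdin -> that policy's uuid
uuid_of() {
  awk -v id="$1" '
    $1 == "edit" { cur = $2 }
    $1 == "set" && $2 == "uuid" && cur == id { print $3 }'
}

# last_used <uuid>: traffic log on stdin -> latest "YYYY-MM-DD HH:MM:SS" seen
# for that poluuid (empty if the uuid never appears). ISO timestamps sort
# lexically, so a plain string compare is enough.
last_used() {
  awk -v u="$1" '
    {
      d = ""; t = ""; hit = 0
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (eq == 0) continue
        k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
        if (k == "date") d = v
        else if (k == "time") t = v
        else if (k == "poluuid" && v == u) hit = 1
      }
      ts = d " " t
      if (hit && ts > best) best = ts
    }
    END { print best }'
}

# audit: join the steps -> "id,uuid,last_used" for every policy that had hits
audit() {
  printf '%s\n' "$SAMPLE_IPROPE" | hit_ids | while read -r id; do
    u=$(printf '%s\n' "$SAMPLE_POLICY" | uuid_of "$id")
    printf '%s,%s,%s\n' "$id" "$u" "$(printf '%s\n' "$SAMPLE_LOG" | last_used "$u")"
  done
}

audit
```

Against the real box, the seed step becomes something like `printf 'config vdom\nedit root\nshow firewall policy\n' | ssh <firewall> | seed_ids`, and last_used is pointed at the exported traffic log (or replaced by the equivalent query in Splunk/ELK) rather than a variable.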
    penguruh
    New Member
    • Total Posts : 8
    • Scores: 0
    • Reward points: 0
    • Joined: 2012/05/23 09:30:03
    • Status: offline
    Re: "Last Used" from CLI? 2017/07/25 03:51:13 (permalink)
    0
    Thanks for your tips.
    #4
    ede_pfau
    Expert Member
    • Total Posts : 5195
    • Scores: 322
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    Re: "Last Used" from CLI? 2017/07/25 06:16:55 (permalink)
    5 (1)
    FYI
    running v5.4.5, you'll get your timestamps:
    gate # diag firewall iprope show 100004 23
    idx=23 pkts/bytes=151795/26928951 asic_pkts/asic_bytes=74137/9845236 flag=0x0 hit count:1476
        first:2017-07-25 09:43:51 last:2017-07-25 15:14:53


    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #5
    emnoc
    Expert Member
    • Total Posts : 4137
    • Scores: 231
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Status: offline
    Re: "Last Used" from CLI? 2017/07/25 07:16:05 (permalink)
    0
    That's good to know. v5.2.11 and v5.4.0 do not, btw. I didn't check my v5.6 until just now.
     
    If your logging target is remote, it is still best to recover this from the log source (disk, FAZ or syslogd) due to 1) reboots, 2) upgrades, 3) etc.
     
    Also, if someone runs diag firewall iprope clear, you will probably lose all correct diag information, imho.
     
    FWIW: we are going to do a POC sometime later using the Splunk app and FortiGate logs to determine counts and timestamps. I hope to post a success story ;)
     

    PCNSE6,PCNSE7, ACE, CCNP,FCNSP,FCESP,Linux+,CEH,ECSA,SCSA,SCNA,CISCA
    #6
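An added example (not from the thread) that parses the v5.4.5-style output ede showed, where each idx line is followed by a first:/last: line, and turns "last:" into an idle-days figure against a date you supply, so a "policies not hit for N days" list can be scripted. Two caveats from the posts above are built in: the verdict is only as old as the counter, which restarts on reboot, upgrade or "diag firewall iprope clear", so a short window between first: and today means nothing can be concluded; and the thread does not show what a never-hit policy prints on that firmware, so the parser is written to tolerate both a missing first:/last: line (reporting n/a) and a present one. The sample output is constructed: policy 23 mirrors ede's line, 24 and 25 are made up.

```shell
#!/bin/sh
# Added example (not from the thread): parse v5.4.5-style iprope output and
# compute idle days from the "last:" timestamp. Policy 23 mirrors ede's
# output; 24 (never hit) and 25 (hit, but long ago) are constructed.
SAMPLE_IPROPE_545='idx=23 pkts/bytes=151795/26928951 asic_pkts/asic_bytes=74137/9845236 flag=0x0 hit count:1476
    first:2017-07-25 09:43:51 last:2017-07-25 15:14:53
idx=24 pkts/bytes=0/0 asic_pkts/asic_bytes=0/0 flag=0x0 hit count:0
idx=25 pkts/bytes=41/6902 asic_pkts/asic_bytes=0/0 flag=0x0 hit count:3
    first:2017-05-02 11:20:07 last:2017-05-03 08:01:55'

# iprope_report <today YYYY-MM-DD> <stale_days>: iprope output on stdin ->
# CSV "id,hits,first,last,idle_days,verdict". Date arithmetic is done in awk
# with a days-from-civil conversion so it runs on plain POSIX awk (no gawk
# mktime, no GNU/BSD "date -d" differences).
iprope_report() {
  awk -v today="$1" -v limit="$2" '
    function days(y, m, d,    era, yoe, doy, doe) {
      if (m <= 2) y--
      era = int((y >= 0 ? y : y - 399) / 400)
      yoe = y - era * 400
      doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
      doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
      return era * 146097 + doe - 719468     # days since 1970-01-01
    }
    function ymd(s,    p) { split(s, p, "-"); return days(p[1] + 0, p[2] + 0, p[3] + 0) }
    function flush(    idle, verdict) {
      if (id == "") return
      if (last == "") {
        # no first:/last: line seen for this policy (assumed for hit count:0)
        idle = "n/a"; verdict = (hits + 0 == 0) ? "unused" : "unknown"
      } else {
        idle = ymd(today) - ymd(substr(last, 1, 10))
        verdict = (idle >= limit) ? "stale" : "active"
      }
      printf "%s,%s,%s,%s,%s,%s\n", id, hits, (first == "" ? "n/a" : first), (last == "" ? "n/a" : last), idle, verdict
      id = ""; first = ""; last = ""
    }
    /^idx=/ {
      flush()
      id = $1; sub(/^idx=/, "", id)
      hits = $NF; sub(/^count:/, "", hits)     # "hit count:1476" -> 1476
    }
    /^ *first:/ {
      first = $1 " " $2; sub(/^first:/, "", first)
      last  = $3 " " $4; sub(/^last:/, "", last)
    }
    END { flush() }'
}

# stale_ids <today> <stale_days>: only the policy IDs worth reviewing
stale_ids() {
  iprope_report "$1" "$2" | awk -F, '$6 == "stale" || $6 == "unused" { print $1 }'
}

printf '%s\n' "$SAMPLE_IPROPE_545" | iprope_report 2017-08-24 60
```

Before acting on a "stale" or "unused" verdict, compare the oldest first: timestamp in the report with the unit's uptime: if the counters were cleared or the box rebooted last week, a policy with hit count:0 has only been unused for a week, which is exactly why the thread still recommends the traffic log as the source of record.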