Unused policies & trying to know which ports are used by a certain policy

Author
SoRealCru
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/05/14 03:08:51
  • Status: offline
2018/05/15 03:18:32 (permalink)
0

Unused policies & trying to know which ports are used by a certain policy

Hello!
Recently we invested in FortiAnalyzer VM and as of right now it's working flawlessly and it has proven its worth already. But we are still trying to figure out how we could use FortiAnalyzer to show us the policies that aren't used or aren't used as much as others. Also we would like to know if there is a way to generate a report or place some filter options that could show us which ports/services are used by a certain policy? Let's say for example Lan to Wan.
Thanks in advance!
Len. B
post edited by SoRealCru - 2018/05/15 03:53:43
#1
chall_FTNT
skyhigh
  • Total Posts : 221
  • Scores: 19
  • Reward points: 0
  • Joined: 2003/11/28 16:19:30
  • Status: offline
Re: Unused policies & trying to know which ports are used by a certain policy 2018/05/15 11:13:04 (permalink) ☄ Helpful by SoRealCru 2018/05/15 11:16:47
0
You can view policy hit count in FortiManager (if enabled in global settings).  FortiAnalyzer only knows about policies if there are logs referencing those policies. 
#2
emnoc
Expert Member
  • Total Posts : 4785
  • Scores: 290
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Unused policies & trying to know which ports are used by a certain policy 2018/05/15 11:55:44 (permalink)
0
I don't think you can get a report for unused ports (services in a policy id), for example if you have a policy.id 444 with

set service HTTP HTTPS SSH PING TELNET LDAP mycommongroups

Nothing you can do from a query or diagnostic against that policy.id #444 will show you the counts of HTTP vs SSH vs service-group. I could be wrong but someone will correct me ;)

PCNSE6,PCNSE7, ACE, CCNP,FCNSP,FCESP,Linux+,CEH,ECSA,SCSA,SCNA,CISCA email/web
#3
chall_FTNT
skyhigh
  • Total Posts : 221
  • Scores: 19
  • Reward points: 0
  • Joined: 2003/11/28 16:19:30
  • Status: offline
Re: Unused policies & trying to know which ports are used by a certain policy 2018/05/15 14:52:10 (permalink)
0
> Also we would like to know if there is a way to generate a report or place some filter options that could show us which ports/services are used by a certain policy?
 
If you are looking at which ports ARE used ... in theory, you could design a query to evaluate traffic logs by policy ID & for each policy ID, rank the ports (dstport) which match that policy. But as emnoc has pointed out, this would not identify ports that are NEVER used ("unused"). You could only figure that out by a visual (aka manual) comparison of the report against policy configuration.
#4
AtiT
Gold Member
  • Total Posts : 429
  • Scores: 32
  • Reward points: 0
  • Joined: 2012/04/18 12:13:27
  • Location: Prague / Czech Republic
  • Status: offline
Re: Unused policies & trying to know which ports are used by a certain policy 2018/05/16 08:18:48 (permalink)
5 (1)
Hello,
As far as I know you cannot create a report for unused policies as they are not in the logs.
You can work with the information that is in the logs.
For policy and port usage you can maybe use this dataset:
- not sure whether the filters are 100% correct

SELECT `policyid`, `dstport`,
COUNT(*) AS totalnum
FROM $log WHERE $filter
AND `action`!='deny'
AND `subtype`!='local'
AND `policyid`!=0
GROUP BY `policyid`, `dstport`
ORDER BY `policyid` ASC, `dstport` ASC

After that you can do a drilldown chart for PolicyID, Destination Port and the Totalnum:

AtiT
--------------------
NSE 8, CCNP R+S
#5
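An added example, not code from any post in this thread, that takes the approach of replies #4 and #5 one step further: it applies the same filters as the dataset above to constructed FortiGate-style traffic log lines, counts hits per policyid and dstport, and then compares the result against a constructed policy table so that configured-but-unseen services are listed instead of compared by eye. The log lines, the policy table and the one-port-per-service simplification are all assumptions; as #4 notes, zero hits in a log window is not proof that a service is never needed.

```python
import re
from collections import Counter

# Constructed FortiGate-style traffic log lines (not real data), limited to the fields the dataset uses.
SAMPLE_LOGS = """\
date=2018-05-15 time=10:00:01 type="traffic" subtype="forward" srcip=10.0.0.5 dstip=93.184.216.34 dstport=443 proto=6 action="accept" policyid=3 service="HTTPS"
date=2018-05-15 time=10:00:02 type="traffic" subtype="forward" srcip=10.0.0.6 dstip=93.184.216.34 dstport=80 proto=6 action="accept" policyid=3 service="HTTP"
date=2018-05-15 time=10:00:03 type="traffic" subtype="forward" srcip=10.0.0.7 dstip=10.0.1.9 dstport=23 proto=6 action="deny" policyid=3 service="TELNET"
date=2018-05-15 time=10:00:04 type="traffic" subtype="local" srcip=10.0.0.8 dstip=10.0.0.1 dstport=443 proto=6 action="accept" policyid=0 service="HTTPS"
date=2018-05-15 time=10:00:05 type="traffic" subtype="forward" srcip=10.0.0.9 dstip=93.184.216.34 dstport=443 proto=6 action="accept" policyid=3 service="HTTPS"
date=2018-05-15 time=10:00:06 type="traffic" subtype="forward" srcip=10.0.0.5 dstip=10.0.2.4 dstport=22 proto=6 action="accept" policyid=444 service="SSH"
"""

# Constructed policy table (assumption): policyid -> service -> dstport.
# Real service objects may cover several ports; one port each keeps it short.
POLICY_SERVICES = {
    3: {"HTTP": 80, "HTTPS": 443, "TELNET": 23},
    444: {"HTTP": 80, "HTTPS": 443, "SSH": 22, "TELNET": 23, "LDAP": 389},
}

# key=value pairs, value with or without double quotes
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict of string fields."""
    return {key: unquoted or quoted for key, quoted, unquoted in KV_RE.findall(line)}

def hits_by_policy_port(log_text):
    """Same filters as the dataset: drop deny, local and policyid 0,
    then count rows per (policyid, dstport)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") == "deny" or rec.get("subtype") == "local":
            continue
        policyid = int(rec.get("policyid", 0))
        if policyid == 0:
            continue
        counts[(policyid, int(rec["dstport"]))] += 1
    return counts

def unused_services(counts, policies):
    """Services configured on a policy but never hit in the log window.
    Zero hits means 'not seen in this window', not 'safe to remove'."""
    idle = {}
    for policyid, services in policies.items():
        never_hit = sorted(s for s, port in services.items() if counts[(policyid, port)] == 0)
        if never_hit:
            idle[policyid] = never_hit
    return idle
```

Run `unused_services(hits_by_policy_port(SAMPLE_LOGS), POLICY_SERVICES)` on a real export by replacing the two constructed inputs with your own log lines and policy package.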
emnoc
Expert Member
  • Total Posts : 4785
  • Scores: 290
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Unused policies & trying to know which ports are used by a certain policy 2018/05/16 10:18:02 (permalink)
0
Good Job

PCNSE6,PCNSE7, ACE, CCNP,FCNSP,FCESP,Linux+,CEH,ECSA,SCSA,SCNA,CISCA email/web
#6
chall_FTNT
skyhigh
  • Total Posts : 221
  • Scores: 19
  • Reward points: 0
  • Joined: 2003/11/28 16:19:30
  • Status: offline
Re: Unused policies & trying to know which ports are used by a certain policy 2018/05/16 10:58:26 (permalink) ☄ Helpful by AtiT 2018/05/17 01:27:40
5 (1)
Some more thoughts on unused policies:
1) you can run a "Policy Check" on a policy package in FortiManager that will identify policies which are "shadowed" and therefore are redundant and will never match traffic
2) a security fabric audit run on your FortiGate should also identify unnecessary policies
#7