Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
SoRealCru
New Contributor

Unused policies & trying to know which ports are used by a certain policy

Hello!

Recently we invested in FortiAnalyzer VM and as off right now it’s working flawlessly and it has proven its worth already. But we are still trying to figure out how we could use FortiAnalyzer to show us the policies that aren't used or aren't used as much as others. Also we would like to know if there is a way to generate a report or place some filter options that could show us which ports/services are used by a certain policy? Let's say for example Lan to Wan.

Thanks in advance!

Len. B

2 Solutions
chall_FTNT
Staff
Staff

You can view policy hit count in FortiManager (if enabled in global settings).  FortiAnalyzer only knows about policies if there are logs referencing those policies. 

Chris Hall
Fortinet Technical Support

View solution in original post

chall_FTNT

Some more thoughts on unused policies:

1) you can run a "Policy Check" on a policy package in FortiManager that will identify policies which are "shadowed" and therefore are redundant and will never match traffic

2) a security fabric audit run on your FortiGate should also identify unnecessary policies

Chris Hall
Fortinet Technical Support

View solution in original post

6 REPLIES 6
chall_FTNT
Staff
Staff

You can view policy hit count in FortiManager (if enabled in global settings).  FortiAnalyzer only knows about policies if there are logs referencing those policies. 

Chris Hall
Fortinet Technical Support
emnoc
Esteemed Contributor III

I don't you can get a repot for unused ports ( services in a policy  id ), for example if you have a policy.id 444 with

 

 

set service HTTP HTTPS SSH PING TELNET  LDAP mycommongroups

 

Nothing yu can do from a query or diagnostic against that  polic.id #444 will show you the counts of  HTTP  vrs SSH vrs  service -group . I could be wrong but some one will correct me ;)

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
chall_FTNT

> Also we would like to know if there is a way to generate a report or place some filter options that could show us which ports/services are used by a certain policy?

 

If you are looking at which ports ARE used ... in theory, you could design a query to evaluate traffic logs by policy ID & for each policy ID, rank the ports (dstport) which match that policy.    But as emnoc as pointed out, this would not identify ports that are NEVER used ("unused").  You could only figure that out by a visual (aka manual) comparison of the report against policy configuration.

Chris Hall
Fortinet Technical Support
AtiT
Valued Contributor

Hello, As I know you cannot create report for unused policies as they are not in the logs. You can work with infromation they are in the logs.

For policy and port usage you can use maybe this dataset: - not sure whether the filters are for 100% correct

SELECT `policyid`, `dstport`, COUNT(*) AS totlanum FROM $log WHERE $filter AND `action`!='deny' AND `subtype`!='local' AND `policyid`!=0 GROUP BY `policyid`, `dstport` ORDER BY `policyid` ASC, `dstport` ASC

After that you can do a drilldown chart for PolicyID, Destination Port and the Totalnum:

AtiT

AtiT
emnoc
Esteemed Contributor III

Good Job

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
chall_FTNT

Some more thoughts on unused policies:

1) you can run a "Policy Check" on a policy package in FortiManager that will identify policies which are "shadowed" and therefore are redundant and will never match traffic

2) a security fabric audit run on your FortiGate should also identify unnecessary policies

Chris Hall
Fortinet Technical Support
Labels
Top Kudoed Authors