Fortigate API date format

Author
Juquinha
New Member
2021/04/16 04:37:24 (permalink)

I'm using the monitor/firewall/policy API to find the non-used policies for a while. The thing is that I couldn't figure out what the format of the information listed in the result is. For example, when was the last_used time for the following policy?
The output is:
[
    {
        "policyid":  1,
        "uuid":  "bc2ef692-9860-51eb-7f52-51857f6b3028",
        "active_sessions":  0,
        "bytes":  791357216,
        "packets":  782809,
        "last_used":  1618340453,
        "first_used":  1617911276,
        "hit_count":  1222,
        "session_last_used":  1618340453,
        "session_first_used":  1618339490,
        "session_count":  0
    }
]
 
Thanks in advance.
#1

    emnoc
    Expert Member
    Re: Fortigate API date format 2021/04/16 06:15:26 (permalink)
    epoch
     
    That last_used in your example is "Tuesday, April 13, 2021 7:00:53 PM UTC". You need to convert the TS to local/UTC or whatever if you want it human readable.
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #2
    emnoc
    Expert Member
    Re: Fortigate API date format 2021/04/16 06:39:41 (permalink)
    Hey, just thought of something: you're a good candidate for using SNMP. You can easily get last_used by a simple query of the SNMP OID for fwpolicy last_used, and the output is always easy to read in local time.
     
    socket1>snmpwalk -c mycommunity -v2c 192.168.1.99 .1.3.6.1.4.1.12356.101.5.1.2.1.1.4.1
    SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.0 = STRING: "03/12/2021 10:04 (34 day(s) ago)"
    SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.1 = STRING: "No Session Data"
    SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.2 = STRING: "No Session Data"
    SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.5 = STRING: "03/24/2021 19:22 (22 day(s) ago)"
    SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.6 = STRING: "03/12/2021 10:03 (34 day(s) ago)"
    SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.7 = STRING: "No Session Data"
    SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.8 = STRING: "03/12/2021 10:01 (34 day(s) ago)"
    SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.9 = STRING: "No Session Data"
    SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.10 = STRING: "No Session Data"
    SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.4.1.11 = STRING: "04/16/2021 08:28 (31 second(s) ago)"
     
    "No Session Data" is also a clue that its policy is at zero.
     
    The above output is the same as the extract from diag fw iprope, e.g.:
     
    homefgt (root) # diag firewall iprope show 0x100004 0
    idx=0 pkts/bytes=4/336 asic_pkts/asic_bytes=0/0 flag=0x0 hit count:174
        first:2021-03-11 16:40:27 last:2021-03-12 10:04:40
     
     
    I also wrote a blog piece on finding unused policies by hit counts:
     
    http://socpuppet.blogspot.com/2020/07/howto-audit-unused-fwpolicy-on-fortios.html
     
    With SNMP you get the date conversion plus how many days since last_used. Just something to think about. When I audit FortiGates, that is one of many ways we easily ascertain if fwpolicy XYZ is used, when it was last used, etc.
     
    YMMV
     
    Ken Felix
     
     

    PCNSE 
    NSE 
    StrongSwan  
    #3
    Juquinha
    New Member
    Re: Fortigate API date format 2021/04/16 07:18:02 (permalink)
    Hey, Ken!
     
    Glad to "meet" you, since I have been reading your blog for some time. :)
     
    It is really a good idea to get this information via SNMP. I'm now wondering about putting that information in my Zabbix and then letting it warn me when a policy reaches more than N days without a hit. I will think about that and measure the load. We have some firewalls with more than 3000 policies.
     
    For now what I want to achieve is to do a big cleanup on this big equipment we have. It has not been cleaned yet and someone needs to do the dirty work.
     
    For now, I'll try to convert the data as you said, so I can fill an array in PowerShell with the policies I want. Is this TimeSpan format in milliseconds? I tried to convert using milliseconds and the date does not match. Same in seconds.
     
     
    post edited by Juquinha - 2021/04/16 07:30:10
    #4
    emnoc
    Expert Member
    Re: Fortigate API date format 2021/04/16 07:30:34 (permalink)
    Yeah, that is a big issue with every FW vendor: how to match and mark unused policies.
     
    FWIW I believe FortiOS is one of the best to audit. I did a massive lift and change 2 years ago where an org had 7 individual firewalls that got placed into one big firewall cluster and then had 2700 policies between them. At the end of the day they only had 600ish active policies.
     
    Most of what we eliminated were dups, written wrong, VPN tunnels no longer active, policies with services that were no longer in use, etc.
     
    We have a lot of the same going on in my day job with 3 different firewall vendor platforms ;)
     
    YMMV
     

    PCNSE 
    NSE 
    StrongSwan  
    #5
    Juquinha
    New Member
    Re: Fortigate API date format 2021/04/16 07:41:38 (permalink)
    Hi, Ken!
     
    Would you mind telling me what unit you used to do the time conversion? I am not able to match the correct date in milliseconds, seconds or ticks.
    I cannot figure out what that number in the output means.
     
    [TimeSpan]::FromTicks(1618340453)
     
    Days : 0
    Hours : 0
    Minutes : 2
    Seconds : 41
    Milliseconds : 834
    Ticks : 1618340453
    TotalDays : 0,00187307922800926
    TotalHours : 0,0449539014722222
    TotalMinutes : 2,69723408833333
    TotalSeconds : 161,8340453
    TotalMilliseconds : 161834,0453
    #6
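As an added example that is not part of the thread (nor Fortinet's code), the PowerShell below does the epoch conversion Ken describes in reply #2 and the "more than N days without a hit" check Juquinha describes in reply #4, using the JSON from the question plus one constructed never-used entry; the function names and the 2021-06-01 reference instant are assumptions for the demonstration.

```powershell
# Added example, not code from the thread or from Fortinet. Converts the epoch
# fields returned by the monitor/firewall/policy endpoint and flags stale policies.
# Sample input: the JSON posted in the question plus one constructed
# never-used entry (policyid 2) so the zero case is exercised.
$json = @'
[
  { "policyid": 1, "uuid": "bc2ef692-9860-51eb-7f52-51857f6b3028",
    "hit_count": 1222, "last_used": 1618340453, "first_used": 1617911276 },
  { "policyid": 2, "uuid": "00000000-0000-0000-0000-000000000000",
    "hit_count": 0, "last_used": 0, "first_used": 0 }
]
'@

function ConvertFrom-FortiEpoch {
    # FortiOS reports last_used/first_used as Unix time in whole seconds, so
    # [TimeSpan]::FromTicks() or FromMilliseconds() give nonsense; a value of 0
    # means the policy has never matched a session and is returned as $null.
    param([Parameter(Mandatory)][long]$Seconds)
    if ($Seconds -le 0) { return $null }
    return [DateTimeOffset]::FromUnixTimeSeconds($Seconds)
}

function Get-StalePolicies {
    # Emits policies idle for more than $MaxIdleDays, or never used at all.
    # $Now is a parameter so the check can be replayed against a fixed instant.
    param(
        [Parameter(Mandatory)][object[]]$Policies,
        [int]$MaxIdleDays = 90,
        [DateTimeOffset]$Now = [DateTimeOffset]::UtcNow
    )
    foreach ($p in $Policies) {
        $last = ConvertFrom-FortiEpoch -Seconds $p.last_used
        $idle = if ($null -eq $last) { [double]::PositiveInfinity } else { $Now.Subtract($last).TotalDays }
        if ($idle -gt $MaxIdleDays) {
            [pscustomobject]@{
                PolicyId    = $p.policyid
                Uuid        = $p.uuid
                HitCount    = $p.hit_count
                LastUsedUtc = if ($null -eq $last) { 'never' } else { $last.ToString('u') }
                IdleDays    = if ($null -eq $last) { 'n/a' } else { [math]::Floor($idle) }
            }
        }
    }
}

$policies = $json | ConvertFrom-Json
# 1618340453 -> 2021-04-13 19:00:53Z, the instant given in reply #2
(ConvertFrom-FortiEpoch -Seconds 1618340453).ToString('u')
Get-StalePolicies -Policies $policies -MaxIdleDays 30 -Now ([DateTimeOffset]'2021-06-01T00:00:00Z') |
    Format-Table -AutoSize
```

Against the fixed reference instant both sample policies are reported: policy 1 as idle for 48 days and policy 2 as never used.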