
Mastering FortiGate Policy Logs: A Comprehensive Guide to Auditing, Diagnostics, and Retrieval


In the high-stakes world of network security, the FortiGate firewall log is the silent witness to every allowed connection and every blocked intruder. However, for many administrators, the gap between "logging is enabled" and "I know exactly which policy is causing the bottleneck" can be vast.

This guide synthesizes official Fortinet documentation and battle-tested commands from senior network engineers to provide a complete roadmap for checking policy logs, analyzing hit counts, and overcoming the unique challenge of retrieving data for deleted policies.


The Foundation: Configuring Logs for Baseline Success

Before an administrator can troubleshoot an anomaly, they must first understand what "normal" looks like. The official Fortinet Administration Guide emphasizes that effective troubleshooting is impossible without a recorded baseline.

The GUI Configuration Path: To establish this baseline, administrators should navigate to Log & Report > Log Settings.

  • The Balancing Act: Fortinet recommends logging as much information as possible during initial configuration. If storage becomes constrained, logging for non-essential features can be scaled back.
  • The Warning Level Trap: When hunting for elusive bugs, administrators are advised to increase logging verbosity from Warning to Information. However, the documentation issues a clear red flag: always configure email alerts for disk usage when increasing log levels to avoid service disruptions caused by full storage quotas.

The Philosophy of Logs: The guide offers a crucial reality check for engineers: "Logs can help identify and locate any problems, but they do not solve them. The purpose of logs is to speed up your problem solving."


The CLI Arsenal: Extracting Policy Hit Counts and Live Usage

For environments where API access is restricted or immediate diagnostics are required, the Command Line Interface remains the administrator's scalpel. A detailed thread in the Fortinet Community Forum reveals the specific commands currently validated on FortiOS 7.4.3 and 7.6.x.

Retrieving Hit Counts for Specific Policies

Unlike basic "show" commands that merely display configuration, the diagnose firewall iprope command reads the kernel's per-policy counters: packets, bytes, hit count, and the first and last time the rule matched. The 00100004 argument selects the IPv4 forward-policy table; the number that follows is the policy ID as shown in the policy list.

Syntax:

diagnose firewall iprope show 00100004 <policy-id> 

Output Example:

idx:29 pkts:2824088 bytes:699757775 hit count:307605 first hit:2024-07-04 08:41:19 last hit:2024-11-07 10:12:06 

Expert Insight: A significant limitation discussed by engineers is that this command requires explicit policy IDs. It does not accept a wildcard that would return counters for every policy at once. Several IDs can be passed in one call (e.g., 1 2 3 4 5), but the thread reports that a single invocation accepts only about 14 IDs, so a full audit means batching the IDs and stitching the output together.

Broad Spectrum Diagnostics

For a wider view, community experts recommend the following combination:

  1. View Active Sessions by Policy: diagnose sys session list | grep policy_id (the session entry carries the rule as a policy_id= field). To see only one policy's sessions, set diagnose sys session filter policy <policy-id> before listing and run diagnose sys session filter clear afterwards. Use case: identifying which policy is currently handling a specific traffic spike.
  2. General Firewall Statistics: diagnose firewall statistic list. Recommended in the thread as a broader statistics listing that includes hit counts.
  3. Real-time Resource Monitoring: diag sys top. Useful for correlating high CPU usage with active firewall sessions.

Community Verdict: As of the latest threads, there is no native, single CLI command to output a hit count for every single policy simultaneously without scripting an iteration workaround.
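The iteration workaround the thread describes, written out as an added example (this is not code from the original page, the forum thread, or Fortinet): a Python script that chunks policy IDs into batches of 14 for the diagnose firewall iprope call, parses the idx/pkts/bytes/hit count lines from the saved output, and reports zero-hit and stale policies. The batch size, the 90-day staleness threshold, the all-zero timestamp used for a never-used policy, and every sample line except the one quoted above are assumptions.

```python
"""Hit-count triage for FortiGate policies (added example, not from the page).

Assumed workflow: run 'diagnose firewall iprope show 00100004 <ids...>' in
batches of at most 14 IDs (the per-call limit reported in the forum thread),
save the combined output to a file, then run this script over that text to
flag policies that have never matched or have not matched recently.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Union

# First line is the page's own example; the other two are constructed. The
# all-zero timestamps for idx 12 are an assumption of how a never-used policy
# may print, so any timestamp that fails to parse is treated as "never".
SAMPLE_OUTPUT = """\
idx:29 pkts:2824088 bytes:699757775 hit count:307605 first hit:2024-07-04 08:41:19 last hit:2024-11-07 10:12:06
idx:7 pkts:1500 bytes:120000 hit count:42 first hit:2024-01-15 09:00:00 last hit:2024-03-01 17:45:10
idx:12 pkts:0 bytes:0 hit count:0 first hit:0000-00-00 00:00:00 last hit:0000-00-00 00:00:00
"""

LINE_RE = re.compile(
    r"idx:(?P<idx>\d+)\s+pkts:(?P<pkts>\d+)\s+bytes:(?P<bytes>\d+)\s+"
    r"hit count:(?P<hits>\d+)\s+first hit:(?P<first>\S+ \S+)\s+last hit:(?P<last>\S+ \S+)"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"
MAX_IDS_PER_CALL = 14  # per-call limit reported in the thread (assumed exact here)


@dataclass
class PolicyStats:
    policy_id: int
    pkts: int
    bytes: int
    hits: int
    first_hit: Optional[datetime]
    last_hit: Optional[datetime]


def _parse_ts(text: str) -> Optional[datetime]:
    """Return None for placeholders such as all-zero dates."""
    try:
        return datetime.strptime(text, TS_FMT)
    except ValueError:
        return None


def parse_iprope(text: str) -> Dict[int, PolicyStats]:
    """Parse 'idx:... last hit:...' lines into a dict keyed by policy ID (idx)."""
    stats: Dict[int, PolicyStats] = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # prompts, headers, or unrelated output
        pid = int(m["idx"])
        stats[pid] = PolicyStats(pid, int(m["pkts"]), int(m["bytes"]), int(m["hits"]),
                                 _parse_ts(m["first"]), _parse_ts(m["last"]))
    return stats


def classify(stats: Dict[int, PolicyStats], now: Union[str, datetime],
             stale_days: int = 90) -> Dict[str, List[int]]:
    """Bucket policies as zero-hit, stale (no hit within stale_days), or active."""
    if isinstance(now, str):
        now = datetime.strptime(now, TS_FMT)
    cutoff = now - timedelta(days=stale_days)
    result: Dict[str, List[int]] = {"zero": [], "stale": [], "active": []}
    for pid, s in sorted(stats.items()):
        if s.hits == 0 or s.last_hit is None:
            result["zero"].append(pid)
        elif s.last_hit < cutoff:
            result["stale"].append(pid)
        else:
            result["active"].append(pid)
    return result


def build_commands(policy_ids, per_call: int = MAX_IDS_PER_CALL) -> List[str]:
    """Chunk policy IDs into 'diagnose firewall iprope show 00100004 ...' calls."""
    ids = sorted(set(int(i) for i in policy_ids))
    return ["diagnose firewall iprope show 00100004 " + " ".join(str(i) for i in ids[n:n + per_call])
            for n in range(0, len(ids), per_call)]


if __name__ == "__main__":
    print(classify(parse_iprope(SAMPLE_OUTPUT), now="2024-11-08 00:00:00"))
    for cmd in build_commands(range(1, 31)):
        print(cmd)
```

Feed build_commands the IDs extracted from show firewall policy, run the printed commands, and pass the captured text to parse_iprope. A policy in the "zero" bucket has never matched since its counters were last reset, so check when the counters were cleared before treating it as unused.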


The FortiManager Challenge: Retrieving Logs for Deleted Policies

One of the most stressful scenarios for a security auditor is the discovery that a specific firewall policy has been deleted, leaving no visible trace in the current policy list. A Reddit user posed a critical use case: "I need to collect a deleted firewall rule from the last 24 hours... Is there any CLI command?"

The Harsh Reality (Current Limitations): According to peer responses and available documentation, FortiManager does not offer a native CLI command or a straightforward API (JSON-RPC) call specifically dedicated to listing recently deleted firewall policies.

Workarounds Suggested by the Community: While direct "deleted policy" logs are not neatly packaged, forensic analysts can reconstruct deletions through indirect methods:

  1. FortiManager Change Logs: Administrators should check the FortiManager event logs, which record configuration changes, including policy deletions, as part of the device history. FortiManager also keeps per-device configuration revisions (Device Manager > Revision History), so an earlier revision still contains the full text of a rule that has since been removed.
  2. FortiAnalyzer Integration: If logs are being offloaded to FortiAnalyzer, traffic logs referencing the now-deleted Policy ID will still exist. Searching FortiAnalyzer for the orphaned Policy ID during the suspected time frame will confirm the traffic that was processed by that rule.
  3. Automation Scripting: Users attempting Python automation reported difficulty finding a direct API endpoint for "deleted objects." The suggested path involves pulling periodic snapshots of the policy list and comparing them—a manual diff process.

Status: This remains a high-demand feature request within the user base.
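The snapshot-and-compare approach from workaround 3 above, combined with the orphaned-policy-ID search from workaround 2, written out as an added example (not code from the original page, the Reddit thread, or Fortinet): a Python script that parses two captures of show firewall policy output into per-policy settings, reports removed, added and changed policies, and then keeps only the traffic-log lines whose policyid field names a removed rule. The two snapshots and the log lines are constructed samples in FortiOS config and key=value log syntax; the scheduled capture job that would produce them is assumed.

```python
"""Reconstruct deleted FortiGate policies from periodic snapshots (added example).

Assumed workflow, not from the page: a scheduled job saves 'show firewall
policy' output to a dated file; this script diffs two such files and then
searches traffic-log lines for the policy IDs that disappeared. Snapshots and
log lines below are constructed samples.
"""
import re
import shlex
from typing import Dict, List

SNAPSHOT_OLD = """\
config firewall policy
    edit 1
        set name "LAN-to-WAN"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set nat enable
    next
    edit 5
        set name "DMZ-to-DB"
        set srcintf "dmz"
        set dstintf "port3"
        set srcaddr "dmz-web"
        set dstaddr "db-servers"
        set action accept
        set service "MYSQL"
    next
end
"""

SNAPSHOT_NEW = """\
config firewall policy
    edit 1
        set name "LAN-to-WAN"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL" "HTTPS"
        set nat enable
    next
end
"""

# Constructed traffic-log lines in FortiGate key=value style.
TRAFFIC_LOGS = [
    'date=2024-11-06 time=23:58:01 type="traffic" subtype="forward" srcip=10.1.1.5 dstip=10.2.2.10 policyid=5 action="accept"',
    'date=2024-11-07 time=00:03:12 type="traffic" subtype="forward" srcip=10.0.0.7 dstip=93.184.216.34 policyid=1 action="accept"',
]

EDIT_RE = re.compile(r"^\s*edit\s+(\d+)\s*$")
SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(.*)$")
POLICYID_RE = re.compile(r"\bpolicyid=(\d+)\b")


def parse_policy_config(text: str) -> Dict[int, Dict[str, List[str]]]:
    """Parse 'show firewall policy' output into {policy_id: {setting: [values]}}."""
    policies: Dict[int, Dict[str, List[str]]] = {}
    current, pid = None, None
    for line in text.splitlines():
        m = EDIT_RE.match(line)
        if m:
            pid, current = int(m.group(1)), {}
            continue
        if line.strip() == "next" and current is not None:
            policies[pid] = current
            current = None
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = shlex.split(m.group(2))  # quoted and multi-valued settings
    return policies


def diff_snapshots(old: Dict[int, dict], new: Dict[int, dict]) -> dict:
    """Return removed/added policy IDs and per-setting changes for shared IDs."""
    changed = {}
    for pid in set(old) & set(new):
        delta = {k: (old[pid].get(k), new[pid].get(k))
                 for k in set(old[pid]) | set(new[pid]) if old[pid].get(k) != new[pid].get(k)}
        if delta:
            changed[pid] = delta
    return {"removed": sorted(set(old) - set(new)), "added": sorted(set(new) - set(old)),
            "changed": changed}


def logs_for_policies(lines: List[str], policy_ids) -> List[str]:
    """Keep log lines whose policyid field names one of the given (orphaned) IDs."""
    wanted = {str(i) for i in policy_ids}
    kept = []
    for ln in lines:
        m = POLICYID_RE.search(ln)
        if m and m.group(1) in wanted:
            kept.append(ln)
    return kept


if __name__ == "__main__":
    old, new = parse_policy_config(SNAPSHOT_OLD), parse_policy_config(SNAPSHOT_NEW)
    report = diff_snapshots(old, new)
    print(report)
    for pid in report["removed"]:
        print(f"policy {pid} was: {old[pid]}")
    print(logs_for_policies(TRAFFIC_LOGS, report["removed"]))
```

The diff answers "what did the rule say", while the log search answers "what traffic did it carry"; together they give the auditor both halves of the evidence the Reddit question asked for. Because FortiGate reuses freed policy IDs, bound the log search to the window between the two snapshots.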


Conclusion: The Layered Approach to Policy Visibility

Effective policy log analysis on Fortinet equipment requires a three-tiered strategy:

  1. Prevention (FortiGate): Configure verbose logging and maintain baselines via the GUI.
  2. Inspection (FortiGate CLI): Use diagnose firewall iprope for real-time hit counts and session verification.
  3. Forensics (FortiManager/Analyzer): Accept that deleted policies vanish from the manager's active policy view; rely on external log collectors, FortiManager's device revision history, or pre-emptive configuration backups to capture evidence of removed rules.

In the evolving landscape of network security, the ability to prove what a policy used to do is just as important as what the current policies are doing now.


Frequently Asked Questions (FAQ)

How do I check if a specific firewall policy is actually being used?

Use the FortiGate CLI command: diagnose firewall iprope show 00100004 <policy_id>. Look for the "hit count" and "last hit" fields. A high hit count with a recent timestamp indicates active usage.

Can I get a report of all policies with zero hits?

There is no single CLI command for this. You must script a solution that extracts all policy IDs (via show firewall policy), runs them in batches through diagnose firewall iprope show 00100004, and filters the parsed output for a hit count of zero. Where REST API access is permitted, the FortiOS monitor endpoint /api/v2/monitor/firewall/policy returns the same counters (hit_count, bytes, packets, first_used, last_used) for every policy in one call, which avoids the batching.

I deleted a policy yesterday. Can I see its logs in FortiManager?

Not directly as a "deleted policy" entry. However, if your traffic logs are stored in FortiAnalyzer, you can search for that specific Policy ID. On FortiManager, you must check the Change Log or Audit Log to see the record of the deletion event itself.

What is the difference between "Log & Report" and CLI diagnostic commands?

Log & Report shows historical traffic records (who connected, what application, etc.). CLI diagnostic commands (like diagnose firewall iprope) show statistical counters and current sessions, telling you how many times a policy has been hit.

Why can't I open some of the official Fortinet documentation links?

This is usually due to link rot (deprecated versions being removed) or URL structure changes. Always navigate to the root of docs.fortinet.com and search for your specific firmware version (e.g., 7.6.6) to find the latest guides.