Administration Guide

Policy hit count

You can use FortiManager to view FortiGate policy hit counters. When you run a policy check on a policy package or select the Find Unused Policies option from the Tools dropdown for a policy package, FortiManager shows hit count information for unused policies with zero hit count.

Note

The Find Unused Policies option is unavailable when classic dual pane is enabled. To disable classic dual pane, go to System Settings > Advanced > Advanced Settings, and set the Display Policy & Object in Classic Dual Pane option to Disable.

In FortiManager, the policy hit counts are aggregated across all managed FortiGate units for the policy.

You can add policy hit count information to a policy package pane by enabling it in the Column Settings dropdown. The hit count is collected from managed FortiGate units when either the Refresh Now button in the Hit Counts column header or Refresh Hit Counts in the Tools dropdown is clicked.

The hit count information is excluded from the FortiManager event log, but it's included in the debug log for troubleshooting purposes.

To view policy hit counts:
  1. Ensure you are in the correct ADOM.
  2. Go to Policy & Objects > Policy Packages.
  3. In the tree menu for a policy package, select a policy. The content pane for the policy is displayed.
  4. In the toolbar, click Column Settings, and enable the Hit Count column.
    Hit count information for each policy is displayed within the Hit Count column.
  5. In the toolbar, click Tools > Refresh Hit Counts to fetch an updated hit count report, or hover your mouse over the Hit Count column header and click Refresh Now.

To view the hit count information for unused policies using the Find Unused Policies option:
  1. Ensure you are in the correct ADOM.
  2. Go to Policy & Objects > Policy Packages.
  3. In the toolbar, from the Tools dropdown, select Find Unused Policies.

    The Unused Policies window opens.

  4. In the tree menu, select the policy package, and expand the policy table of your choice in the content pane to see the hit count information for the unused policies only.
  5. To view all the policies and their hit count information, select No Filter from the Show Unused Policy field.

To view hit count information for unused policies in the Policy Check Report:
  1. Ensure you are in the correct ADOM.
  2. Go to Policy & Objects > Policy Packages.
  3. In the tree menu, right-click the policy package and select Policy Check.

    The Policy Check dialog opens.

  4. In the Policy Check dialog, click Perform Policy Check, and then click OK.

    Once the policy check finishes, the results are displayed in the Policy Check window.

    The Policy Check window displays the hit count information for all the policies in a policy package.

  5. Select the Unused Only checkbox to view the hit count information for the unused policies only.

Saving Last Used values

FortiManager can be configured to save the Last Used timestamp value, which allows it to retain the timestamp if the hit count is reset on the managed device. This feature is disabled by default.

When enabled, FortiManager discards any Last Used values that it receives from managed devices that are blank or older than the currently stored value. Non-blank values that are more recent than the stored value will be updated and displayed.
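
The retention rule above, replayed over three refreshes as an added example (a model written for this page, not FortiManager code). The device names, the ISO 8601 timestamps and the use of a plain sum for the aggregated hit count are assumptions made for the illustration.

```python
from datetime import datetime, timezone
from typing import Optional

def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Return None for a blank report, else a UTC datetime."""
    if value is None or not value.strip():
        return None
    return datetime.fromisoformat(value).astimezone(timezone.utc)

def merge_last_used(stored: Optional[datetime], reported: Optional[str]) -> Optional[datetime]:
    """Discard blank or older reports; accept only a more recent value."""
    new = parse_ts(reported)
    if new is None:
        return stored                      # blank: keep what is stored
    if stored is not None and new <= stored:
        return stored                      # not more recent: keep what is stored
    return new

def replay(refreshes):
    """Each refresh maps device -> (hit_count, last_used). Returns per-refresh
    (aggregated hit count, saved Last Used). Summing is an assumption."""
    stored = None
    history = []
    for reports in refreshes:
        total_hits = sum(hits for hits, _ in reports.values())
        for _, last_used in reports.values():
            stored = merge_last_used(stored, last_used)
        history.append((total_hits, stored))
    return history

# Constructed sample data for one policy installed on two managed devices.
REFRESHES = [
    # Normal operation: the older value from fgt-b loses to fgt-a's.
    {"fgt-a": (120, "2024-03-01T10:00:00+00:00"), "fgt-b": (3, "2024-02-20T08:00:00+00:00")},
    # Counters reset on both devices: hit count is 0 and Last Used is blank.
    {"fgt-a": (0, ""), "fgt-b": (0, "")},
    # Traffic resumes on fgt-b with a more recent timestamp.
    {"fgt-a": (0, ""), "fgt-b": (7, "2024-03-09T12:30:00+00:00")},
]

if __name__ == "__main__":
    for n, (hits, last) in enumerate(replay(REFRESHES), start=1):
        print(f"refresh {n}: hits={hits} last_used={last.isoformat() if last else '-'}")
```

The second refresh is the case the setting exists for: the aggregated hit count drops to zero after the reset, yet the saved Last Used value still shows that the policy matched traffic, which matters when deciding whether a policy is really unused before removing it.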

To enable saved last used values:
  1. In the FortiManager CLI, enter the following commands to enable save-last-hit-in-adomdb:

    config system global
      set save-last-hit-in-adomdb enable
    end

  2. Enter the following command to view the "Last Used" timestamp value in the CLI:

    exe fmpolicy print-adom-packager <adom> <packageName> <policy-id>
