Policy Hitcount

I would like to see a policy hit count report. That report should show the number of times that policies are used since reboot. It has also been recommended by a recent audit we had. Policy hit count would allow me to see if there are any policies that are not being used. Maybe also give the option to reset the count.
Thanks

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @NSBTAdmin

    Check out the policy map in Dimension, it contains most of the information you're looking for in a visual (graph) form.

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/dimension/policy_map_d.html

    -James Carson
    WatchGuard Customer Support

  • However, Policy Map will not show what policies are not being used.

  • Policy usage is available within the device monitor area of WatchGuard Cloud if you are using it. So you can list policy hits and data for a specified time period.

    Hope that helps

  • In the VM Dimension -> REPORTS > Device > Policy Usage will show the underutilised reports over an extended period.

    Adrian from Australia

  • So, not using Dimension or Cloud, there isn't a way to see hit counts?

  • Since the firewalls don't have enormous storage, they only keep short term info on board.
    For long term - hours/days/weeks - you need some sort of logging/reporting.

    You can get short term info in WSM Firebox System Manager -> Service Watch and select Graph Type = Connections
    Or in the Web UI, try Dashboard -> Firewatch -> Connections (not the easiest display to interpret IMHO)

  • Putting the box with Dimension Command as the central management solution will show you policy usage on the summary page of the Dimension server.

    Dimension Command is a module in the total security suite

  • Try using CLI.

    SSH to internal IP of trusted network, port 4118.

    try the following:

    show connection count by-policy

    You will get a list of all policies, current and total connections since restart.

    I don't know exactly how this behaves in cluster environments, I am guessing it is just showing the connection that went through the currently active node, as I am guessing this is just a display that is using iptables -v -n in background, mapping the output to the correct policy names.

    Werner.
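    The CLI counts above are only kept since the last restart and, as Werner notes, may reflect just the node that handled the traffic in a cluster. The script below is an added example (not WatchGuard code or part of this thread) that turns saved copies of that output into the "which policies are unused" answer the original post asks for. The column layout of `show connection count by-policy` is an assumption here: one row per policy with the policy name, current connections and total connections since restart, and the sample rows are constructed. Check the real layout on your device before relying on the regex.

```python
"""Flag unused firewall policies from saved `show connection count by-policy` output.

Added example, not WatchGuard code. The row layout (policy name, current
connections, total connections since restart) is an ASSUMPTION about the
CLI output; adjust ROW if your device prints different columns.
"""
import re
from collections import defaultdict

# Constructed sample output: one snapshot per cluster member, since the
# counters may only cover traffic that passed through that node.
NODE_A = """\
Policy                     Current   Total
HTTPS-Out                       12   48213
FTP-Server                       0       0
DNS-Out                          3    9110
Legacy-Telnet                    0       0
"""

NODE_B = """\
Policy                     Current   Total
HTTPS-Out                        7   31002
FTP-Server                       0      19
DNS-Out                          1    7721
Legacy-Telnet                    0       0
"""

# Matches a data row; the header line has non-numeric columns and is skipped.
ROW = re.compile(r"^(?P<name>\S+)\s+(?P<current>\d+)\s+(?P<total>\d+)\s*$")


def parse_counts(text):
    """Return {policy: (current, total)} from one snapshot."""
    counts = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            counts[m["name"]] = (int(m["current"]), int(m["total"]))
    return counts


def merge_snapshots(*snapshots):
    """Sum counters across nodes so a policy hit on only one member is not
    wrongly reported as unused."""
    merged = defaultdict(lambda: [0, 0])
    for snap in snapshots:
        for name, (cur, tot) in parse_counts(snap).items():
            merged[name][0] += cur
            merged[name][1] += tot
    return {name: tuple(v) for name, v in merged.items()}


def unused_policies(counts):
    """Policies with zero total hits since restart, sorted by name."""
    return sorted(name for name, (_, tot) in counts.items() if tot == 0)


if __name__ == "__main__":
    merged = merge_snapshots(NODE_A, NODE_B)
    for name in unused_policies(merged):
        print(f"no hits since restart on any node: {name}")
```

    Because the counters reset on reboot, a policy that shows zero after a short uptime is not necessarily dead; collecting a snapshot from each node before planned restarts and merging them over time gives a much better basis for an audit decision than a single read.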
