APO Tool: FortiGate Firewall Policy Analyzer for Network Engineers

What Is APO Tool?

APO Tool (AI Policy Optimizer) is a standalone Windows desktop application designed for network engineers who need to audit, analyze, and optimize FortiGate firewall policies — without sending configuration data to any external server, cloud service, or third-party storage.

You load your FortiGate configuration file. The tool parses it locally. Everything stays on your machine.

Privacy Guarantee

APO Tool operates entirely offline. Your FortiGate configuration files, policy data, and audit results are never transmitted to any cloud service, external API, or remote storage. All processing happens on your local machine. No account, no internet connection, and no data upload are required.

Development Background

Firewall policy optimization is a recurring task driven by security audits — typically performed on a semi-annual basis. Until now, the only available approach was to manually parse FortiGate configuration files using HTML parsers to identify and organize target policies.

That process consistently produced three operational problems:

  • Repeated manual work in Excel — policy data had to be extracted, reformatted, and verified by hand every cycle
  • High time cost for policy validation and comparison — cross-referencing hit counts, object values, and policy states took days per device
  • Inconsistent results between engineers — different analysts applying the same criteria produced different outputs

APO Tool was built to eliminate these inefficiencies — automating the full analysis workflow and delivering consistent, audit-ready output from a single config file upload. It runs as a standalone executable in both local Windows environments and VDI environments, with no installation required.

What APO Tool Delivers

Before APO Tool  |  After APO Tool
1 week per device (alongside other work)  |  Under 10 minutes per device to final deliverable
Manual Excel reformatting every cycle  |  Automated Excel report generation
Results varied by analyst  |  Identical output regardless of who runs it
Manual policy comparison across snapshots  |  Automated config diff with structured change review

Key Features

Feature  |  Description
Automatic Policy Classification  |  Identifies and categorizes: Disabled-only policies, Hit Count = 0, Last Used within 1 year, expired policies, unnamed policies (No Name), policies without a change ticket reference (No RITM), and deletion candidates — automatically, in a single pass.
Excel Report Generation  |  Exports a structured audit report in Excel format — ready to deliver to stakeholders without additional formatting.
IP-Based Policy Lookup  |  Instantly retrieves all policies matching a specific source or destination IP address — useful for impact analysis before making changes.
Object & Policy Statistics  |  Visualizes the composition of your policy table and address objects — giving a clear picture of environment complexity at a glance.
Object Value Resolution  |  Resolves address objects and group objects to their actual IP/CIDR values — eliminating the need to manually trace nested object definitions.
Configuration Diff  |  Compares two FortiGate config snapshots and identifies added, removed, and changed policies — and added or removed objects — in a structured change review view.
Fully Offline / No Install  |  Single .exe file. No installation. No internet connection. Runs on Windows desktops and VDI environments.

How to Use APO Tool

Step 1 — Extract and Launch

Unzip the downloaded archive and run APO Tool.exe as Administrator (right-click → Run as administrator). The application starts a local web server and opens automatically in your default browser at:

http://127.0.0.1:5000

Step 2 — Back Up the Target Device Config

Export the FortiGate configuration file for the device you want to analyze. From the FortiGate GUI: Dashboard → System Information → Backup. Save the .conf file to your local machine.

Tip: If you have the BackupScheduler Tool, it automates config collection across multiple devices on a schedule.

Step 3 — Export the Policy CSV from FortiGate GUI

In the FortiGate GUI, navigate to Policy & Objects → Firewall Policy. Before exporting, enable the following columns in the table view:

  • ID
  • Hit Count
  • Last Used

Then export the policy table as a CSV file. This CSV provides the hit count and last-used data that APO Tool uses to classify policies for cleanup.

Note: Hit count data can also be retrieved via CLI using diagnose firewall iprope show 100004, but APO Tool uses the GUI CSV export — no CLI access to the live device is required.

Step 4 — Upload Both Files

In the APO Tool browser interface, use the Config File and Policy CSV upload buttons to load the two files you just exported. Both files are processed locally — nothing is transmitted outside your machine.

Step 5 — Review and Download Results

APO Tool displays the full policy analysis in the browser. Use the filter controls to review policies by category (disabled, zero hit count, no name, etc.). When ready, download the Excel report for stakeholder delivery or archive.
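
To show what joining the two uploaded files involves, here is an added example (not APO Tool's own code) that tags policies from a config section and a hit-count CSV. The sample config, the CSV layout beyond the ID, Hit Count and Last Used columns, the tag names, and the rule that a ticket reference looks like "RITM" plus digits in the name or comments are all assumptions.

```python
import csv, io, re, shlex
# Constructed sample: the 'config firewall policy' section of a .conf backup.
CONF = '''\
config firewall policy
    edit 1
        set name "RITM0012345 web-out"
        set status disable
    next
    edit 2
        set comments "temp rule"
    next
    edit 3
        set name "RITM0099999 dns"
    next
end
'''
# Constructed CSV export; only the three column names come from the page.
POLICY_CSV = "ID,Hit Count,Last Used\n1,0,\n2,0,\n3,1542,2024-05-01 10:00:00\n"

def parse_policies(conf):
    """Return {policy_id: {field: [values]}} from the flat policy section."""
    policies, cur, inside = {}, None, False
    for line in map(str.strip, conf.splitlines()):
        if line == "config firewall policy":
            inside = True
        elif inside and line.startswith("edit "):
            cur = policies.setdefault(line[5:].strip(), {})
        elif inside and cur is not None and line.startswith("set "):
            key, *values = shlex.split(line[4:])  # handles quoted values
            cur[key] = values
        elif inside and line == "next":
            cur = None
        elif inside and line == "end" and cur is None:
            inside = False  # section closed; ignore 'edit' lines elsewhere
    return policies

def classify(conf, csv_text):
    """Tag each policy; one missing from the CSV is never tagged hit-count-0."""
    rows = {r["ID"].strip(): r
            for r in csv.DictReader(io.StringIO(csv_text), restval="")}
    result = {}
    for pid, f in parse_policies(conf).items():
        text = " ".join(f.get("name", []) + f.get("comments", []))
        checks = {
            "disabled": f.get("status") == ["disable"],
            "hit-count-0": rows.get(pid, {}).get("Hit Count", "").strip() == "0",
            "no-name": not "".join(f.get("name", [])),
            "no-ritm": not re.search(r"RITM\d+", text),  # assumed ticket format
        }
        result[pid] = [tag for tag, hit in checks.items() if hit]
    return result
```

A policy with no row in the CSV has an unknown hit count, so the example leaves it untagged for that category instead of treating it as unused.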

Who Is APO Tool For?

Network Engineers

Performing routine policy cleanup, hit count reviews, or preparing for firewall refresh projects.

Security Auditors

Reviewing FortiGate policy tables for compliance findings without requiring live device access.

IT Managers

Tracking configuration changes between maintenance windows and documenting policy modifications.

VDI / Air-Gap Environments

Fully offline operation makes APO Tool suitable for restricted environments where internet access is not available.

Data Privacy — Your Config Files Stay Local

No Cloud. No Upload. No Exceptions.

  • FortiGate config files are parsed entirely in local memory — they are never written to any external service.
  • APO Tool makes no outbound network requests of any kind during operation.
  • No user account, license server, or telemetry system is involved.
  • Audit results and exports remain on your local filesystem. You control where they go.
  • Suitable for environments with data residency requirements or strict network egress controls.
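
The loopback listener at 127.0.0.1:5000 and the no-outbound-requests statement can both be checked from `netstat -ano` output. This added example (not part of APO Tool) parses that output for one process ID; the PID 4321 and every row in the sample are constructed.

```python
import ipaddress

# Constructed `netstat -ano` sample. PID 4321 stands in for APO Tool.exe; the
# last row exists only so the check has something to report and is not an
# observation of APO Tool.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING       4321
  TCP    127.0.0.1:5000         127.0.0.1:50123        ESTABLISHED     4321
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       996
  TCP    192.168.1.20:50200     203.0.113.10:443       ESTABLISHED     4321
"""

def _host(endpoint):
    """Return the address part of 'addr:port' (IPv6 is written '[addr]:port')."""
    host = endpoint.rsplit(":", 1)[0].strip("[]").split("%")[0]
    return ipaddress.ip_address(host)

def audit(netstat_text, pid):
    """List TCP sockets of `pid` that are not loopback-only."""
    findings = []
    for line in netstat_text.splitlines():
        parts = line.split()
        # TCP rows have five columns; UDP rows have no State column and are
        # outside what this check covers.
        if len(parts) != 5 or parts[0] != "TCP" or parts[4] != str(pid):
            continue
        _, local, remote, state, _ = parts
        if state == "LISTENING":
            if not _host(local).is_loopback:
                findings.append(f"listener exposed beyond loopback: {local}")
        elif not _host(remote).is_loopback:
            findings.append(
                f"non-loopback connection: {local} -> {remote} ({state})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, 4321):
        print(finding)
```

An empty result for the tool's PID while it is parsing a config is consistent with the offline claim for TCP; a listener on 0.0.0.0:5000 would mean the analysis UI is reachable from other hosts on the network.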

System Requirements

  • OS: Windows 10 / Windows 11 (64-bit)
  • RAM: 4 GB minimum (8 GB recommended for large config files)
  • Disk: 150 MB free space
  • Internet: Not required
  • Installation: None — single .exe file, run directly

Get APO Tool

APO Tool is available as a standalone Windows executable. No installation required — download, extract, and run.

APO Tool v22 — Windows 64-bit


Download APO Tool (.exe)

Windows 10 / 11  |  ~27 MB  |  No installation required

Questions or feedback? Use the contact form on this site — response within one business day.
