FortiGate
sdabhade (Staff)
Article Id 218581
Description: This article describes how to check the hit count, first hit, last hit, first established, last established and established session count for single or multiple firewall policies through the CLI and GUI.
Scope: FortiGate.
Solution

To check the stats for a single firewall policy:

diagnose firewall iprope show <policy-group> <policy-idx>

The 'policy-group' ID for configurable firewall policies is 00100004.

The policy ID number is different from the policy sequence number, which is shown in the 'Seq#' column on the GUI. The policy ID number, which is the index number of the firewall policy, can be found under the 'ID' column on the GUI.

Example: to check the stats for the firewall policy ID 1:

diagnose firewall iprope show 00100004 1
idx:1
pkts:172139 (0 0 0 0 0 0 0 0)
bytes:100413507 (0 0 0 0 0 0 0 0)
asic_pkts:702 (0 0 0 0 0 0 0 0)
asic_bytes:171463 (0 0 0 0 0 0 0 0)
nturbo_pkts:0 (0 0 0 0 0 0 0 0)
ntubro_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0
hit count:5170 (0 0 0 0 0 0 0 0)
first hit:2022-06-21 11:56:39 last hit:2022-06-24 22:07:27
established session count:10
first est:2022-06-21 11:56:39 last est:2022-06-24 22:07:27


To check the stats for multiple firewall policies:

diagnose firewall iprope show <policy-group> <policy-idx-1> <policy-idx-2> <policy-idx-3> ...

Example: to check the stats for the firewall policy IDs 1, 2 and 3:

diagnose firewall iprope show 00100004 1 2 3

The 'policy-group' ID 00100001 is for configurable firewall local-in policies. This feature is only available from v7.0.x onwards:

diagnose firewall iprope show 00100001 1
idx:1
pkts:16 (16 0 0 0 0 0 0 0)
bytes:960 (960 0 0 0 0 0 0 0)
asic_pkts:0 (0 0 0 0 0 0 0 0)
asic_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0
hit count:1 (1 0 0 0 0 0 0 0)
first hit:2023-08-24 16:57:57 last hit:2023-08-24 16:57:57
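The `diagnose firewall iprope show` output above has the same line format for every policy index, so it can be parsed and used for rule hygiene, for example to list policies that have never matched or have not matched recently. The following Python is an added example, not code from the article or from Fortinet: it parses the output into one record per `idx:` block and flags unused or stale policies. The sample text is a constructed concatenation in the format shown above (the zero-hit block and its `0000-00-00` timestamps are a placeholder, so any timestamp that does not parse is treated as "never"), and the 30-day threshold and reference date are assumptions.

```python
"""Parse `diagnose firewall iprope show <policy-group> <idx> ...` output and
flag policies that appear unused or stale (added example, not Fortinet code)."""
import re
from datetime import datetime, timedelta

# Constructed sample in the article's output format: three policy blocks as
# returned for `diagnose firewall iprope show 00100004 1 2 3`. Block idx:2 is a
# constructed placeholder for a policy that has never matched.
SAMPLE_OUTPUT = """\
idx:1
pkts:172139 (0 0 0 0 0 0 0 0)
bytes:100413507 (0 0 0 0 0 0 0 0)
asic_pkts:702 (0 0 0 0 0 0 0 0)
asic_bytes:171463 (0 0 0 0 0 0 0 0)
nturbo_pkts:0 (0 0 0 0 0 0 0 0)
ntubro_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0
hit count:5170 (0 0 0 0 0 0 0 0)
first hit:2022-06-21 11:56:39 last hit:2022-06-24 22:07:27
established session count:10
first est:2022-06-21 11:56:39 last est:2022-06-24 22:07:27
idx:2
pkts:0 (0 0 0 0 0 0 0 0)
bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0
hit count:0 (0 0 0 0 0 0 0 0)
first hit:0000-00-00 00:00:00 last hit:0000-00-00 00:00:00
established session count:0
first est:0000-00-00 00:00:00 last est:0000-00-00 00:00:00
idx:3
pkts:4200 (0 0 0 0 0 0 0 0)
bytes:315000 (0 0 0 0 0 0 0 0)
flag:0x0
hit count:40 (0 0 0 0 0 0 0 0)
first hit:2022-01-05 08:00:00 last hit:2022-02-01 09:30:00
established session count:3
first est:2022-01-05 08:00:00 last est:2022-02-01 09:30:00
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
TS_RE = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
COUNTER_RE = re.compile(r"^(pkts|bytes|hit count|established session count):(\d+)")
TS_LINE_RE = re.compile(rf"^first (hit|est):({TS_RE}) last \1:({TS_RE})")


def _ts(text):
    """Parse a CLI timestamp; anything unparseable (e.g. a zero date) is None."""
    try:
        return datetime.strptime(text, TS_FMT)
    except ValueError:
        return None


def parse_iprope_show(output):
    """Return {policy_idx: record} with counters as ints and timestamps as datetimes."""
    policies = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("idx:"):
            current = {"idx": int(line[len("idx:"):])}
            policies[current["idx"]] = current
            continue
        if current is None:  # text before the first idx: line is ignored
            continue
        m = COUNTER_RE.match(line)
        if m:
            current[m.group(1)] = int(m.group(2))
            continue
        m = TS_LINE_RE.match(line)
        if m:
            kind = m.group(1)
            current[f"first {kind}"] = _ts(m.group(2))
            current[f"last {kind}"] = _ts(m.group(3))
        # asic_*, nturbo_*, flag lines are not needed for this check
    return policies


def stale_policies(policies, now, max_idle=timedelta(days=30)):
    """Policy indexes that never matched or whose last hit is older than max_idle."""
    stale = []
    for idx, rec in sorted(policies.items()):
        last = rec.get("last hit")
        if rec.get("hit count", 0) == 0 or last is None or now - last > max_idle:
            stale.append(idx)
    return stale


if __name__ == "__main__":
    # Assumed reference date so the report is deterministic offline.
    reference_now = datetime(2022, 6, 25, 0, 0, 0)
    parsed = parse_iprope_show(SAMPLE_OUTPUT)
    for idx, rec in sorted(parsed.items()):
        print(idx, rec.get("hit count"), rec.get("last hit"),
              rec.get("established session count"))
    print("unused or stale policy IDs:", stale_policies(parsed, reference_now))
```

Because the article notes that diskless units lose these counters on reboot, a "stale" verdict is only meaningful when the unit has been up longer than the idle threshold; compare against the device uptime before acting on the list.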

For ZTNA-related policy lookup:

diag firewall iprope list 100017

On devices without a disk, the counter statistics are cleared after a reboot. Devices with a disk keep the counter statistics.

Note:

In SSL VPN, 'diagnose firewall iprope show <policy-group> <policy-idx>' only works for tunnel mode, not for web mode.

Below is the process to check the hit counts in the GUI:

  • Navigate to Policy & Objects -> Firewall Policy.
  • Ensure that the Bytes column is added.
  • Select a policy and hover over the Bytes column. It will show Hit Counts, First Hit, Last Hit, and Established Session Count.

It will also show whether SPU is enabled or disabled.

To check the hit count for a security policy in policy mode, use the command below:

diagnose ips pme policy stats

Refer to the following document for more information:

Seven-day policy hit counter

Related article:

Technical Tip: How to clear or reset policy counters on the firewall Policy via CLI