sdabhade
Staff
Article Id 218581
Description This article describes how to check the Hit Count, First hit, last hit, and established session count for single or multiple Firewall Policies through CLI and GUI.
Scope FortiGate.
Solution

To check the stats for a single firewall policy:

diagnose firewall iprope show <policy-group> <policy-idx>

The 'policy-group' ID 00100004 is the group that holds the configurable firewall policies.
The Policy ID number is different from the policy sequence number, which is shown in the 'Seq#' column on the GUI.

The Policy ID number, which is the index number of the firewall policy, can be found under the 'ID' column on the GUI.


Example.

To check the stats for the firewall policy with ID 1:

diagnose firewall iprope show 00100004 1
idx:1
pkts:172139 (0 0 0 0 0 0 0 0)
bytes:100413507 (0 0 0 0 0 0 0 0)
asic_pkts:702 (0 0 0 0 0 0 0 0)
asic_bytes:171463 (0 0 0 0 0 0 0 0)
nturbo_pkts:0 (0 0 0 0 0 0 0 0)
ntubro_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0
hit count:5170 (0 0 0 0 0 0 0 0)
first hit:2022-06-21 11:56:39 last hit:2022-06-24 22:07:27
established session count:10
first est:2022-06-21 11:56:39 last est:2022-06-24 22:07:27

To check the stats for multiple firewall policies:

diagnose firewall iprope show <policy-group> <policy-idx-1> <policy-idx-2> <policy-idx-3> ...

Example.

To check the stats for the firewall policies with IDs 1, 2 and 3:

diagnose firewall iprope show 00100004 1 2 3

The 'policy-group' ID 00100001 is the group for configurable firewall local-in-policies. This feature is only available from 7.0.x onwards:

diagnose firewall iprope show 00100001 1
idx:1
pkts:16 (16 0 0 0 0 0 0 0)
bytes:960 (960 0 0 0 0 0 0 0)
asic_pkts:0 (0 0 0 0 0 0 0 0)
asic_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0
hit count:1 (1 0 0 0 0 0 0 0)
first hit:2023-08-24 16:57:57 last hit:2023-08-24 16:57:57
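As an added example (not part of the article and not Fortinet tooling), the following Python parses the output of `diagnose firewall iprope show` for one or more policies, including the shorter local-in-policy form that carries no nturbo or established-session lines, and then flags policies that have never matched traffic or have been idle longer than a threshold, which is the usual input to a rule-cleanup review. The sample output is constructed: policy 1 repeats the article's output, policies 2 and 3 are made up, and it is an assumption of this example that a policy which has never matched traffic prints no 'first hit'/'last hit' line (the parser also copes if that line is present).

```python
"""Parse 'diagnose firewall iprope show' output and flag idle policies.

Added example, not part of the Fortinet article. SAMPLE_OUTPUT is constructed:
policy 1 repeats the article's output, policies 2 and 3 are made up, and the
absence of a 'first hit' line for a never-hit policy is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample, as if captured from: diagnose firewall iprope show 00100004 1 2 3
SAMPLE_OUTPUT = """\
idx:1
pkts:172139 (0 0 0 0 0 0 0 0)
bytes:100413507 (0 0 0 0 0 0 0 0)
asic_pkts:702 (0 0 0 0 0 0 0 0)
asic_bytes:171463 (0 0 0 0 0 0 0 0)
nturbo_pkts:0 (0 0 0 0 0 0 0 0)
ntubro_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0
hit count:5170 (0 0 0 0 0 0 0 0)
first hit:2022-06-21 11:56:39 last hit:2022-06-24 22:07:27
established session count:10
first est:2022-06-21 11:56:39 last est:2022-06-24 22:07:27
idx:2
pkts:16 (16 0 0 0 0 0 0 0)
bytes:960 (960 0 0 0 0 0 0 0)
flag:0x0
hit count:1 (1 0 0 0 0 0 0 0)
first hit:2023-08-24 16:57:57 last hit:2023-08-24 16:57:57
idx:3
pkts:0 (0 0 0 0 0 0 0 0)
bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0
hit count:0 (0 0 0 0 0 0 0 0)
"""

# Reference date for the idle check in this example (constructed).
AS_OF = datetime(2023, 9, 1)
_TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
_TS_FMT = "%Y-%m-%d %H:%M:%S"
# Totals we keep; the parenthesised per-CPU breakdown is dropped.
_COUNTERS = {"pkts": "pkts", "bytes": "bytes",
             "hit count": "hit_count", "established session count": "est_sessions"}


@dataclass
class PolicyStats:
    idx: int
    pkts: int = 0
    bytes: int = 0
    hit_count: int = 0
    est_sessions: int = 0
    first_hit: Optional[datetime] = None
    last_hit: Optional[datetime] = None
    first_est: Optional[datetime] = None
    last_est: Optional[datetime] = None


def parse_iprope_show(text: str) -> dict[int, PolicyStats]:
    """Return {policy_id: PolicyStats} for every 'idx:' block in the output."""
    stats: dict[int, PolicyStats] = {}
    cur: Optional[PolicyStats] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"idx:(\d+)", line)
        if m:
            cur = PolicyStats(idx=int(m.group(1)))
            stats[cur.idx] = cur
            continue
        if cur is None:
            raise ValueError(f"counter line before any idx: {line!r}")
        # 'name:total (c0 c1 ...)'; re.match anchors at the start, so
        # 'asic_pkts' and 'nturbo_pkts' do not collide with 'pkts'.
        m = re.match(r"(pkts|bytes|hit count|established session count):(\d+)", line)
        if m:
            setattr(cur, _COUNTERS[m.group(1)], int(m.group(2)))
            continue
        # 'first hit:<ts> last hit:<ts>' or 'first est:<ts> last est:<ts>'
        m = re.fullmatch(rf"first (hit|est):({_TS}) last \1:({_TS})", line)
        if m:
            kind = m.group(1)
            setattr(cur, f"first_{kind}", datetime.strptime(m.group(2), _TS_FMT))
            setattr(cur, f"last_{kind}", datetime.strptime(m.group(3), _TS_FMT))
        # asic_*, nturbo_* and flag lines carry nothing this report needs.
    return stats


def idle_policies(stats: dict[int, PolicyStats], now: datetime, max_idle_days: int) -> list[int]:
    """IDs of policies that never matched traffic or whose last hit is older than max_idle_days."""
    idle = []
    for p in stats.values():
        if p.hit_count == 0 or p.last_hit is None or (now - p.last_hit).days > max_idle_days:
            idle.append(p.idx)
    return sorted(idle)


if __name__ == "__main__":
    parsed = parse_iprope_show(SAMPLE_OUTPUT)
    for p in parsed.values():
        print(f"policy {p.idx}: hits={p.hit_count} last_hit={p.last_hit} est={p.est_sessions}")
    print("idle policies:", idle_policies(parsed, AS_OF, max_idle_days=30))
```

Because counters on diskless units reset at reboot, a zero hit count only means "no hits since the last reboot or counter reset", so compare the first-hit timestamp with the unit's uptime before treating a policy as unused.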

For ZTNA-related policy lookup:

diag firewall iprope list 100017

On devices without a disk, the counter statistics are cleared after a reboot. Devices with a disk keep the counter statistics across reboots.

Below is the process to check the hit counts in the GUI.


  • Navigate to Policy & Objects > Firewall Policy.
  • Ensure that the Bytes column is added to the table.
  • Select a policy and hover over the Bytes column. It will show Hit Counts, First Hit, Last Hit, and Established Session Count.

It will also show whether SPU is enabled or disabled.

The same can be viewed from the CLI as well. Refer to the below document:

Technical Tip: How to check the Hit Count, First hit, last hit, and established session count for si...

Related article:

Technical Tip: How to clear or reset policy counters on the firewall Policy via CLI