FortiGate
mpandya
Staff
Article Id 271288
Description This article describes how to check which firewall policy was last used on a FortiGate.
Scope FortiGate.
Solution

To determine which firewall policy was last used on a FortiGate firewall, follow these steps:

  1. Log in to the FortiGate firewall's web-based management interface.
  2. Navigate to Policy & Objects or Policy Object (the exact name may vary depending on the FortiGate version).
  3. Under Policy & Objects, select 'Firewall Policy'.

 


 

  4. Look for a column labeled 'Last Used' or 'Last Matched' in the list of firewall policies. This column should display the date and time when each policy was last used or matched.

 


 

  5. Select the column header to sort the policies by the 'Last Used' timestamp in ascending or descending order to identify the policy that was last used.

In the CLI, the output of the command below also shows the first hit and last hit:

 

diag firewall iprope show 100004 <policy_id>

 

For example:

 

diag firewall iprope show 100004 35
idx:35
pkts:211865 (7677 20673 19757 18952 19994 19036 19263 18879)
bytes:21002251 (652549 2243693 2005623 1795485 2048681 1792136 1846935 1779403)
asic_pkts:0 (0 0 0 0 0 0 0 0)
asic_bytes:0 (0 0 0 0 0 0 0 0)
nturbo_pkts:0 (0 0 0 0 0 0 0 0)
nturbo_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0
hit count:2316 (71 248 210 209 221 219 212 195)
first hit:2024-12-21 12:55:56 last hit:2025-01-01 09:52:59
established session count:4
first est:2024-12-21 12:55:56 last est:2025-01-01 09:52:59
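
When reviewing a rule base for unused policies, the CLI output above can be saved as text and parsed offline. The following is an added example, not Fortinet code: the function names `parse_iprope` and `is_stale` and the 90-day idle threshold are assumptions chosen for illustration, and the sample is taken from the example output above.

```python
import re
from datetime import datetime, timedelta

# Sample: lines from the example output on this page (policy ID 35).
SAMPLE = """\
idx:35
pkts:211865 (7677 20673 19757 18952 19994 19036 19263 18879)
flag:0x0
hit count:2316 (71 248 210 209 221 219 212 195)
first hit:2024-12-21 12:55:56 last hit:2025-01-01 09:52:59
established session count:4
first est:2024-12-21 12:55:56 last est:2025-01-01 09:52:59
"""

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
TS_PAIR = re.compile(rf"(first|last) (hit|est):({TS})")
COUNTER = re.compile(r"^([a-z_ ]+):(\d+)(?: \(([\d ]+)\))?$")


def parse_iprope(text):
    """Parse one policy block into a dict of ints, value lists and datetimes."""
    rec = {}
    for line in text.splitlines():
        line = line.strip()
        pairs = TS_PAIR.findall(line)
        if pairs:  # "first hit:<ts> last hit:<ts>" share a single line
            for which, kind, ts in pairs:
                rec[f"{which} {kind}"] = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            continue
        m = COUNTER.match(line)  # non-decimal fields such as flag:0x0 are skipped
        if m:
            rec[m.group(1)] = int(m.group(2))
            if m.group(3):  # parenthesised values; the page does not define them
                rec[m.group(1) + " buckets"] = [int(v) for v in m.group(3).split()]
    return rec


def is_stale(rec, now, max_idle_days=90):
    """True if no last hit was parsed or it is older than the assumed threshold."""
    last = rec.get("last hit")
    return last is None or now - last > timedelta(days=max_idle_days)


if __name__ == "__main__":
    rec = parse_iprope(SAMPLE)
    now = datetime(2025, 1, 15)  # constructed "current time" for the demo
    print(rec["idx"], rec["hit count"], rec["last hit"], "stale:", is_stale(rec, now))
```

Compare `last hit` against the firewall's own clock and time zone when deciding whether a policy is a candidate for review or removal.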