FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
preetisingh
Staff
Article Id 397472
Description: This article describes how to check the hit count for a local-in policy.
Scope: FortiGate v7.0.4+.
Solution

Use the following command to check the local-in policy hit count:

diagnose firewall iprope show 100001 <policy id>

This command also shows the timestamps of the first and last hit.


Example output:

Local-in policy configuration:


config firewall local-in-policy
    edit 1
        set intf "WAN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
        set schedule "always"
    next
end


diagnose firewall iprope show <ID> <stage>

diagnose firewall iprope show 100001 1
idx:1
pkts:11372 (11372 0 0 0 0 0 0 0)
bytes:8167893 (8167893 0 0 0 0 0 0 0)
asic_pkts:0 (0 0 0 0 0 0 0 0)
asic_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0
hit count:461 (461 0 0 0 0 0 0 0)
first hit:2025-06-23 09:12:55 last hit:2025-06-23 09:15:12
established session count:1
first est:2025-06-23 09:13:53 last est:2025-06-23 09:14:56


To clear the counter, the following command can be used:

diagnose firewall iprope clear <ID> <stage>

diagnose firewall iprope clear 100001 1

Output may vary depending on the action and service configured in the local-in policy.
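To track these counters over time rather than reading them by hand (for example, to notice when a local-in policy guarding management access starts accumulating hits), the following added Python example parses the `diagnose firewall iprope show` block shown above and compares two snapshots. This is not FortiOS or Fortinet code: the sample text is constructed from the article's example output, the dictionary layout is this example's own, and a hit count that goes backwards is treated as a counter clear.

```python
import re
from datetime import datetime

# Constructed sample: the article's example block for policy idx 1 (not a live capture)
SAMPLE = """idx:1
pkts:11372 (11372 0 0 0 0 0 0 0)
bytes:8167893 (8167893 0 0 0 0 0 0 0)
asic_pkts:0 (0 0 0 0 0 0 0 0)
asic_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0
hit count:461 (461 0 0 0 0 0 0 0)
first hit:2025-06-23 09:12:55 last hit:2025-06-23 09:15:12
established session count:1
first est:2025-06-23 09:13:53 last est:2025-06-23 09:14:56
"""

# "name:total (per-CPU values)" counters, e.g. "hit count:461 (461 0 0 0 0 0 0 0)"
COUNTER_RE = re.compile(r"^(?P<name>[a-z_ ]+?):(?P<total>\d+)\s*\((?P<cpus>[\d ]+)\)$")
# "first hit:<ts> last hit:<ts>" and "first est:<ts> last est:<ts>" lines
TS_RE = re.compile(r"(first hit|last hit|first est|last est):(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def parse_iprope_show(text):
    """Parse one policy block from 'diagnose firewall iprope show' into a dict."""
    result = {"counters": {}, "timestamps": {}, "fields": {}}
    for line in text.splitlines():
        line = line.strip()  # the CLI pads some lines with trailing spaces
        if not line:
            continue
        stamps = TS_RE.findall(line)
        if stamps:
            for name, stamp in stamps:
                result["timestamps"][name] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            continue
        m = COUNTER_RE.match(line)
        if m:
            per_cpu = [int(v) for v in m.group("cpus").split()]
            result["counters"][m.group("name")] = {"total": int(m.group("total")), "per_cpu": per_cpu}
            continue
        name, _, value = line.partition(":")  # idx, flag, established session count
        result["fields"][name.strip()] = value.strip()
    return result


def hit_delta(before, after):
    """Hits accumulated between two snapshots; None when the counter went backwards,
    which means it was cleared ('diagnose firewall iprope clear') or the unit rebooted."""
    b = before["counters"]["hit count"]["total"]
    a = after["counters"]["hit count"]["total"]
    return None if a < b else a - b
```

Feed the parser the text captured from the CLI for the policy you care about and keep the previous snapshot; a non-zero delta on a policy that should never match is the signal worth alerting on.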


For a comprehensive explanation of iprope policy groups, refer to Technical Tip: iprope policies group.