leej
Staff
Article Id 392430
Description

This article describes a scenario where 'Last Used' and 'Hit Count' do not increase, despite having ongoing sessions.

Scope

FortiGate.
Solution

'Last Used' and 'Hit Count' may not be updated despite a working firewall policy:

  • Firewall policy #2 has only one established session:

FGT-60 (root) # diagnose sys session list

session info: proto=6 proto_state=01 duration=172 expire=1635 timeout=1800 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00 log-start
statistic(bytes/packets/allow_err): org=3248/18/1 reply=3561/17/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=5->4/4->5 gwy=10.0.5.2/10.0.6.8
hook=post dir=org act=snat 10.0.6.8:59248->10.0.5.2:22(10.0.5.60:59248)
hook=pre dir=reply act=dnat 10.0.5.2:22->10.0.5.60:59248(10.0.6.8:59248)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 pol_uuid_idx=14745 auth_info=0 chk_client_info=0 vd=0
serial=000005f9 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100
no_ofld_reason: npu-flag-off
total session 1

  • 35 packets have hit policy #2, but 'hit count' is '1', and 'first hit' and 'last hit' have the same value:

FGT-60 (root) # diagnose firewall iprope show 100004 2
idx:2
pkts:35 (35 0 0 0 0 0 0 0) <<< Sum of "org" + "reply"
bytes:6809 (6809 0 0 0 0 0 0 0)
asic_pkts:0 (0 0 0 0 0 0 0 0)
asic_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0
hit count:1 (1 0 0 0 0 0 0 0)
first hit:2025-02-04 16:14:36 last hit:2025-02-04 16:14:36
established session count:1
first est:2025-02-04 16:14:36 last est:2025-02-04 16:14:36

  • Even though further packets of the same session (serial 000005f9) hit policy #2, 'hit count' stays at '1', and 'first hit' and 'last hit' still have the same value:

FGT-60 (root) # diagnose sys session list

session info: proto=6 proto_state=01 duration=254 expire=1747 timeout=1800 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00 log-start
statistic(bytes/packets/allow_err): org=3680/24/1 reply=3969/20/1 tuples=2
tx speed(Bps/kbps): 5/0 rx speed(Bps/kbps): 5/0
orgin->sink: org pre->post, reply pre->post dev=5->4/4->5 gwy=10.0.5.2/10.0.6.8
hook=post dir=org act=snat 10.0.6.8:59248->10.0.5.2:22(10.0.5.60:59248)
hook=pre dir=reply act=dnat 10.0.5.2:22->10.0.5.60:59248(10.0.6.8:59248)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 pol_uuid_idx=14745 auth_info=0 chk_client_info=0 vd=0
serial=000005f9 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100
no_ofld_reason: npu-flag-off
total session 1

FGT-60 (root) # diagnose firewall iprope show 100004 2
idx:2
pkts:44 (44 0 0 0 0 0 0 0) <<< Sum of "org" + "reply"
bytes:7649 (7649 0 0 0 0 0 0 0)
asic_pkts:0 (0 0 0 0 0 0 0 0)
asic_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0
hit count:1 (1 0 0 0 0 0 0 0)
first hit:2025-02-04 16:14:36 last hit:2025-02-04 16:14:36
established session count:1
first est:2025-02-04 16:14:36 last est:2025-02-04 16:14:36

  • When a new packet that does not belong to the existing session comes in and hits policy #2:

FGT-60 (root) # diagnose sys session list

A new session:

session info: proto=6 proto_state=01 duration=13 expire=1786 timeout=1800 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=ftp vlan_cos=0/255
state=log may_dirty f00 log-start
statistic(bytes/packets/allow_err): org=153/3/1 reply=152/3/1 tuples=2
tx speed(Bps/kbps): 10/0 rx speed(Bps/kbps): 10/0
orgin->sink: org pre->post, reply pre->post dev=5->4/4->5 gwy=10.0.5.2/10.0.6.8
hook=post dir=org act=snat 10.0.6.8:59282->10.0.5.2:21(10.0.5.60:59282)
hook=pre dir=reply act=dnat 10.0.5.2:21->10.0.5.60:59282(10.0.6.8:59282)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 pol_uuid_idx=14745 auth_info=0 chk_client_info=0 vd=0
serial=0000095f tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100
no_ofld_reason: npu-flag-off

An existing session:

session info: proto=6 proto_state=01 duration=362 expire=1727 timeout=1800 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00 log-start
statistic(bytes/packets/allow_err): org=16968/153/1 reply=21241/147/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=5->4/4->5 gwy=10.0.5.2/10.0.6.8
hook=post dir=org act=snat 10.0.6.8:59248->10.0.5.2:22(10.0.5.60:59248)
hook=pre dir=reply act=dnat 10.0.5.2:22->10.0.5.60:59248(10.0.6.8:59248)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 pol_uuid_idx=14745 auth_info=0 chk_client_info=0 vd=0
serial=000005f9 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100
no_ofld_reason: npu-flag-off
total session 2

  • The 'hit count' value increases from '1' to '2', and 'last hit' is now updated:

FGT-60 (root) # diagnose firewall iprope show 100004 2
idx:2
pkts:306 (306 0 0 0 0 0 0 0) <<< Sum of "org" + "reply"
bytes:38514 (38514 0 0 0 0 0 0 0)
asic_pkts:0 (0 0 0 0 0 0 0 0)
asic_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0
hit count:2 (2 0 0 0 0 0 0 0)
first hit:2025-02-04 16:14:36 last hit:2025-02-04 16:20:25
established session count:2
first est:2025-02-04 16:14:36 last est:2025-02-04 16:20:25

This shows that 'hit count' and 'last used' are updated only when a packet newly hits the firewall policy, that is, when a new session is created against it. Packets belonging to an already established session are still counted in 'pkts' (the sum of 'org' and 'reply' packets of every session) but do not change 'hit count', 'last hit' or 'last used'.
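To make that relationship checkable rather than eyeballed, the following script is an added example (not part of the article and not a Fortinet tool). It parses the two CLI outputs above, sums 'org' + 'reply' packets per session for a policy, and confirms that 'pkts' tracks packets while 'hit count' tracks sessions. The sample input is a constructed, condensed copy of the article's output; it assumes every session created against the policy is still in the session table.

```python
import re

# Constructed sample input, condensed from the CLI outputs shown in the article
# (only the lines the parser needs; the packet counts are the page's own values).
SESSION_LIST = """\
session info: proto=6 proto_state=01 duration=13 expire=1786 timeout=1800
statistic(bytes/packets/allow_err): org=153/3/1 reply=152/3/1 tuples=2
misc=0 policy_id=2 pol_uuid_idx=14745 auth_info=0 chk_client_info=0 vd=0
serial=0000095f tos=ff/ff app_list=0 app=0 url_cat=0
session info: proto=6 proto_state=01 duration=362 expire=1727 timeout=1800
statistic(bytes/packets/allow_err): org=16968/153/1 reply=21241/147/1 tuples=2
misc=0 policy_id=2 pol_uuid_idx=14745 auth_info=0 chk_client_info=0 vd=0
serial=000005f9 tos=ff/ff app_list=0 app=0 url_cat=0
total session 2
"""
IPROPE_SHOW = """\
idx:2
pkts:306 (306 0 0 0 0 0 0 0)
hit count:2 (2 0 0 0 0 0 0 0)
first hit:2025-02-04 16:14:36 last hit:2025-02-04 16:20:25
established session count:2
"""

def parse_sessions(text):
    """One dict per session: policy_id and its org+reply packet total."""
    sessions = []
    for block in text.split("session info:")[1:]:
        stat = re.search(r"org=\d+/(\d+)/\d+ reply=\d+/(\d+)/\d+", block)
        pol = re.search(r"policy_id=(\d+)", block)
        sessions.append({"policy_id": int(pol.group(1)),
                         "pkts": int(stat.group(1)) + int(stat.group(2))})
    return sessions

def parse_iprope(text):
    """Scalar counters from 'diagnose firewall iprope show' output."""
    return {k: int(re.search(rf"^{k}:(\d+)", text, re.M).group(1))
            for k in ("pkts", "hit count", "established session count")}

def check_policy_counters(session_text, iprope_text, policy_id):
    """Relate a policy's counters to the sessions currently matching it. Assumes all
    sessions are still in the table (counters are cumulative; closed ones skew 'pkts')."""
    sessions = [s for s in parse_sessions(session_text) if s["policy_id"] == policy_id]
    ctr = parse_iprope(iprope_text)
    return {
        "sessions": len(sessions),
        # 'pkts' advances for every packet of every session (org + reply),
        "pkts_tracks_packets": ctr["pkts"] == sum(s["pkts"] for s in sessions),
        # whereas 'hit count' only advances when a new session is created.
        "hit_count_tracks_sessions": ctr["hit count"] == len(sessions),
    }
```

If 'pkts' keeps climbing while 'hit count' and the session count stay flat, the policy is simply carrying traffic for existing sessions, which is the situation this article describes.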

Related articles:

Troubleshooting Tip: Hit Count shows as 0 in firewall policies on FortiGate 6000 models 

Technical Tip: How to check the Hit Count, First hit, last hit, and established session count for si... 
Technical Tip: How to check which firewall policy was last used on a FortiGate 
Technical Tip: How to clear or reset policy counters on the firewall Policy via CLI 
