When visiting Firewall or Proxy policies, it is possible to observe zero hit count and non-zero Byte count as below.

The packet counter is mostly stuck. To rectify the issue, below steps can be actioned.

Make sure there are no active sessions on the policy by running the commands below:

diagnose sys session filter policy 3000
diagnose sys session list

total session: 0

If there are any active sessions, clear them using the command below.

Note:

This will affect sessions of users who are using this policy.

Verify the current status of the packet count by using the command below. The example below is for a policy where there is current traffic with a hit count that is non-zero.

diagnose firewall iprope show 100004 2
idx:2
pkts:22540 (0 0 0 0 0 0 0 0)
bytes:12995204 (0 0 0 0 0 0 0 0)
asic_pkts:0 (0 0 0 0 0 0 0 0)
asic_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0
hit count:822 (0 0 0 0 0 0 0 0)
first hit:2025-12-04 09:40:32 last hit:2025-12-04 16:13:32
established session count:0
first est:2025-12-04 09:40:32 last est:2025-12-04 16:13:32

The example below is for a policy where there is no current traffic, with a hit count is zero, but the Byte count shows a non-zero value due to stuck packets.

diagnose firewall iprope show 100004 3000
idx:3000
pkts:110 (0 0 0 0 0 0 0 0)   <----- Even though the hit count is zero, there are stuck packets.
bytes:12207 (0 0 0 0 0 0 0 0)
asic_pkts:1563648 (0 0 0 0 0 0 0 0)
asic_bytes:205030362 (0 0 0 0 0 0 0 0)
nturbo_pkts:0 (0 0 0 0 0 0 0 0)
nturbo_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0

Clear the packet counts:

diagnose firewall iprope clear 100004 3000

diagnose firewall iprope show 100004 3000
idx:2
pkts:0 (0 0 0 0 0 0 0 0)
bytes:0 (0 0 0 0 0 0 0 0)
asic_pkts:0 (0 0 0 0 0 0 0 0)
asic_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0