There is a requirement from IT audit department for find unused policy. It can use FortiGate API to find it, but if lot of FortiGate managed by FortiManager, use FortiManager API will be quick. 

Hitcount information is not actively updated in FortiManager. It needs to be manually refreshed by GUI or API as described below to get the latest values ​​by associating the FortiGate via the API sent by FortiManager.

Example:

1. The FortiManager default policy view does not contain a hit count:

2. After adding a hit count, the policy looks like this:

3. Refresh hit count:

4. Refresh option triggers a task：

5. Task result:

6. Use tools to find unused policies:

7. Find unused policies:

The above operations are manual and are not easy for plenty of FortiGate and ADOMs.

The following are the API steps:

1. Log in to FortiManager to get the session ID:

2. Get ADOMs list:

3. Get policy package name:

4. Trigger hit count task:
                                  

5. Get unused policy ID:
                                                  

6. Logout FortiManager:
                                                

Troubleshooting:

The below commands can be used on FortiManager CLI to debug the API Calls:

diagnose debug service httpd 255

diagnose debug service main 255

For more details, visit https://fndn.fortinet.net/