Firewall LEARN rule
Hi folks,
does anybody know how much time/traffic the LEARN rule needs before it actually shows anything in the Log? I have had it set up for 5 days and 30GB of traffic has gone through it, but I still don't see any result.
Labels: 5.4
Qs:
What do you mean by learn rule? Have you run any "diag debug flow" commands to validate that traffic is actually hitting the rule you suspect?
PCNSE
NSE
StrongSwan
The LEARN rule is the new thing in FortiOS 5.4.1. Alongside ACCEPT and DENY you have another firewall rule action named LEARN, which inspects packets and, according to the docs, after some time shows its results in the Log & Report pane.
https://www.youtube.com/watch?v=LI3bW2eO-ck
Emnoc is right. Can you verify that traffic is truly hitting this policy? Chances are it needs to be higher up in the policy set, as an existing policy may be letting the traffic traverse before it gets down to the learn rule you created.
Mike Pruett
The learn rule is most useful (to me at least) when deploying a new FortiGate in an environment using an ASA or whatever. Throw it inline in transparent mode and let it learn from there. Then you can build the policy in NAT mode and use it to replace the existing device.
Mike Pruett
It's the only rule that is active on the device. And as I wrote already, more than 30GB went through this rule. Should I consider it a bug?
Could be a bug.
1: try deleting it
2: re-apply it, or try another, more specific rule (for example ICMP only) and see what happens
PCNSE
NSE
StrongSwan
Sorry, It's Monday haha. I would think it would have shown something by now. I will deploy one in my lab tonight and see what happens.
Mike Pruett
Just saw this tidbit in the release notes:
Because this feature requires a minimum level of logging capabilities, it is only available on FortiGates with hard drives. Smaller models may not be able to use this feature.
PCNSE
NSE
StrongSwan
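Pulling the two threads above together (Emnoc's and Mike's "does traffic really hit the policy?" and the release-note requirement for a log disk), here is the FortiOS CLI sequence I would run on a 5.4.1 unit before calling it a bug. This is an added example, not something posted by anyone in the thread or taken from Fortinet documentation; the policy ID 1, the test host 10.0.0.5 and the `#` comment lines are assumptions for illustration, and `set learning-mode enable` is the CLI setting I understand the GUI "LEARN" action maps to in 5.4.1.

```fortios
# 1. Does this unit have a log disk at all? (requirement quoted from the 5.4.1 release notes)
get system status | grep "Log hard disk"
#   "Log hard disk: Available"      -> learning reports can be generated
#   "Log hard disk: Not available"  -> the Learn action will never produce a report

# 2. Is disk logging enabled? The learning report is built from logs stored on disk.
show log disk setting
#   expect: set status enable

# 3. Confirm the policy really is a learning policy (CLI view of the GUI "LEARN" action).
#    Policy ID 1 is assumed here; list yours with "show firewall policy".
show firewall policy 1
#   expect, among other lines:
#   set action accept
#   set learning-mode enable

# 4. Trace a handful of packets from a test host (10.0.0.5 is an assumed address) and look
#    for "Allowed by Policy-<id>" with the learning policy's ID in the trace output. If a
#    different ID appears, an earlier policy in the sequence is matching first.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 10.0.0.5
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
#   ... generate traffic from 10.0.0.5 now, then stop tracing:
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset

# 5. Sessions that were already established before the trace also record which policy
#    matched them, so this catches long-lived flows the 20-packet trace may have missed.
diagnose sys session filter src 10.0.0.5
diagnose sys session list
#   check "policy_id=<id>" in each session entry against the learning policy's ID
```

Steps 1 and 2 settle whether the feature can work on this hardware at all; steps 3 to 5 settle whether the traffic is actually being matched by the learning policy rather than by something higher in the list. Only if all five look right is "bug" the remaining explanation.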
Oops,
good find. I think Fortinet should disable this kind of option in the GUI; it just confuses people.
