penguruh
New Contributor

"Last Used" from CLI?

Hi,

Is it possible to get the "last used" counter from the CLI? I want to do that automated by scripting ...

Best Regards,

jhouvenaghel_FTNT

Hello,

I am not aware of a way to get it from the CLI, but you can use SNMP polling to get the info. It may help.

Regards

Jocelyn

emnoc
Esteemed Contributor III

I would say diagnose firewall iprope show 100004 <policyid> will tell you if the policy was hit, but the last_used date/time is not included. Maybe support has an alternative for diagnose firewall iprope.

As far as last use goes, you should write a log parser and use the UUIDs for the firewall policy in your parse jobs.

So, for example, the order would be:

Run a list of the policyids from the get or show of a firewall. This would be your seed file that you base the foundations off of. Since each policyid is unique, outside of adds/changes, you only need to update the seed list before running the parse job.

(building a seed from vd=root)

echo -e "config vdom\n \n edit root\n show firewall policy | grep edit\n " | ssh 1.1.1.1 | awk '{print $2}'

1.1.1.1 would be your firewall address.

Then build a "diagnose firewall iprope show 100004" loop based on the policy-ids in the seed, and weed out anything that has 0/0 for bytes.

e.g.

 

FWWALL (root) # diagnose firewall iprope show 100004 1 2 8 9 11
idx=1 pkts/bytes=0/0 asic_pkts/asic_bytes=0/0 flag=0x0
idx=2 pkts/bytes=0/0 asic_pkts/asic_bytes=0/0 flag=0x0
idx=8 pkts/bytes=0/0 asic_pkts/asic_bytes=0/0 flag=0x0
idx=9 pkts/bytes=8120/5371085 asic_pkts/asic_bytes=0/0 flag=0x0
idx=11 pkts/bytes=1899920/2389353456 asic_pkts/asic_bytes=0/0 flag=0x0

and

FWWALL (root) # diagnose firewall iprope show 100004 1 2 8 9 11 | grep -v "pkts/bytes=0/0"
idx=9 pkts/bytes=8120/5371085 asic_pkts/asic_bytes=0/0 flag=0x0
idx=11 pkts/bytes=1899920/2389353456 asic_pkts/asic_bytes=0/0 flag=0x0

 

 

So now you just need the UUID for firewall policy #5 and parse your logs.

echo -e " config vdom\n edit root\n show firewall policy 8 | grep uuid \n" | ssh 1.1.1.1 | grep set | cut -d "#" -f 2

Outside of that, there's no easy way. The above suggestion would require that you have:

1: traffic logs

2: probably logging off disk/memory

3: Splunk, Sawmill, ELK stack or Loggly would be great for this btw

4: access to the uuid information

Once you have the uuid, it's straightforward to write queries for date/time ranges.

BTW, this is how we audit fw ole' school and manually. This helps determine if policies are used or when last used, and track any changes for policies that were working and now have stopped.

Ken

PCNSE
NSE
StrongSwan
penguruh
New Contributor

Thx for your tips

ede_pfau

FYI

Running v5.4.5, you'll get your timestamps:

gate # diag firewall iprope show 100004 23
idx=23 pkts/bytes=151795/26928951 asic_pkts/asic_bytes=74137/9845236 flag=0x0 hit count:1476
    first:2017-07-25 09:43:51 last:2017-07-25 15:14:53

Ede

"Kernel panic: Aiee, killing interrupt handler!"
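An added example (not code from any poster in this thread) that turns both output formats shown above, emnoc's counter-only format and Ede's v5.4.5 format with hit count/first/last, into per-policy records so a script can do the "weed out 0/0" step and pick up the last-used timestamp where the firmware prints it. The sample output is constructed from the lines quoted in the thread; the parser also sums the separately reported ASIC counters rather than looking only at the software pkts/bytes.

```python
import re
from datetime import datetime

# Constructed sample input, assembled from the output lines quoted in this thread
# (older counter-only format, and the v5.4.5 format with hit count/first/last).
SAMPLE_OLD = """\
FWWALL (root) # diagnose firewall iprope show 100004 1 2 8 9 11
idx=1 pkts/bytes=0/0 asic_pkts/asic_bytes=0/0 flag=0x0
idx=2 pkts/bytes=0/0 asic_pkts/asic_bytes=0/0 flag=0x0
idx=8 pkts/bytes=0/0 asic_pkts/asic_bytes=0/0 flag=0x0
idx=9 pkts/bytes=8120/5371085 asic_pkts/asic_bytes=0/0 flag=0x0
idx=11 pkts/bytes=1899920/2389353456 asic_pkts/asic_bytes=0/0 flag=0x0
"""
SAMPLE_NEW = """\
gate # diag firewall iprope show 100004 23
idx=23 pkts/bytes=151795/26928951 asic_pkts/asic_bytes=74137/9845236 flag=0x0 hit count:1476
    first:2017-07-25 09:43:51 last:2017-07-25 15:14:53
"""

ENTRY_RE = re.compile(
    r"idx=(?P<idx>\d+)\s+pkts/bytes=(?P<pkts>\d+)/(?P<bytes>\d+)"
    r"\s+asic_pkts/asic_bytes=(?P<apkts>\d+)/(?P<abytes>\d+)"
)
TS_RE = re.compile(r"first:(?P<first>\S+ \S+)\s+last:(?P<last>\S+ \S+)")
TS_FMT = "%Y-%m-%d %H:%M:%S"

def parse_iprope(text):
    """Map policy id -> counters, plus first/last datetimes where the firmware prints them.
    Software and ASIC counters are reported separately, so both are summed."""
    policies, current = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            current = int(m["idx"])
            policies[current] = {
                "pkts": int(m["pkts"]) + int(m["apkts"]),
                "bytes": int(m["bytes"]) + int(m["abytes"]),
                "first": None, "last": None,
            }
            line = line[m.end():]  # timestamps may follow on the same line
        t = TS_RE.search(line)
        if t and current is not None:
            policies[current]["first"] = datetime.strptime(t["first"], TS_FMT)
            policies[current]["last"] = datetime.strptime(t["last"], TS_FMT)
    return policies

def unused_policies(text):
    """Policy ids with zero packets on both software and ASIC counters (emnoc's weeding step)."""
    return sorted(i for i, p in parse_iprope(text).items() if p["pkts"] == 0)
```

Feed it the captured output of the loop emnoc describes; on firmware without timestamps the first/last fields stay None and the log-parsing step is still needed.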
emnoc
Esteemed Contributor III

That's good to know. v5.2.11 and v5.4.0 do not, btw. I didn't check my v5.6 until just now.

If your logging target is remote, it's still best to recover this from the log source (disk or FAZ or syslogd) due to 1> reboots 2> upgrades 3> etc......

Also, if someone runs diag firewall iprope clear, you will probably lose all correct diag information, imho.

FWIW: We are going to do a POC sometime later using the Splunk app and FortiGate logs to determine counts and timestamps. I hope to post a success story ;)

PCNSE
NSE
StrongSwan