My suggestion would be:
- Enable the "count" option on all the security rules.
- Clear all the count statistics.
- Check for policies with a count of 0. After 30 days or so, if a count is still 0, then the rule may no longer be needed.
To clear count stats: "clear security policies hit-count"
To check policies with count of 0: "show security policies hit-count less-than 1"
I still see 2 gotchas:
1. The device may have a limit on the maximum number of rules that can have 'count' configured.
2. It may be normal for some rules not to be hit within the 30 days or so that you monitor.
Hope this helps.
Regards,
Sam
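As an added example (not part of Sam's post), the following Python script turns the third step and the second gotcha into something repeatable: it parses the table printed by `show security policies hit-count`, lists the policies at zero hits, and skips a maintainer-supplied list of policies that are expected to stay quiet (for instance a failover or break-glass rule). The sample output is constructed to resemble the command's table; the exact column layout and the policy names are assumptions, not taken from a real device.

```python
"""Flag Junos SRX security policies with zero hits for review.

Added example, not from the original post. Parses the hit-count table
printed by `show security policies hit-count` and returns the policies
whose count is still zero after the monitoring window.
"""
import re
from dataclasses import dataclass

# Constructed sample of `show security policies hit-count` output.
# The column layout and the policy names are assumptions for illustration.
SAMPLE_OUTPUT = """\
Logical system: root-logical-system
 Index   From zone        To zone          Name               Policy count
 1       trust            untrust          allow-web          48213
 2       trust            untrust          allow-ssh-admin    0
 3       untrust          trust            allow-vpn-backup   0
 4       trust            dmz              allow-dns          9921
 5       dmz              trust            legacy-ftp         0
"""

# One data row: index, from-zone, to-zone, policy name, hit count.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


@dataclass
class PolicyHit:
    index: int
    from_zone: str
    to_zone: str
    name: str
    count: int


def parse_hit_counts(text):
    """Return one PolicyHit per data row; header and banner lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            idx, from_zone, to_zone, name, count = m.groups()
            rows.append(PolicyHit(int(idx), from_zone, to_zone, name, int(count)))
    return rows


def unused_candidates(rows, expected_quiet=frozenset(), max_hits=0):
    """Policies at or below max_hits that are not on the expected-quiet list.

    expected_quiet covers the second gotcha: rules that legitimately see no
    traffic in a normal month (disaster-recovery paths, break-glass access)
    should be reviewed by hand rather than flagged as removable.
    """
    return [
        r for r in rows
        if r.count <= max_hits and r.name not in expected_quiet
    ]


if __name__ == "__main__":
    policies = parse_hit_counts(SAMPLE_OUTPUT)
    quiet_by_design = {"allow-vpn-backup"}  # assumed exception list
    for p in unused_candidates(policies, expected_quiet=quiet_by_design):
        print(f"review: index {p.index} {p.from_zone}->{p.to_zone} {p.name} (hits={p.count})")
```

Run it against a saved copy of the command output after the 30-day window has elapsed since `clear security policies hit-count`; policies it prints are candidates for removal, not confirmed dead rules, so confirm each one with the owning team before deleting it.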