inspect network-policy dropped
Prisma SD-WAN

Use the inspect network-policy dropped command to identify network policy rules the device dropped because the configuration's resource requirements exceed the system resource limit.
This command diagnoses resource exhaustion in your network policy configuration. When the total resource cost of all configured rules exceeds the system resource limit, the device drops the most resource-intensive rules first to stay within the limit. The device does not enforce dropped rules: traffic that would have matched them may be handled by unintended rules or pass through uninspected. The command shows the current resource usage summary, which rules the device dropped, and the per-rule resource cost. Use this information to simplify or reorganize your policy and bring resource usage within the allowed limit.
The resource cost of a rule is determined by the following factors:
  • Number of applications matched by the rule.
  • Number of source IP prefixes in the source prefix list.
  • Number of destination IP prefixes in the destination prefix list.
  • Application overlap within policy sets and within a policy set stack.
If the policy is applied to multiple sites, test any policy change on a single site before deploying broadly. If a change causes resource exhaustion, the ION device may become unresponsive and unable to accept a rollback. Restarting the fabric controller (FC) in this state takes the ION offline and removes remote access, preventing further policy changes until the device recovers.

Command

inspect network-policy dropped

Options

None

When to Use

  • After expanding a policy with new applications or large prefix lists, as part of post-change verification before confirming the deployment.
  • When replacing a device with a lower-capacity model, to confirm the existing policy fits within the new device's resource limit.
  • Periodically when the policy has grown significantly, before resource exhaustion causes silent rule drops on live traffic.

Command Notes

Role: Super, Read Only
Related Commands: None
Introduced in: Release 5.0.3

Example

When all rules are within the resource limit, the command reports no dropped rules:

inspect network-policy dropped

Network Policy Resource Usage:
  Resource Limit             : 1350000
  Required Resources         : 10
  Adjusted Resource Use      : 10
  Non-Optimized Resource Use : 10

No dropped rules found.

When the resource limit is exceeded, the command lists each dropped rule:

inspect network-policy dropped

Network Policy Resource Usage:
  Resource Limit             : 400
  Required Resources         : 423
  Adjusted Resource Use      : 400
  Non-Optimized Resource Use : 423

Network Policy Rule : 15300304239150020 : newrelic-Policy
  Policy Set         : 15300304235910157 : MKC-OrigPolicySet1
  Stack Index        : 0
  Application Count  : 1
  Source Prefix      : none
  Destination Prefix : none
  Resource Count     : 1

Network Policy Rule : 15300304237690074 : scps-Policy
  Policy Set         : 15300304235910157 : MKC-OrigPolicySet1
  Stack Index        : 0
  Application Count  : 1
  Source Prefix      : none
  Destination Prefix : none
  Resource Count     : 1
...

Resource values shown in this output are internal resource-cost units used by the policy compiler/optimizer. They do not represent memory, CPU, bandwidth, or percentage utilization.

Output Fields

  • Resource Limit: The maximum number of resources the device can allocate across all network policy rules.
  • Required Resources: The total resources the device needs to enforce all configured rules without optimization.
  • Adjusted Resource Use: The actual resources the device uses after applying optimization. If this equals the resource limit, the device has dropped rules.
  • Non-Optimized Resource Use: The resources the device would need without optimization.
  • Network Policy Rule: The numeric ID and name of the dropped rule.
  • Policy Set: The ID and name of the policy set the dropped rule belongs to.
  • Stack Index: The position of the dropped rule within the policy set stack.
  • Application Count: The number of applications the dropped rule matches.
  • Source Prefix / Destination Prefix: The traffic match criteria defined in the dropped rule, or none if unconfigured.
  • Resource Count: The resource cost of this specific rule.
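The following script is an added example, not Prisma SD-WAN code or part of this documentation. It parses the command output described above into the summary fields and the list of dropped rules, so that a post-change verification step can assert that no rules were dropped, report how far Required Resources overshoots the Resource Limit, and rank dropped rules by their Resource Count. The field layout follows the two samples on this page; the exact column alignment and the third dropped rule in the constructed sample (its ID and name are placeholders, chosen so the dropped costs sum to the overshoot) are assumptions made for illustration.

```python
"""Parse 'inspect network-policy dropped' output and summarize dropped rules.

Added example; not Prisma SD-WAN code. Field layout is modelled on the
samples in the command documentation; column alignment is an assumption.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: output with no dropped rules (values from the documentation).
SAMPLE_WITHIN_LIMIT = """\
inspect network-policy dropped
Network Policy Resource Usage:
  Resource Limit             : 1350000
  Required Resources         : 10
  Adjusted Resource Use      : 10
  Non-Optimized Resource Use : 10
No dropped rules found.
"""

# Constructed sample: limit exceeded. The first two rules use the documented
# values; the third rule (ID 00000000000000000, "constructed-Policy") is invented.
SAMPLE_OVER_LIMIT = """\
inspect network-policy dropped
Network Policy Resource Usage:
  Resource Limit             : 400
  Required Resources         : 423
  Adjusted Resource Use      : 400
  Non-Optimized Resource Use : 423

Network Policy Rule : 15300304239150020 : newrelic-Policy
  Policy Set         : 15300304235910157 : MKC-OrigPolicySet1
  Stack Index        : 0
  Application Count  : 1
  Source Prefix      : none
  Destination Prefix : none
  Resource Count     : 1

Network Policy Rule : 15300304237690074 : scps-Policy
  Policy Set         : 15300304235910157 : MKC-OrigPolicySet1
  Stack Index        : 0
  Application Count  : 1
  Source Prefix      : none
  Destination Prefix : none
  Resource Count     : 1

Network Policy Rule : 00000000000000000 : constructed-Policy
  Policy Set         : 15300304235910157 : MKC-OrigPolicySet1
  Stack Index        : 1
  Application Count  : 7
  Source Prefix      : none
  Destination Prefix : none
  Resource Count     : 21
"""


@dataclass
class DroppedRule:
    rule_id: str
    rule_name: str
    policy_set_id: str = ""
    policy_set_name: str = ""
    stack_index: int = 0
    application_count: int = 0
    source_prefix: str = "none"
    destination_prefix: str = "none"
    resource_count: int = 0


@dataclass
class DroppedReport:
    resource_limit: int = 0
    required_resources: int = 0
    adjusted_resource_use: int = 0
    non_optimized_resource_use: int = 0
    dropped_rules: List[DroppedRule] = field(default_factory=list)

    @property
    def overshoot(self) -> int:
        """Resource units by which the configured policy exceeds the limit."""
        return max(0, self.required_resources - self.resource_limit)

    @property
    def dropped_resource_total(self) -> int:
        """Sum of Resource Count over the dropped rules."""
        return sum(r.resource_count for r in self.dropped_rules)


# Summary-line keys mapped to DroppedReport attributes.
_SUMMARY_KEYS = {
    "Resource Limit": "resource_limit",
    "Required Resources": "required_resources",
    "Adjusted Resource Use": "adjusted_resource_use",
    "Non-Optimized Resource Use": "non_optimized_resource_use",
}
# Per-rule integer keys mapped to DroppedRule attributes.
_RULE_INT_KEYS = {"Stack Index": "stack_index", "Application Count": "application_count",
                  "Resource Count": "resource_count"}
_RULE_STR_KEYS = {"Source Prefix": "source_prefix", "Destination Prefix": "destination_prefix"}


def parse_dropped_output(text: str) -> DroppedReport:
    """Line-oriented parser: summary 'Key : value' lines, then one block per dropped rule."""
    report = DroppedReport()
    current: Optional[DroppedRule] = None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, the echoed command, and section headers such as "...Usage:".
        if not line or line.startswith("inspect ") or line.endswith(":"):
            continue
        if line == "No dropped rules found.":
            break
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Network Policy Rule":          # "<id> : <name>" starts a new rule block
            rule_id, _, rule_name = value.partition(":")
            current = DroppedRule(rule_id.strip(), rule_name.strip())
            report.dropped_rules.append(current)
        elif key in _SUMMARY_KEYS:
            setattr(report, _SUMMARY_KEYS[key], int(value))
        elif current is not None and key == "Policy Set":  # also "<id> : <name>"
            ps_id, _, ps_name = value.partition(":")
            current.policy_set_id, current.policy_set_name = ps_id.strip(), ps_name.strip()
        elif current is not None and key in _RULE_INT_KEYS:
            setattr(current, _RULE_INT_KEYS[key], int(value))
        elif current is not None and key in _RULE_STR_KEYS:
            setattr(current, _RULE_STR_KEYS[key], value)
        # Unknown keys (e.g. a truncation marker) are ignored.
    return report


def rules_by_cost(report: DroppedReport) -> List[Tuple[str, int]]:
    """Dropped rules ranked by Resource Count, highest first: the first candidates to simplify."""
    return sorted(((r.rule_name, r.resource_count) for r in report.dropped_rules),
                  key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for name, sample in (("within limit", SAMPLE_WITHIN_LIMIT), ("over limit", SAMPLE_OVER_LIMIT)):
        rep = parse_dropped_output(sample)
        print(f"[{name}] limit={rep.resource_limit} required={rep.required_resources} "
              f"overshoot={rep.overshoot} dropped={len(rep.dropped_rules)} "
              f"dropped_cost={rep.dropped_resource_total}")
        for rule_name, cost in rules_by_cost(rep):
            print(f"  {cost:>6}  {rule_name}")
```

In a post-change check, treat a non-empty dropped_rules list (or Adjusted Resource Use equal to Resource Limit) as a failure and roll the change back before confirming the deployment; the ranked list points at the rules whose application or prefix-list size is driving the cost.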

Troubleshooting

Condition: Rules are dropped even though Required Resources appears moderate.
Possible Cause: The device model has a lower resource limit than the default 1,350,000.
Action: Check the Resource Limit value in the output; consolidate rules with overlapping applications or large prefix lists to reduce cost.

Condition: Adjusted Resource Use equals Resource Limit but only a few rules appear as dropped.
Possible Cause: Other rules are consuming most of the budget; only the highest-cost ones are listed as dropped.
Action: Review Resource Count per rule; identify and consolidate high-cost rules or split large prefix lists into smaller sets.

Condition: Non-Optimized Resource Use is much higher than Adjusted Resource Use.
Possible Cause: The device is applying optimization to stay within limits but the margin is narrow.
Action: Simplify policy rules proactively before the device reaches the point where optimization alone is insufficient.