inspect network-policy hits policy-rules
Prisma SD-WAN

Use the inspect network-policy hits policy-rules command to display hit counts for network policy rules, showing how much traffic each rule has matched.
The output shows, for each rule, the cumulative Total Hits since the last system restart alongside a New Hits counter that tracks matches since the last reset. To measure which rules match over a defined window, run reset-diff to zero the New Hits counter, wait for the period of interest, then run diff-only to list only the rules that received traffic in that window. This workflow identifies active rules, detects rules that never match traffic, and confirms that a policy change takes effect on live traffic. Because reset-diff zeroes the New Hits counter for every rule on the device, a reset issued by one operator also restarts the window that another operator is measuring; take a fresh reading right after your own reset.

Command

inspect network-policy hits policy-rules ( all | reset-diff | diff-only )

Options

all: Display hit count information for all network policy rules.
reset-diff: Reset the New Hits counter to zero for all network policy rules.
diff-only: Display only those network policy rules where the New Hits value is non-zero. Use after reset-diff to see rules that received traffic since the last reset.

When to Use

  • When troubleshooting unexpected path selection or service context for a specific application, to confirm at the rule level whether a match is occurring at all.
  • Periodically, to audit which rules have accumulated zero hits since the last restart and are candidates for cleanup.

Command Notes

Role: Super, Read Only
Related Commands: inspect network-policy lookup, inspect network-policy dropped
Introduced in: Release 5.0.1

Example

The following example uses diff-only to list only the rules that have recorded new hits since the last reset. In this output Total Hits equals New Hits for every rule, which indicates that the New Hits counter has not been reset with reset-diff since the counters were last cleared:

inspect network-policy hits policy-rules diff-only
Network Policy Name        Policy ID                  Total Hits  New Hits
------------------         -------------------------- ----------- ----------
enterprise-default         15037814306340038          175         175
Cloudgenix-Control-Policy  14732427836910250          58          58
ssl-Policy                 14732427833800136          18          18
Cloudgenix-PCM-Policy      14732427839350042          48          48
ntp-Policy                 14732427820940210          6           6

Output Fields

  • Network Policy Name: The name of the network policy rule.
  • Policy ID: The numeric identifier of the policy rule.
  • Total Hits: The cumulative number of times this rule has matched traffic since the last system restart.
  • New Hits: The number of hits since the last reset-diff. Resets to zero when reset-diff runs.
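The following script is an added example, not Prisma SD-WAN code, for auditing the output of this command offline. It parses the tabular output (name, Policy ID, Total Hits, New Hits, with the three numeric columns assumed to be the last three fields of each row), lists rules that have never matched since restart, and computes per-rule hits between two captured "all" snapshots from Total Hits rather than from New Hits, so the result does not depend on the device-wide counter that reset-diff clears. The snapshots are constructed: the first is the output shown on this page, the second is an invented later reading (with a hypothetical dns-Policy rule) used only to exercise the diff logic.

```python
"""Audit 'inspect network-policy hits policy-rules' output offline.

Added example, not Prisma SD-WAN code. Assumes the output layout shown in
the documentation: a header line, a dashed separator, then one row per rule
ending in three numeric fields (Policy ID, Total Hits, New Hits).
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class RuleHits(NamedTuple):
    name: str
    policy_id: str
    total_hits: int
    new_hits: int


# Constructed snapshot: the diff-only output shown on this page.
SNAPSHOT_T0 = """\
Network Policy Name        Policy ID                  Total Hits  New Hits
------------------         -------------------------- ----------- ----------
enterprise-default         15037814306340038          175         175
Cloudgenix-Control-Policy  14732427836910250          58          58
ssl-Policy                 14732427833800136          18          18
Cloudgenix-PCM-Policy      14732427839350042          48          48
ntp-Policy                 14732427820940210          6           6
"""

# Constructed later 'all' snapshot (invented values): ssl-Policy has gone
# idle and a hypothetical dns-Policy rule has been added but never matched.
SNAPSHOT_T1 = """\
Network Policy Name        Policy ID                  Total Hits  New Hits
------------------         -------------------------- ----------- ----------
enterprise-default         15037814306340038          421         246
Cloudgenix-Control-Policy  14732427836910250          130         72
ssl-Policy                 14732427833800136          18          0
Cloudgenix-PCM-Policy      14732427839350042          97          49
ntp-Policy                 14732427820940210          14          8
dns-Policy                 14732427821110077          0           0
"""

# Non-greedy name, then exactly three trailing integers; the header and the
# dashed separator contain no digits and therefore never match.
ROW_RE = re.compile(r"^(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_hits(text: str) -> Dict[str, RuleHits]:
    """Return {policy_id: RuleHits}, keyed by ID so renames do not confuse diffs."""
    rules: Dict[str, RuleHits] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header, separator, echoed command, or blank line
        name, pid, total, new = m.groups()
        rules[pid] = RuleHits(name, pid, int(total), int(new))
    return rules


def never_hit(rules: Dict[str, RuleHits]) -> List[str]:
    """Rules with zero Total Hits since restart: cleanup candidates, or rules
    shadowed by a higher-priority match (confirm with network-policy lookup)."""
    return sorted(r.name for r in rules.values() if r.total_hits == 0)


def hits_between(before: Dict[str, RuleHits],
                 after: Dict[str, RuleHits]) -> Tuple[Dict[str, int], List[str]]:
    """Per-rule hits between two 'all' snapshots, derived from Total Hits.

    Returns (deltas, restarted). deltas maps rule name -> hits in the window;
    a rule absent from `before` counts all of its Total Hits. restarted lists
    rules whose Total Hits went backwards, meaning the counters were cleared
    (for example by a system restart); their delta is only hits since then.
    """
    deltas: Dict[str, int] = {}
    restarted: List[str] = []
    for pid, cur in after.items():
        prev = before.get(pid)
        if prev is None:
            deltas[cur.name] = cur.total_hits
        elif cur.total_hits < prev.total_hits:
            restarted.append(cur.name)
            deltas[cur.name] = cur.total_hits
        else:
            deltas[cur.name] = cur.total_hits - prev.total_hits
    return deltas, restarted


def idle_rules(deltas: Dict[str, int]) -> List[str]:
    """Rules that matched nothing in the window between the two snapshots."""
    return sorted(name for name, d in deltas.items() if d == 0)


if __name__ == "__main__":
    t0, t1 = parse_hits(SNAPSHOT_T0), parse_hits(SNAPSHOT_T1)
    deltas, restarted = hits_between(t0, t1)
    print("never matched since restart:", never_hit(t1))
    print("hits in window:", deltas)
    print("idle in window:", idle_rules(deltas))
    print("counters restarted:", restarted)
```

Capture the two readings with the all option some minutes apart and feed them to hits_between; a rule that is idle in the window but has non-zero Total Hits was matching earlier and deserves a look at rule ordering before it is removed.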

Troubleshooting

Condition: A rule shows zero Total Hits after sustained traffic
Possible Cause: The rule's match criteria (application, prefix, or network context) do not match the traffic currently on the device
Action: Use inspect network-policy lookup to simulate the flow and determine which rule is actually matching

Condition: The catch-all or default rule has disproportionately high hit counts
Possible Cause: More specific rules do not match the traffic as intended, causing it to fall through to the default
Action: Verify application IDs and prefix lists in the specific rules; check for dropped rules with inspect network-policy dropped

Condition: New Hits remain zero after reset-diff even though traffic is flowing
Possible Cause: A higher-priority rule matches the traffic before it reaches this one
Action: Review rule ordering in the policy set stack; use inspect network-policy lookup to check for overriding rules