inspect priority-policy conflicts
Prisma SD-WAN

Use the inspect priority-policy conflicts command to identify priority policy rules with overlapping classification criteria, which create ambiguity about which rule applies to matching traffic.

The command scans your priority policy configuration and surfaces rules with overlapping classification criteria. When two or more rules share the same source prefix, destination prefix, application, and network context, the overlap is a configuration conflict in which the intended rule precedence may be ambiguous. The output shows exactly which rules have overlapping criteria, which specific source and destination address pairs trigger the overlap, and which policy set and stack position each rule occupies. Use this information to resolve the ambiguity by adjusting match criteria or rule ordering.

Command

inspect priority-policy conflicts

Options

None

When to Use

  • After modifying priority policy rules with shared application scope, before the changes go live, to confirm no new overlaps were introduced.
  • When the same application receives inconsistent QoS priority across sessions and the likely cause is overlapping rule criteria rather than a path issue.
  • Before promoting a policy configuration from staging to production.

Command Notes

Role: Super, Read Only
Related Commands: inspect priority-policy lookup
Introduced in: Release 5.0.1

Example

inspect priority-policy conflicts

Priority Policy Rule : 15035327235830701 : Rule701
Policy Set : 15035327235850301 : Set301
Stack Index | Order Number: 0 | 1024
Source Prefix : 15035327235860302 : Prefix302
Destination Prefix : 15035327235860301 : Prefix301
Application Id : 15035327118070156 : ms-olap
Network_Context Id : 77770500
Source : Destination : Conflicting Policy
10.1.3.3/32 : 172.16.0.0/16 : 15035327235830702 : Rule702

Priority Policy Rule : 15035327235830702 : Rule702
Policy Set : 15035327235850301 : Set301
Stack Index | Order Number: 0 | 1024
Source Prefix : 15035327235860402 : Prefix402
Destination Prefix : 15035327235860401 : Prefix401
Application Id : 15035327118070156 : ms-olap
Network_Context Id : 15035327235870500
Source : Destination : Conflicting Policy
10.1.3.3/32 : 172.16.0.0/16 : 15035327235830701 : Rule701

Output Fields

  • Priority Policy Rule: The numeric ID and name of the rule being evaluated.
  • Policy Set: The ID and name of the policy set the rule belongs to.
  • Stack Index | Order Number: The stack position and evaluation order of the rule within the policy set.
  • Source Prefix / Destination Prefix: The traffic match criteria (prefix ID and name) defined in the rule.
  • Application Id: The application in the rule's scope.
  • Network_Context Id: The network context the rule applies to, or a numeric ID if unnamed.
  • Source / Destination / Conflicting Policy: The specific source and destination IP pairs that overlap, and the ID and name of the rule they conflict with.
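
Each conflict is reported once from each rule's side (Rule701 lists Rule702 and the reverse), so a pre-promotion check is easier to review once the output is parsed and the mirrored entries are collapsed. The Python parser below is an added example, not part of the product or its documentation; it assumes one output field per line, SAMPLE is constructed from the values in the Example section, and the function names are hypothetical.

```python
import re
# Constructed sample: the values from the Example section, one field per line (assumed layout).
SAMPLE = """\
Priority Policy Rule : 15035327235830701 : Rule701
Policy Set : 15035327235850301 : Set301
Stack Index | Order Number: 0 | 1024
Source Prefix : 15035327235860302 : Prefix302
Destination Prefix : 15035327235860301 : Prefix301
Application Id : 15035327118070156 : ms-olap
Network_Context Id : 77770500
Source : Destination : Conflicting Policy
10.1.3.3/32 : 172.16.0.0/16 : 15035327235830702 : Rule702
Priority Policy Rule : 15035327235830702 : Rule702
Policy Set : 15035327235850301 : Set301
Stack Index | Order Number: 0 | 1024
Source Prefix : 15035327235860402 : Prefix402
Destination Prefix : 15035327235860401 : Prefix401
Application Id : 15035327118070156 : ms-olap
Network_Context Id : 15035327235870500
Source : Destination : Conflicting Policy
10.1.3.3/32 : 172.16.0.0/16 : 15035327235830701 : Rule701
"""

# A conflict row: source prefix, destination prefix, conflicting rule ID, rule name.
CONFLICT = re.compile(r"^(\S+/\d+)\s+:\s+(\S+/\d+)\s+:\s+(\d+)\s+:\s+(.+)$")

def parse_conflicts(text):
    """Return {rule_id: {field: value, 'conflicts': [(src, dst, other_rule_id)]}}."""
    rules, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        key, _, value = (s.strip() for s in line.partition(":"))
        if (m := CONFLICT.match(line)) and cur is not None:
            cur["conflicts"].append(m.group(1, 2, 3))
        elif key == "Priority Policy Rule":
            cur = rules.setdefault(value.split(":")[0].strip(), {"conflicts": []})
            cur[key] = value
        elif cur is not None and value and key != "Source":  # skip the table header row
            cur[key] = value
    return rules

def unique_conflicts(rules):
    """Collapse mirrored A->B / B->A rows; record whether policy set and context match."""
    out = {}
    for rid, rule in rules.items():
        for src, dst, other in rule["conflicts"]:
            peer = rules.get(other, {})  # an unlisted peer compares as "not the same"
            same = lambda f: rule.get(f) == peer.get(f)
            pair = (tuple(sorted((rid, other))), src, dst)
            out[pair] = {"same_set": same("Policy Set"), "same_context": same("Network_Context Id")}
    return out
```

An empty result from unique_conflicts means the command reported no conflicts; a pair with same_set False corresponds to the cross-set case described under Troubleshooting.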

Troubleshooting

Condition: Conflict reported between rules in different policy sets
Possible Cause: Policy sets on the same stack can produce cross-set rule overlap even when the rules belong to separate sets
Action: Adjust rule ordering in the stack or tighten source and destination prefix criteria to eliminate overlap between the conflicting rules

Condition: Rules conflict on application but have different network contexts, and one uses a wildcard
Possible Cause: A rule with no network context overlaps with a context-specific rule when the source and destination prefixes also overlap
Action: Add a specific network context to the wildcard rule, or narrow the prefix criteria to prevent overlap

Condition: No conflicts reported but QoS assignment is still inconsistent
Possible Cause: This command detects classification-criteria conflicts only; stack ordering also determines which rule applies to a flow when criteria partially overlap
Action: Use inspect priority-policy lookup to see the actual rule evaluation order and identify which rule applies to the affected flow