inspect priority-policy hits policy-rules
Prisma SD-WAN

Use the inspect priority-policy hits policy-rules command to display hit counts for priority policy rules, showing how much traffic each rule has matched.
Use the inspect priority-policy hits policy-rules command to verify that your priority policy rules are matching traffic as expected. The output shows cumulative hit counts alongside a New Hits counter that tracks matches since the last reset. Use the reset-diff option to zero the New Hits counter, then run diff-only after a period of time to see only the rules that received traffic in that window. This workflow identifies active rules, detects rules that never match traffic, and confirms that policy changes take effect on live traffic.

Command

inspect priority-policy hits policy-rules ( all | reset-diff | diff-only )

Options

  • all: Display hit count information for all priority policy rules.
  • reset-diff: Reset the New Hits counter to zero for all priority policy rules.
  • diff-only: Display only those priority policy rules where the New Hits value is non-zero. Use after reset-diff to see rules that received traffic since the last reset.

When to Use

  • When troubleshooting incorrect QoS on a specific application, to confirm at the rule level whether a match is occurring at all before investigating policy configuration.
  • Periodically, to identify rules that have accumulated zero hits since the last restart and are candidates for removal.

Command Notes

  • Role: Super, Read Only
  • Related Commands: inspect priority-policy lookup, inspect priority-policy dropped
  • Introduced in: Release 5.0.1

Example

The following example uses diff-only to list only the rules that have recorded new hits since the last reset:
inspect priority-policy hits policy-rules diff-only
Priority Policy Name       Policy ID                   Total Hits   New Hits
------------------         --------------------------  -----------  --------
enterprise-default         15037814306340038           175          175
Cloudgenix-Control-Policy  14732427836910250           58           58
ssl-Policy                 14732427833800136           18           18
Cloudgenix-PCM-Policy      14732427839350042           48           48
ntp-Policy                 14732427820940210           6            6

Output Fields

  • Priority Policy Name: The name of the priority policy rule.
  • Policy ID: The numeric identifier of the policy rule.
  • Total Hits: The cumulative number of times this rule has matched traffic since the last system restart.
  • New Hits: The number of hits since the last reset-diff. Resets to zero when reset-diff runs.
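
An added example (not from the Prisma SD-WAN documentation): a Python script that parses this command's table output and sorts rules into those active since the last reset-diff, those idle since the reset, and those with no hits since the last restart. The sample output is constructed and assumes the all option prints the same four columns as the diff-only example above; the rule name "example unused rule" and its Policy ID are placeholders.

```python
import re

# Constructed sample: output of "... policy-rules all" captured some time after
# "reset-diff". Assumption: "all" prints the same columns as the diff-only example.
SAMPLE_ALL = """\
Priority Policy Name       Policy ID                   Total Hits   New Hits
------------------         --------------------------  -----------  --------
enterprise-default         15037814306340038           175          40
ssl-Policy                 14732427833800136           18           0
ntp-Policy                 14732427820940210           6            6
example unused rule        10000000000000001           0            0
"""

# The last three numeric fields are Policy ID, Total Hits and New Hits; whatever
# precedes them is the rule name, so names containing spaces or digits still parse.
ROW = re.compile(r"^(?P<name>.+?)\s+(?P<id>\d+)\s+(?P<total>\d+)\s+(?P<new>\d+)\s*$")

def parse_hits(text):
    """Return {policy_id: (name, total_hits, new_hits)} from command output."""
    rules = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header, separator and echoed command lines do not match
            rules[m["id"]] = (m["name"].strip(), int(m["total"]), int(m["new"]))
    return rules

def classify(rules):
    """Split rules into active-in-window, idle-in-window and never-hit."""
    report = {"active": [], "idle_since_reset": [], "never_hit": []}
    for name, total, new in rules.values():
        if new > 0:
            report["active"].append(name)
        elif total > 0:
            report["idle_since_reset"].append(name)
        else:
            report["never_hit"].append(name)  # removal candidate per "When to Use"
    return report

if __name__ == "__main__":
    for bucket, names in classify(parse_hits(SAMPLE_ALL)).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```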

Troubleshooting

  • Condition: A specific rule shows zero hits after sustained traffic
    Possible Cause: Traffic is matched by a higher-priority rule in the stack before this rule is evaluated
    Action: Use inspect priority-policy lookup to see the evaluation order and identify which rule is actually matching the flow
  • Condition: All hits are accumulating on the default rule while specific rules show zero
    Possible Cause: Specific rules have match criteria that do not match the actual traffic, such as a wrong application ID or prefix that excludes the traffic
    Action: Verify application IDs and prefix configurations in the specific rules; check for dropped rules with inspect priority-policy dropped