>
    Strata Copilot
    inspect priority-policy lookup
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma SD-WAN
    3. Use CLI Commands
    4. Inspect Commands
    5. inspect priority-policy lookup
    Download PDF
    Prisma SD-WAN

    inspect priority-policy lookup

    Table of Contents

    inspect priority-policy lookup

    Use the inspect priority-policy lookup command to determine which priority policy rule applies to traffic based on source and destination IP addresses or IP prefixes.
    Use the inspect priority-policy lookup command to simulate a priority policy evaluation for a given flow without sending live traffic. By specifying the application, source IP, destination IP, and network context, the output shows exactly which priority policy rules match, the evaluation order, and whether another rule in the stack overrides a matched rule. Use app-wildcard to inspect rules that apply to all applications, or nctx-wildcard for rules that apply regardless of network context. This is useful for verifying QoS policy intent and troubleshooting unexpected priority or DSCP assignments.

    Command

    inspect priority-policy lookup ( app-wildcard | application= application_name | nctx-wildcard | network-context= network_context_ID | srcv4= src_ipv4 | dstv4= dst_ipv4 | srcv6= src_ipv6 | dstv6= dst_ipv6 )

    Options

    app-wildcardDisplay priority policy rules that do not specify any application.
    applicationEnter an application name or ID to display priority policy rules that match the specified application.
    nctx-wildcardDisplay priority policy rules that do not specify any network context.
    network-contextEnter a network context ID to display policy rules for the specified network context.
    srcv4Enter the source IPv4 address to filter the lookup.
    dstv4Enter the destination IPv4 address to filter the lookup.
    srcv6Enter the source IPv6 address to filter the lookup.
    dstv6Enter the destination IPv6 address to filter the lookup.

    When to Use

    • When QoS priority or DSCP assignment for a specific application does not match the policy configuration, to trace the rule evaluation order.
    • Before modifying priority policy rules, to understand which rule currently applies to the affected flow and confirm the intended change will take effect.
    • When using app-wildcard, to confirm no unintended rules override the flow before the wildcard catch-all applies.

    Command Notes

    RoleSuper, Read Only
    Related Commands
    inspect priority-policy dropped
    Introduced inRelease 5.0.1

    Example

    The following example looks up priority policy rules that match the adobeconnect application:
    inspect priority-policy lookup application=adobeconnect
Requested App Id : 15186805682900053 : adobeconnect
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
Priority Policy Rule : 15306021021420040 : default
Policy Set : 15306021021010029 : QoS DR
Stack Index | Order Number: 0 | 1024
Matching App Id : WILDCARD :
Source Prefix : none
Destination Prefix : none
Network_Context Id : none
Source :     Destination  : Active Override
0.0.0.0/0    :  0.0.0.0/0 :
Priority Policy Rule : 15306021022360045 : enterprise-default
Policy Set : 15306021021010029 : QoS DR
Stack Index | Order Number: 0 | 1024
Matching App Id : WILDCARD :
Source Prefix : none
Destination Prefix : 15272331126430048 : EnterpriseGlobalPrefix
Network_Context Id : none
Source :    Destination :      Active Override
0.0.0.0/0   : 192.168.0.0/16 :
            : 172.16.0.0/12  :
            : 10.0.0.0/8     :

    Output Fields

    • Requested App Id: The application ID and name used for the lookup.
    • Priority Policy Rule: The numeric ID and name of the matching rule.
    • Policy Set: The ID and name of the policy set the rule belongs to.
    • Stack Index | Order Number: The stack position and evaluation priority of the rule.
    • Matching App Id: The application the rule matches, or WILDCARD if the rule applies to all applications.
    • Source Prefix / Destination Prefix: The traffic match criteria defined in the rule, or none if unconfigured.
    • Network_Context Id: The network context the rule applies to, or none if unconfigured.
    • Source / Destination / Active Override: The source and destination address pairs that match the rule. If another rule overrides this one, the Active Override column shows the overriding rule's ID and name.

    Troubleshooting

    ConditionPossible CauseAction
    Active Override column shows a rule that should not apply to the flowA higher-stack-index rule with broader match criteria is overriding the intended ruleNarrow the broader rule's match criteria or adjust its stack position so the intended rule takes precedence
    No rules returned for a specific applicationNo priority policy rule matches the application and no wildcard rule exists in the policy setVerify that a rule covering the application or an app-wildcard rule exists; check for dropped rules with inspect priority-policy dropped
    WILDCARD appears as Matching App Id for an application-specific lookupNo application-specific rule exists; the matching rule uses app-wildcard as a catch-allThis is expected if the application is intentionally governed by the catch-all rule; create an application-specific rule if different QoS treatment is required

    © 2026 Palo Alto Networks, Inc. All rights reserved.