inspect network-policy lookup

Prisma SD-WAN

Use the inspect network-policy lookup command to determine which network policy rule applies to traffic based on source and destination IP addresses or IP prefixes. The command simulates a policy lookup for a given flow without sending live traffic: by specifying the application, source IP, destination IP, and network context, the output shows exactly which policy rules match, the evaluation order, and whether another rule in the stack overrides a matched rule. Use it to verify policy intent, troubleshoot unexpected traffic handling, and confirm that rule changes take effect as expected. When another rule overrides a matched rule, the Active Override column identifies the active rule.

Command

inspect network-policy lookup ( app-wildcard | application=application_name | nctx-wildcard | network-context=network_context_ID | srcv4=src_ipv4 | dstv4=dst_ipv4 )

Options

  • app-wildcard: Display policy rules that do not specify any application.
  • application: Enter an application name or ID to display policy rules that match the specified application.
  • nctx-wildcard: Display policy rules that do not specify any network context.
  • network-context: Enter a network context ID to display policy rules for the specified network context.
  • srcv4: Enter the source IPv4 address to filter the lookup.
  • dstv4: Enter the destination IPv4 address to filter the lookup.

When to Use

  • Before adding a new network policy rule, to confirm the intended traffic will match and the rule will not be overridden by a higher-priority rule already in the stack.
  • When a flow is taking an unexpected path or not receiving the expected service context, to trace exactly which rule applies to it.
  • When a rule has user or user group scope, to confirm identity-based filtering applies correctly to a specific flow.

Command Notes

  • Role: Super, Read Only
  • Related Commands: inspect policy-mix lookup-flow
  • Introduced in: Release 5.0.1

Example

The following example looks up policy rules that match the icmp application with a specific source and destination IP, using a network context wildcard:
    inspect network-policy lookup application=1658139887050014528 srcv4=192.168.1.2 dstv4=10.1.1.2 nctx-wildcard
    Requested App Id: 1658139887050014528 : icmp
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Network Policy Rule : 1664343200310006628 : match icmp
    Policy Set : 1662009498094024828 : test user-id
    Stack Index | Order Number: 0 | 1024
    Matching App Id : 1658139887050014528 : icmp
    Source Prefix : none
    Destination Prefix: none
    Users :
    UserGroups :
     : CN=engineering,DC=sdwanamsteltest,DC=onmicrosoft,DC=com :
     : CN=sales,DC=sdwanamsteltest,DC=onmicrosoft,DC=com :
    Network_Context Id: none
    Source : Destination : Active Override
    0.0.0.0/0 : 0.0.0.0/0 :

Output Fields

  • Requested App Id: The application ID and name used for the lookup.
  • Network Policy Rule: The numeric ID and name of the matching rule.
  • Policy Set: The ID and name of the policy set the rule belongs to.
  • Stack Index | Order Number: The stack position and evaluation priority of the rule.
  • Matching App Id: The application the rule matches, or WILDCARD if the rule applies to all applications.
  • Source Prefix / Destination Prefix: The traffic match criteria defined in the rule, or none if unconfigured.
  • Users / UserGroups: The user or group scope of the rule, or any if unrestricted.
  • Network_Context Id: The network context the rule applies to, or none if unconfigured.
  • Source / Destination / Active Override: The source and destination address pairs that match the rule. If another rule overrides this one, the Active Override column shows the overriding rule's ID and name.
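The following Python script is an added example; it is not part of the Prisma SD-WAN documentation or product code. It assembles the lookup command from the options listed in the Options section, then parses output in the layout of the Example above and reports whether the rule an operator expects to win is matched, overridden, or absent, which is the check the Active Override column is meant to support when it has to be repeated for many flows. The sample output is constructed from the page's example with line breaks restored; the assumption that an empty Active Override column means "not overridden", the exact output layout, and the placeholder override id in the second sample are the author's assumptions, not values from the page.

```python
"""Added example; not from the Prisma SD-WAN documentation or product code.

Builds an `inspect network-policy lookup` command line and parses output in
the layout of the documented Example so the "which rule wins" check can be
scripted.  Assumption: an empty Active Override column means the matched
rule is the active one; the output layout itself is reconstructed.
"""
import ipaddress
import re
from dataclasses import dataclass

def build_lookup(src, dst, application=None, network_context=None):
    """Return the CLI string for one lookup; None selects the wildcard form."""
    ipaddress.IPv4Address(src)  # raises ValueError on a malformed address
    ipaddress.IPv4Address(dst)
    app = f"application={application}" if application else "app-wildcard"
    nctx = f"network-context={network_context}" if network_context else "nctx-wildcard"
    return f"inspect network-policy lookup {app} srcv4={src} dstv4={dst} {nctx}"

@dataclass
class RuleMatch:
    rule_id: str
    rule_name: str
    stack_index: int
    order_number: int
    user_groups: list
    network_context: str
    address_pairs: list  # (source, destination, active_override) per row

def _field(block, label):
    """Text after the first ':' on the line that starts with `label`."""
    m = re.search(rf"^{re.escape(label)}\s*:\s*(.*)$", block, re.M)
    return m.group(1).strip() if m else ""

def parse_lookup_output(text):
    """Split the output on the dashed separator and parse each rule block."""
    rules = []
    for block in re.split(r"^-(?: -)*\s*$", text, flags=re.M):
        if "Network Policy Rule" not in block:
            continue  # the leading "Requested App Id" block holds no rule
        rule_id, _, rule_name = _field(block, "Network Policy Rule").partition(":")
        idx, _, order = _field(block, "Stack Index | Order Number").partition("|")
        pairs, lines = [], block.splitlines()
        for i, line in enumerate(lines):
            if line.startswith("Source") and "Active Override" in line:
                for row in lines[i + 1:]:  # address-pair rows follow the header
                    if row.strip():
                        cols = [c.strip() for c in row.split(":", 2)] + ["", ""]
                        pairs.append(tuple(cols[:3]))
                break
        rules.append(RuleMatch(
            rule_id=rule_id.strip(), rule_name=rule_name.strip(),
            stack_index=int(idx), order_number=int(order),
            user_groups=[g.strip() for g in re.findall(r"CN=[^:\n]+", block)],
            network_context=_field(block, "Network_Context Id"),
            address_pairs=pairs))
    return rules

def verify_intent(output, expected_rule_id):
    """Classify a lookup result against the rule the operator expects to win."""
    for rule in parse_lookup_output(output):
        if rule.rule_id == expected_rule_id:
            overrides = sorted({p[2] for p in rule.address_pairs if p[2]})
            return "overridden by " + "; ".join(overrides) if overrides else "matched and active"
    return "no match"

# Constructed from the page's Example, with line breaks restored.
SAMPLE_OUTPUT = """\
Requested App Id: 1658139887050014528 : icmp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Network Policy Rule : 1664343200310006628 : match icmp
Policy Set : 1662009498094024828 : test user-id
Stack Index | Order Number: 0 | 1024
Matching App Id : 1658139887050014528 : icmp
Source Prefix : none
Destination Prefix: none
Users :
UserGroups :
 : CN=engineering,DC=sdwanamsteltest,DC=onmicrosoft,DC=com :
 : CN=sales,DC=sdwanamsteltest,DC=onmicrosoft,DC=com :
Network_Context Id: none
Source : Destination : Active Override
0.0.0.0/0 : 0.0.0.0/0 :
"""

# Constructed variant: a broader rule higher in the stack now wins.  The
# override id and name are placeholders, not values from the page.
SAMPLE_OVERRIDDEN = SAMPLE_OUTPUT.replace(
    "0.0.0.0/0 : 0.0.0.0/0 :",
    "0.0.0.0/0 : 0.0.0.0/0 : EXAMPLE-OVERRIDE-ID : broader-rule (constructed)")

if __name__ == "__main__":
    print(build_lookup("192.168.1.2", "10.1.1.2", application="1658139887050014528"))
    print(verify_intent(SAMPLE_OUTPUT, "1664343200310006628"))      # matched and active
    print(verify_intent(SAMPLE_OVERRIDDEN, "1664343200310006628"))  # overridden by ...
```

The parser keys on the field labels shown in the Example rather than on column positions, so a rule block with extra address-pair rows or additional user groups still parses; anything after the second colon of an address-pair row is treated as the Active Override value, which is why an overriding rule's "ID : name" survives intact in the result.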

Troubleshooting

  • Condition: The Active Override column shows a rule that should not apply to the flow. Possible cause: A higher-stack-index rule with broader match criteria is overriding the intended rule. Action: Adjust rule ordering or tighten the overriding rule's match criteria so that it no longer overrides the intended rule.
  • Condition: No rules are returned for a known application flow. Possible cause: The application name or ID passed to the command does not match how the device has classified the flow. Action: Use inspect policy-mix lookup-flow to see the actual application classification the device assigns to the flow.
  • Condition: The Users or UserGroups scope is populated but the rule still matches unintended traffic. Possible cause: User identity filtering requires active user mapping data from the identity source; without it, the rule behaves as if no user filter exists. Action: Verify that the device is receiving and processing user identity information.