>
    Strata Copilot
    inspect priority-policy dropped
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma SD-WAN
    3. Use CLI Commands
    4. Inspect Commands
    5. inspect priority-policy dropped
    Download PDF
    Prisma SD-WAN

    inspect priority-policy dropped

    Table of Contents

    inspect priority-policy dropped

    Use the inspect priority-policy dropped command to identify priority policy rules the device dropped because the configuration's resource requirements exceed the system resource limit.
    Use the inspect priority-policy dropped command to diagnose resource exhaustion in your priority policy configuration. When the total resource cost of all configured rules exceeds the system resource limit, the device generally drops the most resource-intensive rules first to stay within the limit. The device does not enforce dropped rules; traffic that would have matched them may receive incorrect QoS prioritization. This command shows the current resource usage summary, which rules the device dropped, and the per-rule resource cost. Use this information to simplify or reorganize your policy and bring resource usage within the allowed limit.
    The resource cost of a rule is determined by the following factors:
    • Number of applications matched by the rule.
    • Number of source IP prefixes in the source prefix list.
    • Number of destination IP prefixes in the destination prefix list.

    Command

    inspect priority-policy dropped

    Options

    None

    When to Use

    • When traffic is not receiving the expected QoS priority, to confirm whether the device silently dropped the applicable rule.
    • After expanding a priority policy with many new application or prefix combinations, as part of post-change verification.
    • When replacing a device with a lower-capacity model, to confirm the existing policy fits within the new device's resource limit before going live.

    Command Notes

    RoleSuper, Read Only
    Related CommandsNone
    Introduced inRelease 5.0.1

    Example

    When all rules are within the resource limit, the command reports no dropped rules:
    inspect priority-policy dropped
Priority Policy Resource Usage:
Resource Limit : 1350000
Required Resources : 409
Adjusted Resource Use : 409
Non-Optimized Resource Use : 409
No dropped rules found.
    When the resource limit is exceeded, the command lists each dropped rule:
    inspect priority-policy dropped
Priority Policy Resource Usage:
Resource Limit : 400
Required Resources : 409
Adjusted Resource Use : 400
Non-Optimized Resource Use : 409
Priority Policy Rule : 15302035782090225 : MKC-Policy
Policy Set : 15302033124150094 : MKC-PolicySet3
Stack Index : 0
Application Count : 2
Source Prefix Count : 2
Source Prefix : 15209663164520010 : EnterpriseGlobalPrefix
Destination Prefix Count : 1
Destination Prefix : 15287319348610122 : GlobalPrefix10
Resource Count : 4
Priority Policy Rule : 15300315132120195 : xmpp-server-Policy
Policy Set : 15300315130730009 : MKC-OrigPolicySet1
Stack Index : 1
Application Count : 1
Source Prefix : none
Destination Prefix : none
Resource Count : 1
...

    Output Fields

    • Resource Limit: The maximum number of resources the device can allocate across all priority policy rules.
    • Required Resources: The total resources the device needs to enforce all configured rules without optimization.
    • Adjusted Resource Use: The actual resources the device uses after applying optimization. If this equals the resource limit, the device has dropped rules.
    • Non-Optimized Resource Use: The resources the device would need without optimization.
    • Priority Policy Rule: The numeric ID and name of the dropped rule.
    • Policy Set: The ID and name of the policy set the dropped rule belongs to.
    • Stack Index: The position of the dropped rule within the policy set stack.
    • Application Count: The number of applications the dropped rule matches.
    • Source Prefix Count / Source Prefix: The number of source prefixes and the prefix list ID and name, or none if the rule has no source prefix.
    • Destination Prefix Count / Destination Prefix: The number of destination prefixes and the prefix list ID and name, or none if the rule has no destination prefix.
    • Resource Count: The resource cost of this specific rule.

    Troubleshooting

    ConditionPossible CauseAction
    High-priority business rules are being dropped instead of low-priority onesThe device generally drops the highest-cost rules regardless of business priority or rule orderingReduce the resource cost of critical rules by using smaller prefix lists or narrower application scope; consider splitting the policy set
    Required Resources is only slightly above Resource LimitA recent policy change pushed resource usage just over the limitIdentify the most recently added high-cost rules using the Resource Count field and simplify them to bring Required Resources below the limit

    © 2026 Palo Alto Networks, Inc. All rights reserved.