inspect network-policy dropped
Use the inspect network-policy dropped command
to inspect the dropped network policy rules. A configuration drop
occurs when the complexity of the configuration requires more resources
than allowed by the resource limit.
The policy rule complexity depends on multiple factors:
Number of Applications.
Number of Source IP Prefixes in the Source Prefix List.
Number of Destination IP Prefixes in the Destination Prefix List.
Application overlap within Policy Sets and within a Policy Set Stack.
Generally, rules requiring the most resources (other than default rules) are dropped first to stay within the resource limit.
Command
inspect network-policy dropped
Command Notes
Role | Super, Read Only |
Related Commands | — |
Introduced in | Release 5.0.3 |
Example
inspect network-policy dropped
Network Policy Resource Usage:
Resource Limit : 1350000
Required Resources : 10
Adjusted Resource Use : 10
Non-Optimized Resource Use : 10
No dropped rules found.

inspect network-policy dropped
Network Policy Resource Usage:
Resource Limit : 400
Required Resources : 423
Adjusted Resource Use : 400
Non-Optimized Resource Use : 423
Network Policy Rule : 15300304239150020 : newrelic-Policy
Policy Set : 15300304235910157 : MKC-OrigPolicySet1
Stack Index : 0
Application Count : 1
Source Prefix : none
Destination Prefix : none
Resource Count : 1
Network Policy Rule : 15300304237690074 : scps-Policy
Policy Set : 15300304235910157 : MKC-OrigPolicySet1
Stack Index : 0
Application Count : 1
Source Prefix : none
Destination Prefix : none
Resource Count : 1
. . .
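To check this output from a monitoring job rather than by eye, the text can be parsed into the usage counters and one record per dropped rule. The Python below is an added example, not part of the product documentation: the names `parse_dropped` and `over_limit` are hypothetical, and it assumes the output keeps the `Key : Value` layout shown in the examples above.

```python
import re

# Constructed sample: the second example output from this page, without the trailing ellipsis.
SAMPLE = """\
Network Policy Resource Usage:
Resource Limit : 400
Required Resources : 423
Adjusted Resource Use : 400
Non-Optimized Resource Use : 423
Network Policy Rule : 15300304239150020 : newrelic-Policy
Policy Set : 15300304235910157 : MKC-OrigPolicySet1
Stack Index : 0
Application Count : 1
Source Prefix : none
Destination Prefix : none
Resource Count : 1
Network Policy Rule : 15300304237690074 : scps-Policy
Policy Set : 15300304235910157 : MKC-OrigPolicySet1
Stack Index : 0
Application Count : 1
Source Prefix : none
Destination Prefix : none
Resource Count : 1
"""

FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")

def parse_dropped(text):
    """Return (usage, rules): summary counters and one dict per dropped rule."""
    usage, rules, current = {}, [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m or not m.group(2):       # command echo, section header, blank line
            continue
        key, value = m.groups()
        if key == "Network Policy Rule":  # "<id> : <name>" starts a new rule record
            current = dict(zip(("id", "name"), value.split(" : ", 1)))
            rules.append(current)
        elif current is None:             # counters printed before the first rule
            usage[key] = int(value)
        elif key == "Policy Set":
            current["policy_set"] = value.partition(" : ")[2]
        else:
            current[key] = int(value) if value.isdigit() else value
    return usage, rules

def over_limit(usage):
    """Resources required beyond the limit; 0 when the configuration fits."""
    return max(0, usage["Required Resources"] - usage["Resource Limit"])
```

A non-empty rule list or a non-zero `over_limit` value is the condition to alert on; for the sample above the configuration is 23 resources over the limit.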