Monitoring firewall services capacity


Customer reported an issue related to exceeding the firewall services capacity.

Attempting a commit on a device group or Template from Panorama causes the following error:

Error: Number of services (xxxx) exceeds platform capacity (yyyy)
(Module: device)
Commit failed
Where xxxx exceeds yyyy.

The following shows the service limit.
What is the command to get the current service count?

show system state | match cfg.general.max-service
cfg.general.max-service: 2000
cfg.general.max-service-group: 250
cfg.general.max-service-per-group: 500
peer.cfg.general.max-service: 2000
peer.cfg.general.max-service-group: 250
peer.cfg.general.max-service-per-group: 500


Shouky - the closest I’ve been able to come to getting the count is by running > show system state filter cfg.general.max* - and looking for the session, or outputs. However, this does not show anything that exceeds the max groups, but still only shows the max value allowed.

For example:

indeni@PA-5060> show system state filter cfg.general.max*

cfg.general.max-address: 80000
cfg.general.max-address-group: 4000
cfg.general.max-address-per-group: 2500
cfg.general.max-appid-pkts: 98304
cfg.general.max-appinfo2ip-entry: 65536
cfg.general.max-arp: 32000
cfg.general.max-auth-policy-rule: 4000
cfg.general.max-bfd-session: 0x400
cfg.general.max-blacklist: 100000
cfg.general.max-cert-cache-entries: 0x400
cfg.general.max-ctd-session: 4194304
cfg.general.max-debug-pool: ( 2179072, 7987200, 7987200, )
cfg.general.max-di-nat-policy-rule: 16000
cfg.general.max-di-nat-pool: 10000
cfg.general.max-dip-nat-addrs: 4000
cfg.general.max-dip-nat-policy-rule: 4000
cfg.general.max-dns-cache: 0x7a120
cfg.general.max-dos-policy-rule: 2000
cfg.general.max-fibinstance: 255
cfg.general.max-fibtrie-buf: 0x2000000
cfg.general.max-fptcp-segs: ( 65536, 131072, 131072, )
cfg.general.max-ha-aa-vaddresses: 2048
cfg.general.max-hip: 63
cfg.general.max-hsm-threads: 0x14
cfg.general.max-ifnet: 4096
cfg.general.max-ike-peers: 2000
cfg.general.max-ip6addrtbl: 65536
cfg.general.max-ipfrags: 28672
cfg.general.max-mac: 32000
cfg.general.max-mroute: 4000
cfg.general.max-nat-policy-rule: 16000
cfg.general.max-neigh: 32000
cfg.general.max-oride-policy-rule: 4000
cfg.general.max-pbf-policy-rule: 2000
cfg.general.max-policy-rule: 40000
cfg.general.max-profile: 750
cfg.general.max-proxy-mem: 0x6f4ad79
cfg.general.max-proxy-reverse_keys: 0x3e8
cfg.general.max-proxy-session: ( 24576, 32768, 32768, )
cfg.general.max-qos-policy-rule: 4000
cfg.general.max-qosbw: 16000
cfg.general.max-qosif: 12
cfg.general.max-qosnet: 64
cfg.general.max-regions: 1024
cfg.general.max-registered-ip-address: 0x186a0
cfg.general.max-return-address: 0x30
cfg.general.max-rexmt-segs: 8000
cfg.general.max-route: 64000
cfg.general.max-route4: 32000
cfg.general.max-route6: 32000
cfg.general.max-routing-peer: 500
cfg.general.max-schedule: 256
cfg.general.max-service: 4000
cfg.general.max-service-group: 250
cfg.general.max-service-per-group: 500
cfg.general.max-session: 4194304
cfg.general.max-shared-gateway: 8
cfg.general.max-si-nat-policy-rule: 16000
cfg.general.max-signature: 6000
cfg.general.max-ssh-proxy-session: 4096
cfg.general.max-ssl-policy-rule: 5000
cfg.general.max-ssl-portal: 131
cfg.general.max-ssl-sess-cache-size: 10000
cfg.general.max-ssl-sess-cache-size-mp: 250000
cfg.general.max-ssl-tunnel: 20000
cfg.general.max-sslvpn-ck-cache-size: 2000
cfg.general.max-sslvpn-ck-cache-size-mp: 4000
cfg.general.max-tcp-segs: 32768
cfg.general.max-threat-signature: 3000
cfg.general.max-tsagents: 1000
cfg.general.max-tunnel: 8000
cfg.general.max-uid-tsagents: 1000
cfg.general.max-url-pattern: 100000
cfg.general.max-user-group: 10000
cfg.general.max-vlan: 4096
cfg.general.max-vrouter: 225
cfg.general.max-vsys: 226
cfg.general.max-vwire: 12
cfg.general.max-whitelist: 100000
cfg.general.max-zone: 900


You would have to parse the configuration file and count the number of entries by type to come up with each number. It’s probably a little short-sighted on their part that a count/max isn’t automatically created in something like a “show system info” or a new command like “show system limits”.

They obviously calculate what is available on a commit, so why wait until then to check what your capacity limit is, right?
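As an added example (not from this thread and not a Palo Alto Networks tool), the script below does what Brad describes: it reads the service limits out of the `show system state | match cfg.general.max-service` output quoted earlier and counts service objects, service groups and the largest group in an exported PAN-OS configuration, then flags anything above 80% of capacity before a commit would fail. The state output and the miniature config are constructed samples, and the XPaths and the 80% threshold are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `show system state | match cfg.general.max-service` output.
STATE_OUTPUT = """\
cfg.general.max-service: 2000
cfg.general.max-service-group: 250
cfg.general.max-service-per-group: 500
"""

# Constructed miniature PAN-OS config (shared objects plus one vsys), not a real export.
CONFIG_XML = """<config>
  <shared>
    <service>
      <entry name="tcp-8080"><protocol><tcp><port>8080</port></tcp></protocol></entry>
      <entry name="udp-514"><protocol><udp><port>514</port></udp></protocol></entry>
    </service>
    <service-group><entry name="web"><members>
      <member>tcp-8080</member><member>service-https</member>
    </members></entry></service-group>
  </shared>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1"><service>
    <entry name="tcp-9000"><protocol><tcp><port>9000</port></tcp></protocol></entry>
  </service></entry></vsys></entry></devices>
</config>"""

# Matches the local limits only; "peer.cfg.general..." lines from the HA peer are skipped.
LIMIT_RE = re.compile(r"^\s*cfg\.general\.(max-service(?:-group|-per-group)?):\s*(\S+)")

def parse_limits(state_output):
    """Limit name -> int; int(x, 0) also accepts the hex form (e.g. 0x400) the CLI sometimes prints."""
    return {m.group(1): int(m.group(2), 0)
            for m in map(LIMIT_RE.match, state_output.splitlines()) if m}

def count_services(config_xml):
    """Count service objects, service groups and the largest group's member count (assumed XPaths)."""
    root = ET.fromstring(config_xml)
    groups = root.findall(".//service-group/entry")
    return {"max-service": len(root.findall(".//service/entry")),
            "max-service-group": len(groups),
            "max-service-per-group": max((len(g.findall("members/member")) for g in groups), default=0)}

def capacity_report(state_output, config_xml, warn_pct=80):
    """Return {limit: (used, max, status)} with status 'ok', 'warn' (>= warn_pct) or 'exceeded'."""
    limits, used = parse_limits(state_output), count_services(config_xml)
    report = {}
    for name, cap in limits.items():
        n = used.get(name, 0)
        status = "exceeded" if n > cap else "warn" if n * 100 >= cap * warn_pct else "ok"
        report[name] = (n, cap, status)
    return report
```

Run it against a real `show system state` capture and the XML from `show config running` (or a Panorama export) to get a per-limit used/max line before committing.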


There are some perl scripts out there for certain limits.


Here is an article on how to resolve this specific issue.

For Panorama or M-100 running OS 5.0 or later:
Under Panorama > Setup > Management > Panorama Settings, disable “Share Unused Address and Service Objects with Devices” to prevent the unnecessary sharing of unused service objects on the devices.
Note: If all the service objects created on the M-100 or Panorama are being utilized by all managed devices, then some service objects need to be aggregated.


Thanks, Brad! I thought the same thing. It is a bit esoteric since the error is a pop-up in the Panorama GUI, and not logged anywhere. Looks like others have been wanting an easy way to get the count and a warning that they’re approaching a limit and will not be able to commit. Others are wanting a general number, just to be aware of. I realize my link is about the number of addresses, but starting in 2017 RichCross indicates that you won’t be able to commit if you’ve reached capacity. I also found during my research that when NAT rules reach capacity, they recommend consolidating NAT rules, not disabling the share feature. I’ve created download links to some documentation that shows the limits for 5220’s and 7050’s; seems there are quite a few that could cause a problem with committing changes. I’m starting to wonder if this is something Indeni can help PAN users with? 5220 SPECS - & 7050 SPECS -


@Paul_Overton @Shouky_Dan

Everyone should contact their Sales Engineer and vote for FR ID: 5219!!