Monitoring firewall services capacity


#1

Customer reported an issue related to exceeding the firewall services capacity.

Attempting a commit on a device group or Template from Panorama causes the following error:

Error: Number of services (xxxx) exceeds platform capacity (yyyy)
(Module: device)
Commit failed
Where xxxx exceeds yyyy.


The following shows the service limit.
What is the command to get the current service count?


show system state | match cfg.general.max-service
cfg.general.max-service: 2000
cfg.general.max-service-group: 250
cfg.general.max-service-per-group: 500
peer.cfg.general.max-service: 2000
peer.cfg.general.max-service-group: 250
peer.cfg.general.max-service-per-group: 500


#2

Shouky - the closest I’ve been able to come to getting the count is by running > show system state filter cfg.general.max* - and looking for the session, or outputs. However, this does not show anything that exceeds the max groups, but still only shows the max value allowed.

For example:

indeni@PA-5060> show system state filter cfg.general.max*

cfg.general.max-address: 80000
cfg.general.max-address-group: 4000
cfg.general.max-address-per-group: 2500
cfg.general.max-appid-pkts: 98304
cfg.general.max-appinfo2ip-entry: 65536
cfg.general.max-arp: 32000
cfg.general.max-auth-policy-rule: 4000
cfg.general.max-bfd-session: 0x400
cfg.general.max-blacklist: 100000
cfg.general.max-cert-cache-entries: 0x400
cfg.general.max-ctd-session: 4194304
cfg.general.max-debug-pool: ( 2179072, 7987200, 7987200, )
cfg.general.max-di-nat-policy-rule: 16000
cfg.general.max-di-nat-pool: 10000
cfg.general.max-dip-nat-addrs: 4000
cfg.general.max-dip-nat-policy-rule: 4000
cfg.general.max-dns-cache: 0x7a120
cfg.general.max-dos-policy-rule: 2000
cfg.general.max-fibinstance: 255
cfg.general.max-fibtrie-buf: 0x2000000
cfg.general.max-fptcp-segs: ( 65536, 131072, 131072, )
cfg.general.max-ha-aa-vaddresses: 2048
cfg.general.max-hip: 63
cfg.general.max-hsm-threads: 0x14
cfg.general.max-ifnet: 4096
cfg.general.max-ike-peers: 2000
cfg.general.max-ip6addrtbl: 65536
cfg.general.max-ipfrags: 28672
cfg.general.max-mac: 32000
cfg.general.max-mroute: 4000
cfg.general.max-nat-policy-rule: 16000
cfg.general.max-neigh: 32000
cfg.general.max-oride-policy-rule: 4000
cfg.general.max-pbf-policy-rule: 2000
cfg.general.max-policy-rule: 40000
cfg.general.max-profile: 750
cfg.general.max-proxy-mem: 0x6f4ad79
cfg.general.max-proxy-reverse_keys: 0x3e8
cfg.general.max-proxy-session: ( 24576, 32768, 32768, )
cfg.general.max-qos-policy-rule: 4000
cfg.general.max-qosbw: 16000
cfg.general.max-qosif: 12
cfg.general.max-qosnet: 64
cfg.general.max-regions: 1024
cfg.general.max-registered-ip-address: 0x186a0
cfg.general.max-return-address: 0x30
cfg.general.max-rexmt-segs: 8000
cfg.general.max-route: 64000
cfg.general.max-route4: 32000
cfg.general.max-route6: 32000
cfg.general.max-routing-peer: 500
cfg.general.max-schedule: 256
cfg.general.max-service: 4000
cfg.general.max-service-group: 250
cfg.general.max-service-per-group: 500
cfg.general.max-session: 4194304
cfg.general.max-shared-gateway: 8
cfg.general.max-si-nat-policy-rule: 16000
cfg.general.max-signature: 6000
cfg.general.max-ssh-proxy-session: 4096
cfg.general.max-ssl-policy-rule: 5000
cfg.general.max-ssl-portal: 131
cfg.general.max-ssl-sess-cache-size: 10000
cfg.general.max-ssl-sess-cache-size-mp: 250000
cfg.general.max-ssl-tunnel: 20000
cfg.general.max-sslvpn-ck-cache-size: 2000
cfg.general.max-sslvpn-ck-cache-size-mp: 4000
cfg.general.max-tcp-segs: 32768
cfg.general.max-threat-signature: 3000
cfg.general.max-tsagents: 1000
cfg.general.max-tunnel: 8000
cfg.general.max-uid-tsagents: 1000
cfg.general.max-url-pattern: 100000
cfg.general.max-user-group: 10000
cfg.general.max-vlan: 4096
cfg.general.max-vrouter: 225
cfg.general.max-vsys: 226
cfg.general.max-vwire: 12
cfg.general.max-whitelist: 100000
cfg.general.max-zone: 900


#3

You would have to parse the configuration file and count the number of entries by type to come up with each number. It’s probably a little short-sighted on their part that a count/max isn’t automatically created in something like a “show system info” or a new command like “show system limits”.

They obviously calculate what is available on a commit, so why wait until then to check what your capacity limit is, right?
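One way to do the parse-and-count that the post above describes, and to read the limits straight out of the `show system state` lines shown in #1 and #2 (including the hex values like 0x400 and the bracketed tuples), is the Python script below. It is an added example, not code from this thread, from Indeni or from Palo Alto Networks. The state lines and the configuration fragment are constructed samples; the element paths (shared/service, vsys/entry/service, service-group/members/member) are an assumption about the exported PAN-OS XML layout, and the 80% warning threshold is an arbitrary choice.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `show system state filter cfg.general.max*` lines,
# modelled on the outputs in this thread (not copied from a real device).
SAMPLE_STATE = """\
cfg.general.max-service: 2000
cfg.general.max-service-group: 250
cfg.general.max-service-per-group: 500
cfg.general.max-bfd-session: 0x400
cfg.general.max-proxy-session: ( 24576, 32768, 32768, )
"""

# Constructed, heavily trimmed configuration fragment. The element paths are an
# assumption about the exported PAN-OS XML layout; a real export is far larger.
SAMPLE_CONFIG = """\
<config>
  <shared>
    <service>
      <entry name="tcp-8080"><protocol><tcp><port>8080</port></tcp></protocol></entry>
      <entry name="udp-514"><protocol><udp><port>514</port></udp></protocol></entry>
    </service>
    <service-group>
      <entry name="grp-web"><members><member>tcp-8080</member><member>service-http</member></members></entry>
    </service-group>
  </shared>
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <service>
            <entry name="tcp-9000"><protocol><tcp><port>9000</port></tcp></protocol></entry>
          </service>
          <service-group>
            <entry name="grp-syslog"><members><member>udp-514</member></members></entry>
          </service-group>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>
"""

LINE_RE = re.compile(r"^\s*([^:\s]+):\s*(.*)$")
NUM_RE = re.compile(r"0x[0-9a-fA-F]+|\d+")


def to_int(token):
    """The state output mixes decimal and hex (e.g. 0x400) values."""
    return int(token, 16) if token.lower().startswith("0x") else int(token)


def parse_limits(text):
    """Map each 'cfg.general.max-*' key to an int, or to a list of ints for '( a, b, c, )' tuples."""
    limits = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        nums = [to_int(n) for n in NUM_RE.findall(raw)]
        if nums:
            limits[key] = nums if raw.startswith("(") else nums[0]
    return limits


def count_services(config_xml):
    """Count service objects and groups, keeping shared objects separate from per-vsys ones."""
    root = ET.fromstring(config_xml)
    shared_svc = root.findall("./shared/service/entry")
    vsys_svc = root.findall(".//vsys/entry/service/entry")
    groups = root.findall("./shared/service-group/entry") + root.findall(".//vsys/entry/service-group/entry")
    return {
        "service": len(shared_svc) + len(vsys_svc),
        "shared-service": len(shared_svc),
        "service-group": len(groups),
        "service-per-group": {g.get("name"): len(g.findall("members/member")) for g in groups},
    }


def classify(name, used, limit, warn_pct=80):
    """'exceeded' mirrors the commit error wording ('exceeds'); 'warn' is the early signal the thread asks for."""
    if limit is None:
        return {"name": name, "used": used, "limit": None, "pct": None, "status": "unknown-limit"}
    pct = round(100.0 * used / limit, 1) if limit else None
    if used > limit:
        status = "exceeded"
    elif pct is not None and pct >= warn_pct:
        status = "warn"
    else:
        status = "ok"
    return {"name": name, "used": used, "limit": limit, "pct": pct, "status": status}


def check_capacity(counts, limits, warn_pct=80):
    """Compare the counted objects against the platform limits parsed from the state output."""
    findings = [classify(n, counts[n], limits.get("cfg.general.max-" + n), warn_pct)
                for n in ("service", "service-group")]
    per_group_limit = limits.get("cfg.general.max-service-per-group")
    for grp, members in counts["service-per-group"].items():
        findings.append(classify("service-per-group:" + grp, members, per_group_limit, warn_pct))
    return findings


if __name__ == "__main__":
    limits = parse_limits(SAMPLE_STATE)
    counts = count_services(SAMPLE_CONFIG)
    print("shared service objects (pushed to every device when sharing is on):", counts["shared-service"])
    for f in check_capacity(counts, limits):
        print(f"{f['status']:<9} {f['name']:<30} {f['used']}/{f['limit']} ({f['pct']}%)")
```

Feed it the saved `show system state` output of the target platform and the exported configuration instead of the two samples and you get the count/max view the post above wishes the box provided; the shared-object count is also the number that the "Share Unused Address and Service Objects" setting mentioned later in the thread pushes down to every managed device.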


#4

There are some Perl scripts out there for certain limits.
https://live.paloaltonetworks.com/t5/API-Articles/Unused-and-Duplicate-Address-Object-Script/ta-p/62377
https://live.paloaltonetworks.com/t5/API-Articles/Unused-and-Duplicate-Service-Script/ta-p/56799


#5

Here is an article on how to resolve this specific issue.

Resolution
For Panorama or M-100 running OS 5.0 or later:
Under Panorama > Setup > Management > Panorama Settings, disable “Share Unused Address and Service Objects with Devices” to prevent the unnecessary sharing of unused service objects on the devices.
Note: If all the service objects created on the M-100 or Panorama are being utilized by all managed devices, then some service objects need to be aggregated.


#6

Thanks, Brad! I thought the same thing. It is a bit esoteric since the error is a pop-up in the Panorama GUI, and not logged anywhere. Looks like others have been wanting an easy way to get the count and a warning that they’re approaching a limit and will not be able to commit. Others are wanting a general number, just to be aware of: https://live.paloaltonetworks.com/t5/Configuration-Articles/What-is-the-Maximum-Number-of-Addresses-per-Address-Group-in/ta-p/55703 - I realize my link is about the number of addresses, but starting in 2017 RichCross indicates that you won’t be able to commit if you’ve reached capacity. I also found during my research that when NAT rules reach capacity, they recommend consolidating NAT rules, not disabling the share feature: https://live.paloaltonetworks.com/t5/Management-Articles/Commit-Error-Number-of-dynamic-ip-and-port-rules-x-exceeds-vsys/ta-p/52095. I’ve created download links to some documentation that shows the limits for 5220s and 7050s; it seems there are quite a few that could cause a problem with committing changes. I’m starting to wonder if this is something Indeni can help PAN users with? 5220 SPECS - https://nofile.io/f/jqOtT5sJhe3/5220_specs.pdf & 7050 SPECS - https://nofile.io/f/aSQenTCWjDp/7050_specs.pdf


#7

@Paul_Overton @Shouky_Dan

Everyone should contact their Sales Engineer and vote for FR ID: 5219!!