Palo Alto Networks Knowledgebase: Commit Error: 'Number of dynamic-ip-and-port rules (x) exceeds vsys capacity'

Created On 09/26/18 13:55 PM - Last Updated 09/26/18 14:00 PM

Issue

While attempting to commit changes, the following error message is displayed:


Error: Number of dynamic-ip-and-port rules (451) exceeds vsys capacity (450)
Error: Failed to parse nat policy
(Module: device)
Commit failed


Note: This error occurs when too many rules are in place, but the first number (451 in this example) will always be one above the limit regardless of how many rules the policy actually contains. This is because the error triggers as soon as the firewall exceeds its limit, so the reported count never reveals the size of the overage.


Resolution

There is a maximum number of NAT rules that can be configured per virtual system (VSYS), and this error occurs when the number of NAT rules in the policy being committed exceeds that maximum.


The solution is to consolidate NAT rules so that the number of active rules in the policy being committed falls within the per-VSYS limit.


See Also

For information on finding the NAT rule limit for your platform, please see the following article:

How to view the Maximum limit of NAT rules
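As an added example (not part of this article and not Palo Alto Networks code), the Python below parses the commit error text to recover the reported count and capacity, and separately counts the dynamic-ip-and-port NAT rules per vsys in an exported PAN-OS configuration so the real overage can be measured before committing, since the error itself only ever reports one over the limit. The capacity is a parameter: 450 is only the figure from this article's example, and the actual per-vsys limit comes from the linked article for your platform. The configuration XML is a constructed sample; the element paths (vsys/entry/rulebase/nat/rules/entry with source-translation/dynamic-ip-and-port) follow the PAN-OS configuration layout, and disabled rules are counted as well, which is the conservative assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample PAN-OS configuration fragment (not taken from the article).
SAMPLE_CONFIG = """<config>
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <rulebase><nat><rules>
            <entry name="outbound-pat">
              <source-translation><dynamic-ip-and-port>
                <interface-address><interface>ethernet1/1</interface></interface-address>
              </dynamic-ip-and-port></source-translation>
            </entry>
            <entry name="guest-pat">
              <source-translation><dynamic-ip-and-port>
                <translated-address><member>203.0.113.10</member></translated-address>
              </dynamic-ip-and-port></source-translation>
              <disabled>yes</disabled>
            </entry>
            <entry name="static-dnat">
              <destination-translation>
                <translated-address>10.0.0.5</translated-address>
              </destination-translation>
            </entry>
          </rules></nat></rulebase>
        </entry>
        <entry name="vsys2">
          <rulebase><nat><rules>
            <entry name="v2-pat">
              <source-translation><dynamic-ip-and-port>
                <interface-address><interface>ethernet1/2</interface></interface-address>
              </dynamic-ip-and-port></source-translation>
            </entry>
          </rules></nat></rulebase>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>"""

# Matches the first line of the commit error shown in the article.
ERROR_RE = re.compile(
    r"Number of dynamic-ip-and-port rules \((\d+)\) exceeds vsys capacity \((\d+)\)"
)


def parse_commit_error(text):
    """Return (reported_count, capacity) from the commit error text, or None.

    The reported count is always capacity + 1 (the commit aborts as soon as
    the limit is crossed), so it does not tell you how many rules to remove.
    """
    m = ERROR_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def count_dipp_rules(config_xml):
    """Return {vsys_name: (total_dipp_rules, disabled_dipp_rules)}.

    Only rules whose source translation is dynamic-ip-and-port are counted;
    disabled rules are included in the total (conservative assumption).
    """
    root = ET.fromstring(config_xml)
    counts = {}
    for vsys in root.iterfind("./devices/entry/vsys/entry"):
        total = disabled = 0
        for rule in vsys.iterfind("./rulebase/nat/rules/entry"):
            if rule.find("./source-translation/dynamic-ip-and-port") is None:
                continue
            total += 1
            flag = rule.find("disabled")
            if flag is not None and (flag.text or "").strip() == "yes":
                disabled += 1
        counts[vsys.get("name")] = (total, disabled)
    return counts


def check_capacity(config_xml, capacity):
    """Return [(vsys, total, excess)] for each vsys whose dynamic-ip-and-port
    rule count exceeds the given per-vsys capacity; excess is the number of
    rules that must be consolidated away before the commit can succeed."""
    over = []
    for vsys, (total, _disabled) in sorted(count_dipp_rules(config_xml).items()):
        if total > capacity:
            over.append((vsys, total, total - capacity))
    return over


if __name__ == "__main__":
    # Capacity of 1 is an artificially small placeholder for the demonstration;
    # use the limit from "How to view the Maximum limit of NAT rules" in practice.
    for vsys, total, excess in check_capacity(SAMPLE_CONFIG, 1):
        print(f"{vsys}: {total} dynamic-ip-and-port rules, consolidate at least {excess}")
```

Run it against `show config running` output saved as XML (or the exported configuration file) with the capacity for your platform; a vsys listed by `check_capacity` is the one whose rules need consolidating, and `excess` is the minimum number of rules to remove.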


owner: swhyte



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm0YCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
