While attempting to commit changes, the following error message is displayed:
Error: Number of dynamic-ip-and-port rules (451) exceeds vsys capacity (450)
Error: Failed to parse nat policy (Module: device)
Commit failed
Note: This error occurs when too many rules are in place, but the first number (451 in this example) will always be 1 above the limit, regardless of how many rules are actually in the policy. This is because the error triggers as soon as the firewall exceeds its limit.
Resolution
There is a maximum number of NAT rules that can be configured per virtual system (VSYS), and this error occurs if the number of NAT rules in the policy exceeds that number.
The solution is to consolidate NAT rules to lower the number of active rules in the policy to be installed.
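One way to find consolidation candidates before the next commit is shown below. It is an added example, not vendor code. It counts dynamic-ip-and-port rules per vsys in an exported configuration and groups rules that differ only in their source addresses. The XML element layout, the sample rules and the names `dipp_report`, `_rule` and `_members` are assumptions made for illustration; 450 is the capacity from the error above.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def _rule(name, src, xlate):  # builds one constructed NAT rule entry
    return (f'<entry name="{name}"><from><member>trust</member></from>'
            f'<to><member>untrust</member></to><source><member>{src}</member></source>'
            f'<destination><member>any</member></destination><service>any</service>'
            f'<source-translation>{xlate}</source-translation></entry>')

DIPP = ('<dynamic-ip-and-port><interface-address><interface>{}</interface>'
        '</interface-address></dynamic-ip-and-port>')
STATIC = '<static-ip><translated-address>198.51.100.7</translated-address></static-ip>'

# Constructed sample; the element layout is an assumption about an exported config.
SAMPLE = ('<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">'
          '<rulebase><nat><rules>'
          + _rule("branch-a", "10.1.0.0/24", DIPP.format("ethernet1/1"))
          + _rule("branch-b", "10.2.0.0/24", DIPP.format("ethernet1/1"))
          + _rule("lab", "10.9.0.0/24", DIPP.format("ethernet1/2"))
          + _rule("mail", "10.1.0.25", STATIC)
          + '</rules></nat></rulebase></entry></vsys></entry></devices></config>')

def _members(rule, tag):
    return tuple(sorted(m.text for m in rule.findall(f"{tag}/member")))

def dipp_report(xml_text, capacity):
    """Per vsys: DIPP rule count, whether it exceeds capacity, and merge candidates."""
    report = {}
    for vsys in ET.fromstring(xml_text).findall("./devices/entry/vsys/entry"):
        groups = defaultdict(list)
        for rule in vsys.findall("./rulebase/nat/rules/entry"):
            dipp = rule.find("source-translation/dynamic-ip-and-port")
            if dipp is None:
                continue  # static and other NAT types are not counted here
            # Rules identical in these fields, differing only in source, share a key.
            key = (_members(rule, "from"), _members(rule, "to"),
                   _members(rule, "destination"), rule.findtext("service"),
                   tuple((e.tag, (e.text or "").strip()) for e in dipp.iter()))
            groups[key].append(rule.get("name"))
        count = sum(len(names) for names in groups.values())
        report[vsys.get("name")] = {
            "dipp_rules": count,
            "over_capacity": count > capacity,
            "merge_candidates": [n for n in groups.values() if len(n) > 1],
        }
    return report

if __name__ == "__main__":
    print(dipp_report(SAMPLE, capacity=450))
```

NAT rules are evaluated in order, so before merging a candidate group into one rule with several source members, check that no rule sitting between them matches overlapping traffic and that any fields not compared here are also identical.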
See Also
For information on finding out the limit on NAT rules please see the following article: