Palo Alto Networks Knowledgebase: Commit Error: 'Number of dynamic-ip-and-port rules (x) exceeds vsys capacity'

Commit Error: 'Number of dynamic-ip-and-port rules (x) exceeds vsys capacity'

Created On 09/26/18 13:55 PM - Last Updated 09/26/18 14:00 PM


While attempting to commit changes, the following error message is displayed:


Error: Number of dynamic-ip-and-port rules (451) exceeds vsys capacity (450)
Error: Failed to parse nat policy
(Module: device)
Commit failed


Note: This error will occur when too many rules are in place, but the first number (451 in this example) will always be 1 above the limit regardless of how many actual rules are in the policy. This is because the error triggers as soon as the firewall exceeds its limit.



There is a maximum number of NAT rules that can be configured per virtual system (VSYS) and this error will occur if the number of NAT rules in the policy exceeds that number.


The solution is to consolidate NAT rules to lower the number of active rules in the policy to be installed.
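As an added example (not part of the KB article), the following Python script counts the dynamic-ip-and-port NAT rules per vsys in an exported PAN-OS configuration and reports any vsys over a given capacity, so the overflow can be found before the commit fails. The XML layout (devices/entry/vsys/entry/rulebase/nat/rules) is assumed to match an exported running configuration, the embedded configuration is constructed, and 450 is only the capacity quoted in the error above; verify both against your own export and platform limit.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an exported PAN-OS configuration: two vsys, one of
# which mixes dynamic-ip-and-port source NAT with a destination NAT rule.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys>
    <entry name="vsys1"><rulebase><nat><rules>
      <entry name="out-1"><source-translation><dynamic-ip-and-port>
        <interface-address><interface>ethernet1/1</interface></interface-address>
      </dynamic-ip-and-port></source-translation></entry>
      <entry name="out-2"><source-translation><dynamic-ip-and-port>
        <interface-address><interface>ethernet1/2</interface></interface-address>
      </dynamic-ip-and-port></source-translation></entry>
      <entry name="web-in"><destination-translation>
        <translated-address>10.0.0.5</translated-address>
      </destination-translation></entry>
    </rules></nat></rulebase></entry>
    <entry name="vsys2"><rulebase><nat><rules>
      <entry name="dmz-out"><source-translation><dynamic-ip-and-port>
        <translated-address><member>203.0.113.10</member></translated-address>
      </dynamic-ip-and-port></source-translation></entry>
    </rules></nat></rulebase></entry>
  </vsys></entry></devices>
</config>"""

def count_dipp_rules(config_xml):
    """Return {vsys_name: number of NAT rules using dynamic-ip-and-port}."""
    root = ET.fromstring(config_xml)
    counts = {}
    for vsys in root.iterfind("./devices/entry/vsys/entry"):
        rules = vsys.findall("./rulebase/nat/rules/entry")
        # Only rules whose source translation is dynamic-ip-and-port count
        # toward the capacity named in the commit error.
        counts[vsys.get("name")] = sum(
            1 for r in rules
            if r.find("./source-translation/dynamic-ip-and-port") is not None
        )
    return counts

def over_capacity(counts, capacity):
    """Return the vsys names whose count exceeds capacity. The firewall
    rejects the commit as soon as one rule is over the limit, so this is
    exactly the condition the error above reports."""
    return sorted(v for v, n in counts.items() if n > capacity)

if __name__ == "__main__":
    counts = count_dipp_rules(SAMPLE_CONFIG)
    print(counts)                      # {'vsys1': 2, 'vsys2': 1}
    print(over_capacity(counts, 1))    # ['vsys1']
    print(over_capacity(counts, 450))  # []
```

Point the script at a saved running configuration (Device > Setup > Operations > Export) and pass the platform's documented vsys limit as the capacity to audit the policy before committing.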


See Also

For information on finding out the limit on NAT rules please see the following article:

How to view the Maximum limit of NAT rules


owner: swhyte
