Error: Number of addresses, dynamic groups, external-ip-lists etc. exceeds platform capacity
Created On 04/16/19 11:16 AM - Last Modified 12/20/22 19:25 PM
Symptom
When a commit is pushed to firewalls, the commit can fail on the firewall with the error below.
Or
Auto-commit fails after upgrading PAN-OS from 7.1.x to 8.0.x with the error below.
Error: Number of addresses, dynamic groups, external-ip-lists, external-predefined-ip-lists and predefined ip-block-lists (xxxx) exceeds platform capacity (yyyy) (Module: device) Commit failed Failed to commit policy to device
In this message, xxxx exceeds yyyy.
Environment
Panorama
PAN-OS
Firewall version 8.0.0 and above
Cause
Each firewall platform has its own hard limit on the number of address objects that can be configured.
Prior to PAN-OS 8.0, object capacity limits were not validated for local objects and Panorama-pushed objects.
Resolution
The solution to this issue depends on how the firewall is managed.
Solution 1:
If the Firewall is locally managed, reduce the number of objects based on the limit. Check the device's object limit by using the command below:
admin@PA-FW> show system state | match cfg.general.max-address
Solution 2:
If the firewall is managed by Panorama and all the objects are shared or disabled, uncheck Share Unused Address and Service Objects with Devices in the Panorama settings so that Panorama pushes only the objects that are in use.
If that still does not help, then reduce the number of objects based on the limit of the firewall in the Device Group.
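When a push fails on several firewalls at once, the counts in the error message show how many objects each device is over its limit. The following is an added example, not code from Palo Alto Networks: it parses the error text quoted under Symptom (and the related "Number of services" variant) and ranks devices by overage. The device names, counts and limits are constructed sample data, and collecting the per-device commit messages is assumed to happen elsewhere.

```python
import re

# Pattern for the capacity error quoted under Symptom. The object-type list is
# captured loosely so the "Number of services (X) ..." variant parses as well.
CAPACITY_RE = re.compile(
    r"Number of (?P<kind>.+?)\s*\((?P<count>\d+)\)\s*"
    r"exceeds platform capacity\s*\((?P<limit>\d+)\)",
    re.IGNORECASE,
)

# Constructed sample data: device names, counts and limits are made up.
ADDR_KINDS = ("addresses, dynamic groups, external-ip-lists, "
              "external-predefined-ip-lists and predefined ip-block-lists")
SAMPLE_RESULTS = [
    ("fw-branch-02", "Error: Number of services (1204) exceeds platform "
                     "capacity (1000) (Module: device) Commit failed"),
    ("fw-dc-01", "Configuration committed successfully"),
    ("fw-branch-01", f"Error: Number of {ADDR_KINDS} (2710) exceeds platform "
                     "capacity (2500) (Module: device) Commit failed"),
]


def parse_capacity_error(message):
    """Return kind/count/limit/excess for a capacity error, else None."""
    m = CAPACITY_RE.search(message)
    if m is None:
        return None
    count, limit = int(m["count"]), int(m["limit"])
    return {"kind": m["kind"].strip(), "count": count,
            "limit": limit, "excess": count - limit}


def triage(results):
    """Keep only devices that hit a capacity error, largest overage first."""
    failed = []
    for device, message in results:
        info = parse_capacity_error(message)
        if info is not None:
            failed.append((device, info))
    return sorted(failed, key=lambda item: -item[1]["excess"])


if __name__ == "__main__":
    for device, info in triage(SAMPLE_RESULTS):
        print(f"{device}: {info['count']}/{info['limit']} {info['kind']}; "
              f"remove at least {info['excess']} object(s)")
```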
Additional Information
For additional information, see:
PANORAMA COMMIT ERROR: NUMBER OF SERVICES (X) EXCEEDS PLATFORM CAPACITY (Y)
What is the Maximum Number of Addresses per Address Group in Panorama?
How to Limit the Number of Shared Objects Panorama Pushes to the Managed Device
Manage Unused Shared Objects