Commit Failing With Error: "exceeds maximal number of app/service 128"

Created On 12/03/20 08:34 AM - Last Modified 07/22/23 03:41 AM


Symptom


  • Error message "exceeds maximal number of app/service" is seen during commit.
Error: rule [<Security Rule Name>] exceeds maximal number of app/service 128
Error: Failed to parse security policy
(Module: device)


 


Environment


  • Palo Alto Firewall
  • PAN-OS 9.1


Cause


  • The maximum number of allowed applications and/or services for the Security Policy Rule was exceeded.
  • The maximum number of apps/services is ONLY enforced if a service object in the rule has "session timeout" set to "override".
[Image: example of a Service Object with Session Timeout Override enabled and default timers changed]
Note: If application is set to any, it is counted as 1 app.


Resolution


  1. Disable session timeout override if applicable to your environment. A service without "Override" enabled is not subject to this limitation.
Or
  1. Allow the traffic in multiple security rules to overcome the limit of 128 apps/services per rule.

