Commit Failing With Error: "exceeds maximal number of app/service 128"
Created On 12/03/20 08:34 AM - Last Modified 07/22/23 03:41 AM
Symptom
- Error message "exceeds maximal number of app/service" is seen during commit.
Error: rule [<Security Rule Name>] exceeds maximal number of app/service 128
Error: Failed to parse security policy
(Module: device)
Environment
- Palo Alto Firewall
- PAN-OS 9.1
Cause
- The maximum number of allowed applications and/or services for the Security Policy Rule was exceeded.
- The maximum number of apps/services is ONLY enforced if a service object in the rule has "Session Timeout" set to "Override".
[Image: example of a Service Object with Session Timeout Override enabled and default timers changed]
Note: If the application is set to "any", it is counted as 1 app.
Resolution
- Disable session timeout override if applicable to your environment. A service without "Override" enabled is not subject to this limitation.
Or
- Allow the traffic in multiple security rules to overcome the limit of 128 app/service per rule.
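
As an added example (not Palo Alto Networks code), the following Python script audits an exported configuration before commit for rules that meet both conditions described under Cause: more than 128 app/service members and at least one service object with timeout override enabled. The XML element layout, the sample object names, and the counting method (application members plus service members as listed on the rule, groups not expanded) are assumptions that this article does not spell out.

```python
import xml.etree.ElementTree as ET

LIMIT = 128  # per-rule app/service limit quoted in the commit error

def sample_config():
    """Constructed sample; the element layout is an assumption, not from the article."""
    apps = "".join(f"<member>app-{i}</member>" for i in range(127))
    return f"""<config><vsys>
      <service>
        <entry name="svc-override"><protocol><tcp><port>8443</port>
          <override><yes><timeout>7200</timeout></yes></override></tcp></protocol></entry>
        <entry name="svc-plain"><protocol><tcp><port>443</port>
          <override><no/></override></tcp></protocol></entry>
      </service>
      <rules>
        <entry name="big-with-override"><application>{apps}</application>
          <service><member>svc-override</member><member>svc-plain</member></service></entry>
        <entry name="big-no-override"><application>{apps}</application>
          <service><member>svc-plain</member><member>svc-other</member></service></entry>
        <entry name="any-app"><application><member>any</member></application>
          <service><member>svc-override</member></service></entry>
      </rules></vsys></config>"""

def override_services(root):
    """Names of service objects whose session timeout override is enabled."""
    return {e.get("name") for e in root.iterfind(".//service/entry")
            if e.find("./protocol/*/override/yes") is not None}

def audit_rules(root, limit=LIMIT):
    """Return (rule, member_count, override_services_used) for rules at risk."""
    overrides = override_services(root)
    findings = []
    for rule in root.iterfind(".//rules/entry"):
        apps = [m.text for m in rule.iterfind("./application/member")]
        svcs = [m.text for m in rule.iterfind("./service/member")]
        total = len(apps) + len(svcs)  # assumed counting; "any" is one member
        used = sorted(set(svcs) & overrides)
        # The limit only matters when the rule uses an override-enabled service.
        if used and total > limit:
            findings.append((rule.get("name"), total, used))
    return findings

if __name__ == "__main__":
    for name, total, used in audit_rules(ET.fromstring(sample_config())):
        print(f"rule [{name}]: {total} app/service members, override on {used}")
```

Each flagged rule names the override-enabled services it uses, which are the objects to change or the rule to split as described under Resolution.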