Commit fails with message "Error: Max. user groups used in policy XXXXX exceeds capacity (10000)"
7910
Created On 07/01/24 08:45 AM - Last Modified 07/23/24 20:08 PM
Symptom
- Commit fails with an error message like "Error: Max. user groups used in policy XXXXX exceeds capacity (10000)".
admin@PA-5250# commit
Commit job 5 is in progress. Use Ctrl+C to return to command prompt
....10%........45%..........55%.....................................
Error: Max. user groups used in policy 10341 exceeds capacity (10000)
(Module: device)
client device phase 1 failure
Commit failed
[edit]
Environment
- Panorama or Palo Alto Firewalls
- Supported PAN-OS
- User Groups
Cause
- The number of users and user groups referenced in security policies exceeds the user group capacity of the platform.
- The user group capacity of the platform can be verified with the command "show system state | match cfg.general.max-user-group".
- On platforms with a 10000-user capacity the command returns the number; on platforms with a 1000-user capacity no value is displayed. See the output below.
admin@PA-VM> show system state | match cfg.general.max-user-group
cfg.general.max-user-group: 10000
admin@PA-VM>
admin@PA-VM> show system state | match cfg.general.max-user-group
admin@PA-VM> >> no value displayed for 1000 users
- The user group capacity applies to the combined number of users and user groups referenced in security policies, not only to the number of user groups. Each user or user group used in a security policy counts as one user group.
Resolution
- Reduce the number of users and user groups referenced in security policies to below the user group capacity of the platform.
- Group users and add the groups to security policies instead of individual users to greatly reduce the number of entries. Refer to: Map Users to Groups.
Additional Information
- Supported number of groups across different platforms: "Active and unique groups used in policy" in the User-ID table refers to this combined user and user group capacity.
- The current number of users and user groups referenced in security policy can be obtained with the "show user group-policy-dp all" command.
admin@PA-VM> show user group-policy-dp all
Total 2 groups/users used in policy in vsys 1
ID: 3
SECURITY : 4
ID: 1
SECURITY : 4
ID: ANY
SECURITY : 1 2 3 5 6 7
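The following is an added example, not Palo Alto Networks code, that applies the two checks described in this article to captured command output: it reads the platform capacity from "show system state | match cfg.general.max-user-group" (treating an empty result as the 1000-user platform the article describes, which is an assumption taken from the article rather than a documented default) and counts the users and groups referenced in policy from "show user group-policy-dp all". The sample outputs below are constructed to match the shape of the output quoted above; the "ANY" entry is not counted, consistent with the "Total 2" line in the sample that lists IDs 3, 1 and ANY.

```python
"""Added example: compare user/group consumption in security policy against
the platform capacity. Parses constructed text in the shape of the two PAN-OS
commands quoted in the article; it does not talk to a firewall."""
import re
from typing import Dict

# Constructed sample: a platform that reports its capacity.
STATE_OUTPUT_10000 = "cfg.general.max-user-group: 10000\n"
# Constructed sample: a platform that prints nothing for this key
# (the article states this is the case on 1000-user platforms).
STATE_OUTPUT_EMPTY = ""

# Constructed sample in the shape of "show user group-policy-dp all".
GROUP_POLICY_OUTPUT = """Total 2 groups/users used in policy in vsys 1
ID: 3
SECURITY : 4
ID: 1
SECURITY : 4
ID: ANY
SECURITY : 1 2 3 5 6 7
"""

# Assumption from the article: no displayed value means a 1000-user platform.
DEFAULT_CAPACITY = 1000


def parse_max_user_group(state_output: str) -> int:
    """Return the capacity reported by cfg.general.max-user-group,
    or DEFAULT_CAPACITY when the key is absent from the output."""
    m = re.search(r"cfg\.general\.max-user-group:\s*(\d+)", state_output)
    return int(m.group(1)) if m else DEFAULT_CAPACITY


def count_policy_principals(policy_output: str) -> Dict[str, int]:
    """Count users/groups referenced in policy from the command output.

    'reported' sums the 'Total N ...' lines the firewall prints per vsys;
    'counted' is an independent tally of distinct (vsys, ID) pairs, skipping
    the ANY wildcard, which does not consume capacity. A mismatch between the
    two means the output was truncated or the format changed."""
    reported = 0
    current_vsys = None
    ids = set()
    for line in policy_output.splitlines():
        m = re.match(r"Total (\d+) groups/users used in policy in vsys (\d+)", line)
        if m:
            reported += int(m.group(1))
            current_vsys = m.group(2)
            continue
        m = re.match(r"ID:\s*(\S+)", line)
        if m and m.group(1).upper() != "ANY":
            ids.add((current_vsys, m.group(1)))
    return {"reported": reported, "counted": len(ids)}


def check_capacity(state_output: str, policy_output: str) -> Dict[str, object]:
    """Combine both outputs into a capacity report. 'over' is True when the
    commit described in the article would fail for this reason."""
    capacity = parse_max_user_group(state_output)
    counts = count_policy_principals(policy_output)
    used = counts["reported"]
    return {
        "capacity": capacity,
        "used": used,
        "headroom": capacity - used,
        "over": used > capacity,
        "consistent": counts["reported"] == counts["counted"],
    }


if __name__ == "__main__":
    print(check_capacity(STATE_OUTPUT_10000, GROUP_POLICY_OUTPUT))
    print(check_capacity(STATE_OUTPUT_EMPTY, GROUP_POLICY_OUTPUT))
```

Run it against saved output from both commands to see how much headroom remains before a commit starts failing; the "Total" line is the authoritative count, and the independent tally is only there to catch partial captures.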