How to reduce the number of Security Policies configured on the Firewall


Created On 02/01/23 09:31 AM - Last Modified 09/15/23 05:14 AM


Objective


  • To check the maximum number of Security Policies the Firewall supports.
  • To check the current number of Security Policies configured on the Firewall.
  • To determine which Security Policies can be deleted.
  • To reduce the Security Policies of a locally managed Firewall.
  • To reduce the Security Policies of a Panorama-managed Firewall.


Environment


  • Palo Alto Firewalls (FW)
  • Supported PAN-OS
  • Security Policies


Procedure



Attention Strata Cloud Manager Users: If you've been redirected to this knowledge article, skip ahead and start with Step 2.
 
  1. Check the maximum capacity of Security Policies for your Firewall.
    1. Use the Firewall CLI:
show system state filter cfg.general.max* | match max-policy-rule
Note: If the value is listed in hexadecimal format (prefixed with 0x), convert it to decimal before comparing it with the configured count; for example, 0x2710 is 10000. Most recent platforms and PAN-OS versions list the value in decimal.
    2. Use the Product Selection web page: click Show More under your platform name to find the maximum number of Security rules.
    3. For VM-Series Firewalls, see Maximum Limits Based on Tier and Memory.
  2. Check the current number of Security Policies from the GUI: Policies > Security
[Screenshot: security-policy2.png]
Note: If the FW is configured for multi-vsys, add the number of items listed under each vsys to get the total number of Security Policies configured on the FW, since the platform limit applies to the whole device.
  3. To determine which Security Policies can be deleted, use whichever of the following applies:
    1. If AIOps Premium monitors the Firewall and Panorama, you can optimize your security policy using Policy Analyzer. See the Types of Anomalies that Policy Analyzer Detects.
    2. For Firewalls not monitored by AIOps Premium, use How to Identify Unused Policies on a Palo Alto Networks Device.
  4. For a locally managed Firewall:
    1. Delete the unused Security Policies configured under GUI: Policies > Security.
  5. For a Panorama-managed Firewall:
    1. Revisit your device-group hierarchy: consider placing the FW(s) with the lower capacity limit under a different device group than the FW(s) with the higher capacity limit, so that the larger rule set is not pushed to the smaller platform.
    2. Reduce the number of Security Policies configured under Device Groups > Policies > Security.
  6. If the number of Security Policies cannot be reduced below the capacity limit after following the recommendations above, consider upgrading your FW to a higher-capacity platform.
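The capacity check in Steps 1 and 2 can be scripted so that the hexadecimal conversion and the per-vsys addition are not done by hand. The following is an added example and not part of this article or of any Palo Alto Networks tool: it parses the output line of the show system state command (accepting either the 0x hexadecimal form or decimal), counts the security rules per vsys in an exported running configuration, and reports the headroom against the platform limit. It also lists rules marked disabled, which are the simplest deletion candidates; the hit-count and Policy Analyzer methods referenced in Step 3 remain the authoritative way to find unused rules. The system-state line and the configuration fragment below are constructed samples, trimmed to the elements the script reads.

```python
"""Headroom check for PAN-OS security rules (added example, not a PAN-OS tool).

Inputs: the output of
  show system state filter cfg.general.max* | match max-policy-rule
and an exported running configuration (XML). The limit is the whole
device's, so rules are summed across all vsys.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample CLI output using the hexadecimal form that older
# platforms print; newer platforms print the same value in decimal.
SAMPLE_SYSTEM_STATE = "cfg.general.max-policy-rule: 0x2710\n"

# Constructed, trimmed running-config fragment for a two-vsys firewall.
# Element names follow the PAN-OS config schema; each rule is reduced
# to its name and the optional <disabled> element.
SAMPLE_CONFIG = """<config>
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <rulebase><security><rules>
            <entry name="allow-web"><disabled>no</disabled></entry>
            <entry name="old-vpn"><disabled>yes</disabled></entry>
            <entry name="deny-all"/>
          </rules></security></rulebase>
        </entry>
        <entry name="vsys2">
          <rulebase><security><rules>
            <entry name="dmz-in"/>
            <entry name="legacy-ftp"><disabled>yes</disabled></entry>
          </rules></security></rulebase>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>"""


def parse_max_policy_rules(system_state_text):
    """Return cfg.general.max-policy-rule as an int; accepts 0x-hex or decimal."""
    m = re.search(r"cfg\.general\.max-policy-rule:\s*(0x[0-9a-fA-F]+|\d+)",
                  system_state_text)
    if not m:
        raise ValueError("max-policy-rule not found in system state output")
    value = m.group(1)
    # Hexadecimal output must be converted before comparing with the GUI count.
    return int(value, 16) if value.lower().startswith("0x") else int(value)


def count_security_rules(config_xml):
    """Count security rules per vsys and collect the names of disabled ones."""
    root = ET.fromstring(config_xml)
    per_vsys = {}
    for vsys in root.iterfind("./devices/entry/vsys/entry"):
        rules = vsys.findall("./rulebase/security/rules/entry")
        disabled = [r.get("name") for r in rules
                    if (r.findtext("disabled") or "no").strip() == "yes"]
        per_vsys[vsys.get("name")] = {"total": len(rules), "disabled": disabled}
    return per_vsys


def capacity_report(system_state_text, config_xml):
    """Combine the platform limit with the device-wide rule count."""
    capacity = parse_max_policy_rules(system_state_text)
    per_vsys = count_security_rules(config_xml)
    configured = sum(v["total"] for v in per_vsys.values())
    disabled = [name for v in per_vsys.values() for name in v["disabled"]]
    return {
        "capacity": capacity,
        "configured": configured,
        "headroom": capacity - configured,
        "over_capacity": configured > capacity,
        "per_vsys": per_vsys,
        "disabled_rules": disabled,
    }


if __name__ == "__main__":
    report = capacity_report(SAMPLE_SYSTEM_STATE, SAMPLE_CONFIG)
    for name, info in report["per_vsys"].items():
        print(f"{name}: {info['total']} rules, {len(info['disabled'])} disabled")
    print(f"configured {report['configured']} of {report['capacity']} "
          f"(headroom {report['headroom']})")
    if report["disabled_rules"]:
        print("disabled rules to review for deletion:", ", ".join(report["disabled_rules"]))
```

To run it against a real device, paste the CLI output line into SAMPLE_SYSTEM_STATE and load the exported configuration into SAMPLE_CONFIG; the GUI total under Policies > Security remains the reference count, and this script is a cross-check for the conversion and the multi-vsys addition.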


Source: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kGl6CAE&lang=en_US