Commit Failed with "Error: Security Policy '<name>' is exceeding maximum number of combinations supported for service ports(XXX) and applications(YYY)".
Created On 02/18/22 01:34 AM - Last Modified 05/03/24 19:58 PM
Symptom
- Commit failed after creating or modifying a security policy.
- Error message is seen similar to the one shown below.
Error: Security Policy 'rule1' is exceeding maximum number of combinations supported for service ports(1000) and applications(66). To fix this, please convert this Security Policy into multiple policies by either splitting applications or service ports
Error: Failed to parse security policy (Module: device)
Commit failed
Environment
- Palo Alto Firewall or Panorama.
- PAN-OS 8.0 and later.
- Security Policy.
Cause
- The maximum number of combinations supported within a single security policy is 65535.
- The number of combinations is the number of service ports multiplied by the number of applications in the policy.
- The commit fails if this number is exceeded.
Resolution
- Reduce the number of service ports and applications in the single policy so that service ports multiplied by applications stays below 65535.
- If this cannot be done, convert the security policy into multiple policies by splitting either the applications or the service ports, so that each policy stays below 65535 combinations.
Example: If 1000 service ports are needed, the applications in a single security policy must be less than 65 (1000 × 65 = 65000).
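As an added example (not part of this article and not a Palo Alto Networks tool), the following pre-commit check computes the service-port × application product for a rule and, when it exceeds 65535, splits the rule into several rules the way the resolution describes. It assumes every listed port and application counts as one member (the article does not say how port ranges are counted); the rule names and sample objects are constructed.

```python
from typing import List, Tuple

MAX_COMBINATIONS = 65535  # per-policy limit on service ports x applications (from the article)

Rule = Tuple[str, List[str], List[str]]  # (rule name, service ports, applications)


def combinations(ports: List[str], apps: List[str]) -> int:
    """Number of port/application combinations a single rule expands to."""
    return len(ports) * len(apps)


def exceeds_limit(ports: List[str], apps: List[str], limit: int = MAX_COMBINATIONS) -> bool:
    """True when the rule would fail commit with the 'exceeding maximum number of combinations' error."""
    return combinations(ports, apps) > limit


def split_rule(name: str, ports: List[str], apps: List[str],
               split: str = "applications", limit: int = MAX_COMBINATIONS) -> List[Rule]:
    """Split one rule into the fewest rules that each stay within the limit.

    split="applications" keeps every port in each new rule and chunks the
    application list; split="service" does the reverse. Assumption (not from
    the article): every listed port and application counts as one member.
    """
    if not exceeds_limit(ports, apps, limit):
        return [(name, ports, apps)]  # nothing to do, commit would succeed
    fixed, chunked = (ports, apps) if split == "applications" else (apps, ports)
    per_rule = limit // len(fixed)  # e.g. 65535 // 1000 ports = 65 apps per rule
    if per_rule == 0:
        raise ValueError(f"the unsplit list alone has {len(fixed)} members, above {limit}; split the other list")
    chunks = [chunked[i:i + per_rule] for i in range(0, len(chunked), per_rule)]
    out: List[Rule] = []
    for n, chunk in enumerate(chunks, 1):
        p, a = (fixed, chunk) if split == "applications" else (chunk, fixed)
        out.append((f"{name}-{n}", p, a))
    return out


# Constructed sample matching the error in the article: 1000 ports x 66 apps = 66000
SAMPLE_PORTS = [f"tcp-{p}" for p in range(10000, 11000)]
SAMPLE_APPS = [f"app-{i}" for i in range(1, 67)]

if __name__ == "__main__":
    print(combinations(SAMPLE_PORTS, SAMPLE_APPS), exceeds_limit(SAMPLE_PORTS, SAMPLE_APPS))
    for rule_name, p, a in split_rule("rule1", SAMPLE_PORTS, SAMPLE_APPS):
        print(rule_name, len(p), "ports x", len(a), "apps =", combinations(p, a))
```

Running it on the sample yields two rules, `rule1-1` with 1000 ports and 65 applications (65000 combinations) and `rule1-2` with the remaining application, which matches the article's own 1000 × 65 example.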