Commit fails with error "Failed to parse pbf policy".

Created On 01/13/23 04:47 AM - Last Modified 12/30/25 03:51 AM


Symptom


  • Commit on the firewall fails with the error "Failed to parse pbf policy":
    Error: Failed to parse pbf policy
    (Module: device)
    client device phase 1 failure
    Commit failed.
  • ms.log (less mp-log ms.log) shows that the number of Policy-Based Forwarding (PBF) symmetric return addresses exceeds the limit of 8:
    12:14:51.342 +0800 Error: pan_pbf_policy_from_obj(pan_config_parser.c:15538): The number of PBF return addresses cannot exceed 8
    12:14:51.342 +0800 Error: pan_rulebase_from_obj(pan_config_parser.c:16056): Failed to parse pbf policy


Environment


  • NGFW
  • Supported PAN-OS
  • Commit


Cause


  • The platform limit for Policy-Based Forwarding (PBF) symmetric return addresses has been exceeded.
  • The limit for the platform can be verified with the following command.

PA-820> show system state | match max-return-address
cfg.general.max-return-address: 0x8

 

  • This limit differs between platforms.
  • The limit applies to the number of addresses configured in the "Next Hop Address List" under "Enforce Symmetric Return" in a PBF rule.
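The following is an added pre-commit check, not part of this article or of PAN-OS: it reads the platform limit from the "show system state | match max-return-address" output quoted above and counts the symmetric return next-hop addresses per PBF rule in a configuration fragment. The XML element names (enforce-symmetric-return, enabled, nexthop-address-list) are an assumption about the PAN-OS configuration layout, and the rulebase fragment is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Output of "show system state | match max-return-address" as quoted in this article.
SYSTEM_STATE = "cfg.general.max-return-address: 0x8\n"

# Constructed PBF rulebase fragment. Element names are an assumption about the
# PAN-OS XML layout for "Enforce Symmetric Return"; addresses are documentation ranges.
PBF_RULEBASE = """<pbf><rules>
<entry name="pbf-isp-a"><enforce-symmetric-return><enabled>yes</enabled>
  <nexthop-address-list>
    <entry name="192.0.2.1"/><entry name="192.0.2.2"/><entry name="192.0.2.3"/>
    <entry name="192.0.2.4"/><entry name="192.0.2.5"/><entry name="192.0.2.6"/>
    <entry name="192.0.2.7"/><entry name="192.0.2.8"/><entry name="192.0.2.9"/>
  </nexthop-address-list></enforce-symmetric-return></entry>
<entry name="pbf-isp-b"><enforce-symmetric-return><enabled>yes</enabled>
  <nexthop-address-list><entry name="198.51.100.1"/></nexthop-address-list>
  </enforce-symmetric-return></entry>
<entry name="pbf-no-symmetric"><enforce-symmetric-return><enabled>no</enabled>
  </enforce-symmetric-return></entry>
</rules></pbf>"""


def max_return_addresses(system_state: str) -> int:
    """Extract the platform limit from the system-state line (value is printed in hex)."""
    m = re.search(r"cfg\.general\.max-return-address:\s*(0x[0-9a-fA-F]+|\d+)", system_state)
    if not m:
        raise ValueError("max-return-address not found in system state output")
    return int(m.group(1), 0)


def symmetric_return_counts(rulebase_xml: str) -> dict:
    """Map each PBF rule with symmetric return enabled to its next-hop address count."""
    root = ET.fromstring(rulebase_xml)
    counts = {}
    for rule in root.findall("./rules/entry"):
        esr = rule.find("enforce-symmetric-return")
        if esr is None or esr.findtext("enabled") != "yes":
            continue  # rules without symmetric return do not count toward the limit
        counts[rule.get("name")] = len(esr.findall("nexthop-address-list/entry"))
    return counts


def rules_over_limit(rulebase_xml: str, system_state: str) -> dict:
    """Return {rule: count} for rules that would trigger the commit error in this article."""
    limit = max_return_addresses(system_state)
    return {n: c for n, c in symmetric_return_counts(rulebase_xml).items() if c > limit}


if __name__ == "__main__":
    for name, count in rules_over_limit(PBF_RULEBASE, SYSTEM_STATE).items():
        print(f"{name}: {count} symmetric return addresses exceeds the platform limit")
```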


Resolution


  1. Reduce the number of "Enforce Symmetric Return" addresses in the Policy-Based Forwarding (PBF) rules.
  2. The screenshot below shows the relevant setting for reference.

[Figure: Symmetric return]


