System logs report error message "max registered-ip for the platform reached"
3552
Created On 01/08/25 05:52 AM - Last Modified 04/25/25 02:43 AM
Symptom
- A system log message is generated: "critical userid registe 0 max registered-ip for the platform reached (xxxx)"
- This happens when the firewall reaches the platform's maximum number of registered IP-Tags.
- The number of registered IP-Tags can keep growing when mappings are provisioned with a timeout of "never expire", because nothing ever removes them.
Environment
- Palo Alto Firewalls or Panorama
- Supported PANOS
- IP Tags
Cause
- The firewall monitors for "register", "unregister", and "timeout" events from User-ID.
- If a timeout value is set for a tag, the firewall automatically begins counting down from that value.
- The firewall unregisters the tag once the timeout expires.
- If the timeout value is 0 (i.e. the mapping never expires), the registered-IP cache must be cleared manually, or a timeout must be configured (from 0 to 30 days).
- There is also a related setting under Built-in Actions in the Log Forwarding Profile. If no Timeout value is set there, it defaults to 0, which translates to "never expire".
Resolution
- Configure the timeout value in the GUI: Objects > Log Forwarding > (click the Log Forwarding Profile) > select the name of the match list > Built-in Actions > set the "Add Tag" action and its "Timeout" value.
- The other way is to use the XML API to set the timeout values. Refer to "Apply User-ID Mapping and Populate Dynamic Address Groups".
Snippet from the doc:
"You can configure a timeout as part of the member element to automatically unregister IP address-to-tag mapping after a specified amount of time. By default, no timeout is specified meaning the mapping will not timeout and must be manually unregistered. Additionally, a timeout of zero (0) seconds does not timeout. You can specify a timeout between zero (0) seconds and 2,592,000 seconds (30 days)."
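The following is an added example (not code from the original article or from Palo Alto Networks) showing how the timeout described above is expressed on the `member` element of a User-ID XML API registration message, and how to audit a payload for mappings that would never expire. It assumes the documented `uid-message` / `register` / `entry` / `tag` / `member` structure and that the message is POSTed as the `cmd` form field to `/api/?type=user-id`; the host, API key, IP addresses and tag names are constructed placeholders.

```python
"""Build and audit PAN-OS User-ID API registration payloads with explicit timeouts.

Added example, not from the original article. Assumes the User-ID XML API
message format (uid-message/register/entry/tag/member with a timeout attribute
in seconds). Host, API key, IPs and tag names below are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

MAX_TIMEOUT = 2_592_000  # 30 days in seconds: the documented upper bound


def timeout_problem(timeout):
    """Return None if the timeout is acceptable, else a short reason string.

    A timeout of 0 is valid for the API but means the mapping never expires,
    which is exactly what lets the registered-IP table grow until the
    platform limit is reached, so it is flagged here.
    """
    if not isinstance(timeout, int) or not 0 <= timeout <= MAX_TIMEOUT:
        return f"timeout must be an integer between 0 and {MAX_TIMEOUT} seconds"
    if timeout == 0:
        return "timeout 0 means never expire; mapping must be unregistered manually"
    return None


def build_register_payload(mappings, timeout, allow_never_expire=False):
    """Return a uid-message XML string registering {ip: [tag, ...]} with a timeout."""
    problem = timeout_problem(timeout)
    if problem and not (timeout == 0 and allow_never_expire):
        raise ValueError(problem)
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    register = ET.SubElement(ET.SubElement(msg, "payload"), "register")
    for ip, tags in mappings.items():
        tag_el = ET.SubElement(ET.SubElement(register, "entry", ip=ip), "tag")
        for tag in tags:
            # The timeout lives on each member element, in seconds.
            ET.SubElement(tag_el, "member", timeout=str(timeout)).text = tag
    return ET.tostring(msg, encoding="unicode")


def find_never_expire(xml_text):
    """Return [(ip, tag)] for members with no timeout or timeout="0".

    Useful for reviewing payloads produced by scripts or log-forwarding
    integrations before they are sent to the firewall.
    """
    root = ET.fromstring(xml_text)
    hits = []
    for entry in root.iter("entry"):
        for member in entry.iter("member"):
            if member.get("timeout", "0") == "0":
                hits.append((entry.get("ip"), member.text))
    return hits


def build_request(host, api_key, xml_payload):
    """Return (url, form_body) for the User-ID API call without sending it."""
    url = f"https://{host}/api/"
    body = urlencode({"type": "user-id", "key": api_key, "cmd": xml_payload})
    return url, body


if __name__ == "__main__":
    # Constructed sample: one host tagged for an hour, one legacy never-expire entry.
    payload = build_register_payload({"10.0.0.5": ["quarantine"]}, timeout=3600)
    print(payload)
    legacy = build_register_payload({"10.0.0.6": ["legacy"]}, 0, allow_never_expire=True)
    print("never-expire mappings:", find_never_expire(legacy))
    url, body = build_request("firewall.example", "API-KEY-PLACEHOLDER", payload)
    print(url, body[:60] + "...")
```

`find_never_expire` treats a missing `timeout` attribute the same as `timeout="0"`, matching the documented default of "no timeout specified"; run it over any payload your automation generates to catch the mappings that will accumulate toward the platform limit.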