Commit fails with message: "Error: Total number of security profiles (x) exceeds platform capacity (y).”

Firewall commit or Panorama Device Group push fails with the following message:

Details:vsys1
    Error: Total number of security profiles (x) exceeds platform capacity (y)
(Module: device)
client device phase 1 failure
Commit failed

• PAN-OS 10.1 and above
• Any Palo Alto Networks Firewall

• Each firewall platform has a maximum limit of configured Security Profiles. 
• When the number is exceeded the commit fails with the above message.

Types of Profile that are included in the count:

• Security Profiles:
  • Antivirus
  • Anti-Spyware
  • Vulnerability Protection
  • URL Filtering
  • File Blocking
  • Wildfire Analysis
  • Data Filtering
• Other Profiles:
  • Decryption Profiles
  • HIP Profiles

Note: DoS Protection Security Profiles are not included in the count

• Locally configured Security Profiles:
  1. Reduce the number of Security Profiles configured on the Firewall.
  2. Commit the changes.
• Panorama pushed Security Profiles:
  1. Move Security Profiles in the Shared context to a Device Group to ensure they are not pushed to all firewalls.
  2. Place firewalls with a lower Security Profile capacity into a separate Device Group that pushes a reduced number of Profiles to those devices.
  3. Commit and Push the changes.

• When profiles are pushed from Panorama, disabling the "Share Unused Address and Service Objects with Devices" in Panorama does not apply to Security Profiles so cannot be used as a workaround.
• The maximum Security Profile limit for a given firewall can be checked from the CLI with the following command which returns the value in hexadecimal:

  > show system state filter cfg.general.max-profile
  
  cfg.general.max-profile: 0x4b