Policy Cache Usage Warning After Upgrade to PAN-OS 11.1.13-h1

khkim — Wed, 18 Mar 2026 02:41:58 GMT

After upgrading to PAN-OS 11.1.13-h1, we started seeing the following warning log:
Warning: Policy cache usage is greater than 80 percent of the capacity

We have multiple firewalls in our environment, but this issue is only occurring on devices that were upgraded to version 11.1.13-h1.

When checking with the following command:
> debug dataplane show cfg-memstat statistics
We see:
VSYS Config Allocator Usage: 51%
POLICY CACHE USAGE: 82%

Based on this behavior, we would like to know if this is a known issue or bug specific to PAN-OS 11.1.13-h1.

Re: Policy Cache Usage Warning After Upgrade to PAN-OS 11.1.13-h1

kiwi — Wed, 18 Mar 2026 09:18:33 GMT

Hi @khkim ,

It’s difficult to pinpoint the exact cause without more logs, but I’ve personally seen this error triggered by two very specific scenarios:

I've seen these warnings on PA-440 platforms. The firewall was consistently triggering memory alerts because its configuration file size (30MB) exceeds 80% of the maximum recommended configuration size (35MB) for the PA-400 platform, indicating management plane stress rather than dataplane operational capacity issues.

In case of the PA-400 scenario there were several ways to reduce the configuration file size:

Doing a thorough audit of your firewall's configuration to identify and remove any unused or redundant elements. This is the most effective way to reduce the file size. Key areas to review include:

Objects: Unused Address, Service, and Application objects or groups.
Policies: Disabled or obsolete Security, NAT, and QoS policies.
Profiles: Old or unattached Security Profiles (e.g., Antivirus, Anti-Spyware, URL Filtering).
Log Forwarding: Obsolete Log Forwarding Profiles or assignments.

The objective is to reduce the configuration size to a level comfortably below the 35 MB threshold. This stopped the alerts in the PA-400 scenario.

I’ve also seen this on VM-Series firewalls deployed on unsupported instance types (for example, an r5.xlarge on AWS). While these instances might "work" initially, they aren't officially supported and could exhibit unexpected performance drops or memory alerts under load.

You can verify your specific instance against the supported list here: VM-Series on AWS Models and Instances

I recommend opening a case with TAC for confirmation on what is causing the error in your case.

Kind regards,

topic Re: Policy Cache Usage Warning After Upgrade to PAN-OS 11.1.13-h1 in General Topics

Policy Cache Usage Warning After Upgrade to PAN-OS 11.1.13-h1

Re: Policy Cache Usage Warning After Upgrade to PAN-OS 11.1.13-h1