Increasing the max-address-per-group property

L0 Member

Increasing the max-address-per-group property


I am using the migration tool v3.1 to migrate my Checkpoint's Firewall configuration to our newly installed PA NG FW.

I am getting an error at the "Send API" page for passing the maximum number of members at address-group object :


static constraints failed : Maximum number of address per group exceeded for this platform


I found at the Live Community an article describing how to get the limit number - which in my case is 2500 :


cfg.general.max-address-per-group: 2500


But unfortunatly I have 2600 object at the checkpoint object..

Can I change the maximum number of members per address group value ?


The machine model is PA-5220 with PAN-OS 8.1 

Thanks in advanced.


Tags (2)
L1 Bithead

Re: Increasing the max-address-per-group property

 Hi ofirm1,

You can't change that value I am affraid at least by yourslef, it is possible however that in critical cases Palo alto TAC engineer can do it for you by accessing root shell, but most likely they will advise you to review your policy, having over 2,5k objects on your 5k firewall it is not a good idea keep in mind that with time that number will increase.

As far as I know it can casue problems with memory usage, depending on PanOS version, another thing is if that value gets changed when you do upgrade or reset PANOS it will back to default setting. 







Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!