11-13-2020 04:22 AM
11-14-2020 08:54 PM
Assuming that you're talking about the platform capabilities limits that are in place on the PA-5020, this isn't something that you can simply raise. If you need to go above and beyond the capabilities provided by the PA-5020, you would need to upgrade your physical hardware.
11-15-2020 05:58 AM
But do you know what specific memory or hardware I have to update to increase the port limit? (services limit is 2000)
11-15-2020 03:12 PM
Service object limits were raised on the PA-5200 and PA-3200 series with PAN-OS 9.0, so you'd need to upgrade to a 5220, as long as the PA-5020 was working properly for everything else, which would upgrade you to an 8,000 service object limit.
Personally, I would go through your configuration and see why you need to have 2000 service objects configured. Could you get rid of some of your services and switch to app-id policies where you could utilize application-default, or are you making really specific service objects that could be re-used if you renamed them to something more generic?
11-16-2020 03:54 AM
Your answer is very interesting.
Sometimes they do not ask to enable public ports but we do not know very well which application they will use behind that port, but I could ask them.
So, for example, if one of my clients asks me to enable 5664 to use a web-service, could I not use a port and enable web service as an application?
Thank you so much!
11-17-2020 09:30 AM
You could, but that wouldn't limit your service object count, which would be the real target here. If you know anything about the traffic or how it gets identified you could potentially lower your service object count, which is what you really would need to do to continue using your existing PA-5020. If you have applications that don't necessarily need to use the service object, you could remove them and specify application-default so you can lower your service object count. You could also create custom application signatures, but that's more time-consuming and you need to capture the traffic flow to build a proper signature.
If you can lower your service object count you could continue to use your PA-5020, since I'm guessing this is the only issue you are running into. If you can't lower your service object count, you need to upgrade your hardware.
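Added example, not part of the thread or any poster's code: one way to audit a configuration for service objects that define the same protocol and port under different names, which are the candidates for consolidation discussed above. It assumes the configuration has been exported as PAN-OS XML; the sample fragment, object names and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample shaped like the <service> section of an exported
# PAN-OS XML configuration; object names and ports are made up.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<service>
  <entry name="clientA-ws-5664"><protocol><tcp><port>5664</port></tcp></protocol></entry>
  <entry name="clientB-webservice"><protocol><tcp><port>5664</port></tcp></protocol></entry>
  <entry name="tcp-8443"><protocol><tcp><port>8443</port></tcp></protocol></entry>
  <entry name="clientC-dns"><protocol><udp><port>53</port></udp></protocol></entry>
  <entry name="udp-53"><protocol><udp><port>53</port></udp></protocol></entry>
  <entry name="clientA-range"><protocol><tcp><port>8000-8010</port>
    <source-port>1024-65535</source-port></tcp></protocol></entry>
</service>
</entry></vsys></entry></devices></config>
"""

def find_duplicate_services(xml_text):
    """Group service objects by (protocol, dest port, source port) and
    return only the groups that contain more than one object name."""
    root = ET.fromstring(xml_text)
    groups = defaultdict(list)
    # Rules also contain <service> elements, but those hold <member> children,
    # so only object definitions (entry/protocol) are picked up here.
    for section in root.iter("service"):
        for entry in section.findall("entry"):
            proto = entry.find("protocol")
            if proto is None or len(proto) == 0:
                continue
            spec = proto[0]  # protocol element, e.g. <tcp> or <udp>
            key = (spec.tag,
                   (spec.findtext("port") or "").strip(),
                   (spec.findtext("source-port") or "").strip())
            groups[key].append(entry.get("name"))
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def reclaimable(dups):
    """Objects that could be removed if each group kept one generic name."""
    return sum(len(names) - 1 for names in dups.values())

if __name__ == "__main__":
    dups = find_duplicate_services(SAMPLE_CONFIG)
    for (proto, port, sport), names in sorted(dups.items()):
        print(f"{proto}/{port} src={sport or 'any'}: {', '.join(names)}")
    print("objects reclaimable:", reclaimable(dups))
```

Before deleting a duplicate, every rule and service group that references its name has to be pointed at the object that is kept.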