LIMIT SERVICES (2000) IN PA 5020 ios 8.1.10

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

LIMIT SERVICES (2000) IN PA 5020 ios 8.1.10

L1 Bithead

HELLO EVERYB,

 

i there any way to increase de limit of servies? in our case er arrive to  2000 service (ports) in PA 5020 WITH IOS 8.1.10?

 

have i to increase at the hardware level? or sfoftware?

 

thank u so much

5 REPLIES 5

Cyber Elite
Cyber Elite

@JESELITO,

Assuming that you're talking about the platform capabilities limits that are in place on the PA-5020, this isn't something that you can simply raise. If you need to go above and beyond the capabilities provided by the PA-5020, you would need to upgrade your physical hardware.

thank you!

 

But do you know what specific memory or hardware I have to update to increase the port limit? (services limit is 2000)

@JESELITO,

Service object limits were raised on the PA-5200 and PA-3200 series with PAN-OS 9.0 so you'd need to upgrade to a 5220 as long as the PA-5020 was working properly for everything else which would upgrade you to a 8,000 service object limit. 

 

Personally, I would go through your configuration and see why you need to have 2000 service objects configured. Could you get rid of some of your services and switch to app-id policies where you could utilize application-default, or are you making really specific service objects that could be re-used if you renamed them to something more generic? 

your answer is very interesting.

 

Sometimes they do not ask to enable public ports but we do not know very well which application they will use behind that port, but I could ask them,

 

So, for example, if one of my clients asks me to enable 5664 to use a web-service, could I not use a port and enable web service as an application?

 

thank you so much!

@JESELITO,

You could, but that wouldn't limit your service object count which would be the real target here. If you know anything about the traffic or how it gets identified you could potentially lower your service object count, which is what you really would need to do to continue using your existing PA-5020. If you have applications that don't necessarily need to use the service object, you could remove them and specify application-default so you can lower your service object count. You could also create custom application signatures, but that's more time consuming and you need to capture the traffic flow to build a proper signature. 

 

If you can lower your service object count you could continue to use your PA-5020, since I'm guessing this is the only issue you are running into. If you can't lower your service object count, you need to upgrade your hardware. 

  • 2865 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!