LIMIT SERVICES (2000) IN PA 5020 ios 8.1.10

L1 Bithead


Hello everybody,

Is there any way to increase the limit of services? In our case we have arrived at 2000 services (ports) on a PA 5020 with IOS 8.1.10.

Do I have to increase it at the hardware level, or in software?

Thank you so much

Cyber Elite

@JESELITO,

Assuming that you're talking about the platform capabilities limits that are in place on the PA-5020, this isn't something that you can simply raise. If you need to go above and beyond the capabilities provided by the PA-5020, you would need to upgrade your physical hardware.

L1 Bithead

thank you!

 

But do you know what specific memory or hardware I have to update to increase the port limit? (services limit is 2000)

Cyber Elite

@JESELITO,

Service object limits were raised on the PA-5200 and PA-3200 series with PAN-OS 9.0, so you'd need to upgrade to a 5220, as long as the PA-5020 was working properly for everything else, which would upgrade you to an 8,000 service object limit.

 

Personally, I would go through your configuration and see why you need to have 2000 service objects configured. Could you get rid of some of your services and switch to app-id policies where you could utilize application-default, or are you making really specific service objects that could be re-used if you renamed them to something more generic? 

L1 Bithead

Your answer is very interesting.

Sometimes they do not ask to enable public ports but we do not know very well which application they will use behind that port, but I could ask them.

 

So, for example, if one of my clients asks me to enable 5664 to use a web-service, could I not use a port and enable web service as an application?

 

thank you so much!

Cyber Elite

@JESELITO,

You could, but that wouldn't limit your service object count which would be the real target here. If you know anything about the traffic or how it gets identified you could potentially lower your service object count, which is what you really would need to do to continue using your existing PA-5020. If you have applications that don't necessarily need to use the service object, you could remove them and specify application-default so you can lower your service object count. You could also create custom application signatures, but that's more time consuming and you need to capture the traffic flow to build a proper signature. 

 

If you can lower your service object count you could continue to use your PA-5020, since I'm guessing this is the only issue you are running into. If you can't lower your service object count, you need to upgrade your hardware. 
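
As an added example that is not part of the thread and not Palo Alto Networks tooling: a Python script for the configuration review suggested above, listing service objects that share the same protocol and port (candidates for one generically named object) and objects that no security rule or service group references. The XML layout follows the constructed sample embedded below, and all object and rule names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample, trimmed to the parts of an exported config used here.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <service>
    <entry name="clientA-ws-5664"><protocol><tcp><port>5664</port></tcp></protocol></entry>
    <entry name="clientB-ws-5664"><protocol><tcp><port>5664</port></tcp></protocol></entry>
    <entry name="clientC-https"><protocol><tcp><port>443</port></tcp></protocol></entry>
    <entry name="old-syslog"><protocol><udp><port>514</port></udp></protocol></entry>
  </service>
  <rulebase><security><rules>
    <entry name="allow-clientA"><service><member>clientA-ws-5664</member></service></entry>
    <entry name="allow-clientB"><service><member>clientB-ws-5664</member></service></entry>
    <entry name="allow-clientC"><service><member>clientC-https</member></service></entry>
  </rules></security></rulebase>
</entry></vsys></entry></devices></config>
"""

def audit_services(xml_text):
    """Return (duplicates, unused) for the service objects in xml_text.

    duplicates: {(protocol, port, source_port): [names]} for definitions
                shared by more than one service object.
    unused:     names not referenced by a security rule or service group
                (NAT and other rulebases are not checked in this example).
    """
    root = ET.fromstring(xml_text)
    by_definition = defaultdict(list)
    for entry in root.findall(".//service/entry"):
        for proto in entry.findall("./protocol/*"):  # <tcp> or <udp>
            key = (proto.tag,
                   proto.findtext("port", "").strip(),
                   proto.findtext("source-port", "").strip())
            by_definition[key].append(entry.get("name"))

    defined = {n for names in by_definition.values() for n in names}
    refs = (root.findall(".//rules/entry/service/member")
            + root.findall(".//service-group/entry/members/member"))
    referenced = {m.text.strip() for m in refs if m.text}

    duplicates = {k: sorted(v) for k, v in by_definition.items() if len(v) > 1}
    return duplicates, sorted(defined - referenced)

if __name__ == "__main__":
    dups, unused = audit_services(SAMPLE_CONFIG)
    for (proto, port, _src), names in dups.items():
        print(f"{proto}/{port} is defined {len(names)} times: {', '.join(names)}")
    print("not referenced:", ", ".join(unused) or "none")
```
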
