Policy Cache Usage Warning After Upgrade to PAN-OS 11.1.13-h1


L0 Member

After upgrading to PAN-OS 11.1.13-h1, we started seeing the following warning log:
Warning: Policy cache usage is greater than 80 percent of the capacity

 

We have multiple firewalls in our environment, but this issue is only occurring on devices that were upgraded to version 11.1.13-h1.

 

When checking with the following command:
> debug dataplane show cfg-memstat statistics
We see:
VSYS Config Allocator Usage: 51%
POLICY CACHE USAGE: 82%

 

Based on this behavior, we would like to know if this is a known issue or bug specific to PAN-OS 11.1.13-h1.

1 REPLY

Community Team Member

Hi @khkim,

 

It’s difficult to pinpoint the exact cause without more logs, but I’ve personally seen this error triggered by two very specific scenarios:

 

I've seen these warnings on PA-440 platforms. The firewall was consistently triggering memory alerts because its configuration file size (30MB) exceeds 80% of the maximum recommended configuration size (35MB) for the PA-400 platform, indicating management plane stress rather than dataplane operational capacity issues. 

 

In the case of the PA-400 scenario, there were several ways to reduce the configuration file size:

Doing a thorough audit of your firewall's configuration to identify and remove any unused or redundant elements. This is the most effective way to reduce the file size. Key areas to review include:

  1. Objects: Unused Address, Service, and Application objects or groups.
  2. Policies: Disabled or obsolete Security, NAT, and QoS policies.
  3. Profiles: Old or unattached Security Profiles (e.g., Antivirus, Anti-Spyware, URL Filtering).
  4. Log Forwarding: Obsolete Log Forwarding Profiles or assignments.

The objective is to reduce the configuration size to a level comfortably below the 35 MB threshold. This stopped the alerts in the PA-400 scenario.

 

I’ve also seen this on VM-Series firewalls deployed on unsupported instance types (for example, an r5.xlarge on AWS). While these instances might "work" initially, they aren't officially supported and could exhibit unexpected performance drops or memory alerts under load.

 

You can verify your specific instance against the supported list here: VM-Series on AWS Models and Instances

 

I recommend opening a case with TAC for confirmation on what is causing the error in your case.

 

Kind regards,

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !
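
The configuration audit described in the reply above can be started offline against an exported configuration file. The following is an added example, not part of the original post and not Palo Alto Networks tooling; it assumes the usual exported XML layout (`address`, `address-group` and `rulebase` entries under a vsys), the sample configuration is constructed, and the `audit` function name is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an exported configuration (not taken from the thread).
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <address>
    <entry name="web-01"><ip-netmask>10.0.1.10/32</ip-netmask></entry>
    <entry name="db-01"><ip-netmask>10.0.2.10/32</ip-netmask></entry>
    <entry name="old-ftp"><ip-netmask>10.0.9.9/32</ip-netmask></entry>
  </address>
  <address-group>
    <entry name="servers"><static><member>web-01</member></static></entry>
    <entry name="legacy"><static><member>db-01</member></static></entry>
  </address-group>
  <rulebase><security><rules>
    <entry name="allow-web"><source><member>any</member></source>
      <destination><member>servers</member></destination></entry>
    <entry name="old-rule"><source><member>any</member></source>
      <destination><member>db-01</member></destination>
      <disabled>yes</disabled></entry>
  </rules></security></rulebase>
</entry></vsys></entry></devices></config>
"""

def audit(xml_text):
    """Return cleanup candidates: unreferenced objects and disabled rules."""
    root = ET.fromstring(xml_text)
    # Heuristic (assumption): any <member> value anywhere counts as a reference.
    # References stored in other elements are not counted, so verify before deleting.
    referenced = {m.text for m in root.iter("member") if m.text}

    def unused(container):
        return sorted(e.get("name") for c in root.iter(container)
                      for e in c.findall("entry")
                      if e.get("name") not in referenced)

    disabled = sorted(r.get("name") for rules in root.iter("rules")
                      for r in rules.findall("entry")
                      if r.findtext("disabled") == "yes")
    return {"unused_addresses": unused("address"),
            "unused_address_groups": unused("address-group"),
            "disabled_rules": disabled}

if __name__ == "__main__":
    for kind, names in audit(SAMPLE_CONFIG).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Objects referenced only by an unused group or a disabled rule (`db-01` in the sample) still count as referenced, so rerun the audit after each cleanup pass.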