08-31-2017 11:46 AM
According to the New Features Guide in 7.1 PAN-OS the User Group Capacity was increased to a max of 3,200 groups IF you are following their note below:
Do not add entries to the Group Include List or Custom Group list—doing so limits the number of groups that policy rules can reference. Populated lists can have a combined maximum of only 640 groups but, by default, leaving the lists empty enables policy rules to reference up to a maximum of 3,200 groups.
So I have gone into these settings and removed all Custom Group lists and didn't have any Group Include List created.
Select Device > User Identification > Group Mapping Settings and click Add. Enter a unique Name to identify the group mapping configuration. Configure the Server Profile settings: Select the LDAP Server Profile you just created. Select Enabled (default).
Click OK.
I started receiving this alert after upgrading to PAN-OS 8.0.4 and even with all lists cleared out I am still seeing this alert every 10 minutes on a PA-200. I thought, well I'm going to be upgrading those to PA-220s anyway, but after researching, the limit is the same on those and even the PA-3020s I have. I am not getting alerts from the PA-3020s after upgrading those to PAN-OS 8.0.4.
Anyone else experienced this? Opening a ticket next week but with a lack of any search results on this error I wanted to get one posted for the next guy upgrading a PA-200 to 8.0.x in a 'group heavy' environment.