johnathan (Staff)
October 1, 2024

Technical Tip: Adding more than 10172 addresses in a local-in policy does not work as expected

Description

This article describes how to resolve a scenario where adding more than 10172 addresses to a local-in policy does not work as expected, so that traffic is unexpectedly allowed or dropped.

Scope

FortiOS 7.x.x+.

Solution

When a large number of addresses is added to a local-in policy, an implicit limit that is not visible to the user can cause unexpected behavior.

When more than 10172 addresses are added, the IPs added after this limit are not applied to the local-in policy.
This can cause confusion when a local-in policy is used to block traffic, because the IPs beyond the limit in that deny policy will still be allowed.
Here is an example of a policy with this issue (many IP addresses configured in each group):


config1.PNG
It is possible to tell whether this limit has been hit by running 'diag firewall iprope list 100001' and checking for 'flag3 (40): truncated' in the output.


iprope1.PNG

To resolve this, split the single local-in policy into multiple policies. Here is what the configuration looks like after doing this:

 

config2.PNG

Running the same command again, there is no longer any 'flag3 (40): truncated' in the output, and the total number of IP addresses pushed to the policies is greater than 10172 (6051 + 1510 + 4399 = 11960).

iprope2.PNG
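As an added example (not from the article and not Fortinet code), the following Python helper checks a captured iprope dump for the truncated marker and packs address groups into local-in policies that each stay within the 10172-address limit, using the group sizes from the article. The sample dump is constructed: only the 'flag3 (40): truncated' string comes from the article, and the surrounding line layout is an assumption.

```python
import re
from typing import Dict, List

# Implicit per-policy address limit described in the article (FortiOS 7.x local-in policy).
LOCAL_IN_ADDR_LIMIT = 10172

# Constructed sample of 'diag firewall iprope list 100001' output. Only the
# 'flag3 (40): truncated' marker is taken from the article; the other lines
# are assumptions used to make the sample look like a policy dump.
SAMPLE_TRUNCATED_DUMP = """\
policy index=1 uuid_idx=0 action=deny
flag (0):
flag2 (0):
flag3 (40): truncated
srcaddr: 10172 entries
"""


def policy_is_truncated(diag_output: str) -> bool:
    """Return True if the iprope dump carries the 'truncated' flag3 marker."""
    return re.search(r"flag3\s*\(\w+\):\s*truncated", diag_output) is not None


def split_groups_into_policies(group_sizes: Dict[str, int],
                               limit: int = LOCAL_IN_ADDR_LIMIT) -> List[List[str]]:
    """First-fit-decreasing packing of address groups into local-in policies so
    that no single policy carries more than `limit` addresses.

    Returns a list of policies, each a list of group names. A group that alone
    exceeds the limit cannot be placed and must itself be split first."""
    for name, size in group_sizes.items():
        if size > limit:
            raise ValueError(f"group {name} alone exceeds the limit ({size} > {limit})")
    policies: List[List[str]] = []
    loads: List[int] = []
    # Largest groups first gives tighter packing than insertion order.
    for name, size in sorted(group_sizes.items(), key=lambda kv: kv[1], reverse=True):
        for i, load in enumerate(loads):
            if load + size <= limit:
                policies[i].append(name)
                loads[i] += size
                break
        else:
            policies.append([name])
            loads.append(size)
    return policies


if __name__ == "__main__":
    print("truncated:", policy_is_truncated(SAMPLE_TRUNCATED_DUMP))
    # Group sizes from the article; the group names are hypothetical.
    print(split_groups_into_policies({"blocklist_a": 6051, "blocklist_b": 1510, "blocklist_c": 4399}))
```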