CN-Series Performance and Scaling

The scale numbers for the different components required to secure Kubernetes workloads with CN-Series are listed in the following sections:

Scale Supported on the CN-Series Components

| Attribute | CN-Series Scale (DaemonSet) | CN-Series Scale (K8s Service) |
| --- | --- | --- |
| Maximum CN-MGMT pairs per K8s cluster | 4 CN-MGMT pairs in Active/Passive HA mode | 4 CN-MGMT pairs in Active/Passive HA mode |
| Maximum CN-NGFW pods per CN-MGMT pair | 30 | 30 |
| Kubernetes pods secured by CN-NGFW (per K8s node) | 30 | N/A. This deployment mode is agnostic of the number of application pods on a K8s node. |
| Maximum Number of TCP/IP Sessions per CN-NGFW | CN-Series Small (2.5G CN-NGFW and 2G CN-MGMT): 20,000 sessions | CN-Series Small (2.5G CN-NGFW and 2G CN-MGMT): 250,000; CN-Series Medium (6G of CN-NGFW and 2G CN-MGMT): 819,200; CN-Series Large (42G of CN-NGFW and 4G of CN-MGMT): 10,000,000 |
| Maximum Dynamic Address Groups IP addresses* per CN-MGMT pair | 2500 (PAN-OS 10.0.6 and below); 10,000 (PAN-OS 10.0.7 and above) | CN-Series Small: 2500 (PAN-OS 10.0.6 and below), 10,000 (PAN-OS 10.0.7 and above); CN-Series Medium: 200,000; CN-Series Large: 300,000 |
| Tags per IP address* per CN-MGMT pair | 32 | 32 |
| Maximum Security Zones | CN-Series Small: 2; CN-Series Medium: N/A; CN-Series Large: 200 | CN-Series Small: 2; CN-Series Medium: 40; CN-Series Large: 200 |
| Security Profiles | CN-Series Small: 38; CN-Series Medium: N/A; CN-Series Large: 750 | CN-Series Small: 375; CN-Series Medium: 375; CN-Series Large: 750 |
| Max Interfaces | CN-Series Small: 60; CN-Series Medium: 60; CN-Series Large: 60 | CN-Series Small: 2; CN-Series Medium: 2; CN-Series Large: 2 |

| Policies | CN-Series Small (2G Mem CN-MGMT; 2G Mem or 2.5G Mem CN-NGFW) | CN-Series Medium (2G Mem CN-MGMT; 6G Mem CN-NGFW) | CN-Series Large (4G Mem CN-MGMT; 42G Mem CN-NGFW) |
| --- | --- | --- | --- |
| Security Rules | 1500 | 10,000 | 20,000 |
| Security Rule Schedules | 256 | 256 | 256 |
| NAT Rules | N/A | N/A | N/A |
| Decryption Rules | 1000 | 1000 | 2000 |
| App Override Rules | 1000 | 1000 | 2000 |
| Tunnel Content Inspection Rules | 100 | 500 | 2000 |
| SD-WAN Rules | N/A | N/A | N/A |
| Policy-based Forwarding Rules | N/A | N/A | N/A |
| Captive Portal Rules | N/A | N/A | N/A |
| DoS Protection Rules | 100 (DaemonSet); 1000 (K8s Service) | 1000 | 1000 |

| Objects (Addresses and Services) | CN-Series Small (2G Mem CN-MGMT; 2G Mem or 2.5G Mem CN-NGFW) | CN-Series Medium (2G Mem CN-MGMT; 6G Mem CN-NGFW) | CN-Series Large (4G Mem CN-MGMT; 42G Mem CN-NGFW) |
| --- | --- | --- | --- |
| Address Objects | 10,000 | 10,000 | 40,000 |
| Address Groups | 1000 | 1000 | 4000 |
| Members per Address Group | 2500 | 2500 | 2500 |
| Service Objects | 2000 | 2000 | 5000 |
| Service Groups | 500 | 500 | 250 |
| Members per Service Groups | 500 | 500 | 500 |
| FQDN Address Objects | 2000 | 2000 | 2000 |
| Max Dynamic Address Group IP Addresses | 2500 | 200,000 | 300,000 |
| Tags per IP Address | 32 | 32 | 32 |

| App-ID | CN-Series Small (2G Mem CN-MGMT; 2G Mem or 2.5G Mem CN-NGFW) | CN-Series Medium (2G Mem CN-MGMT; 6G Mem CN-NGFW) | CN-Series Large (4G Mem CN-MGMT; 42G Mem CN-NGFW) |
| --- | --- | --- | --- |
| Custom App-ID Signatures | 6000 | 6000 | 6000 |
| Shared Custom App-IDs | 512 | 512 | 512 |
| Custom App-IDs (virtual system specific) | 6416 | 6416 | 6416 |

| SSL Decryption | CN-Series Small (2G Mem CN-MGMT; 2G Mem or 2.5G Mem CN-NGFW) | CN-Series Medium (2G Mem CN-MGMT; 6G Mem CN-NGFW) | CN-Series Large (4G Mem CN-MGMT; 42G Mem CN-NGFW) |
| --- | --- | --- | --- |
| Max SSL Inbound Certificates | 1000 | 1000 | 1000 |
| SSL Certificate Cache (Forward Proxy) | 128 | 2000 | 8000 |
| Max Concurrent Decryption Sessions | 1024 (DaemonSet); 6400 (K8s Service) | 15,000 | 100,000 |
| SSL Port Mirror | No | No | No |
| SSL Decryption Broker | No | No | No |
| HSM Supported | No | No | No |

| URL Filtering | CN-Series Small (2G Mem CN-MGMT; 2G Mem or 2.5G Mem CN-NGFW) | CN-Series Medium (2G Mem CN-MGMT; 6G Mem CN-NGFW) | CN-Series Large (4G Mem CN-MGMT; 42G Mem CN-NGFW) |
| --- | --- | --- | --- |
| Total Entries for Allow List, Block List, and Custom Categories | 25,000 | 25,000 | 100,000 |
| Max Custom Categories | 500 (DaemonSet); 2849 (K8s Service) | 2849 | 2849 |
| Dataplane Cache Size for URL Filtering | 5000 (DaemonSet); 90,000 (K8s Service) | 90,000 | 250,000 |
| Management Plane Dynamic Cache Size | 100,000 | 100,000 | 600,000 |

| EDL | CN-Series Small (2G Mem CN-MGMT; 2G Mem or 2.5G Mem CN-NGFW) | CN-Series Medium (2G Mem CN-MGMT; 6G Mem CN-NGFW) | CN-Series Large (4G Mem CN-MGMT; 42G Mem CN-NGFW) |
| --- | --- | --- | --- |
| Max Number of Custom Lists | 30 | 30 | 30 |
| Max Number of IPs per System | 50,000 | 50,000 | 50,000 |
| Max Number of DNS Domains per System | 50,000 | 500,000 | 2,000,000 |
| Max Number of URLs per System | 50,000 | 100,000 | 100,000 |
| Shortest Check Interval (minutes) | 5 | 5 | 5 |

| Address Assignments | CN-Series Small (2G Mem CN-MGMT; 2G Mem or 2.5G Mem CN-NGFW) | CN-Series Medium (2G Mem CN-MGMT; 6G Mem CN-NGFW) | CN-Series Large (4G Mem CN-MGMT; 42G Mem CN-NGFW) |
| --- | --- | --- | --- |
| DHCP Servers | 3 | 10 | 125 |
| DHCP Relays | No | No | No |
| Max Number of Assigned Addresses | 64,000 | 64,000 | 64,000 |

| Interfaces | CN-Series Small (2G Mem CN-MGMT; 2G Mem or 2.5G Mem CN-NGFW) | CN-Series Medium (2G Mem CN-MGMT; 6G Mem CN-NGFW) | CN-Series Large (4G Mem CN-MGMT; 42G Mem CN-NGFW) |
| --- | --- | --- | --- |
| Max Interfaces (Logical and Physical) | 60 (DaemonSet); 2 (K8s Service) | 60 (DaemonSet); 2 (K8s Service) | 60 (DaemonSet); 2 (K8s Service) |
| Management - Out-of-Bound | N/A | N/A | N/A |
| Management - 10/100/1000 High Availability | N/A | N/A | N/A |
| Management - 40G High Availability | N/A | N/A | N/A |
| Management - 10G High Availability | N/A | N/A | N/A |
| Traffic - 10/100/1000 | N/A | N/A | N/A |
| Traffic - 100/1000/10000 | N/A | N/A | N/A |
| Traffic - 1G SFP | N/A | N/A | N/A |
| Traffic - 10G SFP+ | N/A | N/A | N/A |
| Traffic - 40/100G QSFP+/QSFP28 | N/A | N/A | N/A |
| 802.1q Tags per Device | N/A | N/A | N/A |
| 802.1q Tags per Physical Interface | N/A | N/A | N/A |
| Max Aggregate Interfaces | N/A | N/A | N/A |
| Max SD-WAN Virtual Interfaces | N/A | N/A | N/A |

| NAT | CN-Series Small (2G Mem CN-MGMT; 2G Mem or 2.5G Mem CN-NGFW) | CN-Series Medium (2G Mem CN-MGMT; 6G Mem CN-NGFW) | CN-Series Large (4G Mem CN-MGMT; 42G Mem CN-NGFW) |
| --- | --- | --- | --- |
| Total NAT Rules Capacity | N/A | N/A | N/A |
| Max NAT Rules (Static) | N/A | N/A | N/A |
| Max NAT Rules (DIP) | N/A | N/A | N/A |
| Max NAT Rules (DIPP) | N/A | N/A | N/A |
| Max Translated IPs (DIP) | N/A | N/A | N/A |
| Max Translated IPs (DIPP) | N/A | N/A | N/A |
| Default DIPP Pool Oversubscription | N/A | N/A | N/A |

| User-ID | CN-Series Small (2G Mem CN-MGMT; 2G Mem or 2.5G Mem CN-NGFW) | CN-Series Medium (2G Mem CN-MGMT; 6G Mem CN-NGFW) | CN-Series Large (4G Mem CN-MGMT; 42G Mem CN-NGFW) |
| --- | --- | --- | --- |
| IP-User Mappings (Management Plane) | N/A | N/A | N/A |
| IP-User Mappings (Dataplane) | N/A | N/A | N/A |
| Active and Unique Groups Used in Policy | N/A | N/A | N/A |
| Number of User-ID Agents | N/A | N/A | N/A |
| Monitored Servers for User-ID | N/A | N/A | N/A |
| Terminal Server Agents | N/A | N/A | N/A |
| Tags per User | N/A | N/A | N/A |

| Routing | CN-Series Small (2G Mem CN-MGMT; 2G Mem or 2.5G Mem CN-NGFW) | CN-Series Medium (2G Mem CN-MGMT; 6G Mem CN-NGFW) | CN-Series Large (4G Mem CN-MGMT; 42G Mem CN-NGFW) |
| --- | --- | --- | --- |
| IPv4 Forwarding Table Size | N/A | N/A | N/A |
| IPv6 Forwarding Table Size | N/A | N/A | N/A |
| System Total Forwarding Table Size | N/A | N/A | N/A |
| Max Routing Peers (Protocol Dependent) | N/A | N/A | N/A |
| Static Entries - DNS Proxy | N/A | N/A | N/A |
| Bidirectional Forwarding Detection (BFD) Sessions | N/A | N/A | N/A |

| L2 Forwarding | CN-Series Small (2G Mem CN-MGMT; 2G Mem or 2.5G Mem CN-NGFW) | CN-Series Medium (2G Mem CN-MGMT; 6G Mem CN-NGFW) | CN-Series Large (4G Mem CN-MGMT; 42G Mem CN-NGFW) |
| --- | --- | --- | --- |
| ARP Table Size per Device | N/A | N/A | N/A |
| IPv6 Neighbor Table Size | N/A | N/A | N/A |
| MAC Table Size per Device | N/A | N/A | N/A |
| Max ARP Entries per Broadcast Domain | N/A | N/A | N/A |
| Max MAC Entries per Broadcast Domain | N/A | N/A | N/A |

| QoS | CN-Series Small (2G Mem CN-MGMT; 2G Mem or 2.5G Mem CN-NGFW) | CN-Series Medium (2G Mem CN-MGMT; 6G Mem CN-NGFW) | CN-Series Large (4G Mem CN-MGMT; 42G Mem CN-NGFW) |
| --- | --- | --- | --- |
| Number of QoS Policies | N/A | N/A | N/A |
| Physical Interfaces Supporting QoS | N/A | N/A | N/A |
| Clear Text Nodes per Physical Interface | N/A | N/A | N/A |
| DSCP Marking by Policy | N/A | N/A | N/A |
| Subinterfaces Supported | N/A | N/A | N/A |

| IPSec VPN | CN-Series Small (2G Mem CN-MGMT; 2G Mem or 2.5G Mem CN-NGFW) | CN-Series Medium (2G Mem CN-MGMT; 6G Mem CN-NGFW) | CN-Series Large (4G Mem CN-MGMT; 42G Mem CN-NGFW) |
| --- | --- | --- | --- |
| Max IKE Peers | N/A | N/A | N/A |
| Site-to-Site (with Proxy ID) | N/A | N/A | N/A |
| SD-WAN IPSec Tunnels | N/A | N/A | N/A |

| GlobalProtect | CN-Series Small (2G Mem CN-MGMT; 2G Mem or 2.5G Mem CN-NGFW) | CN-Series Medium (2G Mem CN-MGMT; 6G Mem CN-NGFW) | CN-Series Large (4G Mem CN-MGMT; 42G Mem CN-NGFW) |
| --- | --- | --- | --- |
| GlobalProtect Client VPN: Max Tunnels (SSL, IPSec, IKE with XAUTH) | N/A | N/A | N/A |
| GlobalProtect Clientless VPN: Max SSL Tunnels | N/A | N/A | N/A |

| Multicast | CN-Series Small (2G Mem CN-MGMT; 2G Mem or 2.5G Mem CN-NGFW) | CN-Series Medium (2G Mem CN-MGMT; 6G Mem CN-NGFW) | CN-Series Large (4G Mem CN-MGMT; 42G Mem CN-NGFW) |
| --- | --- | --- | --- |
| Replication (Egress Interfaces) | N/A | N/A | N/A |
| Routes | N/A | N/A | N/A |

Scale Supported on the Kubernetes Plugin on Panorama

| Attribute | Kubernetes Plugin Scale |
| --- | --- |
| Maximum Clusters on a K8s Panorama Plugin | 16 (across all supported environments such as native K8s, AKS, EKS, GKE) |
| Maximum pods per cluster in Kubernetes plugin | 900 (30*30) |
| Maximum Services per K8s cluster (Internal + External) | 40 |
| Maximum IP addresses (Pods + Services) across clusters per device group in the Kubernetes plugin | 32*30 + 40 * 16 = 1560 (MP supports 2500) |

CN-Series Key Performance Metrics

The testing for the information in the following table was conducted on Google Kubernetes Engine (GKE) with traffic directed between nodes and between pods on the same node in the same cluster.

| Feature/Attribute | CN-Series Small (2G Mem CN-MGMT; 2G Mem or 2.5G Mem CN-NGFW) | CN-Series Medium (2G Mem CN-MGMT; 6G Mem CN-NGFW) | CN-Series Large (4G Mem CN-MGMT; 42G Mem CN-NGFW) |
| --- | --- | --- | --- |
| Firewall Throughput (App-ID Enabled) per vCPU of CN-NGFW | 500 Mbps | 500 Mbps | 500 Mbps |
| Threat Prevention Throughput per vCPU of CN-NGFW | 250 Mbps | 250 Mbps | 250 Mbps |
| Max Sessions | 20,000 (DaemonSet); 250,000 (K8s Service) | 819,200 | 10,000,000 |
| IPSec VPN Throughput per vCPU of CN-NGFW | N/A | N/A | N/A |
| Connections per Second | N/A | N/A | N/A |

| CN-Series on AWS EKS | CPU Cores | Memory | CN-Series as a DaemonSet (MMAP) | CN-Series as a Kubernetes Service (MMAP) |
| --- | --- | --- | --- | --- |
| App-ID | 1 | 2.5G | 750 Mbps | 580 Mbps |
| Content and Threat Detection | 1 | 2.5G | 310 Mbps | 275 Mbps |
| App-ID | 2 | 2.5G | 1.45 Gbps | 890 Mbps |
| Content and Threat Detection | 2 | 2.5G | 610 Mbps | 530 Mbps |
| App-ID | 4 | 2.5G - MP; 6G - DP | 2.8 Gbps | 1.45 Gbps |
| Content and Threat Detection | 4 | 2.5G - MP; 6G - DP | 1.19 Gbps | 1.04 Gbps |

| CN-Series on Google Cloud GKE (XDP Enabled) | CPU Cores | Memory | CN-Series as a DaemonSet | CN-Series as a Kubernetes Service |
| --- | --- | --- | --- | --- |
| App-ID | 1 | 2.5G | 950 Mbps | 750 Mbps |
| Content and Threat Detection | 1 | 2.5G | 320 Mbps | 310 Mbps |
| App-ID | 2 | 2.5G | 1.7 Gbps | 900 Mbps |
| Content and Threat Detection | 2 | 2.5G | 640 Mbps | 575 Mbps |
