CN-Series Performance and Scaling

The scale numbers that the different components required to Secure Kubernetes Workloads with CN-Series are listed in the following sections:

Scale Supported on the CN-Series Components

For information on CN-Series CPU, memory, and disk storage definitions, see CN-Series System Requirements.
The following table separates some data by CN-Series sizes—small, medium, and large. These CN-Series sizes have the following memory values:
  • CN-Series Small
    —Minimum 2.5G CN-NGFW and 3G CN-MGMT
  • CN-Series Medium
    —Minimum 6G of CN-NGFW and 2G CN-MGMT
  • CN-Series Large
    —Minimum 42G of CN-NGFW and 4G of CN-MGMT
Attribute
CN-Series Scale (DaemonSet)
CN-Series Scale (K8s Service)
CN-Series Scale (K8s-CNF)
Maximum CN-MGMT pairs per K8s cluster
4 CN-MGMT pairs in Active/Passive HA mode
4 CN-MGMT pairs in Active/Passive HA mode
4 CN-MGMT pairs in Active/Passive HA mode
Maximum CN-NGFW pods per CN-MGMT pair
30
30
30
Kubernetes pods secured by CN-NGFW (per K8s node)
30
N/A
This deployment mode is agnostic of the number of application pods on a K8s node.
N/A
This deployment mode is agnostic of the number of application pods on a K8s node.
Maximum Number of TCP/IP Sessions per CN-NGFW
CN-Series Small: 20,000
CN-Series Medium: 819,200
CN-Series Large: 10,000,000
CN-Series Small: 250,000
CN-Series Medium: 819,200
CN-Series Large: 10,000,000
CN-Series Small: 250,000
CN-Series Medium: 819,200
CN-Series Large: 10,000,000
Maximum Dynamic Address Groups IP addresses* per CN-MGMT pair
CN-Series Small: 2500 (PAN-OS 10.0.6 and below)
10,000 (PAN-OS 10.0.7 and above)
CN-Series Small: 2500 (PAN-OS 10.0.6 and below)
10,000 (PAN-OS 10.0.7 and above)
CN-Series Medium: 200,000
CN-Series Large: 300,000
CN-Series Small: 2500 (PAN-OS 10.0.6 and below)
10,000 (PAN-OS 10.0.7 and above)
CN-Series Medium: 200,000
CN-Series Large: 300,000
Tags per IP address* per CN-MGMT pair
32
32
32
Maximum Security Zones
CN-Series Small: 2
CN-Series Medium: 40
CN-Series Large: 200
CN-Series Small: 2
CN-Series Medium: 40
CN-Series Large: 200
CN-Series Small: 2
CN-Series Medium: 40
CN-Series Large: 200
Security Profiles
CN-Series Small: 38
CN-Series Medium: 375
CN-Series Large: 750
CN-Series Small: 375
CN-Series Medium: 375
CN-Series Large: 750
CN-Series Small: 375
CN-Series Medium: 375
CN-Series Large: 750
Max Interfaces
CN-Series Small: 60
CN-Series Medium: 60
CN-Series Large: 60
CN-Series Small: 2
CN-Series Medium: 2
CN-Series Large: 2
CN-Series Small: 60
CN-Series Medium: 60
CN-Series Large: 60
Policies
CN-Series Small
(Min 2.5G CN-NGFW and Min 3G CN-MGMT)
CN-Series Medium
(Min 6G CN-NGFW and Min 2G CN-MGMT)
CN-Series Large
(Min 42G CN-NGFW and Min 4G CN-MGMT)
Security Rules
1500
10,000
20,000
Security Rule Schedules
256
256
256
NAT Rules
N/A
N/A
N/A
Decryption Rules
1000
1000
2000
App Override Rules
1000
1000
2000
Tunnel Content Inspection Rules
100
500
2000
SD-WAN Rules
N/A
N/A
N/A
Policy-based Forwarding Rules
N/A
N/A
N/A
Captive Portal Rules
N/A
N/A
N/A
DoS Protection Rules
  • 100 (DaemonSet)
  • 1000 (K8s Service)
1000
1000
Objects (Addresses and Services)
CN-Series Small
(Min 2.5G CN-NGFW and Min 3G CN-MGMT)
CN-Series Medium
(Min 6G CN-NGFW and Min 2G CN-MGMT)
CN-Series Large
(Min 42G CN-NGFW and Min 4G CN-MGMT)
Address Objects
10,000
10,000
40,000
Address Groups
1000
1000
4000
Members per Address Group
2500
2500
2500
Service Objects
2000
2000
5000
Service Groups
500
500
250
Members per Service Groups
500
500
500
FQDN Address Objects
2000
2000
2000
Max Dynamic Address Group IP Addresses
2500
200,000
300,000
Tags per IP Address
32
32
32
App-ID
CN-Series Small
(Min 2.5G CN-NGFW and Min 3G CN-MGMT)
CN-Series Medium
(Min 6G CN-NGFW and Min 2G CN-MGMT)
CN-Series Large
(Min 42G CN-NGFW and Min 4G CN-MGMT)
Custom App-ID Signatures
6000
6000
6000
Shared Custom App-IDs
512
512
512
Custom App-IDs (virtual system specific)
6416
6416
6416
SSL Decryption
CN-Series Small
(Min 2.5G CN-NGFW and Min 3G CN-MGMT)
CN-Series Medium
(Min 6G CN-NGFW and Min 2G CN-MGMT)
CN-Series Large
(Min 42G CN-NGFW and Min 4G CN-MGMT)
Max SSL Inbound Certificates
1000
1000
1000
SSL Certificate Cache (Forward Proxy)
128
2000
8000
Max Concurrent Decryption Sessions
  • 1024 (DaemonSet)
  • 6400 (K8s Service)
15,000
100,000
SSL Port Mirror
No
No
No
SSL Decryption Broker
No
No
No
HSM Supported
No
No
No
URL Filtering
CN-Series Small
(Min 2.5G CN-NGFW and Min 3G CN-MGMT)
CN-Series Medium
(Min 6G CN-NGFW and Min 2G CN-MGMT)
CN-Series Large
(Min 42G CN-NGFW and Min 4G CN-MGMT)
Total Entries for Allow List, Block List, and Custom Categories
25,000
25,000
100,000
Max Custom Categories
  • 500 (DaemonSet)
  • 2849 (K8s Service)
2849
2849
Dataplane Cache Size for URL Filtering
  • 5000 (DaemonSet)
  • 90,000 (K8s Service)
90,000
250,000
Management Plane Dynamic Cache Size
100,000
100,000
600,000
EDL
CN-Series Small
(Min 2.5G CN-NGFW and Min 3G CN-MGMT)
CN-Series Medium
(Min 6G CN-NGFW and Min 2G CN-MGMT)
CN-Series Large
(Min 42G CN-NGFW and Min 4G CN-MGMT)
Max Number of Custom Lists
30
30
30
Max Number of IPs per System
50,000
50,000
50,000
Max Number of DNS Domains per System
50,000
500,000
2,000,000
Max Number of URLs per System
50,000
100,000
100,000
Shortest Check Interval (minutes)
5
5
5
Address Assignments
CN-Series Small
(Min 2.5G CN-NGFW and Min 3G CN-MGMT)
CN-Series Medium
(Min 6G CN-NGFW and Min 2G CN-MGMT)
CN-Series Large
(Min 42G CN-NGFW and Min 4G CN-MGMT)
DHCP Servers
3
10
125
DHCP Relays
No
No
No
Max Number of Assigned Addresses
64,000
64,000
64,000
Interfaces
CN-Series Small
(Min 2.5G CN-NGFW and Min 3G CN-MGMT)
CN-Series Medium
(Min 6G CN-NGFW and Min 2G CN-MGMT)
CN-Series Large
(Min 42G CN-NGFW and Min 4G CN-MGMT)
Max Interfaces (Logical and Physical)
  • 60 (DaemonSet)
  • 2 (K8s Service)
  • 2 (K8s-CNF)
  • 60 (DaemonSet)
  • 2 (K8s Service)
  • 2 (K8s-CNF)
  • 60 (DaemonSet)
  • 2 (K8s Service)
  • 2 (K8s-CNF)
Management - Out-of-Bound
N/A
N/A
N/A
Management - 10/100/1000 High Availability
N/A
N/A
N/A
Management - 40G High Availability
N/A
N/A
N/A
Management - 10G High Availability
N/A
N/A
N/A
Traffic - 10/100/1000
N/A
N/A
N/A
Traffic - 100/1000/10000
N/A
N/A
N/A
Traffic - 1G SFP
N/A
N/A
N/A
Traffic - 10G SFP+
N/A
N/A
N/A
Traffic - 40/100G QSFP+/QSFP28
N/A
N/A
N/A
802.1q Tags per Device
N/A
N/A
N/A
802.1q Tags per Physical Interface
N/A
N/A
N/A
Max Aggregate Interfaces
N/A
N/A
N/A
Max SD-WAN Virtual Interfaces
N/A
N/A
N/A
NAT
CN-Series Small
(Min 2.5G CN-NGFW and Min 3G CN-MGMT)
CN-Series Medium
(Min 6G CN-NGFW and Min 2G CN-MGMT)
CN-Series Large
(Min 42G CN-NGFW and Min 4G CN-MGMT)
Total NAT Rules Capacity
N/A
N/A
N/A
Max NAT Rules (Static)
N/A
N/A
N/A
Max NAT Rules (DIP)
N/A
N/A
N/A
Max NAT Rules (DIPP)
N/A
N/A
N/A
Max Translated IPs (DIP)
N/A
N/A
N/A
Max Translated IPs (DIPP)
N/A
N/A
N/A
Default DIPP Pool Oversubscription
N/A
N/A
N/A
User-ID
CN-Series Small
(Min 2.5G CN-NGFW and Min 3G CN-MGMT)
CN-Series Medium
(Min 6G CN-NGFW and Min 2G CN-MGMT)
CN-Series Large
(Min 42G CN-NGFW and Min 4G CN-MGMT)
IP-User Mappings (Management Plane)
N/A
N/A
N/A
IP-User Mappings (Dataplane)
N/A
N/A
N/A
Active and Unique Groups Used in Policy
N/A
N/A
N/A
Number of User-ID Agents
N/A
N/A
N/A
Monitored Servers for User-ID
N/A
N/A
N/A
Terminal Server Agents
N/A
N/A
N/A
Tags per User
N/A
N/A
N/A
Routing
CN-Series Small
(Min 2.5G CN-NGFW and Min 3G CN-MGMT)
CN-Series Medium
(Min 6G CN-NGFW and Min 2G CN-MGMT)
CN-Series Large
(Min 42G CN-NGFW and Min 4G CN-MGMT)
IPv4 Forwarding Table Size
N/A
N/A
N/A
IPv6 Forwarding Table Size
N/A
N/A
N/A
System Total Forwarding Table Size
N/A
N/A
N/A
Max Routing Peers (Protocol Dependent)
N/A
N/A
N/A
Static Entries - DNS Proxy
N/A
N/A
N/A
Bidirection Forwarding Detection (BFD) Sessions
N/A
N/A
N/A
L2 Forwarding
CN-Series Small
(Min 2.5G CN-NGFW and Min 3G CN-MGMT)
CN-Series Medium
(Min 6G CN-NGFW and Min 2G CN-MGMT)
CN-Series Large
(Min 42G CN-NGFW and Min 4G CN-MGMT)
ARP Table Size per Device
N/A
N/A
N/A
IPv6 Neighbor Table Size
N/A
N/A
N/A
MAC Table Size per Device
N/A
N/A
N/A
Max ARP Entries per Broadcast Domain
N/A
N/A
N/A
Max MAC Entries per Broadcast Domain
N/A
N/A
N/A
QoS
CN-Series Small
(Min 2.5G CN-NGFW and Min 3G CN-MGMT)
CN-Series Medium
(Min 6G CN-NGFW and Min 2G CN-MGMT)
CN-Series Large
(Min 42G CN-NGFW and Min 4G CN-MGMT)
Number of QoS Policies
N/A
N/A
N/A
Physical Interfaces Supporting QoS
N/A
N/A
N/A
Clear Text Nodes per Physical Interface
N/A
N/A
N/A
DSCP Marking by Policy
N/A
N/A
N/A
Subinterfaces Supported
N/A
N/A
N/A
IPSec VPN
CN-Series Small
(Min 2.5G CN-NGFW and Min 3G CN-MGMT)
CN-Series Medium
(Min 6G CN-NGFW and Min 2G CN-MGMT)
CN-Series Large
(Min 42G CN-NGFW and Min 4G CN-MGMT)
Max IKE Peers
N/A
N/A
N/A
Site-to-Site (with Proxy ID)
N/A
N/A
N/A
SD-WAN IPSec Tunnels
N/A
N/A
N/A
GlobalProtect
CN-Series Small
(Min 2.5G CN-NGFW and Min 3G CN-MGMT)
CN-Series Medium
(Min 6G CN-NGFW and Min 2G CN-MGMT)
CN-Series Large
(Min 42G CN-NGFW and Min 4G CN-MGMT)
GlobalProtect Client VPN
Max Tunnels (SSL, IPSec, IKE with XAUTH)
N/A
N/A
N/A
GlobalProtect Clientless VPN
Max SSL Tunnels
N/A
N/A
N/A
Multicast
CN-Series Small
(Min 2.5G CN-NGFW and Min 3G CN-MGMT)
CN-Series Medium
(Min 6G CN-NGFW and Min 2G CN-MGMT)
CN-Series Large
(Min 42G CN-NGFW and Min 4G CN-MGMT)
Replication (Egress Interfaces)
N/A
N/A
N/A
Routes
N/A
N/A
N/A

Scale Supported on the Kubernetes Plugin on Panorama

Attribute
Kubernetes Plugin Scale
Maximum Clusters on a K8s Panorama Plugin
16 (across all supported environments such as native K8s, AKS, EKS, GKE)
Maximum pods per cluster in Kubernetes plugin
900 (30*30)
Maximum Services per K8s cluster (Internal + External)
40
Maximum IP addresses (Pods + Services) across clusters per device group in the Kubernetes plugin
32*30 + 40 * 16 = 1560 (MP supports 2500)

CN-Series Key Performance Metrics

CN-Series on AWS EKS
CPU Cores
CN-Series as a DaemonSet (MMAP)
CN-Series as a Kubernetes Service (MMAP)
CN-Series as a Kubernetes CNF (MMAP)
App-ID
1
750 Mbps
580 Mbps
580 Mbps
Content and Threat Detection
1
310 Mbps
275 Mbps
275 Mbps
App-ID
2
1.45 Gbps
890 Mbps
890 Mbps
Content and Threat Detection
2
610 Mbps
530 Mbps
530 Mbps
App-ID
4
2.8 Gbps
1.45 Gbps
1.45 Gbps
Content and Threat Detection
4
1.19 Gbps
1.04 Gbps
1.04 Gbps
CN-Series on Google Cloud GKE (XDP Enabled)
CPU Cores
CN-Series as a DaemonSet
CN-Series as a Kubernetes Service
App-ID
1
950 Mbps
750 Mbps
Content and Threat Detection
1
320 Mbps
310 Mbps
App-ID
2
1.7 Gbps
900 Mbps
Content and Threat Detection
2
640 Mbps
575 Mbps
The testing for the information in the following table was conducted on Google Kubernetes Engine (GKE) with traffic directed between nodes and between pods on the same node in the same cluster
Feature/Attribute
CN-Series Small
CN-Series Medium
CN-Series Large
Firewall Throughput (App-ID Enabled) per vCPU of CN-NGFW
500 Mbps
500 Mbps
500 Mbps
Threat Prevention Throughput per vCPU of CN-NGFW
250 Mbps
250 Mbps
250 Mbps
Max Sessions
  • 20,000 (DaemonSet)
  • 250,000 (K8s Service)
  • 250,000 (K8s-CNF)
819,200
10,000,000
IPSec VPN Throughput per vCPU of CN-NGFW
N/A
N/A
N/A
Connections per Second
N/A
N/A
N/A

Recommended For You