CN-Series Performance and Scaling
The scale numbers for the different components required to secure Kubernetes workloads with the CN-Series are listed in the following sections:
Scale Supported on the CN-Series Components
For information on CN-Series CPU, memory, and disk storage
definitions, see CN-Series System Requirements.
The following table separates some data by CN-Series sizes—small,
medium, and large. These CN-Series sizes have the following memory values:
- CN-Series Small—Minimum 2.5G CN-NGFW and 3G CN-MGMT
- CN-Series Medium—Minimum 6G of CN-NGFW and 3G CN-MGMT
- CN-Series Large—Minimum 42G of CN-NGFW and 4G of CN-MGMT
Attribute | CN-Series Scale (DaemonSet) | CN-Series Scale (K8s Service) | CN-Series Scale (K8s-CNF) |
---|---|---|---|
Maximum CN-MGMT pairs per K8s cluster | 4 CN-MGMT pairs in Active/Passive HA mode | 4 CN-MGMT pairs in Active/Passive HA mode | 4 CN-MGMT pairs in Active/Passive HA mode |
Maximum CN-NGFW pods per CN-MGMT pair | 30 | 30 | 30 |
Kubernetes pods secured by CN-NGFW (per K8s node) | 30 (PAN-OS 10.1.8 or earlier); 125 (PAN-OS 10.1.9 and above with k8s 2.0.2 installed) | N/A (this deployment mode is agnostic of the number of application pods on a K8s node) | N/A (this deployment mode is agnostic of the number of application pods on a K8s node) |
Maximum number of TCP/IP sessions per CN-NGFW | Small: 20,000; Medium: 819,200; Large: 10,000,000 | Small: 250,000; Medium: 819,200; Large: 10,000,000 | Small: 250,000; Medium: 819,200; Large: 10,000,000 |
Maximum Dynamic Address Group IP addresses* per CN-MGMT pair | Small: 2500 (PAN-OS 10.0.6 and below), 10,000 (PAN-OS 10.0.7 and above) | Small: 2500 (PAN-OS 10.0.6 and below), 10,000 (PAN-OS 10.0.7 and above); Medium: 200,000; Large: 300,000 | Small: 2500 (PAN-OS 10.0.6 and below), 10,000 (PAN-OS 10.0.7 and above); Medium: 200,000; Large: 300,000 |
Tags per IP address* per CN-MGMT pair | 32 | 32 | 32 |
Maximum Security Zones | Small: 2; Medium: 40; Large: 200 | Small: 2; Medium: 40; Large: 200 | Small: 2; Medium: 40; Large: 200 |
Security Profiles | Small: 38; Medium: 375; Large: 750 | Small: 375; Medium: 375; Large: 750 | Small: 375; Medium: 375; Large: 750 |
Max Interfaces | PAN-OS 10.1.8 or earlier: Small 30, Medium 30, Large 30; PAN-OS 10.1.9 and above with k8s 2.0.2 installed: Small 250, Medium 250, Large 250 | Small: 2; Medium: 2; Large: 2 | Small: 60; Medium: 60; Large: 60 |
*See the Firewall comparison tool.
Policies | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
Security Rules | 1500 | 10,000 | 20,000 |
Security Rule Schedules | 256 | 256 | 256 |
NAT Rules | N/A | N/A | N/A |
Decryption Rules | 1000 | 1000 | 2000 |
App Override Rules | 1000 | 1000 | 2000 |
Tunnel Content Inspection Rules | 100 | 500 | 2000 |
SD-WAN Rules | N/A | N/A | N/A |
Policy-based Forwarding Rules | N/A | N/A | N/A |
Captive Portal Rules | N/A | N/A | N/A |
DoS Protection Rules | | 1000 | 1000 |
Objects (Addresses and Services) | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
Address Objects | 10,000 | 10,000 | 40,000 |
Address Groups | 1000 | 1000 | 4000 |
Members per Address Group | 2500 | 2500 | 2500 |
Service Objects | 2000 | 2000 | 5000 |
Service Groups | 500 | 500 | 250 |
Members per Service Groups | 500 | 500 | 500 |
FQDN Address Objects | 2000 | 2000 | 2000 |
Max Dynamic Address Group IP Addresses | 2500 | 200,000 | 300,000 |
Tags per IP Address | 32 | 32 | 32 |
App-ID | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
Custom App-ID Signatures | 6000 | 6000 | 6000 |
Shared Custom App-IDs | 512 | 512 | 512 |
Custom App-IDs (virtual system specific) | 6416 | 6416 | 6416 |
SSL Decryption | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
Max SSL Inbound Certificates | 1000 | 1000 | 1000 |
SSL Certificate Cache (Forward Proxy) | 128 | 2000 | 8000 |
Max Concurrent Decryption Sessions | | 15,000 | 100,000 |
SSL Port Mirror | No | No | No |
SSL Decryption Broker | No | No | No |
HSM Supported | No | No | No |
URL Filtering | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
Total Entries for Allow List, Block List, and Custom Categories | 25,000 | 25,000 | 100,000 |
Max Custom Categories | | 2849 | 2849 |
Dataplane Cache Size for URL Filtering | | 90,000 | 250,000 |
Management Plane Dynamic Cache Size | 100,000 | 100,000 | 600,000 |
EDL | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
Max Number of Custom Lists | 30 | 30 | 30 |
Max Number of IPs per System | 50,000 | 50,000 | 50,000 |
Max Number of DNS Domains per System | 50,000 | 500,000 | 2,000,000 |
Max Number of URLs per System | 50,000 | 100,000 | 100,000 |
Shortest Check Interval (minutes) | 5 | 5 | 5 |
Address Assignments | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
DHCP Servers | 3 | 10 | 125 |
DHCP Relays | No | No | No |
Max Number of Assigned Addresses | 64,000 | 64,000 | 64,000 |
Interfaces | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
Max Interfaces (Logical and Physical) | | | |
Management - Out-of-Bound | N/A | N/A | N/A |
Management - 10/100/1000 High Availability | N/A | N/A | N/A |
Management - 40G High Availability | N/A | N/A | N/A |
Management - 10G High Availability | N/A | N/A | N/A |
Traffic - 10/100/1000 | N/A | N/A | N/A |
Traffic - 100/1000/10000 | N/A | N/A | N/A |
Traffic - 1G SFP | N/A | N/A | N/A |
Traffic - 10G SFP+ | N/A | N/A | N/A |
Traffic - 40/100G QSFP+/QSFP28 | N/A | N/A | N/A |
802.1q Tags per Device | N/A | N/A | N/A |
802.1q Tags per Physical Interface | N/A | N/A | N/A |
Max Aggregate Interfaces | N/A | N/A | N/A |
Max SD-WAN Virtual Interfaces | N/A | N/A | N/A |
NAT | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
Total NAT Rules Capacity | N/A | N/A | N/A |
Max NAT Rules (Static) | N/A | N/A | N/A |
Max NAT Rules (DIP) | N/A | N/A | N/A |
Max NAT Rules (DIPP) | N/A | N/A | N/A |
Max Translated IPs (DIP) | N/A | N/A | N/A |
Max Translated IPs (DIPP) | N/A | N/A | N/A |
Default DIPP Pool Oversubscription | N/A | N/A | N/A |
User-ID | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
IP-User Mappings (Management Plane) | N/A | N/A | N/A |
IP-User Mappings (Dataplane) | N/A | N/A | N/A |
Active and Unique Groups Used in Policy | N/A | N/A | N/A |
Number of User-ID Agents | N/A | N/A | N/A |
Monitored Servers for User-ID | N/A | N/A | N/A |
Terminal Server Agents | N/A | N/A | N/A |
Tags per User | N/A | N/A | N/A |
Routing | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
IPv4 Forwarding Table Size | N/A | N/A | N/A |
IPv6 Forwarding Table Size | N/A | N/A | N/A |
System Total Forwarding Table Size | N/A | N/A | N/A |
Max Routing Peers (Protocol Dependent) | N/A | N/A | N/A |
Static Entries - DNS Proxy | N/A | N/A | N/A |
Bidirectional Forwarding Detection (BFD) Sessions | N/A | N/A | N/A |
L2 Forwarding | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
ARP Table Size per Device | N/A | N/A | N/A |
IPv6 Neighbor Table Size | N/A | N/A | N/A |
MAC Table Size per Device | N/A | N/A | N/A |
Max ARP Entries per Broadcast Domain | N/A | N/A | N/A |
Max MAC Entries per Broadcast Domain | N/A | N/A | N/A |
QoS | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
Number of QoS Policies | N/A | N/A | N/A |
Physical Interfaces Supporting QoS | N/A | N/A | N/A |
Clear Text Nodes per Physical Interface | N/A | N/A | N/A |
DSCP Marking by Policy | N/A | N/A | N/A |
Subinterfaces Supported | N/A | N/A | N/A |
IPSec VPN | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
Max IKE Peers | N/A | N/A | N/A |
Site-to-Site (with Proxy ID) | N/A | N/A | N/A |
SD-WAN IPSec Tunnels | N/A | N/A | N/A |
GlobalProtect | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
GlobalProtect Client VPN Max Tunnels (SSL, IPSec, IKE with XAUTH) | N/A | N/A | N/A |
GlobalProtect Clientless VPN Max SSL Tunnels | N/A | N/A | N/A |
Multicast | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
Replication (Egress Interfaces) | N/A | N/A | N/A |
Routes | N/A | N/A | N/A |
Scale Supported on the Kubernetes Plugin on Panorama
Attribute | Kubernetes Plugin Scale |
---|---|
Maximum Clusters on a K8s Panorama Plugin | 32 (across all supported environments such as native K8s, AKS, EKS, GKE) |
CN-Series Key Performance Metrics
CN-Series on AWS EKS
Feature/Attribute | CPU Cores | CN-Series as a DaemonSet (MMAP) | CN-Series as a Kubernetes Service (MMAP) | CN-Series as a Kubernetes CNF (MMAP) |
---|---|---|---|---|
App-ID | 1 | 750 Mbps | 580 Mbps | 580 Mbps |
Content and Threat Detection | 1 | 310 Mbps | 275 Mbps | 275 Mbps |
App-ID | 2 | 1.45 Gbps | 890 Mbps | 890 Mbps |
Content and Threat Detection | 2 | 610 Mbps | 530 Mbps | 530 Mbps |
App-ID | 4 | 2.8 Gbps | 1.45 Gbps | 1.45 Gbps |
Content and Threat Detection | 4 | 1.19 Gbps | 1.04 Gbps | 1.04 Gbps |

CN-Series on Google Cloud GKE (XDP Enabled)
Feature/Attribute | CPU Cores | CN-Series as a DaemonSet | CN-Series as a Kubernetes Service |
---|---|---|---|
App-ID | 1 | 950 Mbps | 750 Mbps |
Content and Threat Detection | 1 | 320 Mbps | 310 Mbps |
App-ID | 2 | 1.7 Gbps | 900 Mbps |
Content and Threat Detection | 2 | 640 Mbps | 575 Mbps |
The testing for the information in the following table was conducted on Google Kubernetes Engine (GKE), with traffic directed between nodes and between pods on the same node in the same cluster.

Feature/Attribute | CN-Series Small | CN-Series Medium | CN-Series Large |
---|---|---|---|
Firewall Throughput (App-ID Enabled) per vCPU of CN-NGFW | 500 Mbps | 500 Mbps | 500 Mbps |
Threat Prevention Throughput per vCPU of CN-NGFW | 250 Mbps | 250 Mbps | 250 Mbps |
Max Sessions | | 819,200 | 10,000,000 |
IPSec VPN Throughput per vCPU of CN-NGFW | N/A | N/A | N/A |
Connections per Second | N/A | N/A | N/A |