CN-Series Performance and Scaling
Performance and Scaling
The scale numbers for the different components required to Secure Kubernetes Workloads with CN-Series Firewall are listed in the following sections:
- Scale Supported on the CN-Series Components
- Scale Supported on the Kubernetes Plugin on Panorama
- CN-Series Key Performance Metrics
Scale Supported on the CN-Series Components
For information on CN-Series CPU, memory, and disk storage definitions, see CN-Series System Requirements for the Kubernetes Cluster.
The following table separates some data by CN-Series sizes—small, medium, and large.
These CN-Series sizes have the following memory values:
- CN-Series Small—Minimum 2.5G CN-NGFW and 3G CN-MGMT
- CN-Series Medium—Minimum 6G CN-NGFW and 3G CN-MGMT
- CN-Series Large—Minimum 42G CN-NGFW and 4G CN-MGMT
Attribute | CN-Series Scale (DaemonSet) | CN-Series Scale (K8s Service) | CN-Series Scale (K8s-CNF) |
---|---|---|---|
Maximum CN-MGMT pairs per K8s cluster | 4 CN-MGMT pairs in Active/Passive HA mode | 4 CN-MGMT pairs in Active/Passive HA mode | 4 CN-MGMT pairs in Active/Passive HA mode |
Maximum CN-NGFW pods per CN-MGMT pair | 30 | 30 | 30 |
Kubernetes pods secured by CN-NGFW (per K8s node) | 30 (PAN-OS 10.1.8 or earlier); 125 (PAN-OS 10.1.9 and above with k8s 2.0.2 installed) | N/A (this deployment mode is agnostic of the number of application pods on a K8s node) | N/A (this deployment mode is agnostic of the number of application pods on a K8s node) |
Maximum Number of TCP/IP Sessions per CN-NGFW | Small: 20,000; Medium: 819,200; Large: 10,000,000 | Small: 250,000; Medium: 819,200; Large: 10,000,000 | Small: 250,000; Medium: 819,200; Large: 10,000,000 |
Maximum Dynamic Address Group IP addresses* per CN-MGMT pair | Small: 2500 (PAN-OS 10.0.6 and below), 10,000 (PAN-OS 10.0.7 and above) | Small: 2500 (PAN-OS 10.0.6 and below), 10,000 (PAN-OS 10.0.7 and above); Medium: 200,000; Large: 300,000 | Small: 2500 (PAN-OS 10.0.6 and below), 10,000 (PAN-OS 10.0.7 and above); Medium: 200,000; Large: 300,000 |
Tags per IP address* per CN-MGMT pair | 32 | 32 | 32 |
Maximum Security Zones | Small: 2; Medium: 40; Large: 200 | Small: 2; Medium: 40; Large: 200 | Small: 2; Medium: 40; Large: 200 |
Security Profiles | Small: 38; Medium: 375; Large: 750 | Small: 375; Medium: 375; Large: 750 | Small: 375; Medium: 375; Large: 750 |
Max Interfaces | PAN-OS 10.1.8 or earlier: 30 (Small, Medium, and Large); PAN-OS 10.1.9 and above with k8s 2.0.2 installed: 250 (Small, Medium, and Large) | 2 (Small, Medium, and Large) | 60 (Small, Medium, and Large) |
*See the Firewall comparison tool.
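The DaemonSet-mode limits in the table above combine into a few sizing constraints: each node's application pods must stay under the per-node limit for the running PAN-OS version, and the CN-NGFW pods (one per node in DaemonSet mode) must fit within 30 per CN-MGMT pair and 4 pairs per cluster. The following is an added capacity check, not Palo Alto Networks code; it assumes one CN-NGFW per node and takes a constructed node-to-pod-count mapping as input.

```python
"""Capacity check against the CN-Series DaemonSet scale limits in the table above.

Added example, not vendor code. The limits are copied from the table; the per-node
limit is 30 on PAN-OS 10.1.8 or earlier and 125 on 10.1.9 and above (the table also
requires k8s 2.0.2 for the higher limit, which this check assumes is installed).
"""
import math

MAX_CN_MGMT_PAIRS_PER_CLUSTER = 4
MAX_CN_NGFW_PODS_PER_MGMT_PAIR = 30


def pods_per_node_limit(panos_version: str) -> int:
    """Return the documented per-node secured-pod limit for a PAN-OS version string."""
    parsed = tuple(int(part) for part in panos_version.split("."))
    return 125 if parsed >= (10, 1, 9) else 30


def check_daemonset_capacity(node_pods: dict, panos_version: str) -> dict:
    """Compare a cluster layout with the DaemonSet limits.

    node_pods maps node name -> number of application pods on that node. In DaemonSet
    mode one CN-NGFW runs per node (assumption), so len(node_pods) is the number of
    CN-NGFW pods the CN-MGMT pairs must manage.
    """
    per_node_limit = pods_per_node_limit(panos_version)
    # Nodes whose pod count exceeds the limit would have pods beyond what CN-NGFW secures.
    overloaded = sorted(name for name, count in node_pods.items() if count > per_node_limit)
    pairs_needed = math.ceil(len(node_pods) / MAX_CN_NGFW_PODS_PER_MGMT_PAIR)
    return {
        "per_node_limit": per_node_limit,
        "overloaded_nodes": overloaded,
        "cn_mgmt_pairs_needed": pairs_needed,
        "fits_in_one_cluster": (pairs_needed <= MAX_CN_MGMT_PAIRS_PER_CLUSTER
                                and not overloaded),
    }


if __name__ == "__main__":
    # Constructed sample: two nodes, one of them above the pre-10.1.9 limit of 30.
    sample = {"node-a": 28, "node-b": 40}
    for version in ("10.1.8", "10.1.9"):
        print(version, check_daemonset_capacity(sample, version))
```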
Policies | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
Security Rules | 1500 | 10,000 | 20,000 |
Security Rule Schedules | 256 | 256 | 256 |
NAT Rules (NAT rules are supported in CNF mode) | N/A | N/A | N/A |
Decryption Rules | 1000 | 1000 | 2000 |
App Override Rules | 1000 | 1000 | 2000 |
Tunnel Content Inspection Rules | 100 | 500 | 2000 |
SD-WAN Rules | N/A | N/A | N/A |
Policy-based Forwarding Rules (Policy-based Forwarding Rules are supported in CNF mode) | N/A | N/A | N/A |
Captive Portal Rules | N/A | N/A | N/A |
DoS Protection Rules | | 1000 | 1000 |
Objects (Addresses and Services) | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
Address Objects | 10,000 | 10,000 | 40,000 |
Address Groups | 1000 | 1000 | 4000 |
Members per Address Group | 2500 | 2500 | 2500 |
Service Objects | 2000 | 2000 | 5000 |
Service Groups | 500 | 500 | 500 |
Members per Service Group | 500 | 500 | 500 |
FQDN Address Objects | 2000 | 2000 | 2000 |
Max Dynamic Address Group IP Addresses | 2500 | 200,000 | 300,000 |
Tags per IP Address | 32 | 32 | 32 |
App-ID | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
Custom App-ID Signatures | 6000 | 6000 | 6000 |
Shared Custom App-IDs | 512 | 512 | 512 |
Custom App-IDs (virtual system specific) | 6416 | 6416 | 6416 |
SSL Decryption | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
Max SSL Inbound Certificates | 1000 | 1000 | 1000 |
SSL Certificate Cache (Forward Proxy) | 128 | 2000 | 8000 |
Max Concurrent Decryption Sessions | | 15,000 | 100,000 |
SSL Port Mirror | No | No | No |
SSL Decryption Broker | No | No | No |
HSM Supported | No | No | No |
URL Filtering | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
Total Entries for Allow List, Block List, and Custom Categories | 25,000 | 25,000 | 100,000 |
Max Custom Categories | | 2849 | 2849 |
Dataplane Cache Size for URL Filtering | | 90,000 | 250,000 |
Management Plane Dynamic Cache Size | 100,000 | 100,000 | 600,000 |
EDL | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
Max Number of Custom Lists | 30 | 30 | 30 |
Max Number of IPs per System | 50,000 | 50,000 | 50,000 |
Max Number of DNS Domains per System | 50,000 | 500,000 | 2,000,000 |
Max Number of URLs per System | 50,000 | 100,000 | 100,000 |
Shortest Check Interval (minutes) | 5 | 5 | 5 |
Address Assignments | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
DHCP Servers | 3 | 10 | 125 |
DHCP Relays | No | No | No |
Max Number of Assigned Addresses | 64,000 | 64,000 | 64,000 |
Interfaces | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
Max Interfaces (Logical and Physical) | | | |
Management - Out-of-Band | N/A | N/A | N/A |
Management - 10/100/1000 High Availability | N/A | N/A | N/A |
Management - 40G High Availability | N/A | N/A | N/A |
Management - 10G High Availability | N/A | N/A | N/A |
Traffic - 10/100/1000 | N/A | N/A | N/A |
Traffic - 100/1000/10000 | N/A | N/A | N/A |
Traffic - 1G SFP | N/A | N/A | N/A |
Traffic - 10G SFP+ | N/A | N/A | N/A |
Traffic - 40/100G QSFP+/QSFP28 | N/A | N/A | N/A |
802.1q Tags per Device | N/A | N/A | N/A |
802.1q Tags per Physical Interface | N/A | N/A | N/A |
Max Aggregate Interfaces | N/A | N/A | N/A |
Max SD-WAN Virtual Interfaces | N/A | N/A | N/A |
NAT | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
Total NAT Rules Capacity | N/A | N/A | N/A |
Max NAT Rules (Static) | N/A | N/A | N/A |
Max NAT Rules (DIP) | N/A | N/A | N/A |
Max NAT Rules (DIPP) | N/A | N/A | N/A |
Max Translated IPs (DIP) | N/A | N/A | N/A |
Max Translated IPs (DIPP) | N/A | N/A | N/A |
Default DIPP Pool Oversubscription | N/A | N/A | N/A |
User-ID | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
IP-User Mappings (Management Plane) | N/A | N/A | N/A |
IP-User Mappings (Dataplane) | N/A | N/A | N/A |
Active and Unique Groups Used in Policy | N/A | N/A | N/A |
Number of User-ID Agents | N/A | N/A | N/A |
Monitored Servers for User-ID | N/A | N/A | N/A |
Terminal Server Agents | N/A | N/A | N/A |
Tags per User | N/A | N/A | N/A |
Routing | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
IPv4 Forwarding Table Size | N/A | N/A | N/A |
IPv6 Forwarding Table Size | N/A | N/A | N/A |
System Total Forwarding Table Size | N/A | N/A | N/A |
Max Routing Peers (Protocol Dependent) | N/A | N/A | N/A |
Static Entries - DNS Proxy | N/A | N/A | N/A |
Bidirectional Forwarding Detection (BFD) Sessions | N/A | N/A | N/A |
L2 Forwarding | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
ARP Table Size per Device | N/A | N/A | N/A |
IPv6 Neighbor Table Size | N/A | N/A | N/A |
MAC Table Size per Device | N/A | N/A | N/A |
Max ARP Entries per Broadcast Domain | N/A | N/A | N/A |
Max MAC Entries per Broadcast Domain | N/A | N/A | N/A |
QoS | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
Number of QoS Policies | N/A | N/A | N/A |
Physical Interfaces Supporting QoS | N/A | N/A | N/A |
Clear Text Nodes per Physical Interface | N/A | N/A | N/A |
DSCP Marking by Policy | N/A | N/A | N/A |
Subinterfaces Supported | N/A | N/A | N/A |
IPSec VPN | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
Max IKE Peers | N/A | N/A | N/A |
Site-to-Site (with Proxy ID) | N/A | N/A | N/A |
SD-WAN IPSec Tunnels | N/A | N/A | N/A |
GlobalProtect | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
GlobalProtect Client VPN Max Tunnels (SSL, IPSec, IKE with XAUTH) | N/A | N/A | N/A |
GlobalProtect Clientless VPN Max SSL Tunnels | N/A | N/A | N/A |
Multicast | CN-Series Small (Min 2.5G CN-NGFW and Min 3G CN-MGMT) | CN-Series Medium (Min 6G CN-NGFW and Min 2G CN-MGMT) | CN-Series Large (Min 42G CN-NGFW and Min 4G CN-MGMT) |
---|---|---|---|
Replication (Egress Interfaces) | N/A | N/A | N/A |
Routes | N/A | N/A | N/A |
Scale Supported on the Kubernetes Plugin on Panorama
Attribute | Kubernetes Plugin Scale |
---|---|
Maximum Clusters on a K8s Panorama Plugin | 32 (across all supported environments such as native K8s, AKS, EKS, GKE) |
CN-Series Key Performance Metrics
CN-Series on AWS EKS
Feature | CPU Cores | CN-Series as a DaemonSet (MMAP) | CN-Series as a Kubernetes Service (MMAP) | CN-Series as a Kubernetes CNF (MMAP) |
---|---|---|---|---|
App-ID | 1 | 750 Mbps | 580 Mbps | 580 Mbps |
Content and Threat Detection | 1 | 310 Mbps | 275 Mbps | 275 Mbps |
App-ID | 2 | 1.45 Gbps | 890 Mbps | 890 Mbps |
Content and Threat Detection | 2 | 610 Mbps | 530 Mbps | 530 Mbps |
App-ID | 4 | 2.8 Gbps | 1.45 Gbps | 1.45 Gbps |
Content and Threat Detection | 4 | 1.19 Gbps | 1.04 Gbps | 1.04 Gbps |
CN-Series on Google Cloud GKE (XDP Enabled)
Feature | CPU Cores | CN-Series as a DaemonSet | CN-Series as a Kubernetes Service |
---|---|---|---|
App-ID | 1 | 950 Mbps | 750 Mbps |
Content and Threat Detection | 1 | 320 Mbps | 310 Mbps |
App-ID | 2 | 1.7 Gbps | 900 Mbps |
Content and Threat Detection | 2 | 640 Mbps | 575 Mbps |
The testing for the information in the following table was conducted on Google Kubernetes Engine (GKE) with traffic directed between nodes and between pods on the same node in the same cluster.
Feature/Attribute | CN-Series Small | CN-Series Medium | CN-Series Large |
---|---|---|---|
Firewall Throughput (App-ID Enabled) per vCPU of CN-NGFW | 500 Mbps | 500 Mbps | 500 Mbps |
Threat Prevention Throughput per vCPU of CN-NGFW | 250 Mbps | 250 Mbps | 250 Mbps |
Max Sessions | | 819,200 | 10,000,000 |
IPSec VPN Throughput per vCPU of CN-NGFW | N/A | N/A | N/A |
Connections per Second | N/A | N/A | N/A |