: Maximum Limits Based on Tier and Memory
Focus
Focus

Maximum Limits Based on Tier and Memory

Table of Contents

Maximum Limits Based on Tier and Memory

The following tables provide the maximum number for a particular object or resource that a single VM-Series firewall deployment can create, store, manage, or interact with based on allocated memory or tier. These limits apply to VM-Series firewalls using licenses funded with Software NGFW credits.
For memory scaling, increments of memory are grouped into four tiers that represent the configuration capacity of the VM-Series firewall. Regardless of the amount of memory you assign to a VM-Series firewall instance, the tier that amount of memory falls into determines the limit for non-sessions values, such as security rules, address objects, security profiles, etc.
The memory profile and the total number of vCPUs determine how many cores are automatically assigned to the management plane and the dataplane. Additionally, you have the option to customize the distribution of the dataplane cores.
If you are using Software NGFW credits for licensing, you can choose a memory profile that supports your requirements for one or more of the following resources:

Sessions

Tier 1
4.5 GB
5 GB
5.5 GB
6 GB
6.5 GB
7 GB
8 GB
Max sessions
(IPv4 or IPv6)
25,000
40,000
50,000
100,000
200,000
300,000
500,000
Max Default Dataplane vCPUs
1
1
1
1
2
2
2
Tier 2
9 GB
10 GB
12 GB
14 GB
16 GB
18 GB
20 GB
Max sessions
(IPv4 or IPv6)
600,000
800,000
1,000,000
1,200,000
1,800,000
2,000,000
2,800,000
Max Default Dataplane vCPUs
4
4
4
4
12
12
12
Tier 3
24 GB
28 GB
32 GB
36 GB
40 GB
44 GB
Max sessions
(IPv4 or IPv6)
3,600,000
4,400,000
5,200,000
6,000,000
6,800,000
6,800,000
Max Default Dataplane vCPUs
12
12
12
12
12
12
Tier 3 (continued)
48 GB
52 GB
56 GB
64 GB
Max sessions
(IPv4 or IPv6)
7,600,000
8,400,000
9,200,000
10,000,000
Max Default Dataplane vCPUs
12
12
24
47
Tier 4
121 - 128 GB
Max sessions
(IPv4 or IPv6)
14,000,000
Max Default Dataplane vCPUs
47

Policies

Feature
Tier 1
Tier 2
Tier 3
Tier 4
Security rules
1,500
10,000
20,000
65,000
Security rule schedules
256
256
256
256
NAT rules
3,000
8,000
15,000
16,000
Decryption rules
1,000
1,000
2,000
5,000
App override rules
1,000
1,000
2,000
4,000
Tunnel content inspection rules
100
500
2,000
8,500
SD-WAN rules
100
300
300
1,000
Policy based forwarding rules
100
500
2,000
2,000
Captive portal rules
1,000
1,000
2,000
8,000
DoS protection rules
1,000
1,000
1,000
2,000

Security Zones

Feature
Tier 1
Tier 2
Tier 3
Tier 4
Max security zones
40
200
200
17,000

Objects (addresses and services)

Feature
Tier 1
Tier 2
Tier 3
Tier 4
Address objects
10,000
20,000
40,000
160,000
Address groups
1,000
2,500
4,000
80,000
Members per address group
2,500
2,500
2,500
2,500
Service objects
2,000
2,000
5,000
12,000
Service groups
500
250
500
6,000
Members per service group
500
500
500
2,500
FQDN address objects
2,000
2,000
2,000
6,144
Max DAG IP addresses*
(system wide capacity)
2,500
300,000
300,500
500,000
Tags per IP address
32
32
32
64
* Firewall throughput measured with App-ID and User-ID features enabled utilizing AppMix transactions.

Security Profiles

Feature
Tier 1
Tier 2
Tier 3
Tier 4
Security Profiles
375
750
750
750

App-ID

Feature
Tier 1
Tier 2
Tier 3
Tier 4
Custom App-ID signatures
6,000
6,000
6,000
6,000
Shared custom App-IDs
512
512
512
512
Custom App-IDs
(virtual system specific)
6,416
6,416
6,416
6,416

User-ID

Feature
Tier 1
Tier 2
Tier 3
Tier 4
IP-User mappings (management plane)
524,288
524,288
524,288
524,288
IP-User mappings (data plane)
64,000
512,000
512,000
512,000
Active and unique groups used in policy (aggregate of LDAP groups, XML API Groups, and Dynamic User Group).*
1,000
10,000
10,000
10,000
Number of User-ID agents
100
100
100
100
Monitored servers for User-ID
100
100
100
100
Terminal server agents
400
2,000
2,500
2,500
Tags per User*
(PAN-OS 9.1 and later)
32
32
32
32
*Firewall throughput measured with App-ID and User-ID features enabled utilizing AppMix transactions.

SSL Decryption

Feature
Tier 1
Tier 2
Tier 3
Tier 4
Max SSL inbound certificates
1,000
1,000
1,000
4,000
SSL certificate cache
(forward proxy)
128
4,000
8,000
32,000
Max concurrent decryption sessions
6,400
50,000
100,000
2,000,000
SSL Port Mirror
Yes
Yes
Yes
Yes
SSL Decryption Broker
No
No
Yes
Yes
HSM Supported
Yes
Yes
Yes
Yes

URL Filtering

Feature
Tier 1
Tier 2
Tier 3
Tier 4
Total entries for allow list, block list and custom categories
25,000
25,000
100,000
100,000
Max custom categories
2,849
2,849
2,849
2,849
Max custom categories (virtual system specific)
500
500
500
500
Dataplane cache size for URL filtering
90,000
90,000
250,000
250,000
Management plane dynamic cache size
100,000
100,000
600,000
900,000

EDL

Feature
Tier 1
Tier 2
Tier 3
Tier 4
Max number of custom lists
30
30
30
30
Max number of IPs per system
50,000
50,000
50,000
150,000
Max number of DNS Domains per system
50,000
2,000,000
2,000,00
4,000,000
Max number of URL per system
50,000
100,000
100,000
250,000
Shortest check interval (min)
5
5
5
5

Interfaces

Feature
Tier 1
Tier 2
Tier 3
Tier 4
Mgmt - out-of-band
NA
NA
NA
NA
Mgmt - 10/100/1000 high availability
NA
NA
NA
NA
Mgmt - 40Gbps high availability
NA
NA
NA
NA
Mgmt - 10Gbps high availability
NA
NA
NA
NA
Traffic - 10/100/1000
NA
NA
NA
NA
Traffic - 100/1000/10000
NA
NA
NA
NA
Traffic - 1Gbps SFP
NA
NA
NA
NA
Traffic - 10Gbps SFP+
NA
NA
NA
NA
Traffic - 40/100Gbps QSFP+/QSFP28
NA
NA
NA
NA
802.1q tags per device
4,094
4,094
4,094
4,094
802.1q tags per physical interface
4,094
4,094
4,094
4,094
Max interfaces (logical and physical)
2,048
4,096
4,096
4,096
Maximum aggregate interfaces
NA
NA
NA
NA
Maximum SD-WAN virtual interfaces
300
1,000
1,000
1,000

Virtual Routers

Feature
Tier 1
Tier 2
Tier 3
Tier 4
Virtual routers
3
20
125
225

Virtual Wires

Feature
Tier 1
Tier 2
Tier 3
Tier 4
Virtual wires
12
12
12
12

Virtual Systems

Feature
Tier 1
Tier 2
Tier 3
Tier 4
Base virtual systems
1
1
1
1
Max virtual systems
Additional licenses are required for virtual system capacities above the base virtual system’s capacity
NA
NA
NA
NA

Routing

Feature
Tier 1
Tier 2
Tier 3
Tier 4
IPv4 forwarding table size*
(Entries shared across virtual routers)
5,000
32,000
100,000
To be added
IPv6 forwarding table size*
(Entries shared across virtual routers)
5,000
32,000
100,000
To be added
System total forwarding table size
5,000
32,000
100,000
To be added
Max route maps per virtual router
50
50
50
To be added
Max routing peers (protocol dependent)
500
1,000
1,000
To be added
Static entries - DNS proxy
1,024
1,024
1,024
To be added
Bidirectional Forwarding Detection (BFD) Sessions
128
1,024
1,024
To be added
*Firewall throughput measured with App-ID and User-ID features enabled utilizing AppMix transactions.

L2 Forwarding

Feature
Tier 1
Tier 2
Tier 3
Tier 4
ARP table size per device
2,500
32,000
128,000
132,000
IPv6 neighbor table size
2,500
32,000
128,000
132,000
MAC table size per device
2,500
32,000
128,000
132,000
Max ARP entries per broadcast domain
2,500
32,000
128,000
132,000
Max MAC entries per broadcast domain
2,500
32,000
128,000
132,000

NAT

Feature
Tier 1
Tier 2
Tier 3
Tier 4
Total NAT rule capacity
3,000
8,000
8,000
To be added
Max NAT rules (static)*
(Configuring static NAT rules to full capacity requires that no other NAT rule types are used.)
3,000
8,000
8,000
To be added
Max NAT rules (DIP)*
(Configuring DIP NAT rules to full capacity requires that no other NAT rule types are used.)
2,000
8,000
8,000
To be added
Max NAT rules (DIPP)
400
2,000
2,000
To be added
Max translated IPs (DIP)
128,000
160,000
160,000
To be added
Max translated IPs (DIPP)*
(DIPP translated IP capacity is proportional to the DIPP pool oversubscription value. The capacity shown here is based on an oversubscription value of 1x.)
400
2,000
2,000
To be added
Default DIPP pool oversubscription*
(Source IP and source port reuse across concurrent sessions)
2
8
8
To be added
*Firewall throughput measured with App-ID and User-ID features enabled utilizing AppMix transactions.

Address Assignment

Feature
Tier 1
Tier 2
Tier 3
Tier 4
DHCP servers
3
20
125
To be added
DHCP relays*
(Maximum capacity represents total DHCP servers and DHCP relays combined)
500
500
500
To be added
Max number of assigned addresses
64,000
64,000
64,000
To be added
*Firewall throughput measured with App-ID and User-ID features enabled utilizing AppMix transactions.

High Availability

Feature
Tier 1
Tier 2
Tier 3
Tier 4
Devices supported
2
2
2
2
Max virtual addresses
128
32
128
To be added

QoS

Feature
Tier 1
Tier 2
Tier 3
Tier 4
Number of QoS policies
500
2,000
4,000
To be added
Physical interfaces supporting QoS
6
12
12
12
Clear text nodes per physical interface
31
63
63
63
DSCP marking by policy
Yes
Yes
Yes
Yes
Subinterfaces supported
NA
NA
NA
NA

IPSec VPN

Feature
Tier 1
Tier 2
Tier 3
Tier 4
Max IKE Peers
1,000
1,000
2,000
To be added
Site to site (with proxy id)
1,000
4,000
8,000
To be added
SD-WAN IPSec tunnels
1,000
1,000
2,000
To be added

GlobalProtect Client VPN

Feature
Tier 1
Tier 2
Tier 3
Tier 4
Max tunnels (SSL, IPSec, and IKE with XAUTH)
500
6,000
12,000
To be added

GlobalProtect Clientless VPN

Feature
Tier 1
Tier 2
Tier 3
Tier 4
Max SSL tunnels
100
1,200
2,500
25,000

Multicast

Feature
Tier 1
Tier 2
Tier 3
Tier 4
Replication (egress interfaces)
100
100
100
To be added
Routes
2,000
4,000
4,000
To be added

Recommended For You