IKE Peer and IPSec Tunnel Capacity Increases

The PA-7000 Series, PA-5000 Series, and PA-3000 Series firewalls now support more IKE peers and IPSec tunnels than in prior releases. The following table provides the capacities:

| | PA-7000-20GXM-NPC, PA-7000-20GQXM-NPC | PA-7000-20G-NPC, PA-7000-20GQ-NPC | PA-5000 Series | PA-3000 Series |
|---|---|---|---|---|
| IKE Peers | 4,000* | 2,000* | 2,000 | 2,000 |
| IPSec Tunnels | 12,000* | 8,000* | 8,000 | 3,000 |

*The capacities shown for PA-7000 Series firewalls are per chassis, regardless of how many Network Processing Cards (NPCs) are installed in the chassis. If a PA-7000 Series firewall uses only PA-7000-20GXM-NPC or PA-7000-20GQXM-NPC cards in the chassis, the higher capacities apply; otherwise, the lower capacities for the chassis apply.
To view summary information about IPSec tunnels, use the CLI operational command:
show vpn ipsec-sa summary
For better throughput and faster commit times, distribute the total number of IKE peers and IPSec tunnels among multiple interfaces.
