End-of-Life (EoL)

IKE Peer and IPSec Tunnel Capacity Increases

The PA-7000 Series, PA-5000 Series, and PA-3000 Series firewalls now support more IKE peers and IPSec tunnels than in prior releases. The following table provides the capacities:

| | PA-7000-20GXM-NPC, PA-7000-20GQXM-NPC | PA-7000-20G-NPC, PA-7000-20GQ-NPC | PA-5000 Series | PA-3000 Series |
|---|---|---|---|---|
| IKE Peers | 4,000* | 2,000* | 2,000 | 2,000 |
| IPSec Tunnels | 12,000* | 8,000* | 8,000 | 3,000 |

*The capacities shown for PA-7000 Series firewalls are per chassis, regardless of how many Network Processing Cards (NPCs) are installed in the chassis. If a PA-7000 Series firewall uses only PA-7000-20GXM-NPC or PA-7000-20GQXM-NPC cards in the chassis, the higher capacities apply; otherwise, the lower capacities for the chassis apply.
Use the CLI operational command show vpn ipsec-sa summary to view summary information about IPSec tunnels.
For better throughput and faster commit times, distribute the total number of IKE peers and IPSec tunnels among multiple interfaces.
