Maximum Limits Based on Memory

These limits apply to flexible licenses for VM-Series firewalls running PAN-OS 10.0.4 or later.
The following tables provide the maximum number of a particular object or resource that a single VM-Series firewall deployment can create, store, manage, or interact with on a firewall configured with 4.5, 5.5, 6.5, 9, 16, or 56 GB of memory.
The memory profile and the total number of vCPUs determine how many cores are automatically assigned to the management plane and the dataplane.
If you are using SW NGFW licensing, you can choose a memory profile that supports your requirements for one or more of the following resources:

Sessions

| Feature | 4.5 GB | 5.5 GB | 6.5 GB | 9 GB | 16 GB | 56 GB |
| --- | --- | --- | --- | --- | --- | --- |
| Max sessions (IPv4 or IPv6) | 50,000 | 64,000 | 250,000 | 819,200 | 2,000,000 | 10,000,000 |

Policies

| Feature | 4.5 GB | 5.5 GB | 6.5 GB | 9 GB | 16 GB | 56 GB |
| --- | --- | --- | --- | --- | --- | --- |
| Security rules | 200 | 250 | 1,500 | 10,000 | 10,000 | 20,000 |
| Security rule schedules | 256 | 256 | 256 | 256 | 256 | 256 |
| NAT rules | 400 | 400 | 3,000 | 5,000 | 8,000 | 15,000 |
| Decryption rules | 100 | 100 | 1,000 | 1,000 | 1,000 | 2,000 |
| App override rules | 100 | 100 | 1,000 | 1,000 | 1,000 | 2,000 |
| Tunnel content inspection rules | 100 | 100 | 100 | 500 | 500 | 2,000 |
| SD-WAN rules | NA | 100 | 100 | 100 | 300 | 300 |
| Policy based forwarding rules | 100 | 100 | 100 | 500 | 500 | 2,000 |
| Captive portal rules | 10 | 10 | 1,000 | 1,000 | 1,000 | 2,000 |
| DoS protection rules | 100 | 100 | 1,000 | 1,000 | 1,000 | 1,000 |

Security Zones

| Feature | 4.5 GB | 5.5 GB | 6.5 GB | 9 GB | 16 GB | 56 GB |
| --- | --- | --- | --- | --- | --- | --- |
| Max security zones | 15 | 15 | 40 | 40 | 200 | 200 |

Objects (addresses and services)

| Feature | 4.5 GB | 5.5 GB | 6.5 GB | 9 GB | 16 GB | 56 GB |
| --- | --- | --- | --- | --- | --- | --- |
| Address objects | 2,000 | 2,500 | 10,000 | 10,000 | 20,000 | 40,000 |
| Address groups | 100 | 125 | 1,000 | 1,000 | 2,500 | 4,000 |
| Members per address group | 2,500 | 2,500 | 2,500 | 2,500 | 2,500 | 2,500 |
| Service objects | 1,000 | 1,000 | 2,000 | 2,000 | 2,000 | 5,000 |
| Service groups | 250 | 250 | 500 | 500 | 250 | 500 |
| Members per service group | 500 | 500 | 500 | 500 | 500 | 500 |
| FQDN address objects | 2,000 | 2,000 | 2,000 | 2,000 | 2,000 | 2,000 |
| Max DAG IP addresses* (system wide capacity) | 1,000 | 1,000 | 2,500 | 200,000 | 300,000 | 300,500 |
| Tags per IP address | 32 | 32 | 32 | 32 | 32 | 32 |

* Firewall throughput measured with App-ID and User-ID features enabled utilizing AppMix transactions.

Security Profiles

| Feature | 4.5 GB | 5.5 GB | 6.5 GB | 9 GB | 16 GB | 56 GB |
| --- | --- | --- | --- | --- | --- | --- |
| Security Profiles | 38 | 38 | 375 | 375 | 750 | 750 |

App-ID

| Feature | 4.5 GB | 5.5 GB | 6.5 GB | 9 GB | 16 GB | 56 GB |
| --- | --- | --- | --- | --- | --- | --- |
| Custom App-ID signatures | 6,000 | 6,000 | 6,000 | 6,000 | 6,000 | 6,000 |
| Shared custom App-IDs | 512 | 512 | 512 | 512 | 512 | 512 |
| Custom App-IDs (virtual system specific) | 3,208 | 1,000 | 6,416 | 1,000 | 6,416 | 6,416 |

User-ID

| Feature | 4.5 GB | 5.5 GB | 6.5 GB | 9 GB | 16 GB | 56 GB |
| --- | --- | --- | --- | --- | --- | --- |
| IP-User mappings (management plane) | 524,288 | 524,288 | 524,288 | 524,288 | 524,288 | 524,288 |
| IP-User mappings (data plane) | 64,000 | 64,000 | 64,000 | 64,000 | 512,000 | 512,000 |
| Active and unique groups used in policy (aggregate of LDAP groups, XML API Groups, and Dynamic User Group).* | 1,000 | 1,000 | 1,000 | 1,000 | 10,000 | 10,000 |
| Number of User-ID agents | 100 | 100 | 100 | 100 | 100 | 100 |
| Monitored servers for User-ID | 100 | 100 | 100 | 100 | 100 | 100 |
| Terminal server agents | 400 | 400 | 400 | 400 | 2,000 | 2,500 |
| Tags per User* (PAN-OS 9.1 and later) | 32 | 32 | 32 | 32 | 32 | 32 |

*Firewall throughput measured with App-ID and User-ID features enabled utilizing AppMix transactions.

SSL Decryption

| Feature | 4.5 GB | 5.5 GB | 6.5 GB | 9 GB | 16 GB | 56 GB |
| --- | --- | --- | --- | --- | --- | --- |
| Max SSL inbound certificates | 1,000 | 1,000 | 1,000 | 1,000 | 1,000 | 1,000 |
| SSL certificate cache (forward proxy) | 128 | 128 | 128 | 2,000 | 4,000 | 8,000 |
| Max concurrent decryption sessions | 1,024 | 1,024 | 6,400 | 15,000 | 50,000 | 100,000 |
| SSL Port Mirror | Yes | Yes | Yes | Yes | Yes | Yes |
| SSL Decryption Broker | No | No | No | Yes | No | Yes |
| HSM Supported | Yes | Yes | Yes | Yes | Yes | Yes |

URL Filtering

| Feature | 4.5 GB | 5.5 GB | 6.5 GB | 9 GB | 16 GB | 56 GB |
| --- | --- | --- | --- | --- | --- | --- |
| Total entries for allow list, block list and custom categories | 25,000 | 25,000 | 25,000 | 25,000 | 25,000 | 100,000 |
| Max custom categories | 2,849 | 2,849 | 2,849 | 2,849 | 2,849 | 2,849 |
| Max custom categories (virtual system specific) | 500 | 500 | 500 | 500 | 500 | 500 |
| Dataplane cache size for URL filtering | 90,000 | 90,000 | 90,000 | 90,000 | 90,000 | 250,000 |
| Management plane dynamic cache size | 100,000 | 100,000 | 100,000 | 100,000 | 100,000 | 600,000 |

EDL

| Feature | 4.5 GB | 5.5 GB | 6.5 GB | 9 GB | 16 GB | 56 GB |
| --- | --- | --- | --- | --- | --- | --- |
| Max number of custom lists | 30 | 30 | 30 | 30 | 30 | 30 |
| Max number of IPs per system | 50,000 | 50,000 | 50,000 | 50,000 | 50,000 | 50,000 |
| Max number of DNS Domains per system | 50,000 | 50,000 | 50,000 | 5000,000 | 2,000,000 | 2,000,00 |
| Max number of URL per system | 50,000 | 50,000 | 50,000 | 100,000 | 100,000 | 100,000 |
| Shortest check interval (min) | 5 | 5 | 5 | 5 | 5 | 5 |

Interfaces

| Feature | 4.5 GB | 5.5 GB | 6.5 GB | 9 GB | 16 GB | 56 GB |
| --- | --- | --- | --- | --- | --- | --- |
| Mgmt - out-of-band | NA | NA | NA | NA | NA | NA |
| Mgmt - 10/100/1000 high availability | NA | NA | NA | NA | NA | NA |
| Mgmt - 40Gbps high availability | NA | NA | NA | NA | NA | NA |
| Mgmt - 10Gbps high availability | NA | NA | NA | NA | NA | NA |
| Traffic - 10/100/1000 | NA | NA | NA | NA | NA | NA |
| Traffic - 100/1000/10000 | NA | NA | NA | NA | NA | NA |
| Traffic - 1Gbps SFP | NA | NA | NA | NA | NA | NA |
| Traffic - 10Gbps SFP+ | NA | NA | NA | NA | NA | NA |
| Traffic - 40/100Gbps QSFP+/QSFP28 | NA | NA | NA | NA | NA | NA |
| 802.1q tags per device | 4,094 | 4,094 | 4,094 | 4,094 | 4,094 | 4,094 |
| 802.1q tags per physical interface | 4,094 | 4,094 | 4,094 | 4,094 | 4,094 | 4,094 |
| Max interfaces (logical and physical) | 512 | 512 | 2,048 | 2,048 | 4,096 | 40,96 |
| Maximum aggregate interfaces | NA | NA | NA | NA | NA | NA |
| Maximum SD-WAN virtual interfaces | NA | 150 | 300 | 500 | 1,000 | 1,000 |

Virtual Routers

| Feature | 4.5 GB | 5.5 GB | 6.5 GB | 9 GB | 16 GB | 56 GB |
| --- | --- | --- | --- | --- | --- | --- |
| Virtual routers | 3 | 3 | 3 | 10 | 20 | 125 |

Virtual Wires

| Feature | 4.5 GB | 5.5 GB | 6.5 GB | 9 GB | 16 GB | 56 GB |
| --- | --- | --- | --- | --- | --- | --- |
| Virtual wires | 2 | 4 | 12 | 12 | 12 | 12 |

Virtual Systems

| Feature | 4.5 GB | 5.5 GB | 6.5 GB | 9 GB | 16 GB | 56 GB |
| --- | --- | --- | --- | --- | --- | --- |
| Base virtual systems | 1 | 1 | 1 | 1 | 1 | 1 |
| Max virtual systems (Additional licenses are required for virtual system capacities above the base virtual system’s capacity) | NA | NA | NA | NA | NA | NA |

Routing

| Feature | 4.5 GB | 5.5 GB | 6.5 GB | 9 GB | 16 GB | 56 GB |
| --- | --- | --- | --- | --- | --- | --- |
| IPv4 forwarding table size* (Entries shared across virtual routers) | 1,000 | 2,500 | 5,000 | 10,000 | 32,000 | 100,000 |
| IPv6 forwarding table size* (Entries shared across virtual routers) | 1,000 | 1,000 | 5,000 | 10,000 | 32,000 | 100,000 |
| System total forwarding table size | 1,000 | 1,000 | 5,000 | 10,000 | 32,000 | 100,000 |
| 32,000 | 50 | 50 | 50 | 50 | 50 | 50 |
| Max routing peers (protocol dependent) | 500 | 500 | 500 | 500 | 1,000 | 1,000 |
| Static entries - DNS proxy | 1,024 | 1,024 | 1,024 | 1,024 | 1,024 | 1,024 |
| Bidirectional Forwarding Detection (BFD) Sessions | N/A | N/A | 128 | 512 | 1,024 | 1,024 |

*Firewall throughput measured with App-ID and User-ID features enabled utilizing AppMix transactions.

L2 Forwarding

| Feature | 4.5 GB | 5.5 GB | 6.5 GB | 9 GB | 16 GB | 56 GB |
| --- | --- | --- | --- | --- | --- | --- |
| ARP table size per device | 1,500 | 1,500 | 2,500 | 10,000 | 32,000 | 128,000 |
| IPv6 neighbor table size | 500 | 500 | 2,500 | 10,000 | 32,000 | 128,000 |
| MAC table size per device | 1,500 | 1,500 | 2,500 | 5,000 | 32,000 | 128,000 |
| Max ARP entries per broadcast domain | 1,500 | 1,500 | 2,500 | 10,000 | 32,000 | 128,000 |
| Max MAC entries per broadcast domain | 1,500 | 1,500 | 2,500 | 5,000 | 32,000 | 128,000 |

NAT

| Feature | 4.5 GB | 5.5 GB | 6.5 GB | 9 GB | 16 GB | 56 GB |
| --- | --- | --- | --- | --- | --- | --- |
| Total NAT rule capacity | 160 | 400 | 3,000 | 5,000 | 8,000 | 8,000 |
| Max NAT rules (static)* (Configuring static NAT rules to full capacity requires that no other NAT rule types are used.) | 160 | 400 | 3,000 | 5,000 | 8,000 | 8,000 |
| Max NAT rules (DIP)* (Configuring DIP NAT rules to full capacity requires that no other NAT rule types are used.) | 160 | 400 | 2,000 | 3,000 | 8,000 | 8,000 |
| Max NAT rules (DIPP) | 160 | 200 | 400 | 800 | 2,000 | 2,000 |
| Max translated IPs (DIP) | 16,000 | 16,000 | 128,000 | 128,000 | 160,000 | 160,000 |
| Max translated IPs (DIPP)* (DIPP translated IP capacity is proportional to the DIPP pool oversubscription value. The capacity shown here is based on an oversubscription value of 1x.) | 200 | 200 | 400 | 800 | 2,000 | 2,000 |
| Default DIPP pool oversubscription* (Source IP and source port reuse across concurrent sessions) | 2 | 2 | 2 | 2 | 8 | 8 |

*Firewall throughput measured with App-ID and User-ID features enabled utilizing AppMix transactions.

Address Assignment

| Feature | 4.5 GB | 5.5 GB | 6.5 GB | 9 GB | 16 GB | 56 GB |
| --- | --- | --- | --- | --- | --- | --- |
| DHCP servers | 3 | 3 | 3 | 10 | 20 | 125 |
| DHCP relays* (Maximum capacity represents total DHCP servers and DHCP relays combined) | 500 | 500 | 500 | 500 | 500 | 500 |
| Max number of assigned addresses | 64,000 | 64,000 | 64,000 | 64,000 | 64,000 | 64,000 |

*Firewall throughput measured with App-ID and User-ID features enabled utilizing AppMix transactions.

High Availability

| Feature | 4.5 GB | 5.5 GB | 6.5 GB | 9 GB | 16 GB | 56 GB |
| --- | --- | --- | --- | --- | --- | --- |
| Devices supported | 2 | 2 | 2 | 2 | 2 | 2 |
| Max virtual addresses | 32 | 32 | 128 | 32 | 32 | 128 |

QoS

| Feature | 4.5 GB | 5.5 GB | 6.5 GB | 9 GB | 16 GB | 56 GB |
| --- | --- | --- | --- | --- | --- | --- |
| Number of QoS policies | 100 | 100 | 500 | 1,000 | 2,000 | 4,000 |
| Physical interfaces supporting QoS | 6 | 6 | 6 | 6 | 12 | 12 |
| Clear text nodes per physical interface | 31 | 31 | 31 | 63 | 63 | 63 |
| DSCP marking by policy | Yes | Yes | Yes | Yes | Yes | Yes |
| Subinterfaces supported | NA | NA | NA | NA | NA | NA |

IPSec VPN

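| Feature | 4.5 GB | 5.5 GB | 6.5 GB | 9 GB | 16 GB | 56 GB |
| --- | --- | --- | --- | --- | --- | --- |
| Max IKE Peers | 25 | 250 | 1,000 | 1,000 | 1,000 | 2,000 |
| Site to site (with proxy id) | 25 | 250 | 1,000 | 2,000 | 4,000 | 8,000 |
| SD-WAN IPSec tunnels | NA | 250 | 1,000 | 1,000 | 1,000 | 2,000 |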

GlobalProtect Client VPN

| Feature | 4.5 GB | 5.5 GB | 6.5 GB | 9 GB | 16 GB | 56 GB |
| --- | --- | --- | --- | --- | --- | --- |
| Max tunnels (SSL, IPSec, and IKE with XAUTH) | 25 | 250 | 500 | 2,000 | 6,000 | 12,000 |

GlobalProtect Clientless VPN

| Feature | 4.5 GB | 5.5 GB | 6.5 GB | 9 GB | 16 GB | 56 GB |
| --- | --- | --- | --- | --- | --- | --- |
| Max SSL tunnels | 40 | 40 | 100 | 400 | 1,200 | 2,500 |

Multicast

| Feature | 4.5 GB | 5.5 GB | 6.5 GB | 9 GB | 16 GB | 56 GB |
| --- | --- | --- | --- | --- | --- | --- |
| Replication (egress interfaces) | 100 | 100 | 100 | 100 | 100 | 100 |
| Routes | 500 | 500 | 2,000 | 2,000 | 4,000 | 4,000 |
