11.2 and Later
Table of Contents
Expand all | Collapse all
-
- VM-Series Deployments
- VM-Series in High Availability
- IPv6 Support on Public Cloud
- Enable Jumbo Frames on the VM-Series Firewall
- Hypervisor Assigned MAC Addresses
- Custom PAN-OS Metrics Published for Monitoring
- Interface Used for Accessing External Services on the VM-Series Firewall
- PacketMMAP and DPDK Driver Support
- Enable NUMA Performance Optimization on the VM-Series
- Enable ZRAM on the VM-Series Firewall
-
- Licensing and Prerequisites for Virtual Systems Support on VM-Series
- System Requirements for Virtual Systems Support on VM-Series
- Enable Multiple Virtual Systems Support on VM-Series Firewall
- Enable Multiple Virtual Systems Support on VM-Series in Panorama Console
- Enable Multiple Virtual Systems Support Using Bootstrap Method
-
- VM-Series Firewall Licensing
- Create a Support Account
- Serial Number and CPU ID Format for the VM-Series Firewall
- Use Panorama-Based Software Firewall License Management
-
- Activate Credits
- Create a Deployment Profile
- Activate the Deployment Profile
- Manage a Deployment Profile
- Register the VM-Series Firewall (Software NGFW Credits)
- Provision Panorama
- Migrate Panorama to a Software NGFW License
- Transfer Credits
- Renew Your Software NGFW Credits
- Deactivate License (Software NGFW Credits)
- Delicense Ungracefully Terminated Firewalls
- Set the Number of Licensed vCPUs
- Customize Dataplane Cores
- Migrate a Firewall to a Flexible VM-Series License
-
- Generate Your OAuth Client Credentials
- Manage Deployment Profiles Using the Licensing API
- Create a Deployment Profile Using the Licensing API
- Update a Deployment Profile Using the Licensing API
- Get Serial Numbers Associated with an Authcode Using the API
- Deactivate a VM-Series Firewall Using the API
- What Happens When Licenses Expire?
-
- Supported Deployments on VMware vSphere Hypervisor (ESXi)
-
- Plan the Interfaces for the VM-Series for ESXi
- Provision the VM-Series Firewall on an ESXi Server
- Perform Initial Configuration on the VM-Series on ESXi
- Add Additional Disk Space to the VM-Series Firewall
- Use VMware Tools on the VM-Series Firewall on ESXi and vCloud Air
- Use vMotion to Move the VM-Series Firewall Between Hosts
- Use the VM-Series CLI to Swap the Management Interface on ESXi
- Configure Link Aggregation Control Protocol
-
-
- Supported Deployments of the VM-Series Firewall on VMware NSX-T (North-South)
- Components of the VM-Series Firewall on NSX-T (North-South)
-
- Install the Panorama Plugin for VMware NSX
- Enable Communication Between NSX-T Manager and Panorama
- Create Template Stacks and Device Groups on Panorama
- Configure the Service Definition on Panorama
- Deploy the VM-Series Firewall
- Direct Traffic to the VM-Series Firewall
- Apply Security Policy to the VM-Series Firewall on NSX-T
- Use vMotion to Move the VM-Series Firewall Between Hosts
- Extend Security Policy from NSX-V to NSX-T
-
- Components of the VM-Series Firewall on NSX-T (East-West)
- VM-Series Firewall on NSX-T (East-West) Integration
- Supported Deployments of the VM-Series Firewall on VMware NSX-T (East-West)
-
- Install the Panorama Plugin for VMware NSX
- Enable Communication Between NSX-T Manager and Panorama
- Create Template Stacks and Device Groups on Panorama
- Configure the Service Definition on Panorama
- Launch the VM-Series Firewall on NSX-T (East-West)
- Add a Service Chain
- Direct Traffic to the VM-Series Firewall
- Apply Security Policies to the VM-Series Firewall on NSX-T (East-West)
- Use vMotion to Move the VM-Series Firewall Between Hosts
-
- Install the Panorama Plugin for VMware NSX
- Enable Communication Between NSX-T Manager and Panorama
- Create Template Stacks and Device Groups on Panorama
- Configure the Service Definition on Panorama
- Launch the VM-Series Firewall on NSX-T (East-West)
- Create Dynamic Address Groups
- Create Dynamic Address Group Membership Criteria
- Generate Steering Policy
- Generate Steering Rules
- Delete a Service Definition from Panorama
- Migrate from VM-Series on NSX-T Operation to Security Centric Deployment
- Extend Security Policy from NSX-V to NSX-T
- Use In-Place Migration to Move Your VM-Series from NSX-V to NSX-T
-
-
- Deployments Supported on AWS
-
- Planning Worksheet for the VM-Series in the AWS VPC
- Launch the VM-Series Firewall on AWS
- Launch the VM-Series Firewall on AWS Outpost
- Create a Custom Amazon Machine Image (AMI)
- Encrypt EBS Volume for the VM-Series Firewall on AWS
- Use the VM-Series Firewall CLI to Swap the Management Interface
- Enable CloudWatch Monitoring on the VM-Series Firewall
- VM-Series Firewall Startup and Health Logs on AWS
- Use AWS Secrets Manager to Store VM-Series Certificates
- Use Case: Secure the EC2 Instances in the AWS Cloud
- Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC
-
- Intelligent Traffic Offload
- Software Cut-through Based Offload
-
- Deployments Supported on Azure
- Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template)
- Deploy the VM-Series Firewall from the Azure China Marketplace (Solution Template)
- Deploy the VM-Series with the Azure Gateway Load Balancer
- Create a Custom VM-Series Image for Azure
- Deploy the VM-Series Firewall on Azure Stack
- Deploy the VM-Series Firewall on Azure Stack HCI
- Enable Azure Application Insights on the VM-Series Firewall
- Set up Active/Passive HA on Azure
- Use Azure Key Vault to Store VM-Series Certificates
- Use the ARM Template to Deploy the VM-Series Firewall
-
- About the VM-Series Firewall on Google Cloud Platform
- Supported Deployments on Google Cloud Platform
- Create a Custom VM-Series Firewall Image for Google Cloud Platform
- Prepare to Set Up VM-Series Firewalls on Google Public Cloud
-
- Deploy the VM-Series Firewall from Google Cloud Platform Marketplace
- Management Interface Swap for Google Cloud Platform Load Balancing
- Use the VM-Series Firewall CLI to Swap the Management Interface
- Enable Google Stackdriver Monitoring on the VM Series Firewall
- Enable VM Monitoring to Track VM Changes on Google Cloud Platform (GCP)
- Use Dynamic Address Groups to Secure Instances Within the VPC
- Use Custom Templates or the gcloud CLI to Deploy the VM-Series Firewall
- Enable Session Resiliency on VM-Series for GCP
-
- Prepare Your ACI Environment for Integration
-
-
- Create a Virtual Router and Security Zone
- Configure the Network Interfaces
- Configure a Static Default Route
- Create Address Objects for the EPGs
- Create Security Policy Rules
- Create a VLAN Pool and Domain
- Configure an Interface Policy for LLDP and LACP for East-West Traffic
- Establish the Connection Between the Firewall and ACI Fabric
- Create a VRF and Bridge Domain
- Create an L4-L7 Device
- Create a Policy-Based Redirect
- Create and Apply a Service Graph Template
-
- Create a VLAN Pool and External Routed Domain
- Configure an Interface Policy for LLDP and LACP for North-South Traffic
- Create an External Routed Network
- Configure Subnets to Advertise to the External Firewall
- Create an Outbound Contract
- Create an Inbound Web Contract
- Apply Outbound and Inbound Contracts to the EPGs
- Create a Virtual Router and Security Zone for North-South Traffic
- Configure the Network Interfaces
- Configure Route Redistribution and OSPF
- Configure NAT for External Connections
-
-
- Choose a Bootstrap Method
- VM-Series Firewall Bootstrap Workflow
- Bootstrap Package
- Bootstrap Configuration Files
- Generate the VM Auth Key on Panorama
- Create the bootstrap.xml File
- Prepare the Licenses for Bootstrapping
- Prepare the Bootstrap Package
- Bootstrap the VM-Series Firewall on AWS
- Bootstrap the VM-Series Firewall on Azure
- Bootstrap the VM-Series Firewall on Azure Stack HCI
- Bootstrap the VM-Series Firewall on Google Cloud Platform
- Verify Bootstrap Completion
- Bootstrap Errors
11.2 and Later
Sessions
| Tier 1 | 4.5 GB | 5 GB | 5.5 GB | 6 GB | 6.5 GB | 7 GB | 8 GB |
|---|---|---|---|---|---|---|---|
|
Max sessions
(IPv4 or IPv6)
|
20,000
|
40,000
|
50,000
|
100,000
|
200,000
|
250,000
|
300,000
|
|
Max Default Dataplane vCPUs
|
1
|
1
|
1
|
1
|
2
|
2
|
2
|
| Tier 2 | 9 GB | 10 GB | 12 GB | 14 GB | 16 GB | 18 GB | 20 GB |
|---|---|---|---|---|---|---|---|
|
Max sessions
(IPv4 or IPv6)
|
400,000
|
500,000
|
800,000
|
1,100,000
|
1,100,000
|
1,200,000
|
1,800,000
|
|
Max Default Dataplane vCPUs
|
4
|
4
|
4
|
4
|
12
|
12
|
12
|
| Tier 3 | 24 GB | 28 GB | 32 GB | 36 GB | 40 GB | 44 GB |
|---|---|---|---|---|---|---|
|
Max sessions
(IPv4 or IPv6)
|
2,500,000
|
2,800,000
|
3,500,000
|
4,500,000
|
5,500,000
|
6,750,000
|
|
Max Default Dataplane vCPUs
|
12
|
12
|
12
|
12
|
12
|
12
|
| Tier 3 (continued) | 48 GB | 52 GB | 56 GB | 64 GB |
|---|---|---|---|---|
|
Max sessions
(IPv4 or IPv6)
|
7,000,000
|
8,150,000
|
8,500,000
|
8,250,000
|
|
Max Default Dataplane vCPUs
|
12
|
12
|
24
|
47
|
| Tier 4 | 121 - 128 GB |
|---|---|
|
Max sessions
(IPv4 or IPv6)
|
10,000,000
|
|
Max Default Dataplane vCPUs
|
47
|
Policies
| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| Security rules | 1,500 | 10,000 | 20,000 |
65,000
|
|
Security rule schedules
| 256 |
256
|
256
|
256
|
|
NAT rules
|
3,000
| 8,000 | 15,000 |
16,000
|
|
Decryption rules
|
1,000
| 1,000 |
2,000
|
5,000
|
|
App override rules
|
1,000
| 1,000 |
2,000
|
4,000
|
|
Tunnel content inspection rules
| 100 |
500
|
2,000
|
8,500
|
|
SD-WAN rules
| 100 |
300
|
300
|
1,000
|
|
Policy based forwarding rules
|
100
|
500
|
2,000
|
2,000
|
|
Captive portal rules
|
1,000
| 1,000 |
2,000
|
8,000
|
|
DoS protection rules
|
1,000
| 1,000 |
1,000
|
2,000
|
Security Zones
| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
|
Max security zones
| 40 | 200 | 200 |
17,000
|
Objects (addresses and services)
| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
|
Address objects
|
10,000
|
20,000
|
40,000
|
160,000
|
|
Address groups
|
1,000
|
2,500
|
4,000
|
80,000
|
|
Members per address group
|
2,500
|
2,500
|
2,500
|
2,500
|
|
Service objects
|
2,000
|
2,000
|
5,000
|
12,000
|
|
Service groups
| 500 |
250
|
500
|
6,000
|
|
Members per service group
|
500
|
500
|
500
|
2,500
|
|
FQDN address objects
|
2,000
|
2,000
|
2,000
|
6,144
|
|
Max DAG IP addresses*
(system wide capacity)
|
2,500
|
300,000
|
300,500
|
500,000
|
|
Tags per IP address
|
32
|
32
|
32
|
64
|
* Firewall throughput measured with App-ID and User-ID features enabled utilizing
AppMix transactions.
Security Profiles
| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
|
Security Profiles
| 375 | 750 |
750
|
750
|
App-ID
| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
|
Custom App-ID signatures
| 6,000 |
6,000
|
6,000
|
6,000
|
|
Shared custom App-IDs
|
512
|
512
|
512
|
512
|
|
Custom App-IDs
(virtual system specific)
|
6,416
|
6,416
|
6,416
|
6,416
|
User-ID
| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
|
IP-User mappings (management plane)
|
524,288
|
524,288
|
524,288
|
524,288
|
|
IP-User mappings (data plane)
|
64,000
|
512,000
|
512,000
|
512,000
|
|
Active and unique groups used in policy (aggregate of LDAP
groups, XML API Groups, and Dynamic User Group).*
|
1,000
|
10,000
|
10,000
|
10,000
|
|
Number of User-ID agents
|
100
|
100
|
100
|
100
|
|
Monitored servers for User-ID
|
100
|
100
|
100
|
100
|
|
Terminal server agents
|
400
|
2,000
|
2,500
|
2,500
|
|
Tags per User*
(PAN-OS 9.1 and later)
|
32
|
32
|
32
|
32
|
*Firewall throughput measured with App-ID and User-ID features enabled utilizing
AppMix transactions.
SSL Decryption
| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
|
Max SSL inbound certificates
|
1,000
|
1,000
|
1,000
|
4,000
|
|
SSL certificate cache
(forward proxy)
| 128 |
4,000
|
8,000
|
32,000
|
|
Max concurrent decryption sessions
| 6,400 | 50,000 | 100,000 |
2,000,000
|
|
SSL Port Mirror
| Yes |
Yes
|
Yes
|
Yes
|
|
SSL Decryption Broker
| No |
No
|
Yes
|
Yes
|
|
HSM Supported
| Yes |
Yes
|
Yes
|
Yes
|
URL Filtering
| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
|
Total entries for allow list, block list and custom
categories
|
25,000
|
25,000
|
100,000
|
100,000
|
|
Max custom categories
|
2,849
|
2,849
|
2,849
|
2,849
|
|
Max custom categories (virtual system specific)
|
500
|
500
|
500
|
500
|
|
Dataplane cache size for URL filtering
|
90,000
|
90,000
|
250,000
|
250,000
|
|
Management plane dynamic cache size
|
100,000
|
100,000
|
600,000
|
900,000
|
EDL
| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
|
Max number of custom lists
|
30
|
30
|
30
|
30
|
|
Max number of IPs per system
|
50,000
|
50,000
|
50,000
|
150,000
|
|
Max number of DNS Domains per system
|
50,000
| 2,000,000 | 2,000,00 |
4,000,000
|
|
Max number of URL per system
|
50,000
|
100,000
|
100,000
|
250,000
|
|
Shortest check interval (min)
|
5
|
5
|
5
|
5
|
Interfaces
| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
|
Mgmt - out-of-band
|
NA
|
NA
|
NA
|
NA
|
|
Mgmt - 10/100/1000 high availability
|
NA
|
NA
|
NA
|
NA
|
|
Mgmt - 40Gbps high availability
|
NA
|
NA
|
NA
|
NA
|
|
Mgmt - 10Gbps high availability
|
NA
|
NA
|
NA
|
NA
|
|
Traffic - 10/100/1000
|
NA
|
NA
|
NA
|
NA
|
|
Traffic - 100/1000/10000
|
NA
|
NA
|
NA
|
NA
|
|
Traffic - 1Gbps SFP
|
NA
|
NA
|
NA
|
NA
|
|
Traffic - 10Gbps SFP+
|
NA
|
NA
|
NA
|
NA
|
|
Traffic - 40/100Gbps QSFP+/QSFP28
|
NA
|
NA
|
NA
|
NA
|
|
802.1q tags per device
|
4,094
| 4,094 |
4,094
|
4,094
|
|
802.1q tags per physical interface
|
4,094
|
4,094
|
4,094
|
4,094
|
|
Max interfaces (logical and physical)
| 2,048 |
4,096
| 4,096 | 4,096 |
|
Maximum aggregate interfaces
|
NA
|
NA
|
NA
|
NA
|
|
Maximum SD-WAN virtual interfaces
| 300 |
1,000
|
1,000
|
1,000
|
Virtual Routers
| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
|
Virtual routers
| 3 | 20 |
125
|
225
|
Virtual Wires
| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| Virtual wires | 12 | 12 |
12
|
12
|
Virtual Systems
| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
|
Base virtual systems
|
1
|
1
|
1
|
1
|
|
Max virtual systems
Additional licenses are required for virtual system capacities
above the base virtual system’s capacity
|
NA
|
NA
|
NA
|
NA
|
Routing
| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
|
IPv4 forwarding table size*
(Entries shared across virtual routers)
| 5,000 |
32,000
|
100,000
|
To be added
|
|
IPv6 forwarding table size*
(Entries shared across virtual routers)
| 5,000 |
32,000
|
100,000
|
To be added
|
|
System total forwarding table size
| 5,000 | 32,000 |
100,000
|
To be added
|
|
Max route maps per virtual router
| 50 |
50
|
50
|
To be added
|
|
Max routing peers (protocol dependent)
| 500 |
1,000
|
1,000
|
To be added
|
|
Static entries - DNS proxy
| 1,024 |
1,024
|
1,024
|
To be added
|
|
Bidirectional Forwarding Detection (BFD) Sessions
| 128 |
1,024
|
1,024
|
To be added
|
*Firewall throughput measured with App-ID and User-ID features enabled utilizing
AppMix transactions.
L2 Forwarding
| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
|
ARP table size per device
|
2,500
|
32,000
|
128,000
|
132,000
|
|
IPv6 neighbor table size
| 2,500 |
32,000
| 128,000 |
132,000
|
|
MAC table size per device
| 2,500 |
32,000
| 128,000 |
132,000
|
|
Max ARP entries per broadcast domain
| 2,500 |
32,000
| 128,000 |
132,000
|
|
Max MAC entries per broadcast domain
| 2,500 |
32,000
| 128,000 |
132,000
|
NAT
| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
|
Total NAT rule capacity
| 3,000 |
8,000
|
8,000
|
To be added
|
|
Max NAT rules (static)*
(Configuring static NAT rules to full capacity requires that no
other NAT rule types are used.)
| 3,000 |
8,000
|
8,000
|
To be added
|
|
Max NAT rules (DIP)*
(Configuring DIP NAT rules to full capacity requires that no
other NAT rule types are used.)
| 2,000 |
8,000
|
8,000
|
To be added
|
|
Max NAT rules (DIPP)
| 400 |
2,000
|
2,000
|
To be added
|
|
Max translated IPs (DIP)
|
128,000
|
160,000
|
160,000
|
To be added
|
|
Max translated IPs (DIPP)*
(DIPP translated IP capacity is proportional to the DIPP pool
oversubscription value. The capacity shown here is based on an
oversubscription value of 1x.)
| 400 |
2,000
|
2,000
|
To be added
|
|
Default DIPP pool oversubscription*
(Source IP and source port reuse across concurrent sessions)
|
2
| 8 | 8 |
To be added
|
*Firewall throughput measured with App-ID and User-ID features enabled utilizing
AppMix transactions.
Address Assignment
| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
|
DHCP servers
| 3 |
20
| 125 |
To be added
|
|
DHCP relays*
(Maximum capacity represents total DHCP servers and DHCP relays
combined)
|
500
|
500
|
500
|
To be added
|
| Max number of assigned addresses | 64,000 | 64,000 | 64,000 |
To be added
|
*Firewall throughput measured with App-ID and User-ID features enabled utilizing
AppMix transactions.
High Availability
| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
|
Devices supported
|
2
|
2
|
2
|
2
|
|
Max virtual addresses
| 128 |
32
|
128
|
To be added
|
QoS
| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
|
Number of QoS policies
|
500
|
2,000
|
4,000
|
To be added
|
|
Physical interfaces supporting QoS
|
6
| 12 | 12 |
12
|
|
Clear text nodes per physical interface
|
31
| 63 | 63 |
63
|
|
DSCP marking by policy
|
Yes
|
Yes
|
Yes
|
Yes
|
|
Subinterfaces supported
|
NA
|
NA
|
NA
|
NA
|
IPSec VPN
| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
|
Max IKE Peers
|
1,000
|
1,000
|
2,000
|
To be added
|
|
Site to site (with proxy id)
|
1,000
|
4,000
|
8,000
|
To be added
|
|
SD-WAN IPSec tunnels
|
1,000
|
1,000
|
2,000
|
To be added
|
GlobalProtect Client VPN
| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
|
Max tunnels (SSL, IPSec, and IKE with XAUTH)
| 500 | 6,000 |
12,000
|
To be added
|
GlobalProtect Clientless VPN
| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
|
Max SSL tunnels
| 100 | 1,200 |
2,500
|
25,000
|
Multicast
| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
|
Replication (egress interfaces)
| 100 |
100
|
100
|
To be added
|
|
Routes
|
2,000
|
4,000
|
4,000
|
To be added
|