Maximum Limits Based on Tier and Memory

The following tables list the maximum number of each object or resource that a single VM-Series firewall deployment can create, store, manage, or interact with, based on allocated memory or tier. These limits apply to VM-Series firewalls using licenses funded with Software NGFW credits.
For memory scaling, increments of memory are grouped into four tiers that represent the configuration capacity of the VM-Series firewall. Regardless of the amount of memory you assign to a VM-Series firewall instance, the tier that the amount of memory falls into determines the limit for non-session values, such as security rules, address objects, security profiles, etc.
The memory profile and the total number of vCPUs determine how many cores are automatically assigned to the management plane and the dataplane. Additionally, you have the option to customize the distribution of the dataplane cores.
If you are using Software NGFW credits for licensing, you can choose a memory profile that supports your requirements for one or more of the following resources:

Sessions

| Tier 1 | 4.5 GB | 5 GB | 5.5 GB | 6 GB | 6.5 GB | 7 GB | 8 GB |
|---|---|---|---|---|---|---|---|
| Max sessions (IPv4 or IPv6) | 25,000 | 40,000 | 50,000 | 100,000 | 200,000 | 300,000 | 500,000 |
| Max Default Dataplane vCPUs | 1 | 1 | 1 | 1 | 2 | 2 | 2 |

| Tier 2 | 9 GB | 10 GB | 12 GB | 14 GB | 16 GB | 18 GB | 20 GB |
|---|---|---|---|---|---|---|---|
| Max sessions (IPv4 or IPv6) | 600,000 | 800,000 | 1,000,000 | 1,200,000 | 1,800,000 | 2,000,000 | 2,800,000 |
| Max Default Dataplane vCPUs | 4 | 4 | 4 | 4 | 12 | 12 | 12 |

| Tier 3 | 24 GB | 28 GB | 32 GB | 36 GB | 40 GB | 44 GB |
|---|---|---|---|---|---|---|
| Max sessions (IPv4 or IPv6) | 3,600,000 | 4,400,000 | 5,200,000 | 6,000,000 | 6,800,000 | 6,800,000 |
| Max Default Dataplane vCPUs | 12 | 12 | 12 | 12 | 12 | 12 |

| Tier 3 (continued) | 48 GB | 52 GB | 56 GB | 64 GB |
|---|---|---|---|---|
| Max sessions (IPv4 or IPv6) | 7,600,000 | 8,400,000 | 9,200,000 | 10,000,000 |
| Max Default Dataplane vCPUs | 12 | 12 | 24 | 47 |

| Tier 4 | 121 - 128 GB |
|---|---|
| Max sessions (IPv4 or IPv6) | 14,000,000 |
| Max Default Dataplane vCPUs | 47 |

Policies

| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| Security rules | 1,500 | 10,000 | 20,000 | 65,000 |
| Security rule schedules | 256 | 256 | 256 | 256 |
| NAT rules | 3,000 | 8,000 | 15,000 | 16,000 |
| Decryption rules | 1,000 | 1,000 | 2,000 | 5,000 |
| App override rules | 1,000 | 1,000 | 2,000 | 4,000 |
| Tunnel content inspection rules | 100 | 500 | 2,000 | 8,500 |
| SD-WAN rules | 100 | 300 | 300 | 1,000 |
| Policy based forwarding rules | 100 | 500 | 2,000 | 2,000 |
| Captive portal rules | 1,000 | 1,000 | 2,000 | 8,000 |
| DoS protection rules | 1,000 | 1,000 | 1,000 | 2,000 |

Security Zones

| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| Max security zones | 40 | 200 | 200 | 17,000 |

Objects (addresses and services)

| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| Address objects | 10,000 | 20,000 | 40,000 | 160,000 |
| Address groups | 1,000 | 2,500 | 4,000 | 80,000 |
| Members per address group | 2,500 | 2,500 | 2,500 | 2,500 |
| Service objects | 2,000 | 2,000 | 5,000 | 12,000 |
| Service groups | 500 | 250 | 500 | 6,000 |
| Members per service group | 500 | 500 | 500 | 2,500 |
| FQDN address objects | 2,000 | 2,000 | 2,000 | 6,144 |
| Max DAG IP addresses* (system wide capacity) | 2,500 | 300,000 | 300,500 | 500,000 |
| Tags per IP address | 32 | 32 | 32 | 64 |

*Firewall throughput measured with App-ID and User-ID features enabled utilizing AppMix transactions.

Security Profiles

| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| Security Profiles | 375 | 750 | 750 | 750 |

App-ID

| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| Custom App-ID signatures | 6,000 | 6,000 | 6,000 | 6,000 |
| Shared custom App-IDs | 512 | 512 | 512 | 512 |
| Custom App-IDs (virtual system specific) | 6,416 | 6,416 | 6,416 | 6,416 |

User-ID

| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| IP-User mappings (management plane) | 524,288 | 524,288 | 524,288 | 524,288 |
| IP-User mappings (data plane) | 64,000 | 512,000 | 512,000 | 512,000 |
| Active and unique groups used in policy (aggregate of LDAP groups, XML API Groups, and Dynamic User Group).* | 1,000 | 10,000 | 10,000 | 10,000 |
| Number of User-ID agents | 100 | 100 | 100 | 100 |
| Monitored servers for User-ID | 100 | 100 | 100 | 100 |
| Terminal server agents | 400 | 2,000 | 2,500 | 2,500 |
| Tags per User* (PAN-OS 9.1 and later) | 32 | 32 | 32 | 32 |

*Firewall throughput measured with App-ID and User-ID features enabled utilizing AppMix transactions.

SSL Decryption

| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| Max SSL inbound certificates | 1,000 | 1,000 | 1,000 | 4,000 |
| SSL certificate cache (forward proxy) | 128 | 4,000 | 8,000 | 32,000 |
| Max concurrent decryption sessions | 6,400 | 50,000 | 100,000 | 2,000,000 |
| SSL Port Mirror | Yes | Yes | Yes | Yes |
| SSL Decryption Broker | No | No | Yes | Yes |
| HSM Supported | Yes | Yes | Yes | Yes |

URL Filtering

| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| Total entries for allow list, block list and custom categories | 25,000 | 25,000 | 100,000 | 100,000 |
| Max custom categories | 2,849 | 2,849 | 2,849 | 2,849 |
| Max custom categories (virtual system specific) | 500 | 500 | 500 | 500 |
| Dataplane cache size for URL filtering | 90,000 | 90,000 | 250,000 | 250,000 |
| Management plane dynamic cache size | 100,000 | 100,000 | 600,000 | 900,000 |

EDL

| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| Max number of custom lists | 30 | 30 | 30 | 30 |
| Max number of IPs per system | 50,000 | 50,000 | 50,000 | 150,000 |
| Max number of DNS Domains per system | 50,000 | 2,000,000 | 2,000,00 | 4,000,000 |
| Max number of URL per system | 50,000 | 100,000 | 100,000 | 250,000 |
| Shortest check interval (min) | 5 | 5 | 5 | 5 |

Interfaces

| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| Mgmt - out-of-band | NA | NA | NA | NA |
| Mgmt - 10/100/1000 high availability | NA | NA | NA | NA |
| Mgmt - 40Gbps high availability | NA | NA | NA | NA |
| Mgmt - 10Gbps high availability | NA | NA | NA | NA |
| Traffic - 10/100/1000 | NA | NA | NA | NA |
| Traffic - 100/1000/10000 | NA | NA | NA | NA |
| Traffic - 1Gbps SFP | NA | NA | NA | NA |
| Traffic - 10Gbps SFP+ | NA | NA | NA | NA |
| Traffic - 40/100Gbps QSFP+/QSFP28 | NA | NA | NA | NA |
| 802.1q tags per device | 4,094 | 4,094 | 4,094 | 4,094 |
| 802.1q tags per physical interface | 4,094 | 4,094 | 4,094 | 4,094 |
| Max interfaces (logical and physical) | 2,048 | 4,096 | 4,096 | 4,096 |
| Maximum aggregate interfaces | NA | NA | NA | NA |
| Maximum SD-WAN virtual interfaces | 300 | 1,000 | 1,000 | 1,000 |

Virtual Routers

| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| Virtual routers | 3 | 20 | 125 | 225 |

Virtual Wires

| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| Virtual wires | 12 | 12 | 12 | 12 |

Virtual Systems

| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| Base virtual systems | 1 | 1 | 1 | 1 |
| Max virtual systems (Additional licenses are required for virtual system capacities above the base virtual system's capacity) | NA | NA | NA | NA |

Routing

| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| IPv4 forwarding table size* (Entries shared across virtual routers) | 5,000 | 32,000 | 100,000 | To be added |
| IPv6 forwarding table size* (Entries shared across virtual routers) | 5,000 | 32,000 | 100,000 | To be added |
| System total forwarding table size | 5,000 | 32,000 | 100,000 | To be added |
| Max route maps per virtual router | 50 | 50 | 50 | To be added |
| Max routing peers (protocol dependent) | 500 | 1,000 | 1,000 | To be added |
| Static entries - DNS proxy | 1,024 | 1,024 | 1,024 | To be added |
| Bidirectional Forwarding Detection (BFD) Sessions | 128 | 1,024 | 1,024 | To be added |

*Firewall throughput measured with App-ID and User-ID features enabled utilizing AppMix transactions.

L2 Forwarding

| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| ARP table size per device | 2,500 | 32,000 | 128,000 | 132,000 |
| IPv6 neighbor table size | 2,500 | 32,000 | 128,000 | 132,000 |
| MAC table size per device | 2,500 | 32,000 | 128,000 | 132,000 |
| Max ARP entries per broadcast domain | 2,500 | 32,000 | 128,000 | 132,000 |
| Max MAC entries per broadcast domain | 2,500 | 32,000 | 128,000 | 132,000 |

NAT

| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| Total NAT rule capacity | 3,000 | 8,000 | 8,000 | To be added |
| Max NAT rules (static)* (Configuring static NAT rules to full capacity requires that no other NAT rule types are used.) | 3,000 | 8,000 | 8,000 | To be added |
| Max NAT rules (DIP)* (Configuring DIP NAT rules to full capacity requires that no other NAT rule types are used.) | 2,000 | 8,000 | 8,000 | To be added |
| Max NAT rules (DIPP) | 400 | 2,000 | 2,000 | To be added |
| Max translated IPs (DIP) | 128,000 | 160,000 | 160,000 | To be added |
| Max translated IPs (DIPP)* (DIPP translated IP capacity is proportional to the DIPP pool oversubscription value. The capacity shown here is based on an oversubscription value of 1x.) | 400 | 2,000 | 2,000 | To be added |
| Default DIPP pool oversubscription* (Source IP and source port reuse across concurrent sessions) | 2 | 8 | 8 | To be added |

*Firewall throughput measured with App-ID and User-ID features enabled utilizing AppMix transactions.

Address Assignment

| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| DHCP servers | 3 | 20 | 125 | To be added |
| DHCP relays* (Maximum capacity represents total DHCP servers and DHCP relays combined) | 500 | 500 | 500 | To be added |
| Max number of assigned addresses | 64,000 | 64,000 | 64,000 | To be added |

*Firewall throughput measured with App-ID and User-ID features enabled utilizing AppMix transactions.

High Availability

| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| Devices supported | 2 | 2 | 2 | 2 |
| Max virtual addresses | 128 | 32 | 128 | To be added |

QoS

| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| Number of QoS policies | 500 | 2,000 | 4,000 | To be added |
| Physical interfaces supporting QoS | 6 | 12 | 12 | 12 |
| Clear text nodes per physical interface | 31 | 63 | 63 | 63 |
| DSCP marking by policy | Yes | Yes | Yes | Yes |
| Subinterfaces supported | NA | NA | NA | NA |

IPSec VPN

| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| Max IKE Peers | 1,000 | 1,000 | 2,000 | To be added |
| Site to site (with proxy id) | 1,000 | 4,000 | 8,000 | To be added |
| SD-WAN IPSec tunnels | 1,000 | 1,000 | 2,000 | To be added |

GlobalProtect Client VPN

| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| Max tunnels (SSL, IPSec, and IKE with XAUTH) | 500 | 6,000 | 12,000 | To be added |

GlobalProtect Clientless VPN

| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| Max SSL tunnels | 100 | 1,200 | 2,500 | 25,000 |

Multicast

| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| Replication (egress interfaces) | 100 | 100 | 100 | To be added |
| Routes | 2,000 | 4,000 | 4,000 | To be added |