Compare Firewall Products

PA-400 Series:

	PA-410	PA-415	PA-415-5G

Performance ⁱ
App-ID firewall throughput	1.4 Gbps	1.5 Gbps	1.5 Gbps
Threat prevention throughput	0.8 Gbps	0.8 Gbps	0.8 Gbps
IPsec VPN throughput	650 Mbps	650 Mbps	650 Mbps
Connections per second	11,000	11,000	11,400
Sessions
Max sessions (IPv4 or IPv6)	64,000	64,000	64,000
Policies
Security rules	500	500	500
Security rule schedules	256	256	256
NAT rules	400	400	400
Decryption rules	100	100	100
App override rules	100	100	100
Tunnel content inspection rules	100	100	100
SD-WAN rules	100	100	100
Policy based forwarding rules	100	100	100
Captive portal rules	10	10	10
DoS protection rules	100	100	100
Security Zones
Max security zones	25	25	25
Objects (addresses and services)
Address objects	2,500	2,500	2,500
Address groups	125	125	125
Members per address group	2,500	2,500	2,500
Service objects	1,000	1,000	1,000
Service groups	250	250	250
Members per service group	500	500	500
FQDN address objects	2,000	2,000	2,000
Max DAG IP addressesii	1,000	1,000	1,000
Tags per IP address	32	32	32
Security Profiles
Security profiles	75	75	75
App-ID
Custom App-ID signatures	6,000	6,000	6,000
Shared custom App-IDs	512	512	512
Custom App-IDs (virtual system specific)	6,416	6,416	6,416
User-ID
IP-User mappings (management plane)	512,000	512,000	512,000
IP-User mappings (data plane)	128,000	128,000	128,000
Active and unique groups used in policyⁱⁱⁱ	1,000	1,000	1,000
Number of User-ID agents	100	100	100
Monitored servers for User-ID	100	100	100
Terminal server agents	400	400	400
Tags per User^iv	32	32	32
SSL Decryption
Max SSL inbound certificates	25	25	25
SSL certificate cache (forward proxy)	TBD	TBD	TBD
Max concurrent decryption sessions	6,600	6,600	6,600
Decryption Port Mirror	Yes	Yes	Yes
Network Packet Broker	No	No	No
HSM Supported	No	No	No
URL Filtering
Total entries for allow list, block list and custom categories	25,000	25,000	25,000
Max custom categories	2,849	2,849	2,849
Max custom categories (virtual system specific)	500	500	500
Dataplane cache size for URL filtering	TBD	TBD	TBD
Management plane dynamic cache size	TBD	TBD	TBD
EDL
Max number of custom lists	30	30	30
Max number of IPs per system	50,000	50,000	50,000
Max number of DNS Domains per system	50,000	50,000	50,000
Max number of URL per system	50,000	50,000	50,000
Shortest check interval (min)	5	5	5
Interfaces
Mgmt - out-of-band	10/100/1000, RJ45/Micro USB console	SFP/RJ45 combo, RJ45/Micro USB console	SFP/RJ45 combo, RJ45/Micro USB console
Mgmt - 10/100/1000 high availability	NA	NA	NA
Mgmt - 40Gbps high availability	NA	NA	NA
Mgmt - 10Gbps high availability	NA	NA	NA
Traffic - 10/100/1000	7	8	8
Traffic - 10M/100M/1G/2.5G/5G	NA	NA	NA
Traffic - 100/1000/10000	NA	NA	NA
Traffic - 1Gbps SFP	NA	1 (SFP/RJ45 Combo)	1 (SFP/RJ45 Combo)
Traffic - 10Gbps SFP+	NA	NA	NA
Traffic - 25Gbps SFP28	NA	NA	NA
Traffic - 40/100Gbps QSFP+/QSFP28	NA	NA	NA
802.1q tags per device	4,094	4,094	4,094
802.1q tags per physical interface	4,094	4,094	4,094
Max interfaces (logical and physical)	1,024	1,024	1,024
Maximum aggregate interfaces	3	3	3
Maximum SD-WAN virtual interfaces	300	300	300
Power Over Ethernet
PoE Enabled Interfaces	NA	4	4
PoE Interface Speed	NA	1G	1G
Total Power Budget	NA	91 Watts	91 Watts
Max Power per single port	NA	60 Watts	60 Watts
Cellular Interface
5G	NA	NA	1
Virtual Routers
Virtual routers	3	3	3
Virtual Wires
Virtual wires	512	512	512
Virtual Systems
Base virtual systems	1	1	1
Max virtual systems^v	1	1	1
Routing
IPv4 forwarding table size^vi	5,000	5,000	5,000
IPv6 forwarding table size^vi	2,500	2,500	2,500
System total forwarding table size	5,000	5,000	5,000
Max route maps per virtual router	N/A	N/A	N/A
Max routing peers (protocol dependent)	500	500	500
Static entries - DNS proxy	1,024	1,024	1,024
Bidirectional Forwarding Detection (BFD) Sessions	Yes	Yes	Yes
L2 Forwarding
ARP table size per device	1,500	1,500	1,500
IPv6 neighbor table size	1,500	1,500	1,500
MAC table size per device	1,500	1,500	1,500
Max ARP entries per broadcast domain	1,500	1,500	1,500
Max MAC entries per broadcast domain	1,500	1,500	1,500
NAT
Total NAT rule capacity	400	400	400
Max NAT rules (static)^vii	400	400	400
Max NAT rules (DIP)^viii	400	400	400
Max NAT rules (DIPP)	200	200	200
Max translated IPs (DIP)	16,000	16,000	16,000
Max translated IPs (DIPP)^ix	200	200	200
Default DIPP pool oversubscription^x	2	2	2
Address Assignment
DHCP servers	3	3	3
DHCP relays^xi	500^xiii	500^xiii	500
Max number of assigned addresses	64,000	64,000	64,000
High Availability
Devices supported	2	2	2
Max virtual addresses	32	32	32
QoS
Number of QoS policies	1,000	1,000	1,000
Physical interfaces supporting QoS	8	8	8
Clear text nodes per physical interface	31	31	31
DSCP marking by policy	Yes	Yes	Yes
Subinterfaces supported	System Limit	System Limit	System Limit
IPSec VPN
Max IKE Peers	1,000	1,000	1,000
Site to site (with proxy id)	1,000	1,000	1,000
SD-WAN IPSec tunnels	1,000	1,000	1,000
GlobalProtect Client VPN
Max tunnels (SSL, IPSec, and IKE with XAUTH)	250	250	250
GlobalProtect Clientless VPN
Max SSL tunnels	20	20	20
Multicast
Replication (egress interfaces)	100	100	100
Routes	500	500	500

PA-1400 & PA 3400 Series:

	PA-3410	PA-3420	PA-3430	PA-3440	PA-1410

Performance ⁱ
App-ID firewall throughput	14.0 Gbps	19.0 Gbps	29.0 Gbps	35.0 Gbps	8.5 Gbps
Threat prevention throughput	7.5 Gbps	10.0 Gbps	15.0 Gbps	20.0 Gbps	4.5 Gbps
IPsec VPN throughput	6.6 Gbps	9.9 Gbps	12.0 Gbps	14.5 Gbps	4.1 Gbps
Connections per second	145,000	205,000	240,000	268,000	100,000
Sessions
Max sessions (IPv4 or IPv6)	1,400,000	2,200,000	2,500,000	3,000,000	945,000
Policies
Security rules	10,000	10,000	10,000	10,000	5000^xii
Security rule schedules	256	256	256	256	256
NAT rules	3,000	3,000	3,000	3,000	3,000
Decryption rules	750	750	1,500	1,500	750
App override rules	750	750	1,500	1,500	750
Tunnel content inspection rules	400	400	500	500	750
SD-WAN rules	750	750	1,500	1,500	400
Policy based forwarding rules	750	750	1,500	1,500	750
Captive portal rules	750	750	1,500	1,500	750
DoS protection rules	750	750	1,500	1,500	750
Security Zones
Max security zones	200	200	200	200	150^xii
Objects (addresses and services)
Address objects	30,000	30,000	30,000	30,000	20,000
Address groups	15,000	15,000	15,000	15,000	2,000
Members per address group	2,500	2,500	2,500	2,500	2,500
Service objects	3,000	3,000	4,000	4,000	3,000
Service groups	1,500	1,500	2,000	2,000	1,500
Members per service group	1,500	1,500	2,500	2,500	1,500
FQDN address objects	2,048	2,048	2,048	2,048	2,048
Max DAG IP addressesⁱⁱ	150,000	150,000	200,000	200,000	150,000
Tags per IP address	32	32	32	32	32
Security Profiles
Security Profiles	150	150	150	150	150
App-ID
Custom App-ID signatures	6,000	6,000	6,000	6,000	6,000
Shared custom App-IDs	512	512	512	512	512
Custom App-IDs (virtual system specific)	6,416	6,416	6,416	6,416	6,416
User-ID
IP-User mappings (management plane)	512,000	512,000	512,000	512,000	512,000
IP-User mappings (data plane)	128,000	128,000	128,000	128,000	128,000
Active and unique groups used in policyⁱⁱⁱ	10,000	10,000	10,000	10,000	1,000
Number of User-ID agents	100	100	100	100	100
Monitored servers for User-ID	100	100	100	100	100
Terminal server agents	1,000	1,000	2,0500	2,000	1,000
Tags per User^iv	32	32	32	32	32
SSL Decryption
Max SSL inbound certificates	125	125	150	150	125
SSL certificate cache (forward proxy)	10,240	10,240	13,312	15,360	2,000
Max concurrent decryption sessions	140,000	200,000	250,000	300,000	51,200
Decryption Port Mirror	Yes	Yes	Yes	Yes	Yes
Network Packet Broker	Yes	Yes	Yes	Yes	No
HSM Supported	Yes	Yes	Yes	Yes	Yes
URL Filtering
Total entries for allow list, block list and custom categories	25,000	25,000	25,000	25,000	25,000
Max custom categories	2,849	2,849	2,849	2,849	2,849
Max custom categories (virtual system specific)	500	500	500	500	500
Dataplane cache size for URL filtering	250,000	250,000	200,000	200,000	200,000
Management plane dynamic cache size	600,000	600,000	600,000	900,000	900,000
EDL
Max number of custom lists	30	30	30	30	30
Max number of IPs per system	50,000	50,000	50,000	50,000	50,000
Max number of DNS Domains per system	1M	1M	1M	1M	100,000
Max number of URL per system	100,000	100,000	100,000	100,000	100,000
Shortest check interval (min)	5	5	5	5	5
Interfaces
Mgmt - out-of-band	10/100/1000, RJ45 console	10/100/1000, RJ45 console	10/100/1000, RJ45 console	10/100/1000, RJ45 console	10/100/1000, RJ45/Micro USB console
Mgmt - 10/100/1000 high availability	NA	NA	NA	NA	2
Mgmt - 40Gbps high availability	NA	NA	NA	NA	NA
Mgmt - 10Gbps high availability	1	1	1	1	1
Traffic - 10/100/1000	NA	NA	NA	NA	8
Traffic - 10M/100M/1G/2.5G/5G	NA	NA	NA	NA	4
Traffic - 100/1000/10000	12	12	12	12	NA
Traffic - 1Gbps SFP	0/10	0/10	0/10	0/10	6
Traffic - 10Gbps SFP+	0/10	0/10	0/10	0/10	4
Traffic - 25Gbps SFP28	4	4	4	4	NA
Traffic - 40/100Gbps QSFP+/QSFP28	N/A	N/A	2	2	N/A
802.1q tags per device	4,094	4,094	4,094	4,094	4,094
802.1q tags per physical interface	4,094	4,094	4,094	4,094	4,094
Max interfaces (logical and physical)	3,600	3,600	4,500	4,500	1,024
Maximum aggregate interfaces	8	8	8	8	10
Maximum SD-WAN virtual interfaces	1,200	1,200	1,500	1,500	1,000
Power Over Ethernet
PoE Enabled Interfaces	NA	NA	NA	NA	4
PoE Interface Speed	NA	NA	NA	NA	1/2.5/5G
Total Power Budget	NA	NA	NA	NA	151 Watts
Max Power per single port	NA	NA	NA	NA	90 Watts
Cellular Interface
5G	NA	NA	NA	NA	NA
Virtual Routers
Virtual Routers	11	11	11	11	10
Virtual Wires
Virtual Wires	2,048	2,048	2,048	2,048	1,024
Virtual Systems
Base virtual systems	1	1	1	1	1
Max virtual systems^v	11	11	11	11	6
Routing
IPv4 forwarding table size^vi	10,000	16,000	24,000	24,000	10,000
IPv6 forwarding table size^vi	10,000	16,000	24,000	24,000	5,000
System total forwarding table size	20,000	32,000	48,000	48,000	10,000
Max route maps per virtual router	50	50	50	50	50
Max routing peers (protocol dependent)	1,000	1,000	1,000	1,000	1,000
Static entries - DNS proxy	1,024	1,024	1,024	1,024	1,024
Bidirectional Forwarding Detection (BFD) Sessions	512	512	512	512	512
L2 Forwarding
ARP table size per device	12,000	12,000	16,000	16,000	3,000
IPv6 neighbor table size	12,000	12,000	16,000	16,000	3,000
MAC table size per device	12,000	12,000	16,000	16,000	3,000
Max ARP entries per broadcast domain	12,000	12,000	16,000	16,000	3,000
Max MAC entries per broadcast domain	12,000	12,000	16,000	16,000	3,000
NAT
Total NAT rule capacity	3,000	3,000	3,000	3,000	3,000
Max NAT rules (static)^vii	3,000	3,000	3,000	3,000	3,000
Max NAT rules (DIP)^viii	2,000	2,000	2,000	2,000	2,000
Max NAT rules (DIPP)	1,800	1,800	2,000	2,000	1,500
Max translated IPs (DIP)	128,000	128,000	128,000	128,000	128,000
Max translated IPs (DIPP)^ix	1,800	1,800	2,000	2,000	1,500
Default DIPP pool oversubscription^x	2	2	4	4	2
Address Assignment
DHCP servers	5	5	10	10	5
DHCP relays^xi	500	500	500	500	500^xiii
Max number of assigned addresses	64,000	64,000	64,000	64,000	64,000
High Availability
Devices supported	6	6	6	6	2
Max virtual addresses	128	128	128	128	48
QoS
Number of QoS policies	1,000	1,000	2,000	2,000	2,000
Physical interfaces supporting QoS	12	12	12	12	12
Clear text nodes per physical interface	31	31	31	31	31
DSCP marking by policy	Yes	Yes	Yes	Yes	Yes
Subinterfaces supported	500	500	500	500	500
IPSec VPN
Max IKE Peers	3,000	3,000	4,000	4,000	2,800
Site to site (with proxy id)	5,000	5,000	8,000	8,000	2,800
SD-WAN IPSec tunnels	3,000	3,000	4,000	4,000	2,800
GlobalProtect Client VPN
Max tunnels (SSL, IPSec, and IKE with XAUTH)	1,800	1,800	2,000	2,000	1,500
GlobalProtect Clientless VPN
Max SSL tunnels	200	200	200	200	200
Multicast
Replication (egress interfaces)	500	500	1,000	1,000	500
Routes	2,000	2,000	4,000	4,000	2,000

PA 5400 Series:

	PA-5410	PA-5420	PA-5430	PA-5440	PA-5445

Performance ⁱ
App-ID firewall throughput	52 Gbps	70 Gbps	82 Gbps	90 Gbps	90 Gbps
Threat prevention throughput	35.0 Gbps	50.0 Gbps	60 Gbps	70 Gbps	76 Gbps
IPsec VPN throughput	20 Gbps	28 Gbps	42 Gbps	58 Gbps	64 Gbps
Connections per second	270,000	370,000	380,000	390,000	449,000
Sessions
Max sessions (IPv4 or IPv6)	5,000,000	7,000,000	9,000,000	20,000,000	48,000,000
Policies
Security rules	30,000	45,000	65,000	65,000	65,000
Security rule schedules	256	256	256	256	256
NAT rules	6,000	6,000	6,000	6,000	6,000
Decryption rules	3,500	5,000	5,000	5,000	5,000
App override rules	3,500	4,000	4,000	4,000	4,000
Tunnel content inspection rules	2,500	6,000	8,500	8,500	8,500
SD-WAN rules	800	800	800	1,000	1,000
Policy based forwarding rules	2,000	2,000	2,000	2,000	2,000
Captive portal rules	8,000	8,000	8,000	8,000	8,000
DoS protection rules	2,000	2,000	2,000	2,000	2,000
Security Zones
Max security zones	4,000	6,000	17,000	17,000	17,000
Objects (addresses and services)
Address objects	80,000	120,000	160,000	160,000	160,000
Address groups	40,000	60,000	80,000	80,000	80,000
Members per address group	2,500	2,500	2,500	2,500	2,500
Service objects	8,000	10,000	12,000	12,000	12,000
Service groups	4,000	6,000	6,000	6,000	6,000
Members per service group	2,500	2,500	2,500	2,500	2,500
FQDN address objects	6,144	6,144	6,144	6,144	6,144
Max DAG IP addressesⁱⁱ	500,000	500,000	500,000	500,000	500,000
Tags per IP address	32	32	32	32	32
Security Profiles
Security Profiles	750	750	750	750	750
App-ID
Custom App-ID signatures	6,000	6,000	6,000	6,000	6,000
Shared custom App-IDs	512	512	512	512	512
Custom App-IDs (virtual system specific)	6,416	6,416	6,416	6,416	6,416
User-ID
IP-User mappings (management plane)	512,000	512,000	512,000	512,000	512,000
IP-User mappings (data plane)	512,000	512,000	512,000	512,000	512,000
Active and unique groups used in policyⁱⁱⁱ	10,000	10,000	10,000	10,000	10,000
Number of User-ID agents	100	100	100	100	100
Monitored servers for User-ID	100	100	100	100	100
Terminal server agents	2,500	2,500	2,500	2,500	2,500
Tags per User^iv	32	32	32	32	32
SSL Decryption
Max SSL inbound certificates	600	900	1,200	2,000	2,000
SSL certificate cache (forward proxy)	16,000	20,000	24,000	24,000	24,000
Max concurrent decryption sessions	360,000	500,000	720,000	1,200,000	3,200,000
Decryption Port Mirror	Yes	Yes	Yes	Yes	Yes
Network Packet Broker	Yes	Yes	Yes	Yes	Yes
HSM Supported	Yes	Yes	Yes	Yes	Yes
URL Filtering
Total entries for allow list, block list and custom categories	100,000	100,000	100,000	100,000	100,000
Max custom categories	2,849	2,849	2,849	2,849	2,849
Max custom categories (virtual system specific)	500	500	500	500	500
Dataplane cache size for URL filtering	250,000	250,000	250,000	250,000	250,000
Management plane dynamic cache size	600,000	600,000	600,000	900,000	900,000
EDL
Max number of custom lists	30	30	30	30	30
Max number of IPs per system	150,000	150,000	150,000	150,000	150,000
Max number of DNS Domains per system	4M	4M	4M	4M	4M
Max number of URL per system	250,000	250,000	250,000	250,000	250,000
Shortest check interval (min)	5	5	5	5	5
Interfaces
Mgmt - out-of-band	SFP/SFP+, RJ45 console	SFP/SFP+, RJ45 console	SFP/SFP+, RJ45 console	SFP/SFP+, RJ45 console	SFP/SFP+, RJ45 console
Mgmt - 40Gbps high availability	1	1	1	1	1
Traffic - 100/1000/10000	8	8	8	8	8
Traffic - 1Gbps SFP	0/12	0/12	0/12	0/12	0/12
Traffic - 10Gbps SFP+	0/12	0/12	0/12	0/12	0/12
Traffic - 25Gbps SFP28	4	4	4	4	4
Traffic - 40/100Gbps QSFP+/QSFP28	4	4	4	4	4
802.1q tags per device	4,094	4,094	4,094	4,094	4,094
802.1q tags per physical interface	4,094	4,094	4,094	4,094	4,094
Max interfaces (logical and physical)	4,800	6,000	6,000	6,000	6,000
Maximum aggregate interfaces	14	14	14	14	14
Maximum SD-WAN virtual interfaces	1,600	2,000	2,000	2,400	2,400
Power Over Ethernet
PoE Enabled Interfaces	NA	NA	NA	NA	NA
PoE Interface Speed	NA	NA	NA	NA	NA
Total Power Budget	NA	NA	NA	NA	NA
Max Power per single port	NA	NA	NA	NA	NA
Cellular Interface
5G	NA	NA	NA	NA	NA
Virtual Routers
Virtual Routers	20	50	125	225	225
Virtual Wires
Virtual Wires	2,048	2,048	2,048	2,048	2,048
Virtual Systems
Base virtual systems	10	15	25	25	25
Max virtual systems^v	20	65	125	225	225
Routing
IPv4 forwarding table size^vi	100,000	100,000	100,000	100,000	228,000
IPv6 forwarding table size^vi	100,000	100,000	100,000	100,000	228,000
System total forwarding table size	200,000	200,000	200,000	200,000	456,000
Max route maps per virtual router	50	50	50	50	N/A
Max routing peers (protocol dependent)	1,000	1,000	1,000	1,000	1,000
Static entries - DNS proxy	1,024	1,024	1,024	1,024	1,024
Bidirectional Forwarding Detection (BFD) Sessions	1,024	1,024	1,024	1,024	1,024
L2 Forwarding
ARP table size per device	128,000	128,000	128,000	128,000	128,000
IPv6 neighbor table size	128,000	128,000	128,000	128,000	128,000
MAC table size per device	128,000	128,000	128,000	128,000	128,000
Max ARP entries per broadcast domain	128,000	128,000	128,000	128,000	128,000
Max MAC entries per broadcast domain	128,000	128,000	128,000	128,000	128,000
NAT
Total NAT rule capacity	6,000	6,000	6,000	6,000	6,000
Max NAT rules (static)^vii	6,000	6,000	6,000	6,000	6,000
Max NAT rules (DIP)^viii	4,000	6,000	8,000	8,000	8,000
Max NAT rules (DIPP)	4,000	6,000	6,000	6,000	6,000
Max translated IPs (DIP)	128,000	256,000	320,000	320,000	320,000
Max translated IPs (DIPP)^ix	4,000	6,000	8,000	8,000	8,000
Default DIPP pool oversubscription^x	8	8	8	8	8
Address Assignment
DHCP servers	20	75	125	125	125
DHCP relays^xi	4,096	4,096	4,096	4,096	4,096
Max number of assigned addresses	64,000	64,000	64,000	64,000	64,000
High Availability
Devices supported	8	8	8	8	8
Max virtual addresses	4,096	4,096	4,096	4,096	4,096
QoS
Number of QoS policies	4,000	4,000	4,000	4,000	4,000
Physical interfaces supporting QoS	12	12	12	12	12
Clear text nodes per physical interface	63	63	63	63	63
DSCP marking by policy	Yes	Yes	Yes	Yes	Yes
Subinterfaces supported	2,048	2,048	2,048	2,048	2,048
IPSec VPN
Max IKE Peers	4,000	5,000	5,000	8,000	8,000
Site to site (with proxy id)	10,000	12,000	12,000	24,000	24,000
SD-WAN IPSec tunnels	4,000	5,000	5,000	8,000	8,000
GlobalProtect Client VPN
Max tunnels (SSL, IPSec, and IKE with XAUTH)	15,000	22,000	30,000	60,000	60,000
GlobalProtect Clientless VPN
Max SSL tunnels	2,500	3,500	5,000	10,000	10,000
Multicast
Replication (egress interfaces)	1,000	1,000	1,000	2,000	2,000
Routes	4,000	4,000	4,000	4,000	4,000

PA 7000 Series:

	PA-7080	PA-7050

Performance ⁱ
App-ID firewall throughput	590 Gbps	343 Gbps
Threat prevention throughput	305 Gbps	184 Gbps
IPSec VPN throughput	310 Gbps	190 Gbps
Connections per second	6,000,000	4,000,000
Sessions
Max sessions (IPv4 or IPv6)	416,000,000	245,000,000
Policies
Security rules	65,000	65,000
Security rule schedules	256	256
NAT rules	16,000	16,000
Decryption rules	5,000	5,000
App override rules	4,000	4,000
Tunnel content inspection rules	8,500	8,500
SD-WAN rules	700	700
Policy based forwarding rules	2,000	2,000
Captive portal rules	8,000	8,000
DoS protection rules	2,000	2,000
Security Zones
Max security zones	17,000	17,000
Objects (addresses and services)
Address objects	160,000	160,000
Address groups	80,000	80,000
Members per address group	2,500	2,500
Service objects	12,000	12,000
Service groups	6,000	6,000
Members per service group	2,500	2,500
FQDN address objects	6,144	6,144
Max DAG IP addressesⁱⁱ	100000/500000^xiv	100000/500000^xiv
Tags per IP address	32	32
Security Profiles
Security profiles	750	750
App-ID
Custom App-ID signatures	6,000	6,000
Shared custom App-IDs	512	512
Custom App-IDs (virtual system specific)	6,416	6,416
User-ID
IP-User mappings (management plane)	512,000	512,000
IP-User mappings (data plane)	512,000	512,000
Active and unique groups used in policyⁱⁱⁱ	10,000	10,000
Number of User-ID agents	100	100
Monitored servers for User-ID	100	100
Terminal server agents	2,000/2,500^xiv	2,000/2,500^xiv
Tags per User^iv	32	32
SSL Decryption
Max SSL inbound certificates	4,000	4,000
SSL certificate cache (forward proxy)	8,192/32,000^xv	8,192/32,000^xv
Max concurrent decryption sessions	1,310,720/32M^xvi	786,432/19.2M^xvi
Decryption Port Mirror	Yes	Yes
Network Packet Broker	Yes	Yes
HSM Supported	Yes	Yes
URL Filtering
Total entries for allow list, block list and custom categories	100,000	100,000
Max custom categories	2,849	2,849
Max custom categories (virtual system specific)	500	500
Dataplane cache size for URL filtering	250,000	250,000
Management plane dynamic cache size	900,000	900,000
EDL
Max number of custom lists	30	30
Max number of IPs per system	150,000	150,000
Max number of DNS Domains per system	4,000,000	4,000,000
Max number of URL per system	250,000	250,000
Shortest check interval (min)	5	5
Interfaces
Mgmt - out-of-band	10/100/1000, RJ45 console	10/100/1000, RJ45 console
Mgmt - 10/100/1000 high availability	2	2
Mgmt - 40Gbps high availability	2	2
Mgmt - 10Gbps high availability	NA	NA
Traffic - 10/100/1000	120	72
Traffic - 10M/100M/1G/2.5G/5G*	NA	NA
Traffic - 100/1000/10000	NA	NA
Traffic - 1Gbps SFP	80	48
Traffic - 10Gbps SFP+	120	72
Traffic - 25Gbps SFP28	NA	NA
Traffic - 40/100Gbps QSFP+/QSFP28	20	12
802.1q tags per device	4,094	4,094
802.1q tags per physical interface	4,094	4,094
Max interfaces (logical and physical)	4,096/5,120^xiv	4,096/5,120^xiv
Maximum aggregate interfaces	32	32
Maximum SD-WAN virtual interfaces	2,000	2,000
Power Over Ethernet
PoE Enabled Interfaces	NA	NA
PoE Interface Speed	NA	NA
Total Power Budget	NA	NA
Max Power per single port	NA	NA
Cellular Interface
5G	NA	NA
Virtual Routers
Virtual routers	225	225
Virtual Wires
Virtual wires	2,048/2,560^xiv	2,048/2,560^xiv
Virtual Systems
Base virtual systems	25	25
Max virtual systems^v	225	225
Routing
IPv4 forwarding table size^vi	32,768/228,000^xiv	32,768/228,000^xiv
IPv6 forwarding table size^vi	32,768/228,000^xiv	32,768/228,000^xiv
System total forwarding table size	65,536/456,000^xiv	65,536/456,000^xiv
Max route maps per virtual router	50	50
Max routing peers (protocol dependent)	500/1,000^xiv	500/1,000^xiv
Static entries - DNS proxy	1,024	1,024
Bidirectional Forwarding Detection (BFD) Sessions	1,024	1,024
L2 Forwarding
ARP table size per device	32,000/132,000^xiv	32,000/132,000^xiv
IPv6 neighbor table size	32,000/132,000^xiv	32,000/132,000^xiv
MAC table size per device	32,000/132,000^xiv	32,000/132,000^xiv
Max ARP entries per broadcast domain	32,000/132,000^xiv	32,000/132,000^xiv
Max MAC entries per broadcast domain	32,000/132,000^xiv	32,000/132,000^xiv
NAT
Total NAT rule capacity	16,000	16,000
Max NAT rules (static)^vii	16,000	16,000
Max NAT rules (DIP)^viii	16,000	16,000
Max NAT rules (DIPP)	4,000	4,000
Max translated IPs (DIP)	320,000	320,000
Max translated IPs (DIPP)^ix	4,000	4,000
Default DIPP pool oversubscription^x	8	8
Address Assignment
DHCP servers	225	225
DHCP relays^xi	4,096^xiii	4,096^xiii
Max number of assigned addresses	64,000	64,000
High Availability
Devices supported	2	2
Max virtual addresses	1,024	1,024
QoS
Number of QoS policies	8,000	8,000
Physical interfaces supporting QoS	32	32
Clear text nodes per physical interface	63	63
DSCP marking by policy	Yes	Yes
Subinterfaces supported	2,048	2,048
IPSec VPN
Max IKE Peers	4,000	4,000
Site to site (with proxy id)	8000/12000^xvii	8,000/12000^xvii
SD-WAN IPSec tunnels	4,000^xvii	4,000^xvii
GlobalProtect Client VPN
Max tunnels (SSL, IPSec, and IKE with XAUTH)	40000/60000^xiv	40000/60000^xiv
GlobalProtect Clientless VPN
Max SSL tunnels	10000/25000^xiv	10000/25000^xiv
Multicast
Replication (egress interfaces)	100/2000^xvii	100/2000^xvii
Routes	4,000	4,000

Key Features:

Next-Generation Firewall	Supported Across All Models
Deep visibility and granular control for thousands of applications; ability to create custom applications; ability to manage unknown traffic based on policy
User identification and control: VPNs, WLAN controllers, captive portal, proxies, Active Directory, eDirectory, Exchange, Terminal Services, syslog parsing, XML API
Granular SSL decryption and inspection (inbound and outbound); per-policy SSH control (inbound and outbound)
Networking: dynamic routing (RIP, OSPF, BGP, multiprotocol BGP), DHCP, DNS, NAT, route redistribution, ECMP, LLDP, BFD, tunnel content inspection
QoS: policy-based traffic shaping (priority, guaranteed, maximum) per application, per user, per tunnel, based on DSCP classification
Virtual systems: logical, separately managed firewall instances within a single physical firewall, with each virtual system’s traffic kept separate
Zone-based network segmentation and zone protection; DoS protection against flooding of new sessions
Threat Prevention (subscription required)
In-line malware prevention automatically enforced through payload-based signatures, updated daily
Vulnerability-based protections against exploits and evasive techniques on network and application layers, including port scans, buffer overflows, packet fragmentation, and obfuscation
Command-and-control (C2) activity stopped from exfiltrating data or delivering secondary malware payloads; infected hosts identified through DNS sinkholing
URL Filtering (subscription required)
Automatic prevention of web-based attacks, including phishing links in emails, phishing sites, HTTP-based C2, and pages that carry exploit kits
Ability to stop in-process credential phishing
Custom URL categories, alerts, and notification pages
WildFire malware prevention (subscription required)
Detection of zero-day malware and exploits with layered, complementary analysis techniques
Automated prevention in as few as five minutes across networks, endpoints, and clouds
Community-based data for protection, including more than 30,000 subscribers
AutoFocus threat intelligence (subscription required)
Contextualization and classification of attacks, including malware family, adversary, and campaign, to speed triage and response efforts
Rich, globally correlated threat analysis sourced from WildFire
Third-party threat intelligence for automated prevention
DNS Security (subscription required)
Automatically prevent tens of millions of malicious domains identified with realtime analysis and continuously growing global threat intelligence
Quickly detect C2 or data theft employing DNS tunneling with machine learning-powered analysis
Automate dynamic response to find infected machines and quickly respond in policy
File and data filtering
Bidirectional control over the unauthorized transfer of file types and Social Security numbers, credit card numbers, and custom data patterns
GlobalProtect network security for endpoints (subscription required)
Remote access VPN (SSL, IPsec, clientless); mobile threat prevention and policy enforcement based on apps, users, content, device, and device state
BYOD: app-level VPN for user privacy
Panorama network security management (subscription required for managing multiple firewalls
Intuitive policy control with applications, users, threats, advanced malware prevention, URLs, file types, and data patterns all in the same policy
Actionable insight into traffic and threats with Application Command Center (ACC); fully customizable reporting
Aggregated logging and event correlation
Consistent scalable management of up to 30,000 hardware and all VM-Series firewalls; role-based access control; logical and hierarchical device groups; and templates
GUI, CLI, XML-based REST API

Note:
i. 1. Firewall throughput measured with App-ID and User-ID features enabled utilizing AppMix transactions.
2. Threat prevention throughput measured with App-ID, User-ID, IPS, antivirus and anti-spyware features enabled utilizing AppMix transactions.
3. New sessions per second measured with 1 byte HTTP transactions. Additionally, for VM models, please refer to hypervisor, cloud specific data sheet for associated performance.
ii. System wide capacity
iii. Aggregate of LDAP groups, XML API Groups and Dynamic User Groups
iv. Only valid for PAN-OS 9.1 and above
v. Additional licenses are required for virtual system capacities above the base virtual systems capacity
vi. Entries shared across virtual routers
vii. Configuring static NAT rules to full capacity requires that no other NAT rule types are used.
viii. Configuring DIP NAT rules to full capacity requires that no other NAT rule types are used.
ix. DIPP translated IP capacity is proportional to the DIPP pool oversubscription value. The capacity shown here is based on an oversubscription value of 1x.
x. Source IP and source port reuse across concurrent sessions
xi. Maximum capacity represents total DHCP servers and DHCP relays combined
xii. Requires PAN-OS 11.0.2 or above
xiii. Total includes number of DHCP servers and DHCP relays
xiv. Capacity based on SMC model capacity
xv. Maximum cache entries supported with high capacity NPC cards
xvi. Maximum sessions supported with high capacity NPC cards
xvii. Standard memory NPC / XM or 100G NPC