PA-220

App-ID firewall throughput:  560 Mbps
Threat prevention throughput:  300 Mbps
Connections per second:  4,200
Max sessions (IPv4 or IPv6):  64,000

Performance*

App-ID firewall throughput560 Mbps
Threat prevention throughput300 Mbps
IPSec VPN throughput570 Mbps
Connections per second4,200

Sessions

Max sessions (IPv4 or IPv6)64,000

Policies

Security rules500
Security rule schedules256
NAT rules400
Decryption rules100
App override rules100
Tunnel content inspection rules100
SD-WAN rules100
Policy based forwarding rules100
Captive portal rules500
DoS protection rules100

Security Zones

Max security zones15

Objects (addresses and services)

Address objects2,500
Address groups250
Members per address group2,500
Service objects1,000
Service groups250
Members per service group500
FQDN address objects2,000
Max DAG IP addresses*1,000
Tags per IP address32

Security Profiles

Security profiles75

App-ID

Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416

User-ID

IP-User mappings (management plane)524,288
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents400
Tags per User*32

SSL Decryption

Max SSL inbound certificates25
SSL certificate cache (forward proxy)128
Max concurrent decryption sessions6,400
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo

URL Filtering

Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering90,000
Management plane dynamic cache size100,000

EDL

Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system50,000
Max number of URL per system50,000
Shortest check interval (min)5

Interfaces

Mgmt - out-of-band10/100/1000, RJ45/Micro USB console
Mgmt - 10/100/1000 high availabilityNA
Mgmt - 40Gbps high availabilityundefined
Mgmt - 10Gbps high availabilityNA
Traffic - 10/100/10008
Traffic - 100/1000/10000NA
Traffic - 1Gbps SFPNA
Traffic - 10Gbps SFP+NA
Traffic - 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)1,024
Maximum aggregate interfaces4
Maximum SD-WAN virtual interfaces300

Virtual Routers

Virtual routers3

Virtual Wires

Virtual wires256

Virtual Systems

Base virtual systems1
Max virtual systems*NA

Routing

IPv4 forwarding table size*10,000
IPv6 forwarding table size*2,500
System total forwarding table size10,000
32,00050
Max routing peers (protocol dependent)500
Static entries - DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsNA

L2 Forwarding

ARP table size per device1,500
IPv6 neighbor table size1,500
MAC table size per device1,500
Max ARP entries per broadcast domain1,500
Max MAC entries per broadcast domain1,500

NAT

Total NAT rule capacity400
Max NAT rules (static)*400
Max NAT rules (DIP)*400
Max NAT rules (DIPP)200
Max translated IPs (DIP)16,000
Max translated IPs (DIPP)*200
Default DIPP pool oversubscription*2

Address Assignment

DHCP servers3
DHCP relays*500*
Max number of assigned addresses64,000

High Availability

Devices supported2
Max virtual addresses32

QoS

Number of QoS policies100
Physical interfaces supporting QoS8
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supportedSystem Limit

IPSec VPN

Max IKE Peers1,000
Site to site (with proxy id)1,000
SD-WAN IPSec tunnels1,000

GlobalProtect Client VPN

Max tunnels (SSL, IPSec, and IKE with XAUTH)250

GlobalProtect Clientless VPN

Max SSL tunnels20

Multicast

Replication (egress interfaces)100
Routes500

Product Notes

End-of-saleNA

PA-220R

App-ID firewall throughput  560 Mbps
Threat prevention throughput  300 Mbps
Connections per second  4,200
Max sessions (IPv4 or IPv6)  64,000

Performance*

App-ID firewall throughput560 Mbps
Threat prevention throughput300 Mbps
IPSec VPN throughput570 Mbps
Connections per second4,200

Sessions

Max sessions (IPv4 or IPv6)64,000

Policies

Security rules500
Security rule schedules256
NAT rules400
Decryption rules100
App override rules100
Tunnel content inspection rules100
SD-WAN rules100
Policy based forwarding rules100
Captive portal rules500
DoS protection rules100

Security Zones

Max security zones15

Objects (addresses and services)

Address objects2,500
Address groups250
Members per address group2,500
Service objects1,000
Service groups250
Members per service group500
FQDN address objects2,000
Max DAG IP addresses*1,000
Tags per IP address32

Security Profiles

Security profiles75

App-ID

Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416

User-ID

IP-User mappings (management plane)524,288
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents400
Tags per User*32

SSL Decryption

Max SSL inbound certificates25
SSL certificate cache (forward proxy)128
Max concurrent decryption sessions6,400
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo

URL Filtering

Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering90,000
Management plane dynamic cache size100,000

EDL

Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system50,000
Max number of URL per system50,000
Shortest check interval (min)5

Interfaces

Mgmt - out-of-band10/100/1000, RJ45/Micro USB console
Mgmt - 10/100/1000 high availabilityNA
Mgmt - 40Gbps high availabilityundefined
Mgmt - 10Gbps high availabilityNA
Traffic - 10/100/10006
Traffic - 100/1000/10000NA
Traffic - 1Gbps SFP2
Traffic - 10Gbps SFP+NA
Traffic - 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)1,024
Maximum aggregate interfaces4
Maximum SD-WAN virtual interfaces300

Virtual Routers

Virtual routers3

Virtual Wires

Virtual wires256

Virtual Systems

Base virtual systems1
Max virtual systems*NA

Routing

IPv4 forwarding table size*10,000
IPv6 forwarding table size*2,500
System total forwarding table size10,000
32,00050
Max routing peers (protocol dependent)500
Static entries - DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsNA

L2 Forwarding

ARP table size per device1,500
IPv6 neighbor table size1,500
MAC table size per device1,500
Max ARP entries per broadcast domain1,500
Max MAC entries per broadcast domain1,500

NAT

Total NAT rule capacity400
Max NAT rules (static)*400
Max NAT rules (DIP)*400
Max NAT rules (DIPP)200
Max translated IPs (DIP)16,000
Max translated IPs (DIPP)*200
Default DIPP pool oversubscription*2

Address Assignment

DHCP servers3
DHCP relays*500*
Max number of assigned addresses64,000

High Availability

Devices supported2
Max virtual addresses32

QoS

Number of QoS policies100
Physical interfaces supporting QoS8
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supportedSystem Limit

IPSec VPN

Max IKE Peers1,000
Site to site (with proxy id)1,000
SD-WAN IPSec tunnels1,000

GlobalProtect Client VPN

Max tunnels (SSL, IPSec, and IKE with XAUTH)250

GlobalProtect Clientless VPN

Max SSL tunnels20

Multicast

Replication (egress interfaces)100
Routes500

Product Notes

End-of-saleNA

PA-410

App-ID firewall throughput  1.3 Gbps
Threat prevention throughput  700 Mbps
Connections per second  13,000
Max sessions (IPv4 or IPv6)  64,000

Performance*

App-ID firewall throughput1.3 Gbps
Threat prevention throughput700 Mbps
IPSec VPN throughput0.93 Gbps
Connections per second13,000

Sessions

Max sessions (IPv4 or IPv6)64,000

Policies

Security rules500
Security rule schedules256
NAT rules400
Decryption rules100
App override rules100
Tunnel content inspection rules100
SD-WAN rules100
Policy based forwarding rules100
Captive portal rules10
DoS protection rules100

Security Zones

Max security zones25

Objects (addresses and services)

Address objects2,500
Address groups125
Members per address group2,500
Service objects1,000
Service groups250
Members per service group500
FQDN address objects2,000
Max DAG IP addresses*1,000
Tags per IP address64

Security Profiles

Security profiles75

App-ID

Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416

User-ID

IP-User mappings (management plane)512,000
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents400
Tags per User*64

SSL Decryption

Max SSL inbound certificates25
SSL certificate cache (forward proxy)TBD
Max concurrent decryption sessions6,600
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo

URL Filtering

Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filteringTBD
Management plane dynamic cache sizeTBD

EDL

Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system50,000
Max number of URL per system50,000
Shortest check interval (min)5

Interfaces

Mgmt - out-of-band10/100/1000, RJ45/Micro USB console
Mgmt - 10/100/1000 high availabilityNA
Mgmt - 40Gbps high availabilityNA
Mgmt - 10Gbps high availabilityNA
Traffic - 10/100/10007
Traffic - 100/1000/10000NA
Traffic - 1Gbps SFPNA
Traffic - 10Gbps SFP+NA
Traffic - 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)1,024
Maximum aggregate interfaces3
Maximum SD-WAN virtual interfaces300

Virtual Routers

Virtual routers3

Virtual Wires

Virtual wires512

Virtual Systems

Base virtual systems1
Max virtual systems*NA

Routing

IPv4 forwarding table size*5,000
IPv6 forwarding table size*2,500
System total forwarding table size5,000
32,000undefined
Max routing peers (protocol dependent)500
Static entries - DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsYes

L2 Forwarding

ARP table size per device1,500
IPv6 neighbor table size1,500
MAC table size per device1,500
Max ARP entries per broadcast domain1,500
Max MAC entries per broadcast domain1,500

NAT

Total NAT rule capacity400
Max NAT rules (static)*400
Max NAT rules (DIP)*400
Max NAT rules (DIPP)200
Max translated IPs (DIP)16,000
Max translated IPs (DIPP)*200
Default DIPP pool oversubscription*2

Address Assignment

DHCP servers3
DHCP relays*500*
Max number of assigned addresses64,000

High Availability

Devices supported2
Max virtual addresses32

QoS

Number of QoS policies1,000
Physical interfaces supporting QoS8
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supportedSystem Limit

IPSec VPN

Max IKE Peers1,000
Site to site (with proxy id)1,000
SD-WAN IPSec tunnels1,000

GlobalProtect Client VPN

Max tunnels (SSL, IPSec, and IKE with XAUTH)250

GlobalProtect Clientless VPN

Max SSL tunnels20

Multicast

Replication (egress interfaces)100
Routes500

Product Notes

End-of-saleNA

PA-440

App-ID firewall throughput  2.4 Gbps
Threat prevention throughput  1.0 Gbps
Connections per second  39,000
Max sessions (IPv4 or IPv6)  200,000

Performance*

App-ID firewall throughput2.4 Gbps
Threat prevention throughput1.0 Gbps
IPSec VPN throughput1.6 Gbps
Connections per second39,000

Sessions

Max sessions (IPv4 or IPv6)200,000

Policies

Security rules2,000
Security rule schedules256
NAT rules3,000
Decryption rules300
App override rules300
Tunnel content inspection rules300
SD-WAN rules250
Policy based forwarding rules300
Captive portal rules300
DoS protection rules300

Security Zones

Max security zones50

Objects (addresses and services)

Address objects10,000
Address groups250
Members per address group2,500
Service objects1,500
Service groups500
Members per service group500
FQDN address objects2,000
Max DAG IP addresses*50,000
Tags per IP address64

Security Profiles

Security profiles100

App-ID

Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416

User-ID

IP-User mappings (management plane)512,000
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents800
Tags per User*64

SSL Decryption

Max SSL inbound certificates75
SSL certificate cache (forward proxy)1,000
Max concurrent decryption sessions25,600
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo

URL Filtering

Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering150,000
Management plane dynamic cache size600,000

EDL

Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system1,000,000
Max number of URL per system100,000
Shortest check interval (min)5

Interfaces

Mgmt - out-of-band10/100/1000, RJ45/Micro USB console
Mgmt - 10/100/1000 high availabilityNA
Mgmt - 40Gbps high availabilityNA
Mgmt - 10Gbps high availabilityNA
Traffic - 10/100/10008
Traffic - 100/1000/10000NA
Traffic - 1Gbps SFPNA
Traffic - 10Gbps SFP+NA
Traffic - 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)3,000
Maximum aggregate interfaces4
Maximum SD-WAN virtual interfaces840

Virtual Routers

Virtual routers3

Virtual Wires

Virtual wires512

Virtual Systems

Base virtual systems1
Max virtual systems*NA

Routing

IPv4 forwarding table size*5,000
IPv6 forwarding table size*5,000
System total forwarding table size5,000
32,000undefined
Max routing peers (protocol dependent)1,000
Static entries - DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsYes

L2 Forwarding

ARP table size per device3,000
IPv6 neighbor table size3,000
MAC table size per device3,000
Max ARP entries per broadcast domain3,000
Max MAC entries per broadcast domain3,000

NAT

Total NAT rule capacity3,000
Max NAT rules (static)*3,000
Max NAT rules (DIP)*2,000
Max NAT rules (DIPP)1,000
Max translated IPs (DIP)128,000
Max translated IPs (DIPP)*1,000
Default DIPP pool oversubscription*2

Address Assignment

DHCP servers5
DHCP relays*500*
Max number of assigned addresses64,000

High Availability

Devices supported2
Max virtual addresses48

QoS

Number of QoS policies1,000
Physical interfaces supporting QoS8
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supportedSystem Limit

IPSec VPN

Max IKE Peers2,800
Site to site (with proxy id)2,800
SD-WAN IPSec tunnels2,800

GlobalProtect Client VPN

Max tunnels (SSL, IPSec, and IKE with XAUTH)1,000

GlobalProtect Clientless VPN

Max SSL tunnels100

Multicast

Replication (egress interfaces)200
Routes1,000

Product Notes

End-of-saleNA

PA-450

App-ID firewall throughput  3.2 Gbps
Threat prevention throughput  1.7 Gbps
Connections per second  52,000
Max sessions (IPv4 or IPv6)  300,000

Performance*

App-ID firewall throughput3.2 Gbps
Threat prevention throughput1.7 Gbps
IPSec VPN throughput2.2 Gbps
Connections per second52,000

Sessions

Max sessions (IPv4 or IPv6)300,000

Policies

Security rules2,500
Security rule schedules256
NAT rules3,000
Decryption rules500
App override rules500
Tunnel content inspection rules500
SD-WAN rules250
Policy based forwarding rules500
Captive portal rules500
DoS protection rules500

Security Zones

Max security zones75

Objects (addresses and services)

Address objects15,000
Address groups500
Members per address group2,500
Service objects2,000
Service groups1,000
Members per service group1,000
FQDN address objects2,000
Max DAG IP addresses*100,000
Tags per IP address64

Security Profiles

Security profiles150

App-ID

Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416

User-ID

IP-User mappings (management plane)512,000
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents1,000
Tags per User*64

SSL Decryption

Max SSL inbound certificates100
SSL certificate cache (forward proxy)2,000
Max concurrent decryption sessions38,400
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo

URL Filtering

Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering150,000
Management plane dynamic cache size600,000

EDL

Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system1,000,000
Max number of URL per system100,000
Shortest check interval (min)5

Interfaces

Mgmt - out-of-band10/100/1000, RJ45/Micro USB console
Mgmt - 10/100/1000 high availabilityNA
Mgmt - 40Gbps high availabilityNA
Mgmt - 10Gbps high availabilityNA
Traffic - 10/100/10008
Traffic - 100/1000/10000NA
Traffic - 1Gbps SFPNA
Traffic - 10Gbps SFP+NA
Traffic - 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)3,000
Maximum aggregate interfaces4
Maximum SD-WAN virtual interfaces840

Virtual Routers

Virtual routers5

Virtual Wires

Virtual wires1,024

Virtual Systems

Base virtual systems1
Max virtual systems*NA

Routing

IPv4 forwarding table size*7,500
IPv6 forwarding table size*7,500
System total forwarding table size7,500
32,000undefined
Max routing peers (protocol dependent)1,000
Static entries - DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsYes

L2 Forwarding

ARP table size per device6,000
IPv6 neighbor table size6,000
MAC table size per device6,000
Max ARP entries per broadcast domain6,000
Max MAC entries per broadcast domain6,000

NAT

Total NAT rule capacity3,000
Max NAT rules (static)*3,000
Max NAT rules (DIP)*2,000
Max NAT rules (DIPP)1,500
Max translated IPs (DIP)128,000
Max translated IPs (DIPP)*1,500
Default DIPP pool oversubscription*2

Address Assignment

DHCP servers5
DHCP relays*500*
Max number of assigned addresses64,000

High Availability

Devices supported2
Max virtual addresses48

QoS

Number of QoS policies2,000
Physical interfaces supporting QoS8
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supportedSystem Limit

IPSec VPN

Max IKE Peers2,800
Site to site (with proxy id)2,800
SD-WAN IPSec tunnels2,800

GlobalProtect Client VPN

Max tunnels (SSL, IPSec, and IKE with XAUTH)1,500

GlobalProtect Clientless VPN

Max SSL tunnels200

Multicast

Replication (egress interfaces)300
Routes1,500

Product Notes

End-of-saleNA

PA-460

App-ID firewall throughput  4.7 Gbps
Threat prevention throughput  2.6 Gbps
Connections per second  74,000
Max sessions (IPv4 or IPv6)  400,000

Performance*

App-ID firewall throughput4.7 Gbps
Threat prevention throughput2.6 Gbps
IPSec VPN throughput3.1 Gbps
Connections per second74,000

Sessions

Max sessions (IPv4 or IPv6)400,000

Policies

Security rules2,500
Security rule schedules256
NAT rules3,000
Decryption rules500
App override rules500
Tunnel content inspection rules500
SD-WAN rules250
Policy based forwarding rules500
Captive portal rules500
DoS protection rules500

Security Zones

Max security zones100

Objects (addresses and services)

Address objects15,000
Address groups500
Members per address group2,500
Service objects2,000
Service groups1,000
Members per service group1,000
FQDN address objects2,000
Max DAG IP addresses*100,000
Tags per IP address64

Security Profiles

Security profiles150

App-ID

Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416

User-ID

IP-User mappings (management plane)512,000
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents1,000
Tags per User*64

SSL Decryption

Max SSL inbound certificates100
SSL certificate cache (forward proxy)2,000
Max concurrent decryption sessions51,000
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo

URL Filtering

Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering150,000
Management plane dynamic cache size600,000

EDL

Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system1,000,000
Max number of URL per system100,000
Shortest check interval (min)5

Interfaces

Mgmt - out-of-band10/100/1000, RJ45/Micro USB console
Mgmt - 10/100/1000 high availabilityNA
Mgmt - 40Gbps high availabilityNA
Mgmt - 10Gbps high availabilityNA
Traffic - 10/100/10008
Traffic - 100/1000/10000NA
Traffic - 1Gbps SFPNA
Traffic - 10Gbps SFP+NA
Traffic - 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)3,000
Maximum aggregate interfaces4
Maximum SD-WAN virtual interfaces840

Virtual Routers

Virtual routers5

Virtual Wires

Virtual wires1,024

Virtual Systems

Base virtual systems1
Max virtual systems*NA

Routing

IPv4 forwarding table size*10,000
IPv6 forwarding table size*10,000
System total forwarding table size10,000
32,000undefined
Max routing peers (protocol dependent)1,000
Static entries - DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsYes

L2 Forwarding

ARP table size per device6,000
IPv6 neighbor table size6,000
MAC table size per device6,000
Max ARP entries per broadcast domain6,000
Max MAC entries per broadcast domain6,000

NAT

Total NAT rule capacity3,000
Max NAT rules (static)*3,000
Max NAT rules (DIP)*2,000
Max NAT rules (DIPP)1,500
Max translated IPs (DIP)128,000
Max translated IPs (DIPP)*1,500
Default DIPP pool oversubscription*2

Address Assignment

DHCP servers5
DHCP relays*500*
Max number of assigned addresses64,000

High Availability

Devices supported2
Max virtual addresses48

QoS

Number of QoS policies2,000
Physical interfaces supporting QoS8
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supportedSystem Limit

IPSec VPN

Max IKE Peers2,800
Site to site (with proxy id)2,800
SD-WAN IPSec tunnels2,800

GlobalProtect Client VPN

Max tunnels (SSL, IPSec, and IKE with XAUTH)1,500

GlobalProtect Clientless VPN

Max SSL tunnels200

Multicast

Replication (egress interfaces)300
Routes1,500

Product Notes

End-of-saleNA

PA-820

App-ID firewall throughput  1.7 Gbps
Threat prevention throughput  900 Mbps
Connections per second  8,100
Max sessions (IPv4 or IPv6)  128,000

Performance*

App-ID firewall throughput1.7 Gbps
Threat prevention throughput900 Mbps
IPSec VPN throughput1.4 Gbps
Connections per second8,100

Sessions

Max sessions (IPv4 or IPv6)128,000

Policies

Security rules1,500
Security rule schedules256
NAT rules3,000
Decryption rules100
App override rules100
Tunnel content inspection rules100
SD-WAN rules100
Policy based forwarding rules100
Captive portal rules500
DoS protection rules100

Security Zones

Max security zones30

Objects (addresses and services)

Address objects2,500
Address groups250
Members per address group2,500
Service objects1,000
Service groups250
Members per service group500
FQDN address objects2,000
Max DAG IP addresses*1,000
Tags per IP address32

Security Profiles

Security profiles100

App-ID

Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416

User-ID

IP-User mappings (management plane)524,288
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents1,000
Tags per User*32

SSL Decryption

Max SSL inbound certificates75
SSL certificate cache (forward proxy)1,000
Max concurrent decryption sessions12,800
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo

URL Filtering

Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering90,000
Management plane dynamic cache size600,000

EDL

Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system1,000,000
Max number of URL per system100,000
Shortest check interval (min)5

Interfaces

Mgmt - out-of-band10/100/1000, RJ45/Micro USB console
Mgmt - 10/100/1000 high availability2
Mgmt - 40Gbps high availabilityNA
Mgmt - 10Gbps high availabilityNA
Traffic - 10/100/10004
Traffic - 100/1000/10000NA
Traffic - 1Gbps SFP8
Traffic - 10Gbps SFP+NA
Traffic - 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)1,024
Maximum aggregate interfaces6
Maximum SD-WAN virtual interfaces500

Virtual Routers

Virtual routers5

Virtual Wires

Virtual wires512

Virtual Systems

Base virtual systems1
Max virtual systems*NA

Routing

IPv4 forwarding table size*10,000
IPv6 forwarding table size*5,000
System total forwarding table size15,000
32,00050
Max routing peers (protocol dependent)1,000
Static entries - DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsNA

L2 Forwarding

ARP table size per device3,000
IPv6 neighbor table size3,000
MAC table size per device3,000
Max ARP entries per broadcast domain3,000
Max MAC entries per broadcast domain3,000

NAT

Total NAT rule capacity3,000
Max NAT rules (static)*3,000
Max NAT rules (DIP)*2,000
Max NAT rules (DIPP)400
Max translated IPs (DIP)128,000
Max translated IPs (DIPP)*400
Default DIPP pool oversubscription*2

Address Assignment

DHCP servers5
DHCP relays*500*
Max number of assigned addresses64,000

High Availability

Devices supported2
Max virtual addresses48

QoS

Number of QoS policies250
Physical interfaces supporting QoS12
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supported1,024

IPSec VPN

Max IKE Peers1,000
Site to site (with proxy id)2,000
SD-WAN IPSec tunnels1,000

GlobalProtect Client VPN

Max tunnels (SSL, IPSec, and IKE with XAUTH)1,000

GlobalProtect Clientless VPN

Max SSL tunnels200

Multicast

Replication (egress interfaces)200
Routes1,500

Product Notes

End-of-saleNA

PA-850

App-ID firewall throughput  2.1 Gbps
Threat prevention throughput  1.2 Gbps
Connections per second  13,000
Max sessions (IPv4 or IPv6)  192,000

Performance*

App-ID firewall throughput2.1 Gbps
Threat prevention throughput1.2 Gbps
IPSec VPN throughput1.7 Gbps
Connections per second13,000

Sessions

Max sessions (IPv4 or IPv6)192,000

Policies

Security rules1,500
Security rule schedules256
NAT rules3,000
Decryption rules150
App override rules100
Tunnel content inspection rules250
SD-WAN rules100
Policy based forwarding rules250
Captive portal rules500
DoS protection rules250

Security Zones

Max security zones40

Objects (addresses and services)

Address objects3,500
Address groups350
Members per address group2,500
Service objects1,000
Service groups250
Members per service group500
FQDN address objects2,000
Max DAG IP addresses*2,500
Tags per IP address32

Security Profiles

Security profiles150

App-ID

Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416

User-ID

IP-User mappings (management plane)524,288
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents1,000
Tags per User*32

SSL Decryption

Max SSL inbound certificates100
SSL certificate cache (forward proxy)2,000
Max concurrent decryption sessions19,200
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo

URL Filtering

Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering90,000
Management plane dynamic cache size600,000

EDL

Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system1,000,000
Max number of URL per system100,000
Shortest check interval (min)5

Interfaces

Mgmt - out-of-band10/100/1000, RJ45/Micro USB console
Mgmt - 10/100/1000 high availability2
Mgmt - 40Gbps high availabilityNA
Mgmt - 10Gbps high availabilityNA
Traffic - 10/100/10004
Traffic - 100/1000/10000NA
Traffic - 1Gbps SFP4/8
Traffic - 10Gbps SFP+0/4
Traffic - 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)1,024
Maximum aggregate interfaces6
Maximum SD-WAN virtual interfaces500

Virtual Routers

Virtual routers5

Virtual Wires

Virtual wires512

Virtual Systems

Base virtual systems1
Max virtual systems*NA

Routing

IPv4 forwarding table size*10,000
IPv6 forwarding table size*5,000
System total forwarding table size15,000
32,00050
Max routing peers (protocol dependent)1,000
Static entries - DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsNA

L2 Forwarding

ARP table size per device3,000
IPv6 neighbor table size3,000
MAC table size per device3,000
Max ARP entries per broadcast domain3,000
Max MAC entries per broadcast domain3,000

NAT

Total NAT rule capacity3,000
Max NAT rules (static)*3,000
Max NAT rules (DIP)*2,000
Max NAT rules (DIPP)400
Max translated IPs (DIP)128,000
Max translated IPs (DIPP)*400
Default DIPP pool oversubscription*2

Address Assignment

DHCP servers5
DHCP relays*500*
Max number of assigned addresses64,000

High Availability

Devices supported2
Max virtual addresses48

QoS

Number of QoS policies500
Physical interfaces supporting QoS12
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supported1,024

IPSec VPN

Max IKE Peers1,000
Site to site (with proxy id)2,000
SD-WAN IPSec tunnels1,000

GlobalProtect Client VPN

Max tunnels (SSL, IPSec, and IKE with XAUTH)1,000

GlobalProtect Clientless VPN

Max SSL tunnels200

Multicast

Replication (egress interfaces)200
Routes1,500

Product Notes

End-of-saleNA

PA-3220

App-ID firewall throughput  4.8 Gbps
Threat prevention throughput  2.6 Gbps
Connections per second  52,800
Max sessions (IPv4 or IPv6)  1,000,000

Performance*

App-ID firewall throughput4.8 Gbps
Threat prevention throughput2.6 Gbps
IPSec VPN throughput2.6 Gbps
Connections per second52,800

Sessions

Max sessions (IPv4 or IPv6)1,000,000

Policies

Security rules10,000
Security rule schedules256
NAT rules3,000
Decryption rules1,500
App override rules1,500
Tunnel content inspection rules1,000
SD-WAN rules300
Policy based forwarding rules1,000
Captive portal rules2,000
DoS protection rules2,000

Security Zones

Max security zones200

Objects (addresses and services)

Address objects30,000
Address groups15,000
Members per address group2,500
Service objects4,000
Service groups2,000
Members per service group2,500
FQDN address objects2,048
Max DAG IP addresses*200,000
Tags per IP address32

Security Profiles

Security profiles150

App-ID

Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416

User-ID

IP-User mappings (management plane)524,288
IP-User mappings (data plane)128,000
Active and unique groups used in policy*10,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents2,000
Tags per User*32

SSL Decryption

Max SSL inbound certificates150
SSL certificate cache (forward proxy)4,000
Max concurrent decryption sessions100,000
SSL Port MirrorYes
SSL Decryption BrokerYes
HSM SupportedYes

URL Filtering

Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering250,000
Management plane dynamic cache size600,000

EDL

Max number of custom lists30
Max number of IPs per system150,000
Max number of DNS Domains per system1,000,000
Max number of URL per system100,000
Shortest check interval (min)5

Interfaces

Mgmt - out-of-band10/100/1000, RJ45/Micro USB console
Mgmt - 10/100/1000 high availability2
Mgmt - 40Gbps high availabilityNA
Mgmt - 10Gbps high availability1
Traffic - 10/100/100012
Traffic - 100/1000/10000NA
Traffic - 1Gbps SFP0/8
Traffic - 10Gbps SFP+0/4
Traffic - 40/100Gbps QSFP+/QSFP28
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)4,096
Maximum aggregate interfaces16
Maximum SD-WAN virtual interfaces1,000

Virtual Routers

Virtual routers10

Virtual Wires

Virtual wires2,048

Virtual Systems

Base virtual systems1
Max virtual systems*6

Routing

IPv4 forwarding table size*16,000
IPv6 forwarding table size*12,000
System total forwarding table size28,000
32,00050
Max routing peers (protocol dependent)1,000
Static entries - DNS proxy1,024
Bidirectional Forwarding Detection (BFD) Sessions512

L2 Forwarding

ARP table size per device16,000
IPv6 neighbor table size16,000
MAC table size per device16,000
Max ARP entries per broadcast domain16,000
Max MAC entries per broadcast domain16,000

NAT

Total NAT rule capacity3,000
Max NAT rules (static)*3,000
Max NAT rules (DIP)*2,000
Max NAT rules (DIPP)2,000
Max translated IPs (DIP)128,000
Max translated IPs (DIPP)*2,000
Default DIPP pool oversubscription*4

Address Assignment

DHCP servers10
DHCP relays*500*
Max number of assigned addresses64,000

High Availability

Devices supported2
Max virtual addresses64

QoS

Number of QoS policies2,000
Physical interfaces supporting QoS12
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supported500

IPSec VPN

Max IKE Peers2,000
Site to site (with proxy id)4,000
SD-WAN IPSec tunnels2,000

GlobalProtect Client VPN

Max tunnels (SSL, IPSec, and IKE with XAUTH)1,024

GlobalProtect Clientless VPN

Max SSL tunnels200

Multicast

Replication (egress interfaces)1,000
Routes4,000

Product Notes

End-of-saleNA

PA-3250

App-ID firewall throughput  5.8 Gbps
Threat prevention throughput  3.1 Gbps
Connections per second  63,700
Max sessions (IPv4 or IPv6)  2,000,000

Performance*

App-ID firewall throughput5.8 Gbps
Threat prevention throughput3.1 Gbps
IPSec VPN throughput2.9 Gbps
Connections per second63,700

Sessions

Max sessions (IPv4 or IPv6)2,000,000

Policies

Security rules10,000
Security rule schedules256
NAT rules6,000
Decryption rules1,500
App override rules1,500
Tunnel content inspection rules1,000
SD-WAN rules300
Policy based forwarding rules1,000
Captive portal rules2,000
DoS protection rules2,000

Security Zones

Max security zones200

Objects (addresses and services)

Address objects30,000
Address groups15,000
Members per address group2,500
Service objects4,000
Service groups2,000
Members per service group2,500
FQDN address objects2,048
Max DAG IP addresses*200,000
Tags per IP address32

Security Profiles

Security profiles375

App-ID

Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416

User-ID

IP-User mappings (management plane)524,288
IP-User mappings (data plane)128,000
Active and unique groups used in policy*10,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents2,000
Tags per User*32

SSL Decryption

Max SSL inbound certificates300
SSL certificate cache (forward proxy)8,000
Max concurrent decryption sessions200,000
SSL Port MirrorYes
SSL Decryption BrokerYes
HSM SupportedYes

URL Filtering

Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering250,000
Management plane dynamic cache size600,000

EDL

Max number of custom lists30
Max number of IPs per system150,000
Max number of DNS Domains per system1,000,000
Max number of URL per system100,000
Shortest check interval (min)5

Interfaces

Mgmt - out-of-band10/100/1000, RJ45/Micro USB console
Mgmt - 10/100/1000 high availability2
Mgmt - 40Gbps high availabilityNA
Mgmt - 10Gbps high availability1
Traffic - 10/100/100012
Traffic - 100/1000/10000NA
Traffic - 1Gbps SFP0/8
Traffic - 10Gbps SFP+0/8
Traffic - 40/100Gbps QSFP+/QSFP280
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)4,096
Maximum aggregate interfaces16
Maximum SD-WAN virtual interfaces1,000

Virtual Routers

Virtual routers10

Virtual Wires

Virtual wires2,048

Virtual Systems

Base virtual systems1
Max virtual systems*6

Routing

IPv4 forwarding table size*44,000
IPv6 forwarding table size*44,000
System total forwarding table size88,000
32,00050
Max routing peers (protocol dependent)1,000
Static entries - DNS proxy1,024
Bidirectional Forwarding Detection (BFD) Sessions512

L2 Forwarding

ARP table size per device72,000
IPv6 neighbor table size72,000
MAC table size per device72,000
Max ARP entries per broadcast domain72,000
Max MAC entries per broadcast domain72,000

NAT

Total NAT rule capacity6,000
Max NAT rules (static)*6,000
Max NAT rules (DIP)*4,000
Max NAT rules (DIPP)4,000
Max translated IPs (DIP)128,000
Max translated IPs (DIPP)*4,000
Default DIPP pool oversubscription*4

Address Assignment

DHCP servers10
DHCP relays*500*
Max number of assigned addresses64,000

High Availability

Devices supported2
Max virtual addresses64

QoS

Number of QoS policies2,000
Physical interfaces supporting QoS12
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supported2,048

IPSec VPN

Max IKE Peers3,000
Site to site (with proxy id)6,000
SD-WAN IPSec tunnels3,000

GlobalProtect Client VPN

Max tunnels (SSL, IPSec, and IKE with XAUTH)2,048

GlobalProtect Clientless VPN

Max SSL tunnels400

Multicast

Replication (egress interfaces)1,000
Routes4,000

Product Notes

End-of-saleNA

PA-3260

App-ID firewall throughput  8.7 Gbps
Threat prevention throughput  4.7 Gbps
Connections per second  94,400
Max sessions (IPv4 or IPv6)  2,200,000

Performance*

App-ID firewall throughput8.7 Gbps
Threat prevention throughput4.7 Gbps
IPSec VPN throughput4.7 Gbps
Connections per second94,400

Sessions

Max sessions (IPv4 or IPv6)2,200,000

Policies

Security rules10,000
Security rule schedules256
NAT rules6,000
Decryption rules1,500
App override rules1,500
Tunnel content inspection rules1,000
SD-WAN rules300
Policy based forwarding rules1,000
Captive portal rules2,000
DoS protection rules2,000

Security Zones

Max security zones200

Objects (addresses and services)

Address objects30,000
Address groups15,000
Members per address group2,500
Service objects4,000
Service groups2,000
Members per service group2,500
FQDN address objects2,048
Max DAG IP addresses*200,000
Tags per IP address32

Security Profiles

Security profiles375

App-ID

Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416

User-ID

IP-User mappings (management plane)524,288
IP-User mappings (data plane)128,000
Active and unique groups used in policy*10,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents2,000
Tags per User*32

SSL Decryption

Max SSL inbound certificates500
SSL certificate cache (forward proxy)12,000
Max concurrent decryption sessions300,000
SSL Port MirrorYes
SSL Decryption BrokerYes
HSM SupportedYes

URL Filtering

Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering250,000
Management plane dynamic cache size600,000

EDL

Max number of custom lists30
Max number of IPs per system150,000
Max number of DNS Domains per system1,000,000
Max number of URL per system100,000
Shortest check interval (min)5

Interfaces

Mgmt - out-of-band10/100/1000, RJ45/Micro USB console
Mgmt - 10/100/1000 high availability2
Mgmt - 40Gbps high availabilityNA
Mgmt - 10Gbps high availability1
Traffic - 10/100/100012
Traffic - 100/1000/10000NA
Traffic - 1Gbps SFP0/8
Traffic - 10Gbps SFP+0/8
Traffic - 40/100Gbps QSFP+/QSFP284x40
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)4,096
Maximum aggregate interfaces16
Maximum SD-WAN virtual interfaces1,000

Virtual Routers

Virtual routers10

Virtual Wires

Virtual wires2,048

Virtual Systems

Base virtual systems1
Max virtual systems*6

Routing

IPv4 forwarding table size*44,000
IPv6 forwarding table size*44,000
System total forwarding table size88,000
32,00050
Max routing peers (protocol dependent)1,000
Static entries - DNS proxy1,024
Bidirectional Forwarding Detection (BFD) Sessions512

L2 Forwarding

ARP table size per device72,000
IPv6 neighbor table size72,000
MAC table size per device72,000
Max ARP entries per broadcast domain72,000
Max MAC entries per broadcast domain72,000

NAT

Total NAT rule capacity6,000
Max NAT rules (static)*6,000
Max NAT rules (DIP)*4,000
Max NAT rules (DIPP)4,000
Max translated IPs (DIP)128,000
Max translated IPs (DIPP)*4,000
Default DIPP pool oversubscription*4

Address Assignment

DHCP servers10
DHCP relays*500*
Max number of assigned addresses64,000

High Availability

Devices supported2
Max virtual addresses64

QoS

Number of QoS policies2,000
Physical interfaces supporting QoS12
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supported2,048

IPSec VPN

Max IKE Peers3,000
Site to site (with proxy id)6,000
SD-WAN IPSec tunnels3,000

GlobalProtect Client VPN

Max tunnels (SSL, IPSec, and IKE with XAUTH)2,048

GlobalProtect Clientless VPN

Max SSL tunnels400

Multicast

Replication (egress interfaces)1,000
Routes4,000

Product Notes

End-of-saleNA

PA-5220

App-ID firewall throughput  17 Gbps
Threat prevention throughput  9.7 Gbps
Connections per second  166,000
Max sessions (IPv4 or IPv6)  4,000,000

Performance*

App-ID firewall throughput17 Gbps
Threat prevention throughput9.7 Gbps
IPSec VPN throughput9.7 Gbps
Connections per second166,000

Sessions

Max sessions (IPv4 or IPv6)4,000,000

Policies

Security rules30,000
Security rule schedules256
NAT rules6,000
Decryption rules3,500
App override rules3,500
Tunnel content inspection rules2,500
SD-WAN rules300
Policy based forwarding rules2,000
Captive portal rules8,000
DoS protection rules2,000

Security Zones

Max security zones4,000

Objects (addresses and services)

Address objects80,000
Address groups40,000
Members per address group2,500
Service objects8,000
Service groups4,000
Members per service group2,500
FQDN address objects6,144
Max DAG IP addresses*500,000
Tags per IP address32

Security Profiles

Security profiles750

App-ID

Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416

User-ID

IP-User mappings (management plane)524,288
IP-User mappings (data plane)512,000
Active and unique groups used in policy*10,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents2,500
Tags per User*32

SSL Decryption

Max SSL inbound certificates600
SSL certificate cache (forward proxy)16,000
Max concurrent decryption sessions400,000
SSL Port MirrorYes
SSL Decryption BrokerYes
HSM SupportedYes

URL Filtering

Total entries for allow list, block list and custom categories100,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering250,000
Management plane dynamic cache size600,000

EDL

Max number of custom lists30
Max number of IPs per system150,000
Max number of DNS Domains per system4,000,000
Max number of URL per system250,000
Shortest check interval (min)5

Interfaces

Mgmt - out-of-band10/100/1000, RJ45 console
Mgmt - 10/100/1000 high availabilityNA
Mgmt - 40Gbps high availability1
Mgmt - 10Gbps high availabilityNA
Traffic - 10/100/1000NA
Traffic - 100/1000/100004
Traffic - 1Gbps SFP0/16
Traffic - 10Gbps SFP+0/16
Traffic - 40/100Gbps QSFP+/QSFP284X40
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)4,096
Maximum aggregate interfaces16
Maximum SD-WAN virtual interfaces1,500

Virtual Routers

Virtual routers20

Virtual Wires

Virtual wires2,048

Virtual Systems

Base virtual systems10
Max virtual systems*20

Routing

IPv4 forwarding table size*100,000
IPv6 forwarding table size*100,000
System total forwarding table size200,000
32,00050
Max routing peers (protocol dependent)1,000
Static entries - DNS proxy1,024
Bidirectional Forwarding Detection (BFD) Sessions1,024

L2 Forwarding

ARP table size per device128,000
IPv6 neighbor table size128,000
MAC table size per device128,000
Max ARP entries per broadcast domain128,000
Max MAC entries per broadcast domain128,000

NAT

Total NAT rule capacity6,000
Max NAT rules (static)*6,000
Max NAT rules (DIP)*4,000
Max NAT rules (DIPP)4,000
Max translated IPs (DIP)64,000
Max translated IPs (DIPP)*4,000
Default DIPP pool oversubscription*8

Address Assignment

DHCP servers20
DHCP relays*2,048*
Max number of assigned addresses64,000

High Availability

Devices supported2
Max virtual addresses4,096

QoS

Number of QoS policies4,000
Physical interfaces supporting QoS12
Clear text nodes per physical interface63
DSCP marking by policyYes
Subinterfaces supported2,048

IPSec VPN

Max IKE Peers3,000
Site to site (with proxy id)10,000
SD-WAN IPSec tunnels3,000

GlobalProtect Client VPN

Max tunnels (SSL, IPSec, and IKE with XAUTH)15,000

GlobalProtect Clientless VPN

Max SSL tunnels2,500

Multicast

Replication (egress interfaces)1,000
Routes4,000

Product Notes

End-of-saleNA

PA-5250

App-ID firewall throughput  37 Gbps
Threat prevention throughput  23 Gbps
Connections per second  392,000
Max sessions (IPv4 or IPv6)  8,000,000

Performance*

App-ID firewall throughput37 Gbps
Threat prevention throughput23 Gbps
IPSec VPN throughput19 Gbps
Connections per second392,000

Sessions

Max sessions (IPv4 or IPv6)8,000,000

Policies

Security rules65,000
Security rule schedules256
NAT rules8,000
Decryption rules5,000
App override rules4,000
Tunnel content inspection rules8,500
SD-WAN rules500
Policy based forwarding rules2,000
Captive portal rules8,000
DoS protection rules2,000

Security Zones

Max security zones17,000

Objects (addresses and services)

Address objects160,000
Address groups80,000
Members per address group2,500
Service objects12,000
Service groups6,000
Members per service group2,500
FQDN address objects6,144
Max DAG IP addresses*500,000
Tags per IP address32

Security Profiles

Security profiles750

App-ID

Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416

User-ID

IP-User mappings (management plane)524,288
IP-User mappings (data plane)512,000
Active and unique groups used in policy*10,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents2,500
Tags per User*32

SSL Decryption

Max SSL inbound certificates1,200
SSL certificate cache (forward proxy)24,000
Max concurrent decryption sessions800,000
SSL Port MirrorYes
SSL Decryption BrokerYes
HSM SupportedYes

URL Filtering

Total entries for allow list, block list and custom categories100,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering250,000
Management plane dynamic cache size600,000

EDL

Max number of custom lists30
Max number of IPs per system150,000
Max number of DNS Domains per system4,000,000
Max number of URL per system250,000
Shortest check interval (min)5

Interfaces

Mgmt - out-of-band10/100/1000, RJ45 console
Mgmt - 10/100/1000 high availabilityNA
Mgmt - 40Gbps high availability1
Mgmt - 10Gbps high availabilityNA
Traffic - 10/100/1000NA
Traffic - 100/1000/100004
Traffic - 1Gbps SFP0/16
Traffic - 10Gbps SFP+0/16
Traffic - 40/100Gbps QSFP+/QSFP284x40/100
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)4,096
Maximum aggregate interfaces16
Maximum SD-WAN virtual interfaces1,500

Virtual Routers

Virtual routers125

Virtual Wires

Virtual wires2,048

Virtual Systems

Base virtual systems25
Max virtual systems*125

Routing

IPv4 forwarding table size*100,000
IPv6 forwarding table size*100,000
System total forwarding table size200,000
32,00050
Max routing peers (protocol dependent)1,000
Static entries - DNS proxy1,024
Bidirectional Forwarding Detection (BFD) Sessions1,024

L2 Forwarding

ARP table size per device128,000
IPv6 neighbor table size128,000
MAC table size per device128,000
Max ARP entries per broadcast domain128,000
Max MAC entries per broadcast domain128,000

NAT

Total NAT rule capacity8,000
Max NAT rules (static)*8,000
Max NAT rules (DIP)*8,000
Max NAT rules (DIPP)6,000
Max translated IPs (DIP)160,000
Max translated IPs (DIPP)*6,000
Default DIPP pool oversubscription*8

Address Assignment

DHCP servers125
DHCP relays*4,096*
Max number of assigned addresses64,000

High Availability

Devices supported2
Max virtual addresses4,096

QoS

Number of QoS policies4,000
Physical interfaces supporting QoS12
Clear text nodes per physical interface63
DSCP marking by policyYes
Subinterfaces supported2,048

IPSec VPN

Max IKE Peers4,000
Site to site (with proxy id)12,000
SD-WAN IPSec tunnels4,000

GlobalProtect Client VPN

Max tunnels (SSL, IPSec, and IKE with XAUTH)30,000

GlobalProtect Clientless VPN

Max SSL tunnels5,000

Multicast

Replication (egress interfaces)2,000
Routes4,000

Product Notes

End-of-saleNA

PA-5260

App-ID firewall throughput  60 Gbps
Threat prevention throughput  34 Gbps
Connections per second  580,000
Max sessions (IPv4 or IPv6)  32,000,000

Performance*

App-ID firewall throughput60 Gbps
Threat prevention throughput34 Gbps
IPSec VPN throughput28 Gbps
Connections per second580,000

Sessions

Max sessions (IPv4 or IPv6)32,000,000

Policies

Security rules65,000
Security rule schedules256
NAT rules16,000
Decryption rules5,000
App override rules4,000
Tunnel content inspection rules8,500
SD-WAN rules500
Policy based forwarding rules2,000
Captive portal rules8,000
DoS protection rules2,000

Security Zones

Max security zones17,000

Objects (addresses and services)

Address objects160,000
Address groups80,000
Members per address group2,500
Service objects12,000
Service groups6,000
Members per service group2,500
FQDN address objects6,144
Max DAG IP addresses*500,000
Tags per IP address32

Security Profiles

Security profiles750

App-ID

Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416

User-ID

IP-User mappings (management plane)524,288
IP-User mappings (data plane)512,000
Active and unique groups used in policy*10,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents2,500
Tags per User*32

SSL Decryption

Max SSL inbound certificates2,000
SSL certificate cache (forward proxy)32,000
Max concurrent decryption sessions3,200,000
SSL Port MirrorYes
SSL Decryption BrokerYes
HSM SupportedYes

URL Filtering

Total entries for allow list, block list and custom categories100,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering250,000
Management plane dynamic cache size900,000

EDL

Max number of custom lists30
Max number of IPs per system150,000
Max number of DNS Domains per system4,000,000
Max number of URL per system250,000
Shortest check interval (min)5

Interfaces

Mgmt - out-of-band10/100/1000, RJ45 console
Mgmt - 10/100/1000 high availabilityNA
Mgmt - 40Gbps high availability1
Mgmt - 10Gbps high availabilityNA
Traffic - 10/100/1000NA
Traffic - 100/1000/100004
Traffic - 1Gbps SFP0/16
Traffic - 10Gbps SFP+0/16
Traffic - 40/100Gbps QSFP+/QSFP284x40/100
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)5,120
Maximum aggregate interfaces16
Maximum SD-WAN virtual interfaces1,500

Virtual Routers

Virtual routers225

Virtual Wires

Virtual wires2,048

Virtual Systems

Base virtual systems25
Max virtual systems*225

Routing

IPv4 forwarding table size*100,000
IPv6 forwarding table size*100,000
System total forwarding table size200,000
32,00050
Max routing peers (protocol dependent)1,000
Static entries - DNS proxy1,024
Bidirectional Forwarding Detection (BFD) Sessions1,024

L2 Forwarding

ARP table size per device128,000
IPv6 neighbor table size128,000
MAC table size per device128,000
Max ARP entries per broadcast domain128,000
Max MAC entries per broadcast domain128,000

NAT

Total NAT rule capacity16,000
Max NAT rules (static)*16,000
Max NAT rules (DIP)*16,000
Max NAT rules (DIPP)8,000
Max translated IPs (DIP)320,000
Max translated IPs (DIPP)*8,000
Default DIPP pool oversubscription*8

Address Assignment

DHCP servers225
DHCP relays*4,096*
Max number of assigned addresses64,000

High Availability

Devices supported2
Max virtual addresses4,096

QoS

Number of QoS policies4,000
Physical interfaces supporting QoS12
Clear text nodes per physical interface63
DSCP marking by policyYes
Subinterfaces supported2,048

IPSec VPN

Max IKE Peers5,000
Site to site (with proxy id)15,000
SD-WAN IPSec tunnels5,000

GlobalProtect Client VPN

Max tunnels (SSL, IPSec, and IKE with XAUTH)60,000

GlobalProtect Clientless VPN

Max SSL tunnels10,000

Multicast

Replication (egress interfaces)2,000
Routes4,000

Product Notes

End-of-saleNA