PA-220

App-ID firewall throughput:  560 Mbps
Threat prevention throughput:  300 Mbps
Connections per second:  4,200
Max sessions (IPv4 or IPv6):  64,000

Performance*

App-ID firewall throughput560 Mbps
Threat prevention throughput300 Mbps
IPSec VPN throughput570 Mbps
Connections per second4,200

Sessions

Max sessions (IPv4 or IPv6)64,000

Policies

Security rules500
Security rule schedules256
NAT rules400
Decryption rules100
App override rules100
Tunnel content inspection rules100
SD-WAN rules100
Policy based forwarding rules100
Captive portal rules500
DoS protection rules100

Security Zones

Max security zones15

Objects (addresses and services)

Address objects2,500
Address groups250
Members per address group2,500
Service objects1,000
Service groups250
Members per service group500
FQDN address objects2,000
Max DAG IP addresses*1,000
Tags per IP address32

Security Profiles

Security profiles75

App-ID

Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416

User-ID

IP-User mappings (management plane)524,288
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents400
Tags per User*32

SSL Decryption

Max SSL inbound certificates25
SSL certificate cache (forward proxy)128
Max concurrent decryption sessions6,400
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo

URL Filtering

Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering90,000
Management plane dynamic cache size100,000

EDL

Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system50,000
Max number of URL per system50,000
Shortest check interval (min)5

Interfaces

Mgmt - out-of-band10/100/1000, RJ45/Micro USB console
Mgmt - 10/100/1000 high availabilityNA
Mgmt - 40Gbps high availabilityundefined
Mgmt - 10Gbps high availabilityNA
Traffic - 10/100/10008
Traffic - 100/1000/10000NA
Traffic - 1Gbps SFPNA
Traffic - 10Gbps SFP+NA
Traffic - 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)1,024
Maximum aggregate interfaces4
Maximum SD-WAN virtual interfaces300

Virtual Routers

Virtual routers3

Virtual Wires

Virtual wires256

Virtual Systems

Base virtual systems1
Max virtual systems*NA

Routing

IPv4 forwarding table size*10,000
IPv6 forwarding table size*2,500
System total forwarding table size10,000
32,00050
Max routing peers (protocol dependent)500
Static entries - DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsNA

L2 Forwarding

ARP table size per device1,500
IPv6 neighbor table size1,500
MAC table size per device1,500
Max ARP entries per broadcast domain1,500
Max MAC entries per broadcast domain1,500

NAT

Total NAT rule capacity400
Max NAT rules (static)*400
Max NAT rules (DIP)*400
Max NAT rules (DIPP)200
Max translated IPs (DIP)16,000
Max translated IPs (DIPP)*200
Default DIPP pool oversubscription*2

Address Assignment

DHCP servers3
DHCP relays*500*
Max number of assigned addresses64,000

High Availability

Devices supported2
Max virtual addresses32

QoS

Number of QoS policies100
Physical interfaces supporting QoS8
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supportedSystem Limit

IPSec VPN

Max IKE Peers1,000
Site to site (with proxy id)1,000
SD-WAN IPSec tunnels1,000

GlobalProtect Client VPN

Max tunnels (SSL, IPSec, and IKE with XAUTH)250

GlobalProtect Clientless VPN

Max SSL tunnels20

Multicast

Replication (egress interfaces)100
Routes500

Product Notes

End-of-saleNA

PA-220R

App-ID firewall throughput:  560 Mbps
Threat prevention throughput:  300 Mbps
Connections per second:  4,200
Max sessions (IPv4 or IPv6):  64,000

Performance*

App-ID firewall throughput560 Mbps
Threat prevention throughput300 Mbps
IPSec VPN throughput570 Mbps
Connections per second4,200

Sessions

Max sessions (IPv4 or IPv6)64,000

Policies

Security rules500
Security rule schedules256
NAT rules400
Decryption rules100
App override rules100
Tunnel content inspection rules100
SD-WAN rules100
Policy based forwarding rules100
Captive portal rules500
DoS protection rules100

Security Zones

Max security zones15

Objects (addresses and services)

Address objects2,500
Address groups250
Members per address group2,500
Service objects1,000
Service groups250
Members per service group500
FQDN address objects2,000
Max DAG IP addresses*1,000
Tags per IP address32

Security Profiles

Security profiles75

App-ID

Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416

User-ID

IP-User mappings (management plane)524,288
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents400
Tags per User*32

SSL Decryption

Max SSL inbound certificates25
SSL certificate cache (forward proxy)128
Max concurrent decryption sessions6,400
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo

URL Filtering

Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering90,000
Management plane dynamic cache size100,000

EDL

Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system50,000
Max number of URL per system50,000
Shortest check interval (min)5

Interfaces

Mgmt - out-of-band10/100/1000, RJ45/Micro USB console
Mgmt - 10/100/1000 high availabilityNA
Mgmt - 40Gbps high availabilityundefined
Mgmt - 10Gbps high availabilityNA
Traffic - 10/100/10008
Traffic - 100/1000/10000NA
Traffic - 1Gbps SFPNA
Traffic - 10Gbps SFP+NA
Traffic - 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)1,024
Maximum aggregate interfaces4
Maximum SD-WAN virtual interfaces300

Virtual Routers

Virtual routers3

Virtual Wires

Virtual wires256

Virtual Systems

Base virtual systems1
Max virtual systems*NA

Routing

IPv4 forwarding table size*10,000
IPv6 forwarding table size*2,500
System total forwarding table size10,000
32,00050
Max routing peers (protocol dependent)500
Static entries - DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsNA

L2 Forwarding

ARP table size per device1,500
IPv6 neighbor table size1,500
MAC table size per device1,500
Max ARP entries per broadcast domain1,500
Max MAC entries per broadcast domain1,500

NAT

Total NAT rule capacity400
Max NAT rules (static)*400
Max NAT rules (DIP)*400
Max NAT rules (DIPP)200
Max translated IPs (DIP)16,000
Max translated IPs (DIPP)*200
Default DIPP pool oversubscription*2

Address Assignment

DHCP servers3
DHCP relays*500*
Max number of assigned addresses64,000

High Availability

Devices supported2
Max virtual addresses32

QoS

Number of QoS policies100
Physical interfaces supporting QoS8
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supportedSystem Limit

IPSec VPN

Max IKE Peers1,000
Site to site (with proxy id)1,000
SD-WAN IPSec tunnels1,000

GlobalProtect Client VPN

Max tunnels (SSL, IPSec, and IKE with XAUTH)250

GlobalProtect Clientless VPN

Max SSL tunnels20

Multicast

Replication (egress interfaces)100
Routes500

Product Notes

End-of-saleNA

PA-410

App-ID firewall throughput:  560 Mbps
Threat prevention throughput:  300 Mbps
Connections per second:  4,200
Max sessions (IPv4 or IPv6):  64,000

Performance*

App-ID firewall throughput560 Mbps
Threat prevention throughput300 Mbps
IPSec VPN throughput570 Mbps
Connections per second4,200

Sessions

Max sessions (IPv4 or IPv6)64,000

Policies

Security rules500
Security rule schedules256
NAT rules400
Decryption rules100
App override rules100
Tunnel content inspection rules100
SD-WAN rules100
Policy based forwarding rules100
Captive portal rules500
DoS protection rules100

Security Zones

Max security zones15

Objects (addresses and services)

Address objects2,500
Address groups250
Members per address group2,500
Service objects1,000
Service groups250
Members per service group500
FQDN address objects2,000
Max DAG IP addresses*1,000
Tags per IP address32

Security Profiles

Security profiles75

App-ID

Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416

User-ID

IP-User mappings (management plane)524,288
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents400
Tags per User*32

SSL Decryption

Max SSL inbound certificates25
SSL certificate cache (forward proxy)128
Max concurrent decryption sessions6,400
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo

URL Filtering

Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering90,000
Management plane dynamic cache size100,000

EDL

Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system50,000
Max number of URL per system50,000
Shortest check interval (min)5

Interfaces

Mgmt - out-of-band10/100/1000, RJ45/Micro USB console
Mgmt - 10/100/1000 high availabilityNA
Mgmt - 40Gbps high availabilityundefined
Mgmt - 10Gbps high availabilityNA
Traffic - 10/100/10008
Traffic - 100/1000/10000NA
Traffic - 1Gbps SFPNA
Traffic - 10Gbps SFP+NA
Traffic - 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)1,024
Maximum aggregate interfaces4
Maximum SD-WAN virtual interfaces300

Virtual Routers

Virtual routers3

Virtual Wires

Virtual wires256

Virtual Systems

Base virtual systems1
Max virtual systems*NA

Routing

IPv4 forwarding table size*10,000
IPv6 forwarding table size*2,500
System total forwarding table size10,000
32,00050
Max routing peers (protocol dependent)500
Static entries - DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsNA

L2 Forwarding

ARP table size per device1,500
IPv6 neighbor table size1,500
MAC table size per device1,500
Max ARP entries per broadcast domain1,500
Max MAC entries per broadcast domain1,500

NAT

Total NAT rule capacity400
Max NAT rules (static)*400
Max NAT rules (DIP)*400
Max NAT rules (DIPP)200
Max translated IPs (DIP)16,000
Max translated IPs (DIPP)*200
Default DIPP pool oversubscription*2

Address Assignment

DHCP servers3
DHCP relays*500*
Max number of assigned addresses64,000

High Availability

Devices supported2
Max virtual addresses32

QoS

Number of QoS policies100
Physical interfaces supporting QoS8
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supportedSystem Limit

IPSec VPN

Max IKE Peers1,000
Site to site (with proxy id)1,000
SD-WAN IPSec tunnels1,000

GlobalProtect Client VPN

Max tunnels (SSL, IPSec, and IKE with XAUTH)250

GlobalProtect Clientless VPN

Max SSL tunnels20

Multicast

Replication (egress interfaces)100
Routes500

Product Notes

End-of-saleNA

PA-440

App-ID firewall throughput:  560 Mbps
Threat prevention throughput:  300 Mbps
Connections per second:  4,200
Max sessions (IPv4 or IPv6):  64,000

Performance*

App-ID firewall throughput560 Mbps
Threat prevention throughput300 Mbps
IPSec VPN throughput570 Mbps
Connections per second4,200

Sessions

Max sessions (IPv4 or IPv6)64,000

Policies

Security rules500
Security rule schedules256
NAT rules400
Decryption rules100
App override rules100
Tunnel content inspection rules100
SD-WAN rules100
Policy based forwarding rules100
Captive portal rules500
DoS protection rules100

Security Zones

Max security zones15

Objects (addresses and services)

Address objects2,500
Address groups250
Members per address group2,500
Service objects1,000
Service groups250
Members per service group500
FQDN address objects2,000
Max DAG IP addresses*1,000
Tags per IP address32

Security Profiles

Security profiles75

App-ID

Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416

User-ID

IP-User mappings (management plane)524,288
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents400
Tags per User*32

SSL Decryption

Max SSL inbound certificates25
SSL certificate cache (forward proxy)128
Max concurrent decryption sessions6,400
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo

URL Filtering

Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering90,000
Management plane dynamic cache size100,000

EDL

Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system50,000
Max number of URL per system50,000
Shortest check interval (min)5

Interfaces

Mgmt - out-of-band10/100/1000, RJ45/Micro USB console
Mgmt - 10/100/1000 high availabilityNA
Mgmt - 40Gbps high availabilityundefined
Mgmt - 10Gbps high availabilityNA
Traffic - 10/100/10008
Traffic - 100/1000/10000NA
Traffic - 1Gbps SFPNA
Traffic - 10Gbps SFP+NA
Traffic - 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)1,024
Maximum aggregate interfaces4
Maximum SD-WAN virtual interfaces300

Virtual Routers

Virtual routers3

Virtual Wires

Virtual wires256

Virtual Systems

Base virtual systems1
Max virtual systems*NA

Routing

IPv4 forwarding table size*10,000
IPv6 forwarding table size*2,500
System total forwarding table size10,000
32,00050
Max routing peers (protocol dependent)500
Static entries - DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsNA

L2 Forwarding

ARP table size per device1,500
IPv6 neighbor table size1,500
MAC table size per device1,500
Max ARP entries per broadcast domain1,500
Max MAC entries per broadcast domain1,500

NAT

Total NAT rule capacity400
Max NAT rules (static)*400
Max NAT rules (DIP)*400
Max NAT rules (DIPP)200
Max translated IPs (DIP)16,000
Max translated IPs (DIPP)*200
Default DIPP pool oversubscription*2

Address Assignment

DHCP servers3
DHCP relays*500*
Max number of assigned addresses64,000

High Availability

Devices supported2
Max virtual addresses32

QoS

Number of QoS policies100
Physical interfaces supporting QoS8
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supportedSystem Limit

IPSec VPN

Max IKE Peers1,000
Site to site (with proxy id)1,000
SD-WAN IPSec tunnels1,000

GlobalProtect Client VPN

Max tunnels (SSL, IPSec, and IKE with XAUTH)250

GlobalProtect Clientless VPN

Max SSL tunnels20

Multicast

Replication (egress interfaces)100
Routes500

Product Notes

End-of-saleNA

PA-450

App-ID firewall throughput:  560 Mbps
Threat prevention throughput:  300 Mbps
Connections per second:  4,200
Max sessions (IPv4 or IPv6):  64,000

Performance*

App-ID firewall throughput560 Mbps
Threat prevention throughput300 Mbps
IPSec VPN throughput570 Mbps
Connections per second4,200

Sessions

Max sessions (IPv4 or IPv6)64,000

Policies

Security rules500
Security rule schedules256
NAT rules400
Decryption rules100
App override rules100
Tunnel content inspection rules100
SD-WAN rules100
Policy based forwarding rules100
Captive portal rules500
DoS protection rules100

Security Zones

Max security zones15

Objects (addresses and services)

Address objects2,500
Address groups250
Members per address group2,500
Service objects1,000
Service groups250
Members per service group500
FQDN address objects2,000
Max DAG IP addresses*1,000
Tags per IP address32

Security Profiles

Security profiles75

App-ID

Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416

User-ID

IP-User mappings (management plane)524,288
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents400
Tags per User*32

SSL Decryption

Max SSL inbound certificates25
SSL certificate cache (forward proxy)128
Max concurrent decryption sessions6,400
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo

URL Filtering

Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering90,000
Management plane dynamic cache size100,000

EDL

Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system50,000
Max number of URL per system50,000
Shortest check interval (min)5

Interfaces

Mgmt - out-of-band10/100/1000, RJ45/Micro USB console
Mgmt - 10/100/1000 high availabilityNA
Mgmt - 40Gbps high availabilityundefined
Mgmt - 10Gbps high availabilityNA
Traffic - 10/100/10008
Traffic - 100/1000/10000NA
Traffic - 1Gbps SFPNA
Traffic - 10Gbps SFP+NA
Traffic - 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)1,024
Maximum aggregate interfaces4
Maximum SD-WAN virtual interfaces300

Virtual Routers

Virtual routers3

Virtual Wires

Virtual wires256

Virtual Systems

Base virtual systems1
Max virtual systems*NA

Routing

IPv4 forwarding table size*10,000
IPv6 forwarding table size*2,500
System total forwarding table size10,000
32,00050
Max routing peers (protocol dependent)500
Static entries - DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsNA

L2 Forwarding

ARP table size per device1,500
IPv6 neighbor table size1,500
MAC table size per device1,500
Max ARP entries per broadcast domain1,500
Max MAC entries per broadcast domain1,500

NAT

Total NAT rule capacity400
Max NAT rules (static)*400
Max NAT rules (DIP)*400
Max NAT rules (DIPP)200
Max translated IPs (DIP)16,000
Max translated IPs (DIPP)*200
Default DIPP pool oversubscription*2

Address Assignment

DHCP servers3
DHCP relays*500*
Max number of assigned addresses64,000

High Availability

Devices supported2
Max virtual addresses32

QoS

Number of QoS policies100
Physical interfaces supporting QoS8
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supportedSystem Limit

IPSec VPN

Max IKE Peers1,000
Site to site (with proxy id)1,000
SD-WAN IPSec tunnels1,000

GlobalProtect Client VPN

Max tunnels (SSL, IPSec, and IKE with XAUTH)250

GlobalProtect Clientless VPN

Max SSL tunnels20

Multicast

Replication (egress interfaces)100
Routes500

Product Notes

End-of-saleNA

PA-460

App-ID firewall throughput:  560 Mbps
Threat prevention throughput:  300 Mbps
Connections per second:  4,200
Max sessions (IPv4 or IPv6):  64,000

Performance*

App-ID firewall throughput560 Mbps
Threat prevention throughput300 Mbps
IPSec VPN throughput570 Mbps
Connections per second4,200

Sessions

Max sessions (IPv4 or IPv6)64,000

Policies

Security rules500
Security rule schedules256
NAT rules400
Decryption rules100
App override rules100
Tunnel content inspection rules100
SD-WAN rules100
Policy based forwarding rules100
Captive portal rules500
DoS protection rules100

Security Zones

Max security zones15

Objects (addresses and services)

Address objects2,500
Address groups250
Members per address group2,500
Service objects1,000
Service groups250
Members per service group500
FQDN address objects2,000
Max DAG IP addresses*1,000
Tags per IP address32

Security Profiles

Security profiles75

App-ID

Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416

User-ID

IP-User mappings (management plane)524,288
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents400
Tags per User*32

SSL Decryption

Max SSL inbound certificates25
SSL certificate cache (forward proxy)128
Max concurrent decryption sessions6,400
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo

URL Filtering

Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering90,000
Management plane dynamic cache size100,000

EDL

Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system50,000
Max number of URL per system50,000
Shortest check interval (min)5

Interfaces

Mgmt - out-of-band10/100/1000, RJ45/Micro USB console
Mgmt - 10/100/1000 high availabilityNA
Mgmt - 40Gbps high availabilityundefined
Mgmt - 10Gbps high availabilityNA
Traffic - 10/100/10008
Traffic - 100/1000/10000NA
Traffic - 1Gbps SFPNA
Traffic - 10Gbps SFP+NA
Traffic - 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)1,024
Maximum aggregate interfaces4
Maximum SD-WAN virtual interfaces300

Virtual Routers

Virtual routers3

Virtual Wires

Virtual wires256

Virtual Systems

Base virtual systems1
Max virtual systems*NA

Routing

IPv4 forwarding table size*10,000
IPv6 forwarding table size*2,500
System total forwarding table size10,000
32,00050
Max routing peers (protocol dependent)500
Static entries - DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsNA

L2 Forwarding

ARP table size per device1,500
IPv6 neighbor table size1,500
MAC table size per device1,500
Max ARP entries per broadcast domain1,500
Max MAC entries per broadcast domain1,500

NAT

Total NAT rule capacity400
Max NAT rules (static)*400
Max NAT rules (DIP)*400
Max NAT rules (DIPP)200
Max translated IPs (DIP)16,000
Max translated IPs (DIPP)*200
Default DIPP pool oversubscription*2

Address Assignment

DHCP servers3
DHCP relays*500*
Max number of assigned addresses64,000

High Availability

Devices supported2
Max virtual addresses32

QoS

Number of QoS policies100
Physical interfaces supporting QoS8
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supportedSystem Limit

IPSec VPN

Max IKE Peers1,000
Site to site (with proxy id)1,000
SD-WAN IPSec tunnels1,000

GlobalProtect Client VPN

Max tunnels (SSL, IPSec, and IKE with XAUTH)250

GlobalProtect Clientless VPN

Max SSL tunnels20

Multicast

Replication (egress interfaces)100
Routes500

Product Notes

End-of-saleNA

PA-820

App-ID firewall throughput:  560 Mbps
Threat prevention throughput:  300 Mbps
Connections per second:  4,200
Max sessions (IPv4 or IPv6):  64,000

Performance*

App-ID firewall throughput560 Mbps
Threat prevention throughput300 Mbps
IPSec VPN throughput570 Mbps
Connections per second4,200

Sessions

Max sessions (IPv4 or IPv6)64,000

Policies

Security rules500
Security rule schedules256
NAT rules400
Decryption rules100
App override rules100
Tunnel content inspection rules100
SD-WAN rules100
Policy based forwarding rules100
Captive portal rules500
DoS protection rules100

Security Zones

Max security zones15

Objects (addresses and services)

Address objects2,500
Address groups250
Members per address group2,500
Service objects1,000
Service groups250
Members per service group500
FQDN address objects2,000
Max DAG IP addresses*1,000
Tags per IP address32

Security Profiles

Security profiles75

App-ID

Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416

User-ID

IP-User mappings (management plane)524,288
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents400
Tags per User*32

SSL Decryption

Max SSL inbound certificates25
SSL certificate cache (forward proxy)128
Max concurrent decryption sessions6,400
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo

URL Filtering

Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering90,000
Management plane dynamic cache size100,000

EDL

Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system50,000
Max number of URL per system50,000
Shortest check interval (min)5

Interfaces

Mgmt - out-of-band10/100/1000, RJ45/Micro USB console
Mgmt - 10/100/1000 high availabilityNA
Mgmt - 40Gbps high availabilityundefined
Mgmt - 10Gbps high availabilityNA
Traffic - 10/100/10008
Traffic - 100/1000/10000NA
Traffic - 1Gbps SFPNA
Traffic - 10Gbps SFP+NA
Traffic - 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)1,024
Maximum aggregate interfaces4
Maximum SD-WAN virtual interfaces300

Virtual Routers

Virtual routers3

Virtual Wires

Virtual wires256

Virtual Systems

Base virtual systems1
Max virtual systems*NA

Routing

IPv4 forwarding table size*10,000
IPv6 forwarding table size*2,500
System total forwarding table size10,000
32,00050
Max routing peers (protocol dependent)500
Static entries - DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsNA

L2 Forwarding

ARP table size per device1,500
IPv6 neighbor table size1,500
MAC table size per device1,500
Max ARP entries per broadcast domain1,500
Max MAC entries per broadcast domain1,500

NAT

Total NAT rule capacity400
Max NAT rules (static)*400
Max NAT rules (DIP)*400
Max NAT rules (DIPP)200
Max translated IPs (DIP)16,000
Max translated IPs (DIPP)*200
Default DIPP pool oversubscription*2

Address Assignment

DHCP servers3
DHCP relays*500*
Max number of assigned addresses64,000

High Availability

Devices supported2
Max virtual addresses32

QoS

Number of QoS policies100
Physical interfaces supporting QoS8
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supportedSystem Limit

IPSec VPN

Max IKE Peers1,000
Site to site (with proxy id)1,000
SD-WAN IPSec tunnels1,000

GlobalProtect Client VPN

Max tunnels (SSL, IPSec, and IKE with XAUTH)250

GlobalProtect Clientless VPN

Max SSL tunnels20

Multicast

Replication (egress interfaces)100
Routes500

Product Notes

End-of-saleNA

PA-850

App-ID firewall throughput:  560 Mbps
Threat prevention throughput:  300 Mbps
Connections per second:  4,200
Max sessions (IPv4 or IPv6):  64,000

Performance*

App-ID firewall throughput560 Mbps
Threat prevention throughput300 Mbps
IPSec VPN throughput570 Mbps
Connections per second4,200

Sessions

Max sessions (IPv4 or IPv6)64,000

Policies

Security rules500
Security rule schedules256
NAT rules400
Decryption rules100
App override rules100
Tunnel content inspection rules100
SD-WAN rules100
Policy based forwarding rules100
Captive portal rules500
DoS protection rules100

Security Zones

Max security zones15

Objects (addresses and services)

Address objects2,500
Address groups250
Members per address group2,500
Service objects1,000
Service groups250
Members per service group500
FQDN address objects2,000
Max DAG IP addresses*1,000
Tags per IP address32

Security Profiles

Security profiles75

App-ID

Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416

User-ID

IP-User mappings (management plane)524,288
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents400
Tags per User*32

SSL Decryption

Max SSL inbound certificates25
SSL certificate cache (forward proxy)128
Max concurrent decryption sessions6,400
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo

URL Filtering

Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering90,000
Management plane dynamic cache size100,000

EDL

Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system50,000
Max number of URL per system50,000
Shortest check interval (min)5

Interfaces

Mgmt - out-of-band10/100/1000, RJ45/Micro USB console
Mgmt - 10/100/1000 high availabilityNA
Mgmt - 40Gbps high availabilityundefined
Mgmt - 10Gbps high availabilityNA
Traffic - 10/100/10008
Traffic - 100/1000/10000NA
Traffic - 1Gbps SFPNA
Traffic - 10Gbps SFP+NA
Traffic - 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)1,024
Maximum aggregate interfaces4
Maximum SD-WAN virtual interfaces300

Virtual Routers

Virtual routers3

Virtual Wires

Virtual wires256

Virtual Systems

Base virtual systems1
Max virtual systems*NA

Routing

IPv4 forwarding table size*10,000
IPv6 forwarding table size*2,500
System total forwarding table size10,000
32,00050
Max routing peers (protocol dependent)500
Static entries - DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsNA

L2 Forwarding

ARP table size per device1,500
IPv6 neighbor table size1,500
MAC table size per device1,500
Max ARP entries per broadcast domain1,500
Max MAC entries per broadcast domain1,500

NAT

Total NAT rule capacity400
Max NAT rules (static)*400
Max NAT rules (DIP)*400
Max NAT rules (DIPP)200
Max translated IPs (DIP)16,000
Max translated IPs (DIPP)*200
Default DIPP pool oversubscription*2

Address Assignment

DHCP servers3
DHCP relays*500*
Max number of assigned addresses64,000

High Availability

Devices supported2
Max virtual addresses32

QoS

Number of QoS policies100
Physical interfaces supporting QoS8
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supportedSystem Limit

IPSec VPN

Max IKE Peers1,000
Site to site (with proxy id)1,000
SD-WAN IPSec tunnels1,000

GlobalProtect Client VPN

Max tunnels (SSL, IPSec, and IKE with XAUTH)250

GlobalProtect Clientless VPN

Max SSL tunnels20

Multicast

Replication (egress interfaces)100
Routes500

Product Notes

End-of-saleNA

PA-3220

App-ID firewall throughput:  560 Mbps
Threat prevention throughput:  300 Mbps
Connections per second:  4,200
Max sessions (IPv4 or IPv6):  64,000

Performance*

App-ID firewall throughput560 Mbps
Threat prevention throughput300 Mbps
IPSec VPN throughput570 Mbps
Connections per second4,200

Sessions

Max sessions (IPv4 or IPv6)64,000

Policies

Security rules500
Security rule schedules256
NAT rules400
Decryption rules100
App override rules100
Tunnel content inspection rules100
SD-WAN rules100
Policy based forwarding rules100
Captive portal rules500
DoS protection rules100

Security Zones

Max security zones15

Objects (addresses and services)

Address objects2,500
Address groups250
Members per address group2,500
Service objects1,000
Service groups250
Members per service group500
FQDN address objects2,000
Max DAG IP addresses*1,000
Tags per IP address32

Security Profiles

Security profiles75

App-ID

Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416

User-ID

IP-User mappings (management plane)524,288
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents400
Tags per User*32

SSL Decryption

Max SSL inbound certificates25
SSL certificate cache (forward proxy)128
Max concurrent decryption sessions6,400
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo

URL Filtering

Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering90,000
Management plane dynamic cache size100,000

EDL

Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system50,000
Max number of URL per system50,000
Shortest check interval (min)5

Interfaces

Mgmt - out-of-band10/100/1000, RJ45/Micro USB console
Mgmt - 10/100/1000 high availabilityNA
Mgmt - 40Gbps high availabilityundefined
Mgmt - 10Gbps high availabilityNA
Traffic - 10/100/10008
Traffic - 100/1000/10000NA
Traffic - 1Gbps SFPNA
Traffic - 10Gbps SFP+NA
Traffic - 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)1,024
Maximum aggregate interfaces4
Maximum SD-WAN virtual interfaces300

Virtual Routers

Virtual routers3

Virtual Wires

Virtual wires256

Virtual Systems

Base virtual systems1
Max virtual systems*NA

Routing

IPv4 forwarding table size*10,000
IPv6 forwarding table size*2,500
System total forwarding table size10,000
32,00050
Max routing peers (protocol dependent)500
Static entries - DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsNA

L2 Forwarding

ARP table size per device1,500
IPv6 neighbor table size1,500
MAC table size per device1,500
Max ARP entries per broadcast domain1,500
Max MAC entries per broadcast domain1,500

NAT

Total NAT rule capacity400
Max NAT rules (static)*400
Max NAT rules (DIP)*400
Max NAT rules (DIPP)200
Max translated IPs (DIP)16,000
Max translated IPs (DIPP)*200
Default DIPP pool oversubscription*2

Address Assignment

DHCP servers3
DHCP relays*500*
Max number of assigned addresses64,000

High Availability

Devices supported2
Max virtual addresses32

QoS

Number of QoS policies100
Physical interfaces supporting QoS8
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supportedSystem Limit

IPSec VPN

Max IKE Peers1,000
Site to site (with proxy id)1,000
SD-WAN IPSec tunnels1,000

GlobalProtect Client VPN

Max tunnels (SSL, IPSec, and IKE with XAUTH)250

GlobalProtect Clientless VPN

Max SSL tunnels20

Multicast

Replication (egress interfaces)100
Routes500

Product Notes

End-of-saleNA

PA-3250

App-ID firewall throughput:  560 Mbps
Threat prevention throughput:  300 Mbps
Connections per second:  4,200
Max sessions (IPv4 or IPv6):  64,000

Performance*

App-ID firewall throughput560 Mbps
Threat prevention throughput300 Mbps
IPSec VPN throughput570 Mbps
Connections per second4,200

Sessions

Max sessions (IPv4 or IPv6)64,000

Policies

Security rules500
Security rule schedules256
NAT rules400
Decryption rules100
App override rules100
Tunnel content inspection rules100
SD-WAN rules100
Policy based forwarding rules100
Captive portal rules500
DoS protection rules100

Security Zones

Max security zones15

Objects (addresses and services)

Address objects2,500
Address groups250
Members per address group2,500
Service objects1,000
Service groups250
Members per service group500
FQDN address objects2,000
Max DAG IP addresses*1,000
Tags per IP address32

Security Profiles

Security profiles75

App-ID

Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416

User-ID

IP-User mappings (management plane)524,288
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents400
Tags per User*32

SSL Decryption

Max SSL inbound certificates25
SSL certificate cache (forward proxy)128
Max concurrent decryption sessions6,400
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo

URL Filtering

Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering90,000
Management plane dynamic cache size100,000

EDL

Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system50,000
Max number of URL per system50,000
Shortest check interval (min)5

Interfaces

Mgmt - out-of-band10/100/1000, RJ45/Micro USB console
Mgmt - 10/100/1000 high availabilityNA
Mgmt - 40Gbps high availabilityundefined
Mgmt - 10Gbps high availabilityNA
Traffic - 10/100/10008
Traffic - 100/1000/10000NA
Traffic - 1Gbps SFPNA
Traffic - 10Gbps SFP+NA
Traffic - 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)1,024
Maximum aggregate interfaces4
Maximum SD-WAN virtual interfaces300

Virtual Routers

Virtual routers3

Virtual Wires

Virtual wires256

Virtual Systems

Base virtual systems1
Max virtual systems*NA

Routing

IPv4 forwarding table size*10,000
IPv6 forwarding table size*2,500
System total forwarding table size10,000
32,00050
Max routing peers (protocol dependent)500
Static entries - DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsNA

L2 Forwarding

ARP table size per device1,500
IPv6 neighbor table size1,500
MAC table size per device1,500
Max ARP entries per broadcast domain1,500
Max MAC entries per broadcast domain1,500

NAT

Total NAT rule capacity400
Max NAT rules (static)*400
Max NAT rules (DIP)*400
Max NAT rules (DIPP)200
Max translated IPs (DIP)16,000
Max translated IPs (DIPP)*200
Default DIPP pool oversubscription*2

Address Assignment

DHCP servers3
DHCP relays*500*
Max number of assigned addresses64,000

High Availability

Devices supported2
Max virtual addresses32

QoS

Number of QoS policies100
Physical interfaces supporting QoS8
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supportedSystem Limit

IPSec VPN

Max IKE Peers1,000
Site to site (with proxy id)1,000
SD-WAN IPSec tunnels1,000

GlobalProtect Client VPN

Max tunnels (SSL, IPSec, and IKE with XAUTH)250

GlobalProtect Clientless VPN

Max SSL tunnels20

Multicast

Replication (egress interfaces)100
Routes500

Product Notes

End-of-saleNA

PA-3260

App-ID firewall throughput:  560 Mbps
Threat prevention throughput:  300 Mbps
Connections per second:  4,200
Max sessions (IPv4 or IPv6):  64,000

Performance*

App-ID firewall throughput560 Mbps
Threat prevention throughput300 Mbps
IPSec VPN throughput570 Mbps
Connections per second4,200

Sessions

Max sessions (IPv4 or IPv6)64,000

Policies

Security rules500
Security rule schedules256
NAT rules400
Decryption rules100
App override rules100
Tunnel content inspection rules100
SD-WAN rules100
Policy based forwarding rules100
Captive portal rules500
DoS protection rules100

Security Zones

Max security zones15

Objects (addresses and services)

Address objects2,500
Address groups250
Members per address group2,500
Service objects1,000
Service groups250
Members per service group500
FQDN address objects2,000
Max DAG IP addresses*1,000
Tags per IP address32

Security Profiles

Security profiles75

App-ID

Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416

User-ID

IP-User mappings (management plane)524,288
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents400
Tags per User*32

SSL Decryption

Max SSL inbound certificates25
SSL certificate cache (forward proxy)128
Max concurrent decryption sessions6,400
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo

URL Filtering

Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering90,000
Management plane dynamic cache size100,000

EDL

Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system50,000
Max number of URL per system50,000
Shortest check interval (min)5

Interfaces

Mgmt - out-of-band10/100/1000, RJ45/Micro USB console
Mgmt - 10/100/1000 high availabilityNA
Mgmt - 40Gbps high availabilityundefined
Mgmt - 10Gbps high availabilityNA
Traffic - 10/100/10008
Traffic - 100/1000/10000NA
Traffic - 1Gbps SFPNA
Traffic - 10Gbps SFP+NA
Traffic - 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)1,024
Maximum aggregate interfaces4
Maximum SD-WAN virtual interfaces300

Virtual Routers

Virtual routers3

Virtual Wires

Virtual wires256

Virtual Systems

Base virtual systems1
Max virtual systems*NA

Routing

IPv4 forwarding table size*10,000
IPv6 forwarding table size*2,500
System total forwarding table size10,000
32,00050
Max routing peers (protocol dependent)500
Static entries - DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsNA

L2 Forwarding

ARP table size per device1,500
IPv6 neighbor table size1,500
MAC table size per device1,500
Max ARP entries per broadcast domain1,500
Max MAC entries per broadcast domain1,500

NAT

Total NAT rule capacity400
Max NAT rules (static)*400
Max NAT rules (DIP)*400
Max NAT rules (DIPP)200
Max translated IPs (DIP)16,000
Max translated IPs (DIPP)*200
Default DIPP pool oversubscription*2

Address Assignment

DHCP servers3
DHCP relays*500*
Max number of assigned addresses64,000

High Availability

Devices supported2
Max virtual addresses32

QoS

Number of QoS policies100
Physical interfaces supporting QoS8
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supportedSystem Limit

IPSec VPN

Max IKE Peers1,000
Site to site (with proxy id)1,000
SD-WAN IPSec tunnels1,000

GlobalProtect Client VPN

Max tunnels (SSL, IPSec, and IKE with XAUTH)250

GlobalProtect Clientless VPN

Max SSL tunnels20

Multicast

Replication (egress interfaces)100
Routes500

Product Notes

End-of-saleNA

PA-5220

App-ID firewall throughput:  560 Mbps
Threat prevention throughput:  300 Mbps
Connections per second:  4,200
Max sessions (IPv4 or IPv6):  64,000

Performance*

App-ID firewall throughput560 Mbps
Threat prevention throughput300 Mbps
IPSec VPN throughput570 Mbps
Connections per second4,200

Sessions

Max sessions (IPv4 or IPv6)64,000

Policies

Security rules500
Security rule schedules256
NAT rules400
Decryption rules100
App override rules100
Tunnel content inspection rules100
SD-WAN rules100
Policy based forwarding rules100
Captive portal rules500
DoS protection rules100

Security Zones

Max security zones15

Objects (addresses and services)

Address objects2,500
Address groups250
Members per address group2,500
Service objects1,000
Service groups250
Members per service group500
FQDN address objects2,000
Max DAG IP addresses*1,000
Tags per IP address32

Security Profiles

Security profiles75

App-ID

Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416

User-ID

IP-User mappings (management plane)524,288
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents400
Tags per User*32

SSL Decryption

Max SSL inbound certificates25
SSL certificate cache (forward proxy)128
Max concurrent decryption sessions6,400
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo

URL Filtering

Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering90,000
Management plane dynamic cache size100,000

EDL

Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system50,000
Max number of URL per system50,000
Shortest check interval (min)5

Interfaces

Mgmt - out-of-band10/100/1000, RJ45/Micro USB console
Mgmt - 10/100/1000 high availabilityNA
Mgmt - 40Gbps high availabilityundefined
Mgmt - 10Gbps high availabilityNA
Traffic - 10/100/10008
Traffic - 100/1000/10000NA
Traffic - 1Gbps SFPNA
Traffic - 10Gbps SFP+NA
Traffic - 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)1,024
Maximum aggregate interfaces4
Maximum SD-WAN virtual interfaces300

Virtual Routers

Virtual routers3

Virtual Wires

Virtual wires256

Virtual Systems

Base virtual systems1
Max virtual systems*NA

Routing

IPv4 forwarding table size*10,000
IPv6 forwarding table size*2,500
System total forwarding table size10,000
32,00050
Max routing peers (protocol dependent)500
Static entries - DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsNA

L2 Forwarding

ARP table size per device1,500
IPv6 neighbor table size1,500
MAC table size per device1,500
Max ARP entries per broadcast domain1,500
Max MAC entries per broadcast domain1,500

NAT

Total NAT rule capacity400
Max NAT rules (static)*400
Max NAT rules (DIP)*400
Max NAT rules (DIPP)200
Max translated IPs (DIP)16,000
Max translated IPs (DIPP)*200
Default DIPP pool oversubscription*2

Address Assignment

DHCP servers3
DHCP relays*500*
Max number of assigned addresses64,000

High Availability

Devices supported2
Max virtual addresses32

QoS

Number of QoS policies100
Physical interfaces supporting QoS8
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supportedSystem Limit

IPSec VPN

Max IKE Peers1,000
Site to site (with proxy id)1,000
SD-WAN IPSec tunnels1,000

GlobalProtect Client VPN

Max tunnels (SSL, IPSec, and IKE with XAUTH)250

GlobalProtect Clientless VPN

Max SSL tunnels20

Multicast

Replication (egress interfaces)100
Routes500

Product Notes

End-of-saleNA

PA-5250

App-ID firewall throughput:  560 Mbps
Threat prevention throughput:  300 Mbps
Connections per second:  4,200
Max sessions (IPv4 or IPv6):  64,000

Performance*

App-ID firewall throughput560 Mbps
Threat prevention throughput300 Mbps
IPSec VPN throughput570 Mbps
Connections per second4,200

Sessions

Max sessions (IPv4 or IPv6)64,000

Policies

Security rules500
Security rule schedules256
NAT rules400
Decryption rules100
App override rules100
Tunnel content inspection rules100
SD-WAN rules100
Policy based forwarding rules100
Captive portal rules500
DoS protection rules100

Security Zones

Max security zones15

Objects (addresses and services)

Address objects2,500
Address groups250
Members per address group2,500
Service objects1,000
Service groups250
Members per service group500
FQDN address objects2,000
Max DAG IP addresses*1,000
Tags per IP address32

Security Profiles

Security profiles75

App-ID

Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416

User-ID

IP-User mappings (management plane)524,288
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents400
Tags per User*32

SSL Decryption

Max SSL inbound certificates25
SSL certificate cache (forward proxy)128
Max concurrent decryption sessions6,400
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo

URL Filtering

Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering90,000
Management plane dynamic cache size100,000

EDL

Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system50,000
Max number of URL per system50,000
Shortest check interval (min)5

Interfaces

Mgmt - out-of-band10/100/1000, RJ45/Micro USB console
Mgmt - 10/100/1000 high availabilityNA
Mgmt - 40Gbps high availabilityundefined
Mgmt - 10Gbps high availabilityNA
Traffic - 10/100/10008
Traffic - 100/1000/10000NA
Traffic - 1Gbps SFPNA
Traffic - 10Gbps SFP+NA
Traffic - 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)1,024
Maximum aggregate interfaces4
Maximum SD-WAN virtual interfaces300

Virtual Routers

Virtual routers3

Virtual Wires

Virtual wires256

Virtual Systems

Base virtual systems1
Max virtual systems*NA

Routing

IPv4 forwarding table size*10,000
IPv6 forwarding table size*2,500
System total forwarding table size10,000
32,00050
Max routing peers (protocol dependent)500
Static entries - DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsNA

L2 Forwarding

ARP table size per device1,500
IPv6 neighbor table size1,500
MAC table size per device1,500
Max ARP entries per broadcast domain1,500
Max MAC entries per broadcast domain1,500

NAT

Total NAT rule capacity400
Max NAT rules (static)*400
Max NAT rules (DIP)*400
Max NAT rules (DIPP)200
Max translated IPs (DIP)16,000
Max translated IPs (DIPP)*200
Default DIPP pool oversubscription*2

Address Assignment

DHCP servers3
DHCP relays*500*
Max number of assigned addresses64,000

High Availability

Devices supported2
Max virtual addresses32

QoS

Number of QoS policies100
Physical interfaces supporting QoS8
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supportedSystem Limit

IPSec VPN

Max IKE Peers1,000
Site to site (with proxy id)1,000
SD-WAN IPSec tunnels1,000

GlobalProtect Client VPN

Max tunnels (SSL, IPSec, and IKE with XAUTH)250

GlobalProtect Clientless VPN

Max SSL tunnels20

Multicast

Replication (egress interfaces)100
Routes500

Product Notes

End-of-saleNA

PA-5260

App-ID firewall throughput:  560 Mbps
Threat prevention throughput:  300 Mbps
Connections per second:  4,200
Max sessions (IPv4 or IPv6):  64,000

Performance*

App-ID firewall throughput560 Mbps
Threat prevention throughput300 Mbps
IPSec VPN throughput570 Mbps
Connections per second4,200

Sessions

Max sessions (IPv4 or IPv6)64,000

Policies

Security rules500
Security rule schedules256
NAT rules400
Decryption rules100
App override rules100
Tunnel content inspection rules100
SD-WAN rules100
Policy based forwarding rules100
Captive portal rules500
DoS protection rules100

Security Zones

Max security zones15

Objects (addresses and services)

Address objects2,500
Address groups250
Members per address group2,500
Service objects1,000
Service groups250
Members per service group500
FQDN address objects2,000
Max DAG IP addresses*1,000
Tags per IP address32

Security Profiles

Security profiles75

App-ID

Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416

User-ID

IP-User mappings (management plane)524,288
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents400
Tags per User*32

SSL Decryption

Max SSL inbound certificates25
SSL certificate cache (forward proxy)128
Max concurrent decryption sessions6,400
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo

URL Filtering

Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering90,000
Management plane dynamic cache size100,000

EDL

Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system50,000
Max number of URL per system50,000
Shortest check interval (min)5

Interfaces

Mgmt - out-of-band10/100/1000, RJ45/Micro USB console
Mgmt - 10/100/1000 high availabilityNA
Mgmt - 40Gbps high availabilityundefined
Mgmt - 10Gbps high availabilityNA
Traffic - 10/100/10008
Traffic - 100/1000/10000NA
Traffic - 1Gbps SFPNA
Traffic - 10Gbps SFP+NA
Traffic - 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)1,024
Maximum aggregate interfaces4
Maximum SD-WAN virtual interfaces300

Virtual Routers

Virtual routers3

Virtual Wires

Virtual wires256

Virtual Systems

Base virtual systems1
Max virtual systems*NA

Routing

IPv4 forwarding table size*10,000
IPv6 forwarding table size*2,500
System total forwarding table size10,000
32,00050
Max routing peers (protocol dependent)500
Static entries - DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsNA

L2 Forwarding

ARP table size per device1,500
IPv6 neighbor table size1,500
MAC table size per device1,500
Max ARP entries per broadcast domain1,500
Max MAC entries per broadcast domain1,500

NAT

Total NAT rule capacity400
Max NAT rules (static)*400
Max NAT rules (DIP)*400
Max NAT rules (DIPP)200
Max translated IPs (DIP)16,000
Max translated IPs (DIPP)*200
Default DIPP pool oversubscription*2

Address Assignment

DHCP servers3
DHCP relays*500*
Max number of assigned addresses64,000

High Availability

Devices supported2
Max virtual addresses32

QoS

Number of QoS policies100
Physical interfaces supporting QoS8
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supportedSystem Limit

IPSec VPN

Max IKE Peers1,000
Site to site (with proxy id)1,000
SD-WAN IPSec tunnels1,000

GlobalProtect Client VPN

Max tunnels (SSL, IPSec, and IKE with XAUTH)250

GlobalProtect Clientless VPN

Max SSL tunnels20

Multicast

Replication (egress interfaces)100
Routes500

Product Notes

End-of-saleNA