Paloalto

PA-220R (Ruggedized appliance secures industrial, mining and defense networks in a range of harsh environments)
App-ID firewall throughput 560 Mbps
Threat prevention throughput 300 Mbps
Connections per second 4,200
Max sessions (IPv4 or IPv6) 64,000
Hardware Specifications (6) SFP/RJ45
Performance
App-ID firewall throughput560 Mbps
Threat prevention throughput300 Mbps
IPSec VPN throughput570 Mbps
Connections per second4,200
Sessions
Max sessions (IPv4 or IPv6)64,000
Policies
Security rules500
Security rule schedules256
NAT rules400
Decryption rules100
App override rules100
Tunnel content inspection rules100
SD-WAN rules100
Policy based forwarding rules100
Captive portal rules500
DoS protection rules100
Security Zones
Max security zones15
Objects (addresses and services)
Address objects2,500
Address groups250
Members per address group2,500
Service objects1,000
Service groups250
Members per service group500
FQDN address objects2,000
Max DAG IP addresses*1,000
Tags per IP address32
Security Profiles
Security profiles75
App-ID
Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416
User-ID
IP-User mappings (management plane)524,288
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents400
Tags per User*32
SSL Decryption
Max SSL inbound certificates25
SSL certificate cache (forward proxy)128
Max concurrent decryption sessions6,400
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo
URL Filtering
Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering90,000
Management plane dynamic cache size100,000
EDL
Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system50,000
Max number of URL per system50,000
Shortest check interval (min)5
Interfaces
Mgmt – out-of-band10/100/1000, RJ45/Micro USB console
Mgmt – 10/100/1000 high availabilityNA
Mgmt – 40Gbps high availabilityundefined
Mgmt – 10Gbps high availabilityNA
Traffic – 10/100/10006
Traffic – 100/1000/10000NA
Traffic – 1Gbps SFP2
Traffic – 10Gbps SFP+NA
Traffic – 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)1,024
Maximum aggregate interfaces4
Maximum SD-WAN virtual interfaces300
Virtual Routers
Virtual routers3
Virtual Wires
Virtual wires256
Virtual Systems
Base virtual systems1
Max virtual systems*NA
Routing
IPv4 forwarding table size*10,000
IPv6 forwarding table size*2,500
System total forwarding table size10,000
32,00050
Max routing peers (protocol dependent)500
Static entries – DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsNA
L2 Forwarding
ARP table size per device1,500
IPv6 neighbor table size1,500
MAC table size per device1,500
Max ARP entries per broadcast domain1,500
Max MAC entries per broadcast domain1,500
NAT
Total NAT rule capacity400
Max NAT rules (static)*400
Max NAT rules (DIP)*400
Max NAT rules (DIPP)200
Max translated IPs (DIP)16,000
Max translated IPs (DIPP)*200
Default DIPP pool oversubscription*2
Address Assignment
DHCP servers3
Max number of assigned addresses64,000
High Availability
Devices supported2
Max virtual addresses32
QoS
Number of QoS policies100
Physical interfaces supporting QoS8
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supportedSystem Limit
IPSec VPN
Max IKE Peers1,000
Site to site (with proxy id)1,000
SD-WAN IPSec tunnels1,000
GlobalProtect Client VPN
Max tunnels (SSL, IPSec, and IKE with XAUTH)250
GlobalProtect Clientless VPN
Max SSL tunnels20
Multicast
Replication (egress interfaces)100
Routes500
Product Notes
End-of-saleNA

PA-410
App-ID firewall throughput 1.3 Gbps
Threat prevention throughput 700 Mbps
Connections per second 13,000
Max sessions (IPv4 or IPv6) 64,000
Hardware Specifications: 7 ports 10/100/1000 RJ45
Hardware Specifications: 7 ports 10/100/1000 RJ45
Performance
App-ID firewall throughput1.3 Gbps
Threat prevention throughput700 Mbps
IPSec VPN throughput0.93 Gbps
Connections per second13,000
Sessions
Max sessions (IPv4 or IPv6)64,000
Policies
Security rules500
Security rule schedules256
NAT rules400
Decryption rules100
App override rules100
Tunnel content inspection rules100
SD-WAN rules100
Policy based forwarding rules100
Captive portal rules10
DoS protection rules100
Security Zones
Max security zones25
Objects (addresses and services)
Address objects2,500
Address groups125
Members per address group2,500
Service objects1,000
Service groups250
Members per service group500
FQDN address objects2,000
Max DAG IP addresses*1,000
Tags per IP address64
Security Profiles
Security profiles75
App-ID
Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416
User-ID
IP-User mappings (management plane)512,000
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents400
Tags per User*64
SSL Decryption
Max SSL inbound certificates25
SSL certificate cache (forward proxy)TBD
Max concurrent decryption sessions6,600
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo
URL Filtering
Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filteringTBD
Management plane dynamic cache sizeTBD
EDL
Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system50,000
Max number of URL per system50,000
Shortest check interval (min)5
Interfaces
Mgmt – out-of-band10/100/1000, RJ45/Micro USB console
Mgmt – 10/100/1000 high availabilityNA
Mgmt – 40Gbps high availabilityNA
Mgmt – 10Gbps high availabilityNA
Traffic – 10/100/10007
Traffic – 100/1000/10000NA
Traffic – 1Gbps SFPNA
Traffic – 10Gbps SFP+NA
Traffic – 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)1,024
Maximum aggregate interfaces3
Maximum SD-WAN virtual interfaces300
Virtual Routers
Virtual routers3
Virtual Wires
Virtual wires512
Virtual Systems
Base virtual systems1
Max virtual systems*NA
Routing
IPv4 forwarding table size*5,000
IPv6 forwarding table size*2,500
System total forwarding table size5,000
32,000undefined
Max routing peers (protocol dependent)500
Static entries – DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsYes
L2 Forwarding
ARP table size per device1,500
IPv6 neighbor table size1,500
MAC table size per device1,500
Max ARP entries per broadcast domain1,500
Max MAC entries per broadcast domain1,500
NAT
Total NAT rule capacity400
Max NAT rules (static)*400
Max NAT rules (DIP)*400
Max NAT rules (DIPP)200
Max translated IPs (DIP)16,000
Max translated IPs (DIPP)*200
Default DIPP pool oversubscription*2
Address Assignment
DHCP servers3
Max number of assigned addresses64,000
High Availability
Devices supported2
Max virtual addresses32
QoS
Number of QoS policies1,000
Physical interfaces supporting QoS8
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supportedSystem Limit
IPSec VPN
Max IKE Peers1,000
Site to site (with proxy id)1,000
SD-WAN IPSec tunnels1,000
GlobalProtect Client VPN
Max tunnels (SSL, IPSec, and IKE with XAUTH)250
GlobalProtect Clientless VPN
Max SSL tunnels20
Multicast
Replication (egress interfaces)100
Routes500
Product Notes
End-of-saleNA

PA-415
App-ID firewall throughput 1.6 Gbps
Threat prevention throughput 700 Mbps
Connections per second 13,000
Max sessions (IPv4 or IPv6) 64,000
Hardware Specifications (1) SFP/RJ45 combo y 8 ports 10/100/1000 RJ45
Performance
App-ID firewall throughput1.6 Gbps
Threat prevention throughput700 Mbps
IPSec VPN throughput0.93 Gbps
Connections per second13,000
Sessions
Max sessions (IPv4 or IPv6)64,000
Policies
Security rules500
Security rule schedules256
NAT rules400
Decryption rules100
App override rules100
Tunnel content inspection rules100
SD-WAN rules100
Policy based forwarding rules100
Captive portal rules10
DoS protection rules100
Security Zones
Max security zones25
Objects (addresses and services)
Address objects2,500
Address groups125
Members per address group2,500
Service objects1,000
Service groups250
Members per service group500
FQDN address objects2,000
Max DAG IP addresses*1,000
Tags per IP address64
Security Profiles
Security profiles75
App-ID
Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416
User-ID
IP-User mappings (management plane)512,000
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents400
Tags per User*64
SSL Decryption
Max SSL inbound certificates25
SSL certificate cache (forward proxy)TBD
Max concurrent decryption sessions6,600
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo
URL Filtering
Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filteringTBD
Management plane dynamic cache sizeTBD
EDL
Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system50,000
Max number of URL per system50,000
Shortest check interval (min)5
Interfaces
Mgmt – out-of-band10/100/1000, RJ45/Micro USB console
Mgmt – 10/100/1000 high availabilityNA
Mgmt – 40Gbps high availabilityNA
Mgmt – 10Gbps high availabilityNA
Traffic – 10/100/10007
Traffic – 100/1000/10000NA
Traffic – 1Gbps SFPNA
Traffic – 10Gbps SFP+NA
Traffic – 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)1,024
Maximum aggregate interfaces3
Maximum SD-WAN virtual interfaces300
Virtual Routers
Virtual routers3
Virtual Wires
Virtual wires512
Virtual Systems
Base virtual systems1
Max virtual systems*NA
Routing
IPv4 forwarding table size*5,000
IPv6 forwarding table size*2,500
System total forwarding table size5,000
32,000undefined
Max routing peers (protocol dependent)500
Static entries – DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsYes
L2 Forwarding
ARP table size per device1,500
IPv6 neighbor table size1,500
MAC table size per device1,500
Max ARP entries per broadcast domain1,500
Max MAC entries per broadcast domain1,500
NAT
Total NAT rule capacity400
Max NAT rules (static)*400
Max NAT rules (DIP)*400
Max NAT rules (DIPP)200
Max translated IPs (DIP)16,000
Max translated IPs (DIPP)*200
Default DIPP pool oversubscription*2
Address Assignment
DHCP servers3
Max number of assigned addresses64,000
High Availability
Devices supported2
Max virtual addresses32
QoS
Number of QoS policies1,000
Physical interfaces supporting QoS8
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supportedSystem Limit
IPSec VPN
Max IKE Peers1,000
Site to site (with proxy id)1,000
SD-WAN IPSec tunnels1,000
GlobalProtect Client VPN
Max tunnels (SSL, IPSec, and IKE with XAUTH)250
GlobalProtect Clientless VPN
Max SSL tunnels20
Multicast
Replication (egress interfaces)100
Routes500
Product Notes
End-of-saleNA

PA-440
App-ID firewall throughput 2.4 Gbps
Threat prevention throughput 1.0 Gbps
Connections per second 39,000
Max sessions (IPv4 or IPv6) 200,000
Hardware Specifications (1) SFP/RJ45 combo y 8 ports 10/100/1000 RJ45
Performance
App-ID firewall throughput2.4 Gbps
Threat prevention throughput1.0 Gbps
IPSec VPN throughput1.6 Gbps
Connections per second39,000
Sessions
Max sessions (IPv4 or IPv6)200,000
Policies
Security rules2,000
Security rule schedules256
NAT rules3,000
Decryption rules300
App override rules300
Tunnel content inspection rules300
SD-WAN rules250
Policy based forwarding rules300
Captive portal rules300
DoS protection rules300
Security Zones
Max security zones50
Objects (addresses and services)
Address objects10,000
Address groups250
Members per address group2,500
Service objects1,500
Service groups500
Members per service group500
FQDN address objects2,000
Max DAG IP addresses*50,000
Tags per IP address64
Security Profiles
Security profiles100
App-ID
Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416
User-ID
IP-User mappings (management plane)512,000
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents800
Tags per User*64
SSL Decryption
Max SSL inbound certificates75
SSL certificate cache (forward proxy)1,000
Max concurrent decryption sessions25,600
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo
URL Filtering
Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering150,000
Management plane dynamic cache size600,000
EDL
Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system1,000,000
Max number of URL per system100,000
Shortest check interval (min)5
Interfaces
Mgmt – out-of-band10/100/1000, RJ45/Micro USB console
Mgmt – 10/100/1000 high availabilityNA
Mgmt – 40Gbps high availabilityNA
Mgmt – 10Gbps high availabilityNA
Traffic – 10/100/10008
Traffic – 100/1000/10000NA
Traffic – 1Gbps SFPNA
Traffic – 10Gbps SFP+NA
Traffic – 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)3,000
Maximum aggregate interfaces4
Maximum SD-WAN virtual interfaces840
Virtual Routers
Virtual routers3
Virtual Wires
Virtual wires512
Virtual Systems
Base virtual systems1
Max virtual systems*NA
Routing
IPv4 forwarding table size*5,000
IPv6 forwarding table size*5,000
System total forwarding table size5,000
32,000undefined
Max routing peers (protocol dependent)1,000
Static entries – DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsYes
L2 Forwarding
ARP table size per device3,000
IPv6 neighbor table size3,000
MAC table size per device3,000
Max ARP entries per broadcast domain3,000
Max MAC entries per broadcast domain3,000
NAT
Total NAT rule capacity3,000
Max NAT rules (static)*3,000
Max NAT rules (DIP)*2,000
Max NAT rules (DIPP)1,000
Max translated IPs (DIP)128,000
Max translated IPs (DIPP)*1,000
Default DIPP pool oversubscription*2
Address Assignment
DHCP servers5
Max number of assigned addresses64,000
High Availability
Devices supported2
Max virtual addresses48
QoS
Number of QoS policies1,000
Physical interfaces supporting QoS8
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supportedSystem Limit
IPSec VPN
Max IKE Peers2,800
Site to site (with proxy id)2,800
SD-WAN IPSec tunnels2,800
GlobalProtect Client VPN
Max tunnels (SSL, IPSec, and IKE with XAUTH)1,000
GlobalProtect Clientless VPN
Max SSL tunnels100
Multicast
Replication (egress interfaces)200
Routes1,000
Product Notes
End-of-saleNA

PA-445
App-ID firewall throughput 2.9/2.2 Gbps
Threat prevention throughput 1.0 Gbps
Connections per second 39,000
Max sessions (IPv4 or IPv6) 200,000
Hardware Specifications (1) SFP/RJ45 combo y 8 ports 10/100/1000 RJ45
Performance
App-ID firewall throughput2.4 Gbps
Threat prevention throughput1.0 Gbps
IPSec VPN throughput1.6 Gbps
Connections per second39,000
Sessions
Max sessions (IPv4 or IPv6)200,000
Policies
Security rules2,000
Security rule schedules256
NAT rules3,000
Decryption rules300
App override rules300
Tunnel content inspection rules300
SD-WAN rules250
Policy based forwarding rules300
Captive portal rules300
DoS protection rules300
Security Zones
Max security zones50
Objects (addresses and services)
Address objects10,000
Address groups250
Members per address group2,500
Service objects1,500
Service groups500
Members per service group500
FQDN address objects2,000
Max DAG IP addresses*50,000
Tags per IP address64
Security Profiles
Security profiles100
App-ID
Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416
User-ID
IP-User mappings (management plane)512,000
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents800
Tags per User*64
SSL Decryption
Max SSL inbound certificates75
SSL certificate cache (forward proxy)1,000
Max concurrent decryption sessions25,600
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo
URL Filtering
Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering150,000
Management plane dynamic cache size600,000
EDL
Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system1,000,000
Max number of URL per system100,000
Shortest check interval (min)5
Interfaces
Mgmt – out-of-band10/100/1000, RJ45/Micro USB console
Mgmt – 10/100/1000 high availabilityNA
Mgmt – 40Gbps high availabilityNA
Mgmt – 10Gbps high availabilityNA
Traffic – 10/100/10008
Traffic – 100/1000/10000NA
Traffic – 1Gbps SFPNA
Traffic – 10Gbps SFP+NA
Traffic – 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)3,000
Maximum aggregate interfaces4
Maximum SD-WAN virtual interfaces840
Virtual Routers
Virtual routers3
Virtual Wires
Virtual wires512
Virtual Systems
Base virtual systems1
Max virtual systems*NA
Routing
IPv4 forwarding table size*5,000
IPv6 forwarding table size*5,000
System total forwarding table size5,000
32,000undefined
Max routing peers (protocol dependent)1,000
Static entries – DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsYes
L2 Forwarding
ARP table size per device3,000
IPv6 neighbor table size3,000
MAC table size per device3,000
Max ARP entries per broadcast domain3,000
Max MAC entries per broadcast domain3,000
NAT
Total NAT rule capacity3,000
Max NAT rules (static)*3,000
Max NAT rules (DIP)*2,000
Max NAT rules (DIPP)1,000
Max translated IPs (DIP)128,000
Max translated IPs (DIPP)*1,000
Default DIPP pool oversubscription*2
Address Assignment
DHCP servers5
Max number of assigned addresses64,000
High Availability
Devices supported2
Max virtual addresses48
QoS
Number of QoS policies1,000
Physical interfaces supporting QoS8
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supportedSystem Limit
IPSec VPN
Max IKE Peers2,800
Site to site (with proxy id)2,800
SD-WAN IPSec tunnels2,800
GlobalProtect Client VPN
Max tunnels (SSL, IPSec, and IKE with XAUTH)1,000
GlobalProtect Clientless VPN
Max SSL tunnels100
Multicast
Replication (egress interfaces)200
Routes1,000
Product Notes
End-of-saleNA

PA-450
App-ID firewall throughput 3.2 Gbps
Threat prevention throughput 1.7 Gbps
Connections per second 52,000
Max sessions (IPv4 or IPv6) 300,000
Hardware Specifications (1) SFP/RJ45 combo y 8 ports 10/100/1000 RJ45
Performance
App-ID firewall throughput3.2 Gbps
Threat prevention throughput1.7 Gbps
IPSec VPN throughput2.2 Gbps
Connections per second52,000
Sessions
Max sessions (IPv4 or IPv6)300,000
Policies
Security rules2,500
Security rule schedules256
NAT rules3,000
Decryption rules500
App override rules500
Tunnel content inspection rules500
SD-WAN rules250
Policy based forwarding rules500
Captive portal rules500
DoS protection rules500
Security Zones
Max security zones75
Objects (addresses and services)
Address objects15,000
Address groups500
Members per address group2,500
Service objects2,000
Service groups1,000
Members per service group1,000
FQDN address objects2,000
Max DAG IP addresses*100,000
Tags per IP address64
Security Profiles
Security profiles150
App-ID
Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416
User-ID
IP-User mappings (management plane)512,000
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents1,000
Tags per User*64
SSL Decryption
Max SSL inbound certificates100
SSL certificate cache (forward proxy)2,000
Max concurrent decryption sessions38,400
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo
URL Filtering
Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering150,000
Management plane dynamic cache size600,000
EDL
Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system1,000,000
Max number of URL per system100,000
Shortest check interval (min)5
Interfaces
Mgmt – out-of-band10/100/1000, RJ45/Micro USB console
Mgmt – 10/100/1000 high availabilityNA
Mgmt – 40Gbps high availabilityNA
Mgmt – 10Gbps high availabilityNA
Traffic – 10/100/10008
Traffic – 100/1000/10000NA
Traffic – 1Gbps SFPNA
Traffic – 10Gbps SFP+NA
Traffic – 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)3,000
Maximum aggregate interfaces4
Maximum SD-WAN virtual interfaces840
Virtual Routers
Virtual routers5
Virtual Wires
Virtual wires1,024
Virtual Systems
Base virtual systems1
Max virtual systems*NA
Routing
IPv4 forwarding table size*7,500
IPv6 forwarding table size*7,500
System total forwarding table size7,500
32,000undefined
Max routing peers (protocol dependent)1,000
Static entries – DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsYes
L2 Forwarding
ARP table size per device6,000
IPv6 neighbor table size6,000
MAC table size per device6,000
Max ARP entries per broadcast domain6,000
Max MAC entries per broadcast domain6,000
NAT
Total NAT rule capacity3,000
Max NAT rules (static)*3,000
Max NAT rules (DIP)*2,000
Max NAT rules (DIPP)1,500
Max translated IPs (DIP)128,000
Max translated IPs (DIPP)*1,500
Default DIPP pool oversubscription*2
Address Assignment
DHCP servers5
Max number of assigned addresses64,000
High Availability
Devices supported2
Max virtual addresses48
QoS
Number of QoS policies2,000
Physical interfaces supporting QoS8
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supportedSystem Limit
IPSec VPN
Max IKE Peers2,800
Site to site (with proxy id)2,800
SD-WAN IPSec tunnels2,800
GlobalProtect Client VPN
Max tunnels (SSL, IPSec, and IKE with XAUTH)1,500
GlobalProtect Clientless VPN
Max SSL tunnels200
Multicast
Replication (egress interfaces)300
Routes1,500
Product Notes
End-of-saleNA

PA-460
App-ID firewall throughput 4.7 Gbps
Threat prevention throughput 2.6 Gbps
Connections per second 74,000
Max sessions (IPv4 or IPv6) 400,000
Hardware Specifications (1) SFP/RJ45 combo y 8 ports 10/100/1000 RJ45
Performance
App-ID firewall throughput4.7 Gbps
Threat prevention throughput2.6 Gbps
IPSec VPN throughput3.1 Gbps
Connections per second74,000
Sessions
Max sessions (IPv4 or IPv6)400,000
Policies
Security rules2,500
Security rule schedules256
NAT rules3,000
Decryption rules500
App override rules500
Tunnel content inspection rules500
SD-WAN rules250
Policy based forwarding rules500
Captive portal rules500
DoS protection rules500
Security Zones
Max security zones100
Objects (addresses and services)
Address objects15,000
Address groups500
Members per address group2,500
Service objects2,000
Service groups1,000
Members per service group1,000
FQDN address objects2,000
Max DAG IP addresses*100,000
Tags per IP address64
Security Profiles
Security profiles150
App-ID
Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416
User-ID
IP-User mappings (management plane)512,000
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents1,000
Tags per User*64
SSL Decryption
Max SSL inbound certificates100
SSL certificate cache (forward proxy)2,000
Max concurrent decryption sessions51,000
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo
URL Filtering
Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering150,000
Management plane dynamic cache size600,000
EDL
Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system1,000,000
Max number of URL per system100,000
Shortest check interval (min)5
Interfaces
Mgmt – out-of-band10/100/1000, RJ45/Micro USB console
Mgmt – 10/100/1000 high availabilityNA
Mgmt – 40Gbps high availabilityNA
Mgmt – 10Gbps high availabilityNA
Traffic – 10/100/10008
Traffic – 100/1000/10000NA
Traffic – 1Gbps SFPNA
Traffic – 10Gbps SFP+NA
Traffic – 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)3,000
Maximum aggregate interfaces4
Maximum SD-WAN virtual interfaces840
Virtual Routers
Virtual routers5
Virtual Wires
Virtual wires1,024
Virtual Systems
Base virtual systems1
Max virtual systems*NA
Routing
IPv4 forwarding table size*10,000
IPv6 forwarding table size*10,000
System total forwarding table size10,000
32,000undefined
Max routing peers (protocol dependent)1,000
Static entries – DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsYes
L2 Forwarding
ARP table size per device6,000
IPv6 neighbor table size6,000
MAC table size per device6,000
Max ARP entries per broadcast domain6,000
Max MAC entries per broadcast domain6,000
NAT
Total NAT rule capacity3,000
Max NAT rules (static)*3,000
Max NAT rules (DIP)*2,000
Max NAT rules (DIPP)1,500
Max translated IPs (DIP)128,000
Max translated IPs (DIPP)*1,500
Default DIPP pool oversubscription*2
Address Assignment
DHCP servers5
Max number of assigned addresses64,000
High Availability
Devices supported2
Max virtual addresses48
QoS
Number of QoS policies2,000
Physical interfaces supporting QoS8
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supportedSystem Limit
IPSec VPN
Max IKE Peers2,800
Site to site (with proxy id)2,800
SD-WAN IPSec tunnels2,800
GlobalProtect Client VPN
Max tunnels (SSL, IPSec, and IKE with XAUTH)1,500
GlobalProtect Clientless VPN
Max SSL tunnels200
Multicast
Replication (egress interfaces)300
Routes1,500
Product Notes
End-of-saleNA

PA-820
App-ID firewall throughput 1.7 Gbps
Threat prevention throughput 900 Mbps
Connections per second 8,100
Max sessions (IPv4 or IPv6) 128,000
Hardware Specifications: 4 ports 10/100/1000 RJ45,
8 ports SFP Gigabit
Performance
App-ID firewall throughput1.7 Gbps
Threat prevention throughput900 Mbps
IPSec VPN throughput1.4 Gbps
Connections per second8,100
Sessions
Max sessions (IPv4 or IPv6)128,000
Policies
Security rules1,500
Security rule schedules256
NAT rules3,000
Decryption rules100
App override rules100
Tunnel content inspection rules100
SD-WAN rules100
Policy based forwarding rules100
Captive portal rules500
DoS protection rules100
Security Zones
Max security zones30
Objects (addresses and services)
Address objects2,500
Address groups250
Members per address group2,500
Service objects1,000
Service groups250
Members per service group500
FQDN address objects2,000
Max DAG IP addresses*1,000
Tags per IP address32
Security Profiles
Security profiles100
App-ID
Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416
User-ID
IP-User mappings (management plane)524,288
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents1,000
Tags per User*32
SSL Decryption
Max SSL inbound certificates75
SSL certificate cache (forward proxy)1,000
Max concurrent decryption sessions12,800
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo
URL Filtering
Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering90,000
Management plane dynamic cache size600,000
EDL
Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system1,000,000
Max number of URL per system100,000
Shortest check interval (min)5
Interfaces
Mgmt – out-of-band10/100/1000, RJ45/Micro USB console
Mgmt – 10/100/1000 high availability2
Mgmt – 40Gbps high availabilityNA
Mgmt – 10Gbps high availabilityNA
Traffic – 10/100/10004
Traffic – 100/1000/10000NA
Traffic – 1Gbps SFP8
Traffic – 10Gbps SFP+NA
Traffic – 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)1,024
Maximum aggregate interfaces6
Maximum SD-WAN virtual interfaces500
Virtual Routers
Virtual routers5
Virtual Wires
Virtual wires512
Virtual Systems
Base virtual systems1
Max virtual systems*NA
Routing
IPv4 forwarding table size*10,000
IPv6 forwarding table size*5,000
System total forwarding table size15,000
32,00050
Max routing peers (protocol dependent)1,000
Static entries – DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsNA
L2 Forwarding
ARP table size per device3,000
IPv6 neighbor table size3,000
MAC table size per device3,000
Max ARP entries per broadcast domain3,000
Max MAC entries per broadcast domain3,000
NAT
Total NAT rule capacity3,000
Max NAT rules (static)*3,000
Max NAT rules (DIP)*2,000
Max NAT rules (DIPP)400
Max translated IPs (DIP)128,000
Max translated IPs (DIPP)*400
Default DIPP pool oversubscription*2
Address Assignment
DHCP servers5
Max number of assigned addresses64,000
High Availability
Devices supported2
Max virtual addresses48
QoS
Number of QoS policies250
Physical interfaces supporting QoS12
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supported1,024
IPSec VPN
Max IKE Peers1,000
Site to site (with proxy id)2,000
SD-WAN IPSec tunnels1,000
GlobalProtect Client VPN
Max tunnels (SSL, IPSec, and IKE with XAUTH)1,000
GlobalProtect Clientless VPN
Max SSL tunnels200
Multicast
Replication (egress interfaces)200
Routes1,500
Product Notes
End-of-saleNA

PA-850
App-ID firewall throughput 2.1 Gbps
Threat prevention throughput 1.2 Gbps
Connections per second 13,000
Max sessions (IPv4 or IPv6) 192,000
Hardware Specifications: 4 ports 10/100/1000 RJ45,
4 ports SFP Gigabit, 4 ports SFP + 10 Gigabit
Performance
App-ID firewall throughput2.1 Gbps
Threat prevention throughput1.2 Gbps
IPSec VPN throughput1.7 Gbps
Connections per second13,000
Sessions
Max sessions (IPv4 or IPv6)192,000
Policies
Security rules1,500
Security rule schedules256
NAT rules3,000
Decryption rules150
App override rules100
Tunnel content inspection rules250
SD-WAN rules100
Policy based forwarding rules250
Captive portal rules500
DoS protection rules250
Security Zones
Max security zones40
Objects (addresses and services)
Address objects3,500
Address groups350
Members per address group2,500
Service objects1,000
Service groups250
Members per service group500
FQDN address objects2,000
Max DAG IP addresses*2,500
Tags per IP address32
Security Profiles
Security profiles150
App-ID
Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416
User-ID
IP-User mappings (management plane)524,288
IP-User mappings (data plane)128,000
Active and unique groups used in policy*1,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents1,000
Tags per User*32
SSL Decryption
Max SSL inbound certificates100
SSL certificate cache (forward proxy)2,000
Max concurrent decryption sessions19,200
SSL Port MirrorYes
SSL Decryption BrokerNo
HSM SupportedNo
URL Filtering
Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering90,000
Management plane dynamic cache size600,000
EDL
Max number of custom lists30
Max number of IPs per system50,000
Max number of DNS Domains per system1,000,000
Max number of URL per system100,000
Shortest check interval (min)5
Interfaces
Mgmt – out-of-band10/100/1000, RJ45/Micro USB console
Mgmt – 10/100/1000 high availability2
Mgmt – 40Gbps high availabilityNA
Mgmt – 10Gbps high availabilityNA
Traffic – 10/100/10004
Traffic – 100/1000/10000NA
Traffic – 1Gbps SFP4/8
Traffic – 10Gbps SFP+0/4
Traffic – 40/100Gbps QSFP+/QSFP28NA
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)1,024
Maximum aggregate interfaces6
Maximum SD-WAN virtual interfaces500
Virtual Routers
Virtual routers5
Virtual Wires
Virtual wires512
Virtual Systems
Base virtual systems1
Max virtual systems*NA
Routing
IPv4 forwarding table size*10,000
IPv6 forwarding table size*5,000
System total forwarding table size15,000
32,00050
Max routing peers (protocol dependent)1,000
Static entries – DNS proxy1,024
Bidirectional Forwarding Detection (BFD) SessionsNA
L2 Forwarding
ARP table size per device3,000
IPv6 neighbor table size3,000
MAC table size per device3,000
Max ARP entries per broadcast domain3,000
Max MAC entries per broadcast domain3,000
NAT
Total NAT rule capacity3,000
Max NAT rules (static)*3,000
Max NAT rules (DIP)*2,000
Max NAT rules (DIPP)400
Max translated IPs (DIP)128,000
Max translated IPs (DIPP)*400
Default DIPP pool oversubscription*2
Address Assignment
DHCP servers5
Max number of assigned addresses64,000
High Availability
Devices supported2
Max virtual addresses48
QoS
Number of QoS policies500
Physical interfaces supporting QoS12
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supported1,024
IPSec VPN
Max IKE Peers1,000
Site to site (with proxy id)2,000
SD-WAN IPSec tunnels1,000
GlobalProtect Client VPN
Max tunnels (SSL, IPSec, and IKE with XAUTH)1,000
GlobalProtect Clientless VPN
Max SSL tunnels200
Multicast
Replication (egress interfaces)200
Routes1,500
Product Notes
End-of-saleNA

PA-3220
App-ID firewall throughput 4.8 Gbps
Threat prevention throughput 2.6 Gbps
Connections per second 52,800
Max sessions (IPv4 or IPv6) 1,000,000
Hardware Specifications: 12 ports 10/100/1000 RJ45,
4 ports SFP 1 Gb, 4 ports SFP/SFP 1 Gb/10 Gb
Performance
App-ID firewall throughput4.8 Gbps
Threat prevention throughput2.6 Gbps
IPSec VPN throughput2.6 Gbps
Connections per second52,800
Sessions
Max sessions (IPv4 or IPv6)1,000,000
Policies
Security rules10,000
Security rule schedules256
NAT rules3,000
Decryption rules1,500
App override rules1,500
Tunnel content inspection rules1,000
SD-WAN rules300
Policy based forwarding rules1,000
Captive portal rules2,000
DoS protection rules2,000
Security Zones
Max security zones200
Objects (addresses and services)
Address objects30,000
Address groups15,000
Members per address group2,500
Service objects4,000
Service groups2,000
Members per service group2,500
FQDN address objects2,048
Max DAG IP addresses*200,000
Tags per IP address32
Security Profiles
Security profiles150
App-ID
Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416
User-ID
IP-User mappings (management plane)524,288
IP-User mappings (data plane)128,000
Active and unique groups used in policy*10,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents2,000
Tags per User*32
SSL Decryption
Max SSL inbound certificates150
SSL certificate cache (forward proxy)4,000
Max concurrent decryption sessions100,000
SSL Port MirrorYes
SSL Decryption BrokerYes
HSM SupportedYes
URL Filtering
Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering250,000
Management plane dynamic cache size600,000
EDL
Max number of custom lists30
Max number of IPs per system150,000
Max number of DNS Domains per system1,000,000
Max number of URL per system100,000
Shortest check interval (min)5
Interfaces
Mgmt – out-of-band10/100/1000, RJ45/Micro USB console
Mgmt – 10/100/1000 high availability2
Mgmt – 40Gbps high availabilityNA
Mgmt – 10Gbps high availability1
Traffic – 10/100/100012
Traffic – 100/1000/10000NA
Traffic – 1Gbps SFP0/8
Traffic – 10Gbps SFP+0/4
Traffic – 40/100Gbps QSFP+/QSFP28
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)4,096
Maximum aggregate interfaces16
Maximum SD-WAN virtual interfaces1,000
Virtual Routers
Virtual routers10
Virtual Wires
Virtual wires2,048
Virtual Systems
Base virtual systems1
Max virtual systems*6
Routing
IPv4 forwarding table size*16,000
IPv6 forwarding table size*12,000
System total forwarding table size28,000
32,00050
Max routing peers (protocol dependent)1,000
Static entries – DNS proxy1,024
Bidirectional Forwarding Detection (BFD) Sessions512
L2 Forwarding
ARP table size per device16,000
IPv6 neighbor table size16,000
MAC table size per device16,000
Max ARP entries per broadcast domain16,000
Max MAC entries per broadcast domain16,000
NAT
Total NAT rule capacity3,000
Max NAT rules (static)*3,000
Max NAT rules (DIP)*2,000
Max NAT rules (DIPP)2,000
Max translated IPs (DIP)128,000
Max translated IPs (DIPP)*2,000
Default DIPP pool oversubscription*4
Address Assignment
DHCP servers10
Max number of assigned addresses64,000
High Availability
Devices supported2
Max virtual addresses64
QoS
Number of QoS policies2,000
Physical interfaces supporting QoS12
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supported500
IPSec VPN
Max IKE Peers2,000
Site to site (with proxy id)4,000
SD-WAN IPSec tunnels2,000
GlobalProtect Client VPN
Max tunnels (SSL, IPSec, and IKE with XAUTH)1,024
GlobalProtect Clientless VPN
Max SSL tunnels200
Multicast
Replication (egress interfaces)1,000
Routes4,000
Product Notes
End-of-saleNA

PA-3250
App-ID firewall throughput 5.8 Gbps
Threat prevention throughput 3.1 Gbps
Connections per second 63,700
Max sessions (IPv4 or IPv6) 2,000,000
Hardware Specifications: 12 ports 10/100/1000 RJ45,
8 ports SFP/SFP 1 Gb/10 Gb
Performance
App-ID firewall throughput5.8 Gbps
Threat prevention throughput3.1 Gbps
IPSec VPN throughput2.9 Gbps
Connections per second63,700
Sessions
Max sessions (IPv4 or IPv6)2,000,000
Policies
Security rules10,000
Security rule schedules256
NAT rules6,000
Decryption rules1,500
App override rules1,500
Tunnel content inspection rules1,000
SD-WAN rules300
Policy based forwarding rules1,000
Captive portal rules2,000
DoS protection rules2,000
Security Zones
Max security zones200
Objects (addresses and services)
Address objects30,000
Address groups15,000
Members per address group2,500
Service objects4,000
Service groups2,000
Members per service group2,500
FQDN address objects2,048
Max DAG IP addresses*200,000
Tags per IP address32
Security Profiles
Security profiles375
App-ID
Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416
User-ID
IP-User mappings (management plane)524,288
IP-User mappings (data plane)128,000
Active and unique groups used in policy*10,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents2,000
Tags per User*32
SSL Decryption
Max SSL inbound certificates300
SSL certificate cache (forward proxy)8,000
Max concurrent decryption sessions200,000
SSL Port MirrorYes
SSL Decryption BrokerYes
HSM SupportedYes
URL Filtering
Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering250,000
Management plane dynamic cache size600,000
EDL
Max number of custom lists30
Max number of IPs per system150,000
Max number of DNS Domains per system1,000,000
Max number of URL per system100,000
Shortest check interval (min)5
Interfaces
Mgmt – out-of-band10/100/1000, RJ45/Micro USB console
Mgmt – 10/100/1000 high availability2
Mgmt – 40Gbps high availabilityNA
Mgmt – 10Gbps high availability1
Traffic – 10/100/100012
Traffic – 100/1000/10000NA
Traffic – 1Gbps SFP0/8
Traffic – 10Gbps SFP+0/8
Traffic – 40/100Gbps QSFP+/QSFP280
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)4,096
Maximum aggregate interfaces16
Maximum SD-WAN virtual interfaces1,000
Virtual Routers
Virtual routers10
Virtual Wires
Virtual wires2,048
Virtual Systems
Base virtual systems1
Max virtual systems*6
Routing
IPv4 forwarding table size*44,000
IPv6 forwarding table size*44,000
System total forwarding table size88,000
32,00050
Max routing peers (protocol dependent)1,000
Static entries – DNS proxy1,024
Bidirectional Forwarding Detection (BFD) Sessions512
L2 Forwarding
ARP table size per device72,000
IPv6 neighbor table size72,000
MAC table size per device72,000
Max ARP entries per broadcast domain72,000
Max MAC entries per broadcast domain72,000
NAT
Total NAT rule capacity6,000
Max NAT rules (static)*6,000
Max NAT rules (DIP)*4,000
Max NAT rules (DIPP)4,000
Max translated IPs (DIP)128,000
Max translated IPs (DIPP)*4,000
Default DIPP pool oversubscription*4
Address Assignment
DHCP servers10
Max number of assigned addresses64,000
High Availability
Devices supported2
Max virtual addresses64
QoS
Number of QoS policies2,000
Physical interfaces supporting QoS12
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supported2,048
IPSec VPN
Max IKE Peers3,000
Site to site (with proxy id)6,000
SD-WAN IPSec tunnels3,000
GlobalProtect Client VPN
Max tunnels (SSL, IPSec, and IKE with XAUTH)2,048
GlobalProtect Clientless VPN
Max SSL tunnels400
Multicast
Replication (egress interfaces)1,000
Routes4,000
Product Notes
End-of-saleNA

PA-3260
App-ID firewall throughput 8.7 Gbps
Threat prevention throughput 4.7 Gbps
Connections per second 94,400
Max sessions (IPv4 or IPv6) 2,200,000
Hardware Specifications: 12 ports 10/100/1000 RJ45,
8 ports SFP/SFP 1 Gb/10 Gb, 4 ports QSFP + 40 Gb
Performance
App-ID firewall throughput8.7 Gbps
Threat prevention throughput4.7 Gbps
IPSec VPN throughput4.7 Gbps
Connections per second94,400
Sessions
Max sessions (IPv4 or IPv6)2,200,000
Policies
Security rules10,000
Security rule schedules256
NAT rules6,000
Decryption rules1,500
App override rules1,500
Tunnel content inspection rules1,000
SD-WAN rules300
Policy based forwarding rules1,000
Captive portal rules2,000
DoS protection rules2,000
Security Zones
Max security zones200
Objects (addresses and services)
Address objects30,000
Address groups15,000
Members per address group2,500
Service objects4,000
Service groups2,000
Members per service group2,500
FQDN address objects2,048
Max DAG IP addresses*200,000
Tags per IP address32
Security Profiles
Security profiles375
App-ID
Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416
User-ID
IP-User mappings (management plane)524,288
IP-User mappings (data plane)128,000
Active and unique groups used in policy*10,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents2,000
Tags per User*32
SSL Decryption
Max SSL inbound certificates500
SSL certificate cache (forward proxy)12,000
Max concurrent decryption sessions300,000
SSL Port MirrorYes
SSL Decryption BrokerYes
HSM SupportedYes
URL Filtering
Total entries for allow list, block list and custom categories25,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering250,000
Management plane dynamic cache size600,000
EDL
Max number of custom lists30
Max number of IPs per system150,000
Max number of DNS Domains per system1,000,000
Max number of URL per system100,000
Shortest check interval (min)5
Interfaces
Mgmt – out-of-band10/100/1000, RJ45/Micro USB console
Mgmt – 10/100/1000 high availability2
Mgmt – 40Gbps high availabilityNA
Mgmt – 10Gbps high availability1
Traffic – 10/100/100012
Traffic – 100/1000/10000NA
Traffic – 1Gbps SFP0/8
Traffic – 10Gbps SFP+0/8
Traffic – 40/100Gbps QSFP+/QSFP284×40
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)4,096
Maximum aggregate interfaces16
Maximum SD-WAN virtual interfaces1,000
Virtual Routers
Virtual routers10
Virtual Wires
Virtual wires2,048
Virtual Systems
Base virtual systems1
Max virtual systems*6
Routing
IPv4 forwarding table size*44,000
IPv6 forwarding table size*44,000
System total forwarding table size88,000
32,00050
Max routing peers (protocol dependent)1,000
Static entries – DNS proxy1,024
Bidirectional Forwarding Detection (BFD) Sessions512
L2 Forwarding
ARP table size per device72,000
IPv6 neighbor table size72,000
MAC table size per device72,000
Max ARP entries per broadcast domain72,000
Max MAC entries per broadcast domain72,000
NAT
Total NAT rule capacity6,000
Max NAT rules (static)*6,000
Max NAT rules (DIP)*4,000
Max NAT rules (DIPP)4,000
Max translated IPs (DIP)128,000
Max translated IPs (DIPP)*4,000
Default DIPP pool oversubscription*4
Address Assignment
DHCP servers10
Max number of assigned addresses64,000
High Availability
Devices supported2
Max virtual addresses64
QoS
Number of QoS policies2,000
Physical interfaces supporting QoS12
Clear text nodes per physical interface31
DSCP marking by policyYes
Subinterfaces supported2,048
IPSec VPN
Max IKE Peers3,000
Site to site (with proxy id)6,000
SD-WAN IPSec tunnels3,000
GlobalProtect Client VPN
Max tunnels (SSL, IPSec, and IKE with XAUTH)2,048
GlobalProtect Clientless VPN
Max SSL tunnels400
Multicast
Replication (egress interfaces)1,000
Routes4,000
Product Notes
End-of-saleNA

PA-5220
App-ID firewall throughput 17 Gbps
Threat prevention throughput 9.7 Gbps
Connections per second 166,000
Max sessions (IPv4 or IPv6) 4,000,000
Hardware Specifications: 4 ports 10/100/1000 RJ45,
16 ports SFP/SFP + 1 Gb/10 Gb, 4 ports QSFP + 40 Gb
Performance
App-ID firewall throughput17 Gbps
Threat prevention throughput9.7 Gbps
IPSec VPN throughput9.7 Gbps
Connections per second166,000
Sessions
Max sessions (IPv4 or IPv6)4,000,000
Policies
Security rules30,000
Security rule schedules256
NAT rules6,000
Decryption rules3,500
App override rules3,500
Tunnel content inspection rules2,500
SD-WAN rules300
Policy based forwarding rules2,000
Captive portal rules8,000
DoS protection rules2,000
Security Zones
Max security zones4,000
Objects (addresses and services)
Address objects80,000
Address groups40,000
Members per address group2,500
Service objects8,000
Service groups4,000
Members per service group2,500
FQDN address objects6,144
Max DAG IP addresses*500,000
Tags per IP address32
Security Profiles
Security profiles750
App-ID
Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416
User-ID
IP-User mappings (management plane)524,288
IP-User mappings (data plane)512,000
Active and unique groups used in policy*10,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents2,500
Tags per User*32
SSL Decryption
Max SSL inbound certificates600
SSL certificate cache (forward proxy)16,000
Max concurrent decryption sessions400,000
SSL Port MirrorYes
SSL Decryption BrokerYes
HSM SupportedYes
URL Filtering
Total entries for allow list, block list and custom categories100,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering250,000
Management plane dynamic cache size600,000
EDL
Max number of custom lists30
Max number of IPs per system150,000
Max number of DNS Domains per system4,000,000
Max number of URL per system250,000
Shortest check interval (min)5
Interfaces
Mgmt – out-of-band10/100/1000, RJ45 console
Mgmt – 10/100/1000 high availabilityNA
Mgmt – 40Gbps high availability1
Mgmt – 10Gbps high availabilityNA
Traffic – 10/100/1000NA
Traffic – 100/1000/100004
Traffic – 1Gbps SFP0/16
Traffic – 10Gbps SFP+0/16
Traffic – 40/100Gbps QSFP+/QSFP284X40
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)4,096
Maximum aggregate interfaces16
Maximum SD-WAN virtual interfaces1,500
Virtual Routers
Virtual routers20
Virtual Wires
Virtual wires2,048
Virtual Systems
Base virtual systems10
Max virtual systems*20
Routing
IPv4 forwarding table size*100,000
IPv6 forwarding table size*100,000
System total forwarding table size200,000
32,00050
Max routing peers (protocol dependent)1,000
Static entries – DNS proxy1,024
Bidirectional Forwarding Detection (BFD) Sessions1,024
L2 Forwarding
ARP table size per device128,000
IPv6 neighbor table size128,000
MAC table size per device128,000
Max ARP entries per broadcast domain128,000
Max MAC entries per broadcast domain128,000
NAT
Total NAT rule capacity6,000
Max NAT rules (static)*6,000
Max NAT rules (DIP)*4,000
Max NAT rules (DIPP)4,000
Max translated IPs (DIP)64,000
Max translated IPs (DIPP)*4,000
Default DIPP pool oversubscription*8
Address Assignment
DHCP servers20
Max number of assigned addresses64,000
High Availability
Devices supported2
Max virtual addresses4,096
QoS
Number of QoS policies4,000
Physical interfaces supporting QoS12
Clear text nodes per physical interface63
DSCP marking by policyYes
Subinterfaces supported2,048
IPSec VPN
Max IKE Peers3,000
Site to site (with proxy id)10,000
SD-WAN IPSec tunnels3,000
GlobalProtect Client VPN
Max tunnels (SSL, IPSec, and IKE with XAUTH)15,000
GlobalProtect Clientless VPN
Max SSL tunnels2,500
Multicast
Replication (egress interfaces)1,000
Routes4,000
Product Notes
End-of-saleNA

PA-5250
App-ID firewall throughput 37 Gbps
Threat prevention throughput 23 Gbps
Connections per second 392,000
Max sessions (IPv4 or IPv6) 8,000,000
Hardware Specifications: 4 ports 10/100/1000 RJ45,
16 ports SFP/SFP + 1 Gb/10 Gb, 4 ports QSFP28 of 40 Gb/100 Gb
Performance
App-ID firewall throughput37 Gbps
Threat prevention throughput23 Gbps
IPSec VPN throughput19 Gbps
Connections per second392,000
Sessions
Max sessions (IPv4 or IPv6)8,000,000
Policies
Security rules65,000
Security rule schedules256
NAT rules8,000
Decryption rules5,000
App override rules4,000
Tunnel content inspection rules8,500
SD-WAN rules500
Policy based forwarding rules2,000
Captive portal rules8,000
DoS protection rules2,000
Security Zones
Max security zones17,000
Objects (addresses and services)
Address objects160,000
Address groups80,000
Members per address group2,500
Service objects12,000
Service groups6,000
Members per service group2,500
FQDN address objects6,144
Max DAG IP addresses*500,000
Tags per IP address32
Security Profiles
Security profiles750
App-ID
Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416
User-ID
IP-User mappings (management plane)524,288
IP-User mappings (data plane)512,000
Active and unique groups used in policy*10,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents2,500
Tags per User*32
SSL Decryption
Max SSL inbound certificates1,200
SSL certificate cache (forward proxy)24,000
Max concurrent decryption sessions800,000
SSL Port MirrorYes
SSL Decryption BrokerYes
HSM SupportedYes
URL Filtering
Total entries for allow list, block list and custom categories100,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering250,000
Management plane dynamic cache size600,000
EDL
Max number of custom lists30
Max number of IPs per system150,000
Max number of DNS Domains per system4,000,000
Max number of URL per system250,000
Shortest check interval (min)5
Interfaces
Mgmt – out-of-band10/100/1000, RJ45 console
Mgmt – 10/100/1000 high availabilityNA
Mgmt – 40Gbps high availability1
Mgmt – 10Gbps high availabilityNA
Traffic – 10/100/1000NA
Traffic – 100/1000/100004
Traffic – 1Gbps SFP0/16
Traffic – 10Gbps SFP+0/16
Traffic – 40/100Gbps QSFP+/QSFP284×40/100
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)4,096
Maximum aggregate interfaces16
Maximum SD-WAN virtual interfaces1,500
Virtual Routers
Virtual routers125
Virtual Wires
Virtual wires2,048
Virtual Systems
Base virtual systems25
Max virtual systems*125
Routing
IPv4 forwarding table size*100,000
IPv6 forwarding table size*100,000
System total forwarding table size200,000
32,00050
Max routing peers (protocol dependent)1,000
Static entries – DNS proxy1,024
Bidirectional Forwarding Detection (BFD) Sessions1,024
L2 Forwarding
ARP table size per device128,000
IPv6 neighbor table size128,000
MAC table size per device128,000
Max ARP entries per broadcast domain128,000
Max MAC entries per broadcast domain128,000
NAT
Total NAT rule capacity8,000
Max NAT rules (static)*8,000
Max NAT rules (DIP)*8,000
Max NAT rules (DIPP)6,000
Max translated IPs (DIP)160,000
Max translated IPs (DIPP)*6,000
Default DIPP pool oversubscription*8
Address Assignment
DHCP servers125
Max number of assigned addresses64,000
High Availability
Devices supported2
Max virtual addresses4,096
QoS
Number of QoS policies4,000
Physical interfaces supporting QoS12
Clear text nodes per physical interface63
DSCP marking by policyYes
Subinterfaces supported2,048
IPSec VPN
Max IKE Peers4,000
Site to site (with proxy id)12,000
SD-WAN IPSec tunnels4,000
GlobalProtect Client VPN
Max tunnels (SSL, IPSec, and IKE with XAUTH)30,000
GlobalProtect Clientless VPN
Max SSL tunnels5,000
Multicast
Replication (egress interfaces)2,000
Routes4,000
Product Notes
End-of-saleNA

PA-5260
App-ID firewall throughput 60 Gbps
Threat prevention throughput 34 Gbps
Connections per second 580,000
Max sessions (IPv4 or IPv6) 32,000,000
Hardware Specifications: 4 ports 10/100/1000 RJ45,
16 ports SFP/SFP + 1 Gb/10 Gb, 4 ports QSFP28 of 40 Gb/100 Gb
Performance
App-ID firewall throughput60 Gbps
Threat prevention throughput34 Gbps
IPSec VPN throughput28 Gbps
Connections per second580,000
Sessions
Max sessions (IPv4 or IPv6)32,000,000
Policies
Security rules65,000
Security rule schedules256
NAT rules16,000
Decryption rules5,000
App override rules4,000
Tunnel content inspection rules8,500
SD-WAN rules500
Policy based forwarding rules2,000
Captive portal rules8,000
DoS protection rules2,000
Security Zones
Max security zones17,000
Objects (addresses and services)
Address objects160,000
Address groups80,000
Members per address group2,500
Service objects12,000
Service groups6,000
Members per service group2,500
FQDN address objects6,144
Max DAG IP addresses*500,000
Tags per IP address32
Security Profiles
Security profiles750
App-ID
Custom App-ID signatures6,000
Shared custom App-IDs512
Custom App-IDs (virtual system specific)6,416
User-ID
IP-User mappings (management plane)524,288
IP-User mappings (data plane)512,000
Active and unique groups used in policy*10,000
Number of User-ID agents100
Monitored servers for User-ID100
Terminal server agents2,500
Tags per User*32
SSL Decryption
Max SSL inbound certificates2,000
SSL certificate cache (forward proxy)32,000
Max concurrent decryption sessions3,200,000
SSL Port MirrorYes
SSL Decryption BrokerYes
HSM SupportedYes
URL Filtering
Total entries for allow list, block list and custom categories100,000
Max custom categories2,849
Max custom categories (virtual system specific)500
Dataplane cache size for URL filtering250,000
Management plane dynamic cache size900,000
EDL
Max number of custom lists30
Max number of IPs per system150,000
Max number of DNS Domains per system4,000,000
Max number of URL per system250,000
Shortest check interval (min)5
Interfaces
Mgmt – out-of-band10/100/1000, RJ45 console
Mgmt – 10/100/1000 high availabilityNA
Mgmt – 40Gbps high availability1
Mgmt – 10Gbps high availabilityNA
Traffic – 10/100/1000NA
Traffic – 100/1000/100004
Traffic – 1Gbps SFP0/16
Traffic – 10Gbps SFP+0/16
Traffic – 40/100Gbps QSFP+/QSFP284×40/100
802.1q tags per device4,094
802.1q tags per physical interface4,094
Max interfaces (logical and physical)5,120
Maximum aggregate interfaces16
Maximum SD-WAN virtual interfaces1,500
Virtual Routers
Virtual routers225
Virtual Wires
Virtual wires2,048
Virtual Systems
Base virtual systems25
Max virtual systems*225
Routing
IPv4 forwarding table size*100,000
IPv6 forwarding table size*100,000
System total forwarding table size200,000
32,00050
Max routing peers (protocol dependent)1,000
Static entries – DNS proxy1,024
Bidirectional Forwarding Detection (BFD) Sessions1,024
L2 Forwarding
ARP table size per device128,000
IPv6 neighbor table size128,000
MAC table size per device128,000
Max ARP entries per broadcast domain128,000
Max MAC entries per broadcast domain128,000
NAT
Total NAT rule capacity16,000
Max NAT rules (static)*16,000
Max NAT rules (DIP)*16,000
Max NAT rules (DIPP)8,000
Max translated IPs (DIP)320,000
Max translated IPs (DIPP)*8,000
Default DIPP pool oversubscription*8
Address Assignment
DHCP servers225
Max number of assigned addresses64,000
High Availability
Devices supported2
Max virtual addresses4,096
QoS
Number of QoS policies4,000
Physical interfaces supporting QoS12
Clear text nodes per physical interface63
DSCP marking by policyYes
Subinterfaces supported2,048
IPSec VPN
Max IKE Peers5,000
Site to site (with proxy id)15,000
SD-WAN IPSec tunnels5,000
GlobalProtect Client VPN
Max tunnels (SSL, IPSec, and IKE with XAUTH)60,000
GlobalProtect Clientless VPN
Max SSL tunnels10,000
Multicast
Replication (egress interfaces)2,000
Routes4,000
Product Notes
End-of-saleNA