Is there a way to increase the PA-3220 platform capacity limit for security policies, objects, or zones?
31947
Created On 02/21/19 02:48 AM - Last Modified 03/22/19 20:35 PM
Question
Limited policy and object capacity of the PA-3220 platforms may present challenges for large configurations
Sample of error message when exceeding the platform's max capacity:
Server error : zone-DMZ constraints failed : Maximum number of zones exceeded
Environment
- PAN-OS
- PA-3220
Answer
Feature is automatically enabled on upgrade to PAN-OS 9.0 where no configuration or additional licensing required
PA-3220 PAN-OS Chart Comparison
| Feature | PAN-OS 8.1 |
PAN-OS |
| Security Zones | ||
|
Max security zones
| 60 | 200 |
| Policy | ||
|
Security rulebase
| 2,500 | 10,000 |
|
Security rule schedules
| 256 | 256 |
|
SSL decryption rulebase
| 250 | 1,500 |
|
App Override rulebase
| 250 | 1,500 |
|
Tunnel content inspection rules
| 500 | 1,000 |
|
Policy Based Forwarding
| 500 | 1,000 |
|
Captive Portal
| 1,000 | 2,000 |
|
DoS Protection
| 1,000 | 2,000 |
| Objects (Addresses & Services) | ||
|
Max address entries
| 5,000 | 30,000 |
|
Max address groups
| 1,500 | 15,000 |
|
Max members per address group
| 2,500 | 2,500 |
|
Max services entries
| 1,000 | 4,000 |
|
Max services groups
| 375 | 2,000 |
|
Max members per services group
| 1,000 | 1,000 |
|
FQDN
| 2,000 | 2,000 |
|
Total IPs across all
Dynamic Address Groups | 5,000 | 10,000 |
*Note: Downgrade will fail if PAN-OS 8.1 capacities are exceeded. Reduce the amount of policies and objects in config if downgrade is needed
Additional Information
Refer to the 9.0 PAN-OS® New Features Guide for more information
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features.html