Is there a way to increase the PA-5220 platform capacity limit for security policies, objects, or zones?
24883
Created On 02/22/19 03:22 AM - Last Modified 03/22/19 20:37 PM
Question
Limited policy and object capacity of the PA-5220 platforms may present challenges for large configurations
Sample of error message when exceeding the platform's max capacity:
Server error : zone-DMZ constraints failed : Maximum number of zones exceeded
Environment
- PAN-OS
- PA-5220
Answer
Feature is automatically enabled on upgrade to PAN-OS 9.0 where no configuration or additional licensing required
PA-5220 PAN-OS Chart Comparison
| Feature | PAN-OS 8.1 |
PAN-OS |
| Security Zones | ||
|
Max security zones
| 2,500 | 5,000 |
| Policy | ||
|
Security rulebase
| 20,000 | 30,000 |
|
Security rule schedules
| 256 | 256 |
|
SSL decryption rulebase
| 2,000 | 3,500 |
|
App Override rulebase
| 2,000 | 3,500 |
|
Tunnel content inspection rules
| 2,000 | 2,500 |
|
Policy Based Forwarding
| 2,000 | 2,000 |
|
Captive Portal
| 2,000 | 2,000 |
|
DoS Protection
| 1,000 | 1,000 |
| Objects (Addresses & Services) | ||
|
Max address entries
| 40,000 | 80,000 |
|
Max address groups
| 4,000 | 40,000 |
|
Max members per address group
| 2,500 | 2,500 |
|
Max services entries
| 2,000 | 8,000 |
|
Max services groups
| 250 | 4,000 |
|
Max members per services group
| 500 | 2,500 |
|
FQDN
| 6,144 | 6,144 |
|
Total IPs across all
Dynamic Address Groups | 100,000 | 100,000 |
*Note: Downgrade will fail if PAN-OS 8.1 capacities are exceeded. Reduce the amount of policies and objects in config if downgrade is needed
Additional Information
Refer to the 9.0 PAN-OS® New Features Guide for more information
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features.html