MAX concurrent decryption sessions are decreased on Fixed model VM series firewalls after upgrading PAN-OS
Symptom
After upgrading PAN-OS to 11.1.6-h1 on a VM-100, the maximum number of concurrent SSL decryption sessions decreases to 5,000.
Before the upgrade, it was 6,400 sessions.
Environment
PA-VM (Fixed model such as VM-100)
PAN-OS 11.1.6-h1
Cause
This capacity change is by design. The change was implemented in PAN-OS 10.2.13, 11.1.4-h13, 11.1.6-h1, 11.2.4-h7 and 11.2.5 as PAN-260290.
You can check both capacities as shown below:
(Before upgrading)
> show session info | match supported
Number of sessions supported: 256000
> show system state filter-pretty cfg.general.max-session
cfg.general.max-session: 0x3e802 <<<--- 256,002
> show system state filter-pretty cfg.general.max-proxy-session
cfg.general.max-proxy-session: 0x1901 <<<--- 6,401
(After upgrading)
admin@Lab42-237-PA-VM> show session info | match supported
Number of sessions supported: 200000
> show system state filter-pretty cfg.general.max-session
cfg.general.max-session: 0x30d42 <<<--- 200,002
> show system state filter-pretty cfg.general.max-proxy-session
cfg.general.max-proxy-session: 0x1389 <<<--- 5,001
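The following is an added example, not part of the original article or any Palo Alto Networks tooling: a Python script that parses saved output of the two `show system state filter-pretty` commands above, decodes the hex values and reports how far each limit dropped. The function names and the observed peak of 5,600 decryption sessions are assumptions made for illustration.

```python
import re

# Matches "cfg.general.max-session: 0x3e802" or "cfg.general.max-proxy-session: 0x1901";
# prompts, echoed commands and trailing annotations are ignored.
STATE_LINE = re.compile(
    r"^\s*(cfg\.general\.max-(?:proxy-)?session):\s*(0x[0-9a-fA-F]+)", re.M)

# CLI output as shown in this article, saved before and after the upgrade.
BEFORE = """> show system state filter-pretty cfg.general.max-session
cfg.general.max-session: 0x3e802
> show system state filter-pretty cfg.general.max-proxy-session
cfg.general.max-proxy-session: 0x1901
"""
AFTER = """> show system state filter-pretty cfg.general.max-session
cfg.general.max-session: 0x30d42
> show system state filter-pretty cfg.general.max-proxy-session
cfg.general.max-proxy-session: 0x1389
"""

def parse_state(text):
    """Return {key: int} for the cfg.general.max-* keys found in saved CLI output."""
    return {key: int(value, 16) for key, value in STATE_LINE.findall(text)}

def capacity_diff(before, after):
    """Return {key: (before, after, delta)} for every key present in both captures."""
    b, a = parse_state(before), parse_state(after)
    return {k: (b[k], a[k], a[k] - b[k]) for k in b if k in a}

def headroom(after, observed_peak_decrypt):
    """Decryption sessions left under the new limit; negative means the peak no longer fits."""
    return parse_state(after)["cfg.general.max-proxy-session"] - observed_peak_decrypt

if __name__ == "__main__":
    for key, (old, new, delta) in capacity_diff(BEFORE, AFTER).items():
        print(f"{key}: {old} -> {new} ({delta:+d})")
    # 5600 is a constructed sample peak, not a value from the article.
    print("decryption headroom at peak 5600:", headroom(AFTER, 5600))
```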
Resolution
If you want to increase the maximum supported sessions or concurrent SSL decryption sessions, you have to change the VM license from the fixed model to the credit model and assign more memory to the VM instance.
Note: The fixed model license has already reached EOS, so you are unable to upgrade the VM model for now.
Additional Information
This capacity change is related to PAN-260290.
The maximum supported sessions before and after applying PAN-260290 are described in the following document.