PA-VM Firewall in AWS achieves throughput of 2Gbps Over IPsec Tunnel

Created On 03/18/20 16:26 PM - Last Modified 05/23/24 09:46 AM


  • The bidirectional throughput of traffic across the IPsec tunnel is 2Gbps.

Log in to the firewall CLI and execute the CLI command below:

> show session info

Number of sessions supported: 4194290
Number of active sessions: 135
Number of active TCP sessions: 103
Number of active UDP sessions: 20
Number of active ICMP sessions: 5
Number of active BCAST sessions: 0
Number of active MCAST sessions: 0
Number of active predict sessions: 2
Session table utilization: 3%
Number of sessions created since bootup: 34
Packet rate: 170388/s
Throughput: 1823660 kbps <<<<<<<<<<<<<<<<<<<<<<<<<<<<<
New connection establish rate: 3 cps
  • The line highlighted above shows the overall firewall throughput, not just the throughput of the IPsec tunnel.
  • To determine the throughput of the IPsec tunnel specifically, either the firewall should handle only IPsec traffic, or a client/server pair can be used for testing.
  • In this case, the throughput on the PA-VM firewall is about 2Gbps.
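
The following is an added example, not part of the original article or of any Palo Alto Networks tooling: a small parser for the `show session info` output shown above that extracts the throughput and packet rate and derives the average packet size, which helps when comparing test runs. The function names are hypothetical, and it assumes `kbps` means 1000 bits per second.

```python
import re

# Constructed sample: the `show session info` lines quoted in this article,
# including the '<<<<' marker the article adds to highlight one line.
SAMPLE = """\
Number of sessions supported: 4194290
Number of active sessions: 135
Session table utilization: 3%
Packet rate: 170388/s
Throughput: 1823660 kbps <<<<<<<<<<<<<<<<<<<<<<<<<<<<<
New connection establish rate: 3 cps
"""

def parse_session_info(text):
    """Return {field name: raw value} for every 'name: value' line."""
    fields = {}
    for line in text.splitlines():
        line = line.split("<<", 1)[0].strip()  # drop the highlight marker
        if line.startswith(">") or ":" not in line:
            continue                           # skip the prompt and blanks
        name, value = line.split(":", 1)
        fields[name.strip()] = value.strip()
    return fields

def leading_int(value):
    """Parse the integer at the start of values like '170388/s' or '3%'."""
    match = re.match(r"\d+", value)
    if match is None:
        raise ValueError(f"no leading integer in {value!r}")
    return int(match.group())

def summarize(text):
    """Derive Gbps and mean packet size from the overall firewall counters."""
    fields = parse_session_info(text)
    kbps = leading_int(fields["Throughput"])
    pps = leading_int(fields["Packet rate"])
    return {
        "throughput_gbps": kbps / 1e6,  # assumption: 1 kbps = 1000 bit/s
        "packet_rate_pps": pps,
        "avg_packet_bytes": (kbps * 1000 / 8) / pps if pps else 0.0,
        "table_utilization_pct": leading_int(fields["Session table utilization"]),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

As the article notes, these counters cover all traffic on the firewall, so the derived figures describe the IPsec tunnel only when the tunnel carries essentially all of the load.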


  • Platform: PA-VM
  • PAN-OS: 10.2.x versions and above
  • Deployment: AWS


  • This limitation is due to the PAN-OS architecture, where each IPsec tunnel session is processed by only one core. Each core encapsulates and decapsulates the traffic, resulting in a bidirectional throughput of approximately 2Gbps.


  • To test the data transfer capacity of the IPsec tunnel, you can initiate data flow through the tunnel using both a client and a server. Currently, we are using AWS with 4 CPUs, capable of supporting a throughput of 2 Gigabits.
