https://live.paloaltonetworks.com/t5/next-generation-firewall/firewall-sessions/m-p/1245333#M6590 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1383433371">@wasan.altalhouni</a>&nbsp;,</P> <P>&nbsp;</P> <P>It sounds like the vendor is trying to sell 'Aggregate Session Limits' by load-balancing across two boxes ? While you can technically spread the load, you aren't 'adding' the capacity of the hardware. You are just splitting the risk. If a single session exceeds the limit of one box, or if one box fails, the whole 'added' math falls apart because the session state can't be seamlessly shared at that scale.<BR /><BR />You should size firewalls based on the single-appliance limit and should avoid&nbsp;playing "math games" with HA pairs because security is about reliability. If you need 200k sessions, you buy a box rated for 200k sessions.</P> <P>&nbsp;</P> <P>Think about what happens during a failover&nbsp;— If they are truly 'combining' sessions to reach a higher number, what happens to the traffic when one firewall needs a reboot or a cable gets pulled? The risk is that one firewall can't handle the load of both and there's a risk that the network goes down.&nbsp; At that point they've bought a single point of failure split into two boxes.</P> <P>&nbsp;</P> <P>Kind regards,</P> Mon, 12 Jan 2026 09:10:30 GMT kiwi 2026-01-12T09:10:30Z https://live.paloaltonetworks.com/t5/next-generation-firewall/firewall-sessions/m-p/1245321#M6587 <LI-SPOILER><FONT size="4">I'm in a competition against a vendor who is claiming that two small firewalls sessions (not bandwidth ) can be added to give higher number of sessions and the customer seems to be buying it, although the.firewall doesn't work that way as its a statedul device and sessions can't be added to maximise the number of sessions I've seen in in the Firewall RFC but wanted to verify this from paloalto as well</FONT></LI-SPOILER> Mon, 12 Jan 2026 05:00:35 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/firewall-sessions/m-p/1245321#M6587 wasan.altalhouni 2026-01-12T05:00:35Z https://live.paloaltonetworks.com/t5/next-generation-firewall/firewall-sessions/m-p/1245333#M6590 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1383433371">@wasan.altalhouni</a>&nbsp;,</P> <P>&nbsp;</P> <P>It sounds like the vendor is trying to sell 'Aggregate Session Limits' by load-balancing across two boxes ? While you can technically spread the load, you aren't 'adding' the capacity of the hardware. You are just splitting the risk. If a single session exceeds the limit of one box, or if one box fails, the whole 'added' math falls apart because the session state can't be seamlessly shared at that scale.<BR /><BR />You should size firewalls based on the single-appliance limit and should avoid&nbsp;playing "math games" with HA pairs because security is about reliability. If you need 200k sessions, you buy a box rated for 200k sessions.</P> <P>&nbsp;</P> <P>Think about what happens during a failover&nbsp;— If they are truly 'combining' sessions to reach a higher number, what happens to the traffic when one firewall needs a reboot or a cable gets pulled? The risk is that one firewall can't handle the load of both and there's a risk that the network goes down.&nbsp; At that point they've bought a single point of failure split into two boxes.</P> <P>&nbsp;</P> <P>Kind regards,</P> Mon, 12 Jan 2026 09:10:30 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/firewall-sessions/m-p/1245333#M6590 kiwi 2026-01-12T09:10:30Z