Just to add to this thread, yes you should be able to achieve 30Gbps max firewall performance by simply adding an NPC even if you do not use the ports on that NPC. However, there is a change that you may need to make on the system level. By default the session distribution policy is set for ingress-slot. That means that sessions will only be handled by the NPC that has connected ports. In order to load balance between all NPCs you would have to change the session distribution policy to either session-load, random or round-robin. The differences between each setting are documented here. https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/technical-documentation/hardware-guides/pa-7000-series/PA-7000-Series_Hardware_Guide.pdf Note that if in HA, the session distribution policy needs to configured the same on both HA peers separately as this is not sync'd with configurations.
... View more