MAC Address Limit on the Palo Alto 500 Firewalls

One of my clients recently suffered from continuous semi-outages with peculiar symptoms. As the number of people logging onto the internal network increased, new users were unable to access resources while existing users were completely unaffected. Initially, the two causes that came to mind were service policy limits and utilization on the data plane. I have deployed many Palo Alto 500s before, and after careful analysis of these issues I realized that the amount of traffic should not warrant such behavior.

After calling support and escalating the ticket, it turned out that the Palo Alto 500 firewalls have a software limit of 500 MAC addresses. That number is extremely low and does not make sense; however, there is no way around it. I decided to relocate the firewall behind a Cisco router, because Cisco routers do not have MAC address limitations (memory permitting).

All in all, the Palo Alto firewall is extremely powerful at preventing attacks and analyzing deep into the packets; however, on layer 2 capability I would say they missed the mark here. Interestingly enough, Palo Alto just issued a new patch that increases the limit to 1,000 MAC addresses. This makes much more sense, so kudos to them for listening to their partners.
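A check worth having on any segment that sits directly on a device with a learned-MAC limit: count the distinct MAC addresses the device currently sees per interface and compare the figure against the limit before new hosts start failing. The script below is an added example, not code from the original post and not a Palo Alto tool; it parses the Linux `ip neigh show` output format over a constructed sample (the limit and warning ratio are parameters you take from your own platform's documentation). The sample also illustrates the relocation described above: a segment with hosts directly attached contributes hundreds of entries, while a segment reached through a router contributes only the router's single MAC.

```python
"""Count distinct MAC addresses per interface from a neighbor table and
compare the count against a per-platform limit.

Added example (not from the original post, not a Palo Alto tool). It reads the
Linux `ip neigh show` format; feed it real output with
`check_mac_headroom(subprocess.check_output(["ip", "neigh", "show"], text=True), limit)`.
"""

import re
from collections import defaultdict

# One `ip neigh show` row looks like:
#   192.168.10.23 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE
# Rows in FAILED/INCOMPLETE state carry no `lladdr` and therefore no MAC.
NEIGH_RE = re.compile(
    r"^\S+\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\b"
)


def parse_neighbors(text):
    """Return {interface: set of lowercase MACs} from neighbor-table text.

    Duplicate rows (one MAC with several IPs, mixed-case hex) collapse to a
    single MAC, which is what a hardware/software MAC table counts.
    """
    macs = defaultdict(set)
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue  # FAILED/INCOMPLETE rows, blank lines, other noise
        macs[m.group("dev")].add(m.group("mac").lower())
    return macs


def check_mac_headroom(text, limit, warn_ratio=0.8):
    """Return {interface: (distinct_mac_count, status)}.

    status is 'full' at or above the limit, 'warn' at or above
    warn_ratio * limit, otherwise 'ok'.
    """
    result = {}
    for dev, seen in parse_neighbors(text).items():
        count = len(seen)
        if count >= limit:
            status = "full"
        elif count >= warn_ratio * limit:
            status = "warn"
        else:
            status = "ok"
        result[dev] = (count, status)
    return result


# Constructed sample (not captured from a real network):
#  - eth1: 400 directly attached hosts with unique MACs, plus a second IP for
#    host 1, an upper-case repeat of host 2's MAC, and a FAILED row with no MAC
#  - eth0: a segment reached through a router, so only the router's MAC shows
_ETH1_HOSTS = "\n".join(
    f"10.0.{i >> 8}.{i & 0xFF} dev eth1 lladdr 02:00:00:00:{i >> 8:02x}:{i & 0xFF:02x} REACHABLE"
    for i in range(1, 401)
)
SAMPLE = (
    _ETH1_HOSTS
    + "\n10.0.9.250 dev eth1 lladdr 02:00:00:00:00:01 STALE"
    + "\n10.0.9.251 dev eth1 lladdr 02:00:00:00:00:02 REACHABLE"
    + "\n10.0.9.252 dev eth1  FAILED"
    + "\n203.0.113.1 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE\n"
)


if __name__ == "__main__":
    # Limits are illustrative: the post quotes 500, raised to 1,000 by a patch.
    for limit in (500, 1000):
        print(f"limit={limit}")
        for dev, (count, status) in sorted(check_mac_headroom(SAMPLE, limit).items()):
            print(f"  {dev}: {count} distinct MACs -> {status}")
```

Run it periodically (cron, or a monitoring agent) on a host that shares the segment with the firewall's inside interface; an interface that reports `warn` is the early signal that the next wave of new hosts will be the ones that cannot reach anything.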