Palo Alto Networks Enterprise Firewall PA-5220
No Compromise Security, High-Performance Versatility

Palo Alto Networks Enterprise Firewall PA-5250

Looking for sizing recommendation? Take our Firewall Sizing Survey

Please Note: We cannot provide sizing recommendations for Palo Alto firewalls being deployed outside of the United States. Palo Alto firewalls are only available for
licensed businesses (not home users). Palo Alto firewalls cannot be sold outside of the United States excluding Canada. 1 Year minimum of Partner Enabled Backline Support is required for all new Palo Alto firewall purchases

Palo Alto Networks Products

PA-5220 Series Hardware

Palo Alto Networks PA-5220 with redundant AC power supplies

#PAN-PA-5220-AC
Get a Quote!

Palo Alto Networks PA-5220 with redundant DC power supplies

#PAN-PA-5220-DC
Get a Quote!

Partner Enabled Premium Support

Partner enabled premium support year 1, PA-5220

#PAN-SVC-BKLN-5220
Get a Quote!

Partner enabled premium support renewal, PA-5220

#PAN-SVC-BKLN-5220-R
Get a Quote!

Partner enabled premium support 3-year prepaid, PA-5220

#PAN-SVC-BKLN-5220-3YR
Get a Quote!

Partner enabled premium support 3-year prepaid renewal, PA-5220

#PAN-SVC-BKLN-5220-3YR-R
Get a Quote!

Partner enabled premium support 5 year prepaid, PA-5220

#PAN-SVC-BKLN-5220-5YR
Get a Quote!

Partner enabled premium support 5 year prepaid renewal, PA-5220

#PAN-SVC-BKLN-5220-5YR-R
Get a Quote!

Click here to jump to more pricing!

Overview:

Key Security Features:

Classifies all applications, on all ports, all the time

Identifies the application, regardless of port, encryption (SSL or SSH), or evasive technique employed
Uses the application, not the port, as the basis for all of your safe enablement policy decisions: allow, deny, schedule, inspect and apply traffic-shaping
Categorizes unidentified applications for policy control, threat forensics or App-ID™ application identification technology development

Enforces security policies for any user, at any location

Deploys consistent policies to local and remote users running on the Windows®, Mac® OS X®, Linux®, Android™ or Apple® iOS platforms
Enables agentless integration with Microsoft® Active Directory® and Terminal Services, LDAP, Novell® eDirectory™ and Citrix®
Easily integrates your firewall policies with 802.1X wireless, proxies, NAC solutions, and any other source of user identity information

Prevents known and unknown threats

Blocks a range of known threats, including exploits, malware and spyware, across all ports, regardless of common threat-evasion tactics employed
Limits the unauthorized transfer of files and sensitive data, and safely enables non-work-related web surfing
Identifies unknown malware, analyzes it based on hundreds of malicious behaviors, and then automatically creates and delivers protection

The controlling element of the PA-5200 Series is PAN-OS®, security operating system, which that natively classifies all traffic, inclusive of applications, threats and content, and then ties that traffic to the user, regardless of location or device type. The application, content and user – in other words, the business elements that run your business – are then used as the basis of your security policies, resulting in an improved security posture and a reduction in incident response time.

Performance and Capacities¹	PA-5260	PA-5250	PA-5220
Firewall throughput2 (App-ID enabled)	72.2 Gbps	35.9 Gbps	18.5 Gbps
Threat prevention throughput3	30 Gbps	20.3 Gbps	9.2 Gbps
IPsec VPN throughput	21 Gbps	14 Gbps	5 Gbps
Max sessions	32,000,000	8,000,000	4,000,000
New sessions per second4	458,000	348,000	169,000
Virtual systems (base/max5)	25/225	25/125	10/20

Performance and capacities are measured under ideal testing conditions.

Firewall throughput measured with App-ID and User-ID features enabled utilizing 64K HTTP transactions

Threat prevention throughput measured with App-ID, User-ID, IPS, AntiVirus and Anti-Spyware features enabled utilizing 64K HTTP transactions

New sessions per second is measured with 4K HTTP transactions

Adding virtual systems base quantity requires a separately purchased license

Networking Features:

Interface Modes

L2, L3, Tap, Virtual wire (transparent mode)
Point-to-point protocol over Ethernet (PPPoE) and DHCP supported for dynamic address assignment

Routing

OSPFv2/v3 with graceful restart, BGP with graceful restart, RIP, Static routing
Policy-based forwarding
Multicast: PIM-SM, PIM-SSM, IGMP v1, v2, and v3
Bidirectional Forwarding Detection (BFD)

IPv6

L2, L3, Tap, Virtual Wire (transparent mode)
Features: App-ID™, User-ID™, Content-ID™, WildFire™, and SSL decryption
SLAAC

IPsec VPN

Key exchange: Manual key, IKE v1 and IKEv2 (pre-shared key, certificate-based authentication)
Encryption: 3DES, AES (128-bit, 192-bit, 256-bit)
Authentication: MD5, SHA-1, SHA-256, SHA-384, SHA-512
GlobalProtect™ large-scale VPN (LSVPN) for simplified configuration and management

VLANs

802.1q VLAN tags per device/per interface: 4,094/4,094
Aggregate interfaces (802.3ad), LACP

Network Address Translation (NAT)

NAT modes (IPv4): static IP, dynamic IP, dynamic IP and port (port address translation)
NAT64, NPTv6
Additional NAT features: Dynamic IP reservation, tun- able dynamic IP and port oversubscription

High Availability

Modes: Active/Active, Active/Passive
Failure detection: Path monitoring, interface monitoring

Technical Specifications:

I/O

PA-5260 | PA-5250 - (4) 100/1000/10G Cu, (16) Gig/10Gig SFP/SFP+, (4) 40G/100G QSFP28

PA-5220 – (4)100/1000/10G Cu, (16) Gig/10Gig SFP/SFP+, (4) 40G QSFP+

Management I/O

PA-5260 | PA-5250 - (2) 10/100/1000, (1) 40G/100G QSFP28 HA, (1) 10/100/1000 out-of-band management, (1) RJ45 console port

PA-5220 - (2) 10/100/1000, (1) 40G QSFP+ HA, (1) 10/100/1000 out-of-band management, (1) RJ45 console port

Storage Options

Dual Solid State Disk Drives

Storage Capacity

240GB SSD, RAID1, System Storage 2TB HDD, RAID1, Log Storage

Power (Max Power Consumption)

870 Watts

Max BTU/hr

2,970

Power Supplies (base/max)

1:1 Fully Redundant (2/2)

AC Input Voltage (input Hz)

100-240VAC (50-60Hz)

AC Power Supply Output

1200 Watt/power supply

Max Current

AC power supplies — 6.5A@100-240VAC DC power supplies — 19A@-40 to -60VDC

Max Inrush Current

AC power supplies — 50A@230VAC, 50A@120VAC DC power supplies — 200A@72VDC

Mean Time Between Failure (MTBF)

9.23 Years

Rack Mount (Dimensions)

3U, 19” Standard Rack

5.25”H X 20.5”D X 17.25”W (13.33cm X 52.07cm X 43.81cm)

Weight

46lbs (20.87Kg) System only, 62lbs (28.13Kg) as shipped

Safety

cCSAus, CB IEC60950-1

EMI

FCC Class A, CE Class A, VCCI Class A

Certifications

See https://www.paloaltonetworks.com/company/certifications.html

Environment

Operating Temperature: 32°F to 122°F (0° to 50°C)

Non-Operating Temperature: -20° to 70°C (-4°F to 158°F)

Documentation:

Download the Palo Alto Networks Firewall Overview Datasheet (PDF).

Download the Palo Alto Networks PA-5200 Series Specification Datasheet (PDF).

Pricing Notes:

Pricing subject to change without notice.
We cannot provide sizing recommendations for Palo Alto firewalls being deployed outside of the United States.
Palo Alto firewalls are only available for licensed businesses (not home users). Palo Alto firewalls cannot be sold outside of the United States excluding Canada. 1 Year minimum of Partner Enabled Backline Support is required for all new Palo Alto firewall purchases

Palo Alto Networks Products

PA-5220 Series Hardware

Palo Alto Networks PA-5220 with redundant AC power supplies

#PAN-PA-5220-AC
Get a Quote!

Palo Alto Networks PA-5220 with redundant DC power supplies

#PAN-PA-5220-DC
Get a Quote!

Partner Enabled Premium Support

Partner enabled premium support year 1, PA-5220

#PAN-SVC-BKLN-5220
Get a Quote!

Partner enabled premium support renewal, PA-5220

#PAN-SVC-BKLN-5220-R
Get a Quote!

Partner enabled premium support 3-year prepaid, PA-5220

#PAN-SVC-BKLN-5220-3YR
Get a Quote!

Partner enabled premium support 3-year prepaid renewal, PA-5220

#PAN-SVC-BKLN-5220-3YR-R
Get a Quote!

Partner enabled premium support 5 year prepaid, PA-5220

#PAN-SVC-BKLN-5220-5YR
Get a Quote!

Partner enabled premium support 5 year prepaid renewal, PA-5220

#PAN-SVC-BKLN-5220-5YR-R
Get a Quote!

Advanced Threat Prevention

Advanced Threat Prevention subscription year 1, PA-5220

#PAN-PA-5220-ATP
Get a Quote!

Advanced Threat Prevention subscription renewal, PA-5220

#PAN-PA-5220-ATP-R
Get a Quote!

Advanced Threat Prevention subscription for device in an HA pair year 1, PA-5220

#PAN-PA-5220-ATP-HA2
Get a Quote!

Advanced Threat Prevention subscription 3-year term, PA-5220

#PAN-PA-5220-ATP-3YR
Get a Quote!

Advanced Threat Prevention subscription 3-year term renewal, PA-5220

#PAN-PA-5220-ATP-3YR-R
Get a Quote!

Advanced Threat Prevention subscription 3 year term for device in an HA pair, PA-5220

#PAN-PA-5220-ATP-3YR-HA2
Get a Quote!

Advanced Threat Prevention subscription 3 year term renewal for device in an HA pair, PA-5220

#PAN-PA-5220-ATP-3YR-HA2-R
Get a Quote!

Advanced Threat Prevention subscription 5-year term, PA-5220

#PAN-PA-5220-ATP-5YR
Get a Quote!

Advanced Threat Prevention subscription 5-year term renewal, PA-5220

#PAN-PA-5220-ATP-5YR-R
Get a Quote!

Advanced Threat Prevention subscription 5 year term for device in an HA pair, PA-5220

#PAN-PA-5220-ATP-5YR-HA2
Get a Quote!

Advanced Threat Prevention subscription 5 year term renewal for device in an HA pair, PA-5220

#PAN-PA-5220-ATP-5YR-HA2-R
Get a Quote!

Advanced Threat Prevention subscription for device in an HA pair renewal, PA-5220

#PAN-PA-5220-ATP-HA2-R
Get a Quote!

FIPS Hardware Kit

FIPS hardware kit for the PA-5200 Series

#PAN-FIPS-KIT-5200
Get a Quote!

Power supply

PA-5200 Series 1200 Watt AC power supply

#PAN-PWR-1200W-AC
Get a Quote!

PA-5200 Series 1200 Watt DC power supply

#PAN-PWR-1200W-DC
Get a Quote!

Transceivers

NOTE: only models or series cited are supported, unlisted models or series are not supported

QSFP+ form factor, 40Gb Bidirectional optical transceiver, 100m reach over OM3 MMF, 150m over OM4 MMF, duplex LC
PA-7000 Series, PA-5450, PA-5200 Series, PA-3260; NOTE: only models or series cited are supported, unlisted models or series are not supported

#PAN-QSFP-40GBASE-BIDI
Get a Quote!

QSFP+ form factor, 40Gb ER4 optical transceiver, extended reach 40Km, SMF, duplex LC, IEEE 802.3ba 40GBASE-ER4 compliant
PA-7000 Series, PA-5450, PA-5200 Series, PA-3260; NOTE: only models or series cited are supported, unlisted models or series are not supported

#PAN-QSFP-40GBASE-ER4
Get a Quote!

QSFP+ form factor, 40Gb LM4 universal optical transceiver, 140m OM3 MMF, 160m OM4 MMF, 1km SMF, duplex LC, utilizes IEEE 802.3ba 40GBASE-LR4 4x10G channel plan adaptation referred to as 40GBASE-LM4
PA-7000 Series, PA-5450, PA-5200 Series, PA-3260; NOTE: only models or series cited are supported, unlisted models or series are not supported

#PAN-QSFP-40GBASE-LM4
Get a Quote!

QSFP+ form factor, 40Gb LR4 optical transceiver, long reach 10Km, SMF, duplex LC, IEEE 802.3ba 40GBASE-LR4 compliant
PA-7000 Series, PA-5450, PA-5200 Series, PA-3260; NOTE: only models or series cited are supported, unlisted models or series are not supported

#PAN-QSFP-40GBASE-LR4
Get a Quote!

QSFP+ form factor, 40Gb SR4 optical transceiver, short reach 100m OM3, 8/12 strand MPO connector, IEEE 802.3ba 40GBASE-SR4 compliant
PA-7000 Series, PA-5450, PA-5200 Series, PA-3260; NOTE: only models or series cited are supported, unlisted models or series are not supported

#PAN-QSFP-40GBASE-SR4
Get a Quote!

QSFP+ form factor, 40Gb active optical cable with 2 transceivers and 10m of cable permanently bonded as an assembly
PA-7000 series, PA-5450, PA-5200 Series, PA-3260; NOTE: only models or series cited are supported, unlisted models or series are not supported

#PAN-QSFP-AOC-10M
Get a Quote!

SFP form factor, 1Gb copper transceiver, 100m over Cat5 RJ-45, IEEE 802.3ab 1000BASE-T compliant
PA-7000 Series, PA-5450, PA-5000 Series, PA-5200 Series, PA-3200 Series, PA-3000 Series, PA-800 Series, PA-220R; NOTE: only models or series cited are supported, unlisted models or series are not supported

#PAN-SFP-CG
Get a Quote!

SFP form factor, LX 1Gb optical transceiver, 10Km reach, SMF, duplex LC, IEEE 802.3ab 1000BASE-LX compliant
PA-7000 Series, PA-5450, PA-5000 Series, PA-5200 Series, PA-3200 Series, PA-3000 Series, PA-800 Series. PA-220R; NOTE: only models or series cited are supported, unlisted models or series are not supported

#PAN-SFP-LX
Get a Quote!

SFP+ form factor, 10Gb copper transceiver, 30m over Cat6a RJ-45, IEEE 802.3an 10GBASE-T compliant
PA-7050-SMC-B, PA-7080-SMC-B, PA-7000-100G-NPC-A, PA-7000-20GQXM-NPC, PA-5450 (NC only), PA-5200 Series, PA-5050, PA-5060, PA-3060, PA-850; NOTE: only models or series cited are supported, unlisted models or series are not supported

#PAN-SFP-PLUS-10GBASE-T
Get a Quote!

SFP+ form factor, ER 10Gb optical transceiver, extended reach 40Km, SMF, duplex LC, IEEE 802.3ae 10GBASE-ER compliant
PA-7000 series, PA-5450 (NC only), PA-5200 Series, PA-5060, PA-5050, PA-3200 Series, PA-3060, PA-850; NOTE: only models or series cited are supported, unlisted models or series are not supported

#PAN-SFP-PLUS-ER
Get a Quote!

SFP+ form factor, LR 10Gb optical transceiver, long reach 10Km, SMF, duplex LC, IEEE 802.3ae 10GBASE-LR compliant
PA-7000 series, PA-5450, PA-5200 Series, PA-5060, PA-5050, PA-3200 Series, PA-3060, PA-850; NOTE: only models or series cited are supported, unlisted models or series are not supported

#PAN-SFP-PLUS-LR
Get a Quote!

SFP+ form factor, SR 10Gb optical transceiver, short reach 300m, OM3 MMF, duplex LC, IEEE 802.3ae 10GBASE-SR compliant
PA-7000 series, PA-5450, PA-5200 Series, PA-5060, PA-5050, PA-3200 Series, PA-3060, PA-850; NOTE: only models or series cited are supported, unlisted models or series are not supported

#PAN-SFP-PLUS-SR
Get a Quote!

SFP form factor, SX 1Gb optical transceiver, 550m reach on OM2 MMF, duplex LC, IEEE 802.3z 1000BASE-SX compliant
PA-7000 Series, PA-5450, PA-5000 Series, PA-5200 Series, PA-3200 Series, PA-3000 Series, PA-800 Series, PA-220R; NOTE: only models or series cited are supported, unlisted models or series are not supported

#PAN-SFP-SX
Get a Quote!

SFP form factor, ZX 1Gb optical transceiver, 80Km reach, SMF, duplex LC
PA-7000 Series, PA-5000 Series, PA-5200 Series, PA-3200 Series, PA-3000 Series, PA-800 Series, PA-220R; NOTE: only models or series cited are supported, unlisted models or series are not supported

#PAN-SFP-ZX
Get a Quote!

TAA Compliant QSFP+ form factor, 40Gb LR4 optical transceiver, long reach 10Km, SMF, duplex LC, IEEE 802.3ba 40GBASE-LR4 compliant
PA-7000 Series, PA-5450, PA-5200 Series, PA-3260; NOTE: only models or series cited are supported, unlisted models or series are not supported

#PAN-T-Q-40GBASE-LR4
Get a Quote!

TAA Compliant QSFP+ form factor, 40Gb SR4 optical transceiver, short reach 100m OM3, 8/12 strand MPO connector, IEEE 802.3ba 40GBASE-SR4 compliant
PA-7000 Series, PA_5450, PA-5200 Series, PA-3260; NOTE: only models or series cited are supported, unlisted models or series are not supported

#PAN-T-Q-40GBASE-SR4
Get a Quote!

TAA Compliant SFP form factor, 1Gb copper transceiver, 100m over Cat5 RJ-45, IEEE 802.3ab 1000BASE-T compliant
PA-7000 Series, PA-5450, PA-5000 Series, PA-5200 Series, PA-3200 Series, PA-3000 Series, PA-800 Series, PA-220R; NOTE: only models or series cited are supported, unlisted models or series are not supported

#PAN-T-S-CG
Get a Quote!

TAA Compliant SFP form factor, LX 1Gb optical transceiver, 10Km reach, SMF, duplex LC, IEEE 802.3ab 1000BASE-LX compliant
PA-7000 Series, PA-5450, PA-5000 Series, PA-5200 Series, PA-3200 Series, PA-3000 Series, PA-800 Series. PA-220R; NOTE: only models or series cited are supported, unlisted models or series are not supported

#PAN-T-S-LX
Get a Quote!

TAA Compliant SFP+ form factor, LR 10Gb optical transceiver, long reach 10Km, SMF, duplex LC, IEEE 802.3ae 10GBASE-LR compliant
PA-7000 series, PA-5450, PA-5200 Series, PA-5060, PA-5050, PA-3200 Series, PA-3060, PA-850; NOTE: only models or series cited are supported, unlisted models or series are not supported

#PAN-T-S-PLUS-LR
Get a Quote!

TAA Compliant SFP+ form factor, SR 10Gb optical transceiver, short reach 300m, OM3 MMF, duplex LC, IEEE 802.3ae 10GBASE-SR compliant
PA-7000 series, PA-5450, PA-5200 Series, PA-5060, PA-5050, PA-3200 Series, PA-3060, PA-850; NOTE: only models or series cited are supported, unlisted models or series are not supported

#PAN-T-S-PLUS-SR
Get a Quote!

TAA Compliant SFP form factor, SX 1Gb optical transceiver, 550m reach on OM2 MMF, duplex LC, IEEE 802.3z 1000BASE-SX compliant
PA-7000 Series, PA-5450, PA-5000 Series, PA-5200 Series, PA-3200 Series, PA-3000 Series, PA-800 Series, PA-220R; NOTE: only models or series cited are supported, unlisted models or series are not supported

#PAN-T-S-SX
Get a Quote!

Cable

NOTE: only models or series cited are supported, unlisted models or series are not supported

SFP+ form factor, 10Gb direct attach twin-ax passive cable with 2 transceiver ends and 5m of cable permanently bonded as an assembly, IEEE 802.3ae 10GBASE-CR compliant
PA-7000 Series, PA-5450, PA-5200 Series, PA-5060, PA-5050,PA-3200 Series PA-3060, PA-850; NOTE: only models or series cited are supported, unlisted models or series are not supported

#PAN-SFP-PLUS-CU-5M
Get a Quote!

PA-5200 Packaging Set

PA-5200 packaging set - 1 each of ESD unit bag, foam set, insert tray, and shipping box

#PAN-PA-5200-PKG-SET
Get a Quote!