Compare Firewall Products

PA-220 & PA-800 Series:

	PA-220	PA-220R	PA-820	PA-850
Firewall Performance and Capacities1
Firewall throughput (App-ID, appmix)	580 Mbps	580 Mbps	1.6 Gbps	2 Gbps
Threat Prevention throughput (appmix)	280 Mbps	280 Mbps	800 Mbps	1 Gbps
IPsec VPN throughput	500 Mbps	500 Mbps	1.2 Gbps	1.6 Gbps
New sessions per second	4,200	4,200	8,300	13,000
Maximum sessions	64,000	64,000	128,000	192,000
Virtual systems (base)	1	1	1	1
Hardware Specifications
Interfaces supported2	(8) 10/100/1000	(6) 10/100/1000 and 2 SFP	(4) 10/100/1000, (8) SFP	(4) 10/100/1000, (4) SFP, (4) 10 SFP+
Management I/O	(1) 10/100/1000 Out-of-band management, (1) RJ-45 Console, (1) USB, (1) Micro USB console	(1) 10/100/1000 Out-of-band management, (1) RJ-45 Console, (1) USB, (1) Micro USB console	(1) 10/100/1000 out-of-band management, (2) 10/100/1000 high availability, (1) RJ-45 console, (1) USB, (1) Micro USB console
Size	1.62” H x 6.29” D x 8.07” W	2.0” H x 8.66” D x 9.25” W	1U, 19” standard rack
Power supply	Dual redundant 40 W	None	200 W	(2) 500 W AC; one is redundant
Redundant power supply	Yes (optional)	None	No	Yes
Disk drives	32 GB EMMC	32 GB EMMC	240 GB SSD	240 GB SSD
Hot-swappable fans	No	No	No	No

(1) Optical/Copper transceivers are sold separately.

PA 3200 Series:

	PA-3220	PA-3250	PA-3260
Firewall Performance and Capacities1
Firewall throughput (App-ID, appmix)	10 Gbps	6.6 Gbps	5 Gbps
Threat Prevention throughput (appmix)	4.4 Gbps	3 Gbps	2.4 Gbps
IPsec VPN throughput	4.8 Gbps	3.2 Gbps	2.7 Gbps
New sessions per second	118,000	84,000	57,000
Maximum sessions	3,000,000	2,000,000	1,000,000
Virtual systems (base/max2)	1/6	1/6	1/6
Hardware Specifications
Interfaces supported3	(12) 10/100/1000, (4) 1G SFP, (4) 1G/10G SFP/SFP+	(12) 10/100/1000, (8) 1G/10G SFP/SFP+	(12) 10/100/1000, (8) 1G/10G SFP/SFP+, (4) 40G QSFP+
Management I/O	(1) 10/100/1000 out-of-band management port, (2) 10/100/1000 high availability, (1) 10G SFP+ high availability, (1) RJ-45 console port, (1) Micro USB
Size	2U, 19” standard rack (3.5” H x 20.53” D x 17.34” W)
Power supply	650 W AC or DC (180/240)	650 W AC or DC (180/240)	650 W AC or DC (180/240)
Redundant power supply	Yes	Yes	Yes
Disk drives	240 GB SSD	240 GB SSD	240 GB SSD
Hot-swappable fans	Yes	Yes	Yes

(1) VM-Series performance will vary based on underlying virtualization infrastructure (hypervisor/cloud). Refer to the individual datasheets for detailed performance and testing information.
(2) Adding virtual systems to the base quantity requires a separately purchased license.
(3) Optical/Copper transceivers are sold separately.

PA 5200 Series:

	PA-5220	PA-5250	PA-5260	PA-5280
Firewall Performance and Capacities1
Firewall throughput (App-ID, appmix)	20 Gbps	40 Gbps	56 Gbps	56 Gbps
Threat Prevention throughput (appmix)	8.9 Gbps	21 Gbps	31.5 Gbps	31.5 Gbps
IPsec VPN throughput	10 Gbps	18 Gbps	27 Gbps	27 Gbps
New sessions per second	150,000	284,000	390,000	390,000
Maximum sessions	4,000,000	8,000,000	32,000,000	64,000,000
Virtual systems (base/max2)	10/20	25/125	25/225	25/225
Hardware Specifications
Interfaces supported NPC option 13	(4) 100/1000/10G Cu, (16) 1G/10G SFP/SFP+, (4) 40G QSFP+	(4) 100/1000/10G Cu, (16) 1G/10G SFP/SFP+, (4) 40G/100G QSFP28	(4) 100/1000/10G Cu, (16) 1G/10G SFP/SFP+, (4) 40G/100G QSFP28	(4) 100/1000/10G Cu, (16) 1G/10G SFP/SFP+, (4) 40G/100G QSFP28
Management I/O	(2) 10/100/1000 Cu, (1) 10/100/1000 out-of-band management, (1) RJ45 console, (1) 40G QSFP+ HA	(2) 10/100/1000 Cu, (1) 10/100/1000 out-of-band management, (1) RJ45 console, (1) 40G/100G QSFP28 HA
Size	3U, 19” standard rack	3U, 19” standard rack	3U, 19” standard rack	3U, 19” standard rack
Power supply	(2) 1200 W AC or DC (1:1 fully redundant)	(2) 1200 W AC or DC (1:1 fully redundant)	(2) 1200 W AC or DC (1:1 fully redundant)	(2) 1200 W AC or DC (1:1 fully redundant)
Redundant power supply	Yes	Yes	Yes	Yes
Disk drives	System: 240 GB SSD, RAID1 | Log: 2 TB HDD, RAID1	System: 240 GB SSD, RAID1 | Log: 2 TB HDD, RAID1	System: 240 GB SSD, RAID1 | Log: 2 TB HDD, RAID1	System: 240 GB SSD, RAID1 | Log: 2 TB HDD, RAID1
Hot-swappable fans	Yes	Yes	Yes	Yes

(1) VM-Series performance will vary based on underlying virtualization infrastructure (hypervisor/cloud). Refer to the individual datasheets for detailed performance and testing information.
(2) Adding virtual systems to the base quantity requires a separately purchased license.
(3) Optical/Copper transceivers are sold separately.

PA 7000 Series:

	PA-7050	PA-7080
Firewall Performance and Capacities1
Firewall throughput (App-ID, appmix)	360 Gbps	700 Gbps
Threat Prevention throughput (appmix)	198 Gbps	350 Gbps
IPsec VPN throughput	168 Gbps	280 Gbps
New sessions per second	2,900,000	4,800,000
Maximum sessions	192,000,000	320,000,000
Virtual systems (base/max2)	25/225	25/225
Hardware Specifications
Interfaces supported NPC option 14	Up to (72) 10/100/1000, (48) SFP/ SFP+, (24) QSFP+/ QSFP28	Up to (120) 10/100/1000, (80) SFP/ SFP+, (40) QSFP+/QSFP28
Management I/O	(2) SFP/SFP+ MGT, (2) SFP/SFP+ HA1, (2) HSCI HA2/HA3 QSFP+/QSFP28, (1) RJ45 serial console, (1) micro-USB serial console
Size	9U, 19” standard rack or 14U, 19” standard rack with optional PAN-AIRDUCT kit	19U, 19” standard rack
Power supply	(4) 2500 W AC (2400 W / 2700 W)	(4) 2500 W AC (2400 W / 2700 W) expandable to 8
Redundant power supply	Yes	Yes
Disk drives	(2) 240 GB SSD system drive, RAID1	(2) 240 GB SSD system drive, RAID1
Hot-swappable fans	Yes	Yes

(1) VM-Series performance will vary based on underlying virtualization infrastructure (hypervisor/cloud). Refer to the individual datasheets for detailed performance and testing information.
(2) Adding virtual systems to the base quantity requires a separately purchased license.
(3) New sessions per second and max session capacity for PA-7000 Series specified with 100G-NPCs.
(4) Optical/Copper transceivers are sold separately.

Key Features:

Next-Generation Firewall	Supported Across All Models
Deep visibility and granular control for thousands of applications; ability to create custom applications; ability to manage unknown traffic based on policy
User identification and control: VPNs, WLAN controllers, captive portal, proxies, Active Directory, eDirectory, Exchange, Terminal Services, syslog parsing, XML API
Granular SSL decryption and inspection (inbound and outbound); per-policy SSH control (inbound and outbound)
Networking: dynamic routing (RIP, OSPF, BGP, multiprotocol BGP), DHCP, DNS, NAT, route redistribution, ECMP, LLDP, BFD, tunnel content inspection
QoS: policy-based traffic shaping (priority, guaranteed, maximum) per application, per user, per tunnel, based on DSCP classification
Virtual systems: logical, separately managed firewall instances within a single physical firewall, with each virtual system’s traffic kept separate
Zone-based network segmentation and zone protection; DoS protection against flooding of new sessions
Threat Prevention (subscription required)
In-line malware prevention automatically enforced through payload-based signatures, updated daily
Vulnerability-based protections against exploits and evasive techniques on network and application layers, including port scans, buffer overflows, packet fragmentation, and obfuscation
Command-and-control (C2) activity stopped from exfiltrating data or delivering secondary malware payloads; infected hosts identified through DNS sinkholing
URL Filtering (subscription required)
Automatic prevention of web-based attacks, including phishing links in emails, phishing sites, HTTP-based C2, and pages that carry exploit kits
Ability to stop in-process credential phishing
Custom URL categories, alerts, and notification pages
WildFire malware prevention (subscription required)
Detection of zero-day malware and exploits with layered, complementary analysis techniques
Automated prevention in as few as five minutes across networks, endpoints, and clouds
Community-based data for protection, including more than 30,000 subscribers
AutoFocus threat intelligence (subscription required)
Contextualization and classification of attacks, including malware family, adversary, and campaign, to speed triage and response efforts
Rich, globally correlated threat analysis sourced from WildFire
Third-party threat intelligence for automated prevention
DNS Security (subscription required)
Automatically prevent tens of millions of malicious domains identified with realtime analysis and continuously growing global threat intelligence
Quickly detect C2 or data theft employing DNS tunneling with machine learning-powered analysis
Automate dynamic response to find infected machines and quickly respond in policy
File and data filtering
Bidirectional control over the unauthorized transfer of file types and Social Security numbers, credit card numbers, and custom data patterns
GlobalProtect network security for endpoints (subscription required)
Remote access VPN (SSL, IPsec, clientless); mobile threat prevention and policy enforcement based on apps, users, content, device, and device state
BYOD: app-level VPN for user privacy
Panorama network security management (subscription required for managing multiple firewalls
Intuitive policy control with applications, users, threats, advanced malware prevention, URLs, file types, and data patterns all in the same policy
Actionable insight into traffic and threats with Application Command Center (ACC); fully customizable reporting
Aggregated logging and event correlation
Consistent scalable management of up to 30,000 hardware and all VM-Series firewalls; role-based access control; logical and hierarchical device groups; and templates
GUI, CLI, XML-based REST API