End-of-Life Notice

Palo Alto Networks PA-5220

Name: Palo Alto Networks PA-5220
Brand: Palo Alto Networks
Availability: Discontinued

The PA-5220 has reached end-of-life and is no longer available for new deployments. The designated replacement is the PA-5410, delivering 3.3x faster firewall throughput with hardware-accelerated SSL decryption to eliminate the software-based encryption bottleneck.

View the PA-5410 Contact a specialist

End-of-life product information

The PA-5220 was a mid-range data center next-generation firewall delivering up to 16 Gbps of firewall throughput with dedicated processing for networking, security, and management. Its software-based SSL decryption approach became a performance bottleneck as encrypted traffic volumes increased. This model is no longer sold or supported for new deployments.

Designated replacement

PA-5410

Data center NGFW with ML-powered security, hardware-accelerated SSL decryption, and 52 Gbps firewall throughput for high-performance enterprise environments.

View PA-5410

Related end-of-life model

PA-5250

Higher-throughput variant in the PA-5200 Series, also discontinued. Replaced by the PA-5400 Series platforms.

View PA-5250 EOL details

Related end-of-life model

PA-5260

Top-tier model in the PA-5200 Series, also discontinued. Replaced by the PA-5400 Series platforms.

View PA-5260 EOL details

Upgrade path

Why upgrade from PA-5220 to PA-5410

The PA-5400 Series addresses the fundamental architectural limitations of the PA-5200 Series, replacing software-based SSL decryption with purpose-built hardware acceleration and delivering ML-powered inline threat prevention.

3.3x throughput increase

The PA-5220 delivers 16 Gbps of firewall throughput. The PA-5410 provides 52 Gbps, enabling organizations to consolidate security functions without creating network bottlenecks at the data center edge.

Hardware-accelerated SSL decryption

The PA-5220 relies on software-based SSL decryption, which degrades throughput as encrypted traffic volumes grow. The PA-5410 offloads decryption to dedicated hardware, maintaining full inspection speeds.

ML-powered threat prevention

The PA-5410 integrates machine learning directly into the data plane, enabling inline prevention of zero-day threats, file-based attacks, and command-and-control traffic without relying solely on signature updates.

2x session capacity

Maximum concurrent sessions increase from 4,000,000 on the PA-5220 to 8,000,000 on the PA-5410, providing headroom for growing east-west traffic in virtualized data center environments.

View full PA-5410 specifications Browse all PA-Series models

Legacy vs. current generation

A direct specification comparison between the end-of-life PA-5220 and its designated replacement, the PA-5410.

Specification	PA-5220 (Legacy)	PA-5410 (Current)	Improvement
Firewall throughput	16 Gbps	52 Gbps	3.3x faster
Threat prevention throughput	9 Gbps	35 Gbps	3.9x faster
IPSec VPN throughput	8 Gbps	29 Gbps	3.6x faster
New sessions per second	127,000	295,000	2.3x faster
Max sessions	4,000,000	8,000,000	2x capacity
SSL decryption approach	Software-based	Hardware-accelerated	Dedicated hardware
Threat intelligence	Signature-based	ML-powered inline	Real-time ML

Trade-in programs may be available for existing PA-5220 deployments. Contact a specialist for details.

View PA-5410 details Compare all models

Throughput comparison

Firewall throughput improvement from PA-5220 to PA-5410.

PA-5220 (Legacy) 16 Gbps

PA-5410 (Current) 52 Gbps

PA-5220 technical specifications

Reference specifications for the end-of-life PA-5220 platform.

Performance and capacity

Firewall throughput	16 Gbps
Threat prevention throughput	9 Gbps
IPSec VPN throughput	8 Gbps
New sessions per second	127,000
Max sessions	4,000,000
SSL decryption approach	Software-based
SSL decrypt sessions	300,000
IPSec VPN tunnels / tunnel interfaces	6,000
GlobalProtect (SSL VPN) concurrent users	10,000
SSL inbound certificates	1,000
Virtual systems (base / max)	10 / 20
Virtual routers	10
Security zones	40
Max number of policies	10,000

Hardware specifications

I/O	(4) 100/1000/10G Cu, (16) Gig/10Gig SFP/SFP+, (4) 40G QSFP+
Management I/O	(2) 10/100/1000, (1) 40G QSFP+ HA, (1) 10/100/1000 out-of-band management, (1) RJ-45 console port
Storage capacity	240 GB SSD (RAID1), 2 TB HDD (RAID1) log storage
Power supply (max consumption)	1:1 fully redundant (870W max)
Max BTU/HR	2,970 BTU
Input voltage (input frequency)	100-240VAC (50-60Hz)
Max current consumption	6.5A @ 100-240VAC
Mean time between failure (MTBF)	9.23 years
Dimensions	3U, 5.25"H x 20.5"D x 17.25"W
Weight (standalone / as shipped)	46 lbs / 62 lbs
Safety	cCSAus, CB IEC60950-1
EMI	FCC Class A, CE Class A, VCCI Class A
Certifications	ICSA, Common Criteria (NDPP), FIPS 140-2, USGv6

Environmental specifications

Operating temperature	32° to 122° F, 0° to 50° C
Non-operating temperature	-4° to 158° F, -20° to 70° C

Networking specifications

Interface modes	L2, L3, Tap, Virtual Wire (transparent mode)
Routing	OSPFv2/v3, RIP, BGP, Static, PIM-SM, PIM-SSM, IGMP v1/v2/v3
Forwarding table size	10,000 entries per device / per VR
High availability	Active/Active, Active/Passive with session synchronization
Address assignment (device)	DHCP Client / PPPoE / Static
Address assignment (users)	DHCP Server / DHCP Relay / Static
IPv6	L2, L3, Tap, Virtual Wire; App-ID, User-ID, Content-ID, WildFire, SSL Decryption
802.1q VLAN tags	4,094 per device / 4,094 per interface
Max NAT rules	5,000
Max virtual wires	2,048
ARP table size	10,000 per device