Products
Palo Alto Networks' Next-Generation Firewalls
Palo Alto Networks next-generation firewalls provide flexible deployment options for your network. Firewall platforms, available in hardware and virtualized platforms, support the same consistent next-generation firewall features available in PAN-OS™. In addition, Panorama management platforms for centralized policy and device management over a network of next-generation firewalls are also available in both virtualized and hardware platforms.
Firewall Platforms
PA-7050
Deploy next-generation security in your datacenters without compromising performance.
PA-7050 |
| 120 Gbps firewall throughput (App-ID enabled1) |
| 10 Gbps threat prevention throughput |
| 4 Gbps IPSec VPN throughput |
| 100 Gbps threat prevention throughput (DSRI Enabled2) |
| 60 Gbps threat prevention throughput |
| 24 Gbps IPSec VPN throughput |
| 24,000,000 max sessions |
| 720,000 new sessions per second |
| 25/225 virtual systems (Base/Max3) |
1 Performance and capacities are measured under ideal testing conditions using PAN-OS 6.0
2 DSRI = Disable Server Response Inspection
3 Adding virtual systems to the base quantity requires a separately purchased license
PA-5000 Series
Deploy the PA-5060, PA-5050 and PA-5020 to protect high speed datacenters, server farms and service provider environments with next-generation firewall security.
PA-5060 |
PA-5050 |
PA-5020 |
| 20 Gbps firewall throughput | 10 Gbps firewall throughput | 5 Gbps firewall throughput |
| 10 Gbps threat prevention throughput | 5 Gbps threat prevention throughput | 2 Gbps threat prevention throughput |
| 4 Gbps IPSec VPN throughput | 4 Gbps IPSec VPN throughput | 2 Gbps IPSec VPN throughput |
| 4,000,000 max sessions | 2,000,000 max sessions | 1,000,000 max sessions |
| 120,000 new sessions per second | 120,000 new sessions per second | 120,000 new sessions per second |
| 8,000 IPSec VPN tunnels/tunnel interfaces | 4,000 IPSec VPN tunnels/tunnel interfaces | 2,000 IPSec VPN tunnels/tunnel interfaces |
| 20,000 SSL VPN Users | 10,000 SSL VPN Users | 5,000 SSL VPN Users |
| 225 virtual routers | 125 virtual routers | 20 virtual routers |
| 25/225* virtual systems (base/max*) | 25/225* virtual systems (base/max*) | 10/20* virtual systems (base/max*) |
| 900 security zones | 500 security zones | 80 security zones |
| 40,000 max number of policies | 20,000 max number of policies | 10,000 max number of policies |
PA-3000 Series
Utilize the PA-3050 and the PA-3020 to protect medium-to-large branch enterprise networks with next-generation firewall security.
PA-3050 |
PA-3020 |
| 4 Gbps firewall throughput | 2 Gbps firewall throughput |
| 2 Gbps threat prevention throughput | 1 Gbps threat prevention throughput |
| 500 Mbps IPSec VPN throughput | 500 Mbps IPSec VPN throughput |
| 500,000 max sessions | 250,000 max sessions |
| 50,000 new sessions per second | 50,000 new sessions per second |
| 2,000 IPSec VPN tunnels/tunnel interfaces | 1,000 IPSec VPN tunnels/tunnel interfaces |
| 2,000 SSL VPN Users | 1,000 SSL VPN Users |
| 10 virtual routers | 10 virtual routers |
| 1/6* virtual systems (base/max*) | 1/6* virtual systems (base/max*) |
| 40 security zones | 40 security zones |
| 5,000 max number of policies | 2,500 max number of policies |
PA-2000 Series
Secure high-speed networks in medium-to-large branch enterprises with next-generation firewall capabilities using the PA-2050 or the PA-2020.
PA-2050 |
PA-2020 |
| 1 Gbps firewall throughput | 500 Mbps firewall throughput |
| 500 Mbps threat prevention throughput | 200 Mbps threat prevention throughput |
| 300 Mbps IPSec VPN throughput | 200 Mbps IPSec VPN throughput |
| 250,000 max sessions | 125,000 max sessions |
| 15,000 new sessions per second | 15,000 new sessions per second |
| 2,000 IPSec VPN tunnels/tunnel interfaces | 1,000 IPSec VPN tunnels/tunnel interfaces |
| 1,000 SSL VPN Users | 500 SSL VPN Users |
| 10 virtual routers | 10 virtual routers |
| 1/6* virtual systems (base/max*) | 1/6* virtual systems (base/max*) |
| 40 security zones | 40 security zones |
| 5,000 max number of policies | 2,500 max number of policies |
PA-500
Protect medium-to-large branch office and medium enterprise networks with next-generation firewall security from the PA-500.
PA-500 |
| 250 Mbps firewall throughput |
| 100 Mbps threat prevention throughput |
| 50 Mbps IPSec VPN throughput |
| 64,000 max sessions |
| 7,500 new sessions per second |
| 250 IPSec VPN tunnels/tunnel interfaces |
| 100 SSL VPN Users |
| 3 virtual routers |
| N/A virtual systems (base/max*) |
| 20 security zones |
| 1,000 max number of policies |
PA-200
Secure medium enterprises and small enterprise branch offices with next-generation firewall security using the PA-200.
PA-200 |
| 100 Mbps firewall throughput |
| 50 Mbps threat prevention throughput |
| 50 Mbps IPSec VPN throughput |
| 64,000 max sessions |
| 1,000 new sessions per second |
| 25 IPSec VPN tunnels/tunnel interfaces |
| 25 SSL VPN Users |
| 3 virtual routers |
| 10 security zones |
| 250 max number of policies |
Virtualized Firewall Platforms
Protect your virtualized datacenter and 'East-West' traffic with one of three virtualized Palo Alto Networks next-generation firewalls.
VM-1000-HV |
| 250,000 max sessions |
| 2,000 IPSec VPN tunnels/tunnel interfaces |
| 500 SSL VPN Users |
| 40 security zones |
| 10,000 max number of policies |
| 10,000 address objects |
| 1 Gbps Firewall Throughput |
| 600 Mbps Threat Prevention Throughput |
| 250 Mbps IPSec VPN Throughput |
| 8,000 New sessions per second |
VM-300 |
VM-200 |
VM-100 |
| 250,000 max sessions | 100,000 max sessions | 50,000 max sessions |
| 2,000 IPSec VPN tunnels/tunnel interfaces | 500 IPSec VPN tunnels/tunnel interfaces | 25 IPSec VPN tunnels/tunnel interfaces |
| 500 SSL VPN Users | 200 SSL VPN Users | 25 SSL VPN Users |
| 40 virtual routers | 20 virtual routers | 10 virtual routers |
| 40 security zones | 20 security zones | 10 security zones |
| 5,000 max number of policies | 2,000 max number of policies | 250 max number of policies |
| 10,000 address objects | 4,000 address objects | 2,500 address objects |
| 1 Gbps Firewall Throughput | 1 Gbps Firewall Throughput | 1 Gbps Firewall Throughput |
| 600 Mbps Threat Prevention Throughput | 600 Mbps Threat Prevention Throughput | 600 Mbps Threat Prevention Throughput |
| 250 Mbps IPSec VPN Throughput | 250 Mbps IPSec VPN Throughput | 250 Mbps IPSec VPN Throughput |
| 8,000 New sessions per second | 8,000 New sessions per second | 8,000 New sessions per second |
Centralized Management
Panorama provides you with the ability to manage your distributed network of our firewalls from a centralized location. View of all your firewall traffic; manage all aspects of device configuration; push global policies; and generate reports on traffic patterns or security incidents - all from one central location. Panorama is available as either a dedicated management appliance or as a virtual machine.
M-100 |
Virtual Appliance |
| The M-100 allows you to deploy Panorama management and logging functions on a dedicated appliance, or you can separate the functions in a distributed manner for improved performance and scalability. | You can deploy Panorama as a virtual appliance on VMware ESX(i), allowing you to support your virtualization initiatives and consolidate rack space. |
Mobile Security Manager
GlobalProtect provides a unique, integrated mobile security solution to safely enable mobile devices for business use. It consists of three key components: GlobalProtect Gateway (available on the Palo Alto Networks next-generation network security platform), GlobalProtect Mobile Security Manager (available on the Palo Alto Networks GP-100), and GlobalProtect App (available for iOS and Android devices).
For more information on GlobalProtect, visit the GlobalProtect Technology page.
GP-100 |
| GlobalProtect Mobile Security Manager is available on the GP-100 platform, and provides device management, malware detection and shares device state information with GlobalProtect Gateway. |
Wildfire Platform
Extend the capabilities of your Palo Alto Networks next-generation firewalls with WildFire, which identifies, analyzes, and blocks known and unknown malware.
WF-500 |
| Organizations that prefer not to use public cloud applications due to regulatory and privacy concerns can deploy WildFire as a private cloud using the WF-500. |
Security Subscriptions
Security subscriptions allow you to safely enable applications, users, and content by selectively adding fully integrated protection from both known and unknown threats, classification and filtering of URLs, and the ability to build logical policies based on the specific security posture of a user's device. Most importantly, these subscriptions are seamlessly integrated, sharing the context generated by App-ID and allowing you to generate policies that protect your network while also enabling your business.
WildFire
The WildFire subscription provides integrated protection from advanced malware and threats. WildFire adds the increasingly important ability to proactively identify and block unknown threats such as custom or polymorphic malware, which are commonly used in modern cyberattacks.
The subscription provides you with following advanced capabilities:
- WildFire signature feed – receive new malware protections every 30 minutes covering newly discovered malware identified by WildFire.
- Integrated WildFire logs – logs automatically delivered to the firewall including analysis verdicts for all analyzed files and malware.
- WildFire API – Enables you to programmatically submit files to WildFire, as well as take advantage of WildFire integration with Bit9 and Mandiant solutions.
GlobalProtect
GlobalProtect delivers consistent security to users in all locations. It may be deployed in many different scenarios for extending the protection of your next-generation firewall to endpoints both within and outside of the organization. With a GlobalProtect gateway subscription, you can apply the state of the endpoint device as part of the context for security policy using the Host Information Profile (HIP). In addition, users with mobile devices can use GlobalProtect apps for iOS and Android to connect to the next-generation firewall.
The GlobalProtect Portal license extends the range of coverage by enabling you to deploy GlobalProtect gateways in a greater number of configurations. For example, with a Portal license, you can deploy multiple external gateways in order to support users in different geographies. In addition, with the Portal license, gateways may also be deployed internally to protect local and wireless networks.
URL Filtering
URL filtering is enabled through an annual subscription that provides you with a URL filtering database that controls web activity based on users through URL category level controls, or through customizable white- and black-lists. The URL filtering subscription is not bound by any user limitations, which provides you with greater flexibility in terms of growth and more predictable operational expenses. The URL filtering subscription includes continual updates to the URL filtering database, as well as problem resolution.
Threat Prevention
The Threat Prevention subscription adds integrated protection from a variety of network-borne threats including exploits, malware, dangerous files, and content. This powerful subscription includes IPS functionality, stream-based blocking of millions of known malware samples, protection from spyware, command-and-control traffic, and a variety of hacking tools.
The Threat Prevention subscription even goes beyond simply blocking malicious content to include the control of specific file types by policy, as well as inspecting traffic for specific content to prevent data loss. As a result, this critical subscription not only provides you with critical protection from threats, but also gives you important additional policy controls that keep your network secure.
Endpoint Security
While there are millions of malware samples detected each year, and thousands of vulnerabilities, there are only a couple dozen exploitation techniques available to attackers. Palo Alto Networks is taking a new approach by not identifying the attack through a signature or anomalous behavior, but rather block the attacker’s critical path to exploitation. This is achieved by placing traps and roadblocks across every single critical exploitation path that the attack must go through. These critical paths are in fact 'exploitation techniques' the attack must use to compromise the system. Our unique endpoint solution provides a complete set of 'exploit mitigation' modules that derail the course of an attack, leaving it powerless to cause damage or gain unauthorized access. This solution covers every known exploitation technique, new emerging techniques, and a number of techniques known only to Palo Alto Networks. As a result, it protects against every exploitation attack, including the obfuscated ones, whether based on known vulnerabilities or yet-unknown zero-day vulnerabilities.