Products

Palo Alto Networks' Next-Generation Firewalls

Palo Alto Networks next-generation firewalls provide flexible deployment options for your network. Firewall platforms, available in hardware and virtualized platforms, support the same consistent next-generation firewall features available in PAN-OS™. In addition, Panorama management platforms for centralized policy and device management over a network of next-generation firewalls are also available in both virtualized and hardware platforms.

Firewall Platforms

PA-7050

Deploy next-generation security in your datacenters without compromising performance.

PA-7050

PA7050
120 Gbps firewall throughput (App-ID enabled1)
10 Gbps threat prevention throughput
4 Gbps IPSec VPN throughput
100 Gbps threat prevention throughput (DSRI Enabled2)
60 Gbps threat prevention throughput
24 Gbps IPSec VPN throughput
24,000,000 max sessions
720,000 new sessions per second
25/225 virtual systems (Base/Max3)

1 Performance and capacities are measured under ideal testing conditions using PAN-OS 6.0

2 DSRI = Disable Server Response Inspection

3 Adding virtual systems to the base quantity requires a separately purchased license

PA-5000 Series

Deploy the PA-5060, PA-5050 and PA-5020 to protect high speed datacenters, server farms and service provider environments with next-generation firewall security.

PA-5060

PA5060

PA-5050

PA5050

PA-5020

PA5020
20 Gbps firewall throughput 10 Gbps firewall throughput 5 Gbps firewall throughput
10 Gbps threat prevention throughput 5 Gbps threat prevention throughput 2 Gbps threat prevention throughput
4 Gbps IPSec VPN throughput 4 Gbps IPSec VPN throughput 2 Gbps IPSec VPN throughput
4,000,000 max sessions 2,000,000 max sessions 1,000,000 max sessions
120,000 new sessions per second 120,000 new sessions per second 120,000 new sessions per second
8,000 IPSec VPN tunnels/tunnel interfaces 4,000 IPSec VPN tunnels/tunnel interfaces 2,000 IPSec VPN tunnels/tunnel interfaces
20,000 SSL VPN Users 10,000 SSL VPN Users 5,000 SSL VPN Users
225 virtual routers 125 virtual routers 20 virtual routers
25/225* virtual systems (base/max*) 25/225* virtual systems (base/max*) 10/20* virtual systems (base/max*)
900 security zones 500 security zones 80 security zones
40,000 max number of policies 20,000 max number of policies 10,000 max number of policies

PA-3000 Series

Utilize the PA-3050 and the PA-3020 to protect medium-to-large branch enterprise networks with next-generation firewall security.

PA-3050

PA3050

PA-3020

PA3020
4 Gbps firewall throughput 2 Gbps firewall throughput
2 Gbps threat prevention throughput 1 Gbps threat prevention throughput
500 Mbps IPSec VPN throughput 500 Mbps IPSec VPN throughput
500,000 max sessions 250,000 max sessions
50,000 new sessions per second 50,000 new sessions per second
2,000 IPSec VPN tunnels/tunnel interfaces 1,000 IPSec VPN tunnels/tunnel interfaces
2,000 SSL VPN Users 1,000 SSL VPN Users
10 virtual routers 10 virtual routers
1/6* virtual systems (base/max*) 1/6* virtual systems (base/max*)
40 security zones 40 security zones
5,000 max number of policies 2,500 max number of policies

PA-2000 Series

Secure high-speed networks in medium-to-large branch enterprises with next-generation firewall capabilities using the PA-2050 or the PA-2020.

PA-2050

PA2050

PA-2020

PA2020
1 Gbps firewall throughput 500 Mbps firewall throughput
500 Mbps threat prevention throughput 200 Mbps threat prevention throughput
300 Mbps IPSec VPN throughput 200 Mbps IPSec VPN throughput
250,000 max sessions 125,000 max sessions
15,000 new sessions per second 15,000 new sessions per second
2,000 IPSec VPN tunnels/tunnel interfaces 1,000 IPSec VPN tunnels/tunnel interfaces
1,000 SSL VPN Users 500 SSL VPN Users
10 virtual routers 10 virtual routers
1/6* virtual systems (base/max*) 1/6* virtual systems (base/max*)
40 security zones 40 security zones
5,000 max number of policies 2,500 max number of policies

PA-500

Protect medium-to-large branch office and medium enterprise networks with next-generation firewall security from the PA-500.

PA-500

PA500
250 Mbps firewall throughput
100 Mbps threat prevention throughput
50 Mbps IPSec VPN throughput
64,000 max sessions
7,500 new sessions per second
250 IPSec VPN tunnels/tunnel interfaces
100 SSL VPN Users
3 virtual routers
N/A virtual systems (base/max*)
20 security zones
1,000 max number of policies

PA-200

Secure medium enterprises and small enterprise branch offices with next-generation firewall security using the PA-200.

PA-200

PA200
100 Mbps firewall throughput
50 Mbps threat prevention throughput
50 Mbps IPSec VPN throughput
64,000 max sessions
1,000 new sessions per second
25 IPSec VPN tunnels/tunnel interfaces
25 SSL VPN Users
3 virtual routers
10 security zones
250 max number of policies

Virtualized Firewall Platforms

Protect your virtualized datacenter and 'East-West' traffic with one of three virtualized Palo Alto Networks next-generation firewalls.

VM-1000-HV

VM-1000-HV
250,000 max sessions
2,000 IPSec VPN tunnels/tunnel interfaces
500 SSL VPN Users
40 security zones
10,000 max number of policies
10,000 address objects
1 Gbps Firewall Throughput
600 Mbps Threat Prevention Throughput
250 Mbps IPSec VPN Throughput
8,000 New sessions per second

VM-300

virtual-machine

VM-200

virtual-machine

VM-100

virtual-machine
250,000 max sessions 100,000 max sessions 50,000 max sessions
2,000 IPSec VPN tunnels/tunnel interfaces 500 IPSec VPN tunnels/tunnel interfaces 25 IPSec VPN tunnels/tunnel interfaces
500 SSL VPN Users 200 SSL VPN Users 25 SSL VPN Users
40 virtual routers 20 virtual routers 10 virtual routers
40 security zones 20 security zones 10 security zones
5,000 max number of policies 2,000 max number of policies 250 max number of policies
10,000 address objects 4,000 address objects 2,500 address objects
1 Gbps Firewall Throughput 1 Gbps Firewall Throughput 1 Gbps Firewall Throughput
600 Mbps Threat Prevention Throughput 600 Mbps Threat Prevention Throughput 600 Mbps Threat Prevention Throughput
250 Mbps IPSec VPN Throughput 250 Mbps IPSec VPN Throughput 250 Mbps IPSec VPN Throughput
8,000 New sessions per second 8,000 New sessions per second 8,000 New sessions per second

Centralized Management

Panorama provides you with the ability to manage your distributed network of our firewalls from a centralized location. View of all your firewall traffic; manage all aspects of device configuration; push global policies; and generate reports on traffic patterns or security incidents - all from one central location. Panorama is available as either a dedicated management appliance or as a virtual machine.

M-100

VM-1000-HV

Virtual Appliance

virtual-appliance
The M-100 allows you to deploy Panorama management and logging functions on a dedicated appliance, or you can separate the functions in a distributed manner for improved performance and scalability. You can deploy Panorama as a virtual appliance on VMware ESX(i), allowing you to support your virtualization initiatives and consolidate rack space.

Mobile Security Manager

GlobalProtect provides a unique, integrated mobile security solution to safely enable mobile devices for business use. It consists of three key components: GlobalProtect Gateway (available on the Palo Alto Networks next-generation network security platform), GlobalProtect Mobile Security Manager (available on the Palo Alto Networks GP-100), and GlobalProtect App (available for iOS and Android devices).

For more information on GlobalProtect, visit the GlobalProtect Technology page.

GP-100

gp-100
GlobalProtect Mobile Security Manager is available on the GP-100 platform, and provides device management, malware detection and shares device state information with GlobalProtect Gateway.

Wildfire Platform

Extend the capabilities of your Palo Alto Networks next-generation firewalls with WildFire, which identifies, analyzes, and blocks known and unknown malware.

WF-500

wf-500
Organizations that prefer not to use public cloud applications due to regulatory and privacy concerns can deploy WildFire as a private cloud using the WF-500.

Security Subscriptions

Security subscriptions allow you to safely enable applications, users, and content by selectively adding fully integrated protection from both known and unknown threats, classification and filtering of URLs, and the ability to build logical policies based on the specific security posture of a user's device. Most importantly, these subscriptions are seamlessly integrated, sharing the context generated by App-ID and allowing you to generate policies that protect your network while also enabling your business.

WildFire

The WildFire subscription provides integrated protection from advanced malware and threats. WildFire adds the increasingly important ability to proactively identify and block unknown threats such as custom or polymorphic malware, which are commonly used in modern cyberattacks.

The subscription provides you with following advanced capabilities:

GlobalProtect

GlobalProtect delivers consistent security to users in all locations. It may be deployed in many different scenarios for extending the protection of your next-generation firewall to endpoints both within and outside of the organization. With a GlobalProtect gateway subscription, you can apply the state of the endpoint device as part of the context for security policy using the Host Information Profile (HIP). In addition, users with mobile devices can use GlobalProtect apps for iOS and Android to connect to the next-generation firewall.

The GlobalProtect Portal license extends the range of coverage by enabling you to deploy GlobalProtect gateways in a greater number of configurations. For example, with a Portal license, you can deploy multiple external gateways in order to support users in different geographies. In addition, with the Portal license, gateways may also be deployed internally to protect local and wireless networks.

URL Filtering

URL filtering is enabled through an annual subscription that provides you with a URL filtering database that controls web activity based on users through URL category level controls, or through customizable white- and black-lists. The URL filtering subscription is not bound by any user limitations, which provides you with greater flexibility in terms of growth and more predictable operational expenses. The URL filtering subscription includes continual updates to the URL filtering database, as well as problem resolution.

Threat Prevention

The Threat Prevention subscription adds integrated protection from a variety of network-borne threats including exploits, malware, dangerous files, and content. This powerful subscription includes IPS functionality, stream-based blocking of millions of known malware samples, protection from spyware, command-and-control traffic, and a variety of hacking tools.

The Threat Prevention subscription even goes beyond simply blocking malicious content to include the control of specific file types by policy, as well as inspecting traffic for specific content to prevent data loss. As a result, this critical subscription not only provides you with critical protection from threats, but also gives you important additional policy controls that keep your network secure.

Endpoint Security

While there are millions of malware samples detected each year, and thousands of vulnerabilities, there are only a couple dozen exploitation techniques available to attackers. Palo Alto Networks is taking a new approach by not identifying the attack through a signature or anomalous behavior, but rather block the attacker’s critical path to exploitation. This is achieved by placing traps and roadblocks across every single critical exploitation path that the attack must go through. These critical paths are in fact 'exploitation techniques' the attack must use to compromise the system. Our unique endpoint solution provides a complete set of 'exploit mitigation' modules that derail the course of an attack, leaving it powerless to cause damage or gain unauthorized access. This solution covers every known exploitation technique, new emerging techniques, and a number of techniques known only to Palo Alto Networks. As a result, it protects against every exploitation attack, including the obfuscated ones, whether based on known vulnerabilities or yet-unknown zero-day vulnerabilities.