Prevent threats, safely enable applications

Protection for the branch and midsize business

The PA-800 Series is a family of next-generation firewall appliances that help secure enterprise branches and midsize business by preventing a broad range of cyberthreats while safely enabling applications.

Full visibility, granular control and power to prevent network threats

The PA-800 Series appliances provide safe enablement of applications, users and content at throughput speeds up to 1.9 Gbps, with I/O options of up to four 10-gigabit SFP+ ports. Redundant power supplies provide hardware resiliency, and the USB port allows rapid deployment of large numbers of firewalls with consistent configuration.

Classifies all applications, on all ports, all the time

PA-800 Series appliances identify any application, regardless of port, encryption (SSL or SSH) or evasive technique employed, and use the application – not the port – as the basis for all your safe enablement policy decisions: allow, deny, schedule, inspect and apply traffic-shaping. They also categorize unidentified applications for policy control, threat forensics or custom App-ID™ development.

Learn more

Enforces security policies for any user, at any location

The PA-800 Series NGFWs are integrated on multiple levels to facilitate policy deployment and enforcement. You can deploy consistent policies to local and remote users running on Windows®, macOS®, Linux, Android® or Apple® iOS platforms. You get agentless integration with Microsoft® Active Directory® and Terminal Services, LDAP, Novell® eDirectory™ and Citrix®, and you can integrate your firewall policies easily with 802.1X wireless, proxies, network access control and other sources of user identity

Prevents known and unknown threats

PA-800 Series appliances block a range of threats, including exploits, malware and spyware, across all ports, regardless of common threat-evasion tactics employed. They limit the unauthorized transfer of files and sensitive data to safely enable applications. They also identify unknown malware, analyze it based on hundreds of malicious behaviors, and then automatically create and deliver protection.

Learn what’s new

The PA-800 Series family


  • 2/2 Gbps firewall throughput1
  • 780/1000 Mbps Threat Prevention throughput2
  • 500 Mbps IPsec VPN throughput
  • 192,000 max sessions3
  • 13,000 new sessions per second3
  • 2,000 IPsec VPN tunnels/tunnel interfaces
  • 5 virtual routers
  • 40 security zones
  • 1,500 max number of policies


  • 1/1 Gbps firewall throughput1
  • 620/790Mbps Threat Prevention throughput2
  • 400 Mbps IPsec VPN throughput
  • 128,000 max sessions
  • 8,300 new sessions per second3
  • 2,000 IPsec VPN tunnels/tunnel interfaces
  • 5 virtual routers
  • 30 security zones
  • 1,500 max number of policies

1. Firewall throughput measured with App-ID and logging enabled utilizing 64KB HTTP/appmix transactions
2. Threat Prevention throughput measured with App-ID, IPS, antivirus, anti-spyware, WildFire and logging enabled utilizing 64KB HTTP/appmix transactions
3. IPsec VPN throughput measured with 64KB HTTP transactions
4. New sessions per second measured with application-override utilizing 1-byte HTTP transactions


Request your Security Lifecycle Review (SLR)

The SLR examines your network traffic and generates a comprehensive report unique to your organization to help you discover the applications and threats exposing vulnerabilities in your security posture. Request now



Are you ready to take the
Ultimate Test Drive?

If you're ready to take the test drive, pick the best time for you below!

All times are displayed in Pacific time.