Skip to main content

Introduction to Palo Alto Next-Generation Network Firewalls

palo-alto-firewalls-introduction-features-technical-specifications-1aDuring the past decade, we’ve seen the global IT security market flooded with new network security and firewall security appliances. New vendors emerging into the market while existing well-known vendors introduce new smarter and complex firewalls that aim to keep enterprise organizations as safe as possible. Palo Alto Networks is one of the new-generation security vendors who have managed to break into a saturated market and make their stand.

It’s no coincidence that Palo Alto Networks is considered to be a leader and pioneer when it comes to Next Generation Firewall appliances and Gartner seems to agree with this statement based on their Magic Quadrant report in the Next Generation Firewall Segment:

Magic Quadrant for Enterprise Network Firewalls

Figure 1. Gartner Magic Quadrant for Enterprise Network Firewalls

Palo Alto Networks Next-Generation Firewalls unique way of processing a packet using the Single ­­­Pass Parallel Processing (SP3) engine makes them a clear leader.

Note: Read all our technical articles covering Palo Alto Firewalls by visiting our Palo Alto Firewall Section.

Basically, the SP3 engine utilizes the same stream-based signature format to process the protection features like Anti-Virus, Spyware, Vulnerability Protection and Data Filtering. By doing so the firewall saves valuable processing power, unlike other Unified Threat Management (UTM) appliances which serially process each security feature offered, this often introduces latency to the network traffic.

The advanced security features like App-ID, User-ID, Content-ID along with Security profiles, comprising feature like Antivirus, Anti-Spyware, Vulnerability protection, URL Filtering, DoS Protection and Data Filtering makes Palo Alto the leader. Most importantly its malware analysis solution WildFire offers advanced protection from unknown threats.

Palo Alto Networks offers its firewalls as Hardware Platforms and Virtual Platforms. Its Hardware Platforms comes in different flavors.

palo-alto-firewalls-introduction-features-technical-specifications-2

Figure 2. The Palo Alto Firewall family

PA-200 and PA-500 Series Firewalls are meant for Small Businesses and come with very limited throughput and do not support Virtual Systems. Virtual Systems, also known as VSYS, is used to create virtual firewall instances in a single-pair of Palo Alto Firewalls, in other words, Virtual Systems can be compared to contexts in Cisco ASA Firewalls or vdom in Fortinet firewalls. The PA-200, PA-500 Series Firewalls offer a very limited number of security policies like security rules, NAT rules, policy based forwarding rules and a few more.

Datasheets on Palo Alto Firewall appliances and Virtual Servers are available at our Palo Alto Datasheets and Guides download area

The table below provides a clear comparison of features and technical specifications of both PA-500 and PA-200 firewall models:

 

Features

palo-alto-firewalls-introduction-features-technical-specifications-pa500PA-500

palo-alto-firewalls-introduction-features-technical-specifications-pa200
PA-200

Performance

   

App-ID firewall throughput

250 Mbps

100 Mbps

Threat prevention throughput

100 Mbps

50 Mbps

IPSec VPN throughput

50 Mbps

50 Mbps

Connections per second

7,500

1,000

Sessions

   

Max sessions (IPv4 or IPv6)

64,000

64,000

Policies

   

Security rules

1,000

250

Security rule schedules

256

256

NAT rules

160

160

Decryption rules

100

100

App override rules

100

100

QoS rules

100

100

Policy based forwarding rules

100

100

Captive portal rules

100

10

DoS protection rules

100

100

Table 1. Technical Specifications of PA-500 & PA-200 Firewall Appliances

The PA-2000 & PA-4000 Series Firewalls are older End-of-Sales platforms, but can certainly be used for any type of lab environment and training.

The PA-3000 series Palo Alto Firewalls like the PA-3020, PA-3050 & PA-3060 are good for Mid-Size Enterprise Networks and they offer a throughput (App-ID) between 2Gbps and 4Gbps based the on model selected. The PA-3060 is the only firewall that comes with 2 x 10Gbps SFP+ Interfaces, while the rest of the PA-3000 Series offer only 1Gig Interfaces, which are both copper and fiber.

Table 2 below compares features and technical specifications between the PA-3020, PA-3050 & PA-3060 firewall models:

 

Features

Palo Alto Firewall 3060

PA-3060

Palo Alto 3050 Firewall Security Appliance

PA-3050

Palo Alto 3020 Firewall Security Appliance

PA-3020

Performance

     

App-ID firewall throughput

4 Gbps

4 Gbps

2 Gbps

Threat prevention throughput

2 Gbps

2 Gbps

1 Gbps

IPSec VPN throughput

500 Mbps

500 Mbps

500 Mbps

Connections per second

50,000

50,000

50,000

Policies

     

Security rules

5,000

5,000

2,500

Security rule schedules

256

256

256

NAT rules

5,000

5,000

3,000

Decryption rules

500

500

250

App override rules

500

500

250

QoS rules

1,000

1,000

1,000

Policy based forwarding rules

500

500

500

Captive portal rules

1,000

1,000

1,000

DoS protection rules

1,000

1,000

1,000

Interfaces

     

Mgmt - out-of-band

10/100/1000, RJ45 console

10/100/1000, RJ45 console

10/100/1000, RJ45 console

Mgmt - 10/100/1000 high availability

2

2

2

Mgmt - 40Gbps high availability

NA

NA

NA

Traffic - 10/100/1000

8

12

12

Traffic - 1Gbps SFP

8

8

8

Traffic - 10Gbps SFP+

2

NA

NA

Table 2. Comparing the PA-3020, PA-3050 & PA-3060 firewall models

The PA-5000 Series firewalls such as the PA-5020, PA-5050 & PA-5060 are very powerful and best suited for medium to large Enterprise Networks. This series of firewalls offers an impressive throughput (App-ID) between 5Gbps and 20Gbps. These are the most stable firewalls the industry has seen and it’s often recommended to have a PA-5060 firewall as a Data Centre Firewall for mid to large size data centres.

 

Features

Palo Alto Firewall Security Appliance - 5060 Series

PA-5060

Palo Alto Firewall Security Appliance - 5050 Series

PA-5050

Palo Alto Firewall Security Appliance - 5060 Series

PA-5020

Performance

     

App-ID firewall throughput

20 Gbps

10 Gbps

5 Gbps

Threat prevention throughput

10 Gbps

5 Gbps

2 Gbps

IPSec VPN throughput

4 Gbps

4 Gbps

2 Gbps

Connections per second

120,000

120,000

120,000

Interfaces

     

Mgmt - out-of-band

10/100/1000, RJ45 console

10/100/1000, RJ45 console

10/100/1000, RJ45 console

Mgmt - 10/100/1000 high availability

2

2

2

Mgmt - 40Gbps high availability

NA

NA

NA

Traffic - 10/100/1000

12

12

12

Traffic - 1Gbps SFP

8

8

8

Traffic - 10Gbps SFP+

4

4

NA

Table 3. Comparing the PA-5020, PA-5050 & PA-5060 firewall models

The PA-7000 Series firewalls are the chassis based firewalls available in PA-7050 & PA-7080 models, these firewalls offer a huge throughput (App-ID) between 120Gbps and 200Gbps, and are targeted for Service Provider Networks.

 

 

Features

palo-alto-firewalls-introduction-features-technical-specifications-pa7080

PA-7080

palo-alto-firewalls-introduction-features-technical-specifications-pa7050

PA-7050

Performance

   

App-ID firewall throughput

200 Gbps

120 Gbps

Threat prevention throughput

100 Gbps

60 Gbps

IPSec VPN throughput

80 Gbps

48 Gbps

Connections per second

1,200,000

720,000

Interfaces

   

Mgmt - out-of-band

10/100/1000, RJ45 console

10/100/1000, RJ45 console

Mgmt - 10/100/1000 high availability

2

2

Mgmt - 40Gbps high availability

2

2

Traffic - 10/100/1000

120

72

Traffic - 1Gbps SFP

80

48

Traffic - 10Gbps SFP+

120

72

Routing

   

IPv4 forwarding table size*

32,000

32,000

IPv6 forwarding table size*

32,000

32,000

Max route maps per virtual router

50

50

Max routing peers (protocol dependent)

500

500

Static entries - DNS proxy

1,024

1,024

L2 Forwarding

   

ARP table size per device

32,000

32,000

IPv6 neighbor table size

32,000

32,000

MAC table size per device

32,000

32,000

Max ARP entries per broadcast domain

32,000

32,000

Max MAC entries per broadcast domain

32,000

32,000

Table 4. Technical specifications of the PA-7000 series firewalls targeting Service Provider Networks

Palo Alto Networks also offers Virtual Firewalls that are ideal for protecting virtual data centres and "East-West" traffic. With the advent of Software Defined Networking and the growing popularity of VMWare NSX, Palo Alto is offering a dedicated Virtualized Firewall VM-1000-HV. The Palo Alto VM-1000-HV was specifically developed to support VMWare NSX setups along with VMWare ESXI, Citrix Netscaler SDX , KVM and Amazon Web Services (AWS) platforms.

Palo Alto also offers the VM-300, VM-200 and VM-100 Virtualized platforms which offer a throughput (App-ID) of 1Gbps.

Feature

VM-1000-HV

VM-300

VM-200 / VM-100

Performance

     

App-ID firewall throughput

1 Gbps

1 Gbps

1 Gbps

Threat prevention throughput

600 Mbps

600 Mbps

600 Mbps

IPSec VPN throughput

250 Mbps

250 Mbps

250 Mbps

Connections per second

8,000

8,000

8,000

Sessions

     

Max sessions (IPv4 or IPv6)

250,000

250,000

100,000 / 50,000

Table 5. The VM-300, VM-200 and VM-100 virtual Palo Alto firewall appliances

Palo Alto Firewalls have been quickly adopted by thousands of organizations around the globe thanks to their advanced security features, incredible performance and ability to provide complete unified threat management security services without degrading network speed. Visit our Palo Alto Firewall section for more technical and how-to articles.

Your IP address:

3.133.156.193

All-in-one protection for Microsoft 365

All-in-one protection for Microsoft 365

FREE Hyper-V & VMware Backup

FREE Hyper-V & VMware Backup

Wi-Fi Key Generator

Generate/Crack any
WEP, WPA, WPA2 Key!

Network and Server Monitoring

Network and Server Monitoring

Follow Firewall.cx

Cisco Password Crack

Decrypt Cisco Type-7 Passwords on the fly!

Decrypt Now!

Bandwidth Monitor

Zoho Netflow Analyzer Free Download

Free PatchManager

Free PatchManager

EventLog Analyzer

ManageEngine Eventlog Analyzer

Security Podcast

Hornet-Security-The-Swarm-Podcast

Firewall Analyzer

zoho firewall analyzer