Palo Alto Networks | Upgrade Older Models
Please note: the last time this page was updated, all the Palo Alto Networks firewalls listed on this page were still actively being sold, supported and receiving PAN-OS updates. This page is provided as a courtesy to our existing and prospective customers who may want to consider newer models for performance or fiscal reasons.

New PAN Firewall Upgrade Choices



On February 7, 2017, Palo Alto Networks announced PAN-OS 8.0 and a slew of new hardware offerings.


Quick overview of the newly announced PA models:
- PA220: Half the list price of the PA200, more ports, more performance, what's not to love?
- PA8xx: Entry model is the same list price as the PA500, more performance and a more responsive GUI
- PA5xxx: Excellent performance increases, with three models to choose from

PA200 Upgrade Choices

If you already own a PAN PA-200, consider a PA-220 replacement for it. While the PA-200 is still being sold and supported, the performance difference alone warrants an upgrade.

PA220 - New Model

Compared to PA200:
- More ports
- More performance
- HALF the hardware price
- Redundant power input option!
- HA capable
- USB port for larger deployments
- Still quiet/fanless
- Better throughput than PA500
  • 500 Mbps firewall throughput (App-ID enabled)
  • 150 Mbps threat prevention throughput
  • 100 Mbps IPSec VPN throughput
  • 64,000 max sessions
  • 4,200 new sessions per second
  • 250 IPSec VPN tunnels/tunnel interfaces
  • 3 virtual routers
  • 15 security zones
  • 250 max number of policies
PA200 info:




  • 100 Mbps firewall throughput (App-ID enabled)
  • 50 Mbps threat prevention throughput
  • 50 Mbps IPSec VPN throughput
  • 64,000 max sessions
  • 1,000 new sessions per second
  • 25 IPSec VPN tunnels/tunnel interfaces
  • 25 SSL VPN Users
  • 10 security zones
  • 250 max number of policies

PA500 Upgrade Choices

If you already own a PAN PA-500, you have a couple of choices. While the PA-500 is still being sold and supported, the performance difference alone warrants an upgrade. Renewal costs are lower for a PA-220 and the same for the far better PA-820.

You can either go to a smaller PA-220 unit that has better throughput than the PA-500 or move up the line to a PA-800 series (two choices) and get substantially better performance, GUI responsiveness and a redundant power supply option. The PA-8xx is rack mountable like the PA-500.

PA220 - New Model


PA8xx - New Models


PA850 - New Model

  • 1.9 Gbps firewall throughput (App-ID enabled)
  • 780 Mbps threat prevention throughput
  • 500 Mbps IPSec VPN throughput
  • 192,000 max sessions
  • 9,500 new sessions per second
  • 1000 IPSec VPN tunnels/tunnel interfaces
  • 5 virtual routers
  • 40 security zones
  • 1,500 max number of policies

PA3020, PA3050 and PA3060 Upgrade Choices

If you already own a PAN PA-3xxx, you have a new series with three models to choose from. While the PA-3xxx series is still being sold and supported and has great performance and a responsive GUI, the substantial increase in performance may warrant an upgrade. Check out the higher speed physical ports too.

Depending upon the model you have and are considering, look at the greater performance you get and renewal costs.

PA52xx - New Models

- 5220: 100/1000/10G copper, 10Gig SFP+ and 40G (QSFP+) ports
- 5250/5260: 100/1000/10G copper, 16 Gig/10Gig SFP/SFP+ and 4 40G/100G QSFP28
- Dual SSD drives and 2 TB HDD, RAID1, log storage

PA5020, PA5050 and PA5060

If you already own a PAN PA-5xxx, you have a new series with three models to choose from. While the PA-5xxx series is still being sold and supported and has great performance and a responsive GUI, the performance increase and port choices may warrant an upgrade. Of special note are the IPSec and max sessions improvements.

Perhaps you've been holding out on making the much bigger leap to the 7xxx chassis model because you're not quite ready for that. Now you have excellent performance choices without the huge leap in physical space and dollars.
- 5220: 100/1000/10G copper, 10Gig SFP+ and 40G (QSFP+) ports
- 5250/5260: 100/1000/10G copper, 16 Gig/10Gig SFP/SFP+ and 4 40G/100G QSFP28
- Dual SSD drives and 2 TB HDD, RAID1, log storage

Palo Alto Networks PAN-OS 8 introduces a number of new/enhanced features. The release notes alone are 60 pages.

I would say this is all about enhanced cyber security along with management features.

Following are just some of my favorite new features:
Content Inspection Features
Phishing sites are sites that attackers disguise as legitimate websites with the aim of stealing user information, especially the passwords that provide access to your network. You can now identify and prevent in‐progress phishing attacks by controlling the sites to which users can submit corporate credentials, based on the site’s URL category. This feature integrates with User‐ID (group mapping or user mapping, depending on which method you choose to detect credentials) to enable the firewall to detect when users are attempting to submit their corporate username, or username and password, and block the submission.
Palo Alto Networks now provides malicious IP address feeds that you can use to help secure your network from known malicious hosts on the Internet. One feed contains IP addresses verified as malicious by Palo Alto Networks, and another feed contains malicious IP addresses from reputable third‐party threat advisories. Palo Alto Networks maintains both feeds, which you can reference in Security policy rules to allow or block traffic. You can also create your own external dynamic lists based on these feeds and customize them as needed. You must have an active Threat Prevention license to view and use the Palo Alto Networks malicious IP address feeds.
C2 signatures—signatures that detect where a compromised system is surreptitiously communicating with an attacker’s remote server—are now generated automatically. While C2 protection is not new, previous signatures looked for an exact match to a domain name or a URL to identify a C2 host. The new, automatically‐generated C2 signatures detect certain patterns in C2 traffic, providing more accurate, timely, and robust C2 detection even when the C2 host is unknown or changes rapidly.
The Malware and Phishing URL categories in PAN‐DB are now updated every five minutes, based on the latest malicious and phishing sites WildFire identifies. These more frequent updates ensure that the firewall is equipped with the very latest information to detect and then block access to malicious and phishing sites.
WildFire Features
The new WildFire Phishing Verdict classifies phishing links detected in emails separately from other emailed links found to be exploits or malware. The firewall logs WildFire submissions that are phishing links to indicate that such a link has been detected in an email.

With both a WildFire license and a PAN‐DB license, you can block access to phishing sites within 5 minutes of initial discovery.
The new WildFire Analysis of Blocked Files enables the firewall to submit blocked files that match existing antivirus signatures for WildFire analysis, in addition to unknown files, so that WildFire can extract valuable information from new malware variants. Malware signatures often match multiple variants of the same malware family, and as such, block new malware variants that the firewall has never seen before. Sending these blocked malware samples for WildFire analysis allows WildFire to analyze them for additional URLs, domain names, and IP addresses that must be blocked. Since all WildFire analysis data is also available on AutoFocus, you can now use WildFire and AutoFocus together to get a more complete perspective of all threats targeting your network, improving the efficacy of your security operations, incident response, and threat intelligence functions.
Authentication Features
To protect your network resources from attackers, you can use the new Authentication policy to ensure all your end users authenticate when they access those resources.

Authentication policy is an improved replacement for Captive Portal policy, which enforced authentication only for some users. Authentication policy has the additional benefit of enabling you to choose how many authentication challenges of different types (factors) users must respond to. Using multiple factors of authentication (MFA) is particularly useful for protecting your most sensitive resources. For example, you can force users to enter a login password and then enter a verification code that they receive by phone.

This approach ensures attackers can’t invade your network and move laterally through it just by stealing passwords. If you want to spare users the hassle of responding to multiple challenges for resources that don’t need such a high degree of protection, you can also have Authentication policy rules that enforce only password or certificate authentication.

The firewall makes it easy to implement MFA in your network by integrating directly with several MFA platforms (Duo v2, Okta Adaptive, and PingID) and integrating through RADIUS with all other MFA platforms.
Decryption Features
You now have increased flexibility to manage traffic excluded from decryption. New, centralized SSL decryption exclusion management enables you to both create your own custom decryption exclusions, and to review Palo Alto Networks predefined decryption exclusions in a single place:
- A simplified workflow allows you to easily exclude traffic from decryption based on hostname.
- The firewall does not decrypt applications that are known to break during decryption.

Now, you can view these decryption exceptions directly on the firewall. Updates and additions to the Palo Alto Networks predefined decryption exclusions are delivered to the firewall in content updates and are enabled by default.
GlobalProtect Features
Clientless VPN, which provides secure remote access to common enterprise web applications that use HTML, HTML5, and JavaScript technologies, is now available in public beta. Users have the advantage of secure access from SSL‐enabled web browsers without installing GlobalProtect client software. This is useful when you need to enable partner or contractor access to applications, and to safely enable unmanaged assets, including personal devices.

You can configure the GlobalProtect portal landing page to provide access to web applications based on users and user groups, and also allow single sign‐on to SAML‐enabled applications. Supported operating systems are Windows, Mac, iOS, Android, Chrome, and Linux. Supported browsers are Chrome, Internet Explorer, Safari, and Firefox.

This feature requires you to install a GlobalProtect subscription on the firewall that hosts the Clientless VPN from the GlobalProtect portal.
Management Features
You can now commit, validate, preview, save, and revert changes that you made in a Panorama or firewall configuration independent of changes that other administrators have made. This simplifies your configuration workflow because you don't have to coordinate commits with other administrators when your changes are unrelated to theirs, or worry about reverting changes other administrators made that weren't ready.
NOTE: Newer proposed models mentioned on this page all require, ship with and only support versions of PAN-OS starting with version 8.x
© 2017 Altaware, Inc. All rights reserved. | Cyber security reseller/VAR Orange County, CA | 866-833-4070