Please note that, as of the last update of this page, all the Palo Alto Networks firewalls listed here (except the legacy PA-2020 and PA-2050) were still actively being sold, supported and receiving PAN-OS updates. This page is provided as a courtesy to our existing and prospective customers regarding newer-model considerations for performance or fiscal reasons.
On February 7, 2017, Palo Alto Networks announced PAN-OS 8.0 and a slew of new hardware offerings.
Quick overview of the recent PA model announcements:
- PA220: Half the list price of the PA200, more ports, more performance, what's not to love?
- PA8xx: Entry model is the same list price as the PA500, with more performance and a more responsive GUI
- PA32xx: Three new models from February 2018
- PA52xx: Excellent performance increases, with three models to choose from
PA200 Upgrade Choices
If you already own a PAN PA-200, consider a PA-220 replacement for it. While the PA-200 is still being sold and supported, the performance difference alone warrants an upgrade.
PA220 - New Model
Compared to PA200:
- More ports
- More performance
- HALF the hardware price
- Redundant power input option!
- HA capable
- USB port for larger deployments
- Still quiet/fanless
- Better throughput than PA500
500 Mbps firewall throughput (App-ID enabled)
150 Mbps threat prevention throughput
100 Mbps IPSec VPN throughput
64,000 max sessions
4,200 new sessions per second
250 IPSec VPN tunnels/tunnel interfaces
3 virtual routers
15 security zones
250 max number of policies
PA500 Upgrade Choices
If you already own a PAN PA-500, you have a couple of choices. While the PA-500 is still being sold and supported, the performance difference alone warrants an upgrade. Renewal costs are lower for a PA-220 and the same for the far better PA-820.
You can either go to a smaller PA-220 unit that has better throughput than the PA-500 or move up the line to a PA-800 series (two choices) and get substantially better performance, GUI responsiveness and a redundant power supply option. The PA-8xx is rack mountable like the PA-500.
PA850 - New Model
1.9 Gbps firewall throughput (App-ID enabled)
780 Mbps threat prevention throughput
500 Mbps IPSec VPN throughput
192,000 max sessions
9,500 new sessions per second
1000 IPSec VPN tunnels/tunnel interfaces
5 virtual routers
40 security zones
1,500 max number of policies
PA2020 and PA2050 Upgrade Choices
If you already own a PAN PA-2020 or PA-2050, then it's time to replace the EOS (End-of-Sale) hardware with newer platforms. The management GUI on those older platforms just can't handle the new PAN-OS operating systems.
The PA-800 series (two choices) offers good performance, improved GUI responsiveness and a redundant power supply option on the PA-850. The PA-8xx is rack mountable like the PA-2020 and PA-2050.
The PA-3020 offers improved performance and retains a nice rackmount form factor.
PA3020, PA3050 and PA3060 Upgrade Choices
If you already own a PAN PA-3xxx, there is a new PA-32xx series with three models to choose from. While the PA-3xxx series is still being sold and supported, and has great performance and a responsive GUI, the substantial performance increase of the new models may warrant an upgrade. Check out the higher-speed physical ports too on both new x2xx series (PA-52xx and PA-32xx).
Depending upon the model you have and are considering, look at the additional performance and connectivity you can get with the new choices.
If you already own a PAN PA-5xxx, there is a new series with three models to choose from. While the PA-5xxx series is still being sold and supported, and has great performance and a responsive GUI, the performance increase and port choices may warrant an upgrade. Of special note are the IPSec and max-sessions improvements.
Perhaps you've been holding out on making the much bigger leap to the 7xxx chassis model because you're not quite ready for that. Now you have excellent performance choices without the huge leap in physical space and dollars.
Phishing sites are sites that attackers disguise as legitimate websites in order to steal user information, especially the passwords that provide access to your network. You can now identify and prevent in-progress phishing attacks by controlling the sites to which users can submit corporate credentials, based on the site's URL category. This feature integrates with User-ID (group mapping or user mapping, depending on which method you choose to detect credentials) so that the firewall can detect when users attempt to submit their corporate username, or username and password, and block the submission.
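As an added illustration (not Palo Alto Networks code), the following Python models the decision the feature makes: the submitted username is checked against a constructed User-ID group mapping, and the destination URL's category against the categories where corporate credential submission is permitted. The hostnames, categories, usernames and form field names are all constructed sample data.

```python
"""Toy model of credential-phishing prevention by URL category (added example, not PAN-OS code)."""
from urllib.parse import urlsplit, parse_qs

# Constructed data: corporate accounts known from User-ID group mapping,
# and a PAN-DB-style hostname -> URL category lookup.
CORP_USERS = {"alice", "bob"}
URL_CATEGORY = {
    "sso.corp.example": "corporate-login",
    "mail.corp.example": "corporate-login",
    "c0rp-login.example": "phishing",   # look-alike domain, constructed
    "news.example": "news",
}
# Categories to which corporate credential submission is permitted.
ALLOW_SUBMISSION_TO = {"corporate-login"}


def categorize(url):
    """Return the URL category of the request's host ('unknown' when not in the table)."""
    return URL_CATEGORY.get(urlsplit(url).hostname, "unknown")


def extract_username(form_body):
    """Pull the username out of a URL-encoded POST body (constructed field names)."""
    fields = parse_qs(form_body)
    for name in ("username", "user", "login", "email"):
        if name in fields:
            # Normalize 'Alice@corp.example' to 'alice' for the mapping lookup.
            return fields[name][0].split("@")[0].lower()
    return None


def credential_submission_verdict(url, form_body):
    """'block' when a corporate username is posted to a non-trusted category, else 'allow'."""
    user = extract_username(form_body)
    if user not in CORP_USERS:
        return "allow"  # not a corporate credential, so the rule does not apply
    if categorize(url) in ALLOW_SUBMISSION_TO:
        return "allow"
    return "block"


if __name__ == "__main__":
    body = "username=alice&password=hunter2"
    for target in ("https://sso.corp.example/auth", "https://c0rp-login.example/login"):
        print(target, credential_submission_verdict(target, body))
```

Note that an unknown destination is treated as untrusted here, so a corporate credential posted to an uncategorized site is blocked; only the explicitly allowed categories pass.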
Palo Alto Networks now provides malicious IP address feeds that you can use to help secure your network from known malicious hosts on the Internet. One feed contains IP addresses verified as malicious by Palo Alto Networks, and another feed contains malicious IP addresses from reputable third-party threat advisories. Palo Alto Networks maintains both feeds, which you can reference in Security policy rules to allow or block traffic. You can also create your own external dynamic lists based on these feeds and customize them as needed. You must have an active Threat Prevention license to view and use the Palo Alto Networks malicious IP address feeds.
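An added example (not Palo Alto Networks code) of what a custom list derived from those feeds looks like from the firewall's side: the script parses a constructed external dynamic list in the one-entry-per-line format and then emulates a Security rule that denies traffic to any matching destination. The comment syntax and range handling are assumptions; check the PAN-OS documentation for the exact list format and the per-model entry limits before publishing a list.

```python
"""Offline check of a custom external dynamic list (EDL) of IP addresses.

Added example, not PAN-OS code. Assumed list format: one IPv4/IPv6 address,
CIDR subnet or "start-end" range per line; blank lines and lines starting
with '#' are ignored (assumption, verify against the PAN-OS EDL docs).
"""
import ipaddress

# Constructed sample list, as you might host it for the firewall to fetch.
SAMPLE_EDL = """\
# custom block list derived from the malicious IP feeds (constructed)
198.51.100.7
203.0.113.0/24
192.0.2.10-192.0.2.20
2001:db8:bad::/48
"""


def parse_edl(text):
    """Return ip_network objects for every entry; ranges are summarized into subnets."""
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "-" in line:  # "start-end" range (IPv6 literals never contain '-')
            start, end = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(start, end))
        else:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def policy_action(dst_ip, edl_nets, action_on_match="deny"):
    """Emulate a Security rule whose destination object is the EDL."""
    addr = ipaddress.ip_address(dst_ip)
    # 'in' is False across IP versions, so mixed v4/v6 lists are safe to scan.
    if any(addr in net for net in edl_nets):
        return action_on_match
    return "allow"


def evaluate(destinations, text=SAMPLE_EDL):
    """Map each destination IP to the action the emulated rule would take."""
    nets = parse_edl(text)
    return {dst: policy_action(dst, nets) for dst in destinations}


if __name__ == "__main__":
    sample = ["203.0.113.45", "192.0.2.15", "192.0.2.21", "2001:db8:bad::1", "8.8.8.8"]
    for dst, action in evaluate(sample).items():
        print(f"{dst:>18} -> {action}")
```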
C2 signatures—signatures that detect where a compromised system is surreptitiously communicating with an attacker’s remote server—are now generated automatically. While C2 protection is not new, previous signatures looked for an exact match to a domain name or a URL to identify a C2 host. The new, automatically generated C2 signatures detect certain patterns in C2 traffic, providing more accurate, timely, and robust C2 detection even when the C2 host is unknown or changes rapidly.
The Malware and Phishing URL categories in PAN-DB are now updated every five minutes, based on the latest malicious and phishing sites WildFire identifies. These more frequent updates ensure that the firewall is equipped with the very latest information to detect and then block access to malicious and phishing sites.
The new WildFire Phishing Verdict classifies phishing links detected in emails separately from other emailed links found to be exploits or malware. The firewall logs WildFire submissions that are phishing links to indicate that such a link has been detected in an email.
With both a WildFire license and a PAN-DB license, you can block access to phishing sites within 5 minutes of initial discovery.
The new WildFire Analysis of Blocked Files enables the firewall to submit blocked files that match existing antivirus signatures for WildFire analysis, in addition to unknown files, so that WildFire can extract valuable information from new malware variants. Malware signatures often match multiple variants of the same malware family, and as such, block new malware variants that the firewall has never seen before. Sending these blocked malware samples for WildFire analysis allows WildFire to analyze them for additional URLs, domain names, and IP addresses that must be blocked. Since all WildFire analysis data is also available on AutoFocus, you can now use WildFire and AutoFocus together to get a more complete perspective of all threats targeting your network, improving the efficacy of your security operations, incident response, and threat intelligence functions.
To protect your network resources from attackers, you can use the new Authentication policy to ensure all your end users authenticate when they access those resources.
Authentication policy is an improved replacement for Captive Portal policy, which enforced authentication only for some users. Authentication policy has the additional benefit of enabling you to choose how many authentication challenges of different types (factors) users must respond to. Using multiple factors of authentication (MFA) is particularly useful for protecting your most sensitive resources. For example, you can force users to enter a login password and then enter a verification code that they receive by phone.
This approach ensures attackers can’t invade your network and move laterally through it just by stealing passwords. If you want to spare users the hassle of responding to multiple challenges for resources that don’t need such a high degree of protection, you can also have Authentication policy rules that enforce only password or certificate authentication.
The firewall makes it easy to implement MFA in your network by integrating directly with several MFA platforms (Duo v2, Okta Adaptive, and PingID) and integrating through RADIUS with all other MFA platforms.
You now have increased flexibility to manage traffic excluded from decryption. New, centralized SSL decryption exclusion management enables you both to create your own custom decryption exclusions and to review the Palo Alto Networks predefined decryption exclusions in a single place:
- A simplified workflow allows you to easily exclude traffic from decryption based on hostname.
- The firewall does not decrypt applications that are known to break during decryption.
Now, you can view these decryption exceptions directly on the firewall. Updates and additions to the Palo Alto Networks predefined decryption exclusions are delivered to the firewall in content updates and are enabled by default.
Clientless VPN, which provides secure remote access to common enterprise web applications that use HTML, HTML5, and JavaScript technologies, is now available in public beta. Users have the advantage of secure access from SSL-enabled web browsers without installing GlobalProtect client software. This is useful when you need to enable partner or contractor access to applications, and to safely enable unmanaged assets, including personal devices.
You can configure the GlobalProtect portal landing page to provide access to web applications based on users and user groups and also allow single sign-on to SAML-enabled applications. Supported operating systems are Windows, Mac, iOS, Android, Chrome, and Linux. Supported browsers are Chrome, Internet Explorer, Safari, and Firefox.
This feature requires you to install a GlobalProtect subscription on the firewall that hosts the Clientless VPN from the GlobalProtect portal.
You can now commit, validate, preview, save, and revert changes that you made in a Panorama or firewall configuration independent of changes that other administrators have made. This simplifies your configuration workflow because you don't have to coordinate commits with other administrators when your changes are unrelated to theirs, or worry about reverting changes other administrators made that weren't ready.
NOTE: The newer models mentioned on this page all ship with, require and only support PAN-OS versions starting with 8.x.