PA-5200 Series

Highlights
• World’s first ML-Powered NGFW
• Eight-time Leader in the Gartner Magic Quadrant® for Network Firewalls
• Leader in The Forrester Wave™: Enterprise Firewalls, Q3 2020
• Highest Security Effectiveness score in the 2019 NSS Labs NGFW Test Report, with 100% of evasions blocked
• Extends visibility and security to all devices, including unmanaged IoT devices, without the need to deploy additional sensors
• Supports high availability with active/active and active/passive modes
• Delivers predictable performance with security services

PA-5260

Palo Alto Networks PA-5200 Series ML-Powered NGFWs—the PA-5280, PA-5260, PA-5250, and PA-5220—are ideal for high-speed data center, internet gateway, and service provider deployments. The PA-5200 Series delivers up to 64 Gbps of throughput, using dedicated processing and memory, for the key functional areas of networking, security, threat prevention, and management.

Strata by Palo Alto Networks | PA-5200 Series | Datasheet 1


The world’s first ML-Powered NGFW enables you to prevent unknown threats, see and secure everything—including the internet of things (IoT)—and reduce errors with automatic policy recommendations. The controlling element of the PA-5200 is PAN-OS®, the same software that runs all Palo Alto Networks Next-Generation Firewalls. PAN-OS natively classifies all traffic, inclusive of applications, threats, and content, and then ties that traffic to the user regardless of location or device type. The application, content, and user—in other words, the elements that run your business—then serve as the basis of your security policies, resulting in improved security posture and reduced incident response time.

Key Security and Connectivity Features

ML-Powered Next-Generation Firewall
• Embeds machine learning (ML) in the core of the firewall to provide inline signatureless attack prevention for file-based attacks while identifying and immediately stopping never-before-seen phishing attempts.
• Leverages cloud-based ML processes to push zero-delay signatures and instructions back to the NGFW.
• Uses behavioral analysis to detect IoT devices and make policy recommendations; cloud-delivered and natively integrated service on the NGFW.
• Automates policy recommendations that save time and reduce the chance of human error.

Identifies and categorizes all applications, on all ports, all the time, with full Layer 7 inspection
• Identifies the applications traversing your network irrespective of port, protocol, evasive techniques, or encryption (TLS/SSL).
• Uses the application, not the port, as the basis for all your safe enablement policy decisions: allow, deny, schedule, inspect, and apply traffic-shaping.
• Offers the ability to create custom App-IDs for proprietary applications or request App-ID development for new applications from Palo Alto Networks.
• Identifies all payload data within the application, such as files and data patterns, to block malicious files and thwart data exfiltration attempts.
• Creates standard and customized application usage reports, including software-as-a-service (SaaS) reports that provide insight into all SaaS traffic—sanctioned and unsanctioned—on your network.
• Enables safe migration of legacy Layer 4 rule sets to App-ID-based rules with built-in Policy Optimizer, giving you a rule set that is more secure and easier to manage.

Enforces security for users at any location, on any device, while adapting policy in response to user activity
• Enables visibility, security policies, reporting, and forensics based on users and groups—not just IP addresses.
• Easily integrates with a wide range of repositories to leverage user information: wireless LAN controllers, VPNs, directory servers, SIEMs, proxies, and more.
• Allows you to define Dynamic User Groups (DUGs) on the firewall to take time-bound security actions without waiting for changes to be applied to user directories.
• Applies consistent policies irrespective of users’ locations (office, home, travel, etc.) and devices (iOS and Android® mobile devices, macOS®, Windows®, Linux desktops, laptops; Citrix and Microsoft VDI and Terminal Servers).
• Prevents corporate credentials from leaking to third-party websites, and prevents reuse of stolen credentials by enabling multi-factor authentication (MFA) at the network layer for any application, without any application changes.
• Provides dynamic security actions based on user behavior to restrict suspicious or malicious users.

Prevents malicious activity concealed in encrypted traffic
• Inspects and applies policy to TLS/SSL-encrypted traffic, both inbound and outbound, including for traffic that uses TLS 1.3 and HTTP/2.
• Offers rich visibility into TLS traffic, such as amount of encrypted traffic, TLS/SSL versions, cipher suites, and more, without decrypting.
• Enables control over use of legacy TLS protocols, insecure ciphers, and incorrectly configured certs to mitigate risks.
• Facilitates easy deployment of decryption and lets you use built-in logs to troubleshoot issues, such as applications with pinned certs.
• Lets you enable or disable decryption flexibly based on URL category and source and destination zone, address, user, user group, device, and port, for privacy and regulatory compliance purposes.
• Allows you to create a copy of decrypted traffic from the firewall (i.e., decryption mirroring) and send it to traffic collection tools for forensics, historical purposes, or data loss prevention (DLP).

Extends native protection across all attack vectors with cloud-delivered security subscriptions
• Threat Prevention—inspects all traffic to automatically block known vulnerabilities, malware, vulnerability exploits, spyware, command and control (C2), and custom intrusion prevention system (IPS) signatures.
• WildFire® malware prevention—unifies inline machine learning protection with robust cloud-based analysis to instantly prevent new threats in real time as well as discover and remediate evasive threats faster than ever.
• URL Filtering—prevents access to malicious sites and protects users against web-based threats, including credential phishing attacks.
• DNS Security—detects and blocks known and unknown threats over DNS (including data exfiltration via DNS tunneling), prevents attackers from bypassing security measures, and eliminates the need for independent tools or changes to DNS routing.
• IoT Security—discovers all unmanaged devices in your network quickly and accurately with ML, without the need to deploy additional sensors. Identifies risks and vulnerabilities, prevents known and unknown threats, provides risk-based policy recommendations, and automates enforcement.
Delivers a unique approach to packet processing with Single-Pass Architecture
• Performs networking, policy lookup, application and decoding, and signature matching—for any and all threats and content—in a single pass. This significantly reduces the amount of processing overhead required to perform multiple functions in one security device.
• Enables consistent and predictable performance when security subscriptions are enabled.
• Avoids introducing latency by scanning traffic for all signatures in a single pass, using stream-based, uniform signature matching.

Enables SD-WAN functionality
• Allows you to easily adopt SD-WAN by simply enabling it on your existing firewalls.
• Enables you to safely implement SD-WAN, which is natively integrated with our industry-leading security.
• Delivers an exceptional end user experience by minimizing latency, jitter, and packet loss.

Table 1: PA-5200 Series Performance and Capacities


                                              PA-5280        PA-5260        PA-5250        PA-5220
Firewall throughput (HTTP/appmix)*            58/65 Gbps     58/65 Gbps     38/37 Gbps     16/18 Gbps
Threat Prevention throughput (HTTP/appmix)†   29/36 Gbps     29/36 Gbps     19.5/24 Gbps   8.2/10 Gbps
IPsec VPN throughput‡                         28 Gbps        28 Gbps        19 Gbps        11 Gbps
Max sessions                                  65M            32M            8M             4M
New sessions per second§                      600,000        600,000        382,000        180,000
Virtual systems (base/max)||                  25/225         25/225         25/125         10/20

Note: Results were measured on PAN-OS 10.0.


* Firewall throughput is measured with App-ID and logging enabled, utilizing 64 KB HTTP/appmix transactions.
† Threat Prevention throughput is measured with App-ID, IPS, antivirus, anti-spyware, WildFire, file blocking, and logging enabled, utilizing 64 KB HTTP/appmix transactions.
‡ IPsec VPN throughput is measured with 64 KB HTTP transactions and logging enabled.
§ New sessions per second is measured with application-override, utilizing 1 byte HTTP transactions.
|| Adding virtual systems over base quantity requires a separately purchased license.

Table 2: PA-5200 Series Networking Features

Interface Modes
• L2, L3, tap, virtual wire (transparent mode)

Routing
• OSPFv2/v3 with graceful restart, BGP with graceful restart, RIP, static routing
• Policy-based forwarding
• Point-to-point protocol over Ethernet (PPPoE) and DHCP supported for dynamic address assignment
• Multicast: PIM-SM, PIM-SSM, IGMP v1, v2, and v3
• Bidirectional Forwarding Detection (BFD)

SD-WAN
• Path quality measurement (jitter, packet loss, latency)
• Initial path selection (PBF)
• Dynamic path change

IPv6
• L2, L3, tap, virtual wire (transparent mode)
• Features: App-ID, User-ID, Content-ID, WildFire, and SSL Decryption
• SLAAC

IPsec VPN
• Key exchange: manual key, IKEv1 and IKEv2 (pre-shared key, certificate-based authentication)
• Encryption: 3DES, AES (128-bit, 192-bit, 256-bit)
• Authentication: MD5, SHA-1, SHA-256, SHA-384, SHA-512
• GlobalProtect large-scale VPN for simplified configuration and management

VLANs
• 802.1Q VLAN tags per device/per interface: 4,094/4,094
• Aggregate interfaces (802.3ad), LACP

Network Address Translation
• NAT modes (IPv4): static IP, dynamic IP, dynamic IP and port (port address translation)
• NAT64, NPTv6
• Additional NAT features: dynamic IP reservation, tunable dynamic IP and port oversubscription

High Availability
• Modes: active/active, active/passive, HA clustering
• Failure detection: path monitoring, interface monitoring

Mobile Network Infrastructure
• GTP Security
• SCTP Security



Table 3: PA-5200 Series Hardware Specifications

I/O
• PA-5280 / PA-5260 / PA-5250: 100/1000/10G Cu (4), 1G/10G SFP/SFP+ (16), 40G/100G QSFP28 (4)
• PA-5220: 100/1000/10G Cu (4), 1G/10G SFP/SFP+ (16), 40G QSFP+ (4)

Management I/O
• PA-5280 / PA-5260 / PA-5250: 10/100/1000 (2), 40G/100G QSFP28 HA (1), 10/100/1000 out-of-band management (1), RJ45 console port (1)
• PA-5220: 10/100/1000 (2), 40G QSFP+ HA (1), 10/100/1000 out-of-band management (1), RJ45 console port (1)

Storage Capacity
• 240 GB SSD, RAID1, system storage
• 2 TB HDD, RAID1, log storage

Power Supply (Avg/Max Power Consumption)
• 571/685 W

Max BTU/hr
• 2,340

Power Supplies (Base/Max)
• 1:1 fully redundant (2/2)

AC Input Voltage (Input Hz)
• 100–240 VAC (50–60 Hz)

AC Power Supply Output
• 1,200 watts/power supply

Max Current Consumption
• AC: 8.5 A @ 100 VAC, 3.6 A @ 240 VAC
• DC: 19 A @ -40 VDC, 12.7 A @ -60 VDC

Max Inrush Current
• AC: 50 A @ 230 VAC, 50 A @ 120 VAC
• DC: 200 A @ 72 VDC

9.23 years

Rack Mount (Dimensions)
• 3U, 19” standard rack
• 5.25” H x 20.5” D x 17.25” W

Weight (Standalone Device/As Shipped)
• 46 lbs / 62 lbs

Safety
• cTUVus, CB

EMI
• FCC Class A, CE Class A, VCCI Class A

Certifications
• See paloaltonetworks.com/company/certifications.html

Environment
• Operating temperature: 32° to 122° F, 0° to 50° C
• Non-operating temperature: -4° to 158° F, -20° to 70° C

To view additional information about the features and associated capacities of the PA-5200 Series, please visit paloaltonetworks.com/network-security/next-generation-firewall/pa-5200-series.

3000 Tannery Way
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

© 2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. pa-5200-110620
