Compare Firewall Products
Branch Offices and Medium-Sized Enterprises:
| PA-200 | PA-500 | PA-3020 | PA-3050 | PA-3060 | |
|---|---|---|---|---|---|
 |
 |
 |
 |
 |
|
| Performance | |||||
| App-ID firewall throughput | 100 Mbps | 250 Mbps | 2 Gbps | 4 Gbps | 4 Gbps |
| Threat prevention throughput | 50 Mbps | 100 Mbps | 1 Gbps | 2 Gbps | 2 Gbps |
| IPSec VPN throughput | 50 Mbps | 50 Mbps | 500 Mbps | 500 Mbps | 500 Mbps |
| Connections per second | 1,000 | 7,500 | 50,000 | 50,000 | 50,000 |
| Sessions | |||||
| Max sessions (IPv4 or IPv6) | 64,000 | 64,000 | 250,000 | 500,000 | 500,000 |
| Policies | |||||
| Security rules | 250 | 1,000 | 2,500 | 5,000 | 5,000 |
| Security rule schedules | 256 | 256 | 256 | 256 | 256 |
| NAT rules | 160 | 160 | 3,000 | 5,000 | 5,000 |
| Decryption rules | 100 | 100 | 250 | 500 | 500 |
| App override rules | 100 | 100 | 250 | 500 | 500 |
| QoS rules | 100 | 100 | 1,000 | 1,000 | 1,000 |
| Policy based forwarding rules | 100 | 100 | 500 | 500 | 500 |
| Captive portal rules | 10 | 10 | 1,000 | 1,000 | 1,000 |
| DoS protection rules | 100 | 100 | 1,000 | 1,000 | 1,000 |
| Security Zones | |||||
| Max security zones | 10 | 20 | 40 | 40 | 40 |
| Objects (addresses and services) | |||||
| Address objects | 2,500 | 2,500 | 5,000 | 10,000 | 10,000 |
| Address groups | 125 | 250 | 500 | 1,000 | 1,000 |
| Members per address group | 500 | 500 | 500 | 500 | 500 |
| Service objects | 1,000 | 1,000 | 1,000 | 1,000 | 1,000 |
| Service groups | 250 | 250 | 250 | 250 | 250 |
| Members per service group | 500 | 500 | 500 | 500 | 500 |
| FQDN address objects | 1,000 | 1,000 | 1,000 | 1,000 | 1,000 |
| Max IP addresses registered per system | 1,000 | 1,000 | 5,000 | 5,000 | 5,000 |
| Security Profiles | |||||
| Security profiles | 25 | 50 | 100 | 250 | 100 |
| App-ID | |||||
| Custom App-ID signatures | 6,000 | 6,000 | 6,000 | 6,000 | 6,000 |
| Shared custom App-ID signatures | 512 | 512 | 512 | 512 | 512 |
| Custom App-IDs (virtual system specific) | 6,416 | 6,416 | 6,416 | 6,416 | 6,416 |
| User-ID | |||||
| User-IP mappings (management plane) | 512,000 | 512,000 | 512,000 | 512,000 | 512,000 |
| User-IP mappings (data plane) | 64,000 | 64,000 | 64,000 | 64,000 | 64,000 |
| Active and unique groups used in policy | 640 | 640 | 640 | 640 | 640 |
| Number of agents | 100 | 100 | 100 | 100 | 100 |
| Monitored servers per agent | 100 | 100 | 100 | 100 | 100 |
| Maximum terminal services agents | 400 | 400 | 400 | 400 | 400 |
| SSL Decryption | |||||
| Max SSL inbound certificates | 25 | 25 | 25 | 25 | 25 |
| SSL certificate cache (forward proxy) | 128 | 128 | 128 | 128 | 128 |
| Max concurrent decryption sessions | 1,024 | 1,024 | 7,936 | 15,360 | 15,360 |
| URL Filtering | |||||
| Total entries for allow list, block list and custom categories | 25,000 | 25,000 | 25,000 | 25,000 | 25,000 |
| Max custom categories | 50 | 50 | 50 | 50 | 50 |
| Dataplane cache size for URL filtering | 5,000 | 10,000 | 20,000 | 20,000 | 20,000 |
| Management plane dynamic cache size | 1,000,000 | 1,000,000 | 1,000,000 | 1,000,000 | 1,000,000 |
| Interfaces | |||||
| 802.1q tags per device | 4,094 | 4,094 | 4,094 | 4,094 | 4,094 |
| 802.1q tags per physical interface | 4,094 | 4,094 | 4,094 | 4,094 | 4,094 |
| Max interfaces (logical and physical) | 100 | 288 | 1,024 | 1,024 | 2,048 |
| Maximum aggregate interfaces | NA | 4 | 8 | 8 | 8 |
| Virtual Routers and Wires | |||||
| Virtual routers | 3 | 3 | 10 | 10 | 10 |
| Virtual wires | 50 | 144 | 512 | 1,024 | 1,024 |
| Virtual Systems | |||||
| Base virtual systems | 1 | 1 | 1 | 1 | 1 |
| Max virtual systems | NA | NA | 6 | 6 | 6 |
| Routing | |||||
| IPv4 forwarding table size | 500 | 625 | 1,250 | 2,500 | 2,500 |
| IPv6 forwarding table size | 500 | 625 | 1,250 | 2,500 | 2,500 |
| Max route maps per virtual router | 50 | 50 | 50 | 50 | 50 |
| Max routing peers (protocol dependent) | 500 | 500 | 500 | 500 | 500 |
| Static entries - DNS proxy | 1,024 | 1,024 | 1,024 | 1,024 | 1,024 |
| L2 Forwarding | |||||
| ARP table size per device | 500 | 1,000 | 1,500 | 2,500 | 5,000 |
| IPv6 neighbor table size | 500 | 1,000 | 1,500 | 2,500 | 5,000 |
| MAC table size per device | 500 | 1,000 | 1,500 | 2,500 | 5,000 |
| Max ARP entries per broadcast domain | 500 | 1,000 | 1,500 | 2,500 | 5,000 |
| Max MAC entries per broadcast domain | 500 | 1,000 | 1,500 | 2,500 | 5,000 |
| NAT | |||||
| Total NAT rule capacity | 160 | 160 | 3,000 | 5,000 | 5,000 |
| Max NAT rules (static) | 160 | 160 | 3,000 | 5,000 | 5,000 |
| Max NAT rules (DIP) | 160 | 160 | 2,000 | 3,000 | 3,000 |
| Max NAT rules (DIPP) | 160 | 160 | 400 | 600 | 800 |
| DIPP pool oversubscription | 8 | 8 | 8 | 8 | 8 |
| Address Assignment | |||||
| DHCP servers | 3 | 3 | 10 | 10 | 10 |
| Max number of assigned addresses | 64,000 | 64,000 | 64,000 | 64,000 | 64,000 |
| High Availability | |||||
| Devices per cluster | 2 | 2 | 2 | 2 | 2 |
| Max virtual addresses | NA | 32 | 64 | 64 | 64 |
| QoS | |||||
| Number of QoS policies | 100 | 100 | 1,000 | 1,000 | 1,000 |
| Physical interfaces supporting QoS | 4 | 6 | 6 | 6 | 6 |
| Clear text nodes per physical interface | 32 | 32 | 32 | 32 | 32 |
| DSCP marking by policy | |||||
| Subinterfaces supported | NA | NA | NA | NA | NA |
| IPSec VPN | |||||
| Site to site and IKE with XAUTH tunnels (security associations) | 25 | 250 | 1,000 | 2,000 | 2,000 |
| Max IKE Peers | 25 | 250 | 1,000 | 1,000 | 1,000 |
| GlobalProtect Client VPN | |||||
| Max tunnels (SSL and IPSec) | 25 | 100 | 1,000 | 2,000 | 2,000 |
| Multicast | |||||
| Replication (egress interfaces) | 100 | 100 | 100 | 100 | 100 |
| Routes | 500 | 1,000 | 2,000 | 2,000 | 2,000 |
Enterprise Environments:
| PA-5020 | PA-5050 | PA-5060 | PA-7000-20G-NPC | PA-7050 | |
|---|---|---|---|---|---|
 |
 |
 |
 |
 |
|
| Performance | |||||
| App-ID firewall throughput | 5 Gbps | 10 Gbps | 20 Gbps | 20 Gbps | 120 Gbps |
| Threat prevention throughput | 2 Gbps | 5 Gbps | 10 Gbps | 10 Gbps | 60 Gbps |
| IPSec VPN throughput | 2 Gbps | 4 Gbps | 4 Gbps | 4 Gbps | 24 Gbps |
| Connections per second | 120,000 | 120,000 | 120,000 | 120,000 | 720,000 |
| Sessions | |||||
| Max sessions (IPv4 or IPv6) | 1,000,000 | 2,000,000 | 4,000,000 | 4,000,000 | 24,000,000 |
| Policies | |||||
| Security rules | 10,000 | 20,000 | 40,000 | 40,000 | 40,000 |
| Security rule schedules | 256 | 256 | 256 | 256 | 256 |
| NAT rules | 6,000 | 8,000 | 16,000 | 16,000 | 16,000 |
| Decryption rules | 1,000 | 2,000 | 5,000 | 5,000 | 5,000 |
| App override rules | 1,000 | 2,000 | 4,000 | 4,000 | 4,000 |
| QoS rules | 1,000 | 2,000 | 4,000 | 8,000 | 8,000 |
| Policy based forwarding rules | 500 | 2,000 | 2,000 | 2,000 | 2,000 |
| Captive portal rules | 1,000 | 2,000 | 4,000 | 4,000 | 4,000 |
| DoS protection rules | 1,000 | 1,000 | 2,000 | 2,000 | 2,000 |
| Security Zones | |||||
| Max security zones | 50 | 500 | 900 | 900 | 900 |
| Objects (addresses and services) | |||||
| Address objects | 10,000 | 40,000 | 80,000 | 80,000 | 80,000 |
| Address groups | 1,000 | 2,500 | 4,000 | 8,000 | 8,000 |
| Members per address group | 500 | 500 | 500 | 500 | 500 |
| Service objects | 1,000 | 2,000 | 4,000 | 8,000 | 8,000 |
| Service groups | 250 | 250 | 250 | 250 | 250 |
| Members per service group | 500 | 500 | 500 | 500 | 500 |
| FQDN address objects | 1,000 | 1,000 | 1,000 | 8,000 | 8,000 |
| Max IP addresses registered per system | 25,000 | 50,000 | 100,000 | 100,000 | 100,000 |
| Security Profiles | |||||
| Security profiles | 250 | 500 | 500 | 500 | 500 |
| App-ID | |||||
| Custom App-ID signatures | 6,000 | 6,000 | 6,000 | 6,000 | 6,000 |
| Shared custom App-ID signatures | 512 | 512 | 512 | 512 | 512 |
| Custom App-IDs (virtual system specific) | 6,416 | 6,416 | 6,416 | 6,416 | 6,416 |
| User-ID | |||||
| User-IP mappings (management plane) | 512,000 | 512,000 | 512,000 | 512,000 | 512,000 |
| User-IP mappings (data plane) | 128,000 | 128,000 | 256,000 | 256,000 | 256,000 |
| Active and unique groups used in policy | 640 | 640 | 640 | 640 | 640 |
| Number of agents | 100 | 100 | 100 | 100 | 100 |
| Monitored servers per agent | 100 | 100 | 100 | 100 | 100 |
| Maximum terminal services agents | 1,000 | 1,000 | 1,000 | 1,000 | 1,000 |
| SSL Decryption | |||||
| Max SSL inbound certificates | 100 | 300 | 1,000 | 4,000 | 4,000 |
| SSL certificate cache (forward proxy) | 1,024 | 1,024 | 1,024 | 1,024 | 1,024 |
| Max concurrent decryption sessions | 15,872 | 47,616 | 90,112 | 131,072 | 786,432 |
| URL Filtering | |||||
| Total entries for allow list, block list and custom categories | 25,000 | 50,000 | 100,000 | 200,000 | 200,000 |
| Max custom categories | 50 | 50 | 50 | 50 | 50 |
| Dataplane cache size for URL filtering | 40,000 | 100,000 | 100,000 | 100,000 | 100,000 |
| Management plane dynamic cache size | 1,000,000 | 1,000,000 | 1,000,000 | 1,000,000 | 1,000,000 |
| Interfaces | |||||
| 802.1q tags per device | 4,094 | 4,094 | 4,094 | 4,094 | 4,094 |
| 802.1q tags per physical interface | 4,094 | 4,094 | 4,094 | 4,094 | 4,094 |
| Max interfaces (logical and physical) | 2,048 | 4,096 | 4,096 | 4,096 | 4,096 |
| Maximum aggregate interfaces | 8 | 8 | 8 | 8 | 8 |
| Virtual Routers and Wires | |||||
| Virtual routers | 20 | 125 | 225 | 225 | 225 |
| Virtual wires | 1,024 | 2,048 | 2,048 | 2,048 | 2,048 |
| Virtual Systems | |||||
| Base virtual systems | 10 | 25 | 25 | 25 | 25 |
| Max virtual systems | 20 | 125 | 225 | 225 | 225 |
| Routing | |||||
| IPv4 forwarding table size | 32,000 | 32,000 | 32,000 | 32,000 | 32,000 |
| IPv6 forwarding table size | 32,000 | 32,000 | 32,000 | 32,000 | 32,000 |
| Max route maps per virtual router | 50 | 50 | 50 | 50 | 50 |
| Max routing peers (protocol dependent) | 500 | 500 | 500 | 500 | 500 |
| Static entries - DNS proxy | 1,024 | 1,024 | 1,024 | 1,024 | 1,024 |
| L2 Forwarding | |||||
| ARP table size per device | 20,000 | 32,000 | 32,000 | 32,000 | 32,000 |
| IPv6 neighbor table size | 20,000 | 32000 | 32000 | 32000 | 32000 |
| MAC table size per device | 20,000 | 32,000 | 32,000 | 32,000 | 32,000 |
| Max ARP entries per broadcast domain | 20,000 | 32,000 | 32,000 | 32,000 | 32,000 |
| Max MAC entries per broadcast domain | 20,000 | 32,000 | 32,000 | 32,000 | 32,000 |
| NAT | |||||
| Total NAT rule capacity | 6,000 | 8,000 | 16,000 | 16,000 | 16,000 |
| Max NAT rules (static) | 6,000 | 8,000 | 16,000 | 16,000 | 16,000 |
| Max NAT rules (DIP) | 4,000 | 8,000 | 16,000 | 16,000 | 16,000 |
| Max NAT rules (DIPP) | 800 | 2,000 | 4,000 | 4,000 | 4,000 |
| DIPP pool oversubscription | 8 | 8 | 8 | 8 | 8 |
| Address Assignment | |||||
| DHCP servers | 20 | 125 | 225 | 2,000 | 2,000 |
| Max number of assigned addresses | 64,000 | 64,000 | 64,000 | 640,000 | 640,000 |
| High Availability | |||||
| Devices per cluster | 2 | 2 | 2 | 2 | 2 |
| Max virtual addresses | 128 | 1,024 | 1,024 | 1,024 | 1,024 |
| QoS | |||||
| Number of QoS policies | 1,000 | 2,000 | 4,000 | 8,000 | 8,000 |
| Physical interfaces supporting QoS | 12 | 12 | 12 | 12 | 72 |
| Clear text nodes per physical interface | 64 | 64 | 64 | 64 | 64 |
| DSCP marking by policy | |||||
| Subinterfaces supported | NA | NA | NA | 2,048 | 2,048 |
| IPSec VPN | |||||
| Site to site and IKE with XAUTH tunnels (security associations) | 2,000 | 4,000 | 8,000 | 8,000 | 8,000 |
| Max IKE Peers | 1,000 | 1,000 | 1,000 | 1,000 | 1,000 |
| GlobalProtect Client VPN | |||||
| Max tunnels (SSL and IPSec) | 5,000 | 10,000 | 20,000 | 20,000 | 120,000 |
| Multicast | |||||
| Replication (egress interfaces) | 100 | 100 | 100 | 100 | 100 |
| Routes | 4,000 | 4,000 | 4,000 | 4,000 | 4,000 |
Virtualized Firewalls:
| VM-100 | VM-200 | VM-300 | VM-1000-HV | |
|---|---|---|---|---|
 |
|
|
 |
|
| Performance | ||||
| App-ID firewall throughput | 1 Gbps | 1 Gbps | 1 Gbps | 1 Gbps |
| Threat prevention throughput | 600 Mbps | 600 Mbps | 600 Mbps | 600 Mbps |
| IPSec VPN throughput | 250 Mbps | 250 Mbps | 250 Mbps | 250 Mbps |
| Connections per second | 8,000 | 8,000 | 8,000 | 8,000 |
| Sessions | ||||
| Max sessions (IPv4 or IPv6) | 50,000 | 100,000 | 250,000 | 250,000 |
| Policies | ||||
| Security rules | 250 | 2,000 | 5,000 | 10,000 |
| Security rule schedules | 256 | 256 | 256 | 256 |
| NAT rules | 125 | 1,000 | 1,000 | 1,000 |
| Decryption rules | 100 | 100 | 500 | 1,000 |
| App override rules | 100 | 100 | 500 | 1,000 |
| QoS rules | 100 | 100 | 1,000 | 1,000 |
| Policy based forwarding rules | 100 | 100 | 100 | 100 |
| Captive portal rules | 100 | 100 | 100 | 1,000 |
| DoS protection rules | 100 | 100 | 100 | 1,000 |
| Security Zones | ||||
| Max security zones | 10 | 20 | 40 | 40 |
| Objects (addresses and services) | ||||
| Address objects | 2,500 | 4,000 | 10,000 | 10,000 |
| Address groups | 125 | 250 | 1,000 | 1,000 |
| Members per address group | 500 | 500 | 500 | 500 |
| Service objects | 1,000 | 1,000 | 1,000 | 2,000 |
| Service groups | 250 | 250 | 250 | 500 |
| Members per service group | 500 | 500 | 500 | 500 |
| FQDN address objects | 1,000 | 1,000 | 1,000 | 1,000 |
| Max IP addresses registered per system | 1,000 | 1,000 | 1,000 | 100,000 |
| Security Profiles | ||||
| Security profiles | 25 | 50 | 250 | 250 |
| App-ID | ||||
| Custom App-ID signatures | 6,000 | 6,000 | 6,000 | 6,000 |
| Shared custom App-ID signatures | 512 | 512 | 512 | 512 |
| Custom App-IDs (virtual system specific) | 6,416 | 6,416 | 6,416 | 6,416 |
| User-ID | ||||
| User-IP mappings (management plane) | 512,000 | 512,000 | 512,000 | 512,000 |
| User-IP mappings (data plane) | 64000 | 64000 | 64000 | 64000 |
| Active and unique groups used in policy | 640 | 640 | 640 | 640 |
| Number of agents | 100 | 100 | 100 | 100 |
| Monitored servers per agent | 100 | 100 | 100 | 100 |
| Maximum terminal services agents | 400 | 400 | 400 | 400 |
| SSL Decryption | ||||
| Max SSL inbound certificates | 25 | 25 | 25 | 1,000 |
| SSL certificate cache (forward proxy) | 128 | 128 | 128 | 256 |
| Max concurrent decryption sessions | 1,024 | 1,024 | 1,024 | 12,500 |
| URL Filtering | ||||
| Total entries for allow list, block list and custom categories | 25,000 | 25,000 | 25,000 | 25,000 |
| Max custom categories | 50 | 50 | 50 | 50 |
| Dataplane cache size for URL filtering | 10,000 | 10,000 | 10,000 | 10,000 |
| Management plane dynamic cache size | 1,000,000 | 1,000,000 | 1,000,000 | 1,000,000 |
| Interfaces | ||||
| 802.1q tags per device | 4,094 | 4,094 | 4,094 | 4,094 |
| 802.1q tags per physical interface | 4,094 | 4,094 | 4,094 | 4,094 |
| Max interfaces (logical and physical) | 100 | 100 | 2,000 | 2,000 |
| Maximum aggregate interfaces | NA | NA | NA | NA |
| Virtual Routers and Wires | ||||
| Virtual routers | 3 | 3 | 3 | 3 |
| Virtual wires | 50 | 250 | 250 | 1,000 |
| Virtual Systems | ||||
| Base virtual systems | 1 | 1 | 1 | 1 |
| Max virtual systems | NA | NA | NA | NA |
| Routing | ||||
| IPv4 forwarding table size | 1,000 | 1,250 | 5,000 | 5,000 |
| IPv6 forwarding table size | 1,000 | 1,250 | 5,000 | 5,000 |
| Max route maps per virtual router | 50 | 50 | 50 | 50 |
| Max routing peers (protocol dependent) | 500 | 500 | 500 | 500 |
| Static entries - DNS proxy | 1,024 | 1,024 | 1,024 | 1,024 |
| L2 Forwarding | ||||
| ARP table size per device | 500 | 500 | 2,500 | 2,500 |
| IPv6 neighbor table size | 500 | 500 | 1,000 | 1,000 |
| MAC table size per device | 500 | 500 | 2,500 | 2,500 |
| Max ARP entries per broadcast domain | 500 | 500 | 2,500 | 2,500 |
| Max MAC entries per broadcast domain | 500 | 500 | 2,500 | 2,500 |
| NAT | ||||
| Total NAT rule capacity | 125 | 1,000 | 1,000 | 1,000 |
| Max NAT rules (static) | 125 | 1,000 | 1,000 | 1,000 |
| Max NAT rules (DIP) | 125 | 1,000 | 1,000 | 1,000 |
| Max NAT rules (DIPP) | 120 | 200 | 200 | 200 |
| DIPP pool oversubscription | 8 | 8 | 8 | 8 |
| Address Assignment | ||||
| DHCP servers | 3 | 3 | 3 | 3 |
| Max number of assigned addresses | 64,000 | 64,000 | 64,000 | 64,000 |
| High Availability | ||||
| Devices per cluster | 2 | 2 | 2 | 2 |
| Max virtual addresses | NA | NA | NA | NA |
| QoS | ||||
| Number of QoS policies | 100 | 100 | 1,000 | 1,000 |
| Physical interfaces supporting QoS | 4 | 6 | 6 | 6 |
| Clear text nodes per physical interface | 32 | 32 | 32 | 32 |
| DSCP marking by policy | ||||
| Subinterfaces supported | NA | NA | NA | NA |
| IPSec VPN | ||||
| Site to site and IKE with XAUTH tunnels (security associations) | 25 | 500 | 2,000 | 2,000 |
| Max IKE Peers | 25 | 500 | 1,000 | 1,000 |
| GlobalProtect Client VPN | ||||
| Max tunnels (SSL and IPSec) | 25 | 200 | 500 | 500 |
| Multicast | ||||
| Replication (egress interfaces) | 100 | 100 | 100 | 100 |
| Routes | 500 | 1,000 | 2,000 | 2,000 |