Pa 220


PA-220

Palo Alto Networks PA-220 brings ML-Powered Next-Generation Firewall capabilities to distributed enterprise branch offices, retail locations, and midsize businesses.

Highlights
• World’s first ML-Powered NGFW
• Eight-time Leader in the Gartner Magic Quadrant® for Network Firewalls
• Leader in The Forrester Wave™: Enterprise Firewalls, Q3 2020
• Highest Security Effectiveness score in the 2019 NSS Labs NGFW Test Report, with 100% of evasions blocked
• Extends visibility and security to all devices, including unmanaged IoT devices, without the need to deploy additional sensors
• Supports high availability with active/active and active/passive modes
• Delivers predictable performance with security services
• Features a silent, fanless design with an optional redundant power supply for branch and home offices
• Simplifies deployment of large numbers of firewalls with optional Zero Touch Provisioning (ZTP)

The world’s first ML-Powered NGFW enables you to prevent unknown threats, see and secure everything—including IoT—and reduce errors with automatic policy recommendations.

Strata by Palo Alto Networks | PA-220 | Datasheet 1


The controlling element of the PA-220 is PAN-OS®, the same software that runs all Palo Alto Networks Next-Generation Firewalls. PAN-OS natively classifies all traffic, inclusive of applications, threats, and content, and then ties that traffic to the user regardless of location or device type. The application, content, and user—in other words, the elements that run your business—then serve as the basis of your security policies, resulting in improved security posture and reduced incident response times.

Key Security and Connectivity Features

ML-Powered Next Generation Firewall
• Embeds machine learning (ML) in the core of the firewall to provide inline signatureless attack prevention for file-based attacks while identifying and immediately stopping never-before-seen phishing attempts.
• Leverages cloud-based ML processes to push zero-delay signatures and instructions back to the NGFW.
• Uses behavioral analysis to detect internet of things (IoT) devices and make policy recommendations; cloud-delivered and natively integrated service on the NGFW.
• Automates policy recommendations that save time and reduce the chance of human error.

Identifies and categorizes all applications, on all ports, all the time, with full Layer 7 inspection
• Identifies the applications traversing your network irrespective of port, protocol, evasive techniques, or encryption (TLS/SSL).
• Uses the application, not the port, as the basis for all your safe enablement policy decisions: allow, deny, schedule, inspect, and apply traffic-shaping.
• Offers the ability to create custom App-IDs for proprietary applications or request App-ID development for new applications from Palo Alto Networks.
• Identifies all payload data within the application, such as files and data patterns, to block malicious files and thwart data exfiltration attempts.
• Creates standard and customized application usage reports, including software-as-a-service (SaaS) reports that provide insight into all SaaS traffic—sanctioned and unsanctioned—on your network.
• Enables safe migration of legacy Layer 4 rule sets to App-ID-based rules with built-in Policy Optimizer, giving you a rule set that is more secure and easier to manage.

Enforces security for users at any location, on any device, while adapting policy in response to user activity
• Enables visibility, security policies, reporting, and forensics based on users and groups—not just IP addresses.
• Easily integrates with a wide range of repositories to leverage user information: wireless LAN controllers, VPNs, directory servers, SIEMs, proxies, and more.
• Allows you to define Dynamic User Groups (DUGs) on the firewall to take time-bound security actions without waiting for changes to be applied to user directories.
• Applies consistent policies irrespective of users’ locations (office, home, travel, etc.) and devices (iOS and Android® mobile devices, macOS®, Windows®, Linux desktops, laptops; Citrix and Microsoft VDI and Terminal Servers).
• Prevents corporate credentials from leaking to third-party websites, and prevents reuse of stolen credentials by enabling multi-factor authentication (MFA) at the network layer for any application, without any application changes.
• Provides dynamic security actions based on user behavior to restrict suspicious or malicious users.

Prevents malicious activity concealed in encrypted traffic
• Inspects and applies policy to TLS/SSL-encrypted traffic, both inbound and outbound, including for traffic that uses TLS 1.3 and HTTP/2.
• Offers rich visibility into TLS traffic, such as amount of encrypted traffic, TLS/SSL versions, cipher suites, and more, without decrypting.
• Enables control over use of legacy TLS protocols, insecure ciphers, and incorrectly configured certs to mitigate risks.
• Facilitates easy deployment of decryption and lets you use built-in logs to troubleshoot issues, such as applications with pinned certs.
• Lets you enable or disable decryption flexibly based on URL category and source and destination zone, address, user, user group, device, and port, for privacy and regulatory compliance purposes.
• Allows you to create a copy of decrypted traffic from the firewall (i.e., decryption mirroring) and send it to traffic collection tools for forensics, historical purposes, or data loss prevention (DLP).

Extends native protection across all attack vectors with cloud-delivered security subscriptions
• Threat Prevention—inspects all traffic to automatically block known vulnerabilities, malware, vulnerability exploits, spyware, command and control (C2), and custom intrusion prevention system (IPS) signatures.
• WildFire® malware prevention—unifies inline machine learning protection with robust cloud-based analysis to instantly prevent new threats in real time as well as discover and remediate evasive threats faster than ever.
• URL Filtering—prevents access to malicious sites and protects users against web-based threats, including credential phishing attacks.
• DNS Security—detects and blocks known and unknown threats over DNS (including data exfiltration via DNS tunneling), prevents attackers from bypassing security measures, and eliminates the need for independent tools or changes to DNS routing.
• IoT Security—discovers all unmanaged devices in your network quickly and accurately with ML, without the need to deploy additional sensors. Identifies risks and vulnerabilities, prevents known and unknown threats, provides risk-based policy recommendations, and automates enforcement.



Delivers a unique approach to packet processing with Single-Pass Architecture
• Performs networking, policy lookup, application and decoding, and signature matching—for any and all threats and content—in a single pass. This significantly reduces the amount of processing overhead required to perform multiple functions in one security device.
• Enables consistent and predictable performance when security subscriptions are enabled.
• Avoids introducing latency by scanning traffic for all signatures in a single pass, using stream-based, uniform signature matching.

Enables SD-WAN functionality
• Allows you to easily adopt SD-WAN by simply enabling it on your existing firewalls.
• Enables you to safely implement SD-WAN, which is natively integrated with our industry-leading security.
• Delivers an exceptional end user experience by minimizing latency, jitter, and packet loss.

Table 1: PA-220 Performance and Capacities¹

Firewall throughput (HTTP/appmix)²: 575/540 Mbps
Threat Prevention throughput (HTTP/appmix)³: 275/320 Mbps
IPsec VPN throughput⁴: 540 Mbps
Max sessions: 64,000
New sessions per second⁵: 4,300

1. Results were measured on PAN-OS 10.0.
2. Firewall throughput is measured with App-ID and logging enabled, using 64 KB HTTP/appmix transactions.
3. Threat Prevention throughput is measured with App-ID, IPS, antivirus, anti-spyware, WildFire, file blocking, and logging enabled, utilizing 64 KB HTTP/appmix transactions.
4. IPsec VPN throughput is measured with 64 KB HTTP transactions and logging enabled.
5. New sessions per second is measured with application-override utilizing 1 byte HTTP transactions.

The PA-220 supports a wide range of networking features that enable you to more easily integrate our security features into your existing network.

Table 2: PA-220 Networking Features

Interface Modes
• L2, L3, tap, virtual wire (transparent mode)

Routing
• OSPFv2/v3 with graceful restart, BGP with graceful restart, RIP, static routing
• Policy-based forwarding
• Point-to-Point Protocol over Ethernet (PPPoE)
• Multicast: PIM-SM, PIM-SSM, IGMP v1, v2, and v3

SD-WAN
• Path quality measurement (jitter, packet loss, latency)
• Initial path selection (PBF)
• Dynamic path change

IPv6
• L2, L3, tap, virtual wire (transparent mode)
• Features: App-ID, User-ID, Content-ID, WildFire, and SSL Decryption
• SLAAC

IPsec VPN
• Key exchange: manual key, IKEv1, and IKEv2 (pre-shared key, certificate-based authentication)
• Encryption: 3DES, AES (128-bit, 192-bit, 256-bit)
• Authentication: MD5, SHA-1, SHA-256, SHA-384, SHA-512

VLANs
• 802.1Q VLAN tags per device/per interface: 4,094/4,094

Network Address Translation
• NAT modes (IPv4): static IP, dynamic IP, dynamic IP and port (port address translation)
• NAT64, NPTv6
• Additional NAT features: dynamic IP reservation, tunable dynamic IP and port oversubscription

High Availability
• Modes: active/active, active/passive
• Failure detection: path monitoring, interface monitoring

Zero Touch Provisioning (ZTP)
• Available with -ZTP SKUs (PA-220-ZTP)
• Requires Panorama 9.1.3 or higher



Table 3: PA-220 Hardware Specifications

I/O
• 10/100/1000 (8)

Management I/O
• 10/100/1000 out-of-band management port (1)
• RJ-45 console port (1)
• USB port (1)
• Micro USB console port (1)

Storage Capacity
• 32 GB eMMC

Power Supply (Avg/Max Power Consumption)
• Optional: dual redundant 40 W (21 W / 25 W)

102

Input Voltage (Input Frequency)
• 100–240 VAC (50–60Hz)

Max Current Consumption
• Firewall: 1.75 A @ 12 VDC
• Power supply (AC side): 1.5A

Dimensions
• 1.62” H x 6.29” D x 8.07” W

Weight (Standalone Device/As Shipped)
• 3.0 lbs / 5.4 lbs

Safety
• cTUVus, CB

EMI
• FCC Class B, CE Class B, VCCI Class B

Certifications
• See paloaltonetworks.com/company/certifications.html

Environment
• Operating temperature: 32° to 104° F, 0° to 40° C
• Non-operating temperature: -4° to 158° F, -20° to 70° C
• Passive cooling

To learn more about the features and associated capacities of the PA-220, please visit paloaltonetworks.com/network-security/next-generation-firewall/pa-220.

3000 Tannery Way
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

© 2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. pa-220-ds-092920
