PA-220

Palo Alto Networks PA-220 brings

ML-Powered Next-Generation Firewall
capabilities to distributed enterprise
branch offices, ­retail locations, and
Highlights midsize businesses.
• High availability with active/active
and active/passive modes
• Redundant power input for
increased reliability
• Fanless design
• Simplified deployments of large PA-220
numbers of firewalls through USB

The controlling element of the PA-220 is PAN-OS®, which

natively classifies all traffic, inclusive of applications,
threats, and content, and then ties that traffic to the user
regardless of location or device type. The application,
content, and user—in other words, the elements that run
your business—then serve as the basis of your security
policies, resulting in improved security posture and reduced
incident response time.

Strata by Palo Alto Networks | PA-220 | Datasheet 1

Key Security and Connectivity Extends native protection across all attack vectors
with cloud-delivered security subscriptions
­Features • Threat Prevention—inspects all traffic to automatically
Classifies all applications, on all ports, all the time block known vulnerabilities, malware, vulnerability exploits,
• Identifies the application, regardless of port, SSL/SSH spyware, command and control (C2), and custom intrusion
­encryption, or evasive technique employed. prevention system (IPS) signatures.

• Uses the application, not the port, as the basis for all your • WildFire® malware prevention—protects against unknown
safe enablement policy decisions: allow, deny, schedule, file-based threats, delivering automated prevention in
inspect, and apply traffic-shaping. ­seconds for most new threats across networks, endpoints,
and clouds.
• Categorizes unidentified applications for policy control,
threat forensics, or App-ID™ technology development. • URL Filtering—prevents access to malicious sites and
protects users against web-based threats.
­
• Provides full visibility into the details of all TLS-encrypted
connections and stops threats hidden in encrypted traffic, • DNS Security—detects and blocks known and unknown
including traffic that uses TLS 1.3 and HTTP/2 protocols. threats over DNS while predictive analytics disrupt attacks
using DNS for C2 or data theft.
Enforces security policies for any user, at any • IoT Security—discovers all unmanaged devices in your
location network, identifies risks and vulnerabilities, and automates
• Deploys consistent policies to local and remote users ­enforcement policies for your ML-Powered NGFW using a
running on the Windows®, ­macOS®, Linux, Android®, or new Device-ID™ policy construct.
Apple iOS ­platforms.
Enables SD-WAN functionality
• Enables agentless integration with M
­ icrosoft Active Direc-
tory® and Terminal Services, LDAP, Novell ­eDirectory™, and • Allows you to easily adopt SD-WAN by simply enabling it
Citrix. on your existing firewalls.

• Easily integrates your firewall policies with 802.1X wire- • Enables you to safely implement SD-WAN, which is n
­ atively
less, proxies, network access control, and any other source integrated with our industry-leading security.
of user identity information. • Delivers an exceptional end user experience by minimizing
latency, jitter, and packet loss.

Table 1: PA-220 Performance and Capacities1 Table 2: PA-220 Networking Features

575/540 Interface Modes

Firewall throughput (HTTP/appmix)2
Mbps
L2, L3, tap, virtual wire (transparent mode)
Threat Prevention throughput (HTTP/ 275/320 Routing
appmix)3 Mbps
OSPFv2/v3 with graceful restart, BGP with graceful restart,
IPsec VPN throughput4 540 Mbps RIP, static routing
Max sessions 64,000 Policy-based forwarding
New sessions per second5 4,300 Point-to-Point Protocol over Ethernet (PPPoE)

1. Results were measured on PAN-OS 10.0. Multicast: PIM-SM, PIM-SSM, IGMP v1, v2, and v3
2.  Firewall throughput is measured with App-ID and logging enabled, using 64
KB HTTP/appmix transactions.
SD-WAN
3. Threat Prevention throughput is measured with App-ID, IPS, antivirus, anti- Path quality measurement (jitter, packet loss, latency)
spyware, WildFire, file blocking, and logging enabled, utilizing 64 KB HTTP/
appmix transactions.
Initial path selection (PBF)
4. IPsec VPN throughput is measured with 64 KB HTTP transactions and logging
enabled. Dynamic path change
5. New sessions per second is measured with application-override utilizing 1 byte
HTTP transactions. IPv6
L2, L3, tap, virtual wire (transparent mode)
The PA-220 supports a wide range of networking features
that enable you to more easily integrate our security features Features: App-ID, User-ID, Content-ID, WildFire,
into your existing network. and SSL Decryption
SLAAC
IPsec VPN
Key exchange: manual key, IKEv1, and IKEv2
(pre-shared key, ­certificate-based authentication)
Encryption: 3DES, AES (128-bit, 192-bit, 256-bit)
Authentication: MD5, SHA-1, SHA-256, SHA-384, SHA-512

Strata by Palo Alto Networks | PA-220 | Datasheet 2

 Table 2: PA-220 Networking Features (continued) Table 3: PA-220 Hardware Specifications (continued)
VLANs Max BTU/hr
802.1Q VLAN tags per device/per interface: 4,094/4,094 102
Network Address Translation Input Voltage (Input Frequency)
NAT modes (IPv4): static IP, dynamic IP, dynamic IP and port 100–240 VAC (50–60Hz)
(port address translation)
Max Current Consumption
NAT64, NPTv6
Firewall: 1.75 A @ 12 VDC
Additional NAT features: dynamic IP reservation, tunable
Power supply (AC side): 1.5A
dynamic IP and port oversubscription
High Availability Dimensions

Modes: active/active, active/passive 1.62” H x 6.29” D x 8.07” W

Failure detection: path monitoring, interface monitoring Weight (Standalone Device/As Shipped)
Zero Touch Provisioning (ZTP) 3.0 lbs / 5.4 lbs
Available with -ZTP SKUs (PA-220-ZTP) Safety
Requires Panorama 9.1.3 or higher cTUVus, CB
EMI
Table 3: PA-220 Hardware Specifications FCC Class B, CE Class B, VCCI Class B
I/O Certifications
10/100/1000 (8) See [Link]/company/[Link]
Management I/O Environment
10/100/1000 out-of-band management port (1) Operating temperature: 32° to 104° F, 0° to 40° C
RJ-45 console port (1) Non-operating temperature: -4° to 158° F, -20° to 70° C
USB port (1) Passive cooling
Micro USB console port (1)
Storage Capacity
32 GB eMMC To learn more about the features and associated capacities
of the PA-220, please visit [Link]/network-
Power Supply (Avg/Max Power Consumption)
security/next-generation-firewall/pa-220.
Optional: dual redundant 40 W (21 W / 25 W)

3000 Tannery Way © 2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered
Santa Clara, CA 95054 ­trademark of Palo Alto Networks. A list of our trademarks can be found at
[Link] All other
Main: +1.408.753.4000 marks mentioned herein may be trademarks of their respective companies.
Sales: +1.866.320.4788 pa-220-ds-071020
Support: +1.866.898.9087

[Link]