Palo Alto Networks Enterprise Firewall PA-7080

Model: PA-7080


Overview:

Redefining high-performance network security, the PA-7000 Series of next-generation firewall appliances offers the perfect blend of power, intelligence and simplicity. Power, derived from a proven architecture, blends ultra-efficient software with nearly 700 function-specific processors for networking, security, content inspection and management. Its intelligence maximizes security-processing resource utilization and automatically scales as new computing power becomes available. The PA-7000 Series offers simplicity defined by a single-system approach to management and licensing.

Key Security Features:

Classifies all applications, on all ports, all the time
  • Identifies the application, regardless of port, encryption (SSL or SSH), or evasive technique employed.
  • Uses the application, not the port, as the basis for all of your safe enablement policy decisions: allow, deny, schedule, inspect and apply traffic-shaping.
  • Categorizes unidentified applications for policy control, threat forensics or App-ID™ development.

Enforces security policies for any user, at any location
  • Deploys consistent policies to local and remote users running on the Windows®, MacOS™, Linux®, Android®, or Apple® iOS platforms.
  • Enables agentless integration with Microsoft® Active Directory® and Terminal Services, LDAP, Novell® eDirectory™ and Citrix®.
  • Easily integrates your firewall policies with 802.1X wireless, proxies, NAC solutions, and any other source of user identity information.

Prevents known and unknown threats
  • Blocks a range of known threats, including exploits, malware and spyware, across all ports, regardless of common threat-evasion tactics employed.
  • Limits the unauthorized transfer of files and sensitive data, and safely enables non-work-related web surfing.
  • Identifies unknown malware, analyzes it based on hundreds of malicious behaviors, and then automatically creates and delivers protection.

Measurement notes:
  • Threat prevention throughput is measured with App-ID, User-ID, IPS, antivirus, anti-spyware and Disable Server Response Inspection (DSRI) features enabled.
  • Throughput is measured with 64Kb HTTP transactions.
  • Connections per second is measured with 4Kb HTTP transactions.

| Performance and capacities | PA-7080 system | PA-7050 system | PA-7000 NPC | PA-7000 NPC-XM² |
|---|---|---|---|---|
| Firewall throughput (App-ID enabled) | 200 Gbps | 120 Gbps | 20 Gbps | 20 Gbps |
| Threat prevention throughput (DSRI Enabled) | 160 Gbps | 100 Gbps | 16 Gbps | 16 Gbps |
| Threat prevention throughput | 100 Gbps | 60 Gbps | 10 Gbps | 10 Gbps |
| IPsec VPN throughput | 80 Gbps | 48 Gbps | 8 Gbps | 8 Gbps |
| Max sessions | 80,000,000 | 48,000,000 | 4,000,000 | 8,000,000 |
| New sessions per second | 1,200,000 | 720,000 | 120,000 | 120,000 |
| Virtual systems (base/max¹) | 25/225* | 25/225* | - | - |

1 Adding virtual systems to the base quantity requires a separately purchased license.

2 Network processing card with enhanced session capacity.

The PA-7000 Series Architecture:

The PA-7000 Series is powered by a scalable architecture for the express purpose of applying the appropriate type and volume of processing power to the key functional tasks of networking, security, content inspection and management. The PA-7000 Series chassis intelligently distributes the computational processing demands of networking, security, threat prevention and management across three subsystems, each with massive amounts of computing power and dedicated memory:

  • Network Processing Card (NPC): The NPC is dedicated to executing all packet-processing tasks including networking, traffic classification and threat prevention. Each NPC has up to 67 processing cores, all focused on the singular task of protecting your network at up to 20 Gbps per NPC. Scaling the throughput and capacity to the maximum 200 Gbps on the PA-7080 or 120 Gbps on the PA-7050 is as easy as adding a new NPC and allowing the system to determine the best use of the newly added processing power. Addressing the increasing demand for higher density 10 Gig and 40 Gig connectivity, as well as the more common 10 Gbps and 1 Gbps interface alternatives, four NPC options are available and can be used interchangeably.
  • Switch Management Card (SMC): Acting as the control center of the PA-7000 Series, the SMC intelligently oversees all traffic and executes all management functions, using a combination of three elements: the First Packet Processor, a high-speed backplane, and the management subsystem.
    • First Packet Processor (FPP) is the key to maximizing performance and delivering linear scalability to the PA-7000 Series. The FPP constantly tracks the shared pool of available processing and I/O resources across all NPCs, intelligently directing inbound traffic to any underutilized processing. This means that, as NPCs are added to increase performance and capacity, no traffic management changes are required, nor is it necessary to re-cable or reconfigure your PA-7000 Series.
    • High-speed backplane operates at 1.2 Tbps, which means each of the network processing cards has access to approximately 100 Gbps of traffic capacity, ensuring that performance will scale in a linear manner as your requirements increase.
    • Management subsystem acts as a dedicated point of contact for controlling all aspects of the PA-7000 Series.
  • Log Processing Card (LPC): The LPC is a dedicated subsystem designed to perform the critical task of managing the high volume of logs generated by the PA-7000 Series. The LPC is unique to the PA-7000 Series and uses two high-speed, multi-core processors and 2 TB of RAID 1 storage to offload the logging-related activities without impacting the processing required for other management or traffic processing-related tasks. The LPC enables you to generate on-system queries and reports from the most recent logs collected or forward them to a syslog server for archiving or additional analysis.

The PA-7000 Series is managed as a single, unified system, which enables you to easily direct all of the available resources to the singular task of protecting your data. The controlling element of the PA-7000 Series is an ultra-efficient, single-pass classification engine that analyzes all traffic traversing the appliance to immediately determine three critical elements that become the heart of your security policy: the application identity, regardless of port; the content, malicious or otherwise; and the user identity. The benefits of determining the application, content and user in a single pass, and basing your security policy on those business relevant elements, are threefold. The first is an improvement in your security posture introduced by more directly mapping your security policies to key business initiatives. The second is a reduction in the administrative overhead associated with keeping security policies current in a highly dynamic environment. The third benefit is a reduction in latency brought on by the elimination of the redundant scanning and look-up tasks commonly found in alternative offerings. To help further simplify administrative effort, annual support and subscription fees for the PA-7000 Series are system-wide, which means that, no matter how many NPCs are installed, the annual fees are constant, providing you with a predictable, annual cost structure.

Features:

The PA-7000 Series supports a wide range of networking features that enable you to more easily integrate our security features into your existing network.

Networking Features

Interface Modes
  • L2, L3, Tap, Virtual Wire (transparent mode)
  • Point-to-Point Protocol over Ethernet (PPPoE) and DHCP supported for dynamic address assignment

IPsec VPN
  • Key Exchange: Manual key, IKEv1 and IKEv2 (pre-shared key, certificate-based authentication)
  • Encryption: 3DES, AES (128-bit, 192-bit, 256-bit)
  • Authentication: MD5, SHA-1, SHA-256, SHA-384, SHA-512
  • GlobalProtect large-scale VPN (LSVPN) for simplified configuration and management

Routing
  • OSPFv2/v3 with graceful restart, BGP with graceful restart, RIP, static routing
  • Policy-based forwarding
  • Multicast: PIM-SM, PIM-SSM, IGMP v1, v2, and v3
  • Bidirectional Forwarding Detection (BFD)

VLANs
  • 802.1q VLAN tags per device/per interface: 4,094/4,094
  • Aggregate interfaces (802.3ad)

IPv6
  • L2, L3, Tap, Virtual Wire (transparent mode)
  • Features: App-ID™, User-ID™, Content-ID™, WildFire™, and SSL decryption

Network Address Translation (NAT)
  • NAT modes (IPv4): static IP, dynamic IP, dynamic IP and port (port address translation)
  • NAT64, NPTv6
  • Additional NAT features: dynamic IP reservation, tunable dynamic IP and port oversubscription

High Availability
  • Modes: Active/Active, Active/Passive
  • Failure detection: Path monitoring, interface monitoring

Technical Specifications:

| Hardware Specifications | PA-7000 NPC | PA-7080 Full System | PA-7050 Full System |
|---|---|---|---|
| NPC Option 1 / NPC-XM Option 1¹ | (2) QSFP+, (12) SFP+ | (20) QSFP+, (120) SFP+ | (12) QSFP+, (72) SFP+ |
| NPC Option 2 / NPC-XM Option 2¹ | (12) 10/100/1000, (8) SFP, (4) SFP+ | (120) 10/100/1000, (80) SFP, (40) SFP+ | (72) 10/100/1000, (48) SFP, (24) SFP+ |
| Management I/O | - | (2) 10/100/1000, (2) QSFP+ high availability, (1) 10/100/1000 out-of-band management, (1) RJ45 console port | (2) 10/100/1000, (2) QSFP+ high availability, (1) 10/100/1000 out-of-band management, (1) RJ45 console port |
| Storage options | - | 80 GB SSD System Drive, 4x1 TB HDD on Log Processing Card | 80 GB SSD System Drive, 4x1 TB HDD on Log Processing Card |
| Storage capacity | - | 2 TB RAID1 | 2 TB RAID1 |
| AC input voltage (input Hz) | - | 90-305Vac (47 to 66 Hz) | 90-264Vac (47 to 63 Hz) |
| AC power supply output | - | 2500 Watts @ 240Vac, 1200 Watts @ 120Vac | 2500 Watts @ 240Vac, 1200 Watts @ 120Vac |
| DC input voltage | - | -36 to -75Vdc | -40 to -72Vdc |
| DC power output | - | 2500 watts / power supply | 2500 watts / power supply |
| Max current / power supply | - | 12Adc @ 240Vac In, 75Adc @ >40Vdc In | 16A @ 180Vac In, 75A @ 37.5Vdc In |
| Power supplies (base/max) | - | 4/8 | 4/4 |
| Max inrush current / power supply | - | 30Aac / 100Adc peak | 50Aac / 75Adc peak |
| Max BTU/hr | - | 20,132 | 10,236 |
| Rack mountable (dimensions) | - | 19U, 19” standard rack (32.22”H x 19”W x 24.66”D) | 9U, 19” standard rack (15.75”H x 19”W x 24”D) |
| Weight (stand-alone device/as shipped) | - | 299.3 lbs. AC / 298.3 lbs. DC | 187.4 lbs. AC / 185 lbs. DC |
| Safety | - | cTUVus, cCSAus, CB | cTUVus, cCSAus, CB |
| EMI | - | FCC Class A, CE Class A, VCCI Class A | FCC Class A, CE Class A, VCCI Class A |
| Certifications | - | NEBS Level 3 | NEBS Level 3 |
| Environment: operating temperature | - | 32° to 122° F, 0° to 50° C | 32° to 122° F, 0° to 50° C |
| Environment: non-operating temperature | - | -4° to 158° F, -20° to 70° C | -4° to 158° F, -20° to 70° C |

Mean time between failure (MTBF): Configuration dependent; contact your Palo Alto Networks representative for MTBF details.

1 Network processing card supporting enhanced session table capacity up to 8 million sessions.
