PALO ALTO NETWORKS: PA-2000 Series Specsheet

PA-2000 Series

The PA-2000 Series is a next-generation firewall that delivers unprecedented visibility and control over applications, users and content on enterprise networks.

[Product images: PA-2020, PA-2050]

The Palo Alto Networks™ PA-2000 Series is comprised of two high performance platforms, the PA-2020 and the PA-2050, both of which are targeted at high speed Internet gateway deployments. The PA-2000 Series manages network traffic flows using dedicated processing and memory for networking, security, threat prevention and management.

A high speed backplane smoothes the pathway between dedicated processors, and the separation of data and control plane ensures that management access is always available, irrespective of the traffic load. Interface density for the PA-2020 and the PA-2050 is unmatched with up to 20 traffic interfaces and dedicated out-of-band management interfaces.

The controlling element of the PA-2000 Series next-generation firewalls is PAN-OS™, a security-specific operating system that tightly integrates three unique identification technologies: App-ID™, User-ID and Content-ID, with key firewall, networking, VPN and management features.

APPLICATION IDENTIFICATION:
• Identifies more than 950 applications irrespective of port, protocol, SSL encryption or evasive tactic employed.
• Enables positive enforcement application usage policies: allow, deny, schedule, inspect, apply traffic shaping.
• Graphical visibility tools enable simple and intuitive view into application traffic.

USER IDENTIFICATION:
• Policy-based visibility and control over who is using the applications through seamless integration with Active Directory, LDAP, and eDirectory.
• Identifies Citrix and Microsoft Terminal Services users, enabling visibility and control over their respective application usage.
• Control non-Windows hosts via web-based authentication.

CONTENT IDENTIFICATION:
• Block viruses, spyware, and vulnerability exploits, limit unauthorized transfer of files and sensitive data such as CC# or SSN, and control non-work related web surfing.
• Single pass software architecture enables multi-gigabit throughput with low latency while scanning content.

KEY PERFORMANCE SPECIFICATIONS    PA-2020     PA-2050
Firewall throughput               500 Mbps    1 Gbps
Threat prevention throughput      200 Mbps    500 Mbps
IPSec VPN throughput              200 Mbps    300 Mbps
IPSec VPN tunnels/interfaces      1,000       2,000
SSL VPN concurrent users          500         1,000
New sessions per second           15,000      15,000
Max sessions                      125,000     250,000

For a complete description of the PA-2000 Series feature set, please visit www.paloaltonetworks.com/literature.
Additional PA-2000 Series Specifications and Features
APP-ID
• Identifies and controls more than 950 applications
• SSL decryption (inbound and outbound)
• Customize application properties
• Custom HTTP and SSL applications

FIREWALL
• Policy-based control by application, application category, subcategory, technology, risk factor or characteristic
• Application function control
• Fragmented packet protection
• Reconnaissance scan protection
• Denial of Service (DoS)/Distributed Denial of Services (DDoS) protection
• Maximum number of policies: (PA-2020) 2,500 (PA-2050) 5,000

USER-ID
• Visibility and control by user, group and IP address
• Active Directory, LDAP, eDirectory, Citrix and Microsoft Terminal Services
• XML API (external user repository integration)
• WMI and NetBios polling
• Maximum concurrent user/IP mappings: 64,000

DATA FILTERING
• Control unauthorized data transfer (social security numbers, credit card numbers, custom data patterns)
• Control unauthorized transfer of more than 50 file types

URL FILTERING (SUBSCRIPTION REQUIRED)
• 76-category, 20M URL on-box database
• Custom 1M URL cache database (from 180M URL database)
• Custom block pages and URL categories

IPSEC VPN (SITE-TO-SITE)
• Manual key, IKE v1
• 3DES, AES (128-bit, 192-bit, 256-bit) encryption
• SHA1, MD5 authentication

SSL VPN (REMOTE ACCESS)
• IPSec transport with SSL fall-back
• Enforce unique policies for SSL VPN traffic
• Enable/disable split tunneling to control client access
• LDAP, SecurID, or local DB authentication
• Client OS: Windows XP, Windows Vista (32 and 64 bit), Windows 7 (32 and 64 bit)

HIGH AVAILABILITY
• Active/Passive failover
• Configuration and session synchronization
• Heartbeat checking
• Link and path failure monitoring

NETWORKING
• Dynamic routing (BGP, OSPF and RIPv2)
• Tap mode, virtual wire, layer 2, layer 3
• Network address translation (NAT)
  - Source and destination address translation
  - Dynamic IP and port pool: 254
  - Dynamic IP pool: 16,234
• DHCP server/ DHCP relay: Up to 3 servers
• 802.1Q VLANs: 4,094
• Policy-based forwarding
• Point-to-Point Protocol over Ethernet (PPPoE)
• IPv6 application visibility, control and full content inspection (Virtual wire mode only)
• Virtual routers: 10
• Security zones: 40
• Virtual systems (base/max): 1/6*

THREAT PREVENTION (SUBSCRIPTION REQUIRED)
• Detect and block application vulnerability exploits (IPS)
• Stream-based protection against viruses, spyware and worms
• HTML/Javascript virus protection
• Inspect compressed files that use the Deflate algorithm (Zip, Gzip, etc)
• Custom vulnerability and spyware phone home signatures
• Content updates: daily (malware), weekly (vulnerability signatures), emergency (all)

QUALITY OF SERVICE (QOS)
• Policy-based traffic shaping by application, user, source, destination, interface, IPSec VPN tunnel and more
• 8 traffic classes with guaranteed, maximum and priority bandwidth parameters
• Real-time bandwidth monitor
• Per policy diffserv marking

MANAGEMENT TOOLS
• Integrated web interface
• Command line interface (CLI)
• Role-based administration
• Syslog and SNMPv2
• Customizable administrator login banner
• XML-based REST API
• Centralized management (Panorama)
• Centrally manage PAN-OS and content updates (Panorama)
• Shared policies (Panorama)

VISIBILITY AND REPORTING TOOLS
• Graphical summary of applications, URL categories, threats and data (ACC)
• View, filter, export traffic, threat, URL, and data filtering logs
• Fully customizable reporting
• Trace session tool

* Adding virtual systems to the base quantity requires a separately purchased license.