Highlights

PA-800 Series
• World’s first ML-Powered NGFW
• Eight-time Leader in the Gartner Magic
Quadrant® for Network Firewalls
• Leader in The Forrester Wave™: Palo Alto Networks PA-800 Series
Enterprise Firewalls, Q3 2020 ML-Powered NGFWs, comprising the
• Highest Security Effectiveness
score in the 2019 NSS Labs NGFW
­PA-850 and PA-820, are designed
Test Report, with 100% of evasions to provide secure connectivity for
blocked
­organizations’ branch offices as well
• Extends visibility and security to all
devices, including unmanaged IoT
as midsize businesses.
devices, without the need to deploy
additional sensors
• Supports high availability with active/
active and active/passive modes
• Delivers predictable performance with
security services
• Simplifies deployment of large PA-850
numbers of firewalls with optional
Zero Touch Provisioning (ZTP)

Strata by Palo Alto Networks | PA-800 Series | Datasheet 1

The controlling element of the PA-800 Series is PAN-OS®,
the same software that runs all Palo Alto Networks Next-­
Generation Firewalls. PAN-OS natively classifies all traffic,
inclusive of applications, threats, and content, and then ties
that traffic to the user regardless of location or device type.
The application, content, and user—in other words, the ele-
ments that run your business—then serve as the basis of your
security policies, resulting in improved security posture and
reduced incident response time.
Key Security and Connectivity
Features
ML-Powered Next-Generation Firewall
• Embeds machine learning (ML) in the core of the firewall
to provide inline signatureless attack prevention for file-
based attacks while identifying and immediately stopping
never-before-seen phishing attempts.
• Leverages cloud-based ML processes to push zero-delay
signatures and instructions back to the NGFW.
• Uses behavioral analysis to detect internet of things
(IoT) devices and make policy recommendations; cloud-­
delivered and natively ­integrated service on the NGFW.
• Automates policy recommendations that save time and
­reduce the chance of human error.
Identifies and categorizes all applications, on all
ports, all the time, with full Layer 7 inspection
• Identifies the applications traversing your network
­irrespective of port, protocol, evasive techniques, or en-
cryption (TLS/SSL).
• Uses the application, not the port, as the basis for all your
safe enablement policy decisions: allow, deny, schedule,
inspect, and apply traffic-shaping.
• Offers the ability to create custom App-IDs for proprietary
applications or request App-ID development for new appli-
cations from Palo Alto Networks.
• Identifies all payload data within the application, such as
files and data patterns, to block malicious files and thwart
data exfiltration attempts.
• Creates standard and customized application usage re-
ports, including software-as-a-service (SaaS) reports
that provide insight into all SaaS traffic—sanctioned and
­unsanctioned—on your network.
• Enables safe migration of legacy Layer 4 rule sets to
­App-ID-based rules with built-in Policy Optimizer, giving
you a rule set that is more secure and easier to manage.
Enforces security for users at any location, on
any device, while adapting policy in response
to user activity
• Enables visibility, security policies, reporting, and forensics
based on users and groups—not just IP addresses.
• Easily integrates with a wide range of repositories to lever-
age user information: wireless LAN controllers, VPNs,
­directory servers, SIEMs, proxies, and more.
• Allows you to define Dynamic User Groups (DUGs) on the
firewall to take time-bound security actions without wait-
ing for changes to be applied to user directories.
Strata by Palo Alto Networks | PA-800 Series | Datasheet
• Applies consistent policies irrespective of users’ locations
(office, home, travel, etc.) and devices (iOS and Android®
mobile devices, macOS®, Windows®, Linux desktops, lap-
tops; Citrix and Microsoft VDI and Terminal Servers).
• Prevents corporate credentials from leaking to third-party
websites, and prevents reuse of stolen credentials by enabling
multi-factor authentication (MFA) at the network layer for
any application, without any application changes.
• Provides dynamic security actions based on user behavior
to restrict suspicious or malicious users.
Prevents malicious activity concealed in
­encrypted traffic
• Inspects and applies policy to TLS/SSL-encrypted traffic,
both inbound and outbound, including for traffic that uses
TLS 1.3 and HTTP/2.
• Offers rich visibility into TLS traffic, such as amount of
encrypted traffic, TLS/SSL versions, cipher suites, and
more, without decrypting.
• Enables control over use of legacy TLS protocols, insecure
ciphers, and incorrectly configured certs to mitigate risks.
• Facilitates easy deployment of decryption and lets you use
built-in logs to troubleshoot issues, such as applications
with pinned certs.
• Lets you enable or disable decryption flexibly based on
URL category and source and destination zone, address,
user, user group, device, and port, for privacy and regula-
tory compliance purposes.
• Allows you to create a copy of decrypted traffic from the
firewall (i.e., decryption mirroring) and send it to traffic
collection tools for forensics, historical purposes, or data
loss prevention (DLP).
Extends native protection across all ­attack v
­ ectors
with cloud-delivered security subscriptions
• Threat Prevention—inspects all traffic to automatically
block known vulnerabilities, malware, vulnerability exploits,
spyware, command and control (C2), and custom intrusion
prevention system (IPS) signatures.
• WildFire® malware prevention—unifies inline machine
learning protection with robust cloud-based analysis to
instantly prevent new threats in real time as well as dis-
cover and remediate evasive threats faster than ever.
• URL Filtering—prevents access to malicious sites and
protects users against web-based threats, including
­credential phishing attacks.
• DNS Security—detects and blocks known and unknown
threats over DNS (including data exfiltration via DNS tun­
neling), prevents attackers from bypassing security mea-
sures, and eliminates the need for independent tools or
changes to DNS routing.
• IoT Security—discovers all unmanaged devices in your
network quickly and accurately with ML, without the need
to deploy additional sensors. Identifies risks and vul-
nerabilities, prevents known and unknown threats, pro-
vides risk-based policy recommendations, and automates
­enforcement.
2
Delivers a unique approach to packet processing Enables SD-WAN functionality
with Single-Pass Architecture • Allows you to easily adopt SD-WAN by simply enabling it on
• Performs networking, policy lookup, application and your existing firewalls.
­decoding, and signature matching—for any and all threats • Enables you to safely implement SD-WAN, which is natively
and content—in a single pass. This significantly reduces integrated with our industry-leading security.
the amount of processing overhead required to perform
• Delivers an exceptional end user experience by minimizing
multiple functions in one security device.
latency, jitter, and packet loss.
• Enables consistent and predictable performance when
­security subscriptions are enabled.
• Avoids introducing latency by scanning traffic for all
­signatures in a single pass, using stream-based, uniform
signature matching.

Table 1: PA-800 Series Performance and Capacities* Table 2: PA-800 Series Networking Features (cont.)
PA-850 PA-820 IPv6

Firewall throughput L2, L3, tap, virtual wire (transparent mode)

2.1/2.1 Gbps 1.8/1.6 Gbps
(HTTP/appmix)† Features: App-ID, User-ID, Content-ID, WildFire, and SSL
Threat Prevention 850/900 Decryption
1.0/1.2 Gbps
throughput (HTTP/appmix)‡ Mbps SLAAC
IPsec VPN throughput§ 1.6 Gbps 1.3 Gbps IPsec VPN
New sessions per second|| 13,000 8,600 Key exchange: manual key, IKEv1, and IKEv2 (pre-shared
Max sessions 192,000 128,000 key, certificate-based authentication)
Encryption: 3DES, AES (128-bit, 192-bit, 256-bit)
* Results were measured on PAN-OS 10.0.
† Firewall throughput is measured with App-ID and logging enabled, using 64 KB Authentication: MD5, SHA-1, SHA-256, SHA-384, SHA-512
HTTP/appmix transactions.
‡ Threat Prevention throughput is measured with App-ID, IPS, ­antivirus, antispyware,
VLANs
WildFire, file blocking, and logging enabled, utilizing 64 KB HTTP/appmix transactions.
802.1Q VLAN tags per device/per interface: 4,094/4,094
§ IPsec VPN throughput is measured with 64 KB HTTP transactions and logging
­enabled.
Aggregate interfaces (802.3ad), LACP
|| New sessions per second is measured with application override ­utilizing 1 byte
HTTP transactions. Network Address Translation
NAT modes (IPv4): static IP, dynamic IP, dynamic IP and port
PA-800 Series ML-Powered NGFWs support a wide range of
(port address translation)
networking features that enable you to more easily integrate
our security features into your existing network. NAT64, NPTv6
Additional NAT features: dynamic IP reservation, tunable
dynamic IP and port oversubscription
Table 2: PA-800 Series Networking Features
High Availability
Interface Modes
L2, L3, tap, virtual wire (transparent mode) Modes: active/active, active/passive
Routing Failure detection: path monitoring, interface monitoring
OSPFv2/v3 with graceful restart, BGP with graceful restart, Zero Touch Provisioning (ZTP)
RIP, static routing
Available with -ZTP SKUs (PA-850-ZTP, PA-820-ZTP)
Policy-based forwarding Requires Panorama 9.1.3 or higher
Point-to-Point Protocol over Ethernet (PPPoE)
Multicast: PIM-SM, PIM-SSM, IGMP v1, v2, and v3
SD-WAN
Path quality measurement (jitter, packet loss, latency)
Initial path selection (PBF)
Dynamic path change

Strata by Palo Alto Networks | PA-800 Series | Datasheet 3

 Table 3: PA-800 Series Hardware Specifications Table 3: PA-800 Series Hardware Specifications (cont.)
I/O Rack Mount (Dimensions)
PA-850: 10/100/1000 (4), Gigabit SFP (8) or PA-850: 1U, 19” standard rack (1.75” H x 14.5” D x 17.125” W)
PA-850: 10/100/1000 (4), Gigabit SFP (4), 10 Gigabit SFP+ (4) PA-820: 1U, 19” standard rack (1.75” H x 14” D x 17.125” W)
PA-820: 10/100/1000 (4), Gigabit SFP (8)
Weight (Standalone Device/As Shipped)
Management I/O
PA-850: 13.5 lbs / 21.5 lbs
10/100/1000 out-of-band management port (1) PA-820: 11 lbs / 18 lbs
10/100/1000 high availability (2)
RJ-45 console port (1) Safety
USB port (1) cTUVus, CB
Micro USB console port (1) EMI
Storage Capacity
FCC Class A, CE Class A, VCCI Class A
240 GB SSD
Certifications
Power Supply
See paloaltonetworks.com/company/certifications.html
PA-850: AC 450 W power supplies (2); one is redundant
PA-820: Fixed AC 200 W power supply (1) Environment
Power Consumption Operating temperature: 32° to 104° F, 0° to 40° C
Non-operating temperature: -4° to 158° F, -20° to 70° C
Maximum: PA-850: 240 W; PA-820: 120 W
Average: PA-850: 64 W; PA-820: 41 W Airflow
Max BTU/hr Front to back
256
To learn more about the features and associated capacities of
Input Voltage (Input Frequency) the PA-800 series, please visit paloaltonetworks.com/­network-
100–240 VAC (50–60 Hz) security/next-generation-firewall/pa-800-series.
Max Current Consumption
PA-850: 2.0 A @ 100 VAC, 1.0 A @ 240 VAC
PA-820: 1.0 A @ 100 VAC, 0.5 A @ 240 VAC
Max Inrush Current
PA-850: 1.0 A @ 230 VAC, 1.84 A @ 120 VAC
PA-820: 0.4 A @ 230 VAC, 0.96 A @ 120 VAC

3000 Tannery Way © 2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered
Santa Clara, CA 95054 ­trademark of Palo Alto Networks. A list of our trademarks can be found at
https://www.paloaltonetworks.com/company/trademarks.html. All other
Main: +1.408.753.4000 marks mentioned herein may be trademarks of their respective companies.
Sales: +1.866.320.4788 pa-800-series-ds-110220
Support: +1.866.898.9087

www.paloaltonetworks.com