PA-3200 Series

Palo Alto Networks PA-3200 Series

ML-Powered NGFWs—comprising the
PA-3260, PA-3250, and PA-3220—
target high-speed internet gateway PA-3260
deployments. PA-3200 Series appliances
secure all traffic, including encrypted
traffic, using dedicated processing and
memory for networking, security, threat
PA-3250 PA-3220
prevention, and management.
The controlling element of the PA-3200 Series
ML-Powered Next-Generation Firewalls (NGFW) is­
PAN-OS®, which natively classifies all traffic, inclusive
of applications, threats, and content, and then ties that
traffic to the user regardless of location or device type.
The application, content, and user—in other words, the
elements that run your business—then serve as the basis
of your security policies, resulting in improved security
posture and reduced incident response time.

Strata by Palo Alto Networks | PA-3200 Series | Datasheet 1

Key Security and Connectivity • Easily integrates your firewall policies with 802.1X wire-

­Features
less, proxies, network access control, and any other
source of user identity information.

Classifies all applications, on all ports, all the time Extends native protection across all attack ­vectors
with cloud-delivered security subscriptions
• Identifies the application, regardless of port, SSL/SSH en-
cryption, or evasive technique employed. • Threat Prevention—inspects all traffic to automatically
block known vulnerabilities, malware, vulnerability ex-
• Uses the application, not the port, as the basis for all your
ploits, spyware, command and control (C2), and custom
safe enablement policy decisions: allow, deny, schedule,
intrusion prevention system (IPS) signatures.
inspect, and apply traffic-shaping.
• WildFire® malware prevention—protects against unknown
• Categorizes unidentified applications for policy control,
file-based threats, automatically delivering protections in
threat forensics, or App-ID™ technology development.
seconds or less for most new threats across networks, end-
• Provides full visibility into the details of all TLS-encrypted points, and clouds.
connections and stops threats hidden in encrypted traffic,
• URL Filtering—prevents access to malicious sites and pro-
including traffic that uses TLS 1.3 and HTTP/2 protocols.
tects users against web-based threats.
Enforces security policies for any user, anywhere • DNS Security—detects and blocks known and unknown
• Deploys consistent policies to local and remote users run- threats over DNS while predictive analytics disrupt attacks
ning on Windows®, macOS®, Linux, Android®, or Apple iOS using DNS for C2 or data theft.
platforms. • IoT Security—discovers all unmanaged devices in your
• Enables agentless integration with Microsoft Active network, identifies risks and vulnerabilities, and automates
­Directory® and Terminal Services, LDAP, Novell ­eDirectory™, enforcement policies for your ML-Powered NGFW using a
and Citrix. new Device-ID™ policy construct.

Table 1: PA-3200 Series Performance and Capacities1

PA-3260 PA-3250 PA-3220
Firewall throughput (HTTP/appmix)2 7.9/10 Gbps 5.3/6.6 Gbps 4.3/5.0 Gbps
Threat Prevention throughput (HTTP/­appmix)3 3.6/4.4 Gbps 2.4/3.0 Gbps 2.0/2.4 Gbps
IPsec VPN throughput4 4.8 Gbps 3.2 Gbps 2.7 Gbps
Max sessions 3M 2M 1M
New sessions per second 5
114,000 82,000 57,000
Virtual systems (base/max) 6
1/6 1/6 1/6

1. Results were measured on PAN-OS 9.1.

2. Firewall throughput is measured with App-ID and logging enabled, utilizing 64 KB HTTP/appmix transactions.
3. Threat Prevention throughput is measured with App-ID, IPS, antivirus, anti-spyware, WildFire, file blocking, and logging enabled, utilizing 64 KB HTTP/appmix transactions.
4. IPsec VPN throughput is measured with 64 KB HTTP transactions and logging enabled.
5. New sessions per second is measured with application-override, utilizing 1 byte HTTP transactions.
6. Adding virtual systems over base quantity requires a separately purchased license.

Table 2: PA-3200 Series Networking Features Table 2: PA-3200 Series Networking Features (continued)
Interface Modes IPv6
L2, L3, tap, virtual wire (transparent mode)
L2, L3, tap, virtual wire (transparent mode)
Routing Features: App-ID, User-ID, Content-ID, WildFire,
and SSL Decryption
OSPFv2/v3 with graceful restart, BGP with graceful restart,
RIP, static routing SLAAC
IPsec VPN
Policy-based forwarding
Key exchange: manual key, IKEv1, and IKEv2
Point-to-Point Protocol over Ethernet (PPPoE) (pre-shared key, ­certificate-based authentication)
Multicast: PIM-SM, PIM-SSM, IGMP v1, v2, and v3 Encryption: 3DES, AES (128-bit, 192-bit, 256-bit)
SD-WAN Authentication: MD5, SHA-1, SHA-256, SHA-384, SHA-512
Path quality measurement (jitter, packet loss, latency) VLANs
Initial path selection (PBF) 802.1Q VLAN tags per device/per interface: 4,094/4,094
Dynamic path change Aggregate interfaces (802.3ad), LACP

Strata by Palo Alto Networks | PA-3200 Series | Datasheet 2

Table 2: PA-3200 Series Networking Features (continued) Table 3: PA-3200 Series Hardware Specs. (cont.)

Network Address Translation Input Voltage (Input Frequency)

AC: 100–240 VAC (50–60 Hz)
NAT modes (IPv4): static IP, dynamic IP, dynamic IP and
port (port address translation) DC: -48 V @ 4.7 A, -60 V @ 3.8 A
NAT64, NPTv6 Max Current Consumption
Additional NAT features: dynamic IP reservation, tunable
AC: 2.3 A @ 100 VAC, 1.0 A @ 240 VAC
dynamic IP and port oversubscription
High Availability DC: -48 V @ 4.7 A, -60 V @ 3.8 A
Mean Time Between Failure (MTBF)
Modes: active/active, active/passive, HA clustering
14 years
Failure detection: path monitoring, interface monitoring
Rack Mount Dimensions
Zero Touch Provisioning (ZTP)
2U, 19” standard rack (3.5” H x 20.53” D x 17.34” W)
Available with -ZTP SKUs (PA-3260-ZTP, PA-3250-ZTP, Weight (Standalone Device/As Shipped)
PA-3220-ZTP)
Requires Panorama 9.1.3 or higher 29 lbs / 41.5 lbs
Safety

TUV CB report and TUV NRTL

Table 3: PA-3200 Series Hardware Specifications
EMI
I/O
FCC Class A, CE Class A, VCCI Class A
PA-3260: 10/100/1000 (12), 1G/10G SFP/SFP+ (8), 40G QSFP+ (4)
Certifications
PA-3250: 10/100/1000 (12), 1G/10G SFP/SFP+ (8)
See https://www.paloaltonetworks.com/company/
PA-3220: 10/100/1000 (12), 1G SFP (4), 1G/10G SFP/SFP+ (4) certifications.html
Management I/O Environment
10/100/1000 out-of-band management port (1), Operating temperature: 32° to 122° F, 0° to 50° C
10/100/1000 high availability (2), 10G SFP+ high availability (1),
RJ-45 console port (1), Micro USB (1) Non-operating temperature: -4° to 158° F, -20° to 70° C
Storage Capacity Humidity tolerance: 10% to 90%
240 GB SSD Maximum altitude: 10,000 ft / 3,048 m
Power Supply (Avg/Max Power Consumption) Airflow: front to back
Redundant 650-watt AC or DC (180/240)
Max BTU/hr To view additional information about the features and
associated capacities of the ­
­ PA-3200 Series, please visit
819 www.­paloaltonetworks.com/products.

3000 Tannery Way © 2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered
Santa Clara, CA 95054 ­trademark of Palo Alto Networks. A list of our trademarks can be found at
https://www.paloaltonetworks.com/company/trademarks.html. All other
Main: +1.408.753.4000 marks mentioned herein may be trademarks of their respective companies.
Sales: +1.866.320.4788 strata-pa-3200-series-ds-061220
Support: +1.866.898.9087

www.paloaltonetworks.com