The PA-4000 Series is a next-generation firewall that delivers unprecedented visibility and control over applications, users and content on enterprise networks.

The Palo Alto NetworksTM PA-4000 Series is comprised of three high performance platforms, the PA-4020, the PA-4050 and the PA-4060, all of which are targeted at high speed Internet gateway and datacenter deployments. The PA-4000 Series manages multi-Gbps traffic flows using dedicated processing and memory for networking, security, threat prevention and management.

A 10 Gbps backplane smoothes the pathway between dedicated processors, and the physical separation of data and control plane ensures that management access is always available, irrespective of the traffic load. The PA-4050 and PA-4020 each have 24 traffic interfaces while the PA-4060 supports 10 Gbps interfaces. All of the PA-4000 Series platforms have dedicated high availability and out-of-band management interfaces.

The controlling element of the PA-4000 Series next-generation firewalls is PAN-OSTM, a security-specific operating system that tightly integrates three unique identification technologies: App-IDTM, User-ID and Content-ID, with key firewall, networking and management features.

For a complete description of the PA-4000 Series next-generation firewall feature set, please visit www.paloaltonetworks.com/literature.

PA-4000 Series

APPLICATION IDENTIFICATION:• Identifiesmorethan950applications

irrespectiveofport,protocol,SSLencryptionorevasivetacticemployed.

• Enablespositiveenforcementapplicationusagepolicies:allow,deny,schedule,inspect,applytrafficshaping.

• Graphicalvisibilitytoolsenablesimpleandintuitiveviewintoapplicationtraffic.

USER IDENTIFICATION:• Policy-basedvisibilityandcontrolover

whoisusingtheapplicationsthroughseamlessintegrationwithActiveDirectory,LDAP,andeDirectory.

• IdentifiesCitrixandMicrosoftTerminalServicesusers,enablingvisibilityandcontrolovertheirrespectiveapplicationusage.

• Controlnon-Windowshostsviaweb-basedauthentication.

CONTENT IDENTIFICATION:• Blockviruses,spyware,andvulnerability

exploits,limitunauthorizedtransferoffilesandsensitivedatasuchasCC#orSSN,andcontrolnon-workrelatedwebsurfing.

• Singlepasssoftwarearchitectureenablesmulti-gigabitthroughputwithlowlatencywhilescanningcontent.

P A L O A LT O N E T W O R K S : P A - 4 0 0 0 S e r i e s S p e c s h e e t

PA-4050

PA-4060

KEy PERFORmANCE SPECIFICATIONS PA-4020 PA-4050 PA-4060

Firewallthroughput 2Gbps 10Gbps 10GbpsThreatpreventionthroughput 2Gbps 5Gbps 5GbpsIPSecVPNthroughput 1Gbps 2Gbps 2GbpsIPSecVPNtunnels/interfaces 2,000 4,000 4,000SSLVPNconcurrentusers 5,000 10,000 10,000Newsessionspersecond 60,000 60,000 60,000Maxsessions 500,000 2,000,000 2,000,000

PA-4020

P A L O A LT O N E T W O R K S : P A - 4 0 0 0 S e r i e s S p e c s h e e t

PAGE2

Additional PA-4000 Series Specifications and Features

APP-ID

•Identifiesandcontrolsmorethan950applications•SSLdecryption(inboundandoutbound)•Customizeapplicationproperties•CustomHTTPandSSLapplications

FIREwALL

•Policy-basedcontrolbyapplication,applicationcategory,subcategory,technology,riskfactororcharacteristic

•Applicationfunctioncontrol•Fragmentedpacketprotection•Reconnaissancescanprotection•DenialofService(DoS)/DistributedDenialofServices(DDoS)

protection•Maximumnumberofpolicies:(PA-4020)10,000,(PA-4050)20,000,

(PA-4060)20,000

USER-ID

•Visibilityandcontrolbyuser,groupandIPaddress•ActiveDirectory,LDAP,eDirectory,CitrixandMicrosoftTerminal

Services•XMLAPI(externaluserrepositoryintegration)•WMIandNetBiospolling•Maximumconcurrentuser/IPmappings:64,000

DATA FILTERINg

•Controlunauthorizeddatatransfer(socialsecuritynumbers,creditcardnumbers,customdatapatterns)

•Controlunauthorizedtransferofmorethan50filetypes

URL FILTERINg (SUbSCRIPTION REqUIRED)

•76-category,20MURLon-boxdatabase•Custom1MURLcachedatabase(from180MURLdatabase)•CustomblockpagesandURLcategories

IPSEC VPN (SITE-TO-SITE)

•Manualkey,IKEv1•3DES,AES(128-bit,192-bit,256-bit)encryption•SHA1,MD5authentication

SSL VPN (REmOTE ACCESS)

•IPSectransportwithSSLfall-back•EnforceuniquepoliciesforSSLVPNtraffic•Enable/disablesplittunnelingtocontrolclientaccess•LDAP,SecurID,orlocalDBauthentication•ClientOS:WindowsXP,WindowsVista(32and64bit),Windows7(32

and64bit)

HIgH AVAILAbILITy

•Active/Passivefailover•Configurationandsessionsynchronization•Heartbeatchecking•Linkandpathfailuremonitoring

NETwORKINg

•Dynamicrouting(BGP,OSPFandRIPv2)•Tapmode,virtualwire,layer2,layer3•Networkaddresstranslation(NAT)

-Sourceanddestinationaddresstranslation-DynamicIPandportpool:254-DynamicIPpool:16,234

•DHCPserver/DHCPrelay:Upto3servers•802.1QVLANs:4,094•Policy-basedforwarding•802.3adlinkaggregation•Point-to-PointProtocoloverEthernet(PPPoE)•IPv6applicationvisibility,controlandfullcontentinspection(Virtual

wiremodeonly)•Jumboframes•Virtualrouters:(PA-4020)20,(PA-4050)125,(PA-4060)125•Securityzones:(PA-4020)80,(PA-4050)500,(PA-4060)500•Virtualsystems(base/max):(PA-4020)10/20*,(PA-4050)25/125*,

(PA-4060)25/125*

THREAT PREVENTION (SUbSCRIPTION REqUIRED)

•Detectandblockapplicationvulnerabilityexploits(IPS)•Stream-basedprotectionagainstviruses,spywareandworms•HTML/Javascriptvirusprotection•InspectcompressedfilesthatusetheDeflatealgorithm(Zip,Gzip,

etc)•Customvulnerabilityandspywarephonehomesignatures•Contentupdates:daily(malware),weekly(vulnerabilitysignatures),

emergency(all)

qUALITy OF SERVICE (qOS)

•Policy-basedtrafficshapingbyapplication,user,source,destination,interface,IPSecVPNtunnelandmore

•Defineupto8trafficclasseswithguaranteed,maximumandprioritybandwidthparameters

•Real-timebandwidthmonitor•Perpolicydiffservmarking

mANAgEmENT TOOLS

•Integratedwebinterface•Commandlineinterface(CLI)•Role-basedadministration•SyslogandSNMPv2•Customizableadministratorloginbanner•XML-basedRESTAPI•Centralizedmanagement(Panorama)•CentrallymanagePAN-OSandcontentupdates(Panorama)•Sharedpolicies(Panorama)

VISIbILITy AND REPORTINg TOOLS

•Graphicalsummaryofapplications,URLcategories,threatsanddata(ACC)

•View,filter,exporttraffic,threat,URL,anddatafilteringlogs•Fullycustomizablereporting•Tracesessiontool

*Addingvirtualsystemstothebasequantityrequiresaseparatelypurchasedlicense.

P A L O A LT O N E T W O R K S : P A - 4 0 0 0 S e r i e s S p e c s h e e t

HARDwARE SPECIFICATIONS PA-4060 PA-4050/PA-4020

I/O (4)10GigabitXFP+(4)GigabitSFP (16)10/100/1000+(8)GigabitSFPManagementI/O (2)10/100/1000highavailability, (2)10/100/1000highavailability, (1)10/100/1000out-of-bandmanagement, (1)10/100/1000out-of-bandmanagement, (1)DB9consoleport (1)DB9consoleportPowersupply(Avg/maxpowerconsumption) Redundant400WAC(175W/200W)Inputvoltage(Inputfrequency) 100-240Vac(50-60Hz)Maxinputcurrent 50A@230Vac;30A@120VacPowerfactor 0.93to0.95(PA-4060,PA-4050,PA-4020)Safety UL,CUL,CBEMI FCCClassA,CEClassA,VCCIClassA,TUVRackmountable(dimensions) 2U,19”standardrack(3.5”Hx16.5”Dx17.5”W)MTBF 7.18years(PA-4060,PA-4050,PA-4020)

ENVIRONmENT

Operatingtemperature 32°to122°F,0°to50°CNon-operatingtemperature -4°to158°F,-20°to70°C

ORDERINg INFORmATION PA-4060 PA-4050 PA-4020

Platform PAN-PA-4060 PAN-PA-4050 PAN-PA-4020Annualthreatpreventionsubscription PAN-PA-4060-TP PAN-PA-4050-TP PAN-PA-4020-TPAnnualURLfilteringsubscription PAN-PA-4060-URL2 PAN-PA-4050-URL2 PAN-PA-4020-URL2VSYSupgrade(10additional) --- --- PAN-PA-4020-VSYS-10VSYSupgrade(50additional) PAN-PA-4060-VSYS-50 PAN-PA-4050-VSYS-50 ---VSYSupgrade(100additional) PAN-PA-4060-VSYS-100 PAN-PA-4050-VSYS-100 ---

ForadditionalinformationonthePA-4000Seriessoftwarefeatures,pleasevisitwww.paloaltonetworks.com/literature.

Palo Alto Networks232E.JavaDriveSunnyvale,CA.94089Sales866.320.4788 408.738.7700www.paloaltonetworks.com

Copyright ©2010, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. All specifications are subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. PAN-OS 3.1, March 2010.

840-000002-00D