The PA-1400 Series ML-Powered Next-Generation Firewalls by Palo Alto Networks, which consist of the PA-1420 and PA-1410 models, have been specifically designed to provide secure connectivity for branch offices and midsize businesses. These firewalls are powered by PAN OS, the same software that runs all Palo Alto Networks NGFWs, and are capable of natively classifying all traffic, including applications, threats, and content, while also linking that traffic to the user regardless of their location or device type. By utilizing the application, content, and user as the foundation of your security policies, which are the essential elements that drive your business, the PA-1400 Series can help enhance your security posture and reduce incident response time.
Highlights• The world's first ML-Powered NGFW, this product has been recognized as an eleven-time leader in the Gartner Magic Quadrant for Network Firewalls and a leader in the Forrester Wave: Enterprise Firewalls, Q4 2022. • It delivers predictable performance with security services and simplifies the deployment of a large number of firewalls with the optional Zero Touch Provisioning (ZTP). • The NGFW's native web proxy support also simplifies and consolidates the management of firewall and proxy functionalities. • In addition, the product supports centralized administration with Panorama network security management and extends visibility and security to all devices, including unmanaged IoT devices, without the need to deploy additional sensors. • With support for high availability in active/active and active/passive modes, this product maximizes security investments and prevents business disruptions with AIOp.
Key Security and Connectivity Features• ML-Powered Next-Generation Firewall • The firewall's core integrates machine learning (ML) to enable inline signatureless attack prevention for file-based attacks, while also swiftly detecting and halting previously unseen phishing attempts. o The PA-1400 series is capable of continuously identifying and categorizing all applications, regardless of the port being used, with full layer 7 inspection.The firewall has the ability to identify applications that are moving through your network, regardless of the port, protocol, evasive techniques, or encryption (TLS/SSL) being used. Additionally, with the SaaS Security subscription, it can automatically discover and control new applications as they emerge to keep pace with the SaaS explosion. This ensures that you have complete visibility and control over the applications being used in your network at all times. • Enforces Security for Users at Any Location, on Any Device, While Adapting Policy Based on User Activit This solution allows for enhanced visibility, security policies, reporting, and forensics that are based on user and group identities rather than solely relying on IP addresses. Additionally, it seamlessly integrates with various repositories such as wireless LAN controllers, VPNs, directory servers, SIEMs, proxies, and more to leverage user information. • Prevents Malicious Activity Concealed in Encrypted Traffic o The Palo Alto PA-1400 Series is able to inspect and enforce policies on both inbound and outbound TLS/SSL-encrypted traffic, including for traffic that uses TLS 1.3 and HTTP/2. It provides detailed visibility into TLS traffic, such as the amount of encrypted traffic, TLS/SSL versions, cipher suites, and other relevant information, without requiring decryption. Additionally, it enables control over the use of legacy TLS protocols, insecure ciphers, and improperly configured certificates, which helps mitigate potential risks. • Offers Centralized Management and Visibility o Centralized management, configuration, and visibility for multiple Palo Alto Networks NGFWs (regardless of location or scale) can be achieved through Panorama network security management. This provides a unified user interface for all devices, allowing for simplified management and monitoring. • Native Web Proxy Support for the Next-Generation Firewall o Palo Alto NG Firwalls allow for consolidation of both firewall and proxy functionalities onto a single platform, which can be managed through a centralized management platform to create and implement policies. • Delivers a Unique Approach to Packet Processing with Single-Pass Architecture PA-1400 products uses a stream-based, uniform signature matching approach that allows for scanning traffic for all signatures in a single pass, thereby avoiding any potential latency issues. • SD-WAN Functionality • Detects and Prevents Advanced Threats with Cloud-Delivered Security Services In today's digital landscape, cyberattacks have become increasingly sophisticated, with the potential to create up to 45,000 variants in a mere 30 minutes using multiple threat vectors and advanced techniques to deliver malicious payloads. Traditional siloed security measures can present significant challenges for organizations, including introducing security gaps, increasing overhead for security teams, and hindering business productivity due to inconsistent access and visibility. By seamlessly integrating with our industry-leading NGFWs, our Cloud-Delivered Security Services take advantage of the network effect of over 80,000 customers to coordinate intelligence and provide comprehensive protection against all threats across all vectors. This eliminates any coverage gaps across your locations, providing you with best-in-class security consistently delivered on a single platform, ensuring protection even against the most advanced and evasive threats. o Advanced Threat Prevention: Our security solution effectively stops known exploits, malware, spyware, and command-and-control (C2) threats. Additionally, we utilize industry-first prevention methods to tackle zero-day attacks, resulting in preventing up to 60% more unknown injection attacks and 48% more highly evasive command-and-control traffic than traditional IPS solutions. o Advanced WildFire: Palo Alto has an automatic protection to ensure that files are safe from known, unknown, and highly evasive malware. With the industry's largest threat intelligence and malware prevention engine, we can prevent such threats 60 times faster. o Advanced URL Filtering Our security solution guarantees safe access to the internet and provides real-time prevention of known and unknown threats, resulting in the prevention of 40% more web-based attacks. As a result of our industry-first real-time prevention capabilities, we can stop 88% of malicious URLs at least 48 hours before other vendors, providing superior protection against internet-based threats. o DNS Security: Increase your protection against DNS attacks by 40% and thwart the 80% of attacks that exploit DNS for data theft and command-and-control, all without needing any changes to your existing infrastructure. o Enterprise DLP: Reduce the likelihood of a data breach, prevent unauthorized data transfers, and maintain compliance throughout your organization with double the coverage of any cloud-based enterprise DLP solution. o SaaS Security: Keep up with the rapidly expanding SaaS landscape using our Next-Generation CASB, the only solution in the industry that can automatically discover and secure all applications across every protocol. o IoT Security: Protect all your connected devices and deploy Zero Trust security for your devices 20 times faster with the industry's most intelligent security solution designed for smart devices.
PA-1400 Series Performance and Capacities
|Firewall throughput (HTTP/appmix)*||8.9/6.8 Gbps||9.9/9.5 Gbps|
|Threat Prevention throughput (HTTP/appmix)†||3.3/3.2 Gbps||5.0/4.8 Gbps|
|IPsec VPN throughput‡||4.6 Gbps||6.5 Gbps|
|New sessions per second§||100,000||140,000|
|Virtual systems (base/max)||||1/6||1/6|
Note: Results were measured on PAN-OS 11.0.* Firewall throughput is measured with App-ID and logging enabled, using 64KB HTTP/appmix transactions. † Threat Prevention throughput is measured with App-ID, IPS, antivirus, antispyware, WildFire, DNS Security, file blocking, and logging enabled, utilizing 64KB HTTP/appmix transactions. ‡ IPsec VPN throughput is measured with 64KB HTTP transactions and logging enabled. § New sessions per second is measured with application-override, utilizing 1 byte HTTP transactions. || Adding virtual systems over base quantity requires a separately purchased license.
PA-1400 Series Networking Features
|L2, L3, tap, virtual wire (transparent mode)|
|OSPFv2/v3 with graceful restart, BGP with graceful restart, RIP, static routing|
|Point-to-Point Protocol over Ethernet (PPPoE)|
|Multicast: PIM-SM, PIM-SSM, IGMP v1, v2, and v3|
|Path quality measurement (jitter, packet loss, latency)|
|Initial path selection (PBF)|
|Dynamic path change|
|L2, L3, tap, virtual wire (transparent mode)|
|Features: App-ID, User-ID, Content-ID, WildFire, and SSL Decryption|
|Key exchange: manual key, IKEv1 and IKEv2 (pre-shared key, certificate-based authentication)|
|Encryption: 3DES, AES (128-bit, 192-bit, 256-bit)|
|Authentication: MD5, SHA-1, SHA-256, SHA-384, SHA-512|
|802.1Q VLAN tags per device/per interface: 4,094/4,094|
|Aggregate interfaces (802.3ad), LACP|
|Network Address Translation|
|NAT modes (IPv4): static IP, dynamic IP, dynamic IP and port (port address translation)|
|Additional NAT features: dynamic IP reservation, tunable dynamic IP and port oversubscription|
|Modes: active/active, active/passive|
|Failure detection: path monitoring, interface monitoring|
|Zero Touch Provisioning (ZTP)|
|Requires Panorama 9.1.3 or higher that is managing PA-1400 Series with PAN-OS 11.0 or higher|