The ML-enabled NGFWs of the PA-5400 Series by Palo Alto Networks, which include the models PA-5430, PA-5420, and PA-5410, are perfect for data centers, internet gateways, and service provider deployments in high-speed environments, providing effective protection for all data traffic, including encrypted data. With the first ML-enabled Next-Generation Firewall (NGFW), you can defend against previously unknown threats. You benefit from comprehensive insights and continuous protection for your entire IT environment, including Internet of Things (IoT) devices, and avoid operational errors with automated policy recommendations.

The PA-5400 Series uses the PAN-OS® operating system, like all NGFWs from Palo Alto Networks. PAN-OS natively classifies all network traffic (including all application data, threats, and legitimate content) and then assigns each packet to a user independently of the location or device type. Based on the applications, content, and users (i.e., the factors that are relevant to your business), security policies are then applied. This strengthens security and accelerates effective responses to security incidents.

• The world's first ML-Powered NGFW, this product has been recognized as an eleven-time leader in the Gartner Magic Quadrant for Network Firewalls and a leader in the Forrester Wave: Enterprise Firewalls, Q4 2022. • It delivers predictable performance with security services and simplifies the deployment of a large number of firewalls with the optional Zero Touch Provisioning (ZTP). • The NGFW's native web proxy support also simplifies and consolidates the management of firewall and proxy functionalities. • In addition, the product supports centralized administration with Panorama network security management and extends visibility and security to all devices, including unmanaged IoT devices, without the need to deploy additional sensors. • With support for high availability in active/active and active/passive modes, this product maximizes security investments and prevents business disruptions with AIOp.

Key Security and Connectivity Features
• ML-Powered Next-Generation Firewall

• The firewall's core integrates machine learning (ML) to enable inline signatureless attack prevention for file-based attacks, while also swiftly detecting and halting previously unseen phishing attempts.
   o The PA-5400 series is capable of continuously identifying and categorizing all applications, regardless of the port being used, with full layer 7 inspection.The firewall has the ability to identify applications that are moving through your network, regardless of the port, protocol, evasive techniques, or encryption (TLS/SSL) being used. Additionally, with the SaaS Security subscription, it can automatically discover and control new applications as they emerge to keep pace with the SaaS explosion. This ensures that you have complete visibility and control over the applications being used in your network at all times.

• Enforces Security for Users at Any Location, on Any Device, While Adapting Policy Based on User Activit This solution allows for enhanced visibility, security policies, reporting, and forensics that are based on user and group identities rather than solely relying on IP addresses. Additionally, it seamlessly integrates with various repositories such as wireless LAN controllers, VPNs, directory servers, SIEMs, proxies, and more to leverage user information.

• Prevents Malicious Activity Concealed in Encrypted Traffic
   o The Palo Alto PA-5400 Series is able to inspect and enforce policies on both inbound and outbound TLS/SSL-encrypted traffic, including for traffic that uses TLS 1.3 and HTTP/2. It provides detailed visibility into TLS traffic, such as the amount of encrypted traffic, TLS/SSL versions, cipher suites, and other relevant information, without requiring decryption. Additionally, it enables control over the use of legacy TLS protocols, insecure ciphers, and improperly configured certificates, which helps mitigate potential risks.

• Offers Centralized Management and Visibility
    o Centralized management, configuration, and visibility for multiple Palo Alto Networks NGFWs (regardless of location or scale) can be achieved through Panorama network security management. This provides a unified user interface for all devices, allowing for simplified management and monitoring.

• Native Web Proxy Support for the Next-Generation Firewall
   o Palo Alto NG Firwalls allow for consolidation of both firewall and proxy functionalities onto a single platform, which can be managed through a centralized management platform to create and implement policies.

• Delivers a Unique Approach to Packet Processing with Single-Pass Architecture PA-5400 products uses a stream-based, uniform signature matching approach that allows for scanning traffic for all signatures in a single pass, thereby avoiding any potential latency issues.

• SD-WAN Functionality

• Detects and Prevents Advanced Threats with Cloud-Delivered Security Services
  In today's digital landscape, cyberattacks have become increasingly sophisticated, with the potential to create up to 45,000 variants in a mere 30 minutes using multiple threat vectors and advanced techniques to deliver malicious payloads. Traditional siloed security measures can present significant challenges for organizations, including introducing security gaps, increasing overhead for security teams, and hindering business productivity due to inconsistent access and visibility. By seamlessly integrating with our industry-leading NGFWs, our Cloud-Delivered Security Services take advantage of the network effect of over 80,000 customers to coordinate intelligence and provide comprehensive protection against all threats across all vectors. This eliminates any coverage gaps across your locations, providing you with best-in-class security consistently delivered on a single platform, ensuring protection even against the most advanced and evasive threats.    o Advanced Threat Prevention: Our security solution effectively stops known exploits, malware, spyware, and command-and-control (C2) threats. Additionally, we utilize industry-first prevention methods to tackle zero-day attacks, resulting in preventing up to 60% more unknown injection attacks and 48% more highly evasive command-and-control traffic than traditional IPS solutions.
   o Advanced WildFire: Palo Alto has an automatic protection to ensure that files are safe from known, unknown, and highly evasive malware. With the industry's largest threat intelligence and malware prevention engine, we can prevent such threats 60 times faster.
   o Advanced URL Filtering Our security solution guarantees safe access to the internet and provides real-time prevention of known and unknown threats, resulting in the prevention of 40% more web-based attacks. As a result of our industry-first real-time prevention capabilities, we can stop 88% of malicious URLs at least 48 hours before other vendors, providing superior protection against internet-based threats.
   o DNS Security: Increase your protection against DNS attacks by 40% and thwart the 80% of attacks that exploit DNS for data theft and command-and-control, all without needing any changes to your existing infrastructure.
   o Enterprise DLP: Reduce the likelihood of a data breach, prevent unauthorized data transfers, and maintain compliance throughout your organization with double the coverage of any cloud-based enterprise DLP solution.
   o SaaS Security: Keep up with the rapidly expanding SaaS landscape using our Next-Generation CASB, the only solution in the industry that can automatically discover and secure all applications across every protocol.
   o IoT Security: Protect all your connected devices and deploy Zero Trust security for your devices 20 times faster with the industry's most intelligent security solution designed for smart devices.

PA-5400 Series Performance and Capacities

PA-5410 PA-5420 PA-5430 PA-5440
Firewall throughput (HTTP/appmix)* 52.4/43.5 Gbps 68.0/56.0 Gbps 79.0/61.0 Gbps 93.5/72.0 Gbps
Threat Prevention throughput (HTTP/appmix)† 26.0/26.7 Gbps 33.0/32.0 Gbps 43.0/40.0 Gbps 61.5/52.0 Gbps
IPsec VPN throughput‡ 21 Gbps 28.7 Gbps 42 Gbps 58 Gbps
Max sessions 3.6M 5M 7.2M 12M
New sessions per second§ 270,000 370,000 380,000/td> 390,000
Virtual systems (base/max)|| 10/20 15/65 25/125 25/225

Note: Results were measured on PAN-OS 11.0.
* Firewall throughput is measured with App-ID and logging enabled, utilizing 64 KB HTTP/appmix transactions.
† Threat Prevention throughput is measured with App-ID, IPS, antivirus, antispyware, WildFire, DNS Security, file blocking, and logging enabled, utilizing 64 KB HTTP/appmix transactions.
‡ IPsec VPN throughput is measured with 64 KB HTTP transactions and logging enabled.
§ New sessions per second is measured with application-override, utilizing 1 byte HTTP transactions. || Adding virtual systems over base quantity requires a separately purchased license.

PA-5400 Series Networking Features

Interface Modes
L2, L3, tap, virtual wire (transparent mode)
OSPFv2/v3 with graceful restart, BGP with graceful restart, RIP, static routing
Policy-based forwarding
Point-to-Point Protocol over Ethernet (PPPoE)
Multicast: PIM-SM, PIM-SSM, IGMP v1, v2, and v3
Bidirectional Forwarding Detection (BFD)
Path quality measurement (jitter, packet loss, latency)
Initial path selection (PBF)
Key exchange: manual key, IKEv1, and IKEv2 (pre-shared key, certificate-based authentication)
L2, L3, tap, virtual wire (transparent mode)
Features: App-ID, User-ID, Content-ID, WildFire, and SSL Decryption
Key exchange: manual key, IKEv1 and IKEv2 (pre-shared key, certificate-based authentication)
Encryption: 3DES, AES (128-bit, 192-bit, 256-bit)
Authentication: MD5, SHA-1, SHA-256, SHA-384, SHA-512
802.1Q VLAN tags per device/per interface: 4,094/4,094
Aggregate interfaces (802.3ad), LACP
Network Address Translation
NAT modes (IPv4): static IP, dynamic IP, dynamic IP and port (port address translation)
NAT64, NPTv6
Additional NAT features: dynamic IP reservation, tunable dynamic IP and port oversubscription
High Availability
Modes: active/active, active/passive, HA clustering
Failure detection: path monitoring, interface monitoring
Mobile Network Infrastructure* (PA-3440 and PA-3430)
5G Security
5G MEC (multi-access edge computing) Security
GTP Security
SCTP Security
Back to Product
Update cookies preferences TermsFeed All-in-one compliance software: Generate Privacy Policy, Terms & Conditions, Cookie Consent Notice Banner, EULA, Disclaimer and more.