The ML-enabled NGFWs of the PA-5400 Series by Palo Alto Networks, which include the models PA-5430, PA-5420, and PA-5410, are perfect for data centers, internet gateways, and service provider deployments in high-speed environments, providing effective protection for all data traffic, including encrypted data. With the first ML-enabled Next-Generation Firewall (NGFW), you can defend against previously unknown threats. You benefit from comprehensive insights and continuous protection for your entire IT environment, including Internet of Things (IoT) devices, and avoid operational errors with automated policy recommendations. The PA-5400 Series uses the PAN-OS® operating system, like all NGFWs from Palo Alto Networks. PAN-OS natively classifies all network traffic (including all application data, threats, and legitimate content) and then assigns each packet to a user independently of the location or device type. Based on the applications, content, and users (i.e., the factors that are relevant to your business), security policies are then applied. This strengthens security and accelerates effective responses to security incidents.
Highlights• The world's first ML-Powered NGFW, this product has been recognized as an eleven-time leader in the Gartner Magic Quadrant for Network Firewalls and a leader in the Forrester Wave: Enterprise Firewalls, Q4 2022. • It delivers predictable performance with security services and simplifies the deployment of a large number of firewalls with the optional Zero Touch Provisioning (ZTP). • The NGFW's native web proxy support also simplifies and consolidates the management of firewall and proxy functionalities. • In addition, the product supports centralized administration with Panorama network security management and extends visibility and security to all devices, including unmanaged IoT devices, without the need to deploy additional sensors. • With support for high availability in active/active and active/passive modes, this product maximizes security investments and prevents business disruptions with AIOp.
Key Security and Connectivity Features• ML-Powered Next-Generation Firewall • The firewall's core integrates machine learning (ML) to enable inline signatureless attack prevention for file-based attacks, while also swiftly detecting and halting previously unseen phishing attempts. o The PA-5400 series is capable of continuously identifying and categorizing all applications, regardless of the port being used, with full layer 7 inspection.The firewall has the ability to identify applications that are moving through your network, regardless of the port, protocol, evasive techniques, or encryption (TLS/SSL) being used. Additionally, with the SaaS Security subscription, it can automatically discover and control new applications as they emerge to keep pace with the SaaS explosion. This ensures that you have complete visibility and control over the applications being used in your network at all times. • Enforces Security for Users at Any Location, on Any Device, While Adapting Policy Based on User Activit This solution allows for enhanced visibility, security policies, reporting, and forensics that are based on user and group identities rather than solely relying on IP addresses. Additionally, it seamlessly integrates with various repositories such as wireless LAN controllers, VPNs, directory servers, SIEMs, proxies, and more to leverage user information. • Prevents Malicious Activity Concealed in Encrypted Traffic o The Palo Alto PA-5400 Series is able to inspect and enforce policies on both inbound and outbound TLS/SSL-encrypted traffic, including for traffic that uses TLS 1.3 and HTTP/2. It provides detailed visibility into TLS traffic, such as the amount of encrypted traffic, TLS/SSL versions, cipher suites, and other relevant information, without requiring decryption. Additionally, it enables control over the use of legacy TLS protocols, insecure ciphers, and improperly configured certificates, which helps mitigate potential risks. • Offers Centralized Management and Visibility o Centralized management, configuration, and visibility for multiple Palo Alto Networks NGFWs (regardless of location or scale) can be achieved through Panorama network security management. This provides a unified user interface for all devices, allowing for simplified management and monitoring. • Native Web Proxy Support for the Next-Generation Firewall o Palo Alto NG Firwalls allow for consolidation of both firewall and proxy functionalities onto a single platform, which can be managed through a centralized management platform to create and implement policies. • Delivers a Unique Approach to Packet Processing with Single-Pass Architecture PA-5400 products uses a stream-based, uniform signature matching approach that allows for scanning traffic for all signatures in a single pass, thereby avoiding any potential latency issues. • SD-WAN Functionality • Detects and Prevents Advanced Threats with Cloud-Delivered Security Services In today's digital landscape, cyberattacks have become increasingly sophisticated, with the potential to create up to 45,000 variants in a mere 30 minutes using multiple threat vectors and advanced techniques to deliver malicious payloads. Traditional siloed security measures can present significant challenges for organizations, including introducing security gaps, increasing overhead for security teams, and hindering business productivity due to inconsistent access and visibility. By seamlessly integrating with our industry-leading NGFWs, our Cloud-Delivered Security Services take advantage of the network effect of over 80,000 customers to coordinate intelligence and provide comprehensive protection against all threats across all vectors. This eliminates any coverage gaps across your locations, providing you with best-in-class security consistently delivered on a single platform, ensuring protection even against the most advanced and evasive threats. o Advanced Threat Prevention: Our security solution effectively stops known exploits, malware, spyware, and command-and-control (C2) threats. Additionally, we utilize industry-first prevention methods to tackle zero-day attacks, resulting in preventing up to 60% more unknown injection attacks and 48% more highly evasive command-and-control traffic than traditional IPS solutions. o Advanced WildFire: Palo Alto has an automatic protection to ensure that files are safe from known, unknown, and highly evasive malware. With the industry's largest threat intelligence and malware prevention engine, we can prevent such threats 60 times faster. o Advanced URL Filtering Our security solution guarantees safe access to the internet and provides real-time prevention of known and unknown threats, resulting in the prevention of 40% more web-based attacks. As a result of our industry-first real-time prevention capabilities, we can stop 88% of malicious URLs at least 48 hours before other vendors, providing superior protection against internet-based threats. o DNS Security: Increase your protection against DNS attacks by 40% and thwart the 80% of attacks that exploit DNS for data theft and command-and-control, all without needing any changes to your existing infrastructure. o Enterprise DLP: Reduce the likelihood of a data breach, prevent unauthorized data transfers, and maintain compliance throughout your organization with double the coverage of any cloud-based enterprise DLP solution. o SaaS Security: Keep up with the rapidly expanding SaaS landscape using our Next-Generation CASB, the only solution in the industry that can automatically discover and secure all applications across every protocol. o IoT Security: Protect all your connected devices and deploy Zero Trust security for your devices 20 times faster with the industry's most intelligent security solution designed for smart devices.
PA-5400 Series Performance and Capacities
|Firewall throughput (HTTP/appmix)*
|Threat Prevention throughput (HTTP/appmix)†
|IPsec VPN throughput‡
|New sessions per second§
|Virtual systems (base/max)||
Note: Results were measured on PAN-OS 11.0. * Firewall throughput is measured with App-ID and logging enabled, utilizing 64 KB HTTP/appmix transactions. † Threat Prevention throughput is measured with App-ID, IPS, antivirus, antispyware, WildFire, DNS Security, file blocking, and logging enabled, utilizing 64 KB HTTP/appmix transactions. ‡ IPsec VPN throughput is measured with 64 KB HTTP transactions and logging enabled. § New sessions per second is measured with application-override, utilizing 1 byte HTTP transactions. || Adding virtual systems over base quantity requires a separately purchased license.
PA-5400 Series Networking Features
|L2, L3, tap, virtual wire (transparent mode)
|OSPFv2/v3 with graceful restart, BGP with graceful restart, RIP, static routing
|Point-to-Point Protocol over Ethernet (PPPoE)
|Multicast: PIM-SM, PIM-SSM, IGMP v1, v2, and v3
|Bidirectional Forwarding Detection (BFD)
|Path quality measurement (jitter, packet loss, latency)
|Initial path selection (PBF)
|Key exchange: manual key, IKEv1, and IKEv2 (pre-shared key, certificate-based authentication)
|L2, L3, tap, virtual wire (transparent mode)
|Features: App-ID, User-ID, Content-ID, WildFire, and SSL Decryption
|Key exchange: manual key, IKEv1 and IKEv2 (pre-shared key, certificate-based authentication)
|Encryption: 3DES, AES (128-bit, 192-bit, 256-bit)
|Authentication: MD5, SHA-1, SHA-256, SHA-384, SHA-512
|802.1Q VLAN tags per device/per interface: 4,094/4,094
|Aggregate interfaces (802.3ad), LACP
|Network Address Translation
|NAT modes (IPv4): static IP, dynamic IP, dynamic IP and port (port address translation)
|Additional NAT features: dynamic IP reservation, tunable dynamic IP and port oversubscription
|Modes: active/active, active/passive, HA clustering
|Failure detection: path monitoring, interface monitoring
|Mobile Network Infrastructure* (PA-3440 and PA-3430)
|5G MEC (multi-access edge computing) Security