PA-220R

Palo Alto Networks PA-220R ruggedized appliance brings next-generation

capabilities to industrial applications in harsh environments.

Key Security and Connectivity Features

Classifies all applications, on all ports, all the time

• Employs App-IDs for industrial protocols and applications,
such as Modbus, DNP3, IEC 60870-5-104, Siemens S7,
OSIsoft PI®, and more.
PA-220R
• Identifies the application, regardless of port, SSL/SSH
encryption, or evasive technique employed. The PA-220R is a ruggedized next-generation firewall
• Uses the application, not the port, as the basis for all your that secures industrial and defense networks in a range
safe enablement policy decisions: allow, deny, schedule, of harsh environments, such as utility substations, power
inspect, and apply traffic-shaping. plants, manufacturing plants, oil and gas facilities, build-
ing management systems, and healthcare networks.
• Categorizes unidentified applications for policy control,
threat forensics, or App-ID™ technology development. The controlling element of the PA-220R is PAN-OS®,
which natively classifies all traffic, inclusive of applica-
Enforces security policies for any user, at any location tions, threats, and content, and then ties that traffic to
• Deploys consistent policies to local and remote users the user regardless of location or device type. The appli-
running on the Windows®, macOS®, Linux, Android®, or cation, content, and user—in other words, the elements
Apple iOS platforms. that run your business—then serve as the basis of your
• Enables agentless integration with Microsoft Active Directory® security policies, resulting in improved security posture
and Terminal Services, LDAP, Novell eDirectory™, and Citrix. and reduced incident response time.
• Easily integrates your firewall policies with 802.1X wireless,
proxies, network access control, and any other source of Highlights
user identity information. • Extended operating range for temperature.

Prevents known and unknown threats • Certified to IEC 61850-3 and IEEE 1613
• Blocks a range of known general and ICS-specific threats— ­environmental and testing standards for vibration,
including exploits, malware, and spyware—across all ports, temperature, and immunity to electromagnetic
regardless of common evasion tactics employed. ­interference.
• Limits the unauthorized transfer of files and sensitive data. • Dual DC power (12–48V).

• Identifies unknown malware, analyzes it based on hundreds • High availability firewall configuration (active/active
of malicious behaviors, and then automatically creates and and active/passive).
delivers protection. • Fanless design with no moving parts.

Enables SD-WAN functionality • Flexible I/O with support for both copper and optical
via SFP ports.
• Easily adopt SD-WAN by simply enabling it on your existing
firewalls. • Flexible mounting options, including DIN rail, rack,
• Enables you to safely implement SD-WAN, natively integrated and wall mount.
with our industry-leading security. • Simplified remote site deployment via USB-based
• Delivers an exceptional end user experience by minimizing bootstrapping.
latency, jitter, and packet loss.

Palo Alto Networks | PA-220R | Datasheet 1

 Table 1: PA-220R Performance and Capacities Network Address Translation

Firewall throughput (HTTP/appmix)1 500/580 Mbps NAT modes (IPv4): static IP, dynamic IP, dynamic IP and port
(port address translation)
Threat Prevention throughput
240/280 Mbps NAT64, NPTv6
(HTTP/appmix)2
IPsec VPN throughput3 500 Mbps Additional NAT features: dynamic IP reservation, tunable dynamic
IP and port oversubscription
Max sessions 64,000
High Availability
New sessions per second 4
4,200
Modes: active/active, active/passive
1. Firewall throughput is measured with App-ID and logging enabled, using Failure detection: path monitoring, interface monitoring
64 KB HTTP/appmix transactions.
2. Threat Prevention throughput is measured with App-ID, IPS, antivirus, Industrial Protocols and Applications
anti-spyware, WildFire, file blocking, and logging enabled, utilizing 64 KB
https://www.paloaltonetworks.com/resources/whitepapers/
HTTP/appmix transactions.
app-ids-industrial-control-systems-scada-networks
3. IPsec VPN throughput is measured with 64 KB HTTP transactions and
logging enabled.
4. New sessions per second is measured with application-override utilizing Table 3: PA-220R Hardware Specifications
1 byte HTTP transactions.
I/O
The PA-220R supports a wide range of networking features (6) 10/100/1000, (2) SFP
that enable you to more easily integrate our security features Management I/O
into your existing network.
(1) 10/100/1000 out-of-band management port, (1) RJ-45 console port,
(1) USB port, (1) Micro USB console port
Table 2: PA-220R Networking Features
Storage Capacity
Interface Modes
32 GB EMMC
L2, L3, tap, virtual wire (transparent mode)
Power Supply (Avg/Max Power Consumption)
Routing
Optional: dual redundant DC power feeds (13 W/16 W)
OSPFv2/v3 with graceful restart, BGP with graceful restart, RIP,
static routing Max BTU/hr

Policy-based forwarding 55

Point-to-Point Protocol over Ethernet (PPPoE) Input Voltage (Input Frequency)

Multicast: PIM-SM, PIM-SSM, IGMP v1, v2, and v3 12–48 VDC 1.4 A

SD-WAN Max Current Consumption

Path quality measurement (jitter, packet loss, latency) Firewall – 1.4 A @ 12 VDC
Max inrush current 4.9 A @ 12 VDC
Initial path selection (PBF)
Rack Mount (Dimensions)
Dynamic path change
IPv6 2.0” H x 8.66” D x 9.25” W
Flexible mounting options, including DIN rail, rack and wall mount
L2, L3, tap, virtual wire (transparent mode)
Weight (Stand-Alone Device/As Shipped)
Features: App-ID, User-ID, Content-ID, WildFire, and SSL
Decryption 4.5 lbs / 6.0 lbs

SLAAC Safety
IPsec VPN TUV CB report and TUV NRTL
Key exchange: manual key, IKEv1, and IKEv2 (pre-shared key, EMI
­certificate-based authentication)
FCC Class A, CE Class A, VCCI Class A
Encryption: 3DES, AES (128-bit, 192-bit, 256-bit)
Certifications
Authentication: MD5, SHA-1, SHA-256, SHA-384, SHA-512
IEC 61850-3 and IEEE 1613 environmental and testing standards.
VLANs
For more certifications, see:
802.1 Q VLAN tags per device/per interface: 4,094/4,094 https://www.paloaltonetworks.com/company/certifications.html
Environment
To learn more about the features and associated capacities
of the PA-220R, please visit www.paloaltonetworks.com/ Operating temperature: -40° to 158° F, -40° to 70° C
products. Non-operating temperature: -40° to 167° F, -40° to 75° C
Passive cooling

3000 Tannery Way © 2019 Palo Alto Networks, Inc. Palo Alto Networks is a registered
Santa Clara, CA 95054 trademark of Palo Alto Networks. A list of our trademarks can be found
Main: +1.408.753.4000 at https://www.paloaltonetworks.com/company/trademarks.html. All other
Sales: +1.866.320.4788 marks mentioned herein may be trademarks of their respective companies.
Support: +1.866.898.9087 pa-220r-ds-112619

www.paloaltonetworks.com