The PA-7050 protects datacenters and high-speed networks with firewall throughput of up to 120 Gbps and, fullthreat prevention at speeds of up to 100 Gbps. To address the computationally intensive nature of full-stack classification and analysis at speeds of 120 Gbps, more than 400 processors are distributed across networking, security, switch managementand logging functions. The result is that the PA-7050 allows you to deploy next-generation security in your datacenters without compromising performance.
Classify all applications, on all port, all the time with App-ID.
Extend safe application enablement policies to any user, at any location, with User-ID and GlobalProtect.
Protect against all threat—both known and unknown—with Content-ID and Wildfire
The PA-7050 achieves predictable datacenter level protection and performance by applying more than 400 function-specific processors distributed across the following chassis subsystems:
The PA-7050 delivers performance and scalability by intelligently applying all available networking and security processing power to application layer traffic classification and threat protection tasks. Orchestrating this ballet of session management tasks is the First Packet Processor which constantly tracks the shared pool of processing and I/O resources across all of the NPCs. When the FPP determines that additional processing resources are available, traffic is intelligently directed across the high-speed switch fabric to that location, even if it resides on a separate NPC. The FPP is the key to delivering linear scalability to the PA-7050, working in conjunction with each of the network processors on the NPCs to utilize all of the available computing resources as a single, cohesive system. This means that as NPCs are added, no traffic engineering changes are required in order to utilize the added capacity.
The controlling element of the PA-7050 is PAN-OSTM, a securityspecific operating system that natively classifies all traffic, inclusive of applications, threats and content, then ties that traffic to the user, regardless of location or device type. The application, content, and user—the elements that run your business—are then used as the basis of your security policies, resulting in an improved security posture and a reduction in incident response time. All traffic classification, content inspection, policy lookup and execution are performed in a single pass. The single pass software architecture, when combined with the processing power of the PA-7050, ensures that you achieve predictable throughput.
The following Palo Alto Networks subscriptions unlock certain firewall features or enable the firewall to
leverage a Palo Alto Networks cloud-delivered service (or both). Here you can read more about each service
or feature that requires a subscription to work with the firewall. To enable a subscription, you must first
Activate Subscription Licenses; once active, most subscription services can use Dynamic Content Updates
to provide new and updated functionality to the firewall.
|Subscriptions You Can Use With the Firewall|
|Threat Prevention||Threat Prevention provides:
• Antivirus, anti-spyware (command-and-control), and vulnerability
• Built-in external dynamic lists that you can use to secure your
network against malicious hosts.
• Ability to identify infected hosts that try to connect to malicious
• Get Started with Threat Prevention
|DNS Security||Provides enhanced DNS sinkholing capabilities by querying DNS
Security, an extensible cloud-based service capable of generating
DNS signatures using advanced predictive analytics and machine
learning. This service provides full access to the continuously
expanding DNS-based threat intelligence produced by Palo Alto
To set up DNS Security, you must first purchase and install a Threat
• Get Started with DNS Security
|URL Filtering||Provides the ability to not only control web-access, but how users
interact with online content based on dynamic URL categories. You
can also prevent credential theft by controlling the sites to which
users can submit their corporate credentials.
To set up URL Filtering, you must purchase and install a subscription
for one of the supported URL filtering databases: PAN-DB or
BrightCloud. With PAN-DB, you can set up access to the PAN-DB
public cloud or to the PAN-DB private cloud.
• Get Started with URL Filtering
|WildFire||Although basic WildFire® support is included as part of the Threat
Prevention license, the WildFire subscription service provides
enhanced services for organizations that require immediate coverage
for threats, frequent WildFire signature updates, advanced file
type forwarding (APK, PDF, Microsoft Office, and Java Applet), as
well as the ability to upload files using the WildFire API. A WildFire
subscription is also required if your firewalls will be forwarding files
to an on-premise WF-500 appliance.
• Get Started with WildFire
|AutoFocus||Provides a graphical analysis of firewall traffic logs and identifies
potential risks to your network using threat intelligence from the
AutoFocus portal. With an active license, you can also open an
AutoFocus search based on logs recorded on the firewall.
• Get Started with AutoFocus
|Cortex Data Lake
and firewall web
Service in some
in the firewall
|Provides cloud-based, centralized log storage and aggregation. The
Logging Service is required or highly-recommended to support
several other cloud-delivered services, including Magnifier,
GlobalProtect cloud service, and Traps management service.
• Get Started with Cortex Data Lake
|GlobalProtect||Provides mobility solutions and/or large-scale VPN capabilities.
By default, you can deploy GlobalProtect portals and gateways
(without HIP checks) without a license. If you want to use advanced
GlobalProtect features (HIP checks and related content updates,
the GlobalProtect Mobile App, IPv6 connections, or a GlobalProtect
Clientless VPN) you will need a GlobalProtect license (subscription)
for each gateway.
• Get Started with GlobalProtect
|Virtual Systems||This license is required to enable support for multiple virtual systems
on PA-3200 Series firewalls. In addition, you must purchase a
Virtual Systems license if you want to increase the number of virtual
systems beyond the base number provided by default on PA-5200
Series, and PA-7000 Series firewalls (the base number varies by
platform). The PA-800 Series, PA-220, and VM-Series firewalls do
not support virtual systems.
• Get Started with Virtual Systems
|Firewall throughput||380/430 Gbps|
|Threat Protection Throughput||366 Gbps (DSRI enabled), 176/210 Gbps (HTTP/appmix)|
|IPSec VPN throughput||144 Gbps|
|NPC-100G (PA-7000-100G-NPC-A)||(48) SFP/SFP+. (24) QSFP+/QSFP28|
|NPC-20G XM Option 11: (PA-7000-20GQXM-NPC)||(12) QSFP +, (72) SFP+|
|NPC-20G XM Option 21: (PA-7000-20GXM-NPC)||(72) 10/100/1000, (48) SFP, (24) SFP+|
|I/O ports||(2) 10/100/1000, (2) QSFP+ high availability, (1) 10/100/1000 out-of-band management, (1) RJ45 console port|
|Storage||80GB SSD System Drive + 4x1TB HDD on Log Processing Card|
|Mounting||9U, 19” standard rack (15.75” H x 19” W x 24” D)|
|Dimensions Width x Depth x Height (inches)||15.75”H x 19”W x 24”D|
|Weight||187.4 lbs AC / 185 lbs DC (stand-alone device/as shipped)|
|Power supply||75A @ 37.5VDC In|
|AC input voltage||90–264VAC (47–63 Hz)|
|DC input voltage||-40 to -72VDC|
|DC power output||2500 W / power supply|
|Safety||cTUVus, cCSAus, CB|
|Maximum Current||16A @ 180VAC In|
|Power Supplies (Base/Max)||4/4|
|AC Power Supply Output||2500 W @ 240VAC | 1200 W @ 120VAC|
|Mean Time Between Failure (MTBF)||Configuration dependent; contact your Palo Alto Networks representative for MTBF details.|
|EMI||FCC Class A, CE Class A, VCCI Class A|
|Max Inrush Current||50AAC / 75ADC peak|
|Operating Temperature||32° to 122° F, 0° to 50° C|
|Non-operating temperature||-4° to 158° F, -20° to 70° C|
|Certifications||NEBS Level 3|