09-27-2013 08:32 AM
Hi all,
Would a PA200 fit in such a scenario?
lan users: 70-100
wan connectivity: 10Mbps
(so basically 2-zone traffic)
Threat prevention: yes (inbound and outbound traffic)
URL filtering: yes for all users
VPN tunneling: yes (remote access only for few users)
Though being the smallest of its breed, according to data sheets this unit is fairly sized for these conditions; my only concern is regarding the 1.000/s limit for new sessions.
What if we have low traffic, in terms of bandwidth, but spread over many short sessions? Think about p2p and all that sort of thing that sometimes you neither block nor can predict in advance.
For such reasons, when having to face such scenarios, we often chose to cut it short by proposing the big brother PA500 to customers, but that's not always feasible.
Thank You
Manuel
09-27-2013 09:31 AM
You're correct, from a datasheet perspective the PA200 might be able to meet these requirements. My general rule of thumb has been:
1-40 users = PA200
40-80 users = PA500
(Assuming the bandwidth, # of zones/rules/interfaces all meet the requirements as well).
Keep in mind that the PA500 supports active/passive high-availability with session synchronization, where the PA200 does a/p HA without session sync.
There's nothing in the PA200 that will prevent you from using it in a 70 user environment, but I would recommend having your customer evaluate a PA200 in their network before purchasing. For me, 70-100 users with 10Mbps gets a solid PA500 recommendation.
09-27-2013 11:35 AM
PA-200 does not seem like a good fit.
http://media.paloaltonetworks.com/documents/Summary_Specsheet-Nov12.pdf
Here is another thread with similar discussion
09-27-2013 01:09 PM
I configured PA200 at similar places with 20mbit WAN; no problem occurred.
Traffic's packet transaction size is also important. This can change the behaviour. Also, the number of physical interfaces and HA are limited with the PA200.
09-28-2013 09:55 AM
In my environment, with 150 AD users and some WiFi users, 10 security zones and 15 subinterfaces, the PA 200 is good enough.
Known limitations (from life - not technotes):
- don't even think about SSL decryption - PA200 hasn't dedicated ASICs - it has everything virtualized
- P2P I have blocked on all zones
- upload from trust to untrust is limited to 50Mbit (when you use threat prevention - but who doesn't use it?) with QoS enabled.
But it depends on how many sessions users could generate; one user could use 100 sessions, another one more than 1000 ...
Regards
SLawek