This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

PA200 sizing

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PA200 sizing

errevisystem
L2 Linker

‎09-27-2013 08:32 AM

Hi all,

would a PA200 fit in such scenario?

lan users: 70-100

wan connectivity: 10Mbps

(so basically 2-zone traffic)

Threat prevention: yes (inbound and outbound traffic)

URL filtering: yes for all users

VPN tunneling: yes (remote access only for few users)

Though being the smallest of its breed, according to data sheets this unit is fairly sized for this conditions, my only concern is regarding 1.000/s limit for new sessions.

What if we have low traffic, in terms of bandwidth, but spread in many short sessions? Think about p2p and all that sort of things that sometimes you don't neither block nor can't predict in advance.

For such reasons, when having to face such scenarios, we often chose to cut short proposing the big brother PA500 to customers, but that's not always feasible.

Thank You

Manuel

0 Likes Likes
4 REPLIES 4

jvalentine
L7 Applicator

‎09-27-2013 09:31 AM

You're correct, from a datasheet perspective the PA200 might be able to meet these requirements.  My general rule of thumb has been:

1-40 users = PA200

40-80 users = PA500

(Assuming the bandwidth, # of zones/rules/interfaces all meet the requirements as well). 

Keep in mind that the PA500 supports active/passive high-availability with session synchronization, where the PA200 does a/p HA without session sync. 

There's nothing in the PA200 that will prevent you from using it in a 70 user environment, but I would recommend having your customer evaluate a PA200 in their network before purchasing.  For me, 70-100 users with 10Mbps gets a solid PA500 recommendation.

0 Likes Likes

ukhapre
L3 Networker

‎09-27-2013 11:35 AM

PA-200 does not seem like a good fit.

http://media.paloaltonetworks.com/documents/Summary_Specsheet-Nov12.pdf

Here is another thread with similar discussion

https://live.paloaltonetworks.com/message/10952#10952

0 Likes Likes

panos
L6 Presenter

‎09-27-2013 01:09 PM

I configured pa200 to similar places with 20mbit WAN no problem occured.

Traffic's packet transaction size is also important.This can change the behaviour.Also physical interface number and HA is limited with pa200.

0 Likes Likes

_slv_
L4 Transporter
In response to panos

‎09-28-2013 09:55 AM

In my environment 150 AD users and some WiFi users with 10 security zones, 15 subinterfaces PA 200 is good enought.

Known limitation (from life - not technotes Smiley Wink):

- don't even think about SSL decryption - PA200 hasnt dedicated ASICs - its has everything virtualized

- P2P I have blocked on all zones

- upload from trust to untrust is limited to 50Mbit (when you use thread prevention - but who don't use it?) with QoS enabled.

But it depends how many session could generate users, one user could use 100 session, another one more than 1000 ...

Regards

SLawek

0 Likes Likes
  • 2615 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks