PA200 sizing

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PA200 sizing

L2 Linker

Hi all,

would a PA200 fit in such scenario?

lan users: 70-100

wan connectivity: 10Mbps

(so basically 2-zone traffic)

Threat prevention: yes (inbound and outbound traffic)

URL filtering: yes for all users

VPN tunneling: yes (remote access only for few users)

Though being the smallest of its breed, according to data sheets this unit is fairly sized for this conditions, my only concern is regarding 1.000/s limit for new sessions.

What if we have low traffic, in terms of bandwidth, but spread in many short sessions? Think about p2p and all that sort of things that sometimes you don't neither block nor can't predict in advance.

For such reasons, when having to face such scenarios, we often chose to cut short proposing the big brother PA500 to customers, but that's not always feasible.

Thank You

Manuel

4 REPLIES 4

L7 Applicator

You're correct, from a datasheet perspective the PA200 might be able to meet these requirements.  My general rule of thumb has been:

1-40 users = PA200

40-80 users = PA500

(Assuming the bandwidth, # of zones/rules/interfaces all meet the requirements as well). 

Keep in mind that the PA500 supports active/passive high-availability with session synchronization, where the PA200 does a/p HA without session sync. 

There's nothing in the PA200 that will prevent you from using it in a 70 user environment, but I would recommend having your customer evaluate a PA200 in their network before purchasing.  For me, 70-100 users with 10Mbps gets a solid PA500 recommendation.

L3 Networker

PA-200 does not seem like a good fit.

http://media.paloaltonetworks.com/documents/Summary_Specsheet-Nov12.pdf

Here is another thread with similar discussion

https://live.paloaltonetworks.com/message/10952#10952

L6 Presenter

I configured pa200 to similar places with 20mbit WAN no problem occured.

Traffic's packet transaction size is also important.This can change the behaviour.Also physical interface number and HA is limited with pa200.

In my environment 150 AD users and some WiFi users with 10 security zones, 15 subinterfaces PA 200 is good enought.

Known limitation (from life - not technotes Smiley Wink):

- don't even think about SSL decryption - PA200 hasnt dedicated ASICs - its has everything virtualized

- P2P I have blocked on all zones

- upload from trust to untrust is limited to 50Mbit (when you use thread prevention - but who don't use it?) with QoS enabled.

But it depends how many session could generate users, one user could use 100 session, another one more than 1000 ...

Regards

SLawek

  • 2613 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!