PA3020 Replacement


L1 Bithead

I am planning to replace my HA pair of 3020 with PA-460s...what are your thoughts on this? I feel like the 460s are for branch offices and not data center although the specs are better or similar to 3020...they don't support LACP and they don't have dedicated HA ports...thoughts?

PA-460

  • 5.2/4.7 Gbps firewall throughput (HTTP/appmix)
  • 2.4/2.6 Gbps threat prevention throughput
  • 3.1 Gbps IPSec VPN throughput
  • 400,000 max sessions
  • 74,000 new sessions per second

PA-3020

  • 2 Gbps firewall throughput (App-ID enabled)
  • 1 Gbps Threat Prevention throughput
  • 500 Mbps IPsec VPN throughput
  • 250,000 max sessions
  • 50,000 new sessions per second
  • 3,000 IPsec VPN tunnels/tunnel interfaces
  • 1,000 SSL VPN users
  • 10 virtual routers
  • 1/6 virtual systems (base/max5)
  • 40 security zones
  • 2,500 max number of policies
7 REPLIES

Cyber Elite

@Anees10 

Let me ask you this, does the PA-460 meet your existing and expected feature requirements? Do you have a need for anything bigger than 1Gb interfaces? Keeping in mind the port requirements if you want to do HA, does it have the number of interfaces you would actually need in your deployment (keeping in mind you only have 1Gb interfaces)?  

 

The PA-400 series is a really good value compared to larger platforms like the PA-800 and PA-3200, but it was designed with branch and SMB in mind more than anything else. If it meets your requirements and you've properly planned for any future requirements to ensure it will fit your business needs long-term, then that's great. 

Just like any other business hardware purchase you should have your list of requirements and purchase the device that best meets those needs. If that's the PA-460 and you don't have to go with a larger more expensive device then that's great. 

Cyber Elite

Hi @Anees10 ,

 

The Product Selection Tool says that the PA-460/50/40 support up to 4 aggregate interfaces.  I think LACP is supported.  https://www.paloaltonetworks.com/products/product-comparison?chosen=pa-460,pa-450,pa-440

 

 You can save a LOT of money with the PA-400 Series, especially with the subscription bundles.  https://www.paloaltonetworks.com/blog/network-security/the-pa-400-subscription-bundles-security-cons...

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Cyber Elite

Hello,

One thing I would add is future growth/expansion that might be needed. Is the company growing or will it grow within the next few years? If the answer is yes, then the 3200 series might be a better option. One thing I also do when purchasing, is making sure that total utilization CPU/Memory/ETC. will be less than 40%. That gives me room for growth.

 

Just my thoughts....

My only concern is layer-3 processing...we use a "router on a stick" model, so all layer 3 processing is handled by the firewall...I am not sure it can do the job...

Cyber Elite

Hello,

How much traffic will 'flow' through the firewall? Once you have that number, make sure the new firewall will be sized accordingly. When swapping out hardware, I try to make sure my current load will be less than 40% on the new hardware. This allows for future growth.

Regards,
