Upgrading from PA500 to PA220

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Upgrading from PA500 to PA220

L3 Networker
Sales team reached out to me recommending that we upgrade our PA500 to the PA220. We are a small company with a data pipe of 100MB. We do not have a lot of settings on the PA500. On an average we have around 1500-2000 sessions per the UI Home page. Looking at the ACC, I set it to 24hours and athe highest is around 22,000 (looks like about an average or 15,000 during business hours). We currently have 14 security policies (including the two intrazone defaults). We do not have NAT setup yet as we are using a Cisco ASA for NAT; however, that will all be moved over this year. The question I have, is there any reason why we should or should not opt to upgrade to the PA220 over the existing PA500? I know the main reason he recommended it is that the PA500 has an extremely slow management commit and he states this was resolved in the PA220. This is something I know others have mentioned regarding the PA500 in the forums. Thanks for any advise. Any one that has also made this move and have any advise, that would be great too.
1 accepted solution

Accepted Solutions

@jharlow,

I abbreviated New session Per Second as NPS, I'm not that sure why honestly; that's what I meant though. Managing a PA-220 is a heck of a lot better than a PA-500, seaking from experiance here. Commit times are much shorter and the reports generate in a timely manner. The only thing that doesn't really decrease a noticable amount of time is boot time, that still takes a while. 

View solution in original post

7 REPLIES 7

Cyber Elite
Cyber Elite

@jharlow,

Basically the PA220 is at this point super cheap compared to when you purchased your PA-500, it outperforms your PA-500 on basically every level, and the PA-500 is a seven year old platform. 

Now lets talk about the actuality of your situation. You aren't pushing the PA-500 even close to it's capabilities and everything is running perfectly fine as is (I imagine). You'd gain additional firewall throughput (which you probably don't need), you'd gain additional threat prevention throughput (which you probably don't need), Your NPS rate actually goes down, your max security zones go down, and the max number of policies go down. 

 

Strictly speaking, unless you start seeing issues there really isn't any need to upgrade away from the PA-500 at this point. Yes, the PA-220 is a much better box in my opinion, yes it's a much better management experiance, yes you'll be supported for a much longer period of time. Truth be told though I don't think, from the requirements that you state here, that you are actually a proper canidate for an upgrade at this time. I would start to think about upgrading to the PA-220; I would start to think about how long you expect your PA-500 to last.

The biggest discussion here for me would be more along the lines of when your subscriptions are up if you have any active. I would not recommend any subscription terms over a year on a PA-500; since I personally like to go for 3 years at a time or more I would toss out that PA-500 for a PA-220 the next time my subscriptions were due. 

Thanks for your thorough response. What is NPS rate? The security zones and polices are neither an issue.  

There are two reasons that I am considering the upgrade option. One, our renewals are up (which are annual) and the cost for renewing all of the same services are actually cheaper on the PA220. Second, and to some might not be a big need but the performance with commits are just brutal and as you mentioned, we are not even utilizing this thing. With the plan to move everything over from our ASA to the PA just adds more concern as more will be on the PA which would cause commits to even be slower than they are now. Even the overall management of the device just feels sluggish. Maybe this is due to being a 7 year platform (although we puchased it 4 years ago).   I am hoping that what they say is true and managing the PA220 is a better experience. 

@jharlow,

I abbreviated New session Per Second as NPS, I'm not that sure why honestly; that's what I meant though. Managing a PA-220 is a heck of a lot better than a PA-500, seaking from experiance here. Commit times are much shorter and the reports generate in a timely manner. The only thing that doesn't really decrease a noticable amount of time is boot time, that still takes a while. 

I appreciate your responses. I think we are going to make the move to the PA220. It will also give me a device to finally use to migrate from our current setup (ASA as NAT/VPN and PA for filtering and reporting) When I originally configured the PA, I configured it in virtual wire mode and never wanted to make the switch since it was in production. I can start with the PA220 as an actual L3 device, configure the rules, NAT, VPN etc and then place it in production. Off to discuss this with our vendor. Thanks again. Any other words of wisdom since you have experience both the PA500 and PA220? I know I have to get a rack kit as it is a smaller unit. any other guidance will be appreciated.

Hello,

The 220 is on version 8.0 or above, so if you are running 7.0 or 7.1 there will be a few new features.

 

Regards,

Can you share the average time a commit takes on your PA-220?

@YuvalBenAri,

I'll take a few quick tests later today; just know that like any commit this will be dependant on how large your configuration file actually is. Should be able to give you a rough idea of the time difference though. 

  • 1 accepted solution
  • 6114 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!