We are in the same situation. So if you had no issues with the PA-3020 and the performance limitations (like max sessions and througput) it can be an option to look at the PA-850. But the PA-850 is weaker in some points: New Connections per second: 50.000 (3020) vs. 9.500 (850) - huge difference if you ask me Maximum session: 250.000 (3020) vs. 197.000 (850) - big difference if you ask me Security Rules: 2.500 (3020) vs. 1.500 (850) - big difference if you ask me, i mean 1000 rules more at the PA-3020 And it goes down the hole datasheet. The only points the PA-850 is better, in my opinion, is USER-ID Mapping in the Dataplane and SSL Decryption Performance (except for HSM Support). If you didn't made it yet, take a look: https://www.paloaltonetworks.com/products/product-comparison.html?chosen=pa-3020,pa-850 So if your envirement is in this performance area maybe a PA-850 can work. But as i say, we are in the same situation right now and we are going for the PA-3220. But this is because we need more performance now.
... View more