Palo Alto Networks Enterprise Firewall PA-5540
Maximum security for enterprise branches and small offices

Post-Quantum Cryptography Optimizations

PA-5500 Series is a post-quantum cryptography-ready device that helps you achieve quantum-safe security in hardware and software with PAN-OS 12.1. PA-5500 Series NGFWs support:

• Post-quantum cryptography (PQC) for PQC SSL/TLS decryption, PQC VPN site-to-site, PQC SSL/ TLS Cipher Translation Proxy, and PQC SSL/TLS Service Profile for Management Access to the firewall.
• PQC algorithms, including NIST standards, like ML-KEM, ML-DSA, and SLH-DSA, as well as experimental PQCs, like Classic McEliece, BIKE, HQC, Frodo-KEM, and NTRU-Prime.
• A newly introduced PCIe slot for the future addition of post-quantum capabilities.

Prevention of Malicious Activity Concealed in Encrypted Traffic

PA-5500 Series NGFWs provide the ability to:

• Inspect and apply policies to SSL/TLS-encrypted traffic (both inbound and outbound), traffic that uses SSLv3, TLSv1.1, TLSv1.2, and TLSv1.3, as well as application protocols SMTP, WebSocket, gRPC, HTTP/1.0, HTTP/1.1, and HTTP/2.
• Decrypt and inspect SSL/TLS sessions with the classical key exchange algorithms RSA, ECDHE, DHE, and post-quantum key exchange standards ML-KEM, HQC, as well as experimental BIKE and Frodo-KEM.
• Gather metrics into TLS traffic, such as the amount of encrypted traffic, SSL/TLS versions, and ciphers.
• Support such suites as classic key exchanges RSA, ECDHE, and DHE, as well as post-quantum key exchanges ML-KEM and HQC—without needing decryption—bringing added visibility to cryptographic information from all SSL/TLS sessions passing through the firewall.
• Enable control over the use of legacy TLS protocols, insecure and deprecated ciphers, and misconfigured certificates, including a mismatched Server Name Indicator (SNI) to certificate Common Name (CN), to mitigate risks.
• Facilitate easy deployment of decryption and let you use enhanced built-in logs to troubleshoot issues across both client-side and server-side sessions independently for a seamless troubleshooting experience, whether it’s missing intermediate certificates or pinned certificates.
• Let you enable or disable decryption flexibly—based on URL category, source and destination zone, address, user, user group, device, and port—for privacy and regulatory compliance purposes.

Application Identification and Categorization with Full Layer 7 Inspection

App-ID™ identifies and categorizes all applications, on all ports, all the time, with full Layer 7 inspection, supporting the following capabilities:

• Uses advanced techniques, such as protocol decoding, heuristics, and signature matching, to accurately identify applications across the network, regardless of the port, protocol, or encryption methods used. The optional App-ID Cloud Engine (ACE) service provides on-demand App-IDs for SaaS applications.
• Provides a comprehensive understanding of the risks and values associated with various applications, which aids in informed decision-making about network security policies.
• Allows for the effective enforcement of security policies tailored to specific applications, by centralizing the identification and control of applications at the firewall level.
• Identifies and manages evasive or custom applications that typically bypass traditional security measures
• Continuously updates its application identifications, ensuring it stays effective against the latest application trends and tactics.
• Uses cutting-edge AI techniques to enhance precision in identifying and categorizing AI-powered applications. These techniques ensure that even the most advanced and dynamic applications are accurately recognized and appropriately managed within the network.

User Security Enforcement

PA-5500 Series NGFWs enforce security for users at any location, on any device, while adapting policies based on their activity. They include the ability to:

• Enable visibility, security policies, reporting, and forensics based on users, groups, and IP addresses
• Apply consistent policies regardless of users’ locations (office, home, travel, etc.) and devices. Such devices include iOS and Android mobile devices; macOS, Windows, and Linux desktops and laptops; Citrix and Microsoft VDI; and terminal servers.
• Leverage IP geolocation to automatically enforce security policies based on geographic location, enabling you to reduce the attack surface, meet compliance requirements, and control application access by blocking traffic to and from specific countries or regions
• Consistently authenticate and authorize your users, regardless of location and where user identity is stored (cloud and on-premises directories or both), to move quickly toward a zero trust security posture with Cloud Identity Engine—a cloud-based architecture for identity-based security
• Secure all applications with passwordless authentication, whether on-premises, SaaS, or hybrid.
• Provide dynamic security actions based on user behavior to restrict suspicious or malicious users by defining Cloud Dynamic User Groups (CDUGs) on the firewall to take risk-based, time-bound security actions without waiting to apply changes to user directories.
• Prevent both corporate credentials from leaking to third-party websites and the reuse of stolen credentials by enabling multifactor authentication (MFA) at the network layer for any application without changes.
• Easily integrate with a wide range of repositories to work with user information, including wireless LAN controllers, VPNs, directory servers, and security information and event management (SIEM) tools.
• Automate policy recommendations that save time and reduce the chance of human error.

Unique Approach to Packet Processing

PA-5500 Series NGFWs process packets by using a single-pass architecture. Using this approach, the NGFWs are able to:

• Perform networking, policy lookup, application and decoding, and signature matching—for all threats and content—in a single pass. This significantly reduces the amount of processing overhead required to perform multiple functions in one security device
• Avoid introducing latency by scanning traffic for all signatures in a single pass, using stream-based, uniform signature matching.

AI-Powered Unified Management and Operations with Strata Cloud Manager

Manage your PA-500 Series NGFWs with Strata Cloud Manager, which enables you to:

• Gain complete visibility across your network security estate: Achieve real-time, comprehensive visibility of your entire network security landscape, including all users, applications, devices, and the most critical threats that need attention through a unified interface.
• Enable simple and consistent network security lifecycle management: Manage configuration and policy management across all enforcement points, including SASE, hardware and software firewalls, as well as all security services to ensure consistency and reduce operational overhead.
• Strengthen security posture in real time: Leverage AI-powered analysis to detect, resolve, and optimize policy anomalies like shadow and redundant policies and overly permissive or unused rules. Improve your security posture with integrated best practice recommendations and maintain compliance with industry and InfoSec standards.
• Proactively resolve network disruptions and enhance user experience: Predict, diagnose, and resolve network health issues—such as user experience problems, capacity bottlenecks, CVE vulnerabilities, service connection issues, and 130 other categories of issues—up to 90 days in advance to ensure smooth operations.
• Resolve issues fast with instant knowledge at your fingertips: With Strata Copilot™, our AIpowered assistant features a natural language interface so you can quickly find, understand, and address security and operational challenges before they escalate. Plus, with its streamlined case creation capabilities, you get rapid support when you need it most.

Best-in-Class Cloud-Delivered Security Services Powered by Precision AI

PA-500 Series NGFWs provide best-in-class security with Cloud-Delivered Security Services (CDSS). At the heart of our CDSS is Precision AI. Unlike traditional reactive tools, Precision AI empowers your defenses with proactive threat detection, inline prevention, and automated response—stopping even the most evasive, never-before-seen attacks before they cause damage. Backed by threat intelligence from our over 70,000 customers globally, our cloud-delivered services continuously learn, adapt, and evolve. Integrated seamlessly with our NGFW and SASE platforms, CDSS delivers unified protection across web, DNS, email, applications, and more—no matter where your users or data reside.

Whether you’re navigating hybrid work, embracing cloud transformation, or defending against sophisticated adversaries, CDSS powered by Precision AI gives you the visibility, automation, and confidence to stay ahead.

Advanced Threat Prevention

Analyze up to 673 million new sessions daily and proactively block 28.2 billion threats in real time— including zero-day exploits, malware, command-and-control (C2) traffic, and evasive techniques—to deliver cutting-edge security at unprecedented scale.

Advanced WildFire

Proactively stop up to 450,000 new threats every day with the industry’s most powerful malware prevention engines. Advanced WildFire® identifies and blocks a wide range of advanced threats, including zero-day malware, ransomware, remote access Trojans (RATs), weaponized documents, and other evasive attack techniques—before they impact your organization.

Advanced URL Filtering

Safeguard web access by blocking up to 151 million threats inline every day, while analyzing 3.8 billion new URLs daily. Advanced URL Filtering protects against phishing, malware, ransomware, C2 communications, and evasive web-based attacks.

Advanced DNS Security

Advanced DNS Security delivers real-time protection that instantly blocks sophisticated DNS request and response-based threats—including DNS hijacking, domain generation algorithms (DGA), DNS tunneling, and C2 callbacks. It analyzes over 1.1 billion new domains daily and identifies up to 7.7 million newly malicious domains, preventing more than 2 billion threats inline. This powerful first line of defense identifies and stops threats at the DNS layer—whether they originate from outside or within the network.

Device Security

Secure every connected device with a solution tailored to the industry (including manufacturing, retail, healthcare, high tech, and general enterprise), and achieve a 90% device discovery rate within 48 hours—providing prioritized vulnerability and risk assessments. Also, identify anomalies, get leastprivileged access control security policy recommendations, and virtually patch vulnerabilities all in one single NetSec platform.

SaaS Security

Discover and control all SaaS consumption with visibility into over 75,000 SaaS apps and DLP controls for more than 150 SaaS apps. Prevent SaaS misconfigurations with posture management for over 117 SaaS apps, as well as SaaS inline tenancy control for 39 apps.

AI Access Security

Enable the safe use of GenAI with real-time visibility into GenAI apps, user access controls, data protection, and continuous risk monitoring. AI Access Security™ provides an industry-leading catalog of over 2,500 GenAI apps, including over 15 GenAI-specific application attributes to accurately identify and mitigate risk. It includes posture management for more than 13 GenAI apps and SaaS inline tenancy control for 11 apps.

Advanced SD-WAN

Easily adopt SD-WAN by simply enabling it on your existing firewalls with integrated security. Get an exceptional end-user experience and ensure SLAs by using SD-WAN path measurements and application steering capabilities to intelligently steer applications to the best performing paths.

PA-5500 Series Specifications:

Note: Results were measured on PAN-OS 12.1.
* Firewall throughput is measured with App-ID and logging enabled using appmix transactions.
† Threat Prevention throughput is measured with App-ID, IPS, antivirus, antispyware, WildFire, file blocking, and logging enabled using appmix transactions.
‡ IPsec VPN throughput is measured with 64 KB HTTP transactions and logging enabled.
§ Maximum concurrent sessions are measured using HTTP transactions.
|| New sessions per second is measured with application override using 1-byte HTTP transactions.
# Adding virtual systems over the base requires a separately purchased license.

* Not supported with NGFW clustering.
† Requires a GlobalProtect license.
‡ Future release.
§ See ML-Powered NGFWs for 5G datasheet.

Documentation:

Download the Palo Alto Networks PA 5500 Series Firewall Overview Datasheet (PDF).

Download the Palo Alto Networks PA-200 Specification Datasheet (PDF).