Palo Alto PA-800 Series Application guide

PA-800 Series Next-Gen Firewall
Hardware Reference
paloaltonetworks.com/documentation

Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support
About the Documentation
• For the most recent version of this guide or for access to related documentation, visit the Technical
Documentation portal www.paloaltonetworks.com/documentation.
• To search for a specific topic, go to our search page www.paloaltonetworks.com/documentation/document-search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at
Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2019-2019 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks.
A list of our trademarks can be found at www.paloaltonetworks.com/company/trademarks.html.
All other marks mentioned herein may be trademarks of their respective companies.
Last Revised
August 8, 2019

Table of Contents
Before You Begin
  Tamper Proof Statement
  Third-Party Component Support
  Product Safety Warnings
PA-800 Firewall Overview
  PA-800 Front Panel
  PA-800 Back-Panel
Install the PA-800 Series Firewall
  Install the PA-800 Series Firewall in a Two-Post 19-inch Equipment Rack
  Install the PA-800 Series Firewall in a Four-Post 19-inch Equipment Rack
Connect Power to a PA-800 Series Firewall Overview
  Connect Power to a PA-800 Series Firewall
Service the PA-800 Series Firewall Hardware
  Interpret the LEDs on a PA-800 Series Firewall
  Replace a Power Supply on a PA-850 Firewall
PA-800 Series Firewall Specifications
  PA-800 Series Physical Specifications
  PA-800 Series Electrical Specifications
  PA-800 Series Environmental Specifications
  PA-800 Series Miscellaneous Specifications
PA-800 Series Firewall Compliance Statements Overview
  PA-800 Series Firewall Compliance Statements

Before You Begin
Read the following topics before you install or service a Palo Alto Networks® next-generation
firewall or appliance. The following topics apply to all Palo Alto Networks firewalls and
appliances except where noted.
> Tamper Proof Statement
> Third-Party Component Support
> Product Safety Warnings

Tamper Proof Statement
To ensure that products purchased from Palo Alto Networks were not tampered with during shipping, verify
the following upon receipt of each product:
• The tracking number provided to you electronically when ordering the product matches the tracking
number that is physically labeled on the box or crate.
• The integrity of the tamper-proof tape used to seal the box or crate is not compromised.
• The integrity of the warranty label on the firewall or appliance is not compromised.
(PA-7000 Series firewalls only) PA-7000 Series firewalls are modular systems and therefore
do not include a warranty label on the firewall.

Product Safety Warnings
To avoid personal injury or death for yourself and others and to avoid damage to your Palo Alto Networks
hardware, be sure you understand and prepare for the following warnings before you install or service the
hardware. You will also see warning messages throughout the hardware reference where potential hazards
exist.
All Palo Alto Networks products with laser-based optical interfaces comply with 21 CFR
1040.10 and 1040.11.
The following safety warnings apply to all Palo Alto Networks firewalls and appliances, unless a specific
hardware model is specified.
• When installing or servicing a Palo Alto Networks firewall or appliance hardware component that has
exposed circuits, ensure that you wear an electrostatic discharge (ESD) strap. Before handling the
component, make sure the metal contact on the wrist strap is touching your skin and that the other end
of the strap is connected to earth ground.
French Translation: Lorsque vous installez ou que vous intervenez sur un composant matériel de
pare-feu ou de dispositif Palo Alto Networks qui présente des circuits exposés, veillez à porter un
bracelet antistatique. Avant de manipuler le composant, vérifiez que le contact métallique du bracelet
antistatique est en contact avec votre peau et que l’autre extrémité du bracelet est raccordée à la terre.
• Use grounded and shielded Ethernet cables to ensure agency compliance with electromagnetic
compliance (EMC) regulations.
French Translation: Des câbles Ethernet blindés reliés à la terre doivent être utilisés pour garantir la
conformité de l'organisme aux émissions électromagnétiques (CEM).
• (PA-220 firewalls only) The PA-220 firewall meets the requirements of IEC 61000-4-5 surge immunity
test. To prevent damage from electrical surges on Ethernet ports, we recommend that you use an
Ethernet surge protection device with the following specifications:
• Rated for Gigabit Ethernet up to category 5E and minimum 1Gbps.
• Protection provided on all eight signal leads.
• Both line-to-line and line-to-ground/shield are provided.
• Protection device must be connected to earth ground and use shielded category 5E or higher
Ethernet cable.
Technical Specifications:
• Protective circuit complies with IEC test classifications B2, C1, C2, C3, and D1.
• Normal discharge current (core to earth ground) is 2kA per signal pair.
• Normal discharge current (core to core) is 100A.
• Total discharge current is 10kA.
French Translation: (PA-220 uniquement) Les pare-feux PA-220 sont conformes aux exigences du test
d’immunité aux surtensions IEC 61000-4-5. Pour éviter les dommages résultant de surtension électrique
sur les ports Ethernet, il est recommandé d’utiliser un dispositif de protection contre les surtensions aux
caractéristiques suivantes:
• Gigabit Ethernet jusqu’à la catégorie 5E, débit 1 Go/s minimum.
• Protection sur les huit câbles signal.
• Le blindage et la mise à la terre “ligne à ligne” et “ligne à la terre” sont fournis.
• Le dispositif de protection doit être raccordé à la terre et un câble Ethernet blindé de catégorie 5E ou
supérieure doit être utilisé.
Caractéristiques techniques:

• Le circuit de protection est conforme aux classifications de test IEC B2, C1, C2, C3, et D1.
• Le courant de décharge normal (cœur vers terre) est de 2kA par paire de signal.
• Le courant de décharge normal (cœur vers cœur) est de 100 A.
• Le courant de décharge total est de 10kA.
• Do not connect a supply voltage that exceeds the input range of the firewall or appliance. For details
on the electrical range, refer to electrical specifications in the hardware reference for your firewall or
appliance.
French Translation: Veillez à ce que la tension d’alimentation ne dépasse pas la plage d’entrée du
pare-feu ou du dispositif. Pour plus d’informations sur la mesure électrique, consulter la rubrique des
caractéristiques électriques dans la documentation de votre matériel de pare-feu ou votre dispositif.
• Do not replace a battery with an incorrect battery type; doing so can cause the replacement battery to
explode. Dispose of used batteries according to local regulations.
French Translation: Ne remplacez pas la batterie par une batterie de type non adapté, cette dernière
risquerait d’exploser. Mettez au rebut les batteries usagées conformément aux instructions.
• (All firewalls with two or more power supplies) Disconnect all power cords (AC or DC) from the power
inputs to fully de-energize the hardware.
French Translation: (Tous les pare-feux avec au moins deux sources d’alimentation) Débranchez tous les
cordons d’alimentation (c.a. ou c.c.) des entrées d’alimentation et mettez le matériel hors tension.
• (PA-7000 Series firewalls only) When removing a fan tray from a PA-7000 Series firewall, first pull the
fan tray out about 1 inch (2.5cm) and then wait a minimum of 10 seconds before extracting the entire
fan tray. This allows the fans to stop spinning and helps you avoid serious injury when removing the
fan tray. You can replace a fan tray while the firewall is powered on but you must replace it within 45
seconds and you can only replace one fan tray at a time to prevent the thermal protection circuit from
shutting down the firewall.
French Translation: (Pare-feu PA-7000 uniquement) Lors du retrait d’un tiroir de ventilation d’un pare-feu
PA-7000, retirez tout d’abord le tiroir sur 2,5 cm, puis patientez au moins 10 secondes avant de
retirer complètement le tiroir de ventilation. Cela permet aux ventilateurs d’arrêter de tourner et permet
d’éviter des blessures graves lors du retrait du tiroir. Vous pouvez remplacer un tiroir de ventilation
lors de la mise sous tension du pare-feu. Toutefois, vous devez le faire dans les 45 secondes et vous ne
pouvez remplacer qu’un tiroir à la fois, sinon le circuit de protection thermique arrêtera le pare-feu.
The following applies only to Palo Alto Networks firewalls that support a direct current (DC) power source:
French Translation: Les instructions suivantes s’appliquent uniquement aux pare-feux de Palo Alto
Networks prenant en charge une source d’alimentation en courant continu (c.c.):
• Do not connect or disconnect energized DC wires to the power supply.
French Translation: Ne raccordez ni débranchez de câbles c.c. sous tension à la source d’alimentation.
• The DC system must be earthed at a single (central) location.
French Translation: Le système c.c. doit être mis à la terre à un seul emplacement (central).
• The DC supply source must be located within the same premises as the firewall.
French Translation: La source d’alimentation c.c. doit se trouver dans les mêmes locaux que ce pare-feu.
• The DC battery return wiring on the firewall must be connected as an isolated DC (DC-I) return.
French Translation: Le câblage de retour de batterie c.c. sur le pare-feu doit être raccordé en tant que
retour c.c. isolé (CC-I).

• The firewall must be connected either directly to the DC supply system earthing electrode conductor
or to a bonding jumper from an earthing terminal bar or bus to which the DC supply system earthing
electrode conductor is connected.
French Translation: Ce pare-feu doit être branché directement sur le conducteur à électrode de mise à
la terre du système d’alimentation c.c. ou sur le connecteur d'une barrette/d'un bus à bornes de mise à la
terre auquel le conducteur à électrode de mise à la terre du système d'alimentation c.c. est raccordé.
• The firewall must be in the same immediate area (such as adjacent cabinets) as any other equipment that
has a connection between the earthing conductor of the DC supply circuit and the earthing of the DC
system.
French Translation: Le pare-feu doit se trouver dans la même zone immédiate (des armoires adjacentes
par exemple) que tout autre équipement doté d’un raccordement entre le conducteur de mise à la terre
du même circuit d’alimentation c.c. et la mise à la terre du système c.c.
• Do not disconnect the firewall in the earthed circuit conductor between the DC source and the point of
connection of the earthing electrode conductor.
French Translation: Ne débranchez pas le pare-feu du conducteur du circuit de mise à la terre entre la
source d'alimentation c.c. et le point de raccordement du conducteur à électrode de mise à la terre.
• Install all firewalls that use DC power in restricted access areas only. A restricted access area is where
access is granted only to craft (service) personnel using a special tool, lock and key, or other means of
security, and that is controlled by the authority responsible for the location.
French Translation: Tous les pare-feux utilisant une alimentation c.c. sont conçus pour être installés
dans des zones à accès limité uniquement. Une zone à accès limité correspond à une zone dans laquelle
l’accès n’est autorisé au personnel (de service) qu'à l'aide d'un outil spécial, cadenas ou clé, ou autre
dispositif de sécurité, et qui est contrôlée par l'autorité responsable du site.
• Install the firewall DC ground cable only as described in the power connection procedure for the firewall
that you are installing. You must use the American wire gauge (AWG) cable specified and torque all nuts
to the torque value specified in the installation procedure for your firewall.
French Translation: Installez le câble de mise à la terre c.c. du pare-feu comme indiqué dans la procédure
de raccordement à l’alimentation pour le pare-feu que vous installez. Utilisez le câble American wire
gauge (AWG) indiqué et serrez les écrous au couple indiqué dans la procédure d’installation de votre
pare-feu.
• The firewall permits the connection of the earthed conductor of the DC supply circuit to the earthing
conductor at the equipment as described in the installation procedure for your firewall.
French Translation: Ce pare-feu permet de raccorder le conducteur de mise à la terre du circuit
d’alimentation c.c. au conducteur de mise à la terre de l’équipement comme indiqué dans la procédure
d’installation du pare-feu.
• A suitably-rated DC mains disconnect device must be provided as part of the building installation.
French Translation: Un interrupteur d'isolement suffisant doit être fourni pendant l'installation du
bâtiment.

PA-800 Firewall Overview
The Palo Alto Networks® PA-800 Series next-generation firewalls are designed for data center
and internet gateway deployments. This series comprises the PA-820 and PA-850 firewalls.
These models provide flexibility in performance and redundancy to help you meet your
deployment requirements. All models in this series provide next-generation security features
to help you secure your organization through advanced visibility and control of applications,
users, and content.
First Supported Software Release: PAN-OS® 8.0
The following topics describe the hardware features of the PA-800 Series firewalls. To view or
compare performance and capacity information, refer to the Product Selection tool.
> PA-800 Front Panel
> PA-800 Back-Panel

PA-800 Front Panel
The following image shows the front panel of the PA-800 Series firewall and the table describes each front
panel component. The only differences between the PA-820 (shown) and PA-850 front panels are the model
name and the Ethernet port speeds, as described in the table.
Item 1: Ethernet ports 1 through 4
Four RJ-45 10/100/1000Mbps ports for network traffic. You can set the link speed and duplex or choose
auto-negotiate.

Item 2: SFP ports 5 through 8
Four small form-factor pluggable (SFP) ports for network traffic.

Item 3: SFP/SFP+ ports 9 through 12
These ports are for network traffic and their speed varies depending on your firewall and configuration.
PA-820 Firewalls
Four 1Gbps SFP ports; you cannot reconfigure these ports.
PA-850 Firewalls
Four 1Gbps SFP ports or four 10Gbps SFP+ ports (default); you can specify which you want to use but you
cannot mix the two.
You can install up to 4 of the same type transceivers (SFP or SFP+) as needed but if you install SFP
transceivers, then you also need to reconfigure ports 9 through 12 (as a group) to SFP using the command
line interface (CLI).
To confirm the current settings for these four ports, run the following command:
    admin@PA-850> show system setting ports-9-12-speed
    Device Ports 9-12 mode: sfp+
The output shows that the ports are set to SFP+. If the firewall is not already set to the correct port
type for your transceivers, use the set system setting ports-9-12-speed command. For example, if the
output shows that these ports are set to SFP+ and you are using SFP transceivers, then run the following
commands to change the port type from SFP+ to SFP and then restart the firewall to apply the change:
    admin@PA-850> set system setting ports-9-12-speed sfp
    admin@PA-850> request restart system

Item 4: HA1 and HA2 ports
Two RJ-45 10/100/1000Mbps ports for high-availability control (HA1) and synchronization (HA2).

Item 5: MGT port
Use this Ethernet 10/100/1000Mbps port to access the management web interface and perform administrative
tasks. The firewall also uses this port for management services, such as retrieving licenses and updating
the threat and application signatures.

Item 6: CONSOLE port (RJ-45)
Use this port to connect a management computer to the firewall using a 9-pin serial to RJ-45 cable and
terminal emulation software.
The console connection provides access to firewall boot messages, the Maintenance Recovery Tool (MRT), and
the command line interface (CLI).
If your management computer does not have a serial port, use a USB-to-serial converter.
Use the following settings to configure your terminal emulation software to connect to the console port:
• Data rate: 9600
• Data bits: 8
• Parity: none
• Stop bits: 1
• Flow control: None

Item 7: USB port
Use the USB port to bootstrap the firewall. Bootstrapping enables you to provision the firewall with a
specific PAN-OS configuration and then license it and make it operational on your network.

Item 8: CONSOLE port (Micro USB)
Use this port to connect a management computer to the firewall using a standard Type-A USB-to-micro USB
cable.
The console connection provides access to firewall boot messages, the Maintenance Recovery Tool (MRT), and
the command line interface (CLI).
Refer to Micro USB Console Port for more information and to download the Windows driver or to learn how to
connect from a Mac or Linux computer.
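
The rules for ports 9 through 12 (item 3) can be checked before a transceiver swap. The following is an added example, not part of the Palo Alto Networks guide: it parses the output of show system setting ports-9-12-speed and returns the CLI commands the table calls for. The function names and the sample output are constructed for illustration, and passing sfp+ as the argument to the set command is an assumption based on the value shown in the command output.

```python
import re

# Rules taken from the front-panel table (item 3):
#   PA-820: ports 9-12 are fixed 1Gbps SFP and cannot be reconfigured.
#   PA-850: ports 9-12 work as a group, either sfp or sfp+ (default).
MODE_RE = re.compile(r"Device Ports 9-12 mode:\s*(sfp\+?)\s*$", re.I | re.M)

# Constructed sample of the command output shown in the table.
SAMPLE_OUTPUT = (
    "admin@PA-850> show system setting ports-9-12-speed\n"
    "Device Ports 9-12 mode: sfp+\n"
)


def parse_port_mode(cli_output):
    """Return 'sfp' or 'sfp+' from the show command output."""
    match = MODE_RE.search(cli_output)
    if match is None:
        raise ValueError("no 'Device Ports 9-12 mode' line in CLI output")
    return match.group(1).lower()


def plan_ports_9_12(model, cli_output, transceivers):
    """Validate the transceivers for ports 9-12 and return CLI commands.

    transceivers: one 'sfp' or 'sfp+' string per populated port.
    Returns [] when the current mode already fits; raises ValueError
    when the combination is not allowed by the hardware reference.
    """
    kinds = {t.lower() for t in transceivers}
    if len(transceivers) > 4:
        raise ValueError("ports 9-12 hold at most four transceivers")
    if not kinds <= {"sfp", "sfp+"}:
        raise ValueError("unknown transceiver type: %s" % sorted(kinds))
    if len(kinds) > 1:
        raise ValueError("SFP and SFP+ cannot be mixed on ports 9-12")

    if model == "PA-820":
        if kinds == {"sfp+"}:
            raise ValueError("PA-820 ports 9-12 are fixed 1Gbps SFP")
        return []  # nothing to configure on a PA-820
    if model != "PA-850":
        raise ValueError("not a PA-800 Series model: %s" % model)

    current = parse_port_mode(cli_output)
    if not kinds or kinds == {current}:
        return []  # ports empty, or mode already matches
    wanted = kinds.pop()
    # The 'sfp' form is shown in the guide; 'sfp+' as an argument is assumed.
    return [
        "set system setting ports-9-12-speed %s" % wanted,
        "request restart system",  # the change applies only after a restart
    ]


if __name__ == "__main__":
    for cmd in plan_ports_9_12("PA-850", SAMPLE_OUTPUT, ["sfp", "sfp"]):
        print(cmd)
```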

PA-800 Back-Panel
The following images show the back panels of the PA-820 and PA-850 firewalls and the table describes
each back panel component. The only difference between the back panels of the two firewalls is that the
PA-820 has one fixed power supply and the PA-850 firewall has two hot-swappable power supplies (the
second power supply is for redundancy).
Figure 1: PA-820 Back Panel
Figure 2: PA-850 Back Panel
Item 1: Power inputs
Use the power supply input(s) to connect power to the firewall.
• PA-820 firewall: Single fixed AC power supply and power input.
• PA-850 firewall: Two AC power supplies and power inputs.

Item 2: Ground stud
Use the single post ground stud to connect the firewall to earth ground (ground cable not included).

Item 3: Cooling fans
Fans that provide ventilation and cooling for the firewall.

Install the PA-800 Series Firewall
The PA-800 Series next-generation firewall ships with two rack-mount brackets for installation
in a two-post 19” equipment rack. If you install the firewall in a four-post rack, purchase and
install the four-post rack kit (PAN-PA-1RU-RACK4) to secure the firewall to the back rack-posts.
> Install the PA-800 Series Firewall in a Two-Post 19-inch Equipment Rack
> Install the PA-800 Series Firewall in a Four-Post 19-inch Equipment Rack
