NGFW Hardware Refresh

Turn EoL/EoS refresh cycles into platform expansion opportunities. Defend the installed base against Fortinet, Check Point, and Cisco while driving platformization.

Lifecycle Intelligence

EoL / EoS Timeline

Legacy platforms sorted by urgency. Use this to identify refresh-ready accounts and drive proactive conversations.

| Legacy Platform | End-of-Sale | End-of-Life | Last PAN-OS | Replacement | Status |
| --- | --- | --- | --- | --- | --- |
| PA-3000 (3020/3050/3060) | Oct 2019 | Oct 2024 | 9.1 | PA-3400 | PAST EoL |
| PA-5000 (5020/5050/5060) | Jan 2019 | Jan 2024 | 8.1 | PA-5400 / PA-5500 | PAST EoL |
| PA-7000 20G-NPC / 20GQ-NPC | Jan 2019 | Jan 2024 | 10.0 | PA-7000-100G-NPC-A | PAST EoL |
| K2-Series (PA-5280-K2, PA-7050/7080-K2) | Feb 2021 | Feb 2026 | 10.1 | PA-5445 / PA-7500 | JUST PASSED |
| PA-7050/7080-SMC, PA-7000-LPC | Feb 2021 | Feb 2026 | 10.1 | PA-7500 / PA-5450 | JUST PASSED |
| PA-7000-20GXM-NPC | May 2021 | May 2026 | 10.1 | PA-7000-100G-NPC-A | 2 MONTHS |
| PA-220 | Jan 2023 | Jan 2028 | 10.2 | PA-400 | EoL 2028 |
| PA-3200 (3220/3250/3260) | Aug 2023 | Aug 2028 | 11.1 | PA-3400 | EoL 2028 |
| PA-5200 (5220/5250/5260/5280) | Aug 2023 | Aug 2028 | 11.2 | PA-5400 / PA-5500 | EoL 2028 |
| PA-800 (820/850) | Aug 2024 | Aug 2029 | 11.1 | PA-1400 | EoL 2029 |
| PA-7000 Chassis (7050/7080, 100G-NPC-A, DPC-A) | Dec 2025 | Dec 2030 | 11.2 | PA-7500 / PA-5450 | PLAN NOW |

Current Portfolio

Current-Gen Hardware Quick Reference

5th-generation Strata portfolio — all models share PAN-OS, SP3 architecture, ML-powered threat prevention, Precision AI, and Strata Cloud Manager support.

| Series | Use Case | FW Throughput | Threat Prevention | Key Differentiator |
| --- | --- | --- | --- | --- |
| PA-400 | Branch / SMB | Up to 5.2 Gbps | Up to 2.3 Gbps | Fanless, 5G options, PoE, ZTP |
| PA-500 | Enterprise Branch | 2x PA-400 | | 24 high-speed ports, 330W PoE |
| PA-1400 | Small Campus / Large Branch | Up to 9.9 Gbps | Up to 6.2 Gbps | Replaces PA-800; PoE, 24yr MTBF |
| PA-3400 | Internet Edge / Campus | Up to 30.2 Gbps | Up to 11 Gbps | 3x perf vs PA-3200 in same 1RU |
| PA-5400 | Data Center / SP | Up to 90 Gbps (PA-5445) | | 2.5x TP vs PA-5260; 48M sessions |
| PA-5450 | Hyperscale Modular | 200 Gbps | Up to 189 Gbps | Modular cards, 100M sessions |
| PA-5500 | Quantum-Optimized DC | Up to 300 Gbps (PA-5580) | | FE400 ASIC, PQC-ready, 99M sessions |
| PA-7500 | Platinum / Hyperscale Chassis | 1.5+ Tbps App-ID | | FE400 ASIC, 440M sessions, 14U |

Competitive Positioning

Defend the Refresh

Competitors will aggressively pitch switching during EoL-driven refresh cycles. Here is the PAN-centric response framework for each.

vs. Fortinet — FortiGate

Fortinet estimates ~650,000 firewall units reaching EoS by late 2026 — they are actively targeting PAN customers at EoL. Their pitch: ASIC-based throughput at lower cost with built-in SD-WAN. The reality: performance degrades sharply with all security services enabled, and switching means a full policy rebuild.

Fortinet products referenced: FortiGate NGFW, FortiManager, FortiGuard Labs, FortiSASE

Where PAN Wins

  • 30% higher performance with services enabled: Third-party Miercom testing confirms PAN NGFWs deliver 30% higher throughput across all parameters when security services are enabled. Fortinet's ASIC advantage disappears under real workloads.
  • Real-time zero-day protection: Inline ML and deep learning stops patient-zero threats in seconds. Fortinet has no inline ML/DL on device — threat updates take up to 60 minutes.
  • Migration simplicity: PAN-to-PAN refresh preserves all App-ID rules, security policies, objects, and NAT via Panorama/SCM. Fortinet migration requires a full policy rewrite and team retraining (6–18 month project).
  • True Zero Trust: User-ID, App-ID, Device-ID natively integrated with continuous verification. Fortinet lacks foundational Zero Trust components.
  • AI security (AIRS): Dedicated AI runtime security for LLM/AI workloads. Fortinet has no dedicated AI access/security solutions.
  • Platform continuity: Feature parity across hardware, virtual, container, and SASE. Fortinet features vary by form factor with multiple management modes.

Landmines to Set

  • "Ask Fortinet to demonstrate full-services throughput with AV + IPS + SSL + App Control all enabled simultaneously — using your real traffic profile, not synthetic benchmarks."
  • "Ask Fortinet to detail the migration timeline and cost for rebuilding all your PAN App-ID policies from scratch in FortiOS."
  • "What happens to 15+ years of accumulated WildFire/Precision AI intelligence tailored to your environment when you switch vendors?"

Traps They Set

  • "Fortinet is cheaper" — Counter: Competitive vendors offer aggressive upfront pricing but hide costs in licensing complexity, management overhead, and integration. PAN delivers 30% higher performance with services on, so Fortinet often needs a larger box to match. Forrester TEI: 229% ROI, 7-month payback for PAN NGFW.
  • "Fortinet performs better on benchmarks" — Counter: Ask which benchmarks. ASIC advantage shows in single-service synthetic tests. With all security services enabled, PAN maintains performance via SP3; Fortinet degrades significantly. Request a head-to-head PoC with actual traffic.

vs. Check Point — Quantum NGFW

Check Point claims 99.9% malware prevention (Miercom 2025) and fewer CVEs. Their pitch: stability and security efficacy. The reality: Check Point is a firewall vendor, not a security platform. They lack unified SOC, cloud-native NGFW, and AI workload protection.

Check Point products referenced: Quantum NGFW, CloudGuard, ThreatCloud AI, SmartConsole

Where PAN Wins

  • Platform breadth beyond firewall: Check Point is firewall-first. PAN integrates NGFW + SASE + XSIAM + AIRS + Cortex into a single platform with shared telemetry. Customers consolidating vendors benefit disproportionately.
  • Management modernity: SCM with AI Copilot and predictive analytics vs. SmartConsole + SmartDashboard + CLI. PAN management is cloud-native; Check Point's is mature but on-prem-centric.
  • Cloud-native leadership: PAN leads in Cloud NGFW (AWS, Azure, GCP), containerized CN-Series, and SASE via Prisma Access. Check Point CloudGuard has less cloud-native integration.
  • Gartner validation: PAN named Leader — furthest in Completeness of Vision in inaugural 2025 Gartner Magic Quadrant for Hybrid Mesh Firewall.

Landmines to Set

  • "Check Point claims 99.9% malware prevention in Miercom — ask them to clarify what traffic mix was used and whether inline ML is truly inline or retrospective."
  • "Ask Check Point about their roadmap for unified identity, cloud security, and AI-powered SOC outside of the firewall. Where is the platform?"
  • "Switching from PAN to Check Point means rebuilding policies, retraining teams, and losing accumulated WildFire/Precision AI intelligence — ask for the full migration cost and timeline."

Traps They Set

  • "Check Point has fewer CVEs" — Counter: CVE count alone is misleading. PAN's higher count partly reflects broader product surface area as the market share leader. PAN patches fast with rapid zero-day response. The real question: does Check Point's narrow footprint help when you need SOC, cloud, and identity coverage?
  • "PAN is EOLing things too fast" — Counter: PAN provides a consistent 5-year support tail after EoS. PA-5000 had 5 years (2019 EoS → 2024 EoL). This is announced well in advance. The question isn't lifecycle policy — it's whether you want a hardware swap or a full platform migration to a narrower vendor.

vs. Cisco — Secure Firewall

Cisco leverages its deep networking install base to pitch security as an add-on. Their pitch: "stay in the Cisco ecosystem." The reality: Cisco Secure Firewall evolved from ASA/FTD acquisitions — management is fragmented across converging consoles, and the SASE PoP footprint is limited.

Cisco products referenced: Cisco Secure Firewall, Catalyst SD-WAN, Talos Intelligence, Security Cloud Control

Where PAN Wins

  • Security-first architecture: Cisco Secure Firewall evolved from ASA/FTD and networking roots — not purpose-built for security. PAN was purpose-built as a security platform from day one.
  • Management unification: SCM unifies firewalls, Prisma Access, and SD-WAN in one console. Cisco Security Cloud Control is still converging multiple management interfaces (FMC, FDM, CSM, CDO, ASDM).
  • Inline ML (first vendor): PAN was the first NGFW vendor to deploy inline ML on the device. Cisco has no equivalent. SP3 delivers predictable performance vs. Snort branch-off degradation.
  • SASE completeness: Prisma Access has 100+ global PoPs vs. Cisco's 30+. Critical for latency-sensitive global deployments.
  • TLS 1.3 full support: PAN has hardware-accelerated TLS 1.3 decryption. Cisco offers only partial (certificate-only) decryption.

Landmines to Set

  • "Ask Cisco when their management consoles (FMC, CDO, vManage, SSE) will be fully unified into a single pane of glass."
  • "Challenge Cisco's PoP count — 30+ vs. PAN's 100+. How does this affect latency for users in secondary markets?"
  • "Ask Cisco about feature parity across ASA, FTD, and Meraki. Can they deploy the same policy across all form factors?"

Traps They Set

  • "We're already a Cisco shop — it's simpler to stay" — Counter: Cisco security evolved from networking, not security. PAN integrates with Cisco ISE via User-ID. You can keep Cisco for networking while using PAN for security — many of the largest enterprises run exactly this model.
  • "ThousandEyes gives us DEM built-in" — Counter: ThousandEyes at full enterprise tier is a separate license. PAN's ADEM is included in Prisma Access — no add-on required.

Expand the Deal

Bundle Opportunities During Refresh

The hardware refresh is the entry point into platform expansion. Use these bundles to grow every refresh from a hardware swap into a platformization motion.

Strata Cloud Manager Pro

ESA Pro (replacing legacy ESA, EoS Nov 2025) includes SCM with unified visibility across hardware, virtual, and cloud-delivered firewalls. AI-powered policy assessment, 7-day capacity forecasting, and built-in Panorama → SCM migration workflow.

Pitch: "When you refresh to current-gen hardware, you also get SCM Pro as part of your support agreement. Cloud management, AI copilot, and predictive analytics at no incremental cost relative to your legacy ESA."

Prisma SASE Expansion

HQ/DC hardware refresh naturally opens the SASE conversation. Prisma SASE 4.0 includes Prisma Access Browser 2.0, endpoint DLP, and branch app acceleration. Shared config management in SCM bridges NGFW and Prisma Access policies. Forrester TEI for SD-WAN + NGFW: 247% ROI, $28.5M benefits.

Pitch: "Branch offices with separate WAN gear and legacy firewalls can consolidate on PA-400/500 with built-in SD-WAN + SASE agent. Your DC/HQ refresh becomes the on-ramp to Prisma Access for mobile and remote workers."

Cortex XSIAM Telemetry

Current-gen hardware (PAN-OS 11.x/12.x) generates dramatically richer ML-enriched telemetry vs. legacy devices. XSIAM uses NGFWs as telemetry sensors, feeding the AI-native SOC data lake. XSIAM ARR grew >200% YoY; average ARR per client exceeds $1M.

Pitch: "Your current PA-5000 or PA-3000 generates logs — but it can't generate the ML-enriched App-ID telemetry, session context, and threat correlation that XSIAM needs for AI-driven SOC automation. New hardware is the sensor upgrade that makes XSIAM dramatically more effective."

Prisma AIRS

AI Runtime Security protects AI applications, LLM model traffic, and AI workloads. Inspects AI traffic inline via the NGFW — protects against prompt injection, sensitive data leakage, toxic content. Multi-cloud support (AWS, Azure, GCP, private cloud).

Pitch: "Your organization is adopting AI — Copilot, LLMs, custom models. Current-gen hardware running AIRS becomes the enforcement layer for AI traffic safety. Legacy hardware cannot inspect encrypted AI traffic at scale."

Business Case

Financial Justification

Forrester Total Economic Impact study (2024) for PAN NGFW. Composite organization: 50,000 employees, $7B revenue, 400 sites, 1,200 security incidents/week.

229% — 3-Year ROI
7 mo — Payback Period
$14.11M — Total Benefits (PV)
$9.82M — Net Present Value

| Benefit Category | 3-Year PV | Key Drivers |
| --- | --- | --- |
| End-user productivity gain | $5.18M | Reduced disruption & downtime; 45% cloud work; 8% time recapture |
| Data breach risk reduction | $2.78M | 50% reduction in breach likelihood over 3 years |
| Security infrastructure cost avoidance | $2.54M | Legacy firewall retirement; 15% of $8M annual security spend |
| Security & IT ops efficiency | $2.47M | Incidents reduced 25%→60%; MTTR 120→96 min; reimaging -50% |
| Security stack management efficiency | $1.13M | 50% time reallocation for 15 FTEs via platform consolidation |

Cost of NOT Refreshing

  • Data breach on unpatched EoL hardware: Average enterprise breach cost $4.45M+ (IBM 2023). EoL hardware running PAN-OS 8.1 is permanently unpatched and actively targeted.
  • Compliance violations: PCI-DSS, HIPAA, SOC 2, FedRAMP, ISO 27001 all require security updates. EoL firewalls trigger audit findings or disqualification. Fines: $10K–$100K+ per violation.
  • Cyber insurance premium increase: EoL hardware flagged as material risk. Premiums 15–30%+ higher; coverage may be denied for breaches through EoL devices.
  • Performance gap: Encrypted traffic volumes grew 90%+ in 5 years. PA-3000/5000 cannot decrypt at scale — blind spot in 90%+ of internet traffic.
  • Operational overhead: 35% more management time vs. current-gen PAN NGFW. Legacy PAN-OS 8.1 has no ML, no CDSS, no WildFire integration.

Objection Handling

Common Objections

The refresh is too expensive right now.

Response: Forrester data shows 229% ROI with 7-month payback — the economics of staying on legacy hardware are worse than refreshing. Average enterprise breach on unpatched EoL costs $4.45M+. PAN NGFW reduces security incident investigation by 25–60%, MTTR by 20%, and management time by 35%. The refresh pays for itself in OpEx reduction. Plus, customers consolidating onto multiple PAN products (NGFW + SASE or NGFW + XSIAM) receive aggressive bundle discounts, and ELA/flexible financing is available.

Migration is too complex — we'll lose our configs.

Response: PAN provides an automated Panorama → SCM migration workflow built directly into the product at no additional cost. PAN-to-PAN migration preserves all App-ID rules, security policies, objects, and NAT — unlike a cross-vendor migration that requires full rebuild. Start with non-critical devices, validate, then move production. Requires PAN-OS 10.2.3+ on managed devices. Professional Services offer migration packages for complex deployments. Competitors require full policy rebuilds and retraining — PAN refresh is a hardware swap with config preservation.

Fortinet / Check Point is offering us a great deal to switch.

Response: Competitive vendors offer aggressive upfront pricing but hide costs in licensing complexity, management overhead, and 6–18 month cross-vendor migration projects. You'll rebuild all firewall policies, retrain SOC teams, and re-integrate SIEM/SOAR. You also lose years of accumulated WildFire/Precision AI intelligence tailored to your environment — that learning goes to zero. PAN delivers 30% higher performance with services enabled (Miercom), so Fortinet often requires a larger box to match. And PAN platformized customers have 119% net retention — they're getting MORE value over time. A hardware-only competitive deal breaks that compounding platform value.

We'll just extend third-party support on legacy hardware.

Response: Third-party support (e.g., Park Place Technologies) can extend break-fix hardware maintenance, but it cannot provide security patch updates, fix new CVEs, deliver PAN TAC support, or grant access to new software features. Running unpatched EoL hardware with third-party support leaves the device permanently vulnerable to any CVE published after EoL. Compliance frameworks (PCI-DSS, HIPAA, NIST) require patching against known vulnerabilities — third-party hardware support does not satisfy this requirement.

Our security team is burned out on PAN CVEs.

Response: PAN has invested heavily in security hardening in PAN-OS 11.x/12.x — improved secure boot (UEFI), a TPM for key storage, and faster patch velocity. Hardware refresh to current-gen gives clean, hardened hardware with no accumulated technical debt. The high CVE count partially reflects PAN's market share leadership — more researchers, more scrutiny, more disclosed CVEs. ESA Pro (replacing ESA) includes enhanced SCM-based monitoring and proactive health management.

We're not ready to move off Panorama to SCM.

Response: Panorama is not being deprecated. New hardware (PA-3400, PA-5400, etc.) supports both Panorama and SCM natively. Migration can be phased over time — not required at hardware refresh. However, SCM offers AI-powered Copilot, predictive analytics, unified NGFW + SASE policy management, and automated Panorama-to-SCM migration tooling that Panorama cannot match. Many customers start with hardware refresh on Panorama and migrate to SCM progressively.

Selling Tips

  • Lead with urgency, not fear: PA-3000 and PA-5000 are already past EoL — any customer on these platforms is operating unpatched, unsupported hardware. PA-7000 legacy components just hit EoL in Feb 2026. Frame the conversation as proactive security modernization, not reactive end-of-life.
  • SP3 is the performance proof point: Always push for a PoC with all security services enabled. This is where PAN wins every time against Fortinet's synthetic benchmarks. Third-party Miercom data validates 30% higher throughput.
  • Migration simplicity kills the switching objection: PAN-to-PAN means a hardware swap with config preservation. Cross-vendor means 6–18 months of policy rebuild, retraining, and lost institutional knowledge. The Panorama → SCM migration wizard is a powerful objection killer — demo it in every conversation.
  • Every refresh is a platform landing: Start with NGFW + SCM Pro. Open the SASE conversation for branches. Add XSIAM as new hardware enriches telemetry. Add AIRS for AI workloads. Move from <$1M ARR to $5M+ platform deal. 1,550 platformized customers with 119% NRR validates this motion.
  • Use Forrester TEI in procurement: 229% ROI, 7-month payback, $14.11M total benefits. This is third-party validated — powerful against CFO resistance. For SD-WAN + NGFW bundles: 247% ROI, $28.5M benefits.
  • Quantum readiness is a first-mover advantage: PA-5500 and PA-7500 with FE400 ASIC can process post-quantum cryptography. The Quantum Readiness Dashboard provides visibility into cryptographic risk. Use this with CISOs focused on future-proofing against "harvest now, decrypt later" attacks.
  • Target the compliance angle: EoL hardware triggers audit findings for PCI-DSS, HIPAA, SOC 2, FedRAMP, ISO 27001. Cyber insurance underwriters increasingly flag EoL as material risk. This creates C-level urgency beyond the security team.
  • Know the refresh paths: PA-3000 → PA-3400 (3–6x TP gain). PA-5000 → PA-5400/5500 (multi-gen improvement). PA-7000 legacy → PA-7500 (1.5+ Tbps vs ~200 Gbps). PA-800 → PA-1400. PA-220 → PA-400 (6x perf). Quantify the performance gain in every proposal.