Platform — Network Security

Strata
Network Security Platform

ML-powered next-generation firewalls from branch to data center, managed through a single cloud-native control plane.

Hardware

NGFW Hardware Lineup

Purpose-built appliances for every deployment — from the smallest branch to the largest hyperscale data center.

PA-7500 Quantum-Ready
Flagship · Hyperscale DC
  • FE400 custom ASIC
  • 1.5+ Tbps App-ID performance
  • 400M+ concurrent L7 sessions
  • Quantum-ready architecture
PA-7500 Series FE400 ASIC · Quantum-Ready

Key Specs

Metric | Value
FW Throughput (App-ID) | >1.5 Tbps
Threat Prevention | 1,440 Gbps
Max Sessions | 440 million
Form Factor | 14U modular chassis
ASIC | Custom FE400 (5th gen)
Ports (per NPC) | 8× QSFP-DD (400G) + 12× SFP-DD
HA | Active/passive + A/A clustering

Target Deployment

Large enterprise data centers, hyperscale internet gateway, service providers, high-bandwidth network perimeters requiring 400G+ interfaces.

Why Customers Choose This

  • World's first NGFW on the FE400 ASIC — highest performance in the industry
  • Full L7 inspection across all 1.5 Tbps — no bypass
  • Hardware-accelerated PQC: ML-KEM, ML-DSA, SLH-DSA
  • 440M concurrent sessions for carrier/hyperscale scale

Refresh Path

Replaces: PA-7000 Series

PA-7000 EOS: Dec 31, 2025. EoL: Dec 31, 2030. Customers on PA-7050/PA-7080 face end-of-sale now. PA-7500 delivers ~3–4× throughput improvement vs PA-7080. Same PAN-OS policies transfer via Panorama/SCM template migration.

Competitive Notes

vs. Fortinet 7000: Full L7 inspection across all throughput; FortiGate offloads to SPU ASICs, bypassing inspection.

vs. Check Point Quantum: Native ML-based threat prevention at hyperscale; CP requires separate IPS appliances at this throughput.

vs. Cisco Firepower 9300: No single-chassis solution matching 1.5 Tbps with full App-ID.

PA-5500 Quantum-Ready
Enterprise DC · Quantum-Optimized
  • FE400 ASIC
  • Up to 300 Gbps threat performance
  • Post-quantum encrypted traffic visibility
  • Enterprise data center form factor
PA-5500 Series FE400 ASIC · World's First Quantum NGFW

Models & Specs

Model | FW | Threat | Sessions
PA-5540 | 150 Gbps | 90 Gbps | ~66M
PA-5550 | 175 Gbps | 120 Gbps | ~80M
PA-5560 | 240 Gbps | 180 Gbps | ~90M
PA-5570 | 300 Gbps | 240 Gbps | ~95M
PA-5580 | 375 Gbps | 300 Gbps | 99M

3RU fixed config · PAN-OS 12.1.2+ · Up to 25 vSystems

Target & Selling Motion

High-speed enterprise data centers, internet gateway, service provider edge, large campus segmentation.

  • Only NGFW with hardware-accelerated PQC at 300 Gbps threat throughput
  • Single-pass architecture — no throughput degradation with all CDSS enabled
  • 3RU delivers more throughput-per-rack-unit than modular competitors
  • NGFW clustering (A/A) for scale-out deployments

Refresh Path

Replaces: PA-5200 Series

PA-5200 EOS: Aug 31, 2023. EoL: Aug 31, 2028. PA-5500 vs PA-5280: ~5–8× threat prevention improvement. Quantum compliance mandates (NIST PQC 2024) create urgency. Use the Quantum Readiness Dashboard in SCM to show PQC gaps.

Competitive Notes

vs. Fortinet 4800F: Tops out at ~198 Gbps with fewer PQC algorithms.

vs. Check Point: Single-pass vs multi-pass — no throughput degradation when CDSS enabled.

PA-5450
Hyperscale DC
  • 150 Gbps threat performance
  • Designed for large-scale deployments
  • High-density networking
PA-5450 Series Modular · Expandable

Key Specs

Config | FW | Threat | Sessions
Single DPC | 75 Gbps | 55 Gbps | 20M
Full (2 NIC + 4 DPC) | 200 Gbps | 189 Gbps | 100M

Modular chassis · Up to 225 vSystems · PAN-OS 10.2+

Target & Why Choose

Hyperscale data center, internet edge, large enterprise campus segmentation. Mid-tier hyperscale between PA-5400 and PA-7500.

  • 189 Gbps threat prevention — 4× the PA-5260
  • Modular design: start small, expand by adding DPC cards
  • New SWG proxy mode support (Aug 2025)
  • Prisma SD-WAN Data Center anchor integration

Positioning

Bridge/complement for customers who need hyperscale but aren't ready for the PA-7500 investment. Ideal upgrade for PA-5200/PA-5000 with growth through 2027. Modular argument resonates with over-provisioning concerns.

PA-5400
High-Performing 2RU
  • PA-5445 delivers 2.5x vs PA-5260
  • Compact 2RU form factor
  • Enterprise DC edge deployment
PA-5400 Series

Key Specs (PA-5440)

Metric | Value
FW Throughput (appmix) | ~96 Gbps
Threat Prevention | ~80 Gbps
Max Sessions | ~64M
Form Factor | 2RU fixed

Models: PA-5410, PA-5420, PA-5430, PA-5440

Target & Selling Motion

Enterprise data centers, internet gateway, campus segmentation. Direct like-for-like 2RU replacement for PA-5220/5250.

  • PA-5440 delivers 2.5× threat prevention vs PA-5260
  • Fixed-form 2RU for customers preferring non-modular
  • Recommended by PAN as PA-5000/5200 replacement

Refresh Path

Replaces: PA-5200 / PA-5000 Series

PA-5200 EOS: Aug 31, 2023. PA-5000 already past EoL (Jan 31, 2024 — critical risk). Strong choice when fixed 2RU is preferred over modular PA-5450.

PA-3400
Mid-Range Enterprise
  • Mid-range enterprise performance
  • Campus and regional DC
  • Full App-ID and threat prevention
PA-3400 Series

Models & Specs

Model | FW | Threat | Sessions
PA-3410 | 11.3 Gbps | ~5 Gbps | ~5.5M
PA-3420 | 16.5 Gbps | ~7 Gbps | ~7M
PA-3430 | 19.6 Gbps | ~10 Gbps | ~9M
PA-3440 | 24 Gbps | ~13 Gbps | ~11M

1RU · 100G QSFP28 uplinks · 480 GB SSD · Up to 11 vSystems

Target & Why Choose

High-speed internet gateway, mid-enterprise network perimeter, data center aggregation, campus core.

  • 1RU with 100G QSFP28 — Fortinet FortiGate 600G needs 2RU
  • Deep App-ID across all 27.5 Gbps — no bypass
  • BFD and multihop BFD for advanced routing
  • ZTP for zero-touch deployment

Refresh Path

Replaces: PA-3200 / PA-3000 Series

PA-3200 EOS: Aug 31, 2023. EoL: Aug 31, 2028. PA-3000 already past EoL (Jan 2024). Customers on PA-3200s are in active compliance/support risk. PA-3440 delivers significantly higher throughput in 1RU vs PA-3260 in 2RU.

PA-1400
Large Branch / Small Campus
  • PoE support
  • Virtual systems (VSYS)
  • mGig and fiber connectivity
PA-1400 Series

Models & Specs

Model | FW | Threat | Sessions
PA-1410 | 8.5 Gbps | 4.5 Gbps | 945K
PA-1420 | 9.5 Gbps | 6.2 Gbps | 1.4M

1RU · PoE 151W budget · 10G SFP+ uplinks · Up to 6 vSystems

Target & Why Choose

Smaller campus, large distributed enterprise branches, midsize businesses.

  • PoE support (151W) for IP phones, cameras, APs
  • UEFI Secure Boot + TPM for key storage
  • Multi-Gig ports up to 10G
  • ZTP via SCM or Panorama

Refresh Path

Replaces: PA-800 Series

PA-820/PA-850 approaching EOL. PA-1400 adds PoE + 10G SFP+ uplinks that PA-800 cannot match. Future-proofing through higher port speed and PAN-OS 12.1 PQC support.

PA-500 New
Enterprise Branch
  • Up to 24 high-speed ports
  • 330W PoE budget
  • ZTP on Strata Cloud Manager
  • Modern enterprise branch deployment
PA-500 Series Brand New — Aug 2025

Full Model Lineup

Model | FW | Threat | Sessions
PA-505 | 1.2 Gbps | ~0.9 Gbps | 64K
PA-510 | 1.8 Gbps | ~1.2 Gbps | 98K
PA-520 | 2.8 Gbps | 1.8 Gbps | 148K
PA-540 | 3.8 Gbps | 2.2 Gbps | 248K
PA-545-POE | 5.0 Gbps | 3 Gbps | 298K
PA-550 | 6.5 Gbps | ~5 Gbps | 398K
PA-555-POE | 7.5 Gbps | ~6 Gbps | 448K
PA-560 | 8.5 Gbps | 6 Gbps | 598K

Desktop/1U · PAN-OS 12.1.2 · PoE models: 181W/330W · A/A HA

Target & Why Choose

Modern enterprise branch, retail, MSPs. Fills the gap between PA-400 and PA-1400.

  • 8 models covering 1.2–8.5 Gbps — no coverage gaps
  • PA-555-POE: 330W PoE — unmatched for branch with cameras/APs
  • Fail-to-wire on select models for critical uptime
  • Full CDSS + Precision AI at the branch, not "lite"
  • ZTP simplifies large-scale branch rollouts

Refresh Path

Replaces: PA-220 / PA-200

PA-220 EOS: Jan 31, 2023. EoL: Jan 31, 2028. Customers on PA-220 are on expired hardware. PA-500 delivers 6–8× throughput while adding PoE, fail-to-wire, and PAN-OS 12.1 features.

Competitive Notes

vs. Fortinet: 8 models covering 1.2–8.5 Gbps vs Fortinet coverage gaps in this range. Full CDSS at branch, not a "lite" tier.

PA-400
Small Branch
  • PA-415-5G with cellular connectivity
  • PA-455 for standard small branch
  • Compact and fanless options
PA-400 Series

Models & Specs

Model | FW | Threat | Sessions
PA-410 | 1.1 Gbps | 0.68 Gbps | 64K
PA-415 | 1.2 Gbps | 0.69 Gbps | 64K
PA-440 | 2.2 Gbps | 1.0 Gbps | 200K
PA-450 | 2.9 Gbps | 1.6 Gbps | 300K
PA-460 | 4.4 Gbps | 2.4 Gbps | 400K

Desktop · Fanless on PA-410/415 · 5G models: PA-415-5G, PA-455-5G

Target & Why Choose

Distributed enterprise branches, retail, SMB HQ, home-office/satellite sites.

  • 5G models (PA-415-5G, PA-455-5G) for cellular WAN
  • Fanless PA-410/415 for silent open-office use
  • Active/active HA — unique for this form factor
  • ZTP for large-scale deployment automation
  • Full ML-NGFW capabilities inline

Refresh Path

Replaces: PA-200 / PA-220

PA-200 EOL: Dec 31, 2019. PA-220 EOS: Jan 31, 2023. 10× performance increase vs PA-220. 5G models address SD-WAN / cellular backup that PA-220 cannot. Full ML-NGFW vs PA-220's legacy signature-only engine.

VM-Series
Virtualized NGFW
  • Software NGFW for cloud and virtualization
  • AWS, Azure, GCP, private cloud
  • Consistent security policy everywhere
VM-Series

Models & Specs

Model | App-ID FW | Use Case
VM-50/Lite | 200 Mbps | Multi-tenant, minimal
VM-100 | 2 Gbps | Hybrid cloud, gateway
VM-300 | 4 Gbps | Hybrid cloud, segment.
VM-500 | 8 Gbps | Large enterprise, NFV
VM-700 | 16 Gbps | Hyperscale virtual DC

AWS, Azure, GCP, OCI, VMware, KVM, Hyper-V, Nutanix · PAYG + BYOL

Why Choose

  • Identical PAN-OS as hardware — true policy parity
  • Consistent App-ID inspection (vs Fortinet NP7 ASIC bypass in VM deployments)
  • PAYG in cloud marketplaces — low barrier to entry
  • Full CDSS in cloud-native deployments
  • Managed by SCM alongside hardware NGFWs

Competitive Notes

vs. Fortinet VM: Consistent App-ID vs NP7 bypass model. In VM deployments, PAN's consistent inspection is a key advantage.

vs. Check Point CloudGuard: VM-Series runs identical PAN-OS as hardware; CP has feature gaps between hardware and cloud.

vs. Cisco FTDv: Full App-ID, User-ID, Content-ID in the VM; Cisco lacks App-ID equivalence.

CN-Series
Container NGFW
  • Kubernetes-native NGFW
  • Container-level traffic inspection
  • Service mesh integration
CN-Series Kubernetes-Native

Architecture

  • Industry's first ML-Powered NGFW built natively for K8s
  • Deployed as Kubernetes DaemonSet — scales with nodes
  • Full L7 visibility using K8s labels/namespaces
  • Supports GKE, EKS, AKS, OpenShift, on-prem K8s
  • Metadata-driven policy — no IP-based rules needed

Why Choose

Secures east-west traffic between pods, outbound traffic to internet/C2, and encrypted SSL from containers.

  • Fortinet has no native K8s container firewall
  • Calico/Cilium provide no L7 inspection or threat prevention
  • Full CDSS subscriptions available
  • Managed by SCM alongside hardware NGFWs
K2-Series
OT / Industrial
  • Purpose-built for OT/ICS environments
  • Industrial-grade ruggedized hardware
  • OT protocol support and visibility
K2-Series 5G / Telecom

Architecture

  • Purpose-built for mobile network infrastructure (4G/5G, IoT, MEC)
  • Express Mode (high-throughput GTP) or Secure Mode (full NGFW)
  • Natively parses GTP for 5G subscriber identity visibility
  • Per-subscriber policy: IMSI, MSISDN, APN, QoS class
  • 5G N-series interface inspection (Gi/SGi, N3, N6, N4)

Why Choose

Telecom service providers securing 4G/5G core, IoT platforms, multi-access edge computing.

  • Only NGFW with true GTP-level subscriber identity visibility
  • Fortinet/Check Point require external GTP unwrapping appliances
  • Integration with 5G network slicing for per-slice policies
  • Full CDSS for mobile threat prevention

Management

Strata Cloud Manager

AI-powered, unified management and operations for all NGFWs and SASE — the single pane of glass for network security.

Unified Management
Single management plane for all NGFW appliances, VM-Series, CN-Series, and SASE deployments.
Per-Admin Config Push/Revert
Individual administrators can push and revert configuration changes independently — no more shared commit queues.
Panorama Migration Engine
CVE-driven migration planning tool to transition from Panorama to SCM with confidence.
Inline Configuration Checks ("Layer 8 Controls")
Catch misconfigurations before they're deployed with real-time policy validation.
Compliance Centre
Built-in compliance validation against PCI, CIS, and NIST frameworks. Global Configuration search.
ZTP NGFW Activation
Zero-touch provisioning mobile web app for rapid branch deployments — ship, plug in, and go.

SCM Pro

New Licensing Tier

Strata Cloud Manager now has two licensing tiers: Essentials (free with any NGFW or Prisma Access purchase) and Pro (paid upgrade). SCM Pro unlocks advanced AI-powered operations, ADEM, unlimited logging, and proactive security posture management.

What SCM Pro Adds Over Essentials

Strata Logging Service (1-Year Retention)
Unlimited log storage with centralized logging. Not included in Essentials — requires separate SLS purchase otherwise.
AI-Powered ADEM
Autonomous Digital Experience Management — end-to-end observability that automates IT ops, reduces ticket volume, and shortens MTTR.
ML Policy Analyzer and Optimizer
AI-driven real-time policy analysis with actionable insights. Automatically identifies unused rules, shadowed policies, and optimization opportunities.
AI Canvas
Advanced interactive visualization workspace for security data exploration — only available in Pro.
Proactive Operational Health
Forecasting, anomaly detection, root cause analysis in alerts, capacity analyzer, and upgrade recommendations — all Pro-only.
Custom Compliance and Config Checks
Real-time inline best practices with enforcement, config cleanup, and custom compliance checks beyond the standard BPA.

Essentials vs. Pro — Feature Comparison

Feature Essentials Pro
Cloud Management (NGFW, Prisma Access, SD-WAN)
Best Practices Analysis and On-Demand BPA
Hardware/Software Health Alerts
Strata Copilot (AI Assistant)
Strata Logging Service (1-Year, Unlimited)
Command Center, Activity Insights, Reports SLS req'd
Log Viewer, IOC Search, Log Forwarding SLS req'd
AI-Powered ADEM
ML Policy Analyzer and Optimizer
Forecasting, Anomaly Detection, RCA in Alerts
Capacity Analyzer and Upgrade Recommendations
Custom Config Checks, Compliance, Config Cleanup
Real-time Inline Best Practices with Enforcement
AI Canvas

Selling SCM Pro Today — The EA Angle

What is an EA? Palo Alto offers two Enterprise Agreement programs for PA-Series NGFWs:

  • ELA (Enterprise License Agreement) — Bundles the five core CDSS subscriptions (Advanced Threat Prevention, DNS Security, Advanced URL Filtering, WildFire, and GlobalProtect) into a single agreement. Instead of licensing each sub per-firewall, customers pay one agreement that covers their entire NGFW hardware estate.
  • ESA (Enterprise Support Agreement) — Covers support (e.g., Premium Support) across the entire PA-Series fleet under one agreement. ESA Pro now bundles SCM Pro for NGFW — a single auth code activates both support and SCM Pro.

Why this matters for selling:

  • Customers already on an ESA Pro get SCM Pro included at no additional cost — one auth code, no separate subscription to manage.
  • Existing AIOps for NGFW Premium customers are being automatically migrated to SCM Pro at no cost — their current license just becomes SCM Pro.
  • Even AIOps Free customers get auto-migrated to SCM Essentials — then you can upsell to Pro for the advanced capabilities.
  • For new customers, leading with the ELA + ESA Pro motion means they get the full CDSS suite + SCM Pro + support all under two agreements — massively simplified procurement.

Bottom line: If a customer has or is moving to an Enterprise Agreement, SCM Pro is effectively free. Use this as a differentiator in every Strata conversation — it's built-in value they're already paying for.

Subscriptions

Cloud-delivered Security Subscriptions (CDSS)

Cloud-delivered security services that keep every NGFW up to date with the latest threat intelligence.

Advanced Threat Prevention
Advanced Threat Prevention (ATP) Powered by Precision AI

What It Does

The industry's first IPS that blocks zero-day threats inline using deep learning models. Goes beyond signature-based IPS with inline ML for C2 traffic, injection attacks, exploits, and malware — all analyzed on the firewall without cloud queries.

What's New
  • Exfiltration Shield — ML model detects stealthy data exfiltration via DNS relay attacks and HTTP header tunneling
  • Local Deep Learning — Runs DL analysis locally on the firewall, no cloud required
  • 7 advanced ML models in production, cloud-updated without FW upgrades
  • Now available for Prisma Access (Nov 2025 CDSS)

Competitive Edge

Inline deep learning for zero-day C2 blocking vs. signature-only in Fortinet/Check Point. ML verdicts in milliseconds without cloud wait. SQL/command injection ML models in real-time. Cloud-side model updates — no FW upgrade needed.

60%: More zero-days blocked
48%: More evasive C2 caught
Faster detection

WildFire
Advanced WildFire Powered by Precision AI

What It Does

The industry's largest cloud-based malware prevention engine. Combines static analysis, dynamic sandboxing, ML, and deep learning across 40+ file types. Generates and distributes protections within minutes of encountering new malware.

What's New
  • PDF Phishing Detection — CNN-based DL model analyzes visual appearance of embedded URLs in PDFs
  • API Vector Categorization — ML behavioral fingerprinting of API call sequences for fileless attacks
  • Multi-CPU Sandboxing — Defeats malware that evades single-CPU sandbox detection
  • WildFire Dashboard in SCM (March 2026) — manage submissions without leaving SCM

Competitive Edge

CNN visual analysis of PDFs is unique (competitors parse text only). Multi-CPU sandboxing counters modern evasion. WildFire verdicts feed ATP inline models in near real-time. 8 dedicated ML detection engines.

67B+: Samples analyzed
99%: Malware detected
180×: Faster than competition

Advanced URL Filtering
Advanced URL Filtering Powered by Precision AI

What It Does

Real-time, ML-powered protection against phishing, malicious sites, and credential theft. Inline ML analyzes previously unseen URLs in real time — no waiting for database updates.

What's New
  • QR Code Phishing (Quishing) — Inline ML scans and blocks malicious QR codes embedded in web pages
  • Deepfake Content Detection — DL model identifies and blocks deepfake video content
  • New categories: "Compromised website" and "File converter" for granular control

Competitive Edge

Inline ML for unknown URLs vs static lists. QR code phishing protection (no competitor has this). Deepfake video detection. Native NGFW integration — no proxy hop required.

<1s: ML URL verdict
40%: Faster phishing block
11K+: QR threats/day

DNS Security
Advanced DNS Security Powered by Precision AI + ADNSR

What It Does

Inspects every DNS request and response inline, using AI to detect malicious domains, DNS tunneling, C2 callbacks, DGA domains, and DNS hijacking. First vendor to inspect both DNS requests AND responses.

What's New
  • ADNSR (Advanced DNS Security Resolver) — Cloud-delivered DNS resolver extends security to ALL devices, even without NGFW
  • DNS Hijacking Prevention — Detects and blocks DNS hijacking and misconfigurations
  • TDS Protection — Blocks sophisticated traffic distribution system attacks
  • Domain masquerading / typosquatting detection via AI/ML

Competitive Edge

ADNSR extends DNS security to IoT, BYOD, unmanaged endpoints without NGFW routing. Response monitoring catches compromised DNS infrastructure. Deeper ML models than Cisco Umbrella/OpenDNS.

1B+: Domains/day analyzed
~8M: Malicious domains/day

IoT Security
IoT / Device Security AI-Driven Device Discovery

What It Does

AI-driven discovery, profiling, and risk assessment of every device on the network — IoT, OT, medical, BYOD — without additional sensors. Recommends and enforces least-privilege policies and virtual patches.

What's New
  • Device Security X — Full SCM integration; Enterprise, OT, and Medical tiers
  • FedRAMP High — Dec 2025 authorization enables federal/classified deployments
  • Integrations: Siemens Industrial Hub, SentinelOne, Cisco Meraki, NetBox IPAM
  • Inbound Policy Rule Recommendations (PAN-OS 11.1.11)

Competitive Edge

Integrated enforcement in NGFW policy (vs. Claroty/Nozomi detection-only). No 802.1X/NAC required (vs. Cisco ISE). Cloud-delivered, no on-prem appliance (vs. Fortinet FortiNAC).

Use Cases

  • Healthcare: Protect infusion pumps and imaging systems
  • Manufacturing: Virtual patching for Siemens/Schneider PLCs
  • Campus: IoT discovery without separate NAC
Enterprise DLP
Enterprise DLP Cloud-Delivered DLP

What It Does

Cloud-delivered DLP using ML classification, Exact Data Matching, and fingerprinting across web traffic, SaaS apps, cloud email, and endpoint egress. Single policy engine spans all enforcement points.

What's New
  • Granular Data Profiles — Differentiated inline inspection per rule
  • ICAP Integration — Hybrid cloud/on-prem DLP for regulated industries
  • Multi-region EDM for GDPR/data sovereignty compliance
  • SIEM/SOAR audit log forwarding + 90-day retention

Competitive Edge

No on-prem DLP appliance required (vs. Symantec/Forcepoint). Native NGFW inline enforcement. SaaS + network + email unified in single console. Pre-built templates: GDPR, HIPAA, PCI-DSS, SOX, CCPA.

Use Cases

  • Financial: Block PCI data uploads to shadow SaaS
  • Healthcare: Prevent PHI/HIPAA data leakage
  • Insider threat: Alert on unusual data transfers
SaaS Security (CASB)
SaaS Security (Next-Gen CASB)

What It Does

Three integrated layers: (1) Data Security — API scanning of SaaS data at rest, (2) SaaS Inline — real-time policy enforcement through NGFW, (3) SSPM — continuous SaaS misconfiguration monitoring. Covers O365, Google Drive, Box, Slack, Salesforce, 50+ apps.

What's New
  • Identity Threat Detection in SSPM — Human vs non-human identity risk across all SaaS
  • LLM-Powered User Risk Summary — AI-generated narratives for top 0.1% risky users
  • User Session Tracking — Allow corporate accounts, block personal within same tenant
  • App Health Monitoring with real-time status indicators

Competitive Edge

Inline + API dual-mode (vs. Netskope/Zscaler single-mode). Multi-vendor SaaS + NGFW integration (vs. Microsoft MDCA ecosystem lock). SSPM + behavior analytics included (vs. Proofpoint email-focused).

Use Cases

  • Shadow IT discovery and governance
  • Prevent public sharing on Google Drive/OneDrive
  • Detect departing employee mass-downloading
SD-WAN
Advanced SD-WAN Integrated into PAN-OS

What It Does

Unlocks SD-WAN natively within PAN-OS — no separate appliance. Path quality measurement, application-based traffic steering, link failover, ADEM for end-to-end observability. Converged security + SD-WAN in one platform.

What's New
  • NGFW as SD-WAN DC Anchor — PA-5450 serves as data center anchor for Prisma SD-WAN branches
  • GCM Encryption — AES-GCM for authenticated fabric tunnel encryption
  • Cisco TrustSec SGT propagation across SD-WAN fabric
  • Prisma SD-WAN Copilot — GenAI troubleshooting assistant

Competitive Edge

Full NGFW security parity at every branch (vs. Fortinet partial, Cisco separate stack). App-ID for 5000+ apps for path steering (vs. basic app signatures). Unified management in SCM (vs. FortiManager/Meraki separate).

Use Cases

  • Replace SD-WAN appliance + NGFW with single PA-400/500/1400
  • UCaaS QoE optimization (Teams, Zoom, Webex) at branch
  • SASE hybrid: on-prem NGFW SD-WAN + Prisma Access
AIOps
AIOps / Strata Cloud Manager AI-Powered Unified Management

What It Does

SCM is the cloud management platform that absorbed AIOps. Provides unified management, predictive analytics, anomaly detection, ADEM, and Strata Copilot (GenAI assistant). Two tiers: Essentials (free) and Pro (paid).

What's New
  • SCM Essentials + Pro — New licensing replacing AIOps Free/Premium
  • Strata Copilot — Natural language security analytics queries
  • Redesigned UI: Monitor, Investigate, Configure workflows
  • Dynamic Baseline Anomaly Detection reduces alert fatigue

Competitive Edge

Cloud-native (vs. Panorama on-prem). Native AIOps predictive analytics (vs. Fortinet FortiManager lacking this). Single platform for security + SD-WAN + SASE — no competitor has this convergence.

Use Cases

  • Manage 100+ NGFW devices from the cloud
  • Proactive health issue identification before outages
  • NOC/SOC natural language querying via Copilot
GlobalProtect
GlobalProtect Remote Access VPN + ZTNA

What It Does

Secure remote access via SSL/IPsec VPN with full App-ID, User-ID, Content-ID policies — same security for remote users as on-prem. Evolving toward ZTNA with per-app VPN and HIP (Host Information Profile) posture checks.

What's New
  • ZTNA Connector Rolling Upgrade — Zero-disruption software upgrades (March 2026)
  • Zero Trust Posture Center — New continuous posture monitoring dashboard
  • PQC-Enabled VPN — Post-quantum pre-shared key for quantum-safe tunnels
  • Per-App VPN with Intune/JAMF for iOS/Android

Competitive Edge

Full PAN-OS policy on remote traffic (vs. Cisco AnyConnect transport-only). Native NGFW integration (vs. Fortinet FortiClient requiring FortiEMS). Post-quantum VPN — no pure-play VPN vendor can match today.

Use Cases

  • Zero Trust remote access replacing legacy VPN
  • PQC VPN for government/defense PQC compliance
  • Hybrid SASE: GP on-prem + Prisma Access cloud
AI Access Security
AI Access Security Powered by Precision AI

What It Does

Enables safe adoption of generative AI applications with real-time visibility, granular access controls, data protection, and threat prevention. Discovers 2,250+ GenAI apps via App-ID and the AI Correlation Engine (ACE), classifying them as sanctioned, tolerated, or unsanctioned with 60+ risk attributes.

What's New
  • 500+ GenAI App Dictionary — Broadest coverage of GenAI applications with AI-powered categorization and risk scoring
  • 300+ LLM-Powered Data Classifiers — ML-driven detection of sensitive data in prompts, uploads, and GenAI responses
  • Inline Threat Inspection — Scans files, URLs, and code snippets in GenAI responses for malware and malicious content
  • User coaching and real-time notifications to guide safe GenAI usage
  • Managed via Strata Cloud Manager — single pane of glass across all enforcement points

Competitive Edge

Native NGFW + Prisma Access + Prisma Browser enforcement — no separate proxy or CASB bolt-on required. Enterprise DLP integration inspects GenAI traffic inline. Strata Copilot provides AI-recommended actions. Competitors require separate point products for GenAI visibility and control.

Licensing & Deployment

  • Available as standalone subscription or included with CASB-PA / CASB-X
  • Included with Prisma Browser standalone license
  • Requires PAN-OS 11.2.2-h1+ or Prisma Access 5.1 Innovation+
  • Works across NGFW, Prisma Access, and Prisma Browser enforcement points
2,250+: GenAI apps discovered
500+: GenAI app dictionary
300+: LLM data classifiers

Decryption
SSL/TLS Decryption SSL/TLS + SSH Inspection

What It Does

Enables the NGFW to inspect encrypted SSL/TLS and SSH traffic. Without decryption, 85–95% of enterprise traffic is invisible to security. Supports SSL Forward Proxy, SSL Inbound Inspection, SSH Proxy — all single-pass.

What's New
  • PQC TLS Decryption — Inspect TLSv1.3 with ML-KEM, ML-DSA, SLH-DSA (PAN-OS 12.1)
  • PQC Cipher Translation Proxy — Upgrades non-PQC apps transparently to quantum-safe
  • Full TLS 1.3 support including AES-GCM/CHACHA20-POLY1305
  • Configurable PQC algorithm preferences per profile

Competitive Edge

PQC TLS decryption — Fortinet and Check Point do not offer this yet. PQC cipher translation proxy is industry-first. FE400 hardware-accelerated decryption (PA-5500/7500). PA-5500 throughput measured with decryption enabled — competitors often don't disclose.

85-95%: Traffic encrypted
300 Gbps: With decrypt (PA-5580)

★ Partner Opportunity

Enterprise Support Agreement (ESA)

Partners can sell and manage ESA directly — no PAN involvement required. This is a partner-led motion you can take to your customers yourself.

What It Is

A single agreement that covers support for all PA-Series NGFWs — existing assets, projected purchases, and even unplanned acquisitions. One auth code activates Premium Support + Strata Cloud Manager Pro across the entire NGFW deployment.

Why Partners Should Lead

  • You quote and close ESA with your customer — no PAN SE needed
  • Covers every NGFW they own or buy during the term — instant coverage on new devices
  • Predictable cost for the customer — no per-device support SKU math
  • Locks in multi-year support revenue for your practice
  • Customers get 24/7 global Premium Support + SCM Pro at one price

What's Included

  • Premium Support — 24×7×365 phone + online, <1hr Sev-1 response, NBD advance replacement
  • SCM Pro for NGFW — Advanced monitoring, reporting, predictive analytics, and Strata Copilot (included with ESA, no separate purchase)
  • Software & Content Updates — PAN-OS upgrades, App-ID, threat signatures, all CDSS content updates
  • Growth Allowance — Built-in hardware estate cap accommodates projected growth without renegotiation
1 Auth Code: Activates everything
24×7×365: Global Premium Support
SCM Pro: Included at no extra cost
All NGFWs: Current + future devices

Talk to your Palo Partner Architect or PAN channel team about adding ESA to your next customer renewal or net-new deal.

Pre-Sales

Scoping Checklist

Information to gather before any Strata engagement.

Throughput Needs — Required throughput at the network edge (App-ID, threat prevention, SSL decrypt)
Port Density — Number and speed of required interfaces (1G, 10G, 25G, 40G, 100G, 400G)
HA Requirements — Active/passive or active/active clustering needs and failover requirements
Current Firewall Vendor — Existing vendor, model, and contract renewal dates
Management Preference — Panorama vs. Strata Cloud Manager (SCM) for centralized management
Deployment Locations — Data center, campus, branch, cloud, OT/industrial site counts

Conversations

Discovery Questions

Questions to open network security conversations and uncover refresh opportunities.

01 What percentage of your network traffic is encrypted, and are you currently decrypting and inspecting SSL/TLS?
02 How do you currently manage firewall policies across sites — is it centralized or distributed?
03 Are you using App-ID or still relying on port/protocol-based rules for your security policies?
04 What is your current firewall refresh cycle, and when are existing contracts up for renewal?
05 Do you have visibility and security controls for IoT devices on your network today?
06 Are you concerned about quantum computing threats to your encrypted traffic in the near future?

AI Security — Managed via SCM

Prisma AIRS 2.0

AI Runtime Security — the industry's most comprehensive AI security platform. Protects models, agents, and LLM applications across the entire AI lifecycle. Deployed and managed through Strata Cloud Manager.

AI Model Security

Scans AI model files for malicious payloads, backdoors, and tampering across 35+ file types and 25+ threat categories.

AI Red Teaming

Automated adversarial testing with adaptive AI agents. Finds prompt injection, jailbreaks, and data extraction vulnerabilities.

AI Posture Management

Discovers all AI models, datasets, and pipelines. Maps data flows, permissions, dependencies. Identifies shadow AI.

AI Runtime Security

Real-time protection for LLM apps in production. Guards against prompt injection, data leakage, hallucination attacks, and toxic output.

AI Agent Security

Secures autonomous AI agents from identity impersonation, memory manipulation, and tool misuse as agentic AI proliferates.

Protect AI

Completed

$650-700M acquisition. AI model vulnerability scanning and red teaming. Guardian + Recon products form the foundation of AIRS 2.0 Model Security and Red Teaming modules.

Koi Security

Pending

~$400M pending acquisition. Agentic endpoint security — monitoring agent behavior, preventing unauthorized tool access, and enforcing trust boundaries for AI agents.