

Detailed Specifications
| Specification | Palo Alto PA-820 | Palo Alto PA-850 |
|---|---|---|
| Key Metrics | | |
| Firewall throughput (App-ID) | 1.5 Gbps | 1.9 Gbps |
| Threat Prevention throughput | 800 Mbps | 900 Mbps |
| IPSec VPN throughput | 1.2 Gbps | 1.6 Gbps |
| Maximum concurrent sessions | 128,000 | 192,000 |
| Form factor | 1U rackmount | 1U rackmount |
| Performance | | |
| App-ID firewall throughput | 1.5 Gbps | 1.9 Gbps |
| Threat Prevention throughput | 800 Mbps | 900 Mbps |
| IPSec VPN throughput | 1.2 Gbps | 1.6 Gbps |
| Concurrent sessions | 128,000 | 192,000 |
| Session capacity uplift vs sibling | Baseline | +50% sessions, +27% throughput |
| Connectivity | | |
| 10/100/1000 RJ45 ports | 12 | 12 |
| 1GbE SFP ports | 4 | 8 |
| 10GbE SFP+ ports | 2 | 4 |
| Total data interfaces | 18 | 24 |
| Dedicated management / HA | MGT + console (standard PA-800 layout) | MGT + console + dedicated HA ports |
| Resilience & Management | | |
| High availability modes | Active/Passive, Active/Active | Active/Passive, Active/Active |
| Redundant power supply | Optional | Included (redundant PSU) |
| Management | PAN-OS, Panorama, CLI, web UI | PAN-OS, Panorama, CLI, web UI |
| Cloud-delivered security services | Threat Prevention, WildFire, URL Filtering, DNS Security (subscription) | Threat Prevention, WildFire, URL Filtering, DNS Security (subscription) |
| Deployment Fit | | |
| Target deployment | Mid-size branch / small datacentre edge | Mid-enterprise campus / regional datacentre |
| Typical user count | Up to ~300 users | Up to ~500 users |
| Suited to SSL inspection at full rate | Limited headroom | Moderate headroom |
Expert Analysis
The practical gap between the PA-820 and PA-850 is modest but real: roughly 27% more App-ID throughput, 50% more concurrent sessions, double the SFP+ count, and redundant power as standard rather than optional. PAN-OS, the security subscriptions (Threat Prevention, WildFire, URL Filtering, DNS Security) and the management experience via Panorama are identical, so the choice is purely a sizing and resilience decision, not a feature one.
The PA-820 is the right pick when the site genuinely fits inside its envelope — typically a UK branch or mid-size office of up to around 300 users with a single uplink and modest SSL decryption requirements. It is the more cost-effective box and gives you the full PAN-OS feature set, but it has limited headroom once you turn on Threat Prevention plus decryption plus logging at peak. Buyers who expect any of those workloads to grow should size up rather than refresh early.
The PA-850 earns its premium in two specific places: session capacity (192k vs 128k matters for sites with lots of short-lived flows, IoT or guest Wi-Fi) and the extra 10GbE SFP+ pair, which is what most UK regional datacentres or HQ edges actually need for dual-uplink resilience to two carriers. Redundant PSU as standard also removes a line item that many procurement teams forget on the 820.
Recommendation: choose the PA-820 for a stable branch with a known user count and a single ISP; choose the PA-850 where you need dual 10GbE uplinks, HA with redundant power, or any prospect of enabling SSL decryption across the user base. Note that both models are end-of-sale from Palo Alto — UK buyers should weigh remaining support life and consider the PA-400 series for new deployments where lifecycle matters under NIS2 and NCSC guidance.