Performance Overview
Scores based on quantifiable specification values (1-10 scale)
Detailed Specifications
| Specification | Palo Alto PA-850 Palo Alto | Palo Alto PA-3220 Palo Alto |
|---|---|---|
| Key Metrics | ||
| Firewall throughput (App-ID) | 1.9 Gbps | 4 Gbps |
| Threat Prevention throughput | 900 Mbps | 2.2 Gbps |
| IPSec VPN throughput | 1.6 Gbps | 2.4 Gbps |
| Concurrent sessions | 192,000 | 1,000,000 |
| Form factor | 1U | 2U |
| Throughput & Performance | ||
| Firewall throughput (App-ID) | 1.9 Gbps | 4 Gbps |
| Threat Prevention throughput | 900 Mbps | 2.2 Gbps |
| IPSec VPN throughput | 1.6 Gbps | 2.4 Gbps |
| Hardware acceleration | Shared processing | Dedicated hardware acceleration |
| Sessions & Capacity | ||
| Maximum concurrent sessions | 192,000 | 1,000,000 |
| Sizing tier | Small branch / mid-market | Mid-size enterprise / campus edge |
| Connectivity | ||
| 1GbE copper (RJ45) | 12 | 12 |
| 1GbE SFP | 8 | 4 |
| 10GbE SFP+ | 4 | 4 (combo 1G/10G SFP/SFP+) |
| Total interfaces | 24 | 20 |
| Platform & Management | ||
| Rack height | 1U | 2U |
| Redundant power supplies | Yes | Yes |
| High availability modes | Active/Passive, Active/Active | Active/Passive, Active/Active |
| Management | PAN-OS, Panorama | PAN-OS, Panorama |
Expert Analysis
The headline gap between these two appliances is scale: the PA-3220 delivers roughly 2x the App-ID throughput, 2.4x the Threat Prevention throughput and over 5x the concurrent sessions of the PA-850. That session count is the metric most UK buyers under-weight — a branch with heavy SaaS, CASB decryption and IoT can burn through 192,000 sessions faster than expected, and once you're near the ceiling the PA-850 will start dropping new flows regardless of how much CPU headroom remains.
The PA-850 is still a credible box for a small office or regional site: 1.9 Gbps with App-ID, 900 Mbps with full Threat Prevention, a 1U chassis, dual PSUs and 24 physical interfaces (including four SFP+ cages) make it well-suited to UK sites with sub-gigabit internet and a few hundred users. It is the more space- and power-efficient choice, and on a £/Gbps basis at the lower end of the range it is competitive.
The PA-3220 is the appliance to choose when you need to inspect a full gigabit of internet bandwidth with SSL decryption switched on, or when the site terminates a meaningful number of IPSec tunnels and remote-access users. Dedicated hardware acceleration and the million-session table give it the headroom to run advanced subscriptions (Threat Prevention, WildFire, URL Filtering, DNS Security) concurrently without performance cliffs, and the 2U chassis leaves room for sustained operation under load.
Recommendation framework: pick the PA-850 for branch, retail or smaller HQ deployments under ~250 users with sub-1 Gbps internet and modest VPN concentration. Step up to the PA-3220 for campus edge, data-centre DMZ or any site where SSL inspection at gigabit-plus is non-negotiable, where session counts exceed ~150k, or where you expect to add subscriptions over the appliance's 5-7 year life. If budget allows and you're sizing for growth, the PA-3220 is the safer long-term buy — running a PA-850 hot is a common cause of mid-life refresh pain.
Ready to proceed?
Want to compare different products or add more to this comparison?
Open Interactive Comparison Tool →