Palo Alto PA-3220 Review: A Detailed Guide
Welcome to my review of the Palo Alto PA-3220 Next Generation Firewall. It provides a succinct guide to my overall experience using this machine.
In the world today, cyber threats are ever-evolving, and there is always the need for robust solutions to these threats. The digital world continues to advance and so it is with the types and complexities of threats. The Palo Alto PA-3220 NGF as well as other Palo Alto Firewalls are machines that provide Sophistication, High Performance, Advanced Threat Detection, Operational Efficiency, and Scalability; It may just be what you are looking for.
The Palo Alto PA-3220 NGF is a machine that is manufactured for High-Speed Internet Gateways, Antivirus & Anti-spyware Scanning and Detection, URL Filtering & Content Inspection, Granular Application Visibility & Control. Above perimeter defenses, the Palo Alto PA-3220 NGF features Intrusion Detection and Prevention to take down known and unknown threats. It monitors all traffic and secures them while providing Encrypted Communications, as well as dedicated memory processing to cater to your overall Network Infrastructure, redundancy, management, and its own protection.
As I walk you through my review of this Palo Alto PA-3220 Next Generation Firewall, you will get to see the Architecture of the PA-3220, its High-Availability Configurations, its integration with LDAP and Active Directory, Automation, VPN, Logs and Reports, and other tasks that this machine enables you as an Administrator to perform.
Let’s get started.
The Palo Alto PA-3220 Front Panel
The picture above shows what the Palo Alto PA-3220 and its front panel look like, and I particularly like the distinctive blue color of the machine. So, looking at the front panel from the left side to the right side, there are Twelve RJ-45 Ethernet Ports with 10Mbps/100Mpbs/1Gbps capability, and Auto Negotiate Only. Next, you find SFP Ports from number Thirteen to Twenty. Within this number, Thirteen to Sixteen are capable of 1Gbps, then Seventeen to Twenty are SFP and SFP+ capable (10Gbps) depending on the transceiver you install. Next, you have a High-Speed Chassis Interconnect Port (HSCI) to enable the connection of High Availablity Session Traffic.
Still on the Front Panel of the Palo Alto PA-3220 NGF, you will find the HA1-A, HA1-B, MGT, and Console Ports. The first two are dedicated ports that are to be used to connect two PA-3220 Firewalls together, and in this type of deployment, you can set them up as Active/Passive machines or Active/Active machines. It is worth mentioning that with the Palo Alto PA-3220 NGF, there are two other models (the PA-3260 & PA-3250) and they all make up the Palo Alto PA-3200 Series Next-Generation Firewalls.
The MGT Port is used to manage the Firewall. You can manage the PA-3220 via its GUI by connecting one end of an Ethernet cable to the MGT Port, and the other end to your PC. Then, the Console Port you have on the front of the PA-3220 enables you to connect via a Terminal Application.
Still on the front panel of the PA-3220, you have a USB Port to attach a Drive that carries a Palo Alto Bootstrap PAN-OS Bundle Configuration so that you can set up and license the PA-3220 without an internet connection. Next, the Micro USB Port in front allows you to use a standard Type-A to Micro USB Cable for connecting to the Firewall and to your PC. Lastly on this, there are 8 Status LEDs that indicate different states of the Firewall. The Power LED, Status LED, High Availability LED, Temperature LED, Alarm LED, Fans LED, Power 1 and Power 2 LEDs, Ethernet LEDs, SFP, SFP+, and QSFP LEDs.
The Palo Alto PA-3220 Back Panel
Looking at the back panel, there are two power supplies for redundancy, as well as fan trays, and LEDs. The Power Input LED is at the top and it shows a Solid Green when the voltage supply is within the required specifications, it blinks when there is an Overvoltage or Undervoltage, and when the LED is OFF, it means there is no Power or Overvoltage and Undervoltage conditions have been exceeded. The Output LED displays Solid Green when there are no faults, it blinks Green when Standby Output is enabled, it blinks Yellow when a power supply warning has been detected, and it shows a Solid Yellow when there is a fault with the power supply. For the Fan Tray LED, you see a Green light when all three fans are operational, and a Red light indicates that at least one fan or multiple fans have failed.
PA-3220 Package Components and Accessories
When you receive the Palo Alto PA-3220 NGF, you get velcro straps, rack mount brackets (Two-Post Mount), and depending on what you’ve added to your order, it may come with a Four-Post rack mount also. Then, you have AC Power Cables, DB-9 female to male RJ-45 Console Cable, a CAT6 Ethernet Cable, a Standard Type-A USB to micro USB Console Cable, and rack-mount bracket screws which are #8–32 x 5/16 inch, #10–32 x 3/4 inch, and #12–24 x 1/2. In addition, you have EULA and RoHS documentation.
Palo Alto PA-3220 Setup and Integration
Firstly, you can choose to power up the Palo Alto PA-3220 and integrate it into your network, before rack mounting on either a Two-Post or Four-Post. Alternatively, you can rack mount, connect all cables, and access the Firewall with its default IP Address of 192.168.1.1/24, Username and Password are admin respectively. Logging on to the Palo Alto PA-3220 the first time requires a password change, and you can now change to a more secure password. You also would have to change the default IP Address of the Firewall to another IP Address for your LAN. If you are not sure how to go about this, simply plug one end of your Cat6 Ethernet Cable to your computer’s LAN Port, and the other end of the cable to the PA-3220’s Management Port. Now, you need an IP Address that is in the same subnet as the default IP Address of the PA-3220, like 192.168.1.3/24. So, go to the Properties of your PC’s Ethernet Adapter and assign this IP Address to it. You can also ping the IP Address of the PA-3220 to test reachability and if this is successful, open a browser and type the default IP Address of the Firewall. You will initially see ‘’This Page is not Secure’’ but click on continue and you will be presented with the Palo Alto PA-3220’s Graphical User Interface as shown below.
Performance Expectations of the PA-3220 Next-Generation Firewall
Firstly, the GUI provides you with a vast array of features, several features that you can configure for your network architecture. As an Administrator of your network infrastructure, you have Real-Time statistics on traffic patterns, network activity, application usage, and you can instantly take actions when you observe abnormal situations or network performance issues. This machine is an extremely versatile device and is suitable for any size of network while delivering Advanced Threat Detection and Prevention capabilities. I have summarized key features and performance expectations of the PA-3220 in the following points:
(1) Performance
The Palo Alto PA-3220 is a Next Generation Firewall and has satisfactory throughput capabilities. If you have a very large network, you can be rest assured that this machine will handle the volumes of traffic out of your network without sacrificing performance, as it is built for bandwidth-demanding applications.
(2) Machine Learning
The PA-3220 is designed with algorithms that enable it carry out behavioral analytics and machine learning. With these, it learns behavioral patterns on your network and with this predictive mechanism, it detects potential threats and mitigates against attacks.
(3) Segmentation by Multiple-Zones
Being able to create different Security Zones to cater to every part of your network architecture is very beneficial, and you can do this with the Palo Alto PA-3200 Series NGFs. With segmentation, you will be able to separate and isolate VLANs for example, and when there are security issues, any form of lateral movement is blocked.
(4) Filtering
As expected of a Next Generation Firewall, the PA-3220 provides URL Filtering and Content Inspection. You have Access Control and Policies scrutinizing requests to websites and applications, internet usage, et cetera.
(5) GlobalProtect VPN
Your Network Infrastructure most certainly would cater to mobile users and applications that must access the traditional network perimeter from outside. The GlobalProtect VPN feature of the PA-3220 enables you to set up secure and encrypted remote access to protect your mobile workforce regardless of their location.
(6) Access Control by Roles
The Role-Based Access Control feature empowers you as an Administrator to enhance security governance by managing user account privileges. As the one with the Superuser Account, you can reduce the power of accounts like configuring Read-Only access. With this feature, you can ensure that only authorized access is permitted on the Firewall.
(7) Policies by Geolocation
As already mentioned and seen so far, this Firewall provides you with more than enough settings and policies to configure. On this, you can configure security policies on traffic based on the geographic origin.
(8) Panorama
Palo Alto Panorama gives you a streamlined and centralized approach to ensuring consistency in Policy Enforcement, Reporting, Monitoring, et cetera.
(9) Custom Application Signatures
In its operations dealing with threats, the Firewall combines signature-based and signature-less techniques. You also have the option of creating Custom Application Signatures so that the Firewall’s Application Layer Controls conform to your specific use case.
(10) Reports
Reports and Logs are very important and you get more than enough of them with the PA-3220. With these, you have detailed insights into your security architecture, network health, data for forensic purposes, and post-event analysis.
(11) Growth Considerations
The complexities of threats in the world today are ever-increasing. With Palo Alto Firewalls and as expected from a Top-Tier Security Provider, you have constant security updates, firmware updates, threat intelligence, and patches. With these, you can build your security infrastructure with a Palo Alto Firewall.
Conclusion
In concluding, I am glad to have been able to provide these thoughts on the Palo Alto PA-3220 Next Generation Firewall as this is a machine that just anyone wouldn’t come by easily to write a review of. Having said that, you can get the Palo Alto PA-3220 here on Alibaba or here on Newegg along with Fortinet’s FortiGate 100F, or Cisco Firepower 1140. And for all categories of Administrators and Organizations looking into Security with Palo Alto, be rest assured that there is a lot to benefit from security-wise.
[Affiliate Disclosure]
Some of my links are Affiliate Links, when you click on them, I may get compensation at no cost to you, and this does not change my unbiased reviews.
