The problem provides several constraints and design requirements that must be carefully
considered:
Bandwidth Requirement:
The customer needs an NGFW capable of handling a total throughput of 72 Gbps.
The PA-5445 is specifically designed for high-throughput environments and supports up to 81.3 Gbps
Threat Prevention throughput (as per the latest hardware performance specifications). This ensures
the throughput needs are fully met with some room for growth.
Interface Compatibility:
The customer mentions that their core switches support up to 40 Gbps interfaces. The design must
include aggregate links to meet the overall bandwidth while aligning with the 40 Gbps interface
limitations.
The PA-5445 supports 40 Gbps QSFP+ interfaces, making it a suitable option for the hardware
requirement.
No Change to IP Address Structure:
Since the customer cannot modify their IP address structure, deploying the NGFW in Layer-2 or
Virtual Wire mode is ideal.
Virtual Wire mode allows the firewall to inspect traffic transparently between two Layer-2 devices
without modifying the existing IP structure. Similarly, Layer-2 mode allows the firewall to behave like
a switch at Layer-2 while still applying security policies.
Threat Prevention, DNS, and Sandboxing Requirements:
The customer requires advanced security features like Threat Prevention and potentially sandboxing
(WildFire). The PA-5445 is equipped to handle these functionalities with its dedicated
hardware-based architecture for content inspection and processing.
Aggregate Interface Groups:
The architecture should include aggregate interface groups to distribute traffic across multiple
physical interfaces to support the high throughput requirement.
By aggregating 2 x 40 Gbps interfaces on both sides of the path in Virtual Wire or Layer-2 mode, the
design ensures sufficient bandwidth (up to 80 Gbps per side).
Why PA-5445 in Layer-2 or Virtual Wire mode is the Best Option:
Option A satisfies all the customer’s requirements:
The PA-5445 meets the 72 Gbps throughput requirement.
2 x 40 Gbps interfaces can be aggregated to handle traffic flow between the core switches and the
NGFW.
Virtual Wire or Layer-2 mode preserves the IP address structure, while still allowing full threat
prevention and DNS inspection capabilities.
The PA-5445 also supports sandboxing (WildFire) for advanced file-based threat detection.
Why Not Other Options:
Option B:
The PA-5430 is insufficient for the throughput requirement (72 Gbps). Its maximum Threat
Prevention throughput is 60.3 Gbps, which does not provide the necessary capacity.
Option C:
While the PA-5445 is appropriate, deploying it in Layer-3 mode would require changes to the IP
address structure, which the customer explicitly stated is not an option.
Option D:
The PA-5430 does not meet the throughput requirement. Although Layer-2 or Virtual Wire mode
preserves the IP structure, the throughput capacity of the PA-5430 is a limiting factor.
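The elimination reasoning above can be written down as a small sizing check. This is an added example, not part of the original explanation or any Palo Alto Networks tool; the throughput figures are the ones quoted in the text (the datasheet is authoritative), and the list of model/mode combinations is constructed from the options discussed above.

```python
from math import ceil

# Threat Prevention throughput per model, as quoted in the text above (Gbps).
THREAT_PREVENTION_GBPS = {"PA-5445": 81.3, "PA-5430": 60.3}

# Deployment modes and whether they leave the customer's IP addressing untouched.
PRESERVES_IP_STRUCTURE = {"virtual-wire": True, "layer-2": True, "layer-3": False}


def links_per_side(required_gbps: float, link_gbps: float) -> int:
    """Minimum number of equal-speed members an aggregate group needs per side.

    Caveat: a LAG hashes flows across members, so aggregate capacity grows
    but no single flow can exceed the speed of one member link.
    """
    return ceil(required_gbps / link_gbps)


def evaluate(model: str, mode: str, required_gbps: float, link_gbps: float) -> dict:
    """Check one model/mode combination against the customer's constraints."""
    n = links_per_side(required_gbps, link_gbps)
    return {
        "model": model,
        "mode": mode,
        "throughput_ok": THREAT_PREVENTION_GBPS[model] >= required_gbps,
        "ip_structure_ok": PRESERVES_IP_STRUCTURE[mode],
        "links_per_side": n,
        "aggregate_gbps_per_side": n * link_gbps,
    }


def viable_designs(candidates, required_gbps: float, link_gbps: float) -> list:
    """Return the (model, mode) pairs that satisfy both hard constraints."""
    return [
        (c["model"], c["mode"])
        for c in (evaluate(m, mode, required_gbps, link_gbps) for m, mode in candidates)
        if c["throughput_ok"] and c["ip_structure_ok"]
    ]


# Constructed candidate list covering the combinations the options discuss.
CANDIDATES = [
    ("PA-5445", "virtual-wire"),
    ("PA-5445", "layer-2"),
    ("PA-5445", "layer-3"),
    ("PA-5430", "virtual-wire"),
    ("PA-5430", "layer-2"),
]

if __name__ == "__main__":
    for model, mode in CANDIDATES:
        print(evaluate(model, mode, required_gbps=72, link_gbps=40))
    print("viable:", viable_designs(CANDIDATES, required_gbps=72, link_gbps=40))
```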
Reference from Palo Alto Networks Documentation:
Palo Alto Networks PA-5400 Series Datasheet (latest version)
Specifies the performance capabilities of the PA-5445 and PA-5430 models.
Palo Alto Networks Virtual Wire Deployment Guide
Explains how Virtual Wire mode can be used to transparently inspect traffic without changing the
existing IP structure.
Aggregated Ethernet Interface Documentation
Details the configuration and use of aggregate interface groups for high throughput.