PA-3000 Series
Hardware Reference Guide
Contact Information
http://www.paloaltonetworks.com/contact/contact/
About this Guide
This guide describes the PA-3000 Series (PA-3020, PA-3050, and PA-3060) firewall hardware,
provides instructions on installing the hardware, describes how to perform maintenance procedures, and
provides product specifications. This guide is intended for system admini strators responsible for
installing and maintaining the PA-3000 Series firewall.
All PA-3000 Series devices run PAN-OS, a purpose-built operating system with extensive
functionality. For additional information, refer to the following resources:
• For information on the additional capabilities and for instructions on configuring the features on
the firewall, refer to
• For access to the knowledge base, complete documentation set, discussion forums, and videos,
refer to
https://live.paloaltonetworks.com.
• For contacting support, for information on the support programs, or to manage your account or
devices, refer to
• For the latest release notes, go to the software downloads page at
https://support.paloaltonetworks.com/Updates/SoftwareUpdates.
https://www.paloaltonetworks.com/documentation.
https://support.paloaltonetworks.com.
• For capacity and performance information for all Palo Alto Networks firewalls, refer to
https://www.paloaltonetworks.com/products/product-selection.html.
To provide feedback on the documentation, please write to us at:
documentation@paloaltonetworks.com.
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2013 Palo Alto Networks. All rights reserved.
Palo Alto Networks and PAN-OS are trademarks of Palo Alto Networks, Inc.
Part number: 810-000112-00D
March 17, 2015 - Palo Alto Networks COMPANY CONFIDENTIAL
Table of Contents
Chapter 1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Front Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
PA-3020 and PA-3050 Front Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
PA-3060 Front Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Back Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
PA-3020 and PA-3050 Back Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
PA-3060 Back Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Chapter 2
Install the Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Tamper Proof Statement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Equipment Rack Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Connect Cables to the Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Connect Power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Chapter 3
Maintaining the Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Cautions and Warnings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Interpret the Device LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Interpret the Port LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Replace a PA-3060 Power Supply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
5
11
17
Chapter 4
Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Physical Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Interface Specifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Electrical Specifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Environmental Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Palo Alto Networks Table of Contents • 3
21
Chapter 5
Compliance Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
VCCI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
BSMI EMC Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
25
4 • Table of Contents Palo Alto Networks
March 17, 2015 - Palo Alto Networks COMPANY CONFIDENTIAL
Chapter 1
Overview
This section describes the front and back panels of the PA-3000 Series (PA-3020, PA-3050, and
PA-3060) firewalls:
• “Front Panel” on page 6
• “Back Panel” on page 8
Note: The port configuration on the PA-3020 and PA-3050 firewalls is
identical; the differences between the devices are based on performance and
capacity. The PA-3060 firewall differs from other devices in the series in
port configuration, power supply configuration, and airflow.
Palo Alto Networks Overview • 5
Front Panel
Front Panel
This section describes the front panel of the PA-3000 Series firewalls.
• “PA-3020 and PA-3050 Front Panel” on page 6
• “PA-3060 Front Panel” on page 7
PA-3020 and PA-3050 Front Panel
Figure 1 shows the front panel of the PA-3020 and PA-3050 firewalls and Table 1 describes the
front-panel features.
Figure 1. PA-3020 and PA-3050 Front Panel
Ethernet
ports
SFP
ports
HA
ports
HA1
HA2
Management
port
MGT
Console
port
Status
LEDs
PA-3050
USB
port
Table 1. PA-3020 and PA-3050 Front-Panel Features
Item Description
Ethernet ports Twelve RJ-45 10/100/1000 ports for network traffic.
SFP ports Eight Small Form-Factor Pluggable (SFP) 1 Gbit/s ports for network
traffic.
High-availability (HA) ports Two RJ-45 ports for high-availability (HA) control and
synchronization.
Management port One RJ-45 port to access the device management interfaces through
an Ethernet interface.
Console port One RJ-45 port for connecting a serial console.
USB port One USB port for future use.
Status LEDs Six LEDs indicating system status. Refer to “Interpret the Device
6 • Overview Palo Alto Networks
LEDs” on page 18 for LED definitions.
PA-3060 Front Panel
Ethernet
ports
SFP
ports
HA
ports
Management
port
Console
port
USB
port
Status
LEDs
SFP+
ports
This section describes the front panel of the PA-3000 Series firewalls.
Figure 2 shows the front panel of the PA-3060 firewall and Table 2 describes the front-panel
features.
Figure 2. PA-3060 Font Panel
Table 2. PA-3060 Front-Panel Features
Front Panel
Item Description
Ethernet ports Eight RJ-45 10/100/1000 ports for network traffic.
SFP ports Eight Small Form-Factor Pluggable (SFP) 1 Gbit/s ports for
network traffic.
SFP+ ports Two Enhanced Small Form-Factor Pluggable Plus (SFP+)
10 Gbit/s ports for network traffic.
High-availability (HA) ports Two RJ-45 ports for high-availability (HA) control and
synchronization.
Management port One RJ-45 port to access the device management interfaces through
an Ethernet interface.
Console port One RJ-45 port for connecting a serial console.
USB port One USB port for future use.
Status LEDs Six LEDs indicating system status. Refer to “Interpret the Device
LEDs” on page 18 for LED definitions.
Palo Alto Networks Overview • 7
Back Panel
AC Power
Inlet
Grounding
Lug
Power Supply
Exhaust
Back Panel
This section describes the back panel of the PA-3000 Series firewalls.
• “PA-3020 and PA-3050 Front Panel” on page 6
• “PA-3060 Front Panel” on page 7
PA-3020 and PA-3050 Back Panel
Figure 3 shows the back panel of the PA-3020 and PA-3050 firewalls and Table 3 describes the
back-panel features.
Figure 3. PA-3020 and PA-3050 Back Panel
Table 3. PA-3020 and PA-3050 Back-Panel Features
Item Description
AC power inlet and power
supply
Grounding lug To ground the system, use a grounding wire of at least 14 American
Power inlet for device power.
Note: The power supply is not customer serviceable.
Wire Gauge (AWG). Attach the 14 AWG wire to an agencyapproved crimp connector (Tyco 34120 or certified Lug), crimped
with the proper crimping tool and attached to the protective
grounding lug. Use a size #8-32 nut and a star washer (supplied) to
secure the grounding lug to the chassis and connect he other end to
the building ground. Toque the nut to 15 in-lbs. Do not over tighten.
8 • Overview Palo Alto Networks
PA-3060 Back Panel
Figure 4 shows the back panel of the PA-3060 firewall and Table 4 describes the back-panel
features.
Figure 4. PA-3060 Back Panel
Grounding Lug
Back Panel
Power Supplies
Exhaust Fans
Table 4. PA-3060 Back-Panel Features
Item Description
Power supplies Two redundant, hot-swappable power supplies.
Grounding lug To ground the system, use a grounding wire of at least 14 American
Wire Gauge (AWG). Attach the 14 AWG wire to an agencyapproved crimp connector (Tyco 34120 or certified Lug), crimped
with the proper crimping tool and attached to the protective
grounding lug. Use a size #8-32 nut and a star washer (supplied) to
secure the grounding lug to the chassis and connect he other end to
the building ground. Toque the nut to 15 in-lbs. Do not over tighten.
Exhaust fans Four exhaust fans that provide front-to-back ventilation and cooling
for the device.
Palo Alto Networks Overview • 9
Back Panel
10 • Overview Palo Alto Networks
March 17, 2015 - Palo Alto Networks COMPANY CONFIDENTIAL
Chapter 2
Install the Hardware
This chapter describes how to install the PA-3000 Series firewalls.
• “Tamper Proof Statement” on page 11
• “Before You Begin” on page 11
• “Equipment Rack Installation” on page 13
• “Connect Cables to the Device” on page 15
• “Connect Power” on page 16
Tamper Proof Statement
To ensure that products purchased from Palo Alto Networks have not been tampered with
during shipping, verify the following upon receipt of each product:
• The tracking number provided to you electronically when ordering the product matches
the tracking number that is physically labelled on the box or crate.
• The integrity of the tamper-proof tape used to seal the box or crate has not been
compromised.
• The warranty seals on the device itself do not show evidence of tampering.
Before You Begin
• It is recommended that two people be available to mount the PA-3000 Series firewall in a
19-inch rack.
• Have a Phillips-head screwdriver available.
• Verify that the intended location has adequate air circulation and meets the temperature
requirements. Refer to the
• Unpack the device.
Palo Alto Networks Install the Hardware • 11
“Environmental Specifications” on page 24.
Before You Begin
• Verify that power is not connected to the firewall.
• On the PA-3020 and PA-3050 firewalls, allow clear space on both sides of the firewall for
side-to-side airflow. On the PA-3060 firewall, leave clear space on the front and back of the
firewall for front-to-back airflow.
12 • Install the Hardware Palo Alto Networks
Equipment Rack Installation
The following safety guidelines apply to rack installation:
• Elevated ambient operating temperature—If the PA-3000 Series firewall is installed in a
closed or multi-unit rack assembly, the ambient operating temperature of the rack
environment may be greater than the ambient room temperature. Verify that the ambient
temperature of the rack assembly meets the maximum rated ambient temperature
requirements listed in the
• Reduced airflow—Ensure that the airflow required for safe device operation is not
compromised by the rack installation.
• Mechanical loading—Ensure that the rack mounted device does not cause hazardous
conditions due to uneven mechanical loading.
• Circuit overloading—Ensure that the circuit that supplies power to the device is
sufficiently rated to avoid circuit overloading or excess load on supply wiring. Refer to
“Electrical Specifications” on page 23.
the
• Reliable earthing—Maintain reliable earthing of rack mounted equipment. Pay special
attention to supply connections other than direct connections to the branch circuit (such
as the use of power strips).
“Environmental Specifications” on page 24.
Equipment Rack Installation
To install the PA-3000 Series firewall in a grounded 19-inch rack:
Note: The brackets on the PA-3000 Series firewalls can be installed in a frontmount position or a mid-mount position.
1. Screw the rack mounting brackets onto the front of the device using a Phillips-head
screwdriver.
PA-3050 firewalls and Figure 6 shows how the brackets attach to the PA-3060 firewall.
2. Using two people, lift the device and position it in the rack.
3. Align the mounting holes on the attached rack mounting brackets with holes in the rack
rail. Ensure that the bracket and rack holes align, so the device is level.
4. Insert mounting screws into the aligned holes. Tighten with a Phillips screwdriver.
Figure 5 shows how the rack mounting brackets attach to the PA-3020 and
Note: When installing the rack brackets on the PA-3060 firewall, first insert all
four screws (per bracket) and partially tighten. After all screws are inserted, then
torque each screw to 7 in. lbs to fully tighten.
Palo Alto Networks Install the Hardware • 13
Equipment Rack Installation
Mid-mount
position
Front-mount
position
Figure 5. PA-3020 and PA-3050 Rack-Mount Brackets
Mid-mount
position
Front-mount
position
Figure 6. PA-3060 Rack-Mount Brackets
3
HA2
HA1
14 • Install the Hardware Palo Alto Networks
Connect Cables to the Device
Figure 7 shows the PA-3050 firewall cable connections. The PA-3020 and PA-3050 firewalls
each have eight SFP ports and twelve copper Ethernet ports. The PA-3060 firewall has eight
SFP+ ports and eight copper Ethernet ports. Refer to “Front Panel” on page 6 for descriptions
of the front-panel interfaces.
CAUTION: Shielded interface cables that are grounded shall be used to ensure
agency compliance with electromagnetic emissions (EMC).
CAUTION: Fiber transceivers that are installed by the user shall be Class I and
CDRH certified.
Figure 7. PA-3020 and PA-3050 Cable Connections
Connect Cables to the Device
PA-3050
Network
SFP
HA1
MGT
HA2
Console
HA1 HA2
Management
Palo Alto Networks Install the Hardware • 15
Connect Power
Circuit A Circuit B
Connect Power
To power the PA-3020 and PA-3050 firewalls, attach a power cable to the device AC power
inlet and plug the other end into a grounded wall outlet and the device will power on. For the
PA-3060, do the same, but use two power cables on different circuits for redundancy. Figure 8
shows the power connection for a PA-3060.
Figure 8. PA-3060 Power Connection
16 • Install the Hardware Palo Alto Networks
March 17, 2015 - Palo Alto Networks COMPANY CONFIDENTIAL
Chapter 3
Maintaining the Hardware
This chapter describes how to interpret LEDs and troubleshoot hardware problems.
• “Cautions and Warnings” in the next section
• “Interpret the Port LEDs” on page 19
• “Replace a PA-3060 Power Supply” on page 19
Cautions and Warnings
CAUTION: Disconnect all power cords before servicing the PA-3000 Series firewalls.
CAUTION: This product complies with 21 CFR 1040.10 and 1040.11.
French Translation:
CE PRODUIT EST CONFORME AUX NORMES 21 CFR 1040.10 ET 1040.11.
CAUTION: Laser radiation exposure should be avoided. Cover any unused fiber optical ports. Do not
look directly at exposed fiber optical transmitters or cables.
WARNING: Risk of explosion if battery is replaced by an incorrect type. Dispose of used batteries
according to the instructions (Cl. 1.7.15).
French Translation:
ATTENTION: RISQUE D'EXPLOSION SI LA BATTERIE EST REMPLACÉE PAR UN
MODÈLE DE TYPE INCORRECT. METTEZ AU REBUT LES BATTERIES USAGÉES
CONFORMÉMENT AUX INSTRUCTIONS (CL.1.7.15)
WARNING: Removal of equipment top cover is to be done only by Palo Alto Networks trained
service person(s).
WARNING: To reduce the risk of electric shock, disconnect all power supply cords before servicing
the unit (the unit may have more than one).
French Translation:
Pour réduire le risque de choc électrique, débranchez tous les cordons d'alimentation avant
d'intervenir sur l'appareil (l'appareil peut avoir plus d'un).
Palo Alto Networks Maintaining the Hardware • 17
Interpret the Device LEDs
Interpret the Device LEDs
Figure 9 shows the status LEDs on the front panel of the PA-3000 Series firewalls and Table 5
describes the LED functions and states.
Figure 9. Front-Panel LEDs
Table 5. Status LED Functions and States
Interface State Description
PWR
(Power)
STS
(Status)
FAN Green All fans are operating normally.
HA Green The device is active in an active/passive configuration, or is the
ALM
(Alarm)
TEMP Green The temperature is normal.
Green The device is powered.
Off The device is not powered or an error has occurred with the
internal power complex (not within tolerance levels).
Green The device is operating normally.
Yellow The device is booting up.
Red One or more fans have failed.
active-primary or active-secondary in an active/active
configuration.
Yellow The device is currently in the passive state.
Off High availability is not enabled on this device, the status is
unknown, or the device is suspended or non-functional.
If the device is in a non-functional or tentative state, the ALM
(Alarm) LED will change to red.
Red There is a hardware failure, which may include fan failure, power
supply failure, HA failover, or temperature above the high
temperature threshold.
Off The device is operating normally.
Yellow The temperature is outside the normal tolerance.
18 • Maintaining the Hardware Palo Alto Networks
Interpret the Port LEDs
Table 6 describes the Ethernet port LEDs for the PA-3000 Series firewalls.
Table 6. PA-3000 Series Ethernet Port LEDs
LED Position Description
Left Shows solid green if there is a network link.
Right Blinks green if there is network activity.
Table 7 describes the HA and Management port LEDs for the PA-3000 Series firewalls.
Table 7. PA-3000 Series Management and HA Port LEDs
LED Position Description
Left Shows solid green if there is a network link.
Right Blinks green if there is network activity.
Interpret the Port LEDs
Replace a PA-3060 Power Supply
Before servicing the hardware, read the information in “Cautions and Warnings” on page 17.
To replace a PA-3060 AC power supply:
1. While the PA-3060 is running, unplug the power cord from the failed power supply.
2. Grasp the handle on the failed power supply. Simultaneously push down on the release lever and
then pull the power supply outward to remove the power supply.
and install a power supply.
3. Slide a replacement power supply into the device and ensure that the release lever clicks into place.
4. Connect one end of the AC power cable to the power supply and connect the other end to a
grounded AC power source.
Figure 10 show how to remove
Palo Alto Networks Maintaining the Hardware • 19
Replace a PA-3060 Power Supply
Figure 10. PA-3060 Power Supply Replacement
20 • Maintaining the Hardware Palo Alto Networks
March 17, 2015 - Palo Alto Networks COMPANY CONFIDENTIAL
Chapter 4
Specifications
This chapter provides specifications for the PA-3000 Series firewalls.
• “Physical Specifications” in the next section
• “Interface Specifications” on page 23
• “Electrical Specifications” on page 23
• “Environmental Specifications” on page 24
Palo Alto Networks Specifications • 21
Physical Specifications
Physical Specifications
Table 8 lists the physical specifications for the PA-3000 Series firewalls.
Table 8. Physical Specifications
Specification Description
Height PA-3020/PA-3050—1.75 inches (4.445 cm) (1 RU)
Depth PA-3020/PA-3050—17 inches (43.18 cm)
Width PA-3020/PA-3050—17 inches (43.18 cm)
Weight PA-3020/PA-3050—15 lb (6.80 kg)
Mounting Standard 19-inch rack
Fans Four fans
PA-3060—2.6 inches (6.6 cm) (1.5 RU)
Note: The PA-3060 firewall is physically 2.6 inches or
approximately 1.5 RU tall. If a single device is installed, it will
consume 2 RU. If you install two devices together using the
provided brackets, only 3 RU will be consumed.
PA-3060—14 inches (35.56 cm)
PA-3060—17.5 inches (44.45 cm)
PA-3060—18 lb (8.16 kg)
22 • Specifications Palo Alto Networks
Interface Specifications
Table 9 describes the interfaces for the PA-3000 Series firewalls.
Table 9. PA-3000 Series Interface Specifications
Specification Description
Ethernet ports PA-3020/PA-3050—Twelve RJ-45 10/100/1000 ports for network
Small Form-Factor Pluggable
(SFP) ports
Management port One RJ-45 port to access the device management interfaces through
Console port One RJ-45 port for connecting a serial console. Use the following
Interface Specifications
traffic.
PA-3060—Eight RJ-45 10/100/1000 ports for network traffic.
PA-3020/PA-3050—Eight SFP ports for network traffic.
PA-3060—Eight SFP and 2 SFP+ ports for network traffic.
an Ethernet interface.
settings:
• Data rate: 9600
• Data bits: 8
• Parity: none
• Stop bits: 1
• Flow control: none
USB port One USB port for future use.
Electrical Specifications
Table 10 lists the electrical specifications for the PA-3000 Series firewalls.
Table 10. PA-3000 Series Electrical Specifications
Specification Description
Maximum internal power dissipation PA-3020/PA-3050/PA-3060—250W AC
AC voltage 100-240 VAC
Palo Alto Networks Specifications • 23
Environmental Specifications
Environmental Specifications
Table 11 lists the environmental specifications for the PA-3000 Series.
Table 11. PA-3000 Series Environmental Specifications
Specification Description
Operating temperature range 32°F to 122°F (0° to 50°C)
Storage temperature range -4°F to 158°F (-20° to 70°C)
System airflow PA-3020/PA-3050—Side-to-side (While facing the front of the
firewall, the air enters from the right and exits on the left)
PA-3060—Front-to-back
24 • Specifications Palo Alto Networks
March 17, 2015 - Palo Alto Networks COMPANY CONFIDENTIAL
Chapter 5
Compliance Statements
This section lists the following hardware compliance statements:
• “VCCI” in the next section
• “BSMI EMC Statement” on page 25
VCCI
This section provides the compliance statement for the Voluntary Control Council for
Interference by Information Technology Equipment (VCCI), which governs radio frequency
emissions in Japan.
The following information is in accordance to VCCI Class A requirements
Translation: This is a Class A product. In a domestic environment this product may cause
radio interference, in which case the user may be required to take corrective actions.
BSMI EMC Statement
User warning: This is a Class A product, when used in a residential environment it may cause radio
interference. In this case, the user will be required to take adequate measures.
Manufacturer: Flextronics International
Country of Origin: Made in the USA with parts of domestic and foreign origin.
Input Frequency: 50-60 Hertz (Hz)
Input Voltage (AC): 100 to 240 Volts
Palo Alto Networks Compliance Statements • 25
BSMI EMC Statement
BSMI EMC 聲明
警告使用者 :
這是甲類的資訊產品 , 在居住的環境中使用時 , 可能會造成射頻干擾 ,
在這種情況下 , 使用者會被要求採取某些適當的對策
製造商:偉創力國際
原產地:美國 / 部份零組件產地為美國及其它國家。
輸入頻率:50-60 赫茲(Hz)
輸入電壓(AC):100 〜 240 伏特
26 • Compliance Statements Palo Alto Networks
Loading...