Express Mode and Secure Mode

End-of-Life (EoL)

Palo Alto Networks firewall models with a K2-designated SKU are for service providers and support express mode (prioritizing highest throughput) and secure mode (providing full security functionality).
The Palo Alto Networks® family of 5G-ready next-generation firewalls is available in physical and virtual form factors:
  • PA-5220, PA-5250, and PA-5260 firewalls are 5G-ready.
  • All VM-Series firewalls are 5G-ready.
  • The PA-5280 firewall and PA-7000 Series firewalls (that have a PA-7000-100G-NPC and PA-7050-SMC-B or PA-7080-SMC-B card and PA-7000-LFC-A card) are available in several ways:
    • Those with regular SKUs and those with K2 secure mode SKUs (which function in secure mode) are 5G-ready. They provide security with full Layer 7 application, user, threat, and content visibility and enforcement. Support is also available for EDL.
    • Those with K2 express mode SKUs function in express mode. They are optimized for the highest throughput configuration, for when you decide that basic port- and protocol-based security controls on your firewall are sufficient. No Layer 7 application, user, threat, or content visibility or enforcement is available in this mode. You can, however, deploy Security policy based on source and destination IP address, FQDN, or geo-IP; service (port); source user; and source and destination zone; and you can use IP-only external dynamic lists (EDLs). Traffic logs indicate all applications simply as express-mode. There are no logs for threat, URL filtering, WildFire® submission, data filtering, tunnel inspection, GTP or SCTP.
    If you purchase a firewall in express mode and later decide you want full Layer 7 application, user, threat, and content visibility and enforcement, purchase a secure mode upgrade to seamlessly transition to the 5G-ready next-generation firewall capabilities. For example:
    • To upgrade a PA-5280 firewall from express mode to secure mode, purchase a PAN-PA-5280-SEC-K2-UPG upgrade license.
    • To upgrade a PA-7000 Series (PA-7050 or PA-7080) firewall from express mode to secure mode, purchase an upgrade license for each Network Processing Card (NPC) on the firewall that was purchased as an Express Mode NPC. (NPCs purchased as Secure Mode need not be upgraded.) For example, a PA-7080 firewall with six Express Mode NPCs and two Secure Mode NPCs would require six PAN-PA-7000-100G-SEC-K2-UPG upgrade licenses. All NPCs in the firewall must have been either purchased as Secure Mode NPCs or upgraded to Secure Mode before the chassis is configured in Secure Mode.
    If you accidentally change a firewall from express mode to secure mode, you can Restore Express Mode.
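
The following is an added example, not part of the Palo Alto Networks documentation. Because express-mode traffic logs show every application as express-mode and the firewall produces no threat, URL filtering, or WildFire logs, a log pipeline can use that label to map which firewalls provide no Layer 7 visibility and when a firewall changed mode. The CSV layout, column names, device names, and sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Application label the page says express-mode traffic logs carry.
EXPRESS_APP = "express-mode"

# Constructed sample export; column and device names are assumptions.
SAMPLE = """receive_time,device_name,application,action
2024-01-01T10:00:00,fw-core-1,express-mode,allow
2024-01-01T10:00:05,fw-core-1,express-mode,deny
2024-01-01T10:00:01,fw-edge-2,ssl,allow
2024-01-01T10:00:07,fw-edge-2,dns,allow
2024-01-01T10:00:02,fw-agg-3,express-mode,allow
2024-01-01T11:30:00,fw-agg-3,web-browsing,allow
"""

def classify_devices(csv_text):
    """Map each device to its current mode and, if it switched, when."""
    per_device = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        app = row["application"].strip().lower()
        per_device[row["device_name"]].append((row["receive_time"], app == EXPRESS_APP))
    result = {}
    for device, entries in per_device.items():
        entries.sort()  # ISO 8601 timestamps sort chronologically as text
        is_express_now = entries[-1][1]
        # Timestamps of entries logged in the other mode, if any.
        other = [t for t, express in entries if express != is_express_now]
        changed_at = None
        if other:
            # First entry after the last one seen in the other mode.
            changed_at = min((t for t, _ in entries if t > other[-1]), default=None)
        result[device] = {
            "mode": "express" if is_express_now else "layer7",
            "changed_at": changed_at,
        }
    return result

def no_layer7_visibility(result):
    """Devices from which no threat, URL or WildFire logs should be expected."""
    return sorted(d for d, info in result.items() if info["mode"] == "express")

if __name__ == "__main__":
    report = classify_devices(SAMPLE)
    for device, info in sorted(report.items()):
        print(device, info)
    print("no Layer 7 visibility:", no_layer7_visibility(report))
```

A device listed by `no_layer7_visibility` is a detection-coverage gap for anything that depends on threat, URL filtering, or WildFire logs, and a non-null `changed_at` marks the first log entry after a mode change.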