What is the focus of the Palo Alto Networks PA-500 Series performance report?

The Miercom report evaluates how the Palo Alto Networks PA-500 Series (specifically the PA-560 and PA-520) performs as an AI-ready Next-Generation Firewall under realistic, security-on conditions.
Key points:
- **Scope of testing:**
  - Focus on modern enterprise traffic dominated by AI, APIs, and encrypted sessions (TLS 1.2 and 1.3).
  - Includes AI and LLM workloads (Perplexity, Grok, DeepSeek, OpenAI Playground), streaming APIs, and intelligent agents.
  - Covers both small business/branch and distributed enterprise use cases.
- **Security-by-default setup:**
  - All devices were tested with core security services **enabled**, not in a lab-optimized “best case.”
  - For Palo Alto Networks: Threat Prevention (antivirus, vulnerability protection, anti-spyware, data filtering, basic file blocking), WildFire, TLS/SSL decryption, and default App-ID policies.
  - For Fortinet: Antivirus, IPS, File Filter, Email Filter, TLS/SSL inspection with equivalent default policies.
- **Traffic and methodology:**
  - Realistic traffic generated using Ixia BreakingPoint PerfectStorm (8×10 Gb/s card) with current ATI content.
  - Mix includes encrypted applications, API-heavy flows, multi-step AI workflows, and traditional enterprise apps (SIP, MSSQL, FIX, RDP, SMBv2, FTP, HTTP/HTTPS).
  - Primary KPI: **Ethernet data rate in Gbps** under load, with each test run until a threshold was reached, such as >100 application transaction failures or 90% CPU utilization.
- **Comparative devices:**
  - Palo Alto Networks: PA-560 and PA-520.
  - Fortinet: FortiGate FG-201G and FG-71G.
The report is designed to give customers a practical view of how these platforms behave in real-world environments where AI traffic, encryption, and full security inspection are the norm, not the exception.

How do PA-560 and PA-520 perform on AI and encrypted traffic versus Fortinet?

The report shows that the PA-560 and PA-520 consistently deliver higher throughput and better stability than the Fortinet FG-201G and FG-71G when security is enabled, especially for AI and encrypted traffic.
**AI and LLM traffic performance**
- Across demanding AI replay workloads (Perplexity, Grok, DeepSeek, OpenAI Playground), the **PA-560 delivered roughly 2× to over 8× the throughput** of the FG-201G.
- The **PA-520 outperformed the FG-71G in every AI scenario tested**, indicating stronger AI readiness at the branch/SMB tier.
- Under DeepSeek AI traffic, the **FG-201G repeatedly entered memory-induced Conserve Mode**, failing the test due to memory exhaustion before CPU was fully utilized.
- Under the same AI loads, the **PA-560 and PA-520 maintained operational stability**, indicating more efficient memory and resource management.
**Encrypted traffic (TLS 1.2 / TLS 1.3)**
- With more than **70% of enterprise traffic encrypted**, the report emphasizes decryption performance.
- Palo Alto Networks platforms sustained **substantially higher throughput** than Fortinet in both TLS 1.2 and TLS 1.3 decryption scenarios.
- This applied with full inspection enabled, not just pass-through decryption.
**Representative HTTP 1.1 performance metrics**
With security services enabled:
- **Raw TCP throughput (1-byte payload):**
  - PA-560: **1,520 Mbps**, more than **4×** the FG-201G.
  - PA-520: **377 Mbps**, more than **5×** the FG-71G (75 Mbps).
- **64K HTTP payload – bandwidth:**
  - PA-560: **10,019 Mbps** vs. FG-201G: **4,281 Mbps** (≈2.3× higher).
  - PA-520: **1,842 Mbps** vs. FG-71G: **652 Mbps** (≈3× higher).
- **64K HTTP payload – connections per second (CPS):**
  - PA-560: **41,373 CPS** vs. FG-201G: **23,004 CPS** (~80% higher).
  - PA-520: **11,731 CPS** vs. FG-71G: **6,086 CPS** (~48% higher).
- **21K HTTP payload – bandwidth:**
  - PA-560: **6,399 Mbps** vs. FG-201G: **2,151 Mbps** (≈3× higher).
  - PA-520: **1,439 Mbps** vs. FG-71G: **371 Mbps** (≈4× higher).
- **21K HTTP payload – CPS:**
  - PA-560: **47,132 CPS** vs. FG-201G: **24,510 CPS** (~92% higher).
  - PA-520: **12,525 CPS** vs. FG-71G: **8,335 CPS** (~50% higher).
- **4.5K HTTP payload – bandwidth:**
  - PA-560: **2,511 Mbps** vs. FG-201G: **830 Mbps** (>3× higher).
  - PA-520: **552 Mbps** vs. FG-71G: **241 Mbps** (>2× higher).
- **4.5K HTTP payload – CPS:**
  - PA-560: **48,624 CPS** vs. FG-201G: **20,241 CPS** (~140% higher).
  - PA-520: **13,220 CPS** vs. FG-71G: **6,750 CPS** (nearly 2× higher).
**Stability under load**
- PA-560 and PA-520 maintained **uninterrupted stability** across AI and high-connection tests.
- FG-201G failed key tests (DeepSeek AI, maximum connections per second, maximum concurrent connections) due to memory constraints.
In practical terms, this means the PA-500 Series is better positioned to handle growing AI, API, and encrypted workloads without having to dial back security services.

What is the total cost of ownership (TCO) impact of choosing the PA-500 Series?

The report concludes that the PA-560 and PA-520 provide a TCO advantage over the Fortinet FG-201G and FG-71G when you look at **cost per protected Mbps** with security services enabled.
**Cost per protected Mbps**
- Metrics are based on **average throughput with services enabled** and the respective security bundles (Pro Bundle for Palo Alto Networks, UTP Bundle for Fortinet).
- **PA-560 vs. FG-201G:**
  - Throughput is **1.9× better** for the PA-560.
  - Overall throughput is **86.2% higher** than FG-201G.
  - TCO per protected Mbps is **1.6× better**.
  - The PA-560 is described as **32% more cost-efficient per stable Mbps**.
- **PA-520 vs. FG-71G:**
  - Throughput is **2.5× better** for the PA-520.
  - Overall throughput is **150% higher** than FG-71G.
  - TCO per protected Mbps is **1.7× better**.
  - The PA-520 is described as **70% more cost-efficient per stable Mbps**.
**Why this matters for sizing and budgeting**
- The report stresses that **datasheet numbers often do not reflect real deployments**, especially once you enable full security services.
- Miercom tested each product “as a customer would,” with:
  - Security services on by default.
  - Realistic AI, API, and encrypted traffic.
  - Enterprise application mixes beyond just web browsing.
- As a result, the **effective cost per Mbps of protected, stable throughput** is a more realistic way to compare platforms than raw, unprotected throughput claims.
**Takeaway for buyers**
- For organizations planning for AI-heavy, encrypted, and API-centric environments, the PA-500 Series offers:
  - Higher usable throughput with security on.
  - Lower cost per protected Mbps compared to the tested Fortinet models.
  - Reduced risk of performance-related instability (such as memory-induced conserve modes) under AI and high-connection workloads.
Miercom ultimately awarded Palo Alto Networks the **Miercom Performance Verified** certification, noting that the PA-560 and PA-520 delivered strong performance across multiple real-world scenarios while maintaining a favorable TCO profile.