The Miercom report evaluates how the Palo Alto Networks PA-500 Series—specifically the PA-560 and PA-520—perform as AI-ready next-generation firewalls under realistic, security-on conditions. The testing focused on: - AI and API-heavy traffic: including large language model (LLM) traffic, streaming APIs, intelligent agents, and multi-step AI workflows. - Encrypted traffic: more than 70% of enterprise traffic is now encrypted with TLS 1.2 and 1.3, so the tests emphasized decryption and inspection performance. - Real-world enterprise protocols: SIP, MSSQL, FIX, RDP, SMBv2, and FTP, in addition to standard HTTP/HTTPS. - Security by default: all platforms were tested with core security services enabled, not in a “lab-optimized” or security-off mode. For Palo Alto Networks, the following services were enabled: - Threat Prevention (antivirus, vulnerability protection, anti-spyware, data filtering, basic file blocking) - WildFire - TLS/SSL decryption and inspection - Default application identification policies Fortinet FortiGate FG-201G and FG-71G were tested under the same traffic conditions with equivalent services enabled (Antivirus, IPS, File Filter, Email Filter, and decryption). The primary KPI was Ethernet data rate (Gbps) under load, with tests running until thresholds such as 90% CPU utilization or more than 100 application transaction failures were reached.

The PA-560 and PA-520 consistently delivered higher throughput and more stable behavior than the Fortinet FG-201G and FG-71G across AI, API, and encrypted traffic scenarios. Key data points from the report: 1) Raw TCP throughput (1-byte payloads) - PA-560: 1,520 Mbps - FG-201G: more than 4x lower throughput than PA-560 - PA-520: 377 Mbps - FG-71G: 75 Mbps This shows roughly 4–5x higher throughput for Palo Alto Networks in small-packet TCP traffic. 2) HTTP 1.1 bandwidth with services enabled - 64K payload - PA-560: 10,019 Mbps vs. FG-201G: 4,281 Mbps (about 2.3x higher) - PA-520: 1,842 Mbps vs. FG-71G: 652 Mbps (nearly 3x higher) - 21K payload - PA-560: 6,399 Mbps vs. FG-201G: 2,151 Mbps (about 3x higher) - PA-520: 1,439 Mbps vs. FG-71G: 371 Mbps (almost 4x higher) - 4.5K payload - PA-560: 2,511 Mbps vs. FG-201G: 830 Mbps (more than 3x higher) - PA-520: 552 Mbps vs. FG-71G: 241 Mbps (more than 2x higher) 3) HTTP 1.1 connections per second (CPS) - 64K payload - PA-560: 41,373 CPS vs. FG-201G: 23,004 CPS (~80% higher) - PA-520: 11,731 CPS vs. FG-71G: 6,086 CPS (~48% lower for FG-71G) - 21K payload - PA-560: 47,132 CPS vs. FG-201G: 24,510 CPS (~92% higher) - PA-520: 12,525 CPS vs. FG-71G: 8,335 CPS (~50% lower for FG-71G) - 4.5K payload - PA-560: 48,624 CPS vs. FG-201G: 20,241 CPS (~140% higher) - PA-520: 13,220 CPS vs. FG-71G: 6,750 CPS (nearly 2x higher) 4) AI and LLM traffic performance Across AI-driven replay workloads (Perplexity, Grok, DeepSeek, OpenAI Playground), the report notes: - PA-560 delivered between 2x and more than 8x the throughput of the FG-201G. - PA-520 outperformed the FG-71G in every AI scenario tested. 5) Encrypted traffic (TLS 1.2 and 1.3) With over 70% of enterprise traffic encrypted, the report highlights that Palo Alto Networks platforms: - Sustained substantially and consistently higher throughput in TLS 1.2 and TLS 1.3 decryption scenarios than the Fortinet models. - Maintained performance with security services enabled, rather than requiring features to be turned off. Overall, the data shows that the PA-560 and PA-520 handle modern AI, API, and encrypted traffic with higher throughput and connection capacity than the comparable Fortinet devices under the same, security-on test conditions.

Miercom’s testing highlights two practical considerations for buyers: architectural stability under AI-heavy loads and cost per protected Mbps. 1) Stability under AI and high-connection loads - The PA-560 and PA-520 maintained uninterrupted operational stability across all test conditions, including demanding AI workloads and maximum connection tests. - The Fortinet FG-201G repeatedly entered memory-induced Conserve Mode during: - DeepSeek AI traffic testing - Maximum connections per second tests - Maximum concurrent connections tests - In these cases, memory was exhausted before CPU was fully utilized, which the report characterizes as a design limitation for sustaining modern, security-intensive AI workloads. - Palo Alto Networks devices did not exhibit these memory-related failures under the same conditions. 2) Total cost of ownership (TCO) and cost efficiency Miercom calculated TCO per protected Mbps with security services enabled (Pro Bundle for Palo Alto Networks, UTP Bundle for Fortinet): - PA-560 vs. FG-201G - Throughput: PA-560 is 1.9x better on average with services enabled. - Throughput advantage: 86.2% higher than FG-201G. - TCO: PA-560 TCO per protected Mbps is 1.6x better. - Cost efficiency: PA-560 is 32% more cost-efficient per stable Mbps. - PA-520 vs. FG-71G - Throughput: PA-520 is 2.5x better on average with services enabled. - Throughput advantage: 150% higher than FG-71G. - TCO: PA-520 TCO per protected Mbps is 1.7x better. - Cost efficiency: PA-520 is 70% more cost-efficient per stable Mbps. 3) Practical takeaway for sizing and deployment The report stresses that datasheet numbers often assume minimal security features, which may not reflect real deployments. Miercom: - Tested all devices “as a customer would,” with core security services enabled by default. - Emphasizes proper product sizing based on realistic, security-on performance. In this context, the PA-500 Series (PA-560 and PA-520) is presented as offering: - Stable operation under AI and high-connection loads. - Lower cost per protected Mbps when security services are enabled. Miercom concludes by awarding Palo Alto Networks the “Performance Verified” certification and positioning the PA-500 Series as a future-ready option for organizations that need to secure and scale AI-driven, encrypted enterprise traffic while managing TCO.