Cloud NGFW for AWS Pricing
Cloud NGFW pay-as-you-go (PAYG) pricing.
Cloud NGFW is available as a pay-as-you-go (PAYG) subscription in the AWS Marketplace. With this model, you pay only for what you
use each month, with all charges consolidated on the invoice you receive from AWS. You
can also enjoy AWS Marketplace benefits such as consolidated billing and the Amazon Web Services Enterprise Discount Program (EDP).
You pay an hourly rate for each Cloud NGFW resource. You also pay for the amount of
traffic, billed by the gigabyte, processed by the NGFW resource. Additionally, you pay
an hourly rate and for the amount of traffic processed by your Cloud NGFW resource when
you configure security services add-ons (such as Threat Prevention, Advanced URL
Filtering, DNS Security, or WildFire) or the centralized management add-on (Panorama
management). The rate charged for the traffic also depends on the aggregate traffic
processed by all NGFWs in the tenant during the month (referred to as tiered traffic
pricing).
Credit Pricing Model
You can procure and associate Cloud NGFW Credits to your tenant by paying an
upfront cost for a long-term contract of one, two, or three years. You purchase these
credits while taking advantage of AWS Marketplace benefits such as consolidated billing,
AWS EDP, and automated or configurable renewals. Cloud NGFW credits allow you to consume
Cloud NGFW resources in your tenant at a lower cost up to a specific capacity until your
contract expires. See Subscribe to Cloud NGFW for AWS to learn how
to add contract credits.
The Cloud NGFW platform manages all credit enforcement as follows:
- The platform ensures a tenant has an active Cloud Marketplace subscription and meters consumption hourly as PAYG units.
- When a customer allocates credits to a tenant, the platform begins to meter that tenant's usage both as hourly PAYG units and equivalent Credit units.
- It continuously validates if the tenant's consumption exceeds the allocated credits.
- If a customer goes over their limit, the platform calculates the overage and sends PAYG metering records to the Cloud Provider’s marketplace metering service.

Thus, the platform seamlessly switches between Software NGFW credits and an active Marketplace subscription to ensure uninterrupted service. For example, when credits expire, the tenant automatically reverts to PAYG.
If your monthly average consumption exceeds the purchased
credits, overages are charged at PAYG rates.
If you add Cloud NGFW credits during a free-trial period, your
contract starts immediately and overrides the free trial.
Use the Cloud NGFW for AWS pricing estimator to help
you determine AWS pricing for your Cloud NGFW tenant.
Metering and Billing
Cloud NGFW consumption translates to pay-as-you-go hourly pricing or to Cloud NGFW
credits, as described in the tables below.
Base NGFW Resource Consumption
You pay an hourly rate for each Cloud NGFW resource. You also pay for the amount of
traffic, billed by the gigabyte, processed by the NGFW resource.
| Base NGFW Resource | | Price (per hour) | Price (per GB) | Equivalent Cloud NGFW Credits |
|---|---|---|---|---|
| Usage Hour | Up to 3 AZs | $ 1.50 | | 125.0 |
| Usage Hour | Each additional AZ | $ 0.50 | | 41.7 |
| Traffic Secured | First 15 TB/month | | $ 0.065 | 5.4 |
| Traffic Secured | Next 15 TB/month | | $ 0.045 | 3.7 |
| Traffic Secured | Above 30 TB/month | | $ 0.030 | 2.5 |

Usage hour is metered on each NGFW resource
you deploy. Traffic is metered across all NGFW resources deployed in your
Cloud NGFW tenant.
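The base-resource rates above, worked through as a monthly PAYG estimate. This is an added example, not Palo Alto Networks code or the pricing estimator; the function names are hypothetical, and it assumes 1 TB = 1000 GB, which the page does not specify.

```python
from decimal import Decimal

# Assumption: the page does not say whether 1 TB means 1000 GB or 1024 GB.
GB_PER_TB = 1000

# (upper bound of tier in GB, price per GB), from the Base NGFW Resource table.
BASE_TRAFFIC_TIERS = [
    (15 * GB_PER_TB, Decimal("0.065")),   # first 15 TB/month
    (30 * GB_PER_TB, Decimal("0.045")),   # next 15 TB/month
    (None, Decimal("0.030")),             # above 30 TB/month
]
HOURLY_UP_TO_3_AZ = Decimal("1.50")
HOURLY_PER_EXTRA_AZ = Decimal("0.50")


def tiered_traffic_cost(tenant_gb, tiers=BASE_TRAFFIC_TIERS):
    """Price the tenant-wide monthly traffic by filling each tier in order."""
    remaining = Decimal(tenant_gb)
    if remaining < 0:
        raise ValueError("traffic cannot be negative")
    floor, cost = 0, Decimal(0)
    for ceiling, rate in tiers:
        if remaining == 0:
            break
        # The last tier has no ceiling, so it absorbs whatever is left.
        width = remaining if ceiling is None else min(remaining, ceiling - floor)
        cost += width * rate
        remaining -= width
        floor = ceiling
    return cost


def resource_hourly_cost(az_count, hours):
    """Usage-hour charge for one NGFW resource; hours is an int or Decimal."""
    if az_count < 1 or hours < 0:
        raise ValueError("need at least one AZ and non-negative hours")
    extra_azs = max(0, az_count - 3)
    return (HOURLY_UP_TO_3_AZ + extra_azs * HOURLY_PER_EXTRA_AZ) * hours


def base_monthly_cost(resources, tenant_gb):
    """resources: iterable of (az_count, hours); traffic is summed tenant-wide."""
    usage = sum((resource_hourly_cost(az, h) for az, h in resources), Decimal(0))
    return usage + tiered_traffic_cost(tenant_gb)


if __name__ == "__main__":
    # Constructed tenant: two firewalls up for 730 hours, 40 TB secured in total.
    print(base_monthly_cost([(2, 730), (4, 730)], 40 * GB_PER_TB))
```

Usage hours are charged per resource, while the traffic tier is chosen from the tenant-wide total, so pass the summed traffic of all NGFW resources as `tenant_gb`.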
Cloud-Delivered Security Services (CDSS) add-on Consumption
Your security services add-on consumption is metered on each NGFW resource for each hour
the add-on is enabled and for the amount of traffic that NGFW processes while the add-on
is configured. The rate charged for the traffic also depends on the aggregate
traffic processed by all NGFWs in the tenant during the month (referred to as tiered
traffic pricing).
| Threat Prevention add-on | | Price (per hour) | Price (per GB) | Equivalent Cloud NGFW Credits |
|---|---|---|---|---|
| Usage Hour* | Up to 3 AZs | $ 0.300 | | 25.0 |
| Usage Hour* | Each additional AZ | $ 0.100 | | 8.3 |
| Traffic Secured | First 15 TB/month | | $ 0.013 | 1.1 |
| Traffic Secured | Next 15 TB/month | | $ 0.009 | 0.7 |
| Traffic Secured | Above 30 TB/month | | $ 0.006 | 0.5 |

| Advanced Threat Prevention add-on | | Price (per hour) | Price (per GB) | Equivalent Cloud NGFW Credits |
|---|---|---|---|---|
| Usage Hour* | Up to 3 AZs | $ 0.450 | | 0.8 |
| Usage Hour* | Each additional AZ | $ 0.150 | | 0.3 |
| Traffic Secured | First 15 TB/month | | $ 0.020 | 1.7 |
| Traffic Secured | Next 15 TB/month | | $ 0.014 | 1.2 |
| Traffic Secured | Above 30 TB/month | | $ 0.009 | 0.7 |

| DNS Security add-on | | Price (per hour) | Price (per GB) | Equivalent Cloud NGFW Credits |
|---|---|---|---|---|
| Usage Hour* | Up to 3 AZs | $ 0.300 | | 25.0 |
| Usage Hour* | Each additional AZ | $ 0.100 | | 8.3 |
| Traffic Secured | First 15 TB/month | | $ 0.013 | 1.1 |
| Traffic Secured | Next 15 TB/month | | $ 0.009 | 0.7 |
| Traffic Secured | Above 30 TB/month | | $ 0.006 | 0.5 |

| WildFire add-on | | Price (per hour) | Price (per GB) | Equivalent Cloud NGFW Credits |
|---|---|---|---|---|
| Usage Hour* | Up to 3 AZs | $ 0.300 | | 25.0 |
| Usage Hour* | Each additional AZ | $ 0.100 | | 8.3 |
| Traffic Secured | First 15 TB/month | | $ 0.013 | 1.1 |
| Traffic Secured | Next 15 TB/month | | $ 0.009 | 0.7 |
| Traffic Secured | Above 30 TB/month | | $ 0.006 | 0.5 |

| Advanced URL Filtering add-on | | Price (per hour) | Price (per GB) | Equivalent Cloud NGFW Credits |
|---|---|---|---|---|
| Usage Hour* | Up to 3 AZs | $ 0.450 | | 37.5 |
| Usage Hour* | Each additional AZ | $ 0.150 | | 12.5 |
| Traffic Secured | First 15 TB/month | | $ 0.020 | 1.7 |
| Traffic Secured | Next 15 TB/month | | $ 0.014 | 1.2 |
| Traffic Secured | Above 30 TB/month | | $ 0.009 | 0.7 |

| DLP add-on | | Price (per hour) | Price (per GB) | Equivalent Cloud NGFW Credits |
|---|---|---|---|---|
| Usage Hour* | Up to 3 AZs | $ 0.600 | | 50.0 |
| Usage Hour* | Each additional AZ | $ 0.200 | | 16.7 |
| Traffic Secured | First 15 TB/month | | $ 0.026 | 2.2 |
| Traffic Secured | Next 15 TB/month | | $ 0.018 | 1.5 |
| Traffic Secured | Above 30 TB/month | | $ 0.012 | 1.0 |

*Usage hour is metered on each NGFW resource
with CDSS add-on enabled.
Centralized Management add-on Consumption
You can use Panorama or Strata Cloud Manager to manage policy rules in your Cloud NGFW
resources. In that case, your centralized management add-on consumption is metered on
each NGFW resource for each hour it is associated with a Panorama or Strata Cloud
Manager and for the amount of traffic that NGFW resource processes while the association
is configured. The rate you’re charged for the traffic also depends on the aggregate
traffic processed by all NGFWs in the tenant during the month (referred to as tiered
traffic pricing).
You don't pay for additional device
licenses for managing policy rules in Cloud NGFW resources. Panorama does not count
these NGFW resources against its managed device license count.
Cloud NGFW sends logs to the same Strata Logging Services
associated with your Panorama or Strata Cloud Manager. You don't pay for additional
storage. When used with Cloud NGFW for AWS, Strata Logging Services automatically
scales along with the Cloud NGFW for AWS resources. As traffic throughput increases
on these Cloud NGFW resources, so does your available storage so that you don't need
to worry about making manual adjustments to storage to save your log
data.
| Palo Alto Networks Centralized Management add-on (Panorama) | | Price (per hour) | Price (per GB) | Equivalent Cloud NGFW Credits |
|---|---|---|---|---|
| Usage Hour | Up to 3 AZs | $ 0.300 | | 25.0 |
| Usage Hour | Each additional AZ | $ 0.100 | | 8.3 |
| Traffic Secured | First 15 TB/month | | $ 0.013 | 1.1 |
| Traffic Secured | Next 15 TB/month | | $ 0.009 | 0.7 |
| Traffic Secured | Above 30 TB/month | | $ 0.006 | 0.5 |

| Palo Alto Networks Centralized Management add-on (Strata Cloud Manager) | | Price (per hour) | Price (per GB) | Equivalent Cloud NGFW Credits |
|---|---|---|---|---|
| Usage Hour | Up to 3 AZs | $ 0.450 | | 25.0 |
| Usage Hour | Each additional AZ | $ 0.150 | | 8.3 |
| Traffic Secured | First 15 TB/month | | $ 0.020 | 1.1 |
| Traffic Secured | Next 15 TB/month | | $ 0.014 | 0.7 |
| Traffic Secured | Above 30 TB/month | | $ 0.009 | 0.5 |

Usage hour is metered on each NGFW resource
associated with a Panorama or Strata Cloud Manager.
AWS Marketplace Metering Mechanism
Cloud NGFW uses the AWS SaaS subscription pricing model: it translates the tenant’s
consumption into units for multiple custom dimensions and reports them to AWS
Marketplace as shown in the table below. This mechanism provides the flexibility to
aggregate your entire tenant’s consumption based on a few dimensions. These dimensions
include the deployment hours of all NGFWs, how much traffic they are securing, and how
many security features they use every hour. The Cloud NGFW translates the security
services and centralized management consumption to Cloud NGFW credits and reports it as
add-on units to the AWS Metering service.
| AWS Marketplace | Cloud NGFW SaaS Subscription Price |
|---|---|
| Base NGFW Usage Hours: (1 unit = 1 usage hour) up to 3 AZs; (0.333 units = 1 usage hour) for additional AZs | $ 1.5/unit |
| Traffic Secured > First 15 TB/month: (1 unit = 1 GB secured) | $ 0.065/unit |
| Traffic Secured > Next 15 TB/month: (1 unit = 1 GB secured) | $ 0.045/unit |
| Traffic Secured > Above 30 TB/month: (1 unit = 1 GB secured) | $ 0.030/unit |
| Add-ons: (1 unit = 1 Cloud NGFW credit). Refer to the add-on tables above. | $ 0.012/unit |