Strata Copilot
    Focus
    1. Home
    Cloud NGFW for Azure

    Cloud Next-Generation Firewall by Palo Alto Networks - an Azure Native ISV Service - is Palo Alto Networks Next-Generation Firewall (NGFW) delivered as a cloud-native service on Azure. You can discover Cloud NGFW in the Azure Marketplace and consume it in your Azure Virtual Networks (VNet) and in Azure Virtual WAN (vWAN). With Cloud NGFW, you can access the core NGFW capabilities such as App-ID and URL filtering based technologies. It provides threat prevention and detection through cloud-delivered security services and threat prevention signatures.

    What's New

    October 2025

    Billing Change for Cloud NGFW on Azure

    Effective October 2025, Palo Alto Networks is implementing a previously announced change to how Cloud NGFW on Azure costs are billed. When you deploy Cloud NGFW in a Hub vNET, you alse established peering between the your spoke vNETs and the hub VNet and redirected traffic to Cloud NGFW. Until now, Palo Alto Networks temporarily absorbed the cost associated with this peering. This $0.01 per GB charge, which reflects Microsoft Azure's standard peering rate, will now be billed directly to your Marketplace billing account as a Pay-As-You-Go (PAYG) charge, even if you are on a credit consumption plan. For more information, see Cloud NGFW Azure pricing.
    September 2025


    Azure Monitor Metrics

    Cloud NGFW now publishes additional metrics in Azure Monitor to help you monitor your Cloud NGFW's health, performance, and usage patterns.

    Key metrics available include:

    • Throughput

    • Sessions

    • SNAT Port Utilization

    • Latency

    • Packet counts

    For more information, see View Cloud NGFW Metrics in Azure Monitor and Enable and View Cloud NGFW for Azure Monitoring Metrics.


    Support for Multi-Dimensional Scaling

    Cloud NGFW for Azure can now automatically scale based on additional metrics such as Source NAT port utilization, session throughput and session count, ensuring greater reliability and performance for diverse workloads. For more information, see Cloud NGFW for Azure Resiliency and Scalability and View Cloud NGFW for Azure Metrics natively in Azure .


    Strata Logging Service Support for Panorama Managed Cloud NGFW resources

    You can now enable SLS for existing Panorama-managed Cloud NGFW for Azure resources by simply generating a new registration string from the Panorama plugin and updating it in the Azure portal. For more information, see Enable Strata Logging Service (SLS) for existing Panorama-managed firewalls and View Traffic and Threat Logs in Strata Logging Service.
    July  2025

    Additional Azure Regions

    You can now deploy Cloud NGFW for Azure in the following regions:

    • Spain Central
    • Mexico Central
    • India South

    For more information, see Cloud NGFW for Azure Supported Regions.

    SNAT Port Enhancement

    More SNAT ports are now allocated for each firewall instance. SNAT port allocation will scale based on the front-end IPs configured.

    Get Started

    1. About Cloud NGFW for Azure
    2. Supported Management and Deployment Features
    3. Create a Rulestack on Cloud NGFW for Azure
    4. Create Security Rules on Cloud NGFW for Azure

    Important Resources

    Introducing Cloud NGFW for Azure

    Learn about Cloud NGFW for Azure.

    Getting Started with Cloud NGFW for Azure

    Learn how to get started with Cloud NGFW for Azure.

    Cloud NGFW Credits

    Learn about Cloud NGFW credits.

    Cloud NGFW for Azure SNAT and DNAT

    Learn about SNAT and DNAT deployments.

    © 2025 Palo Alto Networks, Inc. All rights reserved.