Cloud NGFW for Azure Addressed Issues

Cloud NGFW for AWS addressed issues.
The following issues have been addressed at this release of Cloud NGFW for Azure.
| ID | Description |
| --- | --- |
| PLUG-20294 | The billing issue related to URL Logging is now fixed. To use logging-only functionality, you must now configure the URL filtering profiles to exclusively use custom URL categories, setting the action for these categories to alert to ensure logs are generated. All predefined categories within the profile must have their action set to allow. By following this specific configuration, you can now maintain full visibility of URL traffic, as required for comparison with other firewall services, without the associated Advanced URL Filtering billing, since the URL filtering license is only required for using and enforcing actions on predefined URL categories. |
| FWAAS-15572 | In CNGFW Azure, the firewall may incorrectly allow all traffic, even when Layer 7 Rules (LRS) explicitly restrict specific ports. This occurs because the firewall is not correctly retrieving port information from the LRS, leading it to default to application-default for services instead of the configured allowed ports. Consequently, traffic intended for restricted ports (such as RDP when only port 443 is allowed) is permitted, effectively rendering the firewall unable to enforce granular port-based security policies. This issue happens only when modifying a rule from specific protocol to port to Application default or any. |
| FWAAS-12991 | When deploying CNGFW on Azure, the Standard Load Balancer (SLB) limits SNAT port allocation to 1024 per instance, restricting the scaling with additional public IPs. This change yields 1600 SNAT ports per instance per IP, enabling proper outbound scaling, calculated as (64,000/40)×number of public IPs. |
| FWAAS-3919 | Invalid rule names could be generated in Local Rulestacks, which could cause commit failures. |
| FWAAS-4546 | Rulehit counter DB entries are not deleted after deleting the rule, resulting in old values if a rule is created again with the same name. |
| FWAAS-4767 | The DNS proxy does not update simultaneously on the firewall following a firewall update call. |
| FWAAS-4805 | Firewall host names are erroneously displayed in logs. |
| FWAAS-7430 | If you try to delete a new Cloud NGFW resource before the creation is complete, the deletion fails. |
| FWAAS-7542 | Panorama does not always automatically push content and antivirus updates to newly created Cloud NGFW for Azure resources. |
| FWAAS-8696 | Log forwarding to a Panorama virtual appliance may take a long time to complete. |
| FWAAS-9041 | Device server profiles (for example, LDAP, syslog) erroneously appear disabled in Panorama templates used for CNGFW devices. |
| FWAAS-9050 | In some cases, a license on a VM-Series firewall may be removed from the Panorama virtual appliance. |
| FWAAS-9055 | The CNGFW reaches an unhealthy state and loses connectivity to Panorama when the Cloud Device Group name is changed. |
| PAN-217460 | Cloud NGFW resources managed by a Panorama HA pair might show disconnected on the secondary Panorama. However, on the primary Panorama, the Cloud NGFW resource shows connected. |