Cloud NGFW for Azure
Cloud NGFW for Azure Limits and Quotas
Learn the limits and quotas of the Cloud NGFW for Azure.
The following tables list the limits and performance data for your Cloud NGFW tenant. Unless indicated otherwise, you can request an increase for these limits.
Use the Cloud NGFW for Azure pricing estimator to help you determine Azure limits and quotas for your Cloud NGFW subscription.
Native Policy Management (Rulestack)
| Attribute | Maximum Limit per Cloud NGFW Resource | Adjustable | 
|---|---|---|
| Security rules | 1,000 | No | 
| Address objects (FQDN lists and IP prefix lists) | 1,000 | No | 
| Number of IP prefix lists | 1,000 | No | 
| FQDN objects across all FQDN lists | 2,000 | No | 
| Prefix objects for each IP prefix list | 2,500 | No | 
| URLs across all URL categories | 25,000 | No | 
| Intelligent feeds (including the five predefined feeds) | 30 | No | 
| IP addresses across all feeds | 50,000 | No | 
| Certificate objects | 100 | No | 
Panorama Policy Management
| Attribute | Maximum Limit per Cloud NGFW Resource* | 
|---|---|
| Policy | |
| Security rules | 10,000 | 
| Decryption rules | 1,000 | 
| Objects | |
| Address objects | 10,000 | 
| Address groups | 1,000 | 
| Members per address group | 2,500 | 
| FQDN address groups | 2,000 | 
| Service objects | 2,000 | 
| Service Groups | 500 | 
| Members per Service Group | 500 | 
| External dynamic list | |
| Max number of DNS domains per system | 500,000 | 
| Max number of IPs per system | 50,000 | 
| Max number of URLs per system | 100,000 | 
| Max number of custom lists | 30 | 
| URL Filtering | |
| Total entities for allow list, block list, and custom categories | 25,000 | 
| Max custom categories | 500 | 
* The policy and object limits specified are unidimensional maximums. Palo Alto Networks recommends additional testing within your environment to ensure you meet your policy authoring objectives.
Cloud NGFW for Azure Performance
The following table provides performance information for your Cloud NGFW for Azure tenant. The information in the table assumes a maximum of 40 instances.
| Attribute | Performance Metric | 
|---|---|
| Firewall throughput (App-ID enabled) | Maximum throughput: 100 Gbps; per instance: 2.92 Gbps. Coldstart: 8.55 Gbps. For coldstart traffic, Content Threat Detection is enabled. Without Content Threat Protection, each firewall instance is capped at 3.00 Gbps due to the instance type; this is an Azure limitation. | 
| Threat Prevention throughput | Maximum throughput: 92 Gbps; per instance: 2.31 Gbps | 
| Encrypted Traffic throughput | 44 Gbps with Content Threat Detection (per instance: 1.11 Gbps); 60 Gbps without Content Threat Detection (per instance: 1.52 Gbps) | 
| SNAT Ports | Each public IP provides 64,000 SNAT ports. Cloud NGFW can scale up to a maximum of 40 instances behind the scenes, so 1,600 SNAT ports per public IP are available to each instance. Total available ports = number of public IPs × number of instances × 1,600. For example: by default, one instance is deployed in each availability zone (AZ). If a region has three AZs and one public IP is assigned to the firewall, the cold-start SNAT port count is 4,800. You can either add more public IP addresses to increase the number, or the firewall auto-scales instances when port exhaustion reaches the scaling threshold. | 
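As an added capacity-planning example (not a Palo Alto Networks tool and not part of the original page), the following Python script applies the SNAT formula from the table above: 64,000 ports per public IP, at most 40 instances, hence 1,600 ports per instance per public IP. It reproduces the three-AZ cold-start figure of 4,800 and then answers the question an operator actually asks: for a given number of concurrent outbound connections, does the cold-start deployment suffice, will auto-scaling to 40 instances cover it, or must public IPs be added? The three-way decision in `plan()` is an assumption that simplifies the table's description; the actual scaling threshold is not stated on this page and is not modelled.

```python
"""SNAT port capacity planning for Cloud NGFW for Azure (added example)."""

PORTS_PER_PUBLIC_IP = 64_000          # from the limits table
MAX_INSTANCES = 40                    # maximum scale-out, from the limits table
PORTS_PER_INSTANCE_PER_IP = PORTS_PER_PUBLIC_IP // MAX_INSTANCES  # 1,600


def _ceil_div(a: int, b: int) -> int:
    """Integer ceiling division without importing math."""
    return -(-a // b)


def snat_ports(public_ips: int, instances: int) -> int:
    """Total SNAT ports = public IPs x instances x 1,600 (the table's formula)."""
    if public_ips < 1:
        raise ValueError("at least one public IP must be assigned")
    if not 1 <= instances <= MAX_INSTANCES:
        raise ValueError(f"instances must be between 1 and {MAX_INSTANCES}")
    return public_ips * instances * PORTS_PER_INSTANCE_PER_IP


def cold_start_ports(availability_zones: int, public_ips: int = 1) -> int:
    """Cold start deploys one instance per AZ, so instances == AZ count."""
    return snat_ports(public_ips, availability_zones)


def public_ips_needed(required_ports: int, instances: int) -> int:
    """Smallest number of public IPs that covers required_ports at a fixed instance count."""
    return _ceil_div(required_ports, instances * PORTS_PER_INSTANCE_PER_IP)


def plan(required_ports: int, availability_zones: int, public_ips: int = 1) -> dict:
    """Decide how a required concurrent-connection count is met.

    Assumption (not from the page): the only two levers are auto-scaling
    instances up to MAX_INSTANCES and adding public IPs, checked in that order.
    """
    cold = snat_ports(public_ips, availability_zones)
    if required_ports <= cold:
        return {"fits": "cold_start", "instances": availability_zones,
                "public_ips": public_ips, "ports": cold}

    if required_ports <= snat_ports(public_ips, MAX_INSTANCES):
        # Auto-scaling alone is enough; never fewer instances than AZs.
        needed = max(availability_zones,
                     _ceil_div(required_ports, public_ips * PORTS_PER_INSTANCE_PER_IP))
        return {"fits": "auto_scale", "instances": needed,
                "public_ips": public_ips, "ports": snat_ports(public_ips, needed)}

    # Even 40 instances cannot cover it: more public IPs are required.
    ips = public_ips_needed(required_ports, MAX_INSTANCES)
    return {"fits": "add_public_ips", "instances": MAX_INSTANCES,
            "public_ips": ips, "ports": snat_ports(ips, MAX_INSTANCES)}


if __name__ == "__main__":
    # Constructed scenario: three AZs, one public IP, 150,000 expected connections.
    print("cold start, 3 AZs, 1 IP:", cold_start_ports(3))
    print(plan(150_000, availability_zones=3, public_ips=1))
```

Sizing for the peak concurrent outbound connection count rather than the average matters here: once the ports for a given public IP and instance are exhausted, new outbound flows fail until either auto-scaling adds instances or another public IP is attached, and neither is instantaneous.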
Metrics Integration Limits
Azure Monitoring Metrics Integration has the following service and platform limitations:
- Data Retention: Firewall metrics are stored for a maximum of 90 days within Application Insights.
- Azure Custom Metrics Limit: The Azure custom metrics ingestion feature is subject to an Azure platform limit of 50,000 total active time series per subscription per region.
