Cloud NGFW for Azure Limits and Quotas

Learn the limits and quotas of the Cloud NGFW for Azure.
Where Can I Use This?
  • Cloud NGFW for Azure
What Do I Need?
  • Cloud NGFW subscription
  • Palo Alto Networks Customer Support Portal (CSP) account
  • Azure Marketplace subscription
The following tables list the limits and performance data for your Cloud NGFW tenant. Unless indicated otherwise, you can request an increase for these limits.
Use the Cloud NGFW for Azure pricing estimator to help you determine Azure limits and quotas for your Cloud NGFW subscription.

Native Policy Management (Rulestack)

| Attribute | Maximum Limit per Cloud NGFW Resource | Adjustable |
| --- | --- | --- |
| Security rules | 1,000 | No |
| Address objects (FQDN lists and IP prefix lists) | 1,000 | No |
| Number of IP prefix lists | 1,000 | No |
| FQDN objects across all FQDN lists | 2,000 | No |
| Prefix objects for each IP prefix list | 2,500 | No |
| URLs across all URL categories | 25,000 | No |
| Intelligent feeds (including the five predefined feeds) | 30 | No |
| IP addresses across all feeds | 50,000 | No |
| Certificate objects | 100 | No |

Panorama Policy Management

| Category | Attribute | Maximum Limit per Cloud NGFW Resource* |
| --- | --- | --- |
| Policy | Security rules | 10,000 |
| Policy | Decryption rules | 1,000 |
| Objects | Address objects | 10,000 |
| Objects | Address groups | 1,000 |
| Objects | Members per address group | 2,500 |
| Objects | FQDN address groups | 2,000 |
| Objects | Service objects | 2,000 |
| Objects | Service groups | 500 |
| Objects | Members per service group | 500 |
| External dynamic list | Max number of DNS domains per system | 500,000 |
| External dynamic list | Max number of IPs per system | 50,000 |
| External dynamic list | Max number of URLs per system | 100,000 |
| External dynamic list | Max number of custom lists | 30 |
| URL Filtering | Total entities for allow list, block list, and custom categories | 25,000 |
| URL Filtering | Max custom categories | 500 |

* The policy and object limits specified are unidimensional maximums. Palo Alto Networks recommends additional testing within your environment to ensure you meet your policy authoring objectives.

Cloud NGFW for Azure Performance

The following table provides performance information for your Cloud NGFW for Azure tenant.
The information provided in the following table assumes a maximum of 40 instances.
| Attribute | Performance Metric |
| --- | --- |
| Firewall throughput (App-ID enabled) | Maximum: 100 Gbps (2.92 Gbps per instance); cold start: 8.55 Gbps |
| Threat Prevention throughput | Maximum: 92 Gbps (2.31 Gbps per instance) |
| Encrypted traffic throughput | 44 Gbps with Content Threat Detection (1.11 Gbps per instance); 60 Gbps without Content Threat Detection (1.52 Gbps per instance) |
| SNAT ports | 64,000 per public IP; 1,600 per instance per public IP (40-instance maximum) |

For cold-start traffic, Content Threat Detection is enabled. Without Content Threat Detection, each firewall instance is capped at 3.00 Gbps by the instance type; this is an Azure limitation.

SNAT ports: each public IP provides 64,000 SNAT ports. Because Cloud NGFW can scale to a maximum of 40 instances behind the scenes, 1,600 SNAT ports per public IP are available to each instance.

Total available ports = number of public IPs × number of instances × 1,600

For example, by default one instance is deployed in each availability zone (AZ). In a region with three AZs and one public IP assigned to the firewall, 4,800 SNAT ports are available at cold start. To increase the number of ports, add more public IP addresses; otherwise, the firewall autoscales additional instances when port exhaustion reaches the scaling threshold.
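To turn the SNAT-port formula and the 40-instance scaling ceiling above into a capacity check, here is an added Python example; it is not Palo Alto Networks code, and the availability-zone counts, target port counts and function names are assumptions chosen for illustration.

```python
"""SNAT-port capacity estimate for Cloud NGFW for Azure (added example).

Figures come from the performance table above: 64,000 SNAT ports per
public IP, a 40-instance scaling ceiling, hence 1,600 ports per public IP
per instance, and one instance per availability zone at cold start.
"""
import math
from typing import Optional

PORTS_PER_PUBLIC_IP = 64_000
MAX_INSTANCES = 40
PORTS_PER_IP_PER_INSTANCE = PORTS_PER_PUBLIC_IP // MAX_INSTANCES  # 1,600


def snat_ports(public_ips: int, instances: int) -> int:
    """Total ports = public IPs * instances * 1,600; instances never exceed 40."""
    if public_ips < 1 or instances < 1:
        raise ValueError("need at least one public IP and one instance")
    return public_ips * min(instances, MAX_INSTANCES) * PORTS_PER_IP_PER_INSTANCE


def cold_start_ports(public_ips: int, availability_zones: int) -> int:
    """Cold start runs one instance per AZ (assumed AZ count given by caller)."""
    return snat_ports(public_ips, availability_zones)


def public_ips_needed(target_ports: int, instances: int) -> int:
    """Fewest public IPs that supply target_ports at a fixed instance count."""
    if target_ports < 1:
        raise ValueError("target_ports must be positive")
    instances = min(max(instances, 1), MAX_INSTANCES)
    return math.ceil(target_ports / (instances * PORTS_PER_IP_PER_INSTANCE))


def instances_needed(target_ports: int, public_ips: int) -> Optional[int]:
    """Instances autoscaling must reach for target_ports with the given IPs.

    Returns None when even the 40-instance ceiling cannot provide the ports,
    meaning more public IPs are the only remaining lever.
    """
    if target_ports < 1 or public_ips < 1:
        raise ValueError("target_ports and public_ips must be positive")
    needed = math.ceil(target_ports / (public_ips * PORTS_PER_IP_PER_INSTANCE))
    return needed if needed <= MAX_INSTANCES else None


if __name__ == "__main__":
    # Constructed scenario: three AZs, one public IP, as in the page's example.
    print("cold start ports:", cold_start_ports(1, 3))          # 4800
    print("IPs for 100k ports at 3 instances:", public_ips_needed(100_000, 3))
    print("instances for 100k ports with 1 IP:", instances_needed(100_000, 1))
```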