Cloud NGFW for Azure

• Minimizes infrastructure management.
• Stops zero-day, web-based threats in real-time.
• Secures applications as they connect to legitimate web-based services.
• Simplifies the native cloud provider experience with simple, consistent firewall policy management across multiple accounts.
• Automates end-to-end workflows with support for API, ARM templates and Terraform.

• Secures traffic while crossing trust boundaries, like Azure VNets and vWANs. The managed service provided by Cloud NGFW blocks attackers from gaining access to resources, and stops data exfiltration and command-and-control (C2) traffic. It is purpose-built to stop unauthorized or east-west lateral movement.
• Is designed with automation in mind. With rulestack configuration and automated security profiles, Cloud NGFW is designed to meet network security requirements easily with an intuitive user interface that simplifies the creation of resilient firewall resources that scale with your network traffic.
• Incorporates an automated cloud firewall model that dynamically scales with your network traffic and meets unpredictable throughput demands with Gateway Load Balancing (GWLB) for on-demand high availability and elastic scaling. You can access as much or as little capacity as you need, and scale up and down as required.
• Integrates security with workflows managed by cloud providers. With Cloud NGFW, the first next-generation firewall to integrate with cloud providers, you can avoid lengthy deployment cycles and get up and running quickly, even when setting up required rulestacks and automated security profiles. You can leverage the security model provided by the chosen cloud provider while integrating with their onboarding, monitoring and logging capabilities. Cloud NGFW provides a unique benefit when integrating with cloud providers. You can take advantage of automatic scaling and high availability with no maintenance requirements. This integration enables consistent firewall policy management across multiple cloud provider accounts.

• The Cloud NGFW. The Cloud NGFW is a managed Azure regional service, available in select key Azure regions.
• NGFW. Palo Alto Networks uses the NGFW as the resource associated with the customer’s vNET or vWAN hub. It provides resiliency, scalability, and lifecycle management. The NGFW manifests as private IP addresses in the NGFW subnet specified by the user. To use the NGFW resource, update VNet UDRs to send traffic through the private IP addresses.
• NGFW rulestack. This resource includes a set of security rules along with associated objects and security profiles to enable advanced access control, using App-ID and URL filtering, and threat prevention features. You can associate a local rulestack with one or more NGFWs.

Inbound traffic refers to any traffic originating outside of your Azure region and bound for resources inside your application VNets, such as servers or load balancers. Cloud NGFW can prevent malware and vulnerabilities from entering your VNet in the inbound traffic allowed by Azure security groups.

Outbound traffic refers to traffic originating within your application VNet and is bound for destinations outside of the Azure region. Cloud NGFW protects outbound traffic flows by ensuring that resources in your application VNet connect to allowed services and allowed URLs while preventing exfiltration of sensitive data and information.

East-West traffic moves within an Azure region. Specifically, traffic between source and destination deployed in two different application VNets or in two different subnets in the same VNet. Cloud NGFW can stop the propagation of malware within your Azure environment.