New Features - Cloud NGFW for AWS - May 2025


Config Memory Utilization Metrics for Cloud NGFW for AWS

Release Date: May 2025 | Last Updated: May 2026

Cloud NGFW for AWS now publishes Config Memory Utilization custom metrics in AWS CloudWatch to address the challenge of tracking configuration capacity limits before they impact firewall operations. Organizations managing complex security policies through local rulestacks, Panorama, or Strata Cloud Manager previously lacked visibility into how much configuration memory remained available, risking policy commit failures or degraded performance when approaching capacity limits. With Config Memory Utilization metrics, you can now track how much memory your Cloud NGFW resource has available for configurations, enabling proactive capacity planning and preventing operational issues caused by configuration memory exhaustion.

These custom CloudWatch metrics provide real-time visibility into configuration capacity consumption, allowing you to set up automated alerts when utilization reaches threshold levels. You can now monitor configuration memory alongside other operational metrics, identifying trends that indicate when you may need to optimize policies or provision additional resources. This proactive monitoring prevents scenarios where policy updates fail due to insufficient configuration memory, ensuring your security posture remains current and effective.

For more information, see Publish and View Custom Metrics in AWS CloudWatch.

WildFire Hold Mode Support

Release Date: May 2025 | Last Updated: May 2026

Known malware can transfer while a real-time signature lookup is still underway, which introduces a window of risk. If you have an active WildFire® or Advanced WildFire license, Prisma® Access now supports WildFire Hold Mode to address this risk. Hold Mode enables you to configure Prisma® Access to hold the transfer of a sample file while the real-time signature cloud performs a signature lookup. When the lookup completes, Prisma Access releases the file to the requesting client or blocks it, based on your organization's security policy for specific WildFire verdicts, preventing the initial transfer of known malware. You can configure Hold Mode on a per-antivirus-profile basis and apply a global setting for the signature lookup timeout and the associated action.