Cloud Next-Generation Firewall by Palo Alto Networks - an Azure Native ISV Service - is Palo Alto Networks Next-Generation Firewall (NGFW) delivered as a cloud-native service on Azure. You can discover Cloud NGFW in the Azure Marketplace and consume it in your Azure Virtual Networks (VNet) and in Azure Virtual WAN (vWAN). With Cloud NGFW, you can access the core NGFW capabilities such as App-ID and URL filtering based technologies. It provides threat prevention and detection through cloud-delivered security services and threat prevention signatures.
What's New
October 2025 | Billing Change for Cloud NGFW on Azure Effective October 2025, Palo Alto Networks is implementing a previously announced change to how Cloud NGFW on Azure costs are billed. When you deploy Cloud NGFW in a Hub vNET, you alse established peering between the your spoke vNETs and the hub VNet and redirected traffic to Cloud NGFW. Until now, Palo Alto Networks temporarily absorbed the cost associated with this peering. This $0.01 per GB charge, which reflects Microsoft Azure's standard peering rate, will now be billed directly to your Marketplace billing account as a Pay-As-You-Go (PAYG) charge, even if you are on a credit consumption plan. For more information, see Cloud NGFW Azure pricing. |
|
September 2025 |
Cloud NGFW now publishes additional metrics in Azure Monitor to help you monitor your Cloud NGFW's health, performance, and usage patterns. Key metrics available include:
For more information, see View Cloud NGFW Metrics in Azure Monitor and Enable and View Cloud NGFW for Azure Monitoring Metrics. Support for Multi-Dimensional Scaling Cloud NGFW for Azure can now automatically scale based on additional metrics such as Source NAT port utilization, session throughput and session count, ensuring greater reliability and performance for diverse workloads. For more information, see Cloud NGFW for Azure Resiliency and Scalability and View Cloud NGFW for Azure Metrics natively in Azure . Strata Logging Service Support for Panorama Managed Cloud NGFW resources You can now enable SLS for existing Panorama-managed Cloud NGFW for Azure resources by simply generating a new registration string from the Panorama plugin and updating it in the Azure portal. For more information, see Enable Strata Logging Service (SLS) for existing Panorama-managed firewalls and View Traffic and Threat Logs in Strata Logging Service. |
|
July 2025 | Additional Azure Regions You can now deploy Cloud NGFW for Azure in the following regions:
For more information, see Cloud NGFW for Azure Supported Regions. SNAT Port Enhancement More SNAT ports are now allocated for each firewall instance. SNAT port allocation will scale based on the front-end IPs configured. |