Supported Security Policy Management Features
Where Can I Use This?
  • Cloud NGFW for Azure
What Do I Need?
  • Cloud NGFW subscription
  • Palo Alto Networks Customer Support Portal (CSP) account
  • Azure Marketplace subscription
The Palo Alto Networks Cloud NGFW for Azure supports the following security features.
Security Posture, Health Posture, and Operations
Columns: Description | Native Policy Management (Rulestacks) | Panorama Policy Management (Cloud Device Groups) | Strata Cloud Manager (SCM) Policy Management
Log Visualization & Analytics
Cloud NGFW can deliver the generated logs to Azure destinations, the Palo Alto Networks Log Collector, and Strata Logging Service. Review Cloud NGFW logs to verify a wealth of information about your VNet and vWAN traffic. The logs allow you to monitor traffic by application, user, and content activity: URL categories, threats, and the security policy rules that block data or files.
  • Azure Log Analytics Workspace
  • Strata Logging Service
  • Panorama Log Collector
Policy Analysis & Optimization
Rule usage monitoring helps you evaluate whether your policy implementation continues to match your enforcement needs.
Policy Analyzer analyzes your Cloud NGFW rules and recommends possible consolidation or removal of specific rules to meet your intended security posture. It also checks for anomalies in your rulebase, such as shadows, redundancies, generalizations, correlations, and consolidations.
Policy Optimizer identifies port-based rules so you can convert them to application-based allow rules or add applications from a port-based rule to an existing application-based rule without compromising application availability.
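As an added illustration of two of the anomaly classes named above (shadows and redundancies), not Palo Alto Networks code and not how Policy Analyzer is implemented: a first-match-wins rulebase check over a constructed rulestack, with simplified definitions of "shadowed" and "redundant" assumed in the comments.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    sources: tuple        # CIDR strings, or ("any",)
    destinations: tuple   # CIDR strings, or ("any",)
    apps: frozenset       # App-ID names, or frozenset({"any"})
    action: str           # "allow" or "deny"

def nets_covered(inner, outer):
    """True when every network in `inner` lies inside some network in `outer`."""
    if "any" in outer:
        return True
    if "any" in inner:
        return False
    return all(any(ip_network(i).subnet_of(ip_network(o)) for o in outer) for i in inner)

def apps_covered(inner, outer):
    return "any" in outer or ("any" not in inner and inner <= outer)

def covers(outer, inner):
    """True when every session matching `inner` would also match `outer`."""
    return (nets_covered(inner.sources, outer.sources)
            and nets_covered(inner.destinations, outer.destinations)
            and apps_covered(inner.apps, outer.apps))

def analyze(rules):
    """Top-down, first match wins. A rule fully covered by an earlier rule never fires:
    'redundant' if the actions agree, 'shadowed' if they differ (assumed definitions)."""
    findings = []
    for index, later in enumerate(rules):
        for earlier in rules[:index]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, kind, earlier.name))
                break
    return findings

# Constructed sample rulestack (not from any real deployment).
RULEBASE = (
    Rule("allow-web", ("10.0.0.0/16",), ("any",), frozenset({"web-browsing", "ssl"}), "allow"),
    Rule("allow-dev-web", ("10.0.5.0/24",), ("any",), frozenset({"web-browsing"}), "allow"),
    Rule("block-dns", ("10.0.0.0/16",), ("any",), frozenset({"dns"}), "deny"),
    Rule("allow-dns-resolver", ("10.0.0.0/16",), ("10.0.53.10/32",), frozenset({"dns"}), "allow"),
    Rule("deny-all", ("any",), ("any",), frozenset({"any"}), "deny"),
)

if __name__ == "__main__":
    for rule, kind, by in analyze(RULEBASE):
        print(f"{rule}: {kind} (covered by {by})")
```

The shadowed finding is the one to act on first: the allow rule for the internal resolver sits below a broader deny and can never take effect.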
Operational Metrics
You can configure Palo Alto Networks firewalls to publish custom metrics to monitoring systems: Palo Alto Networks AIOps, Panorama, or Azure AppInsights. These metrics allow you to assess firewall performance and usage patterns.
  • Azure AppInsights
  • Palo Alto Networks AIOps
Packet Capture
You can configure Palo Alto Networks firewalls to perform a custom packet capture or a threat packet capture.
  • Threat Packet Captures
  • Traffic Packet Captures
Policy Objects
Columns: Description | Native Policy Management (Rulestacks) | Panorama Policy Management (Cloud Device Groups) | Strata Cloud Manager (SCM) Policy Management
Address
You can specify an address object to include either IPv4 or IPv6 addresses (a single IP address, a range of addresses, or a subnet), an FQDN, or a wildcard address (IPv4 address followed by a slash and wildcard mask).
Address Groups
You can group specific source or destination addresses that require the same policy enforcement.
Regions
You can allow or block traffic from (or to) IP addresses based on their geographic location, such as a country. The region is available as an option when specifying the source and destination for your policy rules. You can choose from a standard list of countries or specify a custom region or geolocation along with its associated IP addresses.
Service (Port & Protocol)
You can granularly control VPC traffic sessions to specific ports on your network (in other words, you can define the default port for the application). Cloud NGFW includes two predefined services, service-http and service-https, which use TCP ports 80 and 8080 for HTTP and TCP port 443 for HTTPS. You can, however, create a custom service on any TCP/UDP port of your choice.
Service Groups
You can combine services that have the same security settings into Service Groups to reduce the number of rules in Security policy.
External Dynamic List
You can granularly control your VPC traffic using a dynamic list of IP addresses, domains, or URLs stored in a file hosted on an external web server. Palo Alto Networks also offers built-in EDLs (Bulletproof, High-Risk, Known Malicious, and Tor Exit IP addresses). Additionally, Palo Alto Networks offers a free EDL hosting service that maintains the ever-changing list of IP addresses for Microsoft 365, Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). You can use these EDLs to control your VPC ingress and egress traffic.
Applications
You can granularly control your VPC traffic by using a Palo Alto Networks App-ID traffic classification system that relies on application signatures to accurately identify applications in your network.
Application group
You can group together a set of App-IDs that require the same policy enforcement.
Application filters
You can granularly control your VPC traffic by defining an application filter that groups current App-IDs and any future App-IDs that match certain attributes. For example, you can create an application filter by one or more attributes: category, subcategory, technology, risk, and characteristics. From then on, whenever a content update introduces a new App-ID to Cloud NGFW, all new applications matching the filter criteria are automatically added to your set.
Tags
Tags allow you to group objects using keywords or phrases. You can apply tags to address objects, address groups (static and dynamic), applications, zones, services, Service Groups, and to policy rules.
Dynamic User Group
Dynamic user groups allow you to create a list of users from the local database, an external database, or match criteria, and group them.
App-ID Cloud
Also known as the device dictionary, this page contains metadata for device objects.
Certificates and Decryption
Columns: Description | Native Policy Management (Rulestacks) | Panorama Policy Management (Cloud Device Groups) | Strata Cloud Manager (SCM) Policy Management
Certificates Management
Cloud NGFW uses certificates to access an intelligent feed and to enable inbound and outbound decryption. Each certificate contains a cryptographic key to encrypt plaintext or decrypt ciphertext. Each certificate also includes a digital signature to authenticate the identity of the issuer.
  • Self-signed Root CA Certificates
  • Import a Certificate and Private Key
  • Cloud Certificates (Azure Secret Manager)
Decryption
Cloud NGFW can decrypt, inspect, and reencrypt your VPC Ingress and Egress traffic as a policy-based decision. You can granularly control what VPC traffic is decrypted and what traffic can’t be decrypted and the type of SSL decryption you want to perform on the indicated traffic. To enable decryption, you set up the certificates required to act as a trusted third party to a session.
  • SSL Forward Proxy
  • SSL Inbound Inspection
  • SSH Proxy: N/A
Security Services
Columns: Description | Native Policy Management (Rulestacks) | Panorama Policy Management (Cloud Device Groups) | Strata Cloud Manager (SCM) Policy Management
Security Policy
Security policy protects your VNet traffic from threats and disruptions. Individual Security policy rules determine whether to block or allow a VNet/VNet traffic session based on traffic attributes, such as the source and destination security zone, the source and destination IP address, the application, the user, and the service.
IPS Vulnerability Protection
Vulnerability Protection protects against inbound threats, where an attacker attempts to exploit a system vulnerability to breach your network. System vulnerabilities may take the form of buffer overflows, illegal code execution, and so on.
  • Default Profile
  • Custom Profile
Anti-spyware
Anti-Spyware detects and blocks outbound threats, especially command-and-control (C2) activity, initiated by malware-infected workloads in your Azure vNet. You can also define custom regular expression patterns to identify spyware phone-home communication.
  • Default Profile
  • Custom Profile
File blocking
File blocking allows you to granularly control file types in your VPC traffic in a specified direction (inbound/outbound/both). You can proactively block files known to carry threats or that have no real use case for upload and download.
  • Default Profile
  • Custom Profile
Antivirus
Antivirus detects and protects against malware concealed in compressed files, executables, PDF files, and HTML and JavaScript malware in your VPC traffic.
  • Default Profile
  • Custom Profile
WildFire Analysis
Cloud NGFW detects and forwards files and executables in your VPC traffic to WildFire™ cloud service for analysis, and also performs inline ML analysis for certain files. If a threat is detected on the files, WildFire creates protections to block malware, and globally distributes protection for that threat in under five minutes.
URL Filtering
URL Filtering analyzes the VPC traffic and controls the URLs accessed by your VPC workloads (in both clear-text and encrypted traffic) by performing inline analysis and comparing against Palo Alto Networks managed URL categories or the custom categories you provide.
  • Default Profile
  • Custom Profile
DNS Security
DNS Security protects outbound DNS requests from your VPCs against threats such as DNS tunneling, Domain Generation Algorithm (DGA) domains, and malware domains.
  • Default Profile
  • Custom Profile
Data filtering & Enterprise DLP
Data filtering detects sensitive information in your VPC traffic, such as credit card or social security numbers or internal corporate documents, and prevents this data from leaving your AWS environment.
With Enterprise DLP, you gain the benefit of advanced data filtering on your VPC traffic using a predefined list of data patterns and cloud-based analytics.
Security Profile Groups
A Security Profile Group is a set of Security Profiles treated as a unit and then easily added to security policy rules.
Networking Services
Columns: Description | Native Policy Management (Rulestacks) | Panorama Policy Management (Cloud Device Groups) | Strata Cloud Manager (SCM) Policy Management
Application Override
You can configure Cloud NGFW to override the normal Application Identification (App-ID) of specific traffic passing through the firewall. As soon as the Application Override policy takes effect, all further App-ID inspection of the traffic stops and the session is identified with the custom application signature you provide.
NAT
Palo Alto Networks firewalls can enforce Destination NAT on your Ingress vNet traffic and Source NAT on your Egress vNet traffic.
  • Ingress (destination) NAT
  • Egress (source) NAT
  • Private NAT to Azure native PaaS
Policy-based forwarding
Policy-based forwarding (PBF) rules on Palo Alto Networks firewalls allow traffic to take an alternative path for security or performance reasons. Suppose your company has two links between the corporate office and the branch office: a cheaper internet link and a more expensive leased line. For enhanced security, you can use PBF to send applications whose traffic is not encrypted, such as FTP, over the private leased line and all other traffic over the internet link. Or, for performance, you can route business-critical applications over the leased line while sending all other traffic, such as web browsing, over the cheaper link.
Security Zones & Protection
Columns: Description | Native Policy Management (Rulestacks) | Panorama Policy Management (Cloud Device Groups) | Strata Cloud Manager (SCM) Policy Management
Security zones
Security zones are a logical way to group interfaces on the firewall, and Cloud NGFW endpoints, to control and log the VPC traffic.
  • Private and Public Zones
  • Zone Mapping
Zone protection
Zone protection defends network security zones against flood attacks, reconnaissance attempts, and packet-based attacks.
Device Settings
Columns: Description | Native Policy Management (Rulestacks) | Panorama Policy Management (Cloud Device Groups) | Strata Cloud Manager (SCM) Policy Management
XFF
Traffic to your VPC workloads might have passed through more than one proxy server (such as a CDN or an ALB) before it reaches the Cloud NGFW. Cloud NGFW uses the X-Forwarded-For (XFF) HTTP header field to identify the original client IP address. Each proxy either appends its IP address to an existing XFF header or adds the XFF header with its IP address, so the XFF request header might contain multiple IP addresses separated by commas. Cloud NGFW always uses the most recently added address in the XFF header to enforce policy.
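The selection rule described above, as an added example (not Palo Alto Networks code): split a multi-valued XFF header and take the most recently added, that is rightmost, entry, which is the one a trusted proxy appended rather than whatever the client chose to send in the leftmost position. The header values are constructed for the example.

```python
from ipaddress import ip_address

def parse_xff(header_value):
    """Split an X-Forwarded-For value into its entries in order of addition:
    leftmost = address claimed for the original client, rightmost = appended
    by the last proxy in the chain."""
    return [entry.strip() for entry in header_value.split(",") if entry.strip()]

def xff_policy_address(header_value):
    """Return the most recently added (rightmost) XFF entry as a normalized
    IP address string, or None when the header is empty or that entry is not
    a valid IPv4/IPv6 address (an invalid entry must not silently match a rule)."""
    entries = parse_xff(header_value)
    if not entries:
        return None
    try:
        return str(ip_address(entries[-1]))
    except ValueError:
        return None

# Constructed sample: the client sent its own XFF value ("10.0.0.1"), then a CDN
# and a load balancer each appended the address they saw the request arrive from.
HEADER = "10.0.0.1, 203.0.113.7, 198.51.100.20"
# Same proxy chain, different client-supplied leftmost value: the policy address
# does not change, because only the rightmost entry is consulted.
HEADER_ALT = "192.0.2.9, 203.0.113.7, 198.51.100.20"

if __name__ == "__main__":
    print(parse_xff(HEADER))
    print(xff_policy_address(HEADER), xff_policy_address(HEADER_ALT))
```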
DNS Proxy
When you configure Cloud NGFW as a DNS proxy, it acts as an intermediary between clients and servers and as a DNS server by resolving queries from its DNS cache or forwarding queries to other DNS servers. Use this page to configure the settings that determine how the firewall serves as a DNS proxy.
Interface Management
Palo Alto Networks firewalls allow you to configure VLANs, virtual wires, Link Layer Discovery Protocol (LLDP), and Bidirectional Forwarding Detection (BFD) on their interfaces.
QoS
Palo Alto Networks firewalls allow you to specify traffic that requires preferential treatment or bandwidth limiting. QoS rules allow you to dependably run high-priority applications and traffic under limited network capacity.
Routing Management
Palo Alto Networks Firewalls allow you to configure Static Routing and Routing Protocols (BGP, BFD, OSPF, OSPFv3, multicast, RIPv2, and filters).
IPSec Tunnel Management
Palo Alto Networks firewalls terminate IPSec tunnels and inspect tunneled traffic.
GlobalProtect™ Management
Palo Alto Networks firewalls secure mobile workforces by specifying algorithms for authentication and encryption in VPN tunnels between a GlobalProtect gateway module and client.
GRE Tunnel Management
Palo Alto Networks firewalls terminate generic routing encapsulation (GRE) tunnels and inspect tunneled traffic.
SD-WAN Link Management
Palo Alto Networks firewalls bind multiple WAN connections (ADSL/DSL, cable modem, Ethernet, fiber optic, LTE/3G/4G/5G, MPLS, microwave/radio, satellite, Wi-Fi) to a virtual interface and support dynamic, intelligent path selection based on applications and services and the conditions of links that each application or service is allowed to use.
Identity Services
Columns: Description | Native Policy Management (Rulestacks) | Panorama Policy Management (Cloud Device Groups) | Strata Cloud Manager (SCM) Policy Management
User-ID based policies
User-ID™, a standard feature on the Palo Alto Networks firewall, enables you to author user- and group-based policies. User-ID provides many mechanisms to collect this user mapping information. For example, the User-ID agent monitors server logs for login events, listens for syslog messages from authenticating services, and leverages user information stored in a wide range of repositories.
N/A
Supported methods:
  • TS Agent
  • Agentless with winrm-https
Panorama/Firewall based data redirection
You can configure some firewalls to collect User-ID mapping information from various sources and then redistribute it to other firewalls, such as Cloud NGFWs.
Cloud Identity Engine (CIE) Directory Sync
Cloud Identity Engine (Directory Sync) allows Palo Alto Networks firewalls to access your Active Directory information, so that you can easily set up and manage security and decryption policies for users and groups.
Cloud Identity Engine (CIE) based Identity Redistribution
Cloud Identity Engine (User Context) collects and distributes IP address-to-username mappings, IP address-and-port-to-username mappings, user tags, IP address tags, Host IDs, and quarantine list information to Palo Alto Networks firewalls.