New Features - Cloud NGFW for Azure - March 2026

Cloud NGFW on Azure now supports Advanced WildFire (AWF) and Advanced DNS Security (ADNS) for Panorama and Strata Cloud Manager managed firewalls to combat sophisticated threats that evade traditional security measures. Zero-day malware and DNS-based attacks continue to bypass conventional detection methods, leaving cloud environments vulnerable to advanced persistent threats and data exfiltration. With Precision AI-powered detection, you can now stop zero-day malware and sophisticated DNS-based threats in real-time through Cloud Inline Analysis within your Anti-Spyware and WildFire Analysis profiles.

You can enable these advanced capabilities in Panorama or Strata Cloud Manager with seamless billing integration that appears as specific add-ons in your usage metrics at a rate of 30% of the base firewall credits when enabled. This transparent pricing model allows you to understand and control costs while maintaining advanced threat protection. AWF and ADNS are currently available for all new Cloud NGFW for Azure tenants, while existing tenants will gain access following an infrastructure upgrade rolling out automatically starting mid-April 2026.

For more information, see Supported Security Policy Management Features and Cloud NGFW for Azure Pricing.

Cloud NGFW on Azure now supports native Cloud IP Tag integration within Strata Cloud Manager to automate scalable policy enforcement in dynamic cloud environments without manual updates. Managing security policies with static IP addresses becomes increasingly complex as your Azure workloads scale and change, requiring constant manual updates to maintain accurate security postures. With Cloud IP Tags, you can enforce security policies based on Azure resource tags instead of static IP addresses, significantly simplifying security management by eliminating the need for manual updates as workloads change.

By creating monitoring definitions in Strata Cloud Manager, the firewall automatically polls your Azure environment to discover existing tags and detect modifications, ensuring consistent security across your network workloads. This automation reduces operational overhead and minimizes the risk of security gaps that can occur when policies don't keep pace with infrastructure changes.

For more information, see Cloud IP Tags for Cloud NGFW for Azure.

Cloud NGFW for Azure now migrates to PAN-OS 11.2 to deliver enhanced security capabilities and performance improvements across all deployments. Managing multiple PAN-OS versions across cloud environments creates complexity and increases the risk of security gaps, making it difficult to maintain consistent protection standards. Starting March 18, 2026, all new Cloud NGFW for Azure tenants will have PAN-OS 11.2 enabled by default, ensuring you benefit from the latest threat prevention capabilities from day one.

For existing customers, upgrades begin mid-April 2026. To prepare for the mandatory upgrade, you should ensure your Panorama is running version 11.2.x (with 11.2.7-h4 being TAC preferred) or if using Panorama 12.x, version 12.1.5 or higher. You also need Azure Panorama Plugin 5.2.3 or higher. For Strata Cloud Manager and Strata Logging Service managed tenants, no additional action is required, making the transition seamless for cloud-managed environments.

For more information, see Panorama Integration Prerequisites.

Cloud NGFW on Azure now supports port ranges in DNAT rules to address the operational complexity of managing applications that require multiple sequential ports. Configuring individual DNAT rules for applications using multiple ports creates excessive rule entries, increases configuration errors, and makes policy management unwieldy as your cloud infrastructure scales. With port range support, you can now specify an entire range in a single DNAT rule, simplifying configuration for applications using multiple ports and improving rule scalability.

This enhancement allows you to define port ranges such as 8000-8100 in one rule entry instead of creating 101 separate rules, dramatically reducing configuration overhead and minimizing the potential for misconfigurations. You can now manage complex port mappings more efficiently while maintaining clear, readable security policies that are easier to audit and troubleshoot.

For more information, see Configure a Source and Destination NAT Rule.