Cloud NGFW for Azure Limits and Quotas
Learn the limits and quotas of the Cloud NGFW for Azure.
The following tables list the limits and performance data for your Cloud
NGFW tenant. Unless indicated otherwise, you can request an increase for these
limits.
Use the Cloud NGFW for Azure pricing estimator to
help you determine Azure limits and quotas for your Cloud NGFW subscription.
Local Rulestack Policy Management
| Name | Default Limits per Cloud NGFW Tenant | Adjustable |
|---|---|---|
| Number of Cloud (Azure) accounts in a tenant | 200 | No |
| Cloud NGFW Resources in a Tenant | 50 per account per region | No |
| Cloud NGFW Endpoints in a Tenant | 50 per account per region | N/A |
| Cloud NGFW Endpoints for each Cloud NGFW Resource | 50 | Yes |
| Outstanding Global Rulestacks not associated with NGFW Resources | 10 | Yes |
| Outstanding Local Rulestacks not associated with NGFW Resources | 10 | No |
To change any of the adjustable limits listed above, contact Palo Alto Networks
Customer Support.
Native Policy Management (Rulestack)
| Attribute | Maximum Limit per Cloud NGFW Resource | Adjustable |
|---|---|---|
| Security rules | 1,000 | No |
| Address objects (FQDN lists and IP prefix lists) | 1,000 | No |
| Number of IP prefix lists | 1,000 | No |
| FQDN objects across all FQDN lists | 2,000 | No |
| Prefix objects for each IP prefix list | 2,500 | No |
| URLs across all URL categories | 25,000 | No |
| Intelligent feeds (including the five predefined feeds) | 30 | No |
| IP addresses across all feeds | 50,000 | No |
| Certificate objects | 100 | No |
Panorama Policy Management
| Attribute | Maximum Limit per Cloud NGFW Resource* |
|---|---|
| Policy | |
| Security rules | 10,000 |
| Decryption rules | 1,000 |
| Objects | |
| Address objects | 10,000 |
| Address groups | 1,000 |
| Members per address group | 2,500 |
| FQDN address groups | 2,000 |
| Service objects | 2,000 |
| Service groups | 500 |
| Members per service group | 500 |
| EDL | |
| Max number of DNS per domain system | 500,000 |
| Max number of IPs per system | 50,000 |
| Max number of URLs per system | 100,000 |
| Max number of custom lists | 30 |
| URL Filtering | |
| Total entities for allow list, block list and custom categories | 25,000 |
| Max custom categories | 500 |
* The policy and object limits specified are unidimensional maximums. Palo Alto
Networks recommends additional testing within your environment to ensure you meet
your policy authoring objectives.
Cloud NGFW for Azure Performance
The following table provides performance information for your
Cloud NGFW for Azure tenant.
The information provided in
the following table assumes a maximum of 40 instances.
| Attribute | Performance metric |
|---|---|
| Firewall Throughput (App-ID enabled) | Maximum throughput: 100 Gbps; per instance is 2.92 Gbps. Coldstart: 8.55 Gbps. For coldstart traffic, Content Threat Detection is enabled. Without Content Threat Protection, each firewall instance is capped at 3.00 Gbps due to the instance type. This is an Azure limitation. |
| Threat Prevention Throughput | Maximum throughput: 92 Gbps; per instance is 2.31 Gbps |
| Encrypted Traffic Throughput | 44 Gbps (with Content Threat Detection); per instance is 1.11 Gbps. 60 Gbps (without Content Threat Detection); per instance is 1.52 Gbps. |