Cloud NGFW for Azure Limits and Quotas

Table of Contents

Cloud NGFW for Azure Supported Regions and Zones

Cloud NGFW for Azure Limits and Quotas

Learn the limits and quotas of the Cloud NGFW for Azure.

Where Can I Use This?	What Do I Need?
Cloud NGFW for Azure	Cloud NGFW subscription Palo Alto Networks Customer Support Portals (CSP) account Azure Marketplace subscription

The following tables list the limits and performance data for your Cloud NGFW tenant. Unless indicated otherwise, you can request an increase for these limits.

Use the Cloud NGFW for Azure pricing estimator to help you determine Azure limits and quotas for your Cloud NGFW subscription.

Cloud NGFW for Azure offers different SKUs to accommodate varying customer deployment size requirements.

Standard Instance: The foundational tier recommended for cloud-native environments requiring standard policy sets. Includes standard autoscaling to manage peak traffic up to 100 Gbps.
Premium Instance: Ideal for securing highly sensitive applications. Supports much larger policy sets and a faster ramp-up to seamlessly handle massive peak traffic up to 200 Gbps at a higher price.

Native Policy Management (Rulestack)

Attribute	Maximum Limit per Cloud NGFW Resource	Adjustable
Security rules	1,000	No
Addresses objects (FQDN list and IP prefix lists)	1,000	No
Number of IP prefix lists	1,000	No
FQDN objects across all FQDN lists	2,000	No
Prefix objects for each IP prefix list	2,500	No
URLs across all URL categories	25,000	No
Intelligent feeds (including the five predefined feeds)	30	No
IP addresses across all feeds	50,000	No
Certificate objects	100	No

Panorama Policy Management

Attribute	Standard SKU Maximum Limit per Cloud NGFW Resource*	Premium SKU Maximum Limit per Cloud NGFW Resource*
Policy
Security rules	10,000	20,000
Decryption rules	1,000	2,000
Objects
Address objects	20,000	40,000
Address groups	2,500	4,000
Members per address group	2,500	2,500
FQDN address groups	2,000	2,000
Service objects	2,000	5,000
Service Groups	500	500
Members per Service Group	500	500
External dynamic list
Max number of DNS per domain system	2,000,000	2,000,000
Max number of IPs per system	50,000	50,000
Max number of URLs per system	100,000	100,000
Max number of custom lists	30	30
URL Filtering
Total entities for allow list, block list, and custom categories	25,000	25,000
Max custom categories	500	1,000

* The limits on policy and objects specified are unidimensional maximum. Palo Alto Networks recommends additional testing within your environment to ensure you meet your policy authoring objectives.

Cloud NGFW for Azure Performance

The following table provides performance information for your Cloud NGFW for Azure tenant.

The information provided in the following table assumes a maximum of 40 instances.

Attribute	Performance Metric (Standard)	Performance Metric (Premium)
Firewall throughput (App-ID enabled)	Maximum throughput: 100 Gbps; per instance is 2.92 Gbps Coldstart: 8.55 Gbps Coldstart refers to initial, baseline capacity and performance of a newly deployed or idle Cloud NGFW resource before it automatically scales up to handle increased traffic loads. For coldstart traffic, Content Threat Detection is enabled. Without Content Threat Protection, each firewall instance is capped at 3.00 Gbps due to the instance type. This is an Azure limitation.	Maximum throughput: 200 Gbps; per instance is 8.7 Gbps Coldstart: 26.1 Gbps For coldstart traffic, Content Threat Detection is enabled. Without Content Threat Protection, each firewall instance is capped at 12.5 Gbps for Premium instances. This is an Azure limitation.
Threat Prevention throughput	Maximum throughput: 92 Gbps; per instance is 2.31 Gbps	Maximum throughput: 184 Gbps; per instance is 4.6 Gbps
Encrypted Traffic throughput	44 Gbps (with Content Threat Detection); per instance is 1.11 Gbps 60 Gbps (without Content Threat Detection); per instance is 1.52 Gbps	104 Gbps (with Content Threat Detection); per instance is 2.6 Gbps 144 Gbps (without Content Threat Detection); per instance is 3.6 Gbps
SNAT Ports	Per Public IP SNAT port = 64000 CNGFW can scale maximum up to 40 instances behind the scene hence per instance 1600 SNAT ports are available. Total available ports = Number of Public IP * Number of Instance * 1600 For example: By default, one instance is deployed in each AZ. If a region has three AZ, and one Public IP is assigned to firewall, the cold start SNAT port will be 4800. You can either add more IP addresses to increase the number or it will auto scale instance if we reach exhaustion to the scaling threshold.	Per Public IP SNAT port = 64000 CNGFW can scale maximum up to 40 instances behind the scene hence per instance 1600 SNAT ports are available. Total available ports = Number of Public IP * Number of Instance * 1600 For example: By default, one instance is deployed in each AZ. If a region has three AZ, and one Public IP is assigned to firewall, the cold start SNAT port will be 4800. You can either add more IP addresses to increase the number or it will auto scale instance if we reach exhaustion to the scaling threshold.

Metrics Integration Limits

Azure Monitoring Metrics Integration has the following service and platform limitations:

Data Retention: Firewall metrics are stored for a maximum of 90 days within Application Insights.
Azure Custom Metrics Limit: The Azure custom metrics ingestion feature is subject to an Azure platform limit of 50,000 total active time series per subscription per region.

Cloud NGFW Credit Usage Visibility

Cloud NGFW for Azure Supported Regions and Zones

Cloud NGFW for Azure Docs

Cloud NGFW for Azure Limits and Quotas

Cloud NGFW for Azure Docs

Cloud NGFW for Azure Limits and Quotas

Native Policy Management (Rulestack)

Panorama Policy Management

Cloud NGFW for Azure Performance

Metrics Integration Limits

Activation & Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner