Any new Azure tenant deploying Cloud NGFW for Azure, will now be on PAN-OS version 11.2.

New Customers: Starting March 18, 2026, all new Cloud NGFW for Azure tenants will have PAN-OS 11.2 enabled by default.

Existing Customers: Upgrades start mid-April 2026. To prepare for the mandatory upgrade or to request an early upgrade via TAC, please ensure:

• Panorama Version: 11.2.x (11.2.7-h4 is TAC preferred).
  If your Panorama is on 12.x, use version 12.1.5 or higher.
• Azure Panorama Plugin: 5.2.3 or higher version.

For more information, see Panorama Integration Prerequisites.

AWF and ADNS are currently available for all new Cloud NGFW for Azure tenants. For existing tenants, AWF and ADNS will be available following an infrastructure upgrade. The infrastructure upgrades will be rolled out automatically starting in mid-April, 2026. If you require an early access to these capabilities, reach out to Palo Alto Networks Support.

You can now specify port ranges in DNAT rules. This enhancement simplifies configuration for applications using multiple ports and improves rule scalability by allowing a single entry for an entire range. For more information, see Configure a Source and Destination NAT Rule.

You can now deploy Cloud NGFW for Azure in New Zealand North region.

For more information, see Cloud NGFW for Azure Supported Regions.

Effective October 2025, Palo Alto Networks is implementing a previously announced change to how Cloud NGFW on Azure costs are billed. When you deploy Cloud NGFW in a Hub vNET, you also established peering between the your spoke vNETs and the hub VNet and redirected traffic to Cloud NGFW. Until now, Palo Alto Networks temporarily absorbed the cost associated with this peering. This $0.01 per GB charge, which reflects Microsoft Azure's standard peering rate, will now be billed directly to your Marketplace billing account as a Pay-As-You-Go (PAYG) charge, even if you are on a credit consumption plan. For more information, see Cloud NGFW Azure pricing.

Cloud NGFW now publishes additional metrics in Azure Monitor to help you monitor your Cloud NGFW's health, performance, and usage patterns.

Key metrics available include:

For more information, see View Cloud NGFW for Azure Monitoring Metrics.

Cloud NGFW for Azure can now automatically scale based on additional metrics such as Source NAT port utilization, session throughput and session count, ensuring greater reliability and performance for diverse workloads. For more information, see Cloud NGFW for Azure Resiliency and Scalability and View Cloud NGFW for Azure Metrics natively in Azure .

You can now deploy Cloud NGFW for Azure in the following regions:

For more information, see Cloud NGFW for Azure Supported Regions.

You can now use Strata Cloud Manager to manage security policies in your Cloud NGFW resources. In that case, your centralized management add-on consumption is metered on each NGFW resource for each hour associated with a Strata Cloud Manager, as well as for the amount of traffic processed by that NGFW resource. For more information, see Cloud NGFW for Azure Pricing.

You no longer need to pay for additional device licenses to manage policy rules in Cloud NGFW for Azure resources. Panorama (version 11.2.6 or above) does not count these NGFW resources against its managed device license count.

You can now use the Cloud NGFW Credits Management Console to gain greater visibility into how your Cloud NGFW credits are used. You can now analyze your usage at different periods at a summary level for your tenant and NGFW resources. You can also analyze your usage at a granular level for each Cloud NGFW resource, for the traffic secured, for the Cloud-Delivered Security Services (CDSS) and for Centralized Management (Panorama, Strata Cloud Manager, and Strata Logging Services). For more information, see Credit Usage Visibility.

You can register your Cloud NGFW resources with an existing Strata Cloud Manager, which you had previously activated based on Prisma Access (SCM Essentials), or Strata Cloud Manager Pro/Essential licenses. If you do not have a Strata Cloud Manager, you can activate a new Strata Cloud Manager Essentials (steps 1-8) to use with Cloud NGFW for Azure. In either case, the integration automatically enables Strata Cloud Manager Pro features for Cloud NGFW.

Cloud NGFW Credits (Video)

Cloud NGFW for Azure Sentinel Integration (Blog)

Palo Alto Cloud NGFW Overview, Use cases and Demo (Part 1) (Video)

When managing Cloud NGFW resources with Panorama, you can now stream the logs to the Strata logging service. You can then use Strata Logging Service to perform Explore/Log Viewer queries to view logs generated by specific Cloud NGFW for Azure resources. When used with Cloud NGFW for Azure, Strata Logging Service automatically scales. As traffic throughput increases on these Cloud NGFW resources, so does your available Strata Logging Service storage so that you don't need to worry about making manual adjustments to storage to save your log data. For more information, see View Traffic and Threat Logs in Strata Logging Service.

You can now register your Cloud NGFW resource with Strata Cloud Manager (SCM) for policy management. With this feature, you can use a single Strata Cloud Manager (SaaS instance) to centrally manage a shared set of security rules on Cloud NGFW resources alongside your physical and virtual firewall appliances.

See Strata Cloud Manager Policy Management for more information.

Cloud NGFW for Azure changes the pricing structure to provide more flexibility. See the Pricing page for more information.

You can now configure up to 120 DNAT rules in Front-end settings in Cloud NGFW resources. Additionally, you can associate up to 120 Public IP addresses with each Cloud NGFW resource. Refer to the Step 3 in the documentation here.

Cloud NGFW is now a Payment Card Industry Data Security Standard (PCI DSS) compliant service. Additionally, Cloud NGFW complies with SOC2 HIPAA, ISO ( ISO 27001, ISO 27017, ISO 27018, ISO 27701), CSA STAR, IRAP, and Germany C5 standards. To learn more, visit Cloud NGFW for Azure Certifications.

Cloud Native Security: Revolutionizing Cloud Environments with Cloud NGFW Blog

You can now use the Cloud NGFW credits to fund both Cloud NGFW resources in AWS and Azure and all related CDSS services you would like to use with it. Use the credits for Panorama, Strata Cloud Manager, or the Strata Logging Service. For more information, see Cloud NGFW Credit Distribution and Management.

Cloud NGFW Credits Video

Cloud NGFW for Azure is now available in the following Azure regions:

• Japan West (Osaka)
• Sweden Central (Gavle)
• Italy North (Milan)
• South Africa North (Johannesburg)
• Israel Central
• West Central US (Wyoming)
• UAE North (Dubai)

See Supported Regions and Zones for the complete list of supported regions.

Your Cloud NGFW for Azure can now use an IP address in an X-Forwarded-For (XFF) header to enforce security policy created on Panorama.

Cloud NGFW for Azure is now available in the following Azure regions:

• Canada East

See Supported Regions and Zones for the complete list of supported regions.

Cloud NGFW for Azure is now available in the following Azure regions:

• Norway East
• Germany West Central
• Central India
• Switzerland North

See Supported Regions and Zones for the complete list of supported regions.

Cloud NGFW for Azure bills virtual network peering charges under the Azure Networking charges dimension. The consumption details are shared to the Azure Marketplace. Usage is tracked for inbound (from Internet to VNET), outbound (to Internet from VNET) and east-west traffic (across VNETs). For more information on the charges, see the Pricing page.

See Supported Regions and Zones for the complete list of supported regions.

See Supported Regions and Zones for the complete list of supported regions.

See Supported Regions and Zones for the complete list of supported regions.

See Supported Regions and Zones for the complete list of supported regions.

Terraform	Use the Azure Provider to configure infrastructure using Azure Resource Manager APIs.
PowerShell	Use Microsoft Azure PowerShell cmdlets to configure Cloud NGFW for Azure.
CLI	Use these commands to manage your Cloud NGFW for Azure resources.
SDK	SDK package for Python is supported.

Cloud NGFW for Azure has reached general availability. This release includes numerous fixes, support for additional regions, and enhancements to the pay-as-you-go (PAYG) subscription model.

View the overall health status of the Cloud NGFW firewall, connection status, and diagnostic information. Use this information to determine the cause of an unhealthy firewall state. See Monitor Cloud NGFW Health for more information.

The initial release of Cloud NGFW for Azure includes the following features:

• vNET and vWAN-based firewall deployments
• Single and multihub for vWAN. For more information, see Configure Palo Alto Networks Cloud NGFW in Virtual WAN.
• Use cases for inbound, outbound, and east-west traffic
• Policy Management for rulestacks, prefix objects, FQDN objects and certificate objects
• Logging support
• Autoscale support
• Outbound decryption
• Content and antivirus upgrades
• Rolling upgrades for firewall resources
• Support provided by Customer Support Portal
• Support for built-in roles (LocalNGFirewall and LocalRuleStacksAdministrator)