Product Q: What is Cloud NGFW for Azure? A: Cloud NGFW for Azure is a managed cloud-native next-generation firewall service delivered by Palo Alto Networks on the Azure platform. Cloud NGFW for Azure protects your Azure workloads by offering best-in-class security with the ease of use of a cloud native service.   Q: What are the key benefits of Cloud NGFW for Azure? A: With Cloud NGFW for Azure, customers get both best-in-class security and an easy, managed cloud-native experience. Customers no longer have the operational overhead of managing the infrastructure, scaling, availability, resiliency, and software/content updates associated with a network virtual appliance solution. Cloud Security teams can now deploy this service with ease and speed at scale in their Azure environment by using the Azure Portal and Azure automation tools. Network Security teams have the flexibility to use Panorama for centralized security policy management and logging.. Cloud NGFW seamlessly integrates with Azure services (e.g., Azure Portal, Azure Key Vault, Azure Log Analytics). These out-of-the-box integrations reduce the operational burden for security teams. They no longer need to maintain custom solutions or specialized expertise to provision and operationalize NGFWs. Q: What is the difference between Cloud NGFW for Azure and VM-series on Azure? A: Cloud NGFW for Azure is a fully managed service while the customers manage the VM-series. With Cloud NGFW for Azure customers do not need to worry about the design and management of the underlying infrastructure (i.e Virtual Machines, Load Balancers), PAN-OS software and content updates, scaling, and high availability deployments. The VM-series is a Network Virtual Appliance (NVA) that customers use to build a self-managed NGFW using Azure infrastructure components. The customer is responsible for managing the infrastructure, software, high availability, and scaling.   Q: Who manages the Cloud NGFW for Azure firewall service? A: Palo Alto Networks owns and manages the service. You can find the service listed on the Azure Marketplace. You can also find Cloud NGFW directly in the Azure portal (search for “Cloud NGW”), and when creating an Azure Virtual WAN Hub.   Q: Does Cloud NGFW for Azure offer a Service Level Agreement? A: Cloud NGFW for Azure offers an uptime Service Level Agreement (SLA) of 99.99%. During the Public Preview period, this SLA is not guaranteed and customers will not be eligible to claim compensation if there is an outage.   Q: In what Azure regions is Cloud NGFW for Azure available? A: You can find the latest information on Azure region availability in the Cloud NGFW for Azure documentation. Rapid expansion to additional regions is planned.   Q: Is Cloud NGFW for Azure available in Azure Government? A: Not at this time. Expansion to Azure Government is under consideration.   Q: What is expected from customers to maintain software updates and dynamic content updates from Palo Alto Networks cloud-delivered services, such as threat signatures and URL categories? A: Customers do not need to do anything to use the latest threat content from Palo Alto Networks. Cloud NGFW will automatically download the latest content from the Palo Alto Networks cloud to deliver the most up-to-date threat protection. Customers will not be responsible for managing the software updates for the NGFWs either. Cloud NGFW will roll out the software updates for the NGFWs using Azure’s rolling upgrade infrastructure.   Q: Can Panorama be used to manage Cloud NGFW for Azure service? A: Yes. With Cloud NGFW for Azure, the VM-Series instances that make up the Cloud NGFW resources connect directly to Panorama. This allows Panorama to send security policies directly to the VM-Series, unlocking the majority of the security policy functionality available in Panorama, including Dynamic Address Groups (DAGs). It also means that the VM-Series can send logs directly to Panorama. Note that Cortex Data Lake is NOT supported today.   Q: What Cloud Delivered Security Services (CDSS) are available for Cloud NGFW for Azure? A: CDSS availability depends on how the security policy is being managed: Azure portal: If Cloud NGFW is managed through the Azure portal, Advanced Threat Prevention (ATP) and Advanced URL Filtering (AURL) are available. Panorama: If  Cloud NGFW is managed through Panorama, Advanced Threat Prevention (ATP), Advanced URL Filtering (AURL), WildFire (WF), and DNS security are available. Q: When will there be full feature parity between Cloud NGFW and VM-Series? A: At launch on May 2, 2023, Cloud NGFW for Azure will be integrated with Panorama, with majority of the VM-Series security functionalities included. There are some routing and advanced VM-Series features that are not supported today, such as BGP routing, VPN termination, and Global Protect.    Q: Will my network traffic be isolated from the network traffic of other customers? A:  Yes. The data plane is dedicated per tenant, so network traffic processing is kept separate from other customers.   Q: What compliance certifications does Cloud NGFW have? A: Cloud NGFW for Azure is SOC 2 Type 2 compliant. SOC 2 compliance provides assurance that Palo Alto Networks is securing data and ensuring privacy according to industry best practices. The standard is based on the following Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Customers can request the report here.   Getting Started - Deployment Q: How do I get started using Cloud NGFW for Azure? A: You can start using Cloud NGFW from the Azure Marketplace. You can also find Cloud NGFW directly in the Azure portal, and when creating an Azure Virtual WAN Hub.   Q: How do I protect my VNET deployments? A: Cloud NGFW for Azure can protect your VNET deployments. Please see the VNet documentation for additional details.   Q: How do I protect my VWAN deployments?  A: Cloud NGFW for Azure can protect your VWAN deployments. Please see the VWAN documentation for additional details.   Q: What is a Cloud NGFW tenant? A: A tenant is an instantiation of the Cloud NGFW service associated with a customer. The tenant is created when the first Cloud NGFW resource is created, and is associated with the Azure customers’ account that created the resource.   Q: What is a Cloud NGFW rulestack? A: A rulestack defines Cloud NGFW resource’s advanced access control (App-ID, Advanced URL Filtering) and threat prevention behavior. A rulestack includes a set of security rules and the associated objects and security profiles. To use a rulestack, associate the rulestack with one or more NGFW resources.   Working with Cloud NGFW for Azure Q: Where can I send logs generated by Cloud NGFW for Azure? A: The logging destination depends on how the security policy is being managed: For Azure Portal, logs can be sent to an Azure Log Analytics Workspace  For Panorama, logs can be sent to Panorama or a Panorama log collector. Q: What is the maximum throughput of a Cloud NGFW resource? A: A Cloud NGFW resource can scale up to 50 Gbps.   Q: What is the cold-start capacity of a Cloud NGFW resource? A: Each Cloud NGFW resource starts with a cold-start capacity of 9 Gbps, and provides redundancy across three Availability Zones (where available).   Q: Does Cloud NGFW for Azure support automation? A: Support for the Azure Infrastructure as Code (IaC) tools is planned for GA. These include the Azure API/CLI/SDK, ARM Templates, and Terraform provider.   Pricing and Licensing Q: Can customers purchase Cloud NGFW for Azure through the Azure Marketplace? A: Yes. Cloud NGFW for Azure is available on Azure Marketplace on a Pay-As-You-Go basis. During the Public Preview period, the price is 50% of the regular price. At GA, it will be the regular price.   Q: How is Cloud NGFW for Azure priced? A: Cloud NGFW for Azure is priced like other Azure virtual networking resources—per Hour plus per GB of traffic. With Cloud NGFW for Azure, customers pay an hourly rate for each Cloud NGFW resource. Data processing charges apply for each GB processed by the Cloud NGFW resource. Customers can add additional security capabilities such as Advanced Threat Prevention and Advanced URL Filtering to the per-hour and per-GB prices. Further information on pricing can be found in the Cloud NGFW for Azure documentation.   Q: Does Cloud NGFW for Azure have a Free Trial option? A: Yes. Cloud NGFW is available with a Free Trial via the Pay-as-you-go listing in the Azure Marketplace. Customers are automatically enrolled in the 30-day free trial period upon subscription. The free trial allows customers to use two NGFW resources with full features to secure 1 TB of traffic at no cost to the customer. After 30 days, the free trial converts to pay-as-you-go billing, consistent with the terms of the listing.   Q: Can customers deploy Cloud NGFW for Azure using Software NGFW credits?  A: No. Software NGFW credits may only be used with VM-Series and CN-Series, which are software products. This is detailed in the SKU description: "Software NGFW Credits to deploy VM-Series, CN-Series, Subscription Services, and Virtual Panorama to manage Software Firewalls." Cloud NGFW is a service offering so Software NGFW credits may not be used to consume Cloud NGFW. We plan to introduce a new type of credit called Cloud NGFW credits in the second half of 2023. Cloud NGFW credits will be able to be used to consume Cloud NGFW for AWS and Cloud NGFW for Azure. Cloud NGFW credits will be a different type of credit than Software NGFW credits, and the two will not be interchangeable.   Q: Can customers deploy Cloud NGFW for Azure using their VM-Serles ELA?  A: No. Cloud NGFW for Azure cannot be deployed using the VM-Series ELA.   Support Q: How can customers get customer support for Cloud NGFW? A: Premium support is included with Cloud NGFW. Customers must register their Cloud NGFW for Azure tenant to their CSP account. They can do this in the Azure portal on the page where they create and manage Cloud NGFWs.   Q: Who provides support for Cloud NGFW for Azure? A: Palo Alto Networks is responsible for providing support for Cloud NGFW for Azure. If needed, Palo Alto Networks will work with Microsoft Azure to resolve any customer support issues.

Background   This guide documents a recommended architecture to deploy the Cloud NGFW for Azure behind the Azure Application Gateway.   This deployment model allows leveraging the Application Gateway's reverse proxy and Web Application Firewall (WAF) functionality while benefiting the best-in-class network security capabilities of the Cloud NGFW.   Cloud Next-Generation Firewall by Palo Alto Networks - an Azure Native ISV Service is Palo Alto Networks Next-Generation Firewall (NGFW) delivered as a cloud-native service on Azure. You can discover Cloud NGFW in the Azure Marketplace and consume it in your Azure Virtual Networks (VNet) and in the Azure Virtual WAN (vWAN). With Cloud NGFW, you can access the core NGFW capabilities such as App-ID and URL filtering-based technologies. It provides threat prevention and detection through cloud-delivered security services and threat prevention signatures.   More details about the Cloud NGFW by Palo Alto Networks - an Azure Native ISV Service can be found here: https://learn.microsoft.com/en-ca/azure/partner-solutions/palo-alto/palo-alto-overview   Architecture   The Cloud NGFW for Azure secures inbound, outbound, and lateral traffic traversing the Hub Virtual Network (Hub VNet) or Virtual WAN Hub (vWAN Hub).   To secure ingress connections, Cloud NGFW resource supports Destination Network Address Translation (DNAT) configuration. Cloud NGFW accepts client connections on one or more of the configured Public IP addresses and performs the address translation, traffic inspection, and enforces the user-configured security policies.   For web applications, users may benefit from using Azure Application Gateway (AppGW) as a reverse proxy/Load Balancer. This combination offers the best security when securing both web-based and non-web workloads in Azure and on-prem. Ingress connections. It allows using a single Public IP address of the AppGW to proxy the HTTP(s) connections to many web application backends. Non-HTTP(s) connections should be directed via the Cloud NGFW Public IP address for inspection and policy enforcement.    The AppGW also offers Web Application Firewall (WAF) capabilities to look for patterns that indicate an attack at the web application layer.   More details about Application Gateway features can be found here: (https://learn.microsoft.com/en-us/azure/application-gateway/)   Cloud NGFW for Azure supports two deployment architectures: Hub-and-Spoke VNet  Virtual WAN The following sections describe the details and the required configuration to implement this architecture in Azure.   Hub VNet In this deployment, two subnets are allocated in the Hub VNet. The Cloud NGFW resource is provisioned into the Hub VNet.    The AppGW is deployed in a dedicated VNet with a Frontend listening on a Public IP address. The backend pool and target the workloads serving the web application in this example a Virtual Machine in a spoke VNet 192.168.1.0/24.   Similar to spoke VNets, the AppGW VNet must be peered with the Hub VNet to ensure the traffic can be routed towards the destination spoke VNet.   To force the incoming web traffic via the Cloud NGFW resource a User-Defined route must be created and associated with AppGW subnet. The next hop in this case is Cloud NGFW’s Private IP address which can be obtained from the “Overview” blade of the resource in Azure Portal.       Example User-defined Route: Address prefix: 192.168.1.0/24 Next hop type: Virtual Appliance Next hop IP address: 172.16.1.132   Once the infrastructure is deployed and configured there must be a security policy applied to the Cloud NGFW allowing the connection from the AppGW VNet. The AppGW proxies the client’s TCP connection and creates a new connection to the destination specified in the backend target. The source IP of this connection is the private IP address from the AppGW subnet. Thus, the security policy configuration should be configured accordingly using the AppGW VNet prefix to ensure it is treated as the inbound flow. The original source IP of the client is not preserved at layer 3.   Non-web traffic can continue using the Cloud NGFW’s public IP address(s) and DNAT rules.   vWAN Hub Securing vWAN Hub using the Palo Alto Networks SaaS solution is the most effective and easiest way to guarantee your vWAN stays secure with a consistent security policy applied across the entire deployment.    Routing Intent and Policy must be configured to use Cloud NGFW resource as a Next Hop for Public and/or Private traffic. Any connected spoke VNet or VPN/ExpressRoute Gateway would get the routing information to send the traffic via the Cloud NGFW resource.   By default, the VNet connection to the hub has the “Propagate Default Route” flag set to “Enabled”. This installs a 0.0.0.0/0 route forcing all non-matched traffic sourced from that VNet to go via the vWAN hub. In this topology, this would result in asymmetric routing as the return traffic proxied by the AppGW will go back to the vHub instead of the Internet. Hence, when connecting the AppGW VNet to the vWAN hub, set this attribute to “Disabled” to allow the AppGW-sourced traffic to break out locally.       In some cases, this may not be desirable. For example, when there are other applications or workloads hosted in the AppGW VNet requiring the inspection by the Cloud NGFW. In this case, you can enable the default route propagation but also add a 0.0.0.0/0 route to the AppGW subnet to override the default route received from the hub. An explicit route to the application VNet is also required.   You can locate the Next Hop IP address of the Cloud NGFW by looking at the effective routes of a workload in a spoke VNet, for example, a Virtual Machine Network interface:     Security Policy Considerations   Azure Rulestack   Azure Rulestack allows configuring the security rules and applying the security profiles right in the Azure Portal or via the API. When implementing the architecture presented above, configure the security rules leverating Palo Alto Network’s patented App-ID, Advanced Threat Prevention, Advanced URL filtering and DNS security Cloud-Delivered Security Services (CDSS).   See Cloud NGFW Native Policy Management using Rulestacks for more details.   NOTE: Use  of X-Forwarded-For (XFF) HTTP header field to enforce security policy is currently not supported with the Azure Rulestack policy management. Panorama When managing the Cloud NGFW resources using Panorama, users may leverage the existing and new policy constructs such as template stacks, zones, vulnerability profiles, etc. The Cloud NGFW security policies may be configured between the 2 zones: Private and Public. Inbound traffic goes from Public Zone to Private, Outbound is Private-to-Public, and East-West is Private-to-Private.      The ingress traffic coming through the Application Gateway is forwarded via the Private Zone to the Cloud NGFW resource for inspection and security policy enforcement as depicted in the diagram below.   Special considerations need to be applied to the zone-based policies to ensure the traffic coming from the Application Gateway is treated as Inbound i.e. security rules, threat prevention profiles, Inline Cloud Analysis and other. The traffic will be treated as Private-to-Private as the Application Gateway proxies the traffic and it is sourced using the Private IP address from the Application Gateway subnet.   © Palo Alto  Networks, Inc.   References https://docs.paloaltonetworks.com/cloud-ngfw/azure/cloud-ngfw-for-azure https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-palo-alto-cloud-ngfw    

In this guide, we will discuss how to enable user-id on Cloud NGFW for Azure and use user-id in policy definition and traffic monitoring.  

Learn how the self-managed virtual appliance and managed cloud service stack up to each other in capabilities such as security controls, Azure-native services support, and additional security services.

Unlock the power of Cloud NGFW on Azure effortlessly! Dive into a streamlined solution—automating your end-to-end lab creation with Azure VWAN and Spoke VNets. Seamlessly connect workloads to the Hub, while effortlessly integrating Cloud NGFW into Azure Virtual WAN. Perfect for Palo Alto Field Teams and Partners eager to independently build and showcase the transformative benefits of Cloud NGFW for Azure.  

Cloud NGFW for Azure is a Firewall as a service jointly offered by Palo Alto Networks and Microsoft Azure. The below list includes the required steps to get started with the Cloud NGFW. 

Cloud NGFW is the industry’s only machine learning (ML)-powered NGFW delivered as a cloud-native service on Azure. With Cloud NGFW, you can run more apps securely at cloud speed and cloud scale with an actual cloud-native experience. There is no trade-off between cloud agility and sophisticated, multi-layered security. You get to experience the best of both worlds with natively integrated network security delivered as a service on Azure.   This guide outlines the architecture of the Cloud NGFW from a high-availability (HA) and resiliency point of view. The document covers design considerations applied to the Cloud NGFW to ensure there's no single point of failure in any of the underlying service components. It also covers the approach taken with respect to zonal redundancy protecting from Azure infrastructure outages. Lastly, the guide lists available Azure services and strategies aimed at providing regional disaster recovery.

Cloud NGFW is the industry’s only machine learning (ML)-powered NGFW delivered as a cloud-native service on Azure. With Cloud NGFW, you can run more apps securely at cloud speed and cloud-scale with an actual cloud-native experience. There is no trade-off between cloud agility and sophisticated, multi-layered security. You get to experience the best of both worlds with natively integrated network security delivered as a service on Azure.   This guide explains how to configure and integrate Cloud NGFW into  Azure Virtual Network(VNet) and Azure Virtual WAN(VWAN) infrastructure, enabling the users to utilize the benefits of Palo Alto Networks next-generation firewall as a service. The sections in the document provide details about the architecture and various components of this service. This document also provides guidance on how to set up and configure Cloud NGFW  using a simplified configuration workflow and explains how to route your application/spoke traffic through Cloud NGFW.