03-26-2026 07:12 AM
Hello-
I have a few questions regarding installs in Azure tenants regarding products and licensing.
My understanding is that we can install either the VM-based model of NGFWs in Azure or the SaaS model, correct? If so, do both/either of those two require Panorama for management? Both VM-based models and SaaS models require licensing?
If I have an on-prem physical Palo Alto firewall, I wouldn't be able to use its license in the cloud as it is tied to the firewall's serial number, correct?
TIA
03-31-2026 08:31 PM
Hi @beakkenn ,
You are correct. In Azure, Palo Alto Networks offers two main options: VM-Series NGFW and Cloud NGFW for Azure.
In my experience, VM-Series is typically the better fit for customers that have dedicated networking or security teams and want more direct control over the firewall deployment, architecture, and policy management. Cloud NGFW for Azure is often the better fit for teams that are more cloud-native and want to reduce the operational overhead of managing the underlying firewall infrastructure themselves. In my opinion, another way to think about it is how much you actually plan on using the firewall. If the need is mostly L4/L7 security policy enforcement in a cloud-native environment, Cloud NGFW can make a lot of sense. If you expect the firewall to do more heavy lifting from a networking perspective, like remote access, dynamic routing, custom traffic flows, or a more tailored architecture, then VM-Series is usually the better fit.
As far as management, Panorama is not required for either by default. VM-Series can be managed locally or through Panorama/SCM if centralized management is needed. Cloud NGFW for Azure can be managed through its native management workflow, Panorama, or SCM depending on the deployment model.
From a licensing perspective, both options require their own licensing/subscription. VM-Series supports models like BYOL and PAYG, while Cloud NGFW for Azure uses its own cloud service subscription model.
And yes, your understanding on the hardware firewall license is also correct. An on-prem physical firewall license would not be reused in Azure, since it is tied to that specific device and serial number, while cloud deployments use their own licensing entitlements.
03-31-2026 08:31 PM
Hi @beakkenn ,
You are correct. In Azure, Palo Alto Networks offers two main options: VM-Series NGFW and Cloud NGFW for Azure.
In my experience, VM-Series is typically the better fit for customers that have dedicated networking or security teams and want more direct control over the firewall deployment, architecture, and policy management. Cloud NGFW for Azure is often the better fit for teams that are more cloud-native and want to reduce the operational overhead of managing the underlying firewall infrastructure themselves. In my opinion, another way to think about it is how much you actually plan on using the firewall. If the need is mostly L4/L7 security policy enforcement in a cloud-native environment, Cloud NGFW can make a lot of sense. If you expect the firewall to do more heavy lifting from a networking perspective, like remote access, dynamic routing, custom traffic flows, or a more tailored architecture, then VM-Series is usually the better fit.
As far as management, Panorama is not required for either by default. VM-Series can be managed locally or through Panorama/SCM if centralized management is needed. Cloud NGFW for Azure can be managed through its native management workflow, Panorama, or SCM depending on the deployment model.
From a licensing perspective, both options require their own licensing/subscription. VM-Series supports models like BYOL and PAYG, while Cloud NGFW for Azure uses its own cloud service subscription model.
And yes, your understanding on the hardware firewall license is also correct. An on-prem physical firewall license would not be reused in Azure, since it is tied to that specific device and serial number, while cloud deployments use their own licensing entitlements.
04-01-2026 05:50 AM
Hi @JayGolf -
Thank you for the explanation, this clears up a lot of uncertainty for me as far as which direction we should take. Thanks again!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
