How Palo Alto NGFW Prevent Unknow CVEs?

Hello @SopheaHem - CVE IDs are centrally allocated, but it is inevitable that there is some duplication and overlap among the 220,000+ CVE records currently available. Sometimes an "unknown" one (to us) might actually be known to us as a different CVE ID.  A similar story would apply to any other security vendor.

Bear in mind that CVE IDs can be allocated before any information is known about the specifics of the threat, and without threat specifics we would need to rely on other heuristics to identify a novel threat. 

Like any good answer, the best answer I can give here is, "it depends."  No security vendor, be it Palo Alto Networks or anyone else, can guarantee anything about detecting and eliminating unknown CVEs, and you should be highly suspicious of claims to the contrary.  If they're unknown, or highly novel, there is always a risk that they could slip past unnoticed.  This is where tools like App-ID, URL Filtering, and WildFire, and having a sensible but strict security policy that utilises them, really come into their own.   Defence in depth is an excellent approach as well: don't just rely on App-ID, for example, but instead use all of the tools at your disposal.

Moreover, not every CVE is network-centric, which makes it hard for a next-generation firewall to have any impact, positive or negative, on the detection of those.

What we can also do is use tools like Advanced WildFire to detect and eliminate threats, including novel one threats, as quickly as possible using a range of analysis tools and techniques.  This can also include threats that don't (yet) have a CVE identified.  This relies on the knowledge gained from multiple sources including other customer environments using Advanced WildFire, which means that on average, any novel threat will have been seen at least once, and hopefully identified as such, before it encroaches on your environment.