03-31-2026 08:31 PM
Hi @beakkenn ,
You are correct. In Azure, Palo Alto Networks offers two main options: VM-Series NGFW and Cloud NGFW for Azure.
In my experience, VM-Series is typically the better fit for customers that have dedicated networking or security teams and want more direct control over the firewall deployment, architecture, and policy management. Cloud NGFW for Azure is often the better fit for teams that are more cloud-native and want to reduce the operational overhead of managing the underlying firewall infrastructure themselves. In my opinion, another way to think about it is how much you actually plan on using the firewall. If the need is mostly L4/L7 security policy enforcement in a cloud-native environment, Cloud NGFW can make a lot of sense. If you expect the firewall to do more heavy lifting from a networking perspective, like remote access, dynamic routing, custom traffic flows, or a more tailored architecture, then VM-Series is usually the better fit.
As far as management, Panorama is not required for either by default. VM-Series can be managed locally or through Panorama/SCM if centralized management is needed. Cloud NGFW for Azure can be managed through its native management workflow, Panorama, or SCM depending on the deployment model.
From a licensing perspective, both options require their own licensing/subscription. VM-Series supports models like BYOL and PAYG, while Cloud NGFW for Azure uses its own cloud service subscription model.
And yes, your understanding on the hardware firewall license is also correct. An on-prem physical firewall license would not be reused in Azure, since it is tied to that specific device and serial number, while cloud deployments use their own licensing entitlements.
