>
    Strata Copilot
    View Cloud NGFW Metrics in Azure Monitor
    Focus
    Download PDF
    Focus
    1. Home
    2. Cloud NGFW for Azure Administration
    3. Monitor Cloud NGFW for Azure Resources
    4. View Cloud NGFW Metrics in Azure Monitor
    Download PDF
    Cloud NGFW for Azure

    View Cloud NGFW Metrics in Azure Monitor

    Table of Contents

    View Cloud NGFW Metrics in Azure Monitor

    Cloud NGFW for Azure integrates with the Azure Monitor to provide enhanced visibility into the performance and operational health of your firewall resources. By leveraging Azure Application Insights, you can ingest, query, and set alerts on key firewall metrics, all within your existing Azure ecosystem.
    Where Can I Use This?What Do I Need?
    • Cloud NGFW for Azure
    • Cloud NGFW subscription
    • Palo Alto Networks Customer Support Portal account
    • Azure Marketplace subscription
    Cloud NGFW for Azure integrates with the Azure Monitor to provide enhanced visibility into the performance and operational health of your firewall resources. By leveraging Azure Application Insights, you can ingest, query, and set alerts on key firewall metrics, all within your existing Azure ecosystem. This allows you to monitor critical data points such as throughput, session counts, SNAT port utilization, and latency to better troubleshoot issues and understand traffic patterns.
    The following tables details the metrics that are exposed through the Azure Monitor integration:
    DimensionMetricDescription
    Data ProcessedBytes in / Bytes outMonitors the traffic in terms of bytes in and bytes out.
    Packets in / Packets outMonitors the traffic in terms of the number of packets sent in both directions.
    Session CountNumber of active sessions.
    ThroughputSession ThroughputKbpsMonitors the throughput in Kbps.
    Session ThroughputPpsMonitors the number of packets per second.
    LatencyPacketLatencyMonitors the latency per packet sent and received to understand the overall traffic performance in terms of delay.
    SNATLoad Balancer Source NAT port utilizationExposes SNAT port utilization from the Load Balancer as a metric.
    Cloud NGFW for Azure publishes custom metrics in Azure Monitor to help you monitor your Cloud NGFW's health, performance, and usage patterns. With these additional metrics, you can assess the overall health of your Cloud NGFW resources, identify performance bottlenecks, and detect anomalies. These metrics are numerical values describing aspects of a Cloud NGFW at a particular time. The 5-minute collection frequency makes these metrics highly effective for alerting.
    Enable Cloud NGFW for Azure monitoring metrics in your Azure portal and view these metrics in your Azure Application Insights. Following are the prerequisites, steps to enable, and view monitoring metrics in Azure application insights page.

    Prerequisites

    Before you begin, you must have the following configured:
    1. Create Azure Application Insights: You must have Azure Application Insights created. For more information, see Configure Application Insights.
    2. Create and Associate the Managed Identity:
      1. Create a User-Assigned Managed Identity: First, you must create a user-assigned managed identity (MI). For more information, see create system managed identity.
      2. Associate Managed Identity with the Cloud NGFW Firewall:
        When you attempt to associm ate managed identity with CNGFW firewall, ensure that you have the following:
        • LocalNGFirewallAdministrator role on your Cloud NGFW firewall resource.
        • Managed Identity Operator role on the managed identity resource.
        Go to your Cloud NGFW firewall resource in the Azure portal. In the left-hand menu, go to Settings > Managed Identity, and click Add Identity. Add the managed identity you just created. This step links the identity to the firewall.
        This managed identity requires Monitoring Metrics Publisher role on the target Azure Application Insights resource.
    3. Assign Monitoring Metrics Publisher role to the managed identity.
      1. From the previously created Application Insights menu, go to Access Control (IAM).
        Ensure that the Local authentication option is disabled for the selected Application Insights.
      2. Click Add.
      3. Select previously created Monitoring metrics publisher role.
      4. In the Members tab, select Managed Identity checkbox and select the managed identity name.
      5. Click Review and Assign.

    Enable Cloud NGFW Metrics

    To enable CNGFW Metrics perform the following steps:
    1. In the Azure portal, select the Cloud NGFW Firewall resource for which you want to enable metrics.
    2. From the left navigation menu, go to Metrics and Logs > Metrics.
    3. Click Edit at the top of the page.
    4. Select Enable Metrics Settings checkbox.
    5. Select Subscription.
    6. Select the Azure Application Insights you created as a prerequisite.
    7. Click Save.

    View Cloud NGFW Metrics

    To view the metrics in your Azure Application Insights:
    1. In the Azure portal, navigate to your Cloud NGFW Firewall.
    2. In the left navigation menu, click Metrics and Logs.
    3. Click Application Insights.
    4. In the left navigation pane, go to Monitoring > Metrics.
    5. Configure the chart view:
      • Scope: Select the Cloud NGFW firewall resource for which you enabled metrics.
      • Metric Namespace: Choose the custom namespace corresponding to your firewall. The namespace is formatted as pan.cngfw.<region>.<firewall-name>.
      • Metric: Select the desired metric you wish to plot from the drop-down list (For example: SessionCount, BytesIn).
    6. The portal will automatically plot the time-series graph for the selected metric. You can add multiple metrics to the chart and use standard Azure Monitor features for time selection, aggregation, and creating alert rules.
      The metrics published to your Application Insights are not real-time. There will be a minor delay consisting of a one-minute aggregation interval plus a propagation latency of under five minutes

    Important Considerations

    • If the linked Application Insights resource is deleted, CNGFW metrics will stop flowing. The resource link on the Cloud NGFW's Logs and Metrics page will become invalid or return a 404 error.
    • Metric collection will fail if the associated User-Assigned Managed Identity is deleted or disabled, as the firewall will lose its ability to authenticate to your Azure Application insights.
    • If the required Monitoring Metrics Publisher role is removed from the Managed Identity, the firewall will no longer have the authorization to send data, and metric publication will stop. In this case, add the role back to the managed identity. For any assistance contact customer support.

    © 2026 Palo Alto Networks, Inc. All rights reserved.