>
    Strata Copilot
    Cloud NGFW for Azure Limits and Quotas
    Focus
    Download PDF
    Focus
    1. Home
    2. Cloud NGFW for Azure Reference
    3. Cloud NGFW for Azure Limits and Quotas
    Download PDF
    Cloud NGFW for Azure

    Cloud NGFW for Azure Limits and Quotas

    Table of Contents

    Cloud NGFW for Azure Limits and Quotas

    Learn the limits and quotas of the Cloud NGFW for Azure.
    Where Can I Use This?What Do I Need?
    • Cloud NGFW for Azure
    • Cloud NGFW subscription
    • Palo Alto Networks Customer Support Portals (CSP) account
    • Azure Marketplace subscription
    The following tables list the limits and performance data for your Cloud NGFW tenant. Unless indicated otherwise, you can request an increase for these limits.
    Use the Cloud NGFW for Azure pricing estimator to help you determine Azure limits and quotas for your Cloud NGFW subscription.

    Native Policy Management (Rulestack)

    Attribute
    Maximum Limit per Cloud NGFW Resource
    Adjustable
    Security rules
    1,000
    No
    Addresses objects (FQDN list and IP prefix lists)
    1,000
    No
    Number of IP prefix lists
    1,000
    No
    FQDN objects across all FQDN lists
    2,000
    No
    Prefix objects for each IP prefix list
    2,500
    No
    URLs across all URL categories
    25,000
    No
    Intelligent feeds (including the five predefined feeds)
    30
    No
    IP addresses across all feeds
    50,000
    No
    Certificate objects
    100
    No

    Panorama Policy Management

    Attribute
    Maximum Limit per Cloud NGFW Resource*
    Policy
    Security rules
    10,000
    Decryption rules
    1,000
    Objects
    Address objects
    10,000
    Address groups
    1,000
    Members per address group
    2,500
    FQDN address groups
    2,000
    Service objects
    2,000
    Service Groups
    500
    Members per Service Group
    500
    External dynamic list
    Max number of DNS per domain system
    500,000
    Max number of IPs per system
    50,000
    Max number of URLs per system
    100,000
    Max number of custom lists
    30
    URL Filtering
    Total entities for allow list, block list, and custom categories
    25,000
    Max custom categories
    500
    * The limits on policy and objects specified are unidimensional maximum. Palo Alto Networks recommends additional testing within your environment to ensure you meet your policy authoring objectives.

    Cloud NGFW for Azure Performance

    The following table provides performance information for your Cloud NGFW for Azure tenant.
    The information provided in the following table assumes a maximum of 40 instances.
    Attribute
    Performance Metric
    Firewall throughput (App-ID enabled)
    Maximum throughput: 100 Gbps; per instance is 2.92 Gbps
    Coldstart: 8.55 Gbps
    Coldstart refers to initial, baseline capacity and performance of a newly deployed or idle Cloud NGFW resource before it automatically scales up to handle increased traffic loads.
    For coldstart traffic, Content Threat Detection is enabled. Without Content threat Protection, each firewall instance is capped at 3.00 Gbps due to the instance type. This is an Azure limitation.
    Threat Prevention throughput
    Maximum throughput: 92 Gbps; per instance is 2.31 Gbps
    Encrypted Traffic throughput
    44 Gbps (with Content Threat Detection); per instance is 1.11 Gbps
    60 Gbps (without Content Threat Detection); per instance is 1.52 Gbps
    SNAT Ports
    Per Public IP SNAT port = 64000
    CNGFW can scale maximum up to 40 instances behind the scene hence per instance 1600 SNAT ports are available.
    Total available ports = Number of Public IP * Number of Instance * 1600
    For example: By default, one instance is deployed in each AZ. If a region has three AZ, and one Public IP is assigned to firewall, the cold start SNAT port will be 4800.
    You can either add more IP addresses to increase the number or it will auto scale instance if we reach exhaustion to the scaling threshold.

    Metrics Integration Limits

    Azure Monitoring Metrics Integration has the following service and platform limitations:
    • Data Retention: Firewall metrics are stored for a maximum of 90 days within Application Insights.
    • Azure Custom Metrics Limit: The Azure custom metrics ingestion feature is subject to an Azure platform limit of 50,000 total active time series per subscription per region.

    © 2026 Palo Alto Networks, Inc. All rights reserved.