Cloud NGFW for AWS Limits and Quotas
Table of Contents
Expand all | Collapse all
-
- About Cloud NGFW for AWS
- Getting Started from the AWS Marketplace
- Register Your Cloud NGFW Tenant with a Palo Alto Networks Support Account
- Cloud NGFW for AWS Pricing
- Cloud NGFW Credit Distribution and Management
- Link Your PAYG Account with Cloud NGFW Credits
- Cloud NGFW for AWS Free Trial
- Cloud NGFW for AWS Limits and Quotas
- Subscribe to Cloud NGFW for AWS
- Locate Your Cloud NGFW for AWS Serial Number
- Cross-Account Role CFT Permissions for Cloud NGFW
- Invite Users to Cloud NGFW for AWS
- Manage Cloud NGFW for AWS Users
- Deploy Cloud NGFW for AWS with the AWS Firewall Manager
- Enable Programmatic Access
- Terraform Support for Cloud NGFW AWS
- Provision Cloud NGFW Resources to your AWS CFT
- Configure Automated Account Onboarding
- Usage Explorer
- Create a Support Case
-
-
- Prepare for Panorama Integration
- Link the Cloud NGFW to Palo Alto Networks Management
- Unlink the Cloud NGFW from Palo Alto Networks Management
- Associate a Linked Panorama to the Cloud NGFW Resource
- Use Panorama for Cloud NGFW Policy Management
- View Cloud NGFW Logs and Activity in Panorama
- View Cloud NGFW Logs in Strata Logging Service
- Tag Based Policies
- Enterprise Data Loss Prevention (E-DLP) Integration with Cloud NGFW for AWS
-
- Strata Cloud Manager Policy Management
Cloud NGFW for AWS Limits and Quotas
Learn the limits and quotas of the Cloud NGFW for AWS.
The following tables list the limits for your Cloud NGFW. Unless indicated
otherwise, you can request an increase for these limits.
Use the Cloud NGFW for AWS pricing estimator to help
you determine AWS limits and quotas for your Cloud NGFW subscription.
Local Rulestack Policy Management
Name | Default Limits per Cloud NGFW Tenant | Adjustable |
|---|---|---|
Number of Cloud (AWS) accounts in a tenant | 200 | No |
Cloud NGFW resources in a tenant | 50 per account per region | Yes |
Cloud NGFW endpoints for each NGFW resource | 50 | Yes |
Outstanding global rulestacks not associated with NGFW
resources | 10 | Yes |
Outstanding local rulestacks not associated with NGFW
resources | 10 | Yes |
To change any of the adjustable limits listed above,
contact Palo Alto Networks Customer Support.
Native Policy Management (Rulestack)
Attribute | Maximum Limit per Cloud NGFW Resource | Adjustable |
|---|---|---|
Security rules | 1,000 | No |
Addresses objects (FQDN list and IP prefix lists) | 1,000 | No |
Number of IP prefix list | 1,000 | No |
FQDN objects across all FQDN lists | 2,000 | No |
Prefix objects for each IP prefix list | 2,500 | No |
Custom URL categories | 500 | No |
URLs across all URL categories | 25,000 | No |
Intelligent feeds (including the five predefined feeds) | 30 | No |
IP addresses across all feeds | 50,000 | No |
Certificate objects | 100 | No |
Panorama Policy Management
Attribute | Maximum Limit per Cloud NGFW Resource* |
|---|---|
Policy | |
Security rules | 6,000 |
Decryption rules | 1,000 |
Objects | |
Address objects | 10,000 |
Address groups | 1,000 |
Members per address group | 2,500 |
FQDN address groups | 2,000 |
Service objects | 2,000 |
Service groups | 500 |
Members per service group | 500 |
EDL | |
Max number of DNS per domain system | 500,000 |
Max number of IPs per system | 50,000 |
Max number of URLs per system | 100,000 |
Max number of custom lists | 30 |
URL Filtering | |
Total entities for allow list, block list and custom
categories | 25,000 |
Max custom categories | 500 |
* The limits on policy and objects specified are unidimensional maximum. Palo Alto
Networks recommends additional testing within your environment to ensure you meet
your policy authoring objectives.