Cloud NGFW for AWS Pricing
Cloud NGFW pay-as-you-go (PAYG) pricing.
Pay-as-you-go Pricing Model
Cloud NGFW is available as a pay-as-you-go (PAYG) subscription in the AWS Marketplace. With this model, you pay only for what you
use each month, with all charges consolidated on the invoice you receive from AWS. You
can also enjoy AWS Marketplace benefits such as consolidated billing and the Amazon Web Services Enterprise Discount Program (EDP).
You pay an hourly rate for each Cloud NGFW resource. You also pay for the amount of
traffic, billed by the gigabyte, processed by the NGFW resource. Additionally, you pay
an hourly rate and for the amount of traffic processed by your Cloud NGFW resource when
you configure security services add-ons (such as Threat Prevention, Advanced URL
Filtering, DNS Security, or WildFire) or the centralized management add-on (Panorama
management). The rate charged for the traffic also depends on the aggregate traffic
processed by all NGFWs in the tenant during the month (referred to as tiered traffic
pricing).
Credit Pricing Model
You can procure Cloud NGFW for AWS credits and associate them with your tenant by
paying an upfront cost for a long-term contract of one, two, or three years. You can
procure these credits directly from AWS Marketplace (AWS SaaS contracts) or at a private
price from Palo Alto Networks (AWS Private Offer) or its partners (AWS Consulting
Partner Private Offer). You purchase these credits while taking advantage of AWS
Marketplace benefits such as consolidated billing, AWS EDP, and automated or
configurable renewals. Cloud NGFW credits allow you to consume Cloud NGFW resources in
your tenant at a lower cost up to a specific capacity until your contract expires. See
Subscribe to Cloud NGFW for AWS to learn how to add contract credits.
If your average consumption per month exceeds the purchased
credits, overages are charged at PAYG rates.
If you add Cloud NGFW credits during a free-trial period, your contract starts immediately and
overrides the free trial.
Use the Cloud NGFW for AWS pricing estimator to
help you determine AWS pricing for your Cloud NGFW tenant.
Metering and Billing
Cloud NGFW consumption is translated either to pay-as-you-go hourly pricing or to Cloud NGFW
credits, as described in the tables below.
Base NGFW Resource Consumption
You pay an hourly rate for each Cloud NGFW resource. You also pay for the amount of
traffic, billed by the gigabyte, processed by the NGFW resource.
| Base NGFW Resource | | Price (per hour) | Price (per GB) | Equivalent Cloud NGFW Credits |
|---|---|---|---|---|
| Usage Hour | Up to 3 AZs | $ 1.50 | | 125.0 |
| | Each additional AZ | $ 0.50 | | 41.7 |
| Traffic Secured | First 15 TB/month | | $ 0.065 | 5.4 |
| | Next 15 TB/month | | $ 0.045 | 3.7 |
| | Above 30 TB/month | | $ 0.030 | 2.5 |
Usage hour is metered on each NGFW resource
you deploy. Traffic is metered across all NGFW resources deployed in your
Cloud NGFW tenant.
Cloud-Delivered Security Services (CDSS) add-on Consumption
Your security services add-on consumption is metered on each NGFW resource for each hour
the add-on is enabled and for the amount of traffic that NGFW processes while the add-on
is configured. The rate charged for the traffic also depends on the aggregate
traffic processed by all NGFWs in the tenant during the month (referred to as tiered
traffic pricing).
| Threat Prevention add-on | | Price (per hour) | Price (per GB) | Equivalent Cloud NGFW Credits |
|---|---|---|---|---|
| Usage Hour* | Up to 3 AZs | $ 0.300 | | 25.0 |
| | Each additional AZ | $ 0.100 | | 8.3 |
| Traffic Secured | First 15 TB/month | | $ 0.013 | 1.1 |
| | Next 15 TB/month | | $ 0.009 | 0.7 |
| | Above 30 TB/month | | $ 0.006 | 0.5 |

| Advanced Threat Prevention add-on | | Price (per hour) | Price (per GB) | Equivalent Cloud NGFW Credits |
|---|---|---|---|---|
| Usage Hour* | Up to 3 AZs | $ 0.450 | | 0.8 |
| | Each additional AZ | $ 0.150 | | 0.3 |
| Traffic Secured | First 15 TB/month | | $ 0.020 | 1.7 |
| | Next 15 TB/month | | $ 0.014 | 1.2 |
| | Above 30 TB/month | | $ 0.009 | 0.7 |

| DNS Security add-on | | Price (per hour) | Price (per GB) | Equivalent Cloud NGFW Credits |
|---|---|---|---|---|
| Usage Hour* | Up to 3 AZs | $ 0.300 | | 25.0 |
| | Each additional AZ | $ 0.100 | | 8.3 |
| Traffic Secured | First 15 TB/month | | $ 0.013 | 1.1 |
| | Next 15 TB/month | | $ 0.009 | 0.7 |
| | Above 30 TB/month | | $ 0.006 | 0.5 |

| WildFire add-on | | Price (per hour) | Price (per GB) | Equivalent Cloud NGFW Credits |
|---|---|---|---|---|
| Usage Hour* | Up to 3 AZs | $ 0.300 | | 25.0 |
| | Each additional AZ | $ 0.100 | | 8.3 |
| Traffic Secured | First 15 TB/month | | $ 0.013 | 1.1 |
| | Next 15 TB/month | | $ 0.009 | 0.7 |
| | Above 30 TB/month | | $ 0.006 | 0.5 |

| Advanced URL Filtering add-on | | Price (per hour) | Price (per GB) | Equivalent Cloud NGFW Credits |
|---|---|---|---|---|
| Usage Hour* | Up to 3 AZs | $ 0.450 | | 37.5 |
| | Each additional AZ | $ 0.150 | | 12.5 |
| Traffic Secured | First 15 TB/month | | $ 0.020 | 1.7 |
| | Next 15 TB/month | | $ 0.014 | 1.2 |
| | Above 30 TB/month | | $ 0.009 | 0.7 |

| DLP add-on | | Price (per hour) | Price (per GB) | Equivalent Cloud NGFW Credits |
|---|---|---|---|---|
| Usage Hour* | Up to 3 AZs | $ 0.600 | | 50.0 |
| | Each additional AZ | $ 0.200 | | 16.7 |
| Traffic Secured | First 15 TB/month | | $ 0.026 | 2.2 |
| | Next 15 TB/month | | $ 0.018 | 1.5 |
| | Above 30 TB/month | | $ 0.012 | 1.0 |

*Usage hour is metered on each NGFW resource
with CDSS add-on enabled.
Centralized Management add-on Consumption
You can use a Panorama virtual appliance to manage policy rules in your Cloud NGFW
tenant. In that case, your centralized management add-on consumption is metered on each
NGFW resource for each hour it is associated with a Panorama appliance and for the
amount of traffic that NGFW processes while the add-on is configured. The rate you’re
charged for the traffic also depends on the aggregate traffic processed by all NGFWs in
the tenant during the month (referred to as tiered traffic pricing).
You don't pay for additional device licenses for managing
policy rules in Cloud NGFW resources. Panorama does not count these NGFW resources
against its managed device license count.
Cloud NGFW sends logs to the same Strata Logging Service
tenant currently associated with your Panorama. You don't pay for additional
storage. When used with Cloud NGFW for AWS, Strata Logging Service automatically
scales along with the Cloud NGFW for AWS resources. As traffic throughput increases
on these Cloud NGFW resources, so does your available storage so that you don't need
to worry about making manual adjustments to storage to save your log
data.
| Palo Alto Networks Centralized Management add-on | | Price (per hour) | Price (per GB) | Equivalent Cloud NGFW Credits |
|---|---|---|---|---|
| Usage Hour | Up to 3 AZs | $ 0.300 | | 25.0 |
| | Each additional AZ | $ 0.100 | | 8.3 |
| Traffic Secured | First 15 TB/month | | $ 0.013 | 1.1 |
| | Next 15 TB/month | | $ 0.009 | 0.7 |
| | Above 30 TB/month | | $ 0.006 | 0.5 |

Usage hour is metered on each NGFW resource
associated with a Panorama virtual appliance.
AWS Marketplace Metering Mechanism
Cloud NGFW uses the AWS SaaS subscription pricing model: it translates the tenant’s
consumption into units for multiple custom dimensions and reports them to AWS
Marketplace as shown in the table below. This mechanism provides the flexibility to
aggregate your entire tenant’s consumption based on a few dimensions. These dimensions
include the deployment hours of all NGFWs, how much traffic they are securing, and how
many security features they use every hour. Cloud NGFW translates the security services
and centralized management consumption to Cloud NGFW credits and reports it as add-on
units to the AWS Metering service.
| AWS Marketplace | Cloud NGFW SaaS Subscription Price |
|---|---|
| Base NGFW Usage Hours: (1 unit = 1 usage hour) up to 3 AZs; (0.333 units = 1 usage hour) for additional AZs | $ 1.5/unit |
| Traffic Secured > First 15 TB/month (1 unit = 1 GB secured) | $ 0.065/unit |
| Traffic Secured > Next 15 TB/month (1 unit = 1 GB secured) | $ 0.045/unit |
| Traffic Secured > Above 30 TB/month (1 unit = 1 GB secured) | $ 0.030/unit |
| Add-ons (1 unit = 1 Cloud NGFW credit). Refer to the add-on tables above. | $ 0.012/unit |
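
The following Python sketch combines the base-resource table and the add-on unit price into a monthly estimate. It is an added example, not Palo Alto Networks code or the pricing estimator. The function names are hypothetical, and it assumes 1 TB = 1,000 GB (the page does not define TB) and that each traffic tier is filled in order.

```python
from decimal import Decimal as D

GB_PER_TB = 1000  # assumption: the page does not say whether a TB is 1000 or 1024 GB

# Rates copied from the Base NGFW Resource table on this page.
BASE_HOUR_UP_TO_3_AZ = D("1.50")
BASE_HOUR_EXTRA_AZ = D("0.50")
BASE_TRAFFIC_TIERS = [  # (tier width in GB, price per GB); None = unbounded
    (15 * GB_PER_TB, D("0.065")),
    (15 * GB_PER_TB, D("0.045")),
    (None, D("0.030")),
]
ADDON_UNIT_PRICE = D("0.012")  # 1 add-on unit = 1 Cloud NGFW credit


def base_hourly_rate(az_count):
    """Hourly rate for one NGFW resource spanning az_count AZs."""
    if az_count < 1:
        raise ValueError("an NGFW resource spans at least one AZ")
    return BASE_HOUR_UP_TO_3_AZ + BASE_HOUR_EXTRA_AZ * max(0, az_count - 3)


def tiered_traffic_cost(tenant_gb, tiers=BASE_TRAFFIC_TIERS):
    """Price tenant-wide monthly traffic, filling each tier in order."""
    if tenant_gb < 0:
        raise ValueError("traffic cannot be negative")
    remaining, cost = D(tenant_gb), D(0)
    for width, rate in tiers:
        in_tier = remaining if width is None else min(remaining, D(width))
        cost += in_tier * rate
        remaining -= in_tier
        if remaining <= 0:
            break
    return cost


def addon_hours_cost(credits_per_hour, hours):
    """Add-on hours are reported as credit units, billed at ADDON_UNIT_PRICE."""
    return D(credits_per_hour) * hours * ADDON_UNIT_PRICE


def estimate_base_month(resources, tenant_gb):
    """resources: list of (usage_hours, az_count), one entry per NGFW."""
    hours_cost = sum((base_hourly_rate(az) * h for h, az in resources), D(0))
    return hours_cost + tiered_traffic_cost(tenant_gb)


if __name__ == "__main__":
    # Constructed sample: two NGFWs running 720 hours, 40 TB tenant-wide.
    print(estimate_base_month([(720, 3), (720, 5)], 40 * GB_PER_TB))
    print(addon_hours_cost("25.0", 720))  # Threat Prevention, up to 3 AZs
```

Traffic is passed once for the whole tenant because the tiers apply to aggregate traffic, while usage hours are summed per NGFW resource.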