You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/partner-solutions/palo-alto/faq.yml
+6-6Lines changed: 6 additions & 6 deletions
Original file line number
Diff line number
Diff line change
@@ -1,7 +1,7 @@
1
1
### YamlMime:FAQ
2
2
metadata:
3
3
title: Cloud NGFW by Palo Alto Networks frequently asked questions
4
-
description: Answers to common questions about using Cloud NGFW by Palo Alto Networks
4
+
description: Answers to common questions about using Cloud NGFW by Palo Alto Networks including deployment, management, and configuration.
5
5
ms.topic: faq
6
6
ai-usage: ai-generated
7
7
ms.date: 12/18/2025
@@ -13,7 +13,7 @@ sections:
13
13
- name: General
14
14
questions:
15
15
- question: What is Cloud NGFW by Palo Alto Networks?
16
-
answer: Cloud NGFW by Palo Alto Networks is a next-generation firewall delivered as an integrated service on Azure. It's codeveloped and managed by Microsoft and Palo Alto Networks, and combines the scalability and reliability of Azure with Palo Alto Networks network security expertise. You can find it in Azure Marketplace and manage it through the Azure portal.
16
+
answer: Cloud NGFW by Palo Alto Networks is a next-generation firewall delivered as an integrated service on Azure. Microsoft and Palo Alto Networks codeveloped and managed it. The product combines the scalability and reliability of Azure with Palo Alto Networks network security expertise. You can find it in Azure Marketplace and manage it through the Azure portal.
17
17
- question: What are the key capabilities of Cloud NGFW?
answer: Destination Network Address Translation (DNAT) allows Cloud NGFW to accept client connections on public IP addresses and perform address translation and traffic inspection. This enables inbound connections to be routed to internal resources while enforcing security policies.
77
+
answer: Destination Network Address Translation (DNAT) allows Cloud NGFW to accept client connections on public IP addresses and perform address translation and traffic inspection. This approach enables inbound connections to be routed to internal resources while enforcing security policies.
78
78
- question: What is Source NAT (SNAT) in Cloud NGFW?
79
79
answer: Source Network Address Translation (SNAT) allows you to configure how outbound traffic from your virtual network is translated. You can specify public IP addresses for outbound traffic, and Cloud NGFW can replace the source IP with a trusted firewall IP address through Private Source NAT.
80
80
- question: How do I configure traffic routing through Cloud NGFW?
@@ -88,14 +88,14 @@ sections:
88
88
answer: Deploy Application Gateway in a separate virtual network and peer it with your hub network containing Cloud NGFW. Create user-defined routes in the Application Gateway subnet to direct traffic through Cloud NGFW for inspection. Application Gateway functions as a reverse proxy and WAF, while Cloud NGFW provides network security inspection.
89
89
- question: Should I disable default route propagation when using Application Gateway with Virtual WAN?
90
90
answer: |
91
-
Yes, when connecting the Application Gateway virtual network to a Virtual WAN hub, disable the **Propagate Default Route** option to prevent asymmetric routing. This allows Application Gateway-sourced traffic to break out locally rather than returning through the virtual hub.
91
+
Yes, when connecting the Application Gateway virtual network to a Virtual WAN hub, disable the **Propagate Default Route** option to prevent asymmetric routing. This configuration allows Application Gateway-sourced traffic to break out locally rather than returning through the virtual hub.
92
92
- question: What traffic should go through Cloud NGFW versus Application Gateway?
93
93
answer: HTTP and HTTPS web traffic should be routed through Application Gateway for reverse proxy, load balancing, and WAF protection. Non-HTTP connections should be directed to Cloud NGFW's public IP address for network inspection and policy enforcement.
94
94
95
95
- name: Security Policy Considerations
96
96
questions:
97
97
- question: Is the X-Forwarded-For (XFF) HTTP header supported with Azure Rulestacks?
98
-
answer: Currently, use of the X-Forwarded-For (XFF) HTTP header field to enforce security policy is not supported with Azure Rulestacks. This limitation is important to consider when configuring policies for Application Gateway traffic.
98
+
answer: Currently, use of the X-Forwarded-For (XFF) HTTP header field to enforce security policy isn't supported with Azure Rulestacks. This limitation is important to consider when configuring policies for Application Gateway traffic.
99
99
- question: How should I configure zone-based policies when using Panorama?
100
100
answer: |
101
101
When using Panorama with Cloud NGFW, configure two zones: private and public. Traffic flows are:
@@ -119,7 +119,7 @@ sections:
119
119
- name: Billing and Plans
120
120
questions:
121
121
- question: What billing plan options are available?
122
-
answer: Cloud NGFW is available under a Pay-As-You-Go (PAYG) billing model. Billing through Azure provides unified invoicing for both infrastructure and software costs in a single line item.
122
+
answer: Cloud NGFW is available under a pay-as-you-go (PAYG) billing model. Billing through Azure provides unified invoicing for both infrastructure and software costs in a single line item.
123
123
- question: Can I change my billing plan after deployment?
124
124
answer: Yes. You can change your billing plan by selecting **Change Plan** from the resource overview page in the Azure portal.
0 commit comments