skip to Main Content

Valtix vs. Palo Alto Cloud NGFW

A Square Peg
in a Round Hole

Don’t be fooled. Palo Alto Networks Cloud NGFW is a poorly executed solution for cloud network security that fragments visibility and control across clouds and adds compliance risk. Valtix provides best-in-class network security for cloud workload protection in a single policy, cloud-native, compliance-ready, and multi-cloud platform.

Don’t Let Palo Alto Networks
Create a Mess of Your Cloud Network Security



The Palo Alto Cloud NGFW requires 3 different consoles: AWS Firewall Manager (FMS) for deployment, the Cloud NGFW console for policy, and there’s no console for analyzing logs going to AWS S3, Kinesis or CloudWatch.

Bottom Line Impact:

Elevated Security Risk


Not Really

Palo Alto Cloud NGFW is an AWS only offering. There is no support for Azure, and GCP has a separate IDS-only version which cannot inspect encrypted traffic. There’s yet another experience in OCI. With multiple products the PAN solution fragments your security.

Bottom Line Impact:

Wasted Expense and Efforts


Lost Traffic

Traffic is sent outside your cloud account boundaries to the Palo Alto Cloud NGFW along with access to your private encryption keys.

Bottom Line Impact:

Increased Compliance Risk

Palo Alto Network Cloud NGFW
Fails to Meet Key Cloud Security Needs





Visibility of Workloads and Cloud Services


PAN’s strength in App ID is eliminated in the cloud where they have have almost zero awareness of cloud services and no integration with the cloud provider for workload context (dev, test, pci, etc)


Valtix provides continuous visibility and discovery of cloud workloads along with association with workload context from cloud tags. Valtix delivers IDs for 100s of cloud services.


Zero Trust Microsegmentation


PAN security policies only support static policies using IP addresses. Zero trust requires dynamic context-specific policies, i.e. different policies for dev/test/prod or frontend/app-tier/backend or based on trust levels. IP addresses in public clouds are ephemeral, a static policy does not allow microsegmentation or zero trust.


Valtix delivers tag-based microsegmenation that leverages native cloud constructs to adapt seamlessly to change.


Protection of Cloud Workloads


Given that most cloud workloads are ultimately web apps or APIs, a generic NGFW cannot truly protect web-facing assets. And adding a separate WAF means you deal with two different management consoles – security policies and logs. More importantly, by fragmenting WAF from the NGFW, you lose a 360 view of traffic flows inbound, inside your environment, and outbound.


Valtix delivers comprehensive web protection in the form of a WAF with single policy management and comprehensive traffic visibility across web, east-west traffic, and egress.


Cloud Friendly Pricing


A simple cloud-friendly pricing model should include no more than 1 or 2 metrics. You want predictable pricing and clarity in the budgeting and purchase process. The Palo Alto Cloud NGFW includes multiple pricing components with additional upsells for what should be essential security features.


Valtix delivers consumption based pricing that is simple to estimate based on number of VPCs and desired architecture.

Top Reasons to Choose Valtix
Over Palo Alto Networks Cloud NGFW

Single Policy Management

Combines visibility into network posture, network protection (NGFW, Egress, DLP), web app protection (WAF), and threat data with threat intelligence.

True Multicloud

Comprehensive cloud network security across all major clouds (AWS, Azure, GCP, and OCI) through a single console.

Compliance Ready

Flexible platform as a service architecture that means you can manage your security through a SaaS console while keeping your data in your accounts through a distributed, but fully managed gateway.

Blog Post

Do You Care About Network Security in Public Cloud? You Certainly Should.

Our perspective on the latest Google Cloud announcement Last week, Google Cloud Platform and Palo Alto Networks announced a GCP IDS based…

Learn More
Back To Top