Features

Distributed, cloud-first firewall service

Cloud NGFW's fully distributed, stateful inspection firewall engine is built natively into our software defined networking fabric and enforced at each workload.

Advanced threat protection

Cloud NGFW offers a cloud-first, market-leading, easy to deploy Intrusion Prevention System powered by Palo Alto Networks for inline protection against malware, spyware, and command-and-control attacks on your network. 

Simplified configuration and deployment

Network firewall policies are global by default and apply to all regions. Define policies at the organization, folder, and project levels with hierarchical firewall policies.

Granular control and micro-segmentation

Leverage IAM-governed tags to define granular control for both north-south and east-west traffic, down to a single VM, across VPCs and organizations. 

Context-aware and dynamic objects for firewall rules

Policy objects, such as Google Cloud Threat Intelligence lists, domain name (FQDN) objects, and geolocation objects, provide advanced protection for firewall rules. These objects are curated by Google, constantly updated, and automatically applied in firewall rules that call them. 

Cloud NGFW tiers

FeatureCloud NGFW EssentialsCloud NGFW StandardCloud NGFW Enterprise

Global and regional network firewall policy

Tag integration

Stateful inspection

Address groups

Google Cloud Threat Intelligence

FQDN objects

Geolocation filtering

Intrusion Prevention System (IPS)

TLS decryption

Global and regional network firewall policy

Cloud NGFW Essentials

Cloud NGFW Standard

Cloud NGFW Enterprise

Tag integration

Cloud NGFW Essentials

Cloud NGFW Standard

Cloud NGFW Enterprise

Stateful inspection

Cloud NGFW Essentials

Cloud NGFW Standard

Cloud NGFW Enterprise

Address groups

Cloud NGFW Essentials

Cloud NGFW Standard

Cloud NGFW Enterprise

Google Cloud Threat Intelligence

Cloud NGFW Essentials
Cloud NGFW Standard

Cloud NGFW Enterprise

FQDN objects

Cloud NGFW Essentials
Cloud NGFW Standard

Cloud NGFW Enterprise

Geolocation filtering

Cloud NGFW Essentials
Cloud NGFW Standard

Cloud NGFW Enterprise

Intrusion Prevention System (IPS)

Cloud NGFW Essentials
Cloud NGFW Standard
Cloud NGFW Enterprise

TLS decryption

Cloud NGFW Essentials
Cloud NGFW Standard
Cloud NGFW Enterprise

How It Works

To use Cloud NGFW, you’ll first create a firewall policy. Then you'll be able to configure rules to help protect your cloud workloads against both internal and external attacks and meet compliance requirements. 

Security illustration

Common Uses

Detect and prevent advanced threats

Inline Intrusion Prevention System (IPS)

Cloud NGFW Enterprise offers a cloud-first, market-leading, easy to deploy Intrusion Prevention System (IPS). It helps prevent malware, spyware, and command-and-control attacks on your network by inspecting both TLS and non-TLS traffic.

Architecture diagram for Cloud Firewall Plus

    Inline Intrusion Prevention System (IPS)

    Cloud NGFW Enterprise offers a cloud-first, market-leading, easy to deploy Intrusion Prevention System (IPS). It helps prevent malware, spyware, and command-and-control attacks on your network by inspecting both TLS and non-TLS traffic.

    Architecture diagram for Cloud Firewall Plus

      Secure traffic based on domain names

      Domain name (FQDN) based objects

      Achieve advanced protection with dynamic policies that filter traffic from domains, even as the underlying IP addresses change. 

      Learn more about the FQDN feature

        Domain name (FQDN) based objects

        Achieve advanced protection with dynamic policies that filter traffic from domains, even as the underlying IP addresses change. 

        Learn more about the FQDN feature

          Filter traffic based on location

          Geolocation objects

          Simplify the process of managing traffic to designated countries without the need to specify individual IP addresses.

          Learn more about the geolocation feature

            Geolocation objects

            Simplify the process of managing traffic to designated countries without the need to specify individual IP addresses.

            Learn more about the geolocation feature

              Integrate with threat intelligence data

              Threat Intelligence for Cloud NGFW

              Block traffic based on curated lists of threat intelligence data, such as known malicious IPs and domains. Allow public IPs that your service uses. These lists are managed by Google Cloud and aggregate data from various Google, third-party, and open-source feeds. 

              Learn more about the Threat Intelligence feature
              Diagram of Cloud Firewall workloads

                Threat Intelligence for Cloud NGFW

                Block traffic based on curated lists of threat intelligence data, such as known malicious IPs and domains. Allow public IPs that your service uses. These lists are managed by Google Cloud and aggregate data from various Google, third-party, and open-source feeds. 

                Learn more about the Threat Intelligence feature
                Diagram of Cloud Firewall workloads

                  Enable micro-segmentation for workloads

                  Firewall policies and IAM-governed tags

                  Tags provide built-in IAM governance for firewall policies. Each tag has granular controls to determine which users can create, modify, and bind individual tags. Combined with network firewall policies, these features help increase policy precision and simplify rule creation to deliver micro-segmentation. 

                  Start tutorial

                    Firewall policies and IAM-governed tags

                    Tags provide built-in IAM governance for firewall policies. Each tag has granular controls to determine which users can create, modify, and bind individual tags. Combined with network firewall policies, these features help increase policy precision and simplify rule creation to deliver micro-segmentation. 

                    Start tutorial

                      Enforce consistency across your org

                      Hierarchical firewall policies

                      Network firewall policies let you group multiple firewall rules, apply batch updates, and control access to these rules with Identity and Access Management (IAM) roles. Hierarchical Firewall Policies can be applied at the organization and folder level, and Global and Regional Network Firewall Policies can be applied at the VPC level. 

                      Learn more about hierarchical firewall policies
                      Hierarchical firewall policy enforcement diagram

                        Hierarchical firewall policies

                        Network firewall policies let you group multiple firewall rules, apply batch updates, and control access to these rules with Identity and Access Management (IAM) roles. Hierarchical Firewall Policies can be applied at the organization and folder level, and Global and Regional Network Firewall Policies can be applied at the VPC level. 

                        Learn more about hierarchical firewall policies
                        Hierarchical firewall policy enforcement diagram

                          Pricing

                          How Cloud NGFW pricing worksPricing for Cloud NGFW is based on traffic throughput. Add-on manageability products are billed separately.
                          ProductDescriptionPrice

                          Cloud NGFW

                          Cloud NGFW Essentials

                          Free

                          Cloud NGFW Standard

                          $0.018

                          per GB of data processed

                          Cloud NGFW Enterprise

                          $0.018

                          per GB of data processed

                          Cloud NGFW Enterprise

                          $1.75

                          per hour endpoint deployment

                          Hierarchical Firewall Policies

                          500 or fewer attributes in the policy

                          $1

                          per VM covered by the policy

                          501 or more attributes in the policy (large)

                          $1.50

                          per VM covered by the policy

                          Firewall Insights

                          Configuration analysis

                          $1

                          for each rule that exists in your project when the feature is enabled

                          Overgranting analysis

                          $0.20

                          monthly rate per million log entries for 1-10,000 million log entries

                          Learn more about Cloud Firewall pricing. View all pricing details

                          How Cloud NGFW pricing works

                          Pricing for Cloud NGFW is based on traffic throughput. Add-on manageability products are billed separately.

                          Cloud NGFW

                          Description

                          Cloud NGFW Essentials

                          Price

                          Free

                          Cloud NGFW Standard

                          Description

                          $0.018

                          per GB of data processed

                          Cloud NGFW Enterprise

                          Description

                          $0.018

                          per GB of data processed

                          Cloud NGFW Enterprise

                          Description

                          $1.75

                          per hour endpoint deployment

                          Hierarchical Firewall Policies

                          Description

                          500 or fewer attributes in the policy

                          Price

                          $1

                          per VM covered by the policy

                          501 or more attributes in the policy (large)

                          Description

                          $1.50

                          per VM covered by the policy

                          Firewall Insights

                          Description

                          Configuration analysis

                          Price

                          $1

                          for each rule that exists in your project when the feature is enabled

                          Overgranting analysis

                          Description

                          $0.20

                          monthly rate per million log entries for 1-10,000 million log entries

                          Learn more about Cloud Firewall pricing. View all pricing details

                          Pricing Calculator

                          Estimate your monthly Google Cloud costs, including region specific pricing and fees.

                          Custom Quote

                          Connect with our sales team to get a custom quote for your organization.

                          Start your proof of concept

                          New customers get $300 in free credits

                          Get a quick intro to using Cloud NGFW

                          Create a network firewall policy with tags

                          Learn more about the latest product updates

                          How to migrate to network firewall policies

                          Google Cloud
                          • ‪English‬
                          • ‪Deutsch‬
                          • ‪Español‬
                          • ‪Español (Latinoamérica)‬
                          • ‪Français‬
                          • ‪Indonesia‬
                          • ‪Italiano‬
                          • ‪Português (Brasil)‬
                          • ‪简体中文‬
                          • ‪繁體中文‬
                          • ‪日本語‬
                          • ‪한국어‬
                          Console
                          Google Cloud