AWS Network Firewall vs Palo Alto VM-Series - what I learned after deploying both in production

via Dev.to DevOps, Mariusz Gębala

I've deployed both AWS Network Firewall and Palo Alto VM-Series firewalls in production AWS environments: Security VPC architectures for enterprise clients across automotive, government, and cultural sectors, some with AWS Network Firewall, others with Palo Alto VM-Series behind a Gateway Load Balancer. This is not a feature matrix from a vendor website. This is what I found after running both, what surprised me, and what you should know before choosing.

The short version

AWS Network Firewall is good enough for most workloads. It's native, managed, and cheap to start with. But it has a documented egress filtering bypass that lets an attacker circumvent your domain allowlist with a single curl command. If you're in a regulated industry or handle sensitive data, you need to understand this before committing.

Palo Alto VM-Series catches things AWS Network Firewall doesn't, but you pay for it in complexity, cost, and operational overhead. It's not a slam dunk either.

Where AWS Network Fi
