Create a Cloud NGFW for AWS Resource
Create a Cloud NGFW for AWS resource.
Where Can I Use This?
  • Cloud NGFW for AWS
What Do I Need?
  • Cloud NGFW subscription
  • Palo Alto Networks Customer Support Account (CSP)
  • AWS Marketplace account
  • User role (either tenant or administrator)
Now that you have created rulestacks and rules, you can create an NGFW resource and associate a local rulestack with that NGFW. During the configuration of your NGFW, you must choose how to create NGFW endpoints—automatically or manually. If you choose to create NGFW endpoints manually, you create them in the availability zones you specify.
Before enabling IPv6 support, you must complete the following infrastructure setup in your AWS environment:
  • PAN-OS Version: Ensure that your firewall is running PAN-OS version 11.2.8 or above.
  • AWS IPAM: You must have a pre-configured AWS IP Address Manager (IPAM) in your region.
  • Private ULA Parent Pool: Create an IPv6 ULA (Unique Local Address) pool in the private scope of your IPAM in the fd80::/9 range.
  • VPC Capability: Your target VPC must be associated with a /56 IPv6 CIDR allocated from your IPAM pool.
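As an added example (not part of the Palo Alto Networks documentation), a small Python pre-flight check for the four IPv6 prerequisites above; the `ipam_pool` field names (`scope`, `cidr`) and the sample values are this example's own assumptions, not the AWS API's.

```python
import ipaddress

# Prerequisites listed on this page for Cloud NGFW IPv6 support.
MIN_PAN_OS = (11, 2, 8)
ULA_PARENT_RANGE = ipaddress.IPv6Network("fd80::/9")
VPC_PREFIX_LEN = 56


def parse_version(version: str) -> tuple:
    """'11.2.8' -> (11, 2, 8); a trailing suffix such as '-h1' is ignored."""
    core = version.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def check_ipv6_prerequisites(pan_os_version: str, ipam_pool: dict, vpc_ipv6_cidr: str) -> list:
    """Return a list of findings; an empty list means every check passed.

    ipam_pool is a dict with the keys 'scope' ('private' or 'public') and
    'cidr' (the pool's provisioned CIDR). These key names are assumed for
    this example and do not mirror the AWS describe-ipam-pools output.
    """
    findings = []
    # 1. PAN-OS version must be 11.2.8 or above.
    if parse_version(pan_os_version) < MIN_PAN_OS:
        findings.append(f"PAN-OS {pan_os_version} is below 11.2.8")
    # 2./3. The IPAM pool must be in the private scope and inside fd80::/9.
    if ipam_pool.get("scope") != "private":
        findings.append("IPAM pool is not in the private scope")
    pool_net = ipaddress.IPv6Network(ipam_pool["cidr"], strict=False)
    if not pool_net.subnet_of(ULA_PARENT_RANGE):
        findings.append(f"pool {pool_net} is outside {ULA_PARENT_RANGE}")
    # 4. The VPC CIDR must be a /56 allocated from that pool.
    vpc_net = ipaddress.IPv6Network(vpc_ipv6_cidr, strict=False)
    if vpc_net.prefixlen != VPC_PREFIX_LEN:
        findings.append(f"VPC CIDR {vpc_net} is /{vpc_net.prefixlen}, need /56")
    if not vpc_net.subnet_of(pool_net):
        findings.append(f"VPC CIDR {vpc_net} was not allocated from pool {pool_net}")
    return findings


if __name__ == "__main__":
    # Constructed sample input: a private ULA pool and a /56 carved from it.
    sample_pool = {"scope": "private", "cidr": "fdab:1234::/48"}
    for finding in check_ipv6_prerequisites("11.2.8", sample_pool, "fdab:1234:0:ab00::/56"):
        print(finding)
```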
Complete the following steps to create an NGFW.
  1. Select NGFWs.
  2. Click Add Firewall.
  3. Enter a descriptive Name.
  4. (Optional) Enter a Description.
  5. Select an AWS Account from the drop-down to associate with this NGFW.
  6. Select a VPC from the drop-down.
    IPv6 Tenant Activation: To enable IPv6 for your Cloud NGFW, you must first request activation, because the feature is not enabled by default and is managed per tenant. Before proceeding with the infrastructure setup, open a Technical Assistance Center (TAC) case with Palo Alto Networks support explicitly stating "Please enable IPv6", and include your specific Tenant ID in the request.
  7. In the Policy Management section, select a local rulestack from the drop-down.
  8. Specify AWS availability zones or subnets, and specify whether the Cloud NGFW tenant deploys the NGFW endpoints for you (service-managed mode) or you deploy them yourself (customer-managed mode).
    • Yes (service-managed)—in service-managed mode, the Cloud NGFW tenant automatically creates NGFW endpoints in the VPC subnets you specify. Manage endpoints in service-managed mode only through the Cloud NGFW console, and only by associating or disassociating subnets: associating a subnet creates the endpoint and disassociating a subnet removes it.
    • No (customer-managed)—in customer-managed mode, you must manually create NGFW endpoints in each availability zone you specify.
    In the Endpoint Management section, you can enable your Cloud NGFW to secure traffic in multiple AWS availability zones. You pay for each AWS availability zone in which your NGFW is provisioned to secure traffic, and you can manage how the endpoints are created for your NGFW in these availability zones. You also pay AWS for each VPC (gateway load balancer) endpoint that you create for your NGFW.
    The Availability Zone displays the Zone ID and the corresponding Availability Zone Name in your Palo Alto Networks account. Use this information when mapping your availability zones to your AWS accounts.
  9. Click Create.