Strata Cloud Manager Policy Management

Link your Cloud NGFW resource with Strata Cloud Manager (SCM) for policy management.
Where Can I Use This?
  • Cloud NGFW for AWS
What Do I Need?
  • Cloud NGFW subscription
  • Palo Alto Networks Customer Support Account (CSP)
  • AWS Marketplace account
  • User role (either tenant or administrator)
You can integrate your Cloud NGFW resource with Strata Cloud Manager (SCM) for policy management. With this integration, you can now use a single Strata Cloud Manager to centrally manage a shared set of security rules on Cloud NGFW resources alongside your physical and virtual firewall appliances. You can also manage all aspects of shared policy configurations, gain comprehensive visibility with actionable insights, and generate reports on traffic patterns or security incidents of your Cloud NGFW resources, all from a single console.
When using SCM for Cloud NGFW policy management, consider the following:
  • When you first register with SCM, Cloud NGFW resources (for example, the resource ID) may fail to display. These resources appear after a few moments if there are no underlying connection issues.
  • Best practices for Cloud NGFW SCM policy management differ from those for Panorama policy management of your Cloud NGFW resource. For example, some pass-through traffic that is allowed in a Panorama-managed environment may be dropped by an SCM-managed Cloud NGFW resource.
  • X-Forwarded-For (XFF) functionality isn't supported under SCM policy management for your Cloud NGFW resource.
  • Cloud certificates aren't supported.
  • DLP (Data Loss Prevention) isn't supported.
  • Dynamic address groups (DAGs) aren't supported.
  • When configuring security rules for your SCM-managed Cloud NGFW resource, you must specify ANY as the zone in the security rule. However, the from/to zone appears as the data zone in the Strata Logging Service.
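The constraints above (zones must be ANY, dynamic address groups unsupported) are easy to violate when rules are authored in a shared folder that also serves physical and virtual firewalls. The following linter is an added example, not Palo Alto Networks code: it checks a set of rule definitions against those two constraints before the rules are pushed to an SCM-managed Cloud NGFW. The rule schema (keys name, from, to, source, destination, action) and the "dag:" prefix used to mark dynamic address group references are assumptions for this example and do not reflect the actual Strata Cloud Manager export format; the sample rules are constructed.

```python
"""Pre-push lint for security rules destined for an SCM-managed Cloud NGFW.

Added example, not Palo Alto Networks code. The rule dictionaries use a
constructed, simplified schema and the "dag:" prefix is an assumed marker for
dynamic address group references; neither matches the real SCM export format.
"""

from typing import Dict, List

# Constructed sample rules: one compliant, one with zone-specific matching,
# one referencing a dynamic address group.
SAMPLE_RULES: List[Dict] = [
    {"name": "allow-web", "from": ["any"], "to": ["any"],
     "source": ["10.0.0.0/8"], "destination": ["any"], "action": "allow"},
    {"name": "zone-specific", "from": ["trust"], "to": ["untrust"],
     "source": ["any"], "destination": ["any"], "action": "allow"},
    {"name": "uses-dag", "from": ["any"], "to": ["any"],
     "source": ["dag:quarantined-hosts"], "destination": ["any"], "action": "deny"},
]


def lint_rule(rule: Dict) -> List[str]:
    """Return the findings for one rule; an empty list means the rule is compliant."""
    findings: List[str] = []
    name = rule.get("name", "<unnamed>")

    # Constraint 1: an SCM-managed Cloud NGFW requires ANY for the from/to zone.
    for side in ("from", "to"):
        zones = [z.lower() for z in rule.get(side, [])]
        if zones != ["any"]:
            findings.append(f"{name}: {side} zone must be 'any', got {rule.get(side)}")

    # Constraint 2: dynamic address groups are not supported, so any
    # source/destination object carrying the assumed "dag:" marker is flagged.
    for side in ("source", "destination"):
        dags = [obj for obj in rule.get(side, []) if obj.startswith("dag:")]
        if dags:
            findings.append(f"{name}: {side} references unsupported dynamic address group(s) {dags}")

    return findings


def lint_rules(rules: List[Dict]) -> List[str]:
    """Lint every rule and return all findings in rule order."""
    return [finding for rule in rules for finding in lint_rule(rule)]


if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_RULES):
        print(finding)
```

Run the linter against the exported rule set before committing the folder configuration; a non-empty result points at rules that will either fail to match traffic as intended or cannot be pushed to the Cloud NGFW resource.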
When you get started from AWS Marketplace, you use the Cloud NGFW console to link your Cloud NGFW tenant with the Strata Cloud Manager and then create Cloud NGFW resources. See Policy management when started from the Cloud NGFW console.

Policy management when started from the Cloud NGFW console

You can register your Cloud NGFW resources with an existing Strata Cloud Manager, which you had previously activated based on your AIOps, NGFW, Prisma Access, or Strata Cloud Manager Pro/Essential licenses. If you do not have a Strata Cloud Manager, you can activate a new Strata Cloud Manager Essentials (steps 1-8) to use with Cloud NGFW. In either case, the integration automatically enables Strata Cloud Manager Pro features for Cloud NGFW.
It may take approximately 45-50 minutes to upgrade from SCM Essentials to Pro when you register the first Cloud NGFW resource.

Link Your Cloud NGFW Tenant with Strata Cloud Manager Policy Management

To integrate your Cloud NGFW resource with Strata Cloud Manager policy management:
  1. Log in to the Cloud NGFW console.
  2. Select Integrations.
  3. In the Policy Manager screen, click Add Policy Manager.
  4. In the Add Policy Manager section, select Strata Cloud Manager for the Manage Type.
  5. Enter a descriptive name.
  6. Use the drop-down menu to select the Strata Cloud Manager Tenant you want to associate with the resource.
    The Customer Support Portal (CSP) account must be the same for both SCM and CNGFW. If you do not have a Strata Cloud Manager, you can activate a new Strata Cloud Manager Essentials (steps 1-8) to use with Cloud NGFW. In either case, the integration automatically enables Strata Cloud Manager Pro features for Cloud NGFW.
  7. Click Save. This effectively links your Cloud NGFW resource to the SCM tenant.
    After you save the configuration, the Integrations page is updated to reflect the new policy management paradigm, along with the associated Link ID, SCM Serial Number, and Tenant Name.
    To view information about an individual linked SCM tenant, click the Link ID in the Policy Manager screen. You can use the Edit Policy Management screen to change the Link Name and view the tenant's information.

Associate a Firewall with Strata Cloud Manager Policy Management

After you establish a link to Strata Cloud Manager policy management, you can associate a new firewall with the linked SCM tenant:
  1. Log in to the Cloud NGFW console.
  2. Select NGFWs.
  3. Click Create Firewall.
  4. In the Create Firewall screen, enter a name for the firewall.
  5. Optionally include a description.
  6. In the Policy Management section, select Strata Cloud Manager.
  7. In the Policy Manager drop-down menu, select the linked SCM tenant you want to associate with the firewall.
  8. Configure Endpoint Management to secure traffic in multiple AWS availability zones.
    1. Determine if you want Cloud NGFW to create endpoints automatically on your VPC subnets. Select Yes for service-managed endpoints.
      By default, the Cloud NGFW resource does not automatically create these endpoints; the radio button is set to No.
    2. Use the drop-down to select the AWS Account ID.
    3. Use the drop-down to select the VPC.
    4. Use the Subnet field to select an available subnet.
    5. Click Save.
    The NGFW screen changes to reflect the newly created firewall. It takes approximately 6-10 minutes to complete the process of creating a new firewall; during this time the Status indicates CREATING.
    Click the NGFW Name to display detailed information about the firewall. Only limited information is displayed while the firewall is being created.

Unlink the Cloud NGFW from Strata Cloud Manager

You must remove all associated firewalls from SCM before initiating the unlinking process. Otherwise, the following error is displayed:
Failed to get TSGID for Panorama.
To unlink an SCM from a Cloud NGFW resource:
  1. In the Cloud NGFW console, select Integrations.
  2. On the Integrations page, locate the Actions section for your SCM policy manager.
  3. Click the Unlink icon to begin the unlinking process.
  4. When you unlink an SCM from your Cloud NGFW tenant, you may be prompted to delete one or more Cloud Device Groups that are associated with the Cloud NGFW resource or region from which you are unlinking. In such cases, a message appears stating that if the SCM is associated with a Strata Logging Service (SLS) account, the link with the SLS will be deleted.
  5. Confirm the unlinking process. If your SCM is associated with a Strata Logging Service account, that association is terminated and logs are pruned after the retention period.
  6. After confirming the unlinking request, the Integrations page changes to provide status for the Cloud NGFW resource.

View registered Cloud NGFW Resources in Strata Cloud Manager

After you have linked your Cloud NGFW resource to an SCM tenant and have created a firewall you can use SCM for policy management.
When you log in to Strata Cloud Manager, the dashboard does not display the Cloud NGFW count under NGFW > Software.
  1. In the SCM console, select Workflows > NGFW Setup > Device Management.
  2. The Device Management screen displays the NGFWs and Cloud NGFWs. Click Cloud NGFWs to display the firewalls associated with the SCM tenant.
    The Device Management screen lists the Cloud NGFW resources that are currently managed by SCM, with the following fields:
    • Name. Represents the name of the Cloud NGFW resource.
    • Resource ID. Indicates the resource ID associated with the NGFW resource.
    • CNGFW Tenant ID. The ID associated with the Cloud NGFW tenant.
    • CNGFW Tenant Serial Number. The serial number associated with the Cloud NGFW tenant.
    • Labels. An arbitrary label assigned to the Cloud NGFW.
    • Cloud Provider. Indicates the cloud provider associated with the Cloud NGFW resource.
    • Region and Location. The region in which the Cloud NGFW resource is located.
    • Config sync Status. The status of the Cloud NGFW resource.
  3. The Device Management screen groups your Cloud NGFW resources into folders. To view the structure of these folders, select Workflows > Folder Management.
    The Folder Management screen displays the Cloud NGFW resources associated with the SCM tenant.

Author and enforce Cloud NGFW policies in the SCM console

You can use Strata Cloud Manager to globally apply security policy rules to the Cloud NGFW resources comprising a folder.
  1. In Strata Cloud Manager, select Manage > Configuration > NGFW and Prisma Access.
  2. Select Configuration Scope.
  3. In the drop-down list, locate the folder containing the Cloud NGFW AWS resources.
  4. In the Overview page, select Security Services.
  5. In the Security Services drop-down list, select Security Policy.
    For more information about configuring Security policy using Strata Cloud Manager, see Manage Security Policy.

Create a Folder for Cloud NGFW Resource

Folders are used to logically group your firewalls for simplified configuration management. You can create a folder that contains multiple nested folders to group firewalls and deployments that require similar configurations. Folders that are already nested can themselves contain multiple nested folders.
Folders for other Palo Alto Networks applications, like Prisma Access, and your NGFWs are separate; you can't group NGFWs in a folder with Prisma Access deployments. However, you can easily apply shared settings globally across all folders or use Manage: Snippets to easily apply standard settings and policy requirements across multiple folders.
To create a folder for your Cloud NGFW resource:
  1. In the Strata Cloud Manager interface, select Workflows > NGFW Setup > Folder Management and click Add Folder.
  2. In the Create Folder screen:
    1. Enter a descriptive name for the folder.
    2. Optionally provide a description for the folder.
    3. Optionally assign one or more labels. You can select an existing label or create a new label by typing the label you want to create. For example, use the Labels drop-down to select cngfw.
    4. Specify where to create the folder using the drop-down menu. You can select All Firewalls, or select an existing folder to nest the folder under it. This is a required field.
    5. Click Create.