Cloud NGFW for AWS
Getting Started from Strata Cloud Manager
Table of Contents
Getting Started from Strata Cloud Manager
| Where Can I Use This? | What Do I Need? |
|---|---|
|
|
You can now have a streamlined onboarding and management experience for Cloud
NGFW for AWS. This new simplified process allows you to handle all administrative tasks
directly from the Strata Cloud Manager (SCM).This streamlined Try & Buy
workflow allows you to deploy Cloud NGFW resources, and configure policies
without the friction of onboarding your accounts to establish cross-account
IAM roles or committing to billing immediately. You can generate a billing
code to complete your AWS Marketplace subscription, link billing, and then
optionally purchase long-term contract credits at private pricing — all without
disrupting your existing Cloud NGFW resources.
End-to-End Workflow
| Steps | Description |
|---|---|
| Free Trial |
Start a free trial by deploying and managing
Cloud NGFW resources directly from the SCM console.
You can monitor the firewall health on the same
console. You can also monitor your Cloud NGFW’s logs in the
Strata Cloud Manager’s Log Viewer page.
Additionally, you can easily stream your logs to an
S3 bucket by establishing cross-account access
using resource-based policies. Optionally, you
can onboard AWS account(s) to SCM for streaming logs and
metrics to Cloudwatch.
This trial allows you to explore the full features
during a trial period before buying the product.
|
| Generate Billing Code and Subscribe via AWS Marketplace |
When ready to subscribe, generate a unique billing
code in SCM by providing your AWS account ID. Then log into
the same AWS account, navigate to AWS Marketplace, and
subscribe to Cloud NGFW using the billing code. This action
establishes the PAYG billing link, enabling metering records
to be sent from Cloud NGFW to the AWS Marketplace Metering
Service. Your Cloud NGFW resources remain intact during this
transition.
If you are already logged in to your AWS account in
the same browser (different tab), click the link provided at
the time of billing code creation to go directly to the AWS
Marketplace page to establish the PAYG subscription.
|
| (Optional) Optimize Your Costs with Cloud NGFW Credits | Optionally purchase and activate Cloud NGFW Credits, then associate them with your Cloud NGFW tenant. The platform continuously validates usage against your credit allocation. If consumption exceeds your allocated credits, the platform calculates overages and sends PAYG metering records to AWS Marketplace. If your credits expire, Cloud NGFW automatically and seamlessly switches to your active AWS Marketplace subscription for Pay-As-You-Go billing. Your Cloud NGFW resources remain intact during these transitions. |
This section guides you through onboarding and managing Cloud NGFW for AWS
resources directly from the Strata Cloud Manager (SCM) UI.
Prerequisites
Before you begin, ensure the following:
- Strata Cloud Manager: You have access to Palo Alto Networks Strata Cloud Manager (SCM). If you do not have a Strata Cloud Manager, you can activate a new Strata Cloud Manager Essentials (steps 1-8) to use with Cloud NGFW. In either case, the integration automatically enables Strata Cloud Manager Pro features for Cloud NGFW.
- Strata Cloud Manager Roles: You have the following two options in your Strata Cloud Manager user role:
- Apps & Services: Select either All Apps & Services or Prisma Access & NGFW Configuration.
- Role: Select at least one of the following roles: Superuser, Network Administrator, or Security Administrator.
- AWS Account: You have an AWS account with the necessary permissions to subscribe to AWS Marketplace services and create VPCs, security groups, and IAM roles.
Deploy and Manage Cloud NGFW resources
- Access the Cloud NGFW in SCM
- Log in to the SCM console.
- Go to Configurations and then select Cloud NGFWs.
- Click Get Started.
![]()
- Click Create Cloud NGFW to begin the onboarding process.
![]()
- Create a Cloud NGFW for AWS Resource.
- From the Create Cloud NGFW wizard, select Amazon Web Services as your cloud provider and click Next.
![]()
If this is your first time setting up the environment, you should see a green banner indicating that the environment was created successfully. If you encounter any errors at this stage, reach out to Palo Alto Networks support for assistance. - Follow the wizard to configure your new firewall. Enter your firewall Name, Region, and Availability Zone IDs.
- Click Create and Deploy.
![]()
(Optional) Click Check Firewall Details to discover the advanced features that the Cloud NGFW provides.![]()
- Upon successful creation of the first firewall for an SCM tenant, the platform automatically creates a unique Cloud NGFW for AWS tenant and starts the 30-day free trial. For more information, see Cloud NGFW Tenant Information in Strata Cloud Manager Console.
- Protect your VPC traffic with Cloud NGFW resources.When you deploy Cloud NGFW resources in the SCM console, the deployed resources will automatically register as devices to the Strata Cloud Manager console. You can then author policies for the registered resources. For more information, see:
- Monitor Cloud NGFW resources.
- Go to the log viewer to view your logs and log analysis in SCM.
- You can select the NGFW resource and add one of your S3 buckets in your AWS account for streaming logs. For more information, see view logs natively in AWS and Enable Audit Log Settings in SCM Console.
- You can onboard an AWS account to establish crossx-account IAM permissions. For more information, see Onboard AWS Account in Strata Cloud Manager.
- You can select the NGFW resource and then add a CloudWatch log group or a Kinesis stream in your onboarded account as the AWS log destination. For more information, see Enable Log Settings in the Strata Cloud Manager console.
- You can select the NGFW resource and add a Cloud Watch Metrics Namespace in your onboarded account as the AWS Metrics destination. For more information, see Enable audit log settings in the Strata Cloud Manager console
