Getting Started from Strata Cloud Manager

Table of Contents

Getting Started from Strata Cloud Manager

Where Can I Use This?	What Do I Need?
Cloud NGFW for AWS	Cloud NGFW subscription Palo Alto Networks Customer Support Account (CSP) AWS Marketplace account User role (either tenant or administrator)

You can now have a streamlined onboarding and management experience for Cloud NGFW for AWS. This new simplified process allows you to handle all administrative tasks directly from the Strata Cloud Manager (SCM).This streamlined “Try & Buy” workflow allows you to deploy Cloud NGFW resources, and configure policies without the friction of onboarding your accounts to establish cross-account IAM roles or committing to billing immediately. You can generate a billing code to complete your AWS Marketplace subscription, link billing, and then optionally purchase long-term contract credits at private pricing — all without disrupting your existing Cloud NGFW resources.

End-to-End Workflow

Steps	Description
Free Trial	Start a free trial by deploying and managing Cloud NGFW resources directly from the SCM console. You can monitor the firewall health on the same console. You can also monitor your Cloud NGFW’s logs in the Strata Cloud Manager’s Log Viewer page. Additionally, you can easily stream your logs to an S3 bucket by establishing cross-account access using resource-based policies. Optionally, you can onboard AWS account(s) to SCM for streaming logs and metrics to Cloudwatch. This trial allows you to explore the full features during a trial period before buying the product.
Generate Billing Code and Subscribe via AWS Marketplace.	When ready to subscribe, generate a unique billing code in SCM by providing your AWS account ID. Then log into the same AWS account, navigate to AWS Marketplace, and subscribe to Cloud NGFW using the billing code. This action establishes the PAYG billing link, enabling metering records to be sent from Cloud NGFW to the AWS Marketplace Metering Service. Your Cloud NGFW resources remain intact during this transition. If you are already logged in to your AWS account in the same browser (different tab), click the link provided at the time of billing code creation to go directly to the AWS Marketplace page to establish the PAYG subscription.
(Optional) Optimize Your Costs with Cloud NGFW Credits	Optionally purchase and activate Cloud NGFW Credits, then associate them with your Cloud NGFW tenant. The platform continuously validates usage against your credit allocation. If consumption exceeds your allocated credits, the platform calculates overages and sends PAYG metering records to AWS Marketplace. If your credits expire, Cloud NGFW automatically and seamlessly switches to your active AWS Marketplace subscription for Pay-As-You-Go billing. Your Cloud NGFW resources remain intact during these transitions.

This section guides you through onboarding and managing Cloud NGFW for AWS resources directly from the Strata Cloud Manager (SCM) UI.

Prerequisites

Before you begin, ensure the following:

Strata Cloud Manager: You have access to Palo Alto Networks Strata Cloud Manager (SCM). If you do not have a Strata Cloud Manager, you can activate a new Strata Cloud Manager Essentials (steps 1-8) to use with Cloud NGFW. In either case, the integration automatically enables Strata Cloud Manager Pro features for Cloud NGFW.
Strata Cloud Manager Roles: You have the following two options in your Strata Cloud Manager user role:
- Apps & Services: Select either All Apps & Services or Prisma Access & NGFW Configuration.
- Role: Select at least one of the following roles: Superuser, Network Administrator, or Security Administrator.
AWS Account: You have an AWS account with the necessary permissions to subscribe to AWS Marketplace services and create VPCs, security groups, and IAM roles.

Deploy and Manage Cloud NGFW resources

Access the Cloud NGFW in SCM
1. Log in to the SCM console.
2. Go to Configurations and then select Cloud NGFWs.
3. Click Get Started.
4. Click Create Cloud NGFW to begin the onboarding process.
Create a Cloud NGFW for AWS Resource.
1. From the Create Cloud NGFW wizard, select Amazon Web Services as your cloud provider and click Next.
  
  If this is your first time setting up the environment, you should see a green banner indicating that the environment was created successfully. If you encounter any errors at this stage, reach out to Palo Alto Networks support for assistance.
2. Follow the wizard to configure your new firewall. Enter your firewall Name, Region, and Availability Zone IDs.
3. Click Create and Deploy.
  
  (Optional) Click Check Firewall Details to discover the advanced features that the Cloud NGFW provides.
4. Upon successful creation of the first firewall for an SCM tenant, the platform automatically creates a unique Cloud NGFW for AWS tenant and starts the 30-day free trial. For more information, see Cloud NGFW Tenant Information in Strata Cloud Manager Console.
Protect your VPC traffic with Cloud NGFW resources.
When you deploy Cloud NGFW resources in the SCM console, the deployed resources will automatically register as devices to the Strata Cloud Manager console. You can then author policies for the registered resources. For more information, see:
- View your registered Cloud NGFW resources in Strata Cloud Manager
- Author policies for Cloud NGFW resources in Strata Cloud Manager
Monitor Cloud NGFW resources.
- Go to the log viewer to view your logs and log analysis in SCM.
- You can select the NGFW resource and add one of your S3 buckets in your AWS account for streaming logs. For more information, see view logs natively in AWS and Enable Audit Log Settings in SCM Console.
- You can onboard an AWS account to establish crossx-account IAM permissions. For more information, see Onboard AWS Account in Strata Cloud Manager.
- You can select the NGFW resource and then add a CloudWatch log group or a Kinesis stream in your onboarded account as the AWS log destination. For more information, see Enable Log Settings in the Strata Cloud Manager console.
- You can select the NGFW resource and add a Cloud Watch Metrics Namespace in your onboarded account as the AWS Metrics destination. For more information, see Enable audit log settings in the Strata Cloud Manager console

Generate Billing Code and Subscribe using AWS Marketplace

Add a Pay-As-You-Go (PAYG) Subscription
1. In the SCM UI, go to the Subscriptions page.
2. Click Add New Subscription.
3. Enter the AWS Account ID that will be used for billing.
4. Click Generate Billing Subscription Code. The platform will generate a billing association code, and an email will be sent to the admin user who created the SCM tenant.
5. Click Complete the Subscription on AWS Marketplace.
6. Go to the Palo Alto Networks Cloud NGFW page on the AWS Marketplace and click View purchase options or Subscribe. This will open the AWS Marketplace in a new browser tab.
Complete Subscription on AWS Marketplace.
If you are subscribing to Cloud NGFW with this AWS account for the first time, you will be redirected to Palo Alto Networks Cloud NGFW page in AWS Marketplace. Perform the following steps:
1. Click Subscribe.
2. Review the offer details and click Subscribe again on the confirmation page if prompted.
3. After subscribing, click Set up your account. You will be redirected to the AWS Quick Launch page to link your SCM tenant.
  
  For user who have already subscribed to CNGFW AWS account:
  In the AWS Marketplace > Discover products page, the subscribe button will be greyed out. Click Set up your Account to go to the Quick Launch page.
  
  Alternatively, if you are on AWS Marketplace > Manage Subscription page, click Set up product. You are redirected to the Quick Launch page. Click link a different account to apply your billing code generated in Step 1. For more information, see AWS Marketplace Billing Aggregation.
Click Enable Integration and ensure that you have all required AWS permissions.
Click Login or create an account.
Link your CNGFW Account by applying Billing Code generated in Step 1.
1. Select the option I have a SCM Billing Subscription Code and enter the code you generated in SCM to link the SCM.
2. Enter your Email.
3. Click Save.
  Upon successful subscription, you will be redirected back to the SCM UI.
4. Click Continue with Strata Cloud Manager. You are now redirected to the SCM portal. In the Subscription tab, you can see the Pay-as-you-go subscription or free-trial subscription details.
  
  If you want to add a second SCM tenant using the same AWS account, click Add New Subscription. You will be redirected to generate new SCM Billing Subscription Code. Complete the steps described in Step 2. This will change the billing account to a different AWS Account.
If you want to add a second SCM tenant using the same AWS account, in your SCM console, click Add New Subscription. You will be redirected to generate new SCM Billing Subscription Code. Complete the steps described in Step 2. This will change the billing account to a different AWS Account.