Getting Started from Strata Cloud Manager

Table of Contents

Supported Security Policy Management Features

Getting Started from Strata Cloud Manager

Where Can I Use This?	What Do I Need?
Cloud NGFW for AWS	Cloud NGFW subscription Palo Alto Networks Customer Support Account (CSP) AWS Marketplace account User role (either tenant or administrator)

You can now have a streamlined onboarding and management experience for Cloud NGFW for AWS. This new simplified process allows you to handle all administrative tasks directly from the Strata Cloud Manager (SCM).This streamlined Try & Buy workflow allows you to deploy Cloud NGFW resources, and configure policies without the friction of onboarding your accounts to establish cross-account IAM roles or committing to billing immediately. You can generate a billing code to complete your AWS Marketplace subscription, link billing, and then optionally purchase long-term contract credits at private pricing — all without disrupting your existing Cloud NGFW resources.

End-to-End Workflow

Steps	Description
Free Trial	Start a free trial by deploying and managing Cloud NGFW resources directly from the SCM console. You then create endpoints in your AWS VPCs and redirect traffic to this Cloud NGFW resource. You can monitor the firewall health on the same console. You can also monitor your Cloud NGFW’s logs in the Strata Cloud Manager’s Log Viewer page. Additionally, you can easily stream your logs to an S3 bucket by establishing cross-account access using resource-based policies. Optionally, you can onboard AWS account(s) into SCM to stream logs and metrics to Cloudwatch. This trial allows you to explore the full features during a trial period before buying the product.
Generate Billing Code and Subscribe via AWS Marketplace	When ready to subscribe, generate a unique billing code in SCM by providing your AWS account ID. Then log into the same AWS account, navigate to AWS Marketplace, and subscribe to Cloud NGFW using the billing code. This action establishes the PAYG billing link, enabling metering records to be sent from Cloud NGFW to the AWS Marketplace Metering Service. Your Cloud NGFW resources remain intact during this transition. If you are already logged in to your AWS account in the same browser (different tab), click the link provided at the time of billing code creation to go directly to the AWS Marketplace page to establish the PAYG subscription.
(Optional) Optimize Your Costs with Cloud NGFW Credits	Optionally purchase and activate Cloud NGFW Credits, then associate them with your Cloud NGFW tenant. The platform continuously validates usage against your credit allocation. If consumption exceeds your allocated credits, the platform calculates overages and sends PAYG metering records to AWS Marketplace. If your credits expire, Cloud NGFW automatically and seamlessly switches to your active AWS Marketplace subscription for Pay-As-You-Go billing. Your Cloud NGFW resources remain intact during these transitions. Do not cancel or remove your Pay-As-You-Go (PAYG) subscription when configuring Cloud NGFW Credits. An active PAYG subscription is strictly required to cover overages in the event that your usage exceeds your allotted credits. Removing your PAYG subscription will result in intentional usability restrictions.

This section guides you through onboarding and managing Cloud NGFW for AWS resources directly from the Strata Cloud Manager (SCM) UI.

Prerequisites

Before you begin, ensure the following:

Strata Cloud Manager: You have access to Palo Alto Networks Strata Cloud Manager (SCM). If you do not have a Strata Cloud Manager, you can activate a new Strata Cloud Manager Essentials (steps 1-8) to use with Cloud NGFW. In either case, the integration automatically enables Strata Cloud Manager Pro features for Cloud NGFW.
Strata Cloud Manager Roles: You have the following two options in your Strata Cloud Manager user role:
- Apps & Services: Select either All Apps & Services or Prisma Access & NGFW Configuration.
- Role: Select at least one of the following roles: Superuser, Network Administrator, or Security Administrator.
AWS Account: You have an AWS account with the necessary permissions to subscribe to AWS Marketplace services and create VPCs, security groups, and IAM roles.

Deploy and Manage Cloud NGFW resources

Access the Cloud NGFW in SCM
1. Log in to the SCM console.
2. Go to Configurations and then select Cloud NGFWs.
3. Click Get Started.
4. Click Create Cloud NGFW to begin the onboarding process.
Create a Cloud NGFW for AWS Resource.
1. From the Create Cloud NGFW wizard, select Amazon Web Services as your cloud provider and click Next.
  
  If this is your first time setting up the environment, you should see a green banner indicating that the environment was created successfully. If you encounter any errors at this stage, reach out to Palo Alto Networks support for assistance.
2. Follow the wizard to configure your new firewall. Enter your firewall Name, Region, and Availability Zone IDs.
3. Click Create and Deploy.
  
  (Optional) Click Check Firewall Details to discover the advanced features that the Cloud NGFW provides.
4. Upon successful creation of the first firewall for an SCM tenant, the platform automatically creates a unique Cloud NGFW for AWS tenant and starts the 30-day free trial. For more information, see Cloud NGFW Tenant Information in Strata Cloud Manager Console.
Create Endpoints and Redirect Traffic to Cloud NGFW.
After your Cloud NGFW resource is successfully deployed, you must locate your endpoint service name, create the endpoints in AWS, and configure your routing to direct traffic to the firewall for inspection.
1. Locate the Endpoint Service Name in SCM:
  1. In the Strata Cloud Manager (SCM) console, go to Configurations > Cloud NGFWs.
  2. Click your Firewall ID (or firewall name) of your deployed Cloud NGFW resource.
  3. Select Endpoint Management from the left navigation pane.
  4. Look for the Endpoints section and copy the VPC Endpoint Service Name.
2. Create NGFW Endpoints in your AWS VPC
  1. Log in to your AWS Management Console and go to VPC > Endpoints.
  2. Click Create endpoint.
  3. Under Service category, select Other endpoint services.
  4. Paste the Service Name you copied from SCM into the box and click Verify service.
  5. Select the VPC and the specific Availability Zones/Subnets where you want the firewall endpoints to reside ( your Trust or App subnets).
  6. Select the Security Group that allows the necessary traffic to pass to the endpoint.
  7. Click Create endpoint.
3. Update VPC Route Tables to redirect traffic to the endpoint
  Modify your AWS VPC route tables (e.g., your Internet Gateway ingress route table or private subnet route tables) to set the new Cloud NGFW endpoints as the next hop for the traffic you want to inspect.
  1. In the AWS Console, go to VPC > Route Tables.
  2. Select the route table for the subnets you want to protect (such as your Public Subnet or Private App Subnet).
  3. Click Edit Routes.
  4. Add or modify a route (e.g., 0.0.0.0/0) and set the Target to VPCE Endpoint.
  5. Select the specific Endpoint ID you created in the previous step.
  6. Click Save changes.
    Traffic will now flow from your VPC through the Cloud NGFW resource for inspection.
Protect your VPC traffic with Cloud NGFW resources.
When you deploy Cloud NGFW resources in the SCM console, the deployed resources will automatically register as devices to the Strata Cloud Manager console. You can then author policies for the registered resources. For more information, see:
- View your registered Cloud NGFW resources in Strata Cloud Manager
- Author policies for Cloud NGFW resources in Strata Cloud Manager
Monitor Cloud NGFW resources.
- Go to the log viewer to view your logs and log analysis in SCM.
- You can select the NGFW resource and add one of your S3 buckets in your AWS account for streaming logs. For more information, see view logs natively in AWS and Enable Audit Log Settings in SCM Console.
- You can onboard an AWS account to establish crossx-account IAM permissions. For more information, see Onboard AWS Account in Strata Cloud Manager.
- You can select the NGFW resource and then add a CloudWatch log group or a Kinesis stream in your onboarded account as the AWS log destination. For more information, see Enable Log Settings in the Strata Cloud Manager console.
- You can select the NGFW resource and add a Cloud Watch Metrics Namespace in your onboarded account as the AWS Metrics destination. For more information, see Enable audit log settings in the Strata Cloud Manager console