New Features - Cloud NGFW for AWS - October 2024
Egress NAT for Cloud NGFW for AWS
Cloud NGFW for AWS now supports Egress NAT (Network Address Translation), consolidating security inspection and network address translation into a single service and eliminating the need for separate NAT gateways in your VPC architecture. Organizations deploying both Cloud NGFW and AWS NAT gateways face increased costs, additional architectural complexity, and split traffic paths that complicate troubleshooting and visibility. With Egress NAT support, Cloud NGFW performs source NAT on traffic egressing from the Cloud NGFW resource, so a separate NAT gateway in your VPC is no longer required for egress traffic while comprehensive security inspection is maintained.
This consolidation simplifies your AWS network architecture by reducing the number of components you need to deploy, configure, and maintain. You now have unified visibility into both security inspection and NAT operations through a single service, making troubleshooting more straightforward and providing complete session correlation. The integration ensures that all egress traffic receives security inspection before NAT translation, preventing any unprotected egress paths that could occur with separate NAT and security infrastructure. This architectural simplification can reduce operational costs while improving your overall security posture.
For more information, see Egress NAT.
Zone-Based Policies for Cloud NGFW for AWS
Cloud NGFW for AWS now supports zone-based policies to simplify VPC traffic classification and policy enforcement by eliminating the need to manage complex IP-based rules for every subnet and resource. Organizations managing AWS environments with numerous VPCs and subnets face escalating complexity when defining security policies based on individual IP addresses or CIDR ranges, making policies difficult to maintain and increasing the risk of misconfigurations. With zone-based policies, you can classify your VPC traffic using Private and Public zones to simplify policy enforcement, attach Zone Protection profiles to these zones, and create zone mappings to associate security zones in your Panorama with Cloud NGFW's Private (internal) or Public (external) zones.
This zone-based approach dramatically reduces policy complexity by allowing you to define rules based on traffic flow between logical zones rather than tracking individual IP ranges. You can now implement security policies that remain valid as your infrastructure scales, without constantly updating rules to account for new subnets or address changes. The zone abstraction aligns with network security best practices and makes policies more readable and maintainable, while Zone Protection profiles provide additional defenses against reconnaissance, floods, and other zone-specific attacks.
For more information, see Zone-based policies.