Cloud NGFW for AWS V1 to V2 Migration

Learn how the Cloud NGFW for AWS migration to V2 infrastructure affects your existing firewalls, Terraform deployments, and log configuration.
Where Can I Use This?
  • Cloud NGFW for AWS
What Do I Need?
  • Cloud NGFW subscription
  • Palo Alto Networks Customer Support Account (CSP)
  • AWS Marketplace account
Palo Alto Networks® is migrating all existing Cloud NGFW for AWS V1 tenants to V2 infrastructure to provide a more scalable and feature-rich experience through Simplified Onboarding.
The migration is designed as a rolling update to ensure continuous logging and zero impact on active data plane traffic. During the transition, firewalls will display an Updating status in the console, and management actions will be temporarily disabled to prevent configuration drift. To access the updated V2 Management Console once the migration is complete, simply log out and back into your session.

Benefits of Migrating from V1 to V2

Migrating to V2 provides the following advantages:
  • Instead of onboarding AWS accounts, you can add them to an allow list, which does not require full permissions for creating endpoints.
  • The following features are available exclusively on V2:
    • Premium SKUs (upcoming)
    • User-ID with Panorama® (upcoming)
    • Egress NAT using Cloud NGFW with Strata Cloud Manager (upcoming)

Impacts of the Cloud NGFW for AWS V1 to V2 Migration

Before migration — When you log in to your Cloud NGFW for AWS tenant, you will see that your tenant is running version V1.
During migration
  • UI Status: Firewall Status displays an Updating status in the Cloud NGFW for AWS V1 console.
  • Console Restrictions: Access links to edit or modify firewalls will be grayed out to prevent configuration changes during the migration.
  • Firewall Operations: Create, Update, and Delete operations on Firewall resources may fail during the maintenance window. Policy configuration commits via Panorama, Strata Cloud Manager, or Local Rulestack may also fail during this window. You will be able to resume these operations a few hours after the maintenance window.
  • User Action (Programmatic): It is recommended that no Terraform or API configuration changes are performed during the migration window.
After migration
  • Console Transition: Log out and log back in to access the V2 UI for your migrated tenant.
  • Firewall Status: Firewalls show an Update Complete status in the Cloud NGFW for AWS V2 console.
  • Actions Required: If you are using programmatic access, current firewalls will stay backward compatible with the current version and accept basic modifications. However, it is recommended to move to the latest version to be able to create new firewalls or access new features.

Programmatic Access and Terraform

  • Backward Compatibility: The latest Terraform provider version supports both V1 and V2 schemas to support co-existence.
  • Existing Firewalls: Existing firewalls originally deployed using the V1 provider version will continue to function and accept basic modifications normally. Ensure that you perform the steps documented in Cloud NGFW firewall management using Terraform when upgrading to the latest version of the cloudngfwaws Terraform provider.
  • New Firewalls: Creating new firewall resources using your legacy V1 provider path will no longer be supported after this upgrade and will result in a creation failure. To deploy new firewalls post-migration, your deployment configurations must be updated to point to the latest V2 path/Terraform provider version.
  • Globally Unique Firewall IDs: Previously, Cloud NGFW resources were identified by user-provided names. To streamline integration across the Palo Alto Networks ecosystem, they now use unique Firewall IDs. Your original names are retained as metadata.
  • CloudWatch Log Groups: Post-migration, Cloud NGFW logs will appear in new log streams that include the Firewall ID (rather than the original firewall name). If you have any automations based on the log stream name prefix, update them to match the new stream names.
  • SCM Managed Cloud NGFW resources: Post-migration, you may temporarily see two global rulestacks associated with your SCM-managed resources. The original rulestack will be automatically deleted in a few weeks. No action is required from you.
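
The CloudWatch Log Groups item above means a log forwarder or alert that filters on a firewall-name prefix can silently stop receiving events after migration. The following added example (not Palo Alto Networks code) audits a set of prefix filters against stream names from before and after the change and proposes an ID-based replacement only when it matches a real post-migration stream. The stream-name layout, firewall names, Firewall IDs, and automation names are constructed placeholders; substitute the stream names listed from your own log group.

```python
# Constructed sample data: names, IDs and stream layout are placeholders,
# not the real Cloud NGFW naming scheme.
OLD_STREAMS = [  # V1: stream names start with the firewall name
    "edge-fw-prod_TRAFFIC",
    "edge-fw-prod_THREAT",
    "edge-fw-dev_TRAFFIC",
]
NEW_STREAMS = [  # V2: stream names carry the Firewall ID instead
    "FWID-PLACEHOLDER-1_TRAFFIC",
    "FWID-PLACEHOLDER-1_THREAT",
    "FWID-PLACEHOLDER-2_TRAFFIC",
]
NAME_TO_ID = {  # original name (retained as metadata) -> Firewall ID
    "edge-fw-prod": "FWID-PLACEHOLDER-1",
    "edge-fw-dev": "FWID-PLACEHOLDER-2",
}
PREFIX_FILTERS = {  # hypothetical automations -> stream-name prefix they read
    "siem-forwarder": "edge-fw-prod_",
    "threat-alerts": "edge-fw-prod_THREAT",
    "all-edge": "edge-",
    "catch-all": "",
}


def matches(prefix, streams):
    """True if at least one stream name starts with the prefix."""
    return any(name.startswith(prefix) for name in streams)


def audit_prefixes(filters, old_streams, new_streams, name_to_id):
    """Return (consumer, old_prefix, suggestion) for filters that go silent.

    suggestion is None when no ID-based rewrite matches a new stream name,
    so that filter needs manual review.
    """
    findings = []
    for consumer, prefix in sorted(filters.items()):
        if not matches(prefix, old_streams) or matches(prefix, new_streams):
            continue  # never matched, or still matches after migration
        suggestion = None
        # Longest name first so a short name cannot shadow a longer one.
        for name in sorted(name_to_id, key=len, reverse=True):
            candidate = name_to_id[name] + prefix[len(name):]
            if prefix.startswith(name) and matches(candidate, new_streams):
                suggestion = candidate
                break
        findings.append((consumer, prefix, suggestion))
    return findings
```

A filter such as `all-edge`, whose prefix is shorter than any firewall name, has no single ID-based equivalent and is reported with no suggestion.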