Deploy Cloud NGFW for AWS with the AWS Firewall Manager
The AWS Firewall Manager (FMS) is a service that allows you to centrally manage rules for AWS Web Application Firewalls, Security Groups, and AWS Network Firewalls across all member accounts of your AWS Organization. You can now use the AWS Firewall Manager to centrally deploy Cloud NGFW resources and manage rules across VPCs in different AWS accounts of your AWS Organization. The AWS Firewall Manager dashboard also allows you to view and respond to compliance notifications.

The AWS Firewall Manager provides a workflow that allows you to deploy the Cloud NGFW as an FMS policy, select a deployment mode and region, create a global rulestack, configure NGFW endpoints, and define the scope of the Cloud NGFW across your organization. For more information, see the AWS Firewall Manager documentation.

The Cloud NGFW supports VPC resources only within the FMS policy scope.
- Subscribe to Cloud NGFW for AWS.
  The AWS account you use to subscribe to the Cloud NGFW service must be the same account as the AWS Firewall Manager administrator account. As an IAM user in the AWS Firewall Manager account, begin by subscribing to the Cloud NGFW service through the AWS Marketplace. After completing your initial setup, return to the FMS dashboard in the AWS console. This procedure creates a Cloud NGFW tenant and automatically assigns you (the FMS administrator) the TenantAdmin and GlobalFirewallAdmin roles.
- Associate the Palo Alto Networks Cloud NGFW service with the Firewall Manager.
  - Log in to the AWS Console and select Services > AWS Firewall Manager > Settings.
  - Under Third Party Firewall Association Status, select Palo Alto Networks Cloud NGFW.
  - Click Associate.
- Select Security Policies > Create Policy.
- Choose the policy type and region.
  - Under Third Party Services, select Palo Alto Networks Cloud NGFW.
  - Select your Deployment Mode: Distributed or Centralized.
  - Select the Region.
  - Click Next.
- Describe the FMS policy for the Cloud NGFW on AWS.
  Provide a descriptive name for your FMS policy, configure or associate a global rulestack with the FMS policy, and configure log settings. FMS displays any existing global rulestacks (if available) and a link that takes you to the Cloud NGFW console to create a global rulestack. Because the subscribing user (the FMS administrator) is already a GlobalRulestackAdmin, you do not have to make any changes to the user roles.
  - Enter a descriptive Policy Name.
  - Select or create a Third Party Firewall Policy Configuration.
    In the FMS console, Third Party Firewall Policy Configuration refers to a global rulestack in the context of the Cloud NGFW. If you have already created one or more global rulestacks, they are listed here. If you have not created a global rulestack, you can create one by clicking Create Firewall Policy. This redirects you to the Cloud NGFW console. For information about rulestacks and rulestack configuration, see About Rulestacks and Rules on Cloud NGFW for AWS.
  - Create a global rulestack.
    - Enter a descriptive Name for your rulestack.
    - (Optional) Enter a Description for your rulestack.
    - Click Save.
    - Return to the FMS console.
  - Configure logging.
    You can select Traffic, Decryption, and/or Threat logs. For each type of log, you must specify a destination (S3 bucket, CloudWatch log group, or Kinesis Firehose delivery stream) from the drop-down. The drop-down displays previously configured destinations in your AWS environment.
  - Click Next.
- Configure NGFW endpoints.
  Cloud NGFW creates endpoints in the availability zones that need to be secured. These NGFW endpoints intercept and redirect traffic to Cloud NGFW for inspection and enforcement. The number and location of NGFW endpoints differs based on your deployment mode (distributed or centralized). You select the NGFW endpoint locations by choosing availability zone names or availability zone IDs. Keep in mind that availability zone names can differ between AWS accounts, but availability zone IDs are consistent across all AWS accounts.
  - Select Availability Zone Name or Availability Zone ID. This selection determines which options (names or IDs) the FMS console lists.
  - In the Action column, click the slider to add an availability zone to the Cloud NGFW FMS policy.
  - (Optional) Add Classless Inter-Domain Routing (CIDR) blocks to specify the subnets used by the NGFW endpoints.
    You can specify a CIDR block for each selected availability zone or create a list of CIDR blocks for the FMS to assign to the selected availability zones. Each CIDR block must be a /28 CIDR block. If you do not specify any CIDR blocks, the FMS takes a best-effort approach to find unassigned CIDR blocks in your VPC to create subnets for the NGFW endpoints. If no CIDR blocks are available in your VPC, the FMS displays a non-compliant error.
  - Click Next.
- Define the Cloud NGFW FMS policy scope.
  Policy scope defines the AWS accounts or organizational units (OUs) and the resources that are covered by the Cloud NGFW FMS policy. You can apply the Cloud NGFW FMS policy across all AWS accounts and VPCs in your organization or specify a subset of accounts and/or VPCs. When you add a new AWS account or VPC to your organization, the FMS determines whether your Cloud NGFW policy should be applied to that account or VPC. For example, you can apply the Cloud NGFW policy to all accounts except for a small, excluded subset. When a new account joins your organization, because it is not on the excluded list, the Cloud NGFW policy is applied to it.
  - Specify the accounts to include in or exclude from the Cloud NGFW FMS policy.
    You can choose Include all accounts under my AWS organization, Include only the specified accounts and organizational units, or Exclude specific accounts and organizational units, and include all others. If you choose to include or exclude a subset of accounts and OUs, the FMS console displays fields that allow you to specify those accounts and OUs. Click Edit List to create your include or exclude list.
  - Specify the VPCs to include in or exclude from the Cloud NGFW FMS policy.
    Similarly to the accounts and OUs, you can Include all resources that match the selected type, Include only resources that have all the specified resource tags, or Exclude resources that have all the specified resource tags, and include all others. If you choose to include or exclude a subset of VPCs, the FMS console displays options to provide a list of up to eight resource tags and values.
  - Under Third Party Firewall Customer IAM Role, you can download a copy of the Cloud NGFW IAM Roles CloudFormation Template (CFT).
  - Click Next.
- (Optional) Configure policy tags.
  You can apply tags (consisting of a key and an optional value) to help you search for and filter the Cloud NGFW resources created through the FMS.
  - Click Next.
- Review your Cloud NGFW policy configuration.
  - Click Create Policy to deploy the Cloud NGFW.
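Two of the rules in the endpoint and scope steps above are easy to get wrong before the policy is submitted: every endpoint subnet CIDR must be a /28, and scope is evaluated per account (include all, include only the listed accounts/OUs, or exclude the listed ones) and per VPC (a tag filter matches only when the VPC carries all of the specified tags, with at most eight tags). The following pre-check is an added example written for this page; it is not Palo Alto Networks or AWS code and does not call the FMS API. It models those rules locally so you can confirm which VPCs a planned policy would cover, including the case of an account that joins the organization after the policy exists. All account IDs, OU names, VPC IDs, tags and CIDRs in it are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


def valid_endpoint_cidr(cidr: str) -> bool:
    """Return True only for a well-formed IPv4 /28 block.

    The FMS workflow requires each CIDR block supplied for an NGFW endpoint
    subnet to be a /28; wrong sizes, host bits set in the address, IPv6 and
    malformed strings are all rejected here before anything is submitted.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return False
    return net.version == 4 and net.prefixlen == 28


@dataclass
class AccountScope:
    """Account/OU scope of the FMS policy: 'all', 'include' or 'exclude'."""
    mode: str
    accounts: Set[str] = field(default_factory=set)
    ous: Set[str] = field(default_factory=set)


def account_in_scope(scope: AccountScope, account_id: str, ou: str) -> bool:
    """Apply the account rule; FMS applies the same rule to newly joined accounts."""
    listed = account_id in scope.accounts or ou in scope.ous
    if scope.mode == "all":
        return True
    if scope.mode == "include":
        return listed
    if scope.mode == "exclude":
        return not listed
    raise ValueError(f"unknown account scope mode: {scope.mode}")


@dataclass
class VpcScope:
    """VPC scope: 'all', 'include_tags' or 'exclude_tags' (at most eight tags)."""
    mode: str
    tags: Dict[str, str] = field(default_factory=dict)


def vpc_in_scope(scope: VpcScope, vpc_tags: Dict[str, str]) -> bool:
    """A VPC matches the tag filter only when it carries ALL of the specified tags."""
    if len(scope.tags) > 8:
        raise ValueError("FMS accepts at most eight resource tags in the VPC filter")
    matches_all = all(vpc_tags.get(k) == v for k, v in scope.tags.items())
    if scope.mode == "all":
        return True
    if scope.mode == "include_tags":
        return matches_all
    if scope.mode == "exclude_tags":
        return not matches_all
    raise ValueError(f"unknown VPC scope mode: {scope.mode}")


def vpcs_covered(account_scope: AccountScope, vpc_scope: VpcScope,
                 inventory: List[Tuple[str, str, str, Dict[str, str]]]) -> List[Tuple[str, str]]:
    """inventory rows are (account_id, ou, vpc_id, vpc_tags); returns (account, vpc) pairs in scope."""
    covered = []
    for account_id, ou, vpc_id, tags in inventory:
        if account_in_scope(account_scope, account_id, ou) and vpc_in_scope(vpc_scope, tags):
            covered.append((account_id, vpc_id))
    return covered


def sample_inventory() -> List[Tuple[str, str, str, Dict[str, str]]]:
    """Constructed sample data; account IDs, OU names, VPC IDs and tags are placeholders."""
    return [
        ("111111111111", "ou-prod", "vpc-prod-a", {"inspect": "true", "env": "prod"}),
        ("222222222222", "ou-sandbox", "vpc-sandbox", {"inspect": "true"}),
        ("333333333333", "ou-prod", "vpc-prod-b", {"env": "prod"}),
    ]


def demo() -> List[Tuple[str, str]]:
    """Exclude the sandbox OU, include only VPCs tagged inspect=true, then add a late-joining account."""
    account_scope = AccountScope(mode="exclude", ous={"ou-sandbox"})
    vpc_scope = VpcScope(mode="include_tags", tags={"inspect": "true"})
    inventory = sample_inventory()
    # A new account joins ou-prod after the policy exists; it is not on the
    # excluded list, so the policy applies to it just as the text describes.
    inventory.append(("444444444444", "ou-prod", "vpc-new", {"inspect": "true"}))
    return vpcs_covered(account_scope, vpc_scope, inventory)


if __name__ == "__main__":
    for cidr in ("10.0.1.0/28", "10.0.1.0/24", "10.0.1.5/28"):
        print(cidr, "ok" if valid_endpoint_cidr(cidr) else "rejected")
    for account_id, vpc_id in demo():
        print("in scope:", account_id, vpc_id)
```

Run the module directly to see the CIDR checks and the covered (account, VPC) pairs; vpc-prod-b drops out because it lacks the inspect tag, the sandbox account drops out because its OU is excluded, and the late-joining account is covered without any change to the policy.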