Deploy Cloud NGFW for AWS with the AWS Firewall Manager

The AWS Firewall Manager (FMS) is a service in that allows you to centrally manage rules for AWS Web Application Firewalls, Security Groups, and AWS Network firewalls across all member accounts of the AWS Organization. You can now use the AWS Firewall Manager to centrally deploy Cloud NGFW resources and manage rules across VPCs in different AWS accounts of your AWS Organization. AWS Firewall Manager dashboard also allows you to view and respond to compliance notifications.
The AWS Firewall Manager provides a workflow that allows you to deploy the Cloud NGFW as a FMS policy, select a deployment mode and region, create a global rulestack, configure NGFW endpoints, and define the scope of the Cloud NGFW across your organization.
For more information, see the AWS Firewall Manager documentation.
The Cloud NGFW supports VPC resources only within FMS policy scope.
  1. Subscribe to Cloud NGFW for AWS Service. The AWS account you use to subscribe to the Cloud NGFW service must be the same AWS Firewall Manager administrator account.
    As an IAM user in the AWS Firewall Manager account, begin by subscribing to the Cloud NGFW service through the AWS Marketplace. After completing your initial setup, return to the FMS dashboard in the AWS console. This procedure creates a Cloud NGFW tenant and automatically assigns you (the FMS administrator) with the TenantAdmin and GlobalFirewallAdmin roles.
  2. Associate the Palo Alto Cloud NGFW Service with the Firewall Manager.
    1. Log in to the AWS Console and select
      Services
      AWS Firewall Manager
      Settings
      .
    2. Under Third Party Firewall Association Status, select Palo Alto Networks Cloud NGFW.
    3. Click
      Associate
      .
  3. Select
    Security Policies
    Create Policy
    .
  4. Choose the policy type and region.
    1. Under Third Party Services, select
      Palo Alto Networks Cloud NGFW
      .
    2. Select your
      Deployment Mode
      —Distributed or Centralized.
    3. Select the
      Region
      .
  5. Click
    Next
    .
  6. Describe FMS Policy for the Cloud NGFW on AWS.
    Provide a descriptive name for your FMS policy, configure or associate a global rulestack with the FMS policy, and configure log settings. FMS displays any existing global rulestacks (if available) and a link that takes to the Cloud NGFW console to create a global rulestack. Because the subscribing user (FMS administrator) is a GlobalRulestackAdmin, you do not have make any changes to the user roles.
    1. Enter a descriptive
      Policy Name
      .
    2. Select or create
      Third Party Firewall Policy Configuration
      .
      In the FMS console, Third Party Firewall Policy Configuration refers to a global rulestack in the context of the Cloud NGFW. If you have already created one or more global rulestacks, they are listed here. If you have not created a global rulestack, you can create one by clicking
      Create Firewall Policy
      . This redirects you to the Cloud NGFW console. For information about rulestacks and rulestack configuration, see About Rulestacks and Rules on Cloud NGFW for AWS.
    3. Create a Global Rulestack.
      1. Enter a descriptive
        Name
        for your rulestack.
      2. (
        optional
        ) Enter a
        Description
        for your rulestack.
      3. Click
        Save
        .
      4. Return to the FMS console.
    4. Configure logging.
      You can select Traffic, Decryption, and/or Threat logs. For each type of log, you must specify a destination—S3 Bucket, CloudWatch log group, or Kinesis Firehose delivery stream—from the drop-down. The drop-down displays previously-configured destinations in your AWS environment.
    5. Click
      Next
      .
  7. Configure NGFW Endpoints.
    Cloud NGFW creates endpoints in your availabilty zones that need to be secured. These NGFW endpoints intercept and redirect traffic to Cloud NGFW for inspection and enforcement. The number and location of NGFW endpoints differs based on your deployment mode—distributed or centralized.
    You select the NGFW endpoint locations by choosing availability zone names or availability zone IDs. Keep in mind that availability zone names can differ between AWS accounts but availability zone IDs are consistent across all AWS accounts.
    1. Select
      Availability Zone Name
      or
      Availability Zone ID
      . This selection determines what options—names or IDs—the FMS console lists.
    2. In the Action column, click the slider to add an availability zone to the Cloud NFGW FMS policy.
    3. (
      optional
      ) Add Classless Inter-Domain Routing (CIDR) blocks to specify the subnets used by the NGFW endpoints.
      You can specify a CIDR block for each selected availability zone or create a list of CIDR blocks for the FMS to assign to the selected availability zones. Each CIDR block must be a /28 CIDR block.
      If you do not specify any CIDR blocks, the FMS will take a best effort approach to find unassigned CIDR blocks in your VPC to create subnets for the NGFW endpoints. If no CIDR blocks are available in your VPC, the FMS displays a non-compliant error.
    4. Click
      Next
      .
  8. Define Cloud NGFW FMS Policy Scope.
    Policy scope defines the AWS accounts or organizational units (OU) and resource that are covered the Cloud NGFW FMS policy. You can apply the Cloud NGFW FMS policies across all AWS accounts and VPCs in your organization or specify a subset of accounts and/or VPCs.
    When you add a new AWS account or VPC to your organization, the FMS determines if your Cloud NGFW policy should be applied to that account or VPC. For example, you can apply the Cloud NGFW policy to all accounts except for a small, excluded subset. When a new account joins your organization, because it is not on the excluded list, the Cloud NGFW policy is applied.
    1. Specify the accounts to include or exclude form the Cloud NGFW FMS policy.
      You can choose to
      Include all accounts under my AWS organization
      ,
      Include on the specified accounts and organizational units
      , or
      Exclude specific accounts and organizational units, and include all others
      .
      If you choose to include or exclude a subset of accounts and OUs, the FMS console displays a fields that allow you to specify those accounts and OUs. Click
      Edit List
      to create your include or exclude list.
    2. Specify the VPC to include or exclude form the Cloud NGFW FMS policy.
      Similarly to the accounts and OUs, the can
      Include all resources that match the selected type
      ,
      Include only resources that have all the specified resource tags
      , or
      Exclude resources that have all the specified resource tags, and include all others
      .
      If you choose to include or exclude a subset of VPCs, the FMS console displays options to provide a list of up to eight resource tags and values.
    3. Under
      Third Party Firewall Customer IAM Role
      , you can download a copy of the Cloud NGFW IAM Roles CloudFormation Template (CFT).
    4. Click
      Next
      .
    5. (
      Optional
      ) Configure policy tags.
      You can apply tags (consisting of a key and optional value) to help search for and filter your Cloud NGFW resource created through the FMS.
    6. Click
      Next
      .
    7. Review your Cloud NGFW policy configuration.
    8. Click
      Create Policy
      to deploy the Cloud NGFW.

Recommended For You