Subscribe to Cloud NGFW for AWS
Complete the following steps to subscribe to the Cloud NGFW service—you can subscribe to a Cloud NGFW Pay-as-you-go (PAYG) SaaS Subscription or add a Cloud NGFW for AWS Credits contract onto your PAYG subscription.
This procedure begins the process of creating your first user—a tenant administrator. A tenant admin is the highest level of user in the Cloud NGFW service. It provides the ability to add AWS accounts to the Cloud NGFW service and onboard additional users.
You must create a Cloud NGFW PAYG SaaS subscription before you can sign up for a Cloud NGFW for AWS Credits contract.
Cloud NGFW PAYG SaaS Subscription
Before you subscribe to and deploy Cloud NGFW for AWS in your AWS environment, you must consider and create the following. During the subscription process, you will be asked to define the parameters described below in a CloudFormation Template (CFT) to complete the complete the initial configuration.
- Endpoint Configuration(Mandatory)—the cross-account IAM role includes permissions that allows Cloud NGFW to read VPC resource information, which is required for configuring NGFW Endpoints.
- Endpoint Creation(Optional)—you can configure Cloud NGFW to create and manage NGFW Endpoints in your AWS environment. By selectingYes, you are giving Cloud NGFW permissions to create and manage the necessary endpoints in your VPCs. If you selectNo, you must Create and View NGFW Endpoints manually.
- Permissions for Logging(Optional)—Cloud NGFW allows you to send traffic, threat, and decryption logs to an S3 bucket, Cloudwatch Log Group, or Kinesis Data Firehose. For Cloud NGFW to send those logs to the intended destination, you must provide the necessary permissions.The Cloud NGFW console redirects you to the AWS CloudFormation console and prompts you to create a stack. This stack sets up cross-account IAM roles, designates (but does not create) logging destinations, and lets Cloud NGFW access certificates in your AWS account’s Secrets Manager for decryption.The stack prepopulates the logging destinations for CloudWatch log group and Kinesis Data Firehose delivery stream with a destination calledPaloAltoNetworksCloudNGFW. The S3 Bucket field is not prepopulated. If you want to send the logs to a different destination, you should create that destination and replace the default value the name before you complete stack creation.For an S3 Bucket log destination, you must provide the name of the destination bucket.If you are using a Kinesis Data Firehose, the source for that delivery stream mustDirect PUT.
- Audit Logging(Optional)—you can send audit logs, which track administrator activity, to a Cloudwatch Log Group. The CFT stack includes a default Cloudwatch Log Group destination calledPaloAltoCloudNGFWAuditLog. You can create a Cloudwatch Log Group with the default name value or replace the default value with the name of another Cloudwatch Log Group.
- Permissions for Decryption(Optional)—to use Cloud NGFW to inspect encrypted traffic flows, you must allow Cloud NGFW to retrieve the necessary certificate from the AWS Secrets Manager. You must enable Cloud NGFW to use attribute-based access control by specifying a tag when you launch the CFT stack.By default, the CFT includes the tagPaloAltoCloudNGFW. You can change this tag by configuring the ARN in the service and replacing the default value in the CFT.
Complete this procedure to subscribe with a Cloud NGFW PAYG SaaS Subscription.
- Log in to the AWS Console.
- Navigate to the Cloud NGFW for AWS in the AWS Marketplace.
- ClickSet up product.
- Create a Cloud NGFW account.
- ClickLogin or create vendor account.
- Enter your email address.You must use the same email when you log in to the Cloud NGFW service for the first time. Additionally, upon logging in for the first time, this email address is used to create the first user—a tenant admin. Additionally, the email address domain of users invited by the tenant admin must match the email address domain of the tenant admin’s login credentials.
- Enter yourFirstandLast Name.
- ClickCreate.After you clickCreate, an email is sent to the email address you entered above. Use the provided temporary password to access the Cloud NGFW tenant for the first time.
- Create a new password.
- Enter the temporary password you received via the email address you entered above.
- Enter and re-enter your new password.
- ClickLaunch Template.Cloud NGFW opens the AWS CloudFormation template (CFT) console associated with the AWS account you specified in a new browser tab. If you have a pop-up blocker installed, the new tab might be blocked. In this case, in the Cloud NGFW console, select AWS Accounts and locate the AWS account you just added. Click Pending in the Status column.
- In the Capabilities section at the bottom of the CFT console, checkI acknowledge that AWS CloudFormation might create IAM resources.
- ClickCreate Stack. The CFT associated with the subscription (for example, PaloAltoNetworksCrossAccountRoleSetup) appears.
- ClickLaunch your product.
- Enter your email and password, then clickLog In.
- SelectAWS Accounts.
- Verify that theStatushas changed toSuccess.The Onboarding Status remains in thePendingstate until AWS has finished launching the CFT.
Add Cloud NGFW for AWS Credits to Your Tenant
After setting up your PAYG subscription, you can optionally convert your Cloud NGFW subscription to a Cloud NGFW SaaS contract.
- Log in to the AWS Console.
- Locate the Cloud NGFW Contract Credits listing in the AWS Marketplace.
- After reviewing the product overview information, clickView purchase optionsto continue.
- Configure your software contract.
- Define the length of your contract—12 months,24 months, or36 months.
- Configure Auto Renew—YesorNo.You can configure your SaaS contract to automatically renew at the end of your selected contract period.If you choose not to renew automatically, when your Cloud NGFW for AWS Credits contract expires, your subscription reverts to a standard PAYG subscription.Do not unsubscribe for the Cloud NGFW for AWS Credits subscription during the contract period.
- Enter the number of credits. See Cloud NGFW for AWS Pricing for more information.
- ClickCreate contract.
- Review your Cloud NGFW for AWS Credits contract options and clickPay Nowto complete your contract purchase.
- ClickSet up your accountto complete your Cloud NGFW for AWS Credits contract.
- After logging in to the Cloud NGFW console, you can verify your subscription type and monitor your credit usage.
- Log in to the Cloud NGFW console.
- Select.SettingsSubscription Management
You can onboard multiple AWS accounts onto the same tenant. Once onboarded, you can create firewall resources in multiple accounts. Additionally, you’ll have the ability to deploy Cloud NGFW endpoints across onboarded accounts for the firewall resource in any AWS account.
Your AWS account subscription integrates with an enhanced subscription experience from the AWS Marketplace Service. This integration occurs when you create a Cloud NGFW Tenant; your AWS account links to the Cloud NGFW tenant.
Multiple AWS account subscriptions can be added to the tenant. Cloud NGFW supports up to 200 accounts.
You can onboard multiple AWS accounts (with no new subscription requirements) to the tenant from the Cloud NGFW console, and you create firewall resources in all onboarded AWS accounts in the tenant.
To facilitate ease of use, only one billing account exists in the tenant; if the billing account is unsubscribed from AWS Marketplace, the next billing account for the tenant is dynamically selected. Additional account state changes are introduced to better manage the AWS account life cycle in the tenant. When the last AWS account is unsubscribed from the tenant, it triggers a clean up of tenant resources if there is no active contract attached to the tenant.
10 pending accounts are supported per tenant.
In addition to support for Multi-Account Tenant, Cloud NGFW supports a multi-VPC firewall resource model. With multi-VPC support, you can enable your Cloud NGFW to secure traffic in multiple AWS VPCs. You pay for Cloud NGFW usage for each AWS availability zone for which the NGFW is provisioned to secure traffic.
Endpoint Managementsection of the
Create Firewallpage to manage how endpoints are created for the NGFW in these availability zones. You pay AWS for each VPC (gateway load balancer) endpoint you create for the NGFW.
When using multi-VPC firewall resource, consider the following:
- Multi-VPC firewalls are only supported in Customer Managed Mode.
- Endpoints for a multi-VPC firewall resource may exist in any VPC in any of the successfully onboarded accounts. 50 endpoints are supported for a multi-VPC firewall resource.
- When you disable the multi-VPC feature for a firewall resource, an endpoint can only exist in the Anchor VPC (and Anchor account). The Anchor represents a resilient connection to the availability zone. The Anchor VPC and Anchor Account refer to the VPC and the account associated with the firewall resource at creation time. Communication to the VPC fails if an endpoint exists outside the Anchor Account and VPC.
- When you remove an account from the tenant, all endpoints from multi-VPC firewalls must be removed from the account. The call fails if an endpoint exists in an account that was removed from the tenant.
- When creating endpoints across accounts for a firewall resource, the endpoints should be created in one of the zone IDs that are mapped to the zones defined in the firewall configuration.
- Zone ID names are treated differently in AWS. For separate accounts, use the same zone ID to ensure that the endpoint appears in the correct zone.
- While the account ID is optional for a single account, multiple accounts must use the account ID.
The Zone Name (for example, us-east-la) will have a different mapping to the Zone ID (for example, use1-az4) across different accounts.
You can add cross account roles from your AWS account to the Cloud NGFW Tenant using the AWS Marketplace enhanced subscription experience. This process requires you to add additional IAM permissions and resource deployment. You can also use the Cloud NGFW console to manually add the role ARNs. Cross Account Roles management is supported for incremental additions of the roles.
Cloudformation template update is supported.
For example, the certificate in account1 and the certificate in account2 can be mapped to a rulestack in account3 which could be associated with a firewall resource in account4. In this scenario, all accounts (1-4) must be successfully onboarded.
For AWS accounts that are already onboarded, you can add additional accounts using Multi-Account Tenant. Start by accessing the AWS Marketplace subscription page for your Palo Alto Networks NGFW subscription.
- Access your subscription in AWS Marketplace.
- In Step 1, ensure that your subscription has the necessary AWS administrator permissions.
- In Step 2, link a new or existing vendor account. ClickLogin or create vendor accountto access an existing Cloud NGFW account to link your tenant and enable communication with the AWS Service. ThePalo Alto Networks Cloud NGFWlogin page appears.
- In theWelcomescreen, clickLogin with an Existing Account.
- Enter your login credentials for the Cloud NGFW tenant. After logging in, AWS Marketplace shows that you have successfully linked your vendor account.If a CloudFormation template (CFT) does not exist for your account, of, if you need to configure an existing CFT, see the information at the end of this article for manually adding a CloudFormation template.
- If a CFT exists, move to Step 4 and launch the Cloud NGFW console to continue the configuration. ClickLaunch product.
- Log into the Cloud NGFW console.
- SelectAWS Accounts.
- Choose theAWS Account IDfor which you want to add as a Multi-Account Tenant.
- ClickAdd AWS Account.
- Enter the name of theAWS Accout IDfor the account you want to add to the existing account.
- Log into your AWS account.
- Create a stack using the AWS console; clickCreate Stack on AWS, or, alternately use the AWS CLI.
- SelectI acknowledge that AWS Cloud Formation might create IAM resources with custom names.
- ClickCreate Stack.
- Once the status showsCREATE_COMPLETEcopy theRole ARNfrom theOutputstab in the Cloud NGFW console.
Manually add a CloudFormation template
In some cases you may need to manually add a CloudFormation template (CFT) to an account.
- In the Cloud NGFW console, select the AWS account you want to configure.
- UnderAccount Property, clickCheck Details. This screen provides details you’ll use for the CFT.
- TheAccount Property Detailsscreen provides the necessary information for manually creating a new CFT. To improve your security, generate a new token for the new CFT. ClickGenerate Update Token.
- Use the updated token information, along with the other information in theAccount Property Detailsscreen (External ID, Cloud NGFW Account ID, and SNS Topic ARN) to manually configure the CFT in the AWS console.
- To support the Multi-Account Tenant feature, some functionality was added to the AWS CFT Stack page for your subscription. Locate your subscription in the AWS console, and use the information in theEventstab to monitor that status of a CFT stack.
- Use theOutputstab to display information you’ll use (for example, the key’sEndpointRoleandLogMetricRoleto manually configure the Multi-Account tenant for an existing AWS account in the Cloud NGFW console. Copy this information so you can use it later.
- In the Cloud NGFW console, selectAWS Accounts. Select the account you want to configure, then select theManage Cross Acccount RulesManage option from the drop-down menu.
- In theAccount Property Detailsscreen, enter theEndpoint Rules ArnandLogging Rule Arn. You’ll find this information in theEndpoint Rulesfield located in theOutputstab in the AWS console (CloudFormation > Stacks), then clickCreate.After updating the ARN information in theAccount Detailsscreen, theCloud NGFW AWS Accountspage shows that it has successfully updated the account information.
Recommended For You
Recommended videos not found.