Subscribe to Cloud NGFW for AWS

Complete the following steps to subscribe to the Cloud NGFW service—you can subscribe to a Cloud NGFW Pay-as-you-go (PAYG) SaaS Subscription or add a Cloud NGFW for AWS Credits contract onto your PAYG subscription.
This procedure begins the process of creating your first user—a tenant administrator. A tenant admin is the highest level of user in the Cloud NGFW service. It provides the ability to add AWS accounts to the Cloud NGFW service and onboard additional users.
You must create a Cloud NGFW PAYG SaaS subscription before you can sign up for a Cloud NGFW for AWS Credits contract.

Cloud NGFW PAYG SaaS Subscription

Before you subscribe to and deploy Cloud NGFW for AWS in your AWS environment, you must consider and create the following. During the subscription process, you will be asked to define the parameters described below in a CloudFormation Template (CFT) to complete the complete the initial configuration.
  • Endpoint Configuration
    )—the cross-account IAM role includes permissions that allows Cloud NGFW to read VPC resource information, which is required for configuring NGFW Endpoints.
  • Endpoint Creation
    )—you can configure Cloud NGFW to create and manage NGFW Endpoints in your AWS environment. By selecting
    , you are giving Cloud NGFW permissions to create and manage the necessary endpoints in your VPCs. If you select
    , you must Create and View NGFW Endpoints manually.
  • Permissions for Logging
    )—Cloud NGFW allows you to send traffic, threat, and decryption logs to an S3 bucket, Cloudwatch Log Group, or Kinesis Data Firehose. For Cloud NGFW to send those logs to the intended destination, you must provide the necessary permissions.
    The Cloud NGFW console redirects you to the AWS CloudFormation console and prompts you to create a stack. This stack sets up cross-account IAM roles, designates (but does not create) logging destinations, and lets Cloud NGFW access certificates in your AWS account’s Secrets Manager for decryption.
    The stack prepopulates the logging destinations for CloudWatch log group and Kinesis Data Firehose delivery stream with a destination called
    . The S3 Bucket field is not prepopulated. If you want to send the logs to a different destination, you should create that destination and replace the default value the name before you complete stack creation.
    For an S3 Bucket log destination, you must provide the name of the destination bucket.
    If you are using a Kinesis Data Firehose, the source for that delivery stream must
    Direct PUT
  • Audit Logging
    )—you can send audit logs, which track administrator activity, to a Cloudwatch Log Group. The CFT stack includes a default Cloudwatch Log Group destination called
    . You can create a Cloudwatch Log Group with the default name value or replace the default value with the name of another Cloudwatch Log Group.
  • Permissions for Decryption
    )—to use Cloud NGFW to inspect encrypted traffic flows, you must allow Cloud NGFW to retrieve the necessary certificate from the AWS Secrets Manager. You must enable Cloud NGFW to use attribute-based access control by specifying a tag when you launch the CFT stack.
    By default, the CFT includes the tag
    . You can change this tag by configuring the ARN in the service and replacing the default value in the CFT.
Complete this procedure to subscribe with a Cloud NGFW PAYG SaaS Subscription.
  1. Log in to the AWS Console.
  2. Navigate to the Cloud NGFW for AWS in the AWS Marketplace.
  3. Click
  4. Click
    Set up product
  5. Create a Cloud NGFW account.
    1. Click
      Login or create vendor account
    2. Enter your email address.
      You must use the same email when you log in to the Cloud NGFW service for the first time. Additionally, upon logging in for the first time, this email address is used to create the first user—a tenant admin. Additionally, the email address domain of users invited by the tenant admin must match the email address domain of the tenant admin’s login credentials.
    3. Enter your
      Last Name
    4. Click
      After you click
      , an email is sent to the email address you entered above. Use the provided temporary password to access the Cloud NGFW tenant for the first time.
  6. Create a new password.
    1. Enter the temporary password you received via the email address you entered above.
    2. Enter and re-enter your new password.
    3. Click
  7. Click
    Launch Template
    Cloud NGFW opens the AWS CloudFormation template (CFT) console associated with the AWS account you specified in a new browser tab. If you have a pop-up blocker installed, the new tab might be blocked. In this case, in the Cloud NGFW console, select AWS Accounts and locate the AWS account you just added. Click Pending in the Status column.
  8. In the Capabilities section at the bottom of the CFT console, check
    I acknowledge that AWS CloudFormation might create IAM resources
  9. Click
    Create Stack
    . The CFT associated with the subscription (for example, PaloAltoNetworksCrossAccountRoleSetup) appears.
  10. Click
    Launch your product
    1. Enter your email and password, then click
      Log In
    2. Select
      AWS Accounts
    3. Verify that the
      has changed to
      The Onboarding Status remains in the
      state until AWS has finished launching the CFT.

Add Cloud NGFW for AWS Credits to Your Tenant

After setting up your PAYG subscription, you can optionally convert your Cloud NGFW subscription to a Cloud NGFW SaaS contract.
  1. Log in to the AWS Console.
  2. Locate the Cloud NGFW Contract Credits listing in the AWS Marketplace.
  3. After reviewing the product overview information, click
    View purchase options
    to continue.
  4. Configure your software contract.
    1. Define the length of your contract—
      12 months
      24 months
      , or
      36 months
    2. Configure Auto Renew—
      You can configure your SaaS contract to automatically renew at the end of your selected contract period.
      If you choose not to renew automatically, when your Cloud NGFW for AWS Credits contract expires, your subscription reverts to a standard PAYG subscription.
      Do not unsubscribe for the Cloud NGFW for AWS Credits subscription during the contract period.
    3. Enter the number of credits. See Cloud NGFW for AWS Pricing for more information.
    4. Click
      Create contract
  5. Review your Cloud NGFW for AWS Credits contract options and click
    Pay Now
    to complete your contract purchase.
  6. Click
    Set up your account
    to complete your Cloud NGFW for AWS Credits contract.
  7. After logging in to the Cloud NGFW console, you can verify your subscription type and monitor your credit usage.
    1. Log in to the Cloud NGFW console.
    2. Select
      Subscription Management

Add Multiple AWS Accounts

You can onboard multiple AWS accounts onto the same tenant. Once onboarded, you can create firewall resources in multiple accounts. Additionally, you’ll have the ability to deploy Cloud NGFW endpoints across onboarded accounts for the firewall resource in any AWS account.
Your AWS account subscription integrates with an enhanced subscription experience from the AWS Marketplace Service. This integration occurs when you create a Cloud NGFW Tenant; your AWS account links to the Cloud NGFW tenant.
Multiple AWS account subscriptions can be added to the tenant. Cloud NGFW supports up to 200 accounts.
You can onboard multiple AWS accounts (with no new subscription requirements) to the tenant from the Cloud NGFW console, and you create firewall resources in all onboarded AWS accounts in the tenant.
To facilitate ease of use, only one billing account exists in the tenant; if the billing account is unsubscribed from AWS Marketplace, the next billing account for the tenant is dynamically selected. Additional account state changes are introduced to better manage the AWS account life cycle in the tenant. When the last AWS account is unsubscribed from the tenant, it triggers a clean up of tenant resources if there is no active contract attached to the tenant.
10 pending accounts are supported per tenant.
In addition to support for Multi-Account Tenant, Cloud NGFW supports a multi-VPC firewall resource model. With multi-VPC support, you can enable your Cloud NGFW to secure traffic in multiple AWS VPCs. You pay for Cloud NGFW usage for each AWS availability zone for which the NGFW is provisioned to secure traffic.
Use the
Endpoint Management
section of the
Create Firewall
page to manage how endpoints are created for the NGFW in these availability zones. You pay AWS for each VPC (gateway load balancer) endpoint you create for the NGFW.
When using multi-VPC firewall resource, consider the following:
  • Multi-VPC firewalls are only supported in Customer Managed Mode.
  • Endpoints for a multi-VPC firewall resource may exist in any VPC in any of the successfully onboarded accounts. 50 endpoints are supported for a multi-VPC firewall resource.
  • When you disable the multi-VPC feature for a firewall resource, an endpoint can only exist in the Anchor VPC (and Anchor account). The Anchor represents a resilient connection to the availability zone. The Anchor VPC and Anchor Account refer to the VPC and the account associated with the firewall resource at creation time. Communication to the VPC fails if an endpoint exists outside the Anchor Account and VPC.
  • When you remove an account from the tenant, all endpoints from multi-VPC firewalls must be removed from the account. The call fails if an endpoint exists in an account that was removed from the tenant.
  • When creating endpoints across accounts for a firewall resource, the endpoints should be created in one of the zone IDs that are mapped to the zones defined in the firewall configuration.
  • Zone ID names are treated differently in AWS. For separate accounts, use the same zone ID to ensure that the endpoint appears in the correct zone.
  • While the account ID is optional for a single account, multiple accounts must use the account ID.
The Zone Name (for example, us-east-la) will have a different mapping to the Zone ID (for example, use1-az4) across different accounts.
You can add cross account roles from your AWS account to the Cloud NGFW Tenant using the AWS Marketplace enhanced subscription experience. This process requires you to add additional IAM permissions and resource deployment. You can also use the Cloud NGFW console to manually add the role ARNs. Cross Account Roles management is supported for incremental additions of the roles.
Cloudformation template update is supported.
For example, the certificate in account1 and the certificate in account2 can be mapped to a rulestack in account3 which could be associated with a firewall resource in account4. In this scenario, all accounts (1-4) must be successfully onboarded.
For AWS accounts that are already onboarded, you can add additional accounts using Multi-Account Tenant. Start by accessing the AWS Marketplace subscription page for your Palo Alto Networks NGFW subscription.
  1. Access your subscription in AWS Marketplace.
  2. In Step 1, ensure that your subscription has the necessary AWS administrator permissions.
  3. In Step 2, link a new or existing vendor account. Click
    Login or create vendor account
    to access an existing Cloud NGFW account to link your tenant and enable communication with the AWS Service. The
    Palo Alto Networks Cloud NGFW
    login page appears.
  4. In the
    screen, click
    Login with an Existing Account
  5. Enter your login credentials for the Cloud NGFW tenant. After logging in, AWS Marketplace shows that you have successfully linked your vendor account.
    If a CloudFormation template (CFT) does not exist for your account, of, if you need to configure an existing CFT, see the information at the end of this article for manually adding a CloudFormation template.
  6. If a CFT exists, move to Step 4 and launch the Cloud NGFW console to continue the configuration. Click
    Launch product
  7. Log into the Cloud NGFW console.
  8. Select
    AWS Accounts
  9. Choose the
    AWS Account ID
    for which you want to add as a Multi-Account Tenant.
  10. Click
    Add AWS Account
  11. Enter the name of the
    AWS Accout ID
    for the account you want to add to the existing account.
  12. Log into your AWS account.
  13. Create a stack using the AWS console; click
    Create Stack on AWS
    , or, alternately use the AWS CLI.
  14. Select
    I acknowledge that AWS Cloud Formation might create IAM resources with custom names
  15. Click
    Create Stack
  16. Once the status shows
    copy the
    Role ARN
    from the
    tab in the Cloud NGFW console.

Manually add a CloudFormation template

In some cases you may need to manually add a CloudFormation template (CFT) to an account.
  1. In the Cloud NGFW console, select the AWS account you want to configure.
  2. Under
    Account Property
    , click
    Check Details
    . This screen provides details you’ll use for the CFT.
  3. The
    Account Property Details
    screen provides the necessary information for manually creating a new CFT. To improve your security, generate a new token for the new CFT. Click
    Generate Update Token
  4. Use the updated token information, along with the other information in the
    Account Property Details
    screen (External ID, Cloud NGFW Account ID, and SNS Topic ARN) to manually configure the CFT in the AWS console.
  5. To support the Multi-Account Tenant feature, some functionality was added to the AWS CFT Stack page for your subscription. Locate your subscription in the AWS console, and use the information in the
    tab to monitor that status of a CFT stack.
  6. Use the
    tab to display information you’ll use (for example, the key’s
    to manually configure the Multi-Account tenant for an existing AWS account in the Cloud NGFW console. Copy this information so you can use it later.
  7. In the Cloud NGFW console, select
    AWS Accounts
    . Select the account you want to configure, then select the
    Manage Cross Acccount Rules
    Manage option from the drop-down menu.
  8. In the
    Account Property Details
    screen, enter the
    Endpoint Rules Arn
    Logging Rule Arn
    . You’ll find this information in the
    Endpoint Rules
    field located in the
    tab in the AWS console (
    CloudFormation > Stacks
    ), then click
    After updating the ARN information in the
    Account Details
    screen, the
    Cloud NGFW AWS Accounts
    page shows that it has successfully updated the account information.

Recommended For You