Subscribe to Cloud NGFW for AWS

Complete the following steps to subscribe to the Cloud NGFW service—you can subscribe to a Cloud NGFW Pay-as-you-go (PAYG) SaaS Subscription or add a Cloud NGFW for AWS Credits contract onto your PAYG subscription.
This procedure begins the process of creating your first user—a tenant administrator. A tenant admin is the highest level of user in the Cloud NGFW service. It provides the ability to add AWS accounts to the Cloud NGFW service and onboard additional users.
You must create a Cloud NGFW PAYG SaaS subscription before you can sign up for a Cloud NGFW for AWS Credits contract.

Cloud NGFW PAYG SaaS Subscription

Before you subscribe to and deploy Cloud NGFW for AWS in your AWS environment, you must consider and create the following. During the subscription process, you will be asked to define the parameters described below in a CloudFormation Template (CFT) to complete the initial configuration.
  • Endpoint Configuration (Mandatory)—the cross-account IAM role includes permissions that allow Cloud NGFW to read VPC resource information, which is required for configuring NGFW Endpoints.
  • Endpoint Creation (Optional)—you can configure Cloud NGFW to create and manage NGFW Endpoints in your AWS environment. By selecting Yes, you are giving Cloud NGFW permissions to create and manage the necessary endpoints in your VPCs. If you select No, you must Create and View NGFW Endpoints manually.
  • Permissions for Logging (Optional)—Cloud NGFW allows you to send traffic, threat, and decryption logs to an S3 bucket, CloudWatch Log Group, or Kinesis Data Firehose. For Cloud NGFW to send those logs to the intended destination, you must provide the necessary permissions.
    The Cloud NGFW console redirects you to the AWS CloudFormation console and prompts you to create a stack. This stack sets up cross-account IAM roles, designates (but does not create) logging destinations, and lets Cloud NGFW access certificates in your AWS account’s Secrets Manager for decryption.
    The stack prepopulates the logging destinations for CloudWatch log group and Kinesis Data Firehose delivery stream with a destination called PaloAltoNetworksCloudNGFW. The S3 Bucket field is not prepopulated. If you want to send the logs to a different destination, you should create that destination and replace the default value with its name before you complete stack creation.
    For an S3 Bucket log destination, you must provide the name of the destination bucket.
    If you are using a Kinesis Data Firehose, the source for that delivery stream must be Direct PUT.
  • Audit Logging (Optional)—you can send audit logs, which track administrator activity, to a CloudWatch Log Group. The CFT stack includes a default CloudWatch Log Group destination called PaloAltoCloudNGFWAuditLog. You can create a CloudWatch Log Group with the default name value or replace the default value with the name of another CloudWatch Log Group.
  • Permissions for Decryption (Optional)—to use Cloud NGFW to inspect encrypted traffic flows, you must allow Cloud NGFW to retrieve the necessary certificate from the AWS Secrets Manager. You must enable Cloud NGFW to use attribute-based access control by specifying a tag when you launch the CFT stack.
    By default, the CFT includes the tag PaloAltoCloudNGFW. You can change this tag by configuring the ARN in the service and replacing the default value in the CFT.
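Because the stack designates logging destinations without creating them, it helps to confirm they exist before you launch the template. The following pre-flight check is an added example, not part of the Cloud NGFW product or its CFT; the plan keys (log_group, firehose, s3_bucket, audit_log_group) are hypothetical names, and the sample data is constructed in the shape returned by the AWS CLI describe and list commands.

```python
# Added example: check planned log destinations against AWS describe output.
# Default destination names as given on this page.
DEFAULT_LOG_DEST = "PaloAltoNetworksCloudNGFW"
DEFAULT_AUDIT_GROUP = "PaloAltoCloudNGFWAuditLog"


def preflight(plan, log_groups, streams, buckets):
    """Return problems found in `plan` (hypothetical keys, None = unused).

    log_groups: parsed `aws logs describe-log-groups` output
    streams:    parsed `aws firehose describe-delivery-stream` outputs (list)
    buckets:    parsed `aws s3api list-buckets` output
    """
    groups = {g["logGroupName"] for g in log_groups["logGroups"]}
    types = {}
    for s in streams:
        d = s["DeliveryStreamDescription"]
        types[d["DeliveryStreamName"]] = d["DeliveryStreamType"]
    names = {b["Name"] for b in buckets["Buckets"]}
    problems = []

    # The stack only designates destinations, so each one must already exist.
    for key in ("log_group", "audit_log_group"):
        if plan.get(key) and plan[key] not in groups:
            problems.append(f"{key}: log group {plan[key]!r} not found")
    stream = plan.get("firehose")
    if stream and stream not in types:
        problems.append(f"firehose: delivery stream {stream!r} not found")
    elif stream and types[stream] != "DirectPut":
        problems.append(f"firehose: {stream!r} source is {types[stream]}, need DirectPut")
    # The S3 field has no default; an empty string means it was left blank.
    if "s3_bucket" in plan and plan["s3_bucket"] is not None:
        if not plan["s3_bucket"]:
            problems.append("s3_bucket: no default value, bucket name required")
        elif plan["s3_bucket"] not in names:
            problems.append(f"s3_bucket: bucket {plan['s3_bucket']!r} not found")
    return problems


# Constructed sample data in the shape the AWS CLI returns.
SAMPLE_GROUPS = {"logGroups": [{"logGroupName": DEFAULT_LOG_DEST}]}
SAMPLE_STREAMS = [{"DeliveryStreamDescription": {
    "DeliveryStreamName": DEFAULT_LOG_DEST,
    "DeliveryStreamType": "KinesisStreamAsSource"}}]
SAMPLE_BUCKETS = {"Buckets": [{"Name": "example-ngfw-logs"}]}
SAMPLE_PLAN = {"log_group": DEFAULT_LOG_DEST, "firehose": DEFAULT_LOG_DEST,
               "s3_bucket": "", "audit_log_group": DEFAULT_AUDIT_GROUP}

if __name__ == "__main__":
    for p in preflight(SAMPLE_PLAN, SAMPLE_GROUPS, SAMPLE_STREAMS, SAMPLE_BUCKETS):
        print(p)
```

With the constructed sample, the check reports the missing audit log group, the delivery stream whose source is not Direct PUT, and the blank S3 bucket field.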
Complete this procedure to subscribe with a Cloud NGFW PAYG SaaS Subscription.
  1. Log in to the AWS Console.
  2. Navigate to the Cloud NGFW for AWS in the AWS Marketplace.
  3. Click Subscribe.
  4. Click Set up product.
  5. Create a Cloud NGFW account.
    1. Click Login or create vendor account.
    2. Enter your email address.
      You must use the same email when you log in to the Cloud NGFW service for the first time. At that first login, this email address is used to create the first user—a tenant admin. In addition, the email address domain of users invited by the tenant admin must match the email address domain of the tenant admin’s login credentials.
    3. Enter your First and Last Name.
    4. Click Create.
      After you click Create, an email is sent to the email address you entered above. Use the provided temporary password to access the Cloud NGFW tenant for the first time.
  6. Create a new password.
    1. Enter the temporary password you received via the email address you entered above.
    2. Enter and re-enter your new password.
    3. Click Create.
  7. Click Launch Template.
    In a new browser tab, Cloud NGFW opens the AWS CloudFormation template (CFT) console associated with the AWS account you specified. If you have a pop-up blocker installed, the new tab might be blocked. In this case, in the Cloud NGFW console, select AWS Accounts and locate the AWS account you just added. Click Pending in the Status column.
  8. In the Capabilities section at the bottom of the CFT console, check I acknowledge that AWS CloudFormation might create IAM resources.
  9. Click Create Stack. The CFT associated with the subscription (for example, PaloAltoNetworksCrossAccountRoleSetup) appears.
  10. Click Launch your product.
    1. Enter your email and password, then click Log In.
    2. Select AWS Accounts.
    3. Verify that the Status has changed to Success.
      The Onboarding Status remains in the Pending state until AWS has finished launching the CFT.

Add Cloud NGFW for AWS Credits to Your Tenant

After setting up your PAYG subscription, you can optionally convert your Cloud NGFW subscription to a Cloud NGFW SaaS contract.
  1. Log in to the AWS Console.
  2. Locate the Cloud NGFW Contract Credits listing in the AWS Marketplace.
  3. After reviewing the product overview information, click View purchase options to continue.
  4. Configure your software contract.
    1. Define the length of your contract—12 months, 24 months, or 36 months.
    2. Configure Auto Renew—Yes or No.
      You can configure your SaaS contract to automatically renew at the end of your selected contract period.
      If you choose not to renew automatically, when your Cloud NGFW for AWS Credits contract expires, your subscription reverts to a standard PAYG subscription.
      Do not unsubscribe from the Cloud NGFW for AWS Credits subscription during the contract period.
    3. Enter the number of credits. See Cloud NGFW for AWS Pricing for more information.
    4. Click Create contract.
  5. Review your Cloud NGFW for AWS Credits contract options and click Pay Now to complete your contract purchase.
  6. Click Set up your account to complete your Cloud NGFW for AWS Credits contract.
  7. After logging in to the Cloud NGFW console, you can verify your subscription type and monitor your credit usage.
    1. Log in to the Cloud NGFW console.
    2. Select Settings > Subscription Management.
