: Subscribe to Cloud NGFW for AWS

Subscribe to Cloud NGFW for AWS

Table of Contents

Subscribe to Cloud NGFW for AWS

Learn how to subscribe and add users to your Cloud NGFW for AWS deployment.
Complete the following steps to subscribe to the Cloud NGFW service—you can subscribe to a Cloud NGFW Pay-as-you-go (PAYG) SaaS Subscription.
This procedure begins the process of creating your first user—a tenant administrator. A tenant admin is the highest level of user in the Cloud NGFW service. It provides the ability to add AWS accounts to the Cloud NGFW service and onboard additional users.
You must create a Cloud NGFW PAYG SaaS subscription before you can sign up for a Cloud NGFW for AWS Credits contract.

Cloud NGFW PAYG SaaS Subscription

Before you subscribe to and deploy Cloud NGFW for AWS in your AWS environment, you must consider and create the following. During the subscription process, you will be asked to define the parameters described below in a CloudFormation Template (CFT) to complete the complete the initial configuration.
  • Endpoint Configuration
    )—the cross-account IAM role includes permissions that allows Cloud NGFW to read VPC resource information, which is required for configuring NGFW Endpoints.
  • Endpoint Creation
    )—you can configure Cloud NGFW to create and manage NGFW Endpoints in your AWS environment. By selecting
    , you are giving Cloud NGFW permissions to create and manage the necessary endpoints in your VPCs. If you select
    , you must Create and View NGFW Endpoints manually.
  • Permissions for Logging
    )—Cloud NGFW allows you to send traffic, threat, and decryption logs to an S3 bucket, Cloudwatch Log Group, or Kinesis Data Firehose. For Cloud NGFW to send those logs to the intended destination, you must provide the necessary permissions.
    The Cloud NGFW console redirects you to the AWS CloudFormation console and prompts you to create a stack. This stack sets up cross-account IAM roles, designates (but does not create) logging destinations, and lets Cloud NGFW access certificates in your AWS account’s Secrets Manager for decryption.
    The stack prepopulates the logging destinations for CloudWatch log group and Kinesis Data Firehose delivery stream with a destination called
    . The S3 Bucket field is not prepopulated. If you want to send the logs to a different destination, you should create that destination and replace the default value the name before you complete stack creation.
    For an S3 Bucket log destination, you must provide the name of the destination bucket.
    If you are using a Kinesis Data Firehose, the source for that delivery stream must
    Direct PUT
  • Audit Logging
    )—you can send audit logs, which track administrator activity, to a Cloudwatch Log Group. The CFT stack includes a default Cloudwatch Log Group destination called
    . You can create a Cloudwatch Log Group with the default name value or replace the default value with the name of another Cloudwatch Log Group.
  • Permissions for Decryption
    )—to use Cloud NGFW to inspect encrypted traffic flows, you must allow Cloud NGFW to retrieve the necessary certificate from the AWS Secrets Manager. You must enable Cloud NGFW to use attribute-based access control by specifying a tag when you launch the CFT stack.
    By default, the CFT includes the tag
    . You can change this tag by configuring the ARN in the service and replacing the default value in the CFT.
Complete this procedure to subscribe with a Cloud NGFW PAYG SaaS Subscription.
  1. Log in to the AWS Console.
  2. Navigate to the Cloud NGFW for AWS in the AWS Marketplace.
  3. Click
  4. Click
    Set up product
    . This launches the Configure and Launch (
    SaaS Quick Launch
    ) page in AWS Marketplace. Palo Alto Networks has enabled its Cloud NGFW products with quick launch and you can now create and deploy a new tenant using the quick launch.
  5. Click
    Enable integration
    on the Configure and Launch page of the quick launch to ensure that you have the required IAM permissions from AWS.
    If you are a new user, the Enable integration button automatically appears in the Step 1 of the Configure and Launch page.
  6. Click
    Login or create an account
    button to either sign in to an existing account or to create a new account on the vendor website. This takes you to a Create Tenant registration page of the Cloud NGFW for AWS Tenant.
    1. If you are a
      new user
      , you will need to create a Cloud NGFW account. Enter your email address.
      You must use the same email when you log in to the Cloud NGFW service for the first time. Additionally, upon logging in for the first time, this email address is used to create the first user—a tenant admin. Additionally, the email address domain of users invited by the tenant admin must match the email address domain of the tenant admin’s login credentials.
    2. Enter your
      Last Name
    3. Click
      After you click
      , an email with an activation button is sent to the email address you entered above.
    4. Click the
      Activate Account
      button in the email you received.
      The link is active for 7 days. If you don't click the link within 7 days, you will need to request for activation mail to be resent.
    5. Enter and re-enter your new password.
    6. Click
      Create My Account
    7. Configure your multifactor authentication (MFA).
      If you have not registered to MFA, but know your SSO password, you are prompted to register to MFA on your first login to any of the applications. To reset MFA, raise a support ticket.
    8. Choose one of the MFA methods and click
    9. Complete the MFA verification process —For example, If you click the Setup button for Email Authentication, you will be prompted to click the
      Send me the code button
      . On clicking, you will receive an email with the verification code. Enter the verification code and click
      . Alternatively, you may choose to complete the MFA verification process using Okta Verify, Security Key or Biometric Authenticator or the Google Authenticator.
    10. Sign in to the Tenant with your registered email and password and click
      Continue to Finish Subscription
    11. The quick launch page now shows that you have successfully linked your account to the AWS Marketplace subscription.
    1.  If you are an existing user and have not registered to SSO, but wish to create a new tenant using the same email id, you will receive an activation email after logging into the tenant. Follow steps 6d to 6k to register your tenant.
      If you are an existing user on Cloud NGFW, but not a Tenant Admin, then MFA is currently not available. You will continue to login without being prompted for MFA registration.
    2. If you are an existing user who has registered to SSO and wish to create a new tenant using the same email id, you will be prompted to select a Tenant and click
  7. Click
    Launch Template
    and select the CFT region and create roles and permissions for your tenant.
    Cloud NGFW opens the AWS CloudFormation template (CFT) console associated with the AWS account you specified in a new browser tab. If you have a pop-up blocker installed, the new tab might be blocked. In this case, in the Cloud NGFW console, select AWS Accounts and locate the AWS account you just added. Click
    in the
  8. In the Capabilities section at the bottom of the CFT console, check
    I acknowledge that AWS CloudFormation might create IAM resources
  9. Click
    Create Stack
    . The CFT associated with the subscription (for example, PaloAltoNetworksCrossAccountRoleSetup) appears.
  10. Click
    Launch your product
    1. Enter your email and password, then click
      Log In
    2. Select
      AWS Accounts
    3. Verify that the
      has changed to
      The Onboarding Status remains in the
      state until AWS has finished launching the CFT.
    SAML 2.0 can be used as an identity provider for Cloud NGFW for AWS. For more information, see Manage Third Party Identity Provider Integrations Through Common Services and How To Enable a Third-Party Identity Provider (IDP).

Secure Your Current Cloud NGFW Access Using SSO and MFA

Use the information in this section to migrate an existing cognito user to SSO. If you are an existing user of Cloud NGFW for AWS, you need to register for additional security measures, such as SSO and MFA for an existing tenant (by activating the user email with SSO+MFA), in order to login and access existing tenants.
  1. Enter the
    address with which you have registered to AWS Cloud NGFW and click
    Log in.
  2. Enter the password and click
    Log in
  3. You will be prompted to register to Palo Alto Networks Single Sign-On (SSO).
  4. Click
    to continue with registering to SSO. Alternatively, you may choose to click
    Register Later
    to continue with your previous login credentials. However, you will be prompted to register to SSO each time you try to login.
  5. You will receive an email with instructions to register to SSO. Follow the instructions and complete the registration to SSO and MFA as described above.
  6. Click
  7. During your next login, you will be prompted with the
    Enable and Log Out
    button to log back in using SSO.
  8. Enter your
    address and click Log in. You will be prompted with the SSO Sign In page.
  9. Enter your email address and click
  10. Enter the password and click
    Log In
  11. Complete the MFA verification process. You will now be able to access the Cloud NGFW tenant page after logging in with your SSO credentials.

Add Cloud NGFW for AWS Credits to Your Tenant

After setting up your PAYG subscription, you can optionally convert your Cloud NGFW subscription to a Cloud NGFW SaaS contract.
  1. Log in to the AWS Console.
  2. Locate the Cloud NGFW Contract Credits listing in the AWS Marketplace.
  3. After reviewing the product overview information, click
    View purchase options
    to continue.
  4. Configure your software contract.
    1. Define the length of your contract—
      12 months
      24 months
      , or
      36 months
    2. Configure Auto Renew—
      You can configure your SaaS contract to automatically renew at the end of your selected contract period.
      If you choose not to renew automatically, when your Cloud NGFW for AWS Credits contract expires, your subscription reverts to a standard PAYG subscription.
      Do not unsubscribe for the Cloud NGFW for AWS Credits subscription during the contract period.
    3. Enter the number of credits. See Cloud NGFW for AWS Pricing for more information.
    4. Click
      Create contract
  5. Review your Cloud NGFW for AWS Credits contract options and click
    Pay Now
    to complete your contract purchase.
  6. Click
    Set up your account
    to complete your Cloud NGFW for AWS Credits contract.
  7. After logging in to the Cloud NGFW console, you can verify your subscription type and monitor your credit usage.
    1. Log in to the Cloud NGFW console.
    2. Select
      Subscription Management

Multi Tenant User of a Single User Supported on Multiple Tenants

The Cloud NGFW for AWS supports single login credentials for multiple tenants. When you log into the Cloud NGFW console, login credentials are used to associate the user with the appropriate tenant. If the same login credentials are used for multiple tenants, the login page prompts you to select the tenant you want to configure.
After logging in to the Cloud NGFW, use the drop-down menu to select the appropriate tenant, then click
The table below illustrates use cases for multi-tenant scenarios:
Use case
User A has already registered to tenant A and user A is being invited to tenant B.
You will not receive an activation email.
User A has already registered to tenant A and subscribes to a new tenant through the AWS Marketplace subscription.
You will not receive an activation email.

Add Multiple AWS Accounts

You can onboard multiple AWS accounts onto the same tenant. Once onboarded, you can create firewall resources in multiple accounts. Additionally, you’ll have the ability to deploy Cloud NGFW endpoints across onboarded accounts for the firewall resource in any AWS account.
Your AWS account subscription integrates with an enhanced subscription experience from the AWS Marketplace Service. This integration occurs when you create a Cloud NGFW Tenant; your AWS account links to the Cloud NGFW tenant.
Multiple AWS account subscriptions can be added to the tenant. Cloud NGFW supports up to 200 accounts.
You can onboard multiple AWS accounts (with no new subscription requirements) to the tenant from the Cloud NGFW console, and you create firewall resources in all onboarded AWS accounts in the tenant.
To facilitate ease of use, only one billing account exists in the tenant; if the billing account is unsubscribed from AWS Marketplace, the next billing account for the tenant is dynamically selected. Additional account state changes are introduced to better manage the AWS account life cycle in the tenant. When the last AWS account is unsubscribed from the tenant, it triggers a clean up of tenant resources if there is no active contract attached to the tenant.
10 pending accounts are supported per tenant.
In addition to support for Multi-Account Tenant, Cloud NGFW supports a multi-VPC firewall resource model. With multi-VPC support, you can enable your Cloud NGFW to secure traffic in multiple AWS VPCs. You pay for Cloud NGFW usage for each AWS availability zone for which the NGFW is provisioned to secure traffic.
Use the
Endpoint Management
section of the
Create Firewall
page to manage how endpoints are created for the NGFW in these availability zones. You pay AWS for each VPC (gateway load balancer) endpoint you create for the NGFW.
When using multi-VPC firewall resource, consider the following:
  • Multi-VPC firewalls are only supported in Customer Managed Mode.
  • Endpoints for a multi-VPC firewall resource may exist in any VPC in any of the successfully onboarded accounts. 50 endpoints are supported for a multi-VPC firewall resource.
  • When you disable the multi-VPC feature for a firewall resource, an endpoint can only exist in the Anchor VPC (and Anchor account). The Anchor represents a resilient connection to the availability zone. The Anchor VPC and Anchor Account refer to the VPC and the account associated with the firewall resource at creation time. Communication to the VPC fails if an endpoint exists outside the Anchor Account and VPC.
  • When you remove an account from the tenant, all endpoints from multi-VPC firewalls must be removed from the account. The call fails if an endpoint exists in an account that was removed from the tenant.
  • When creating endpoints across accounts for a firewall resource, the endpoints should be created in one of the zone IDs that are mapped to the zones defined in the firewall configuration.
  • Zone ID names are treated differently in AWS. For separate accounts, use the same zone ID to ensure that the endpoint appears in the correct zone.
  • While the account ID is optional for a single account, multiple accounts must use the account ID.
The Zone Name (for example, us-east-la) will have a different mapping to the Zone ID (for example, use1-az4) across different accounts.
You can add cross account roles from your AWS account to the Cloud NGFW Tenant using the AWS Marketplace enhanced subscription experience. This process requires you to add additional IAM permissions and resource deployment. You can also use the Cloud NGFW console to manually add the role ARNs. Cross Account Roles management is supported for incremental additions of the roles.
Cloudformation template update is supported.
For example, the certificate in account1 and the certificate in account2 can be mapped to a rulestack in account3 which could be associated with a firewall resource in account4. In this scenario, all accounts (1-4) must be successfully onboarded.
For AWS accounts that are already onboarded, you can add additional accounts using Multi-Account Tenant. Start by accessing the AWS Marketplace subscription page for your Palo Alto Networks NGFW subscription.
  1. Access your subscription in AWS Marketplace.
  2. In Step 1, ensure that your subscription has the necessary AWS administrator permissions.
  3. In Step 2, link a new or existing vendor account. Click
    Login or create vendor account
    to access an existing Cloud NGFW account to link your tenant and enable communication with the AWS Service. The
    Palo Alto Networks Cloud NGFW
    login page appears.
  4. In the
    screen, click
    Login with an Existing Account
  5. Enter your login credentials for the Cloud NGFW tenant. After logging in, AWS Marketplace shows that you have successfully linked your vendor account.
    If a CloudFormation template (CFT) does not exist for your account, of, if you need to configure an existing CFT, see the information at the end of this article for manually adding a CloudFormation template.
  6. If a CFT exists, move to Step 4 and launch the Cloud NGFW console to continue the configuration. Click
    Launch product
  7. Log into the Cloud NGFW console.
  8. Select
    AWS Accounts
  9. Choose the
    AWS Account ID
    for which you want to add as a Multi-Account Tenant.
  10. Click
    Add AWS Account
  11. Enter the name of the
    AWS Accout ID
    for the account you want to add to the existing account.
  12. Log into your AWS account.
  13. Create a stack using the AWS console; click
    Create Stack on AWS
    , or, alternately use the AWS CLI.
  14. Select
    I acknowledge that AWS Cloud Formation might create IAM resources with custom names
  15. Click
    Create Stack
  16. Once the status shows
    copy the Role ARN
    from the
    tab in the AWS console.
  17. Add the Role ARN values to the Cloud NGFW tenant console.
    1. Return the Cloud NGFW tenant console.
    2. In the Cloud NGFW tenant console, select
      AWS Accounts
    3. Select the radio button of the AWS account you are adding and select
      Manage Cross Account Roles
      from the
    4. Paste the Role ARN values from the previous step into the corresponding fields.
    5. Click

Manually add a CloudFormation Template

In some cases you may need to manually add a CloudFormation template (CFT) to an account.
  1. In the Cloud NGFW console, select the AWS account you want to configure.
  2. Under
    Account Property
    , click
    Check Details
    . This screen provides details you’ll use for the CFT.
  3. The
    Account Property Details
    screen provides the necessary information for manually creating a new CFT. To improve your security, generate a new token for the new CFT. Click
    Generate Update Token
  4. Use the updated token information, along with the other information in the
    Account Property Details
    screen (External ID, Cloud NGFW Account ID, and SNS Topic ARN) to manually configure the CFT in the AWS console.
  5. To support the Multi-Account Tenant feature, some functionality was added to the AWS CFT Stack page for your subscription. Locate your subscription in the AWS console, and use the information in the
    tab to monitor that status of a CFT stack.
  6. Use the
    tab to display information you’ll use (for example, the key’s
    to manually configure the Multi-Account tenant for an existing AWS account in the Cloud NGFW console. Copy this information so you can use it later.
  7. In the Cloud NGFW console, select
    AWS Accounts
    . Select the account you want to configure, then select the
    Manage Cross Acccount Rules
    Manage option from the drop-down menu.
  8. In the
    Account Property Details
    screen, enter the
    Endpoint Rules Arn
    Logging Rule Arn
    , and
    Network Monitoring Role Arn
    . You’ll find this information in the
    Endpoint Rules
    field located in the
    tab in the AWS console (
    CloudFormation > Stacks
    ), then click
    After updating the ARN information in the
    Account Details
    screen, the
    Cloud NGFW AWS Accounts
    page shows that it has successfully updated the account information.

Recommended For You