Security Features
Table of Contents
Expand all | Collapse all
-
- About Cloud NGFW for AWS
- Getting Started from the AWS Marketplace
- Register Your Cloud NGFW Tenant with a Palo Alto Networks Support Account
- Cloud NGFW for AWS Pricing
- Cloud NGFW Credit Distribution and Management
- Cloud NGFW for AWS Free Trial
- Cloud NGFW for AWS Limits and Quotas
- Subscribe to Cloud NGFW for AWS
- Locate Your Cloud NGFW for AWS Serial Number
- Cross-Account Role CFT Permissions for Cloud NGFW
- Invite Users to Cloud NGFW for AWS
- Manage Cloud NGFW for AWS Users
- Deploy Cloud NGFW for AWS with the AWS Firewall Manager
- Enable Programmatic Access
- Terraform Support for Cloud NGFW AWS
- Provision Cloud NGFW Resources to your AWS CFT
- Configure Automated Account Onboarding
- Usage Explorer
- Create a Support Case
-
-
- Prepare for Panorama Integration
- Link the Cloud NGFW to Palo Alto Networks Management
- Unlink the Cloud NGFW from Palo Alto Networks Management
- Associate a Linked Panorama to the Cloud NGFW Resource
- Use Panorama for Cloud NGFW Policy Management
- View Cloud NGFW Logs and Activity in Panorama
- View Cloud NGFW Logs in Strata Logging Service
- Tag Based Policies
- Configure Zone-based Policy Rules
- Enterprise Data Loss Prevention (E-DLP) Integration with Cloud NGFW for AWS
-
- Strata Cloud Manager Policy Management
Security Features
The Palo Alto Networks Cloud NGFW for AWS supports the following security
features.
The Palo Alto Networks Cloud NGFW for AWS supports the following security features.
Security Policy Management, Visualization, and Reporting
|
Description
|
Native Policy Management (Rulestacks)
|
Panorama Policy Management (Cloud Device Groups)
|
Strata Cloud Manager (SCM) Policy Management
|
---|---|---|---|---|
Tools
|
You have multiple configuration options to author policies for your
Cloud NGFWs.
| |||
Log Types
|
Cloud NGFW generates time-stamped logs that are an audit trail for
network traffic events that the firewall monitors. Log entries
contain artifacts, which are properties, activities, or behaviors
associated with the logged event, such as the application type or
the IP address of an attacker. Each log type records information for
a separate event type. For example, Cloud NGFW generates a Threat
log to record traffic that matches a spyware, vulnerability, or
virus signature.
| |||
Log Destinations
|
Cloud NGFW can deliver the generated logs to AWS destinations and
Strata Logging Service.
| |||
Log Visualization & Analytics
|
Review Cloud NGFW logs to verify a wealth of information of your VPC
traffic. Some examples of this information are source, destination,
URLs, Ports Protocols, App-ID, threats, Countries, URLs, etc.
| |||
Reports
|
Generate predefined and custom reports on applications, threats and
URL activities of your VPC traffic.
|
—
| ||
Policy Analysis and Optimization
|
Rule usage monitoring helps you evaluate whether your policy
implementation continues to match your enforcement needs.
Policy Analyzer analyzes your Cloud NGFW rules and recommends
possible consolidation or removal of specific rules to meet your
intended Security posture. It also checks for anomalies, such as
shadows, redundancies, generalizations, correlations, and
consolidations in your rulebase.
| — | ||
Packet Capture
|
Palo Alto Networks firewall to perform a custom packet capture or a
threat packet capture.
|
—
|
—
|
—
|
Policy & Policy Objects
|
Description
|
Native Policy Management (Rulestacks)
|
Panorama Policy Management (Cloud Device Groups)
|
Strata Cloud Manager (SCM) Policy Management
|
---|---|---|---|---|
Security Policy
|
Security policy protects your VPC traffic from threats and
disruptions. Individual Security policy rules determine whether to
block or allow a VPC traffic session based on traffic attributes,
such as the source and destination security zone, the source and
destination IP address, the application, the user, and the
service.
| |||
Address
|
You can specify an address object to include IPv4 addresses, an FQDN,
or a wildcard address (IPv4 address followed by a slash and wildcard
mask).
| |||
Address Groups
|
You can group specific source or destination addresses that require
the same policy enforcement.
|
—
| ||
Regions
|
You can allow or block traffic from (or to) an IP addresses based on
their geographic location such as a county. The region is available
as an option when specifying the source and destination for your
policies. You can choose from a standard list of countries or
specify a custom region/geolocation along with its associated IP
addresses
| |||
Service (Port & Protocol)
|
You can granularly control VPC traffic session usage to specific
ports on your network (in other words, you can define the default
port for the application). Cloud NGFW includes two pre-defined
services—service-http and service-https— that use TCP ports 80 and
8080 for HTTP, and TCP port 443 for HTTPS. You can however, create
any custom service on any TCP/UDP port of your choice.
| |||
Service Groups
|
You can combine services that have the same security settings into
Service Groups to reduce the number of rules in Security policy
.
|
—
| ||
External Dynamic List
|
You can granularly control your VPC traffic using a dynamic list of
IP addresses, Domains, or URLs. Stored in a file hosted on an
external web server. Palo Alto Networks also offers built-in (Bulletproof, High-Risk,
Known Malicious, and Tor Exit IP address) EDLs.
Additionally, Palo Alto Networks offers a free EDL hosting service that
maintains the ever-dynamic list of IP addresses for Microsoft 365,
Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).
You can use these EDLs to control your VPC Ingress and Egress
traffic.
| |||
Applications
|
You can granularly control your VPC traffic by using Palo Alto
Networks App-ID™ traffic classification system that relies on
application signatures to accurately identify applications in your
network.
| |||
Application Group
|
You can group together a set of App-IDs that require the same policy
enforcement.
|
—
| ||
Application Filters
|
You can granularly control your VPC traffic by defining an
application filter that groups current App-IDs and any future
App-IDs that match certain attributes. For example, You can create
an Application Filter by one or more attributes—category,
subcategory, technology, risk, characteristics. From now on,
whenever a new App-ID is introduced to Cloud NGFW based on a content
update, all new applications matching the filter criteria are
automatically added to your set.
|
—
| ||
Application Override
|
You can configure Cloud NGFW to override the normal Application
Identification (App-ID) of specific traffic passing through the
firewall. As soon as the Application Override policy takes effect,
all further App-ID inspection of the traffic is stopped and the
session is identified with the custom application signatures you
provide.
|
—
| ||
Dynamic User Group
|
Allow you to create a list of users from the local database, an
external database, or match criteria and group them.
|
—
|
—
|
—
|
Devices
|
Also known as the Device Dictionary, this page contains metadata for
device objects.
|
—
|
—
|
—
|
Certificates and Decryption
|
Description
|
Native Policy Management (Rulestacks)
|
Panorama Policy Management (Cloud Device Groups)
|
Strata Cloud Manager (SCM) Policy Management
|
---|---|---|---|---|
Certificates Management
|
Cloud NGFW uses certificates to access an intelligent feed and to
enable inbound and outbound decryption. Each certificate contains a
cryptographic key to encrypt plaintext or decrypt ciphertext. Each
certificate also includes a digital signature to authenticate the
identity of the issuer.
|
The Cloud Certificate is not yet supported
by Cloud NGFW. | ||
Decryption
|
Cloud NGFW can decrypt, inspect, and reencrypt your VPC Ingress and
Egress traffic as a policy-based decision. You can granularly
control what VPC traffic is decrypted and what traffic cannot be
decrypted and the type of SSL decryption, you want to perform on the
indicated traffic. To enable decryption, you set up the certificates
required to act as a trusted third party to a session.
|
Security Services
|
Description
|
Native Policy Management (Rulestacks)
|
Panorama Policy Management (Cloud Device Groups)
|
Strata Cloud Manager (SCM) Policy Management
|
---|---|---|---|---|
IPS Vulnerability Protection
|
Vulnerability Protection protects against on inbound threats, where
an attacker is attempting to exploit a system vulnerability to
breach your network, The system vulnerabilities might be in the form
buffer overflows, illegal code execution etc.
| |||
Anti-Spyware
|
Anti-Spyware detects and blocks outbound threats, especially
command-and-control (C2) activity, initiated by a (cyberattack
leveraged) malware infected workloads in your AWS VPC. You can also
define custom regular expression patterns to identify spyware phone
home communication.
| |||
File Blocking
|
File Blocking allows you to granularly control file types in your VPC
traffic in a specified direction (inbound/outbound/both). You can
proactively block files known to carry threats or that have no real
use case for upload and download.
| |||
Antivirus
|
Antivirus detects and protects against malware concealed in
compressed files, executables, PDF files, and HTML and JavaScript
viruses in your VPC traffic
| |||
WildFire Analysis
|
Cloud NGFW detects and forwards
files, and executables in your VPC traffic to WildFire™ cloud
service for analysis, and also performs inline ML analysis for
certain files. If a threat is detected on the files, WildFire
creates protections to block malware, and globally distributes
protection for that threat in under five minutes.
|
—
| ||
URL Filtering
|
URL Filtering analyzes the VPC traffic and controls the URLs accessed
by your VPC workloads (in both clear-text and encrypted
traffic) by performing inline analysis and comparing
against Palo Alto Networks managed URL categories or the
custom categories you provide.
|
| ||
DNS Security
|
DNS Security protects outbound DNS
requests from your VPCs against threats such as DNS tunneling,
Domain Generation Algorithm (DGA) detection, malware domains, etc.
|
—
|
| DNS Security |
Data Filtering & Enterprise DLP
|
Data filtering detects sensitive information in your VPC traffic—such
as credit card or social security numbers or internal corporate
documents—and prevent this data from leaving your AWS
environment.
With Enterprise DLP, you gain the benefit of Advanced Data Filtering
on your VPC traffic with a pre-defined list of data patterns with
the cloud-based analytics.
|
—
|
DLP on SCM is not currently
supported. | |
Security Profile Groups
|
A security profile group is a set of security profiles treated as a
unit and then easily added to security policies.
|
—
|
Security Zones & Protection
|
Description
|
Native Policy Management (Rulestacks)
|
Panorama Policy Management (Cloud Device Groups)
|
Strata Cloud Manager (SCM) Policy Management
|
---|---|---|---|---|
Security Zones
|
Security zones are a logical way to group interfaces on the firewall,
and Cloud NGFW endpoints to control and log the VPC traffic.
|
—
|
—
|
—
|
Zone Protection
| Zone protection defends network security zones against flood attacks, reconnaissance attempts, packet-based attacks. |
—
|
—
|
—
|
Networking Services
|
Description
|
Native Policy Management (Rulestacks)
|
Panorama Policy Management (Cloud Device Groups)
|
Strata Cloud Manager (SCM) Policy Management
|
---|---|---|---|---|
XFF
|
Traffic to your VPC workloads might have passed more than one proxy
server (such as CDN or ALB) before it reaches the Cloud NGFW. If
there's an existing XFF header, these proxies append its IP address
to it or adds the XFF header with its IP address. Therefore, XFF
request header might contain multiple IP addresses separated by
commas. Cloud NGFW uses the X-Forwarded-For (XFF) HTTP header field
identifies the original client IP address. Cloud NGFW always uses
the most recently added address in the XFF header to enforce
policy.
|
XFF on SCM is not currently
supported. | ||
NAT
|
Palo Alto Networks firewalls can enforce destination NAT on your
Ingress VPC traffic and source NAT your Egress VPC traffic.
|
—
|
—
|
—
|
DNS Proxy
|
When you configure Cloud NGFW as a DNS proxy, it acts as an
intermediary between clients and servers and as a DNS server by
resolving queries from its DNS cache or forwarding queries to other
DNS servers. Use this page to configure the settings that determine
how the firewall serves as a DNS proxy.
|
—
|
—
|
—
|
Interface Management
|
Palo Alto Networks Firewalls allow you to configure VLANs, virtual
wires Link Layer Discovery Protocol (LLDP), Bidirectional Forwarding
Detection (BFD) on its interfaces
|
—
|
—
|
—
|
QoS
|
Palo Alto Networks firewalls allow you to specify traffic that
requires preferential treatment or bandwidth limiting. QoS rules
allow you to dependably run high-priority applications and traffic
under limited network capacity.
|
—
|
—
|
—
|
Routing Management
|
Palo Alto Networks Firewalls allow you to configure Static Routing
and Routing Protocols (BGP, BFD, OSPF, OSPFv3, multicast, RIPv2, and
filters).
|
—
|
—
|
—
|
IPSec Tunnel Management
|
Palo Alto Networks firewalls terminate IPSec tunnels and inspect
tunneled traffic
|
—
|
—
|
—
|
GlobalProtect Management
|
Palo Alto Networks firewalls secure mobile workforces by specifying
algorithms for authentication and encryption in VPN tunnels between
a GlobalProtect gateway module and client.
|
—
|
—
|
—
|
GRE Tunnel Management
|
Palo Alto Networks firewalls terminate Generic Routing Encapsulation
(GRE) tunnels and inspect tunneled traffic.
|
—
|
—
|
—
|
SD-WAN Link Management
|
Palo Alto Networks firewalls bind multiple WAN connections (ADSL/DSL,
cable modem, Ethernet, fiber, LTE/3G/4G/5G, MPLS, microwave/radio,
satellite, Wi-Fi) to a virtual interface and support dynamic,
intelligent path selection based on applications and services and
the conditions of links that each application or service is allowed
to use.
|
—
|
—
|
—
|
Policy Based Forwarding
| Palo Alto Networks firewalls Policy Based Forwarding rules allow traffic to take an alternative path for security or performance reasons. Let's say your company has two links between the corporate office and the branch office: a cheaper internet link and a more expensive leased line. For enhanced security, you can use PBF to send applications that aren’t encrypted traffic, such as FTP traffic, over the private leased line and all other traffic over the internet link. Or, for performance, you can choose to route business-critical applications over the leased line while sending all other traffic, such as web browsing, over the cheaper link. |
—
|
—
|
—
|