Tools

You have multiple configuration options to author policies for your Cloud NGFWs.

Log Types

Cloud NGFW generates time-stamped logs that are an audit trail for network traffic events that the firewall monitors. Log entries contain artifacts, which are properties, activities, or behaviors associated with the logged event, such as the application type or the IP address of an attacker. Each log type records information for a separate event type. For example, Cloud NGFW generates a Threat log to record traffic that matches a spyware, vulnerability, or virus signature.

Log Destinations

Cloud NGFW can deliver the generated logs to AWS destinations and Strata Logging Service.

Log Visualization & Analytics

Review Cloud NGFW logs to verify a wealth of information of your VPC traffic. Some examples of this information are source, destination, URLs, Ports Protocols, App-ID, threats, Countries, URLs, etc.

Reports

Generate predefined and custom reports on applications, threats and URL activities of your VPC traffic.

—

Policy Analysis and Optimization

Rule usage monitoring helps you evaluate whether your policy implementation continues to match your enforcement needs.

Policy Analyzer analyzes your Cloud NGFW rules and recommends possible consolidation or removal of specific rules to meet your intended Security posture. It also checks for anomalies, such as shadows, redundancies, generalizations, correlations, and consolidations in your rulebase.

Packet Capture

Palo Alto Networks firewall to perform a custom packet capture or a threat packet capture.

—

—

Security Policy

Security policy protects your VPC traffic from threats and disruptions. Individual Security policy rules determine whether to block or allow a VPC traffic session based on traffic attributes, such as the source and destination security zone, the source and destination IP address, the application, the user, and the service.

Address

You can specify an address object to include IPv4 addresses, an FQDN, or a wildcard address (IPv4 address followed by a slash and wildcard mask).

Address Groups

You can group specific source or destination addresses that require the same policy enforcement.

—

Regions

You can allow or block traffic from (or to) an IP addresses based on their geographic location such as a county. The region is available as an option when specifying the source and destination for your policies. You can choose from a standard list of countries or specify a custom region/geolocation along with its associated IP addresses

Service (Port & Protocol)

You can granularly control VPC traffic session usage to specific ports on your network (in other words, you can define the default port for the application). Cloud NGFW includes two pre-defined services—service-http and service-https— that use TCP ports 80 and 8080 for HTTP, and TCP port 443 for HTTPS. You can however, create any custom service on any TCP/UDP port of your choice.

Service Groups

You can combine services that have the same security settings into Service Groups to reduce the number of rules in Security policy .

—

External Dynamic List

You can granularly control your VPC traffic using a dynamic list of IP addresses, Domains, or URLs. Stored in a file hosted on an external web server. Palo Alto Networks also offers built-in (Bulletproof, High-Risk, Known Malicious, and Tor Exit IP address) EDLs. Additionally, Palo Alto Networks offers a free EDL hosting service that maintains the ever-dynamic list of IP addresses for Microsoft 365, Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). You can use these EDLs to control your VPC Ingress and Egress traffic.

Applications

You can granularly control your VPC traffic by using Palo Alto Networks App-ID™ traffic classification system that relies on application signatures to accurately identify applications in your network.

Application Group

You can group together a set of App-IDs that require the same policy enforcement.

—

Application Filters

You can granularly control your VPC traffic by defining an application filter that groups current App-IDs and any future App-IDs that match certain attributes. For example, You can create an Application Filter by one or more attributes—category, subcategory, technology, risk, characteristics. From now on, whenever a new App-ID is introduced to Cloud NGFW based on a content update, all new applications matching the filter criteria are automatically added to your set.

—

Application Override

You can configure Cloud NGFW to override the normal Application Identification (App-ID) of specific traffic passing through the firewall. As soon as the Application Override policy takes effect, all further App-ID inspection of the traffic is stopped and the session is identified with the custom application signatures you provide.

—

Tags

Tags allow you to group objects using keywords or phrases. You can apply tags to address objects, address groups (static and dynamic), applications, zones, services, service groups, and to policy rules.

—

Dynamic User Group

Allow you to create a list of users from the local database, an external database, or match criteria and group them.

—

—

Devices

Also known as the Device Dictionary, this page contains metadata for device objects.

—

—

Certificates Management

Cloud NGFW uses certificates to access an intelligent feed and to enable inbound and outbound decryption. Each certificate contains a cryptographic key to encrypt plaintext or decrypt ciphertext. Each certificate also includes a digital signature to authenticate the identity of the issuer.

Decryption

Cloud NGFW can decrypt, inspect, and reencrypt your VPC Ingress and Egress traffic as a policy-based decision. You can granularly control what VPC traffic is decrypted and what traffic cannot be decrypted and the type of SSL decryption, you want to perform on the indicated traffic. To enable decryption, you set up the certificates required to act as a trusted third party to a session.

IPS Vulnerability Protection

Vulnerability Protection protects against on inbound threats, where an attacker is attempting to exploit a system vulnerability to breach your network, The system vulnerabilities might be in the form buffer overflows, illegal code execution etc.

Anti-Spyware

Anti-Spyware detects and blocks outbound threats, especially command-and-control (C2) activity, initiated by a (cyberattack leveraged) malware infected workloads in your AWS VPC. You can also define custom regular expression patterns to identify spyware phone home communication.

File Blocking

File Blocking allows you to granularly control file types in your VPC traffic in a specified direction (inbound/outbound/both). You can proactively block files known to carry threats or that have no real use case for upload and download.

Antivirus

Antivirus detects and protects against malware concealed in compressed files, executables, PDF files, and HTML and JavaScript viruses in your VPC traffic

WildFire Analysis

Cloud NGFW detects and forwards files, and executables in your VPC traffic to WildFire™ cloud service for analysis, and also performs inline ML analysis for certain files. If a threat is detected on the files, WildFire creates protections to block malware, and globally distributes protection for that threat in under five minutes.

—

URL Filtering

URL Filtering analyzes the VPC traffic and controls the URLs accessed by your VPC workloads (in both clear-text and encrypted traffic) by performing inline analysis and comparing against Palo Alto Networks managed URL categories or the custom categories you provide.

DNS Security

DNS Security protects outbound DNS requests from your VPCs against threats such as DNS tunneling, Domain Generation Algorithm (DGA) detection, malware domains, etc.

—

Data Filtering & Enterprise DLP

Data filtering detects sensitive information in your VPC traffic—such as credit card or social security numbers or internal corporate documents—and prevent this data from leaving your AWS environment.

With Enterprise DLP, you gain the benefit of Advanced Data Filtering on your VPC traffic with a pre-defined list of data patterns with the cloud-based analytics.

—

Security Profile Groups

A security profile group is a set of security profiles treated as a unit and then easily added to security policies.

—

Security Zones

Security zones are a logical way to group interfaces on the firewall, and Cloud NGFW endpoints to control and log the VPC traffic.

—

—

Zone Protection

—

—

XFF

Traffic to your VPC workloads might have passed more than one proxy server (such as CDN or ALB) before it reaches the Cloud NGFW. If there's an existing XFF header, these proxies append its IP address to it or adds the XFF header with its IP address. Therefore, XFF request header might contain multiple IP addresses separated by commas. Cloud NGFW uses the X-Forwarded-For (XFF) HTTP header field identifies the original client IP address. Cloud NGFW always uses the most recently added address in the XFF header to enforce policy.

NAT

Palo Alto Networks firewalls can enforce destination NAT on your Ingress VPC traffic and source NAT your Egress VPC traffic.

—

—

DNS Proxy

When you configure Cloud NGFW as a DNS proxy, it acts as an intermediary between clients and servers and as a DNS server by resolving queries from its DNS cache or forwarding queries to other DNS servers. Use this page to configure the settings that determine how the firewall serves as a DNS proxy.

—

—

Interface Management

Palo Alto Networks Firewalls allow you to configure VLANs, virtual wires Link Layer Discovery Protocol (LLDP), Bidirectional Forwarding Detection (BFD) on its interfaces

—

—

QoS

Palo Alto Networks firewalls allow you to specify traffic that requires preferential treatment or bandwidth limiting. QoS rules allow you to dependably run high-priority applications and traffic under limited network capacity.

—

—

Routing Management

Palo Alto Networks Firewalls allow you to configure Static Routing and Routing Protocols (BGP, BFD, OSPF, OSPFv3, multicast, RIPv2, and filters).

—

—

IPSec Tunnel Management

Palo Alto Networks firewalls terminate IPSec tunnels and inspect tunneled traffic

—

—

GlobalProtect Management

Palo Alto Networks firewalls secure mobile workforces by specifying algorithms for authentication and encryption in VPN tunnels between a GlobalProtect gateway module and client.

—

—

GRE Tunnel Management

Palo Alto Networks firewalls terminate Generic Routing Encapsulation (GRE) tunnels and inspect tunneled traffic.

—

—

SD-WAN Link Management

Palo Alto Networks firewalls bind multiple WAN connections (ADSL/DSL, cable modem, Ethernet, fiber, LTE/3G/4G/5G, MPLS, microwave/radio, satellite, Wi-Fi) to a virtual interface and support dynamic, intelligent path selection based on applications and services and the conditions of links that each application or service is allowed to use.

—

—

Policy Based Forwarding

—

—