Cloud NGFW for AWS Tenant
This section gives details on all CNGFW for AWS tenants.
| Where Can I Use This? | What Do I Need? |
| --- | --- |
| | - Cloud NGFW subscription<br>- Palo Alto Networks Customer Support Account (CSP)<br>- AWS Marketplace account<br>- User role (either tenant or administrator) |
A Cloud NGFW tenant is an instantiation of Palo Alto Networks’ Cloud
Next-Generation Firewall (NGFW) service associated with your (or your organization’s)
AWS environment. It represents a logically isolated and dedicated boundary for
deploying, managing, and monitoring the SaaS firewall (also known as Cloud NGFW
resource) protections natively in your AWS environment.
The Cloud NGFW console helps you centrally manage and govern your tenant. It enables
centralized user administration, AWS account administration, firewall and policy
management, and integration with both AWS and Palo Alto Networks’ security management
platforms.
Key Functions of a Tenant:
| Functions | Description |
| --- | --- |
| AWS account(s) administration | A Cloud NGFW tenant manages AWS account administration through a combination of direct AWS Marketplace subscription, permission delegation, and allow-list enablement. Refer here for further details on Subscribed accounts, Onboarded accounts, and AllowListed accounts. |
| Users & Roles Management | A Cloud NGFW tenant uses robust role-based access control (RBAC) to manage who can access and administer firewall resources, and who can manage local policies or integrate with Palo Alto Networks’ policy managers (Panorama, SCM). |
| NGFW resource management | A Cloud NGFW tenant streamlines and centralizes the management of Cloud NGFW resources in AWS by providing a unified administrative layer for deployment, configuration, and policy enforcement. |
| Metering & Billing management | A Cloud NGFW tenant consolidates the metering and billing of all its Cloud NGFW resources and their related usage of Cloud-Delivered Security Services (CDSS) and Centralized management (Panorama, Strata Cloud Manager, and Strata Logging Service). For this purpose, it enables you to associate credits that you procured via contract. It also allows you to subscribe from AWS Marketplace for sending PAYG and overage metering records. |
| Programmatic Access Administration | A Cloud NGFW for AWS tenant administers programmatic access by allowing authorized users to manage NGFW resources and policies through REST APIs, CloudFormation, and Terraform, leveraging AWS IAM roles for secure, temporary credential management instead of static access keys. |
| Audit Log Administration | A Cloud NGFW tenant facilitates centralized audit log management for compliance by automatically capturing detailed records of all administrator actions and forwarding these logs to a specified AWS CloudWatch log group. |