>
    Strata Copilot
    Cloud NGFW Policy management when started from the Cloud NGFW Console
    Focus
    Download PDF
    Focus
    1. Home
    2. Cloud NGFW for AWS
    3. Cloud NGFW for AWS Administration
    4. Protect
    5. Strata Cloud Manager Policy Management
    6. Cloud NGFW Policy management when started from the Cloud NGFW Console
    Download PDF
    Cloud NGFW for AWS

    Cloud NGFW Policy management when started from the Cloud NGFW Console

    Table of Contents

    Cloud NGFW Policy management when started from the Cloud NGFW Console

    Link your Cloud NGFW resource with Strata Cloud Manager (SCM) for policy management.
    Where Can I Use This?What Do I Need?
    • Cloud NGFW for AWS
    • Cloud NGFW subscription
    • Palo Alto Networks Customer Support Account (CSP)
    • AWS Marketplace account
    • User role (either tenant or administrator)
    You can register your Cloud NGFW resources with an existing Strata Cloud Manager, which you had previously activated based on your AIOps, NGFW, Prisma Access, or Strata Cloud Manager Pro/Essential licenses. If you do not have a Strata Cloud Manager, you can activate a new Strata Cloud Manager Essentials (steps 1-8) to use with Cloud NGFW. In either case, the integration automatically enables Strata Cloud Manager Pro features for Cloud NGFW.
    It may take approximately 45-50 minutes to upgrade from SCM Essentials to PRO, when you register the first Cloud NGFW resource.

    Link Your Cloud NGFW Tenant with Strata Cloud Manager Policy Management

    To integrate your Cloud NGFW resource with Strata Cloud Manager policy management:
    1. Log in to the Cloud NGFW console.
    2. Select Integrations.
    3. In the Policy Manager screen, click Add Policy Manager.
    4. In the Add Policy Manager section, select Strata Cloud Manager for the Manage Type.
    5. Enter a descriptive name.
    6. Use the drop-down menu to select the Strata Cloud Manager Tenant you want to associate with the resource.
      The Customer Support Portal (CSP) account must be the same for both SCM and CNGFW. If you do not have a Strata Cloud Manager, you can activate a new Strata Cloud Manager Essentials (steps 1-8) to use with Cloud NGFW. In either case, the integration automatically enables Strata Cloud Manager Pro features for Cloud NGFW.
    7. Click Save. This effectively links your Cloud NGFW resource to the SCM tenant.
      After saving the configuration the Integrations page is updated to reflect the new policy management paradigm, along with the associated Link ID and SCM Serial Number and Tenant Name:
      To view information about an individual linked SCM tenant, click the Link ID in the Policy Manager screen. You can use the Edit Policy Management screen to change the Link Name and view information:

    Associate a Firewall with Strata Cloud Manager Policy Management

    After you establish a link to Strata Cloud policy Management, you can associate a new firewall with the linked SCM tenant:
    1. Log in to the Cloud NGFW console.
    2. Select NGFWs.
    3. Click Create Firewall.
    4. In the Create Firewall screen, enter a name for the firewall.
    5. Optionally include a description.
    6. In the Policy Management section, select Strata Cloud Manager.
    7. In the Policy Manager drop-down menu, select the linked SCM tenant you want to associate with the firewall.
    8. Configure Endpoint Management to secure traffic in multiple AWS availability zones.
      1. Determine if you want Cloud NGFW to create endpoints automatically on your VPC subnets. Select Yes for service-managed endpoints.
        By default, the Cloud NGFW resource does not automatically create these endpoints; the radio button is set to No.
      2. Use the drop-down to select the AWS Account ID.
      3. Use the drop-down to select the VPC.
      4. Use the Subnet field to select an available subnet.
      5. Click Save.
      The NGFW screen changes to reflect the newly created firewall. It takes approximately 6-10 minutes to complete the process of creating a new firewall; the Status indicates CREATING:
      Click the NGFW Name to display detailed information about the firewall. Limited information is displayed as the firewall is being created:

    Next Steps

    1. Log in to the Strata Cloud Manager app from the Palo Alto Networks hub directly at stratacloudmanager.paloaltonetworks.com.
    2. View registered Cloud NGFW Resources in Strata Cloud Manager.
    3. Author and enforce Cloud NGFW policies in the SCM console.

    Unlink the Cloud NGFW from Strata Cloud Manager

    You must ensure to remove all associated firewalls from SCM before initiating the unlinking process. If not, the following error is displayed.
    Failed to get TSGID for Panorama.
    To unlink a SCM from a Cloud NGFW resource:
    1. In the Cloud NGFW console, select Integrations.
    2. On the Integrations page, locate the Actions section for your SCM policy manager
    3. Click the Unlink icon to begin the unlinking process.
    4. When you unlink a SCM from your Cloud NGFW tenant, you may be prompted to delete one or more Cloud Device Groups that are associated with the Cloud NGFW resource or region from which you are unlinking. In such cases an error message appears stating if the SCM is associated with a SLS account the link with the SLS will be deleted.
    5. Confirm the unlinking process. If your SCM is associated with a Strata Logging Service account, that association is terminated and logs are pruned after the retention period.
    6. After confirming the unlinking request, the Integrations page changes to provide status for the Cloud NGFW resource.

    © 2025 Palo Alto Networks, Inc. All rights reserved.