>
    Strata Copilot
    Migrate an AWS Network Firewall Policy to Cloud NGFW for AWS
    Focus
    Download PDF
    Focus
    1. Home
    2. Cloud NGFW for AWS
    3. Cloud NGFW for AWS Administration
    4. Protect
    5. Strata Cloud Manager Policy Management
    6. Migrate an AWS Network Firewall Policy to Cloud NGFW for AWS
    Download PDF
    Cloud NGFW for AWS

    Migrate an AWS Network Firewall Policy to Cloud NGFW for AWS

    Table of Contents

    Migrate an AWS Network Firewall Policy to Cloud NGFW for AWS

    Migrate your AWS Network Firewall security policies to Cloud NGFW for AWS using the Strata Cloud Manager policy migration workflow.
    Where Can I Use This?What Do I Need?
    • Cloud NGFW for AWS
    • Strata Cloud Manager Essential license
    • Superuser, Network Administrator, or Security Administrator role
    • Supported region: Canada, India, United Kingdom, Singapore, or United States
    Cloud service provider (CSP) native firewall policy migration enables the automated transfer of existing security policies from AWS Network Firewall to Cloud NGFW for AWS through Strata™ Cloud Manager. The migration translates native cloud firewall logic into next-generation firewall configurations so you can consolidate security management without manually recreating rules.
    The Policy Migration Engine processes your exported cloud configuration files and converts them into reusable Strata Cloud Manager snippets. You associate these snippets with folders linked to your Cloud NGFW resources, then push the configuration to deploy the translated policy.
    The following table outlines the AWS Network Firewall policy components supported for automated migration to Strata Cloud Manager.
    Feature CategorySupported ComponentsUnsupported or Skipped Items
    Rules
    • Stateless rules
    • Stateful rules (Standard)
    • Stateful rules (Domain List)
    		Suricata stateful rulegroups
    Objects
    • IPSets
    • PortSets
    • Domains
    Resource GroupsRules referencing tag-based resources (such as EC2 instances and elastic network interfaces) via Dynamic Address Groups (DAG)
    1. Verify that your Strata Cloud Manager instance operates in a supported region.
      1. In Strata Cloud Manager, go to the Overview page.
      2. In the General Information widget, locate the Region field.
      3. Confirm the region is one of the supported areas: Canada, India, United Kingdom, Singapore, or United States.
    2. Verify your user permissions in Strata Cloud Manager.
      1. Select Identity & Access Management from the Strata Cloud Manager menu.
      2. Confirm your user role is Superuser, Network Administrator, or Security Administrator.
    3. Access the Migration Catalog.
      1. Select ConfigurationOnboarding.
      2. In the Migration Catalog, select AWS Network Firewall.
    4. Download the AWS export script.
      1. In the AWS migration UI, click Download export scripts.
      2. Follow the link to GitHub and download the Python script (for example, aws_network_policy.py).
      3. Save the file with a .py extension.
    5. Export the AWS Network Firewall policy.
      1. Ensure Python 3 and the Boto3 library are installed on your local machine.
      2. In your AWS console, identify the AWS Network Firewall policy you want to migrate (for example, test-policy-1).
      3. Open a command-line interface and run the export script, providing your AWS profile, region, and policy name.
        python3 aws_network_policy.py --profile your-aws-profile --region aws-region --policy your-policy-name
      4. Confirm that a ZIP file containing the exported configuration is generated in your current directory.
    6. Upload and convert the AWS configuration in Strata Cloud Manager.
      1. In the Strata Cloud Manager AWS migration UI, click Browse file and upload the generated ZIP file.
      2. Click Analyze and convert.
      3. Review the summary of imported configuration objects, rule groups, and rules displayed in the UI.
    7. Review and import the converted configuration.
      1. Click Review converted configuration.
      2. Review the policy rules, address objects, and any skipped items with their reasons.
        Review the Skipped Items list before completing your import. This section provides a breakdown of any rules or configurations that were not processed, along with the reason for each skip, such as unsupported syntax or duplicate entries. Reviewing skipped items ensures your security posture remains intact after migration.
      3. Enter a descriptive name in the Snippet Name field (for example, aws-demo-1).
      4. Click Import to Strata Cloud Manager.
    8. Review the migration summary and click Complete Migration.
      Strata Cloud Manager redirects you to the onboarding page. The migration has generated a snippet containing the security rule objects and address objects derived from your AWS Network Firewall policy.
    9. Verify the migrated snippet.
      1. Select ConfigurationNGFW and Prisma AccessSnippet.
      2. Locate and select your newly created snippet (for example, aws-demo-1).
      3. Review the Security Rules and Address Objects tabs to confirm the migration succeeded.
    10. Push the configuration to Cloud NGFW for AWS.
      1. For Configuration Scope, choose Folder.
      2. Select the folder associated with your Cloud NGFW for AWS instances.
      3. From the folder overview, click Add next to Snippets.
      4. Add your migrated snippet (for example, aws-demo-1) to the folder and adjust its priority as needed.
      5. Click Close.
      6. Click Push in the top-right corner.
      7. Enter a description and confirm the push to your Cloud NGFW resource.
      8. Monitor the job log to confirm the push succeeds.

    © 2026 Palo Alto Networks, Inc. All rights reserved.