AWS Firewall Manager Integration with Cloud NGFW for AWS
AWS Firewall Manager (FMS) is a security management service that allows you to
centrally configure and manage firewall rules across your accounts and applications in AWS
Organizations. Cloud NGFW for AWS is a managed firewall service that provides advanced
threat protection for your AWS VPCs.
Where Can I Use This? | What Do I Need?
- Cloud NGFW subscription
- Palo Alto Networks Customer Support Account (CSP)
- AWS Marketplace account
- User role (either tenant or administrator)
Overview
By integrating AWS FMS with Cloud NGFW, you can centrally deploy Cloud NGFW
resources across all accounts and VPCs within your organization. This approach
provides several key benefits:
- Centralized Management: Manage Cloud NGFW policies from a central FMS location.
- Consistent Enforcement: Ensure that consistent security policies are applied across all accounts and VPCs.
- Simplified Administration: Automate the deployment and management of Cloud NGFW rules to simplify administration and respond to compliance notifications from a single dashboard.
The AWS Firewall Manager provides a guided workflow that allows you to
deploy the Cloud NGFW as an FMS policy. This workflow helps you:
- Select a deployment mode (Distributed or Centralized) and region.
- Create or select a global rulestack for your policy.
- Configure NGFW endpoints.
- Define the policy scope across your organization.
Limitations and Unsupported Features
The following features are not supported for firewalls deployed using AWS
FMS:
Firewall Features:
Rulestack Features:
- Dynamic Address Groups
- Data Loss Prevention
Management:
- You cannot associate a Cloud NGFW created by FMS with Panorama or Strata Cloud Manager for policy management.
Tenant Version Compatibility
Cloud NGFW tenants created after July 30, 2025, are V2 tenants. The
tenants created before July 30, 2025 are V1 tenants.
The AWS Firewall Manager integration with Cloud NGFW depends on the Cloud NGFW tenant version:
- There is no impact on existing FMS deployments on V1 tenants.
- AWS Firewall Manager currently supports the deployment of V1 firewalls only. If you are on a V2 tenant with existing firewalls, the FMS association will fail. If you are on a V2 tenant with no existing firewalls, associating FMS will switch your tenant to V1 and create V1 firewalls. When you disassociate FMS, all V1 firewalls will be deleted, and your tenant will be switched back to V2.
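A pre-flight check that encodes the association rules above before an operator runs the FMS association, as an added example rather than code from this page or from Palo Alto Networks. It assumes the boto3 FMS client's get_third_party_firewall_association_status call and the PALO_ALTO_NETWORKS_CLOUD_NGFW identifier; the tenant version and existing firewall count are passed in by the operator, since the page names no API for reading them, and the stub client is constructed for offline use.

```python
"""Pre-flight check before associating AWS Firewall Manager (FMS) with a Cloud NGFW tenant."""
from dataclasses import dataclass
from typing import Tuple

try:
    import boto3  # only needed when a real FMS client is used
except ImportError:  # assumption: allow the module to load without boto3 installed
    boto3 = None

# Assumption: FMS ThirdPartyFirewall identifier for Cloud NGFW for AWS.
THIRD_PARTY = "PALO_ALTO_NETWORKS_CLOUD_NGFW"
# Assumption: FMS association states in which a fresh association may be started.
IDLE_STATES = ("NOT_EXIST", "OFFBOARD_COMPLETE")


@dataclass
class Plan:
    allowed: bool        # whether the association is expected to succeed
    tenant_after: str    # tenant version after association ("V1" or "V2")
    reason: str


def plan_association(tenant_version: str, existing_firewalls: int) -> Plan:
    """Expected outcome of associating FMS, following the tenant-version rules on this page."""
    if tenant_version == "V1":
        return Plan(True, "V1", "V1 tenant: FMS deploys V1 firewalls, tenant version unchanged")
    if tenant_version != "V2":
        raise ValueError(f"unknown tenant version {tenant_version!r}")
    if existing_firewalls > 0:
        return Plan(False, "V2", "V2 tenant with existing firewalls: FMS association will fail")
    # Side effect worth surfacing to the operator: the tenant is downgraded to V1,
    # and disassociating FMS later deletes the V1 firewalls and restores V2.
    return Plan(True, "V1", "V2 tenant with no firewalls: tenant is switched to V1")


class StubFmsClient:
    """Constructed offline stand-in for boto3.client('fms'); returns a fixed status."""
    def __init__(self, status: str):
        self.status = status

    def get_third_party_firewall_association_status(self, ThirdPartyFirewall: str) -> dict:
        assert ThirdPartyFirewall == THIRD_PARTY
        return {"ThirdPartyFirewallStatus": self.status}


def safe_to_associate(tenant_version: str, existing_firewalls: int, client=None) -> Tuple[bool, str]:
    """Combine the live FMS association state with the tenant-version rules."""
    client = client or boto3.client("fms")
    resp = client.get_third_party_firewall_association_status(ThirdPartyFirewall=THIRD_PARTY)
    status = resp["ThirdPartyFirewallStatus"]
    if status not in IDLE_STATES:
        return False, f"FMS association already in state {status}"
    plan = plan_association(tenant_version, existing_firewalls)
    return plan.allowed, plan.reason
```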