AWS Firewall Manager Integration with Cloud NGFW for AWS

AWS Firewall Manager (FMS) is a security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations. Cloud NGFW for AWS is a managed firewall service that provides advanced threat protection for your AWS VPCs.
Where Can I Use This?
  • Cloud NGFW for AWS
What Do I Need?
  • Cloud NGFW subscription
  • Palo Alto Networks Customer Support Account (CSP)
  • AWS Marketplace account
  • User role (either tenant or administrator)

Overview

By integrating AWS FMS with Cloud NGFW, you can centrally deploy Cloud NGFW resources across all accounts and VPCs within your organization. This approach provides several key benefits:
  • Centralized Management: Manage Cloud NGFW policies from a central FMS location.
  • Consistent Enforcement: Ensure that consistent security policies are applied across all accounts and VPCs.
  • Simplified Administration: Automate the deployment and management of Cloud NGFW rules to simplify administration and respond to compliance notifications from a single dashboard.
The AWS Firewall Manager provides a guided workflow that allows you to deploy the Cloud NGFW as an FMS policy. This workflow helps you:
  • Select a deployment mode (Distributed or Centralized) and region.
  • Create or select a global rulestack for your policy.
  • Configure NGFW endpoints.
  • Define the policy scope across your organization.
The AWS FMS integration with Cloud NGFW for AWS is currently supported in 16 AWS regions. For more information, see the Introducing Cloud NGFW for AWS, AWS Firewall Manager, and Getting Started from an AWS Firewall Manager Account documentation.
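The guided workflow above maps onto a single Firewall Manager policy document: the deployment mode and endpoint placement go into the policy's ManagedServiceData, the global rulestack is referenced by name, and the policy scope is the IncludeMap. The following Python is an added example, not code from the Cloud NGFW or AWS documentation; it builds that policy document for both deployment modes and validates the inputs before anything is sent to FMS. Field names follow the FMS PutPolicy ManagedServiceData schema for third-party firewall policies as I understand it (confirm against the current AWS reference); every account ID, VPC ID, OU ID, CIDR and rulestack name is a constructed placeholder, and `managed_service_data`, `fms_policy` and `example_policy` are names chosen here.

```python
import json

# Added example (not from the Cloud NGFW or AWS documentation): assemble the
# AWS Firewall Manager policy that deploys Cloud NGFW for AWS as a
# THIRD_PARTY_FIREWALL policy. Field names follow the FMS PutPolicy
# ManagedServiceData schema for third-party firewalls; every ID, CIDR, OU and
# rulestack name below is a constructed placeholder.

CLOUD_NGFW = "PALO_ALTO_NETWORKS_CLOUD_NGFW"


def managed_service_data(mode, region, rulestack, endpoints, inspection_vpcs=None):
    """Build the ManagedServiceData dict for a Cloud NGFW FMS policy.

    mode:            "distributed" (one endpoint per in-scope VPC) or
                     "centralized" (endpoints only in the inspection VPCs).
    endpoints:       [(availability zone name, [allowed IPv4 CIDRs]), ...];
                     FMS places each endpoint in a subnet inside those CIDRs.
    inspection_vpcs: [(vpc_id, account_id), ...], centralized mode only.
    """
    if mode not in ("distributed", "centralized"):
        raise ValueError("mode must be 'distributed' or 'centralized'")
    for az, _ in endpoints:
        # An AZ from another region makes FMS reject the policy; catch it early.
        if not az.startswith(region):
            raise ValueError(f"availability zone {az} is not in {region}")
    orchestration = {
        "firewallCreationConfig": {
            "endpointLocation": {
                "availabilityZoneConfigList": [
                    {"availabilityZoneName": az, "allowedIPV4CidrList": cidrs}
                    for az, cidrs in endpoints
                ]
            }
        },
        "allowedIPV4CidrList": [],
    }
    if mode == "distributed":
        model = {"distributedFirewallDeploymentModel": {
            "distributedFirewallOrchestrationConfig": orchestration}}
    else:
        if not inspection_vpcs:
            raise ValueError("centralized mode needs at least one inspection VPC")
        orchestration["inspectionVpcIds"] = [
            {"resourceId": vpc, "accountId": acct} for vpc, acct in inspection_vpcs
        ]
        model = {"centralizedFirewallDeploymentModel": {
            "centralizedFirewallOrchestrationConfig": orchestration}}
    return {
        "type": "THIRD_PARTY_FIREWALL",
        "thirdPartyFirewall": CLOUD_NGFW,
        # The global rulestack the FMS-created firewalls will enforce.
        "thirdPartyFirewallConfig": {"thirdPartyFirewallPolicyList": [rulestack]},
        "firewallDeploymentModel": model,
    }


def fms_policy(name, org_unit_ids, msd):
    """Wrap ManagedServiceData in the Policy structure put_policy() accepts.

    IncludeMap is the policy scope: only VPCs in these OUs get a firewall,
    and RemediationEnabled lets FMS create endpoints without manual approval.
    """
    return {
        "PolicyName": name,
        "SecurityServicePolicyData": {
            "Type": "THIRD_PARTY_FIREWALL",
            # FMS expects the managed service data as a JSON *string*.
            "ManagedServiceData": json.dumps(msd, separators=(",", ":")),
        },
        "ResourceType": "AWS::EC2::VPC",
        "ExcludeResourceTags": False,
        "RemediationEnabled": True,
        "IncludeMap": {"ORG_UNIT": org_unit_ids},
    }


def decode_managed_service_data(policy):
    """Parse the JSON string back into a dict (useful for review/diffing)."""
    return json.loads(policy["SecurityServicePolicyData"]["ManagedServiceData"])


def example_policy():
    """Constructed distributed-mode policy for us-east-1 (placeholder values)."""
    msd = managed_service_data(
        mode="distributed",
        region="us-east-1",
        rulestack="fms-global-rulestack",          # hypothetical global rulestack
        endpoints=[("us-east-1a", ["10.0.0.0/24"]),
                   ("us-east-1b", ["10.0.1.0/24"])],
    )
    return fms_policy("cloud-ngfw-distributed", ["ou-abcd-11111111"], msd)


if __name__ == "__main__":
    policy = example_policy()
    print(json.dumps(policy, indent=2))
    # With boto3 and FMS administrator credentials, in the policy's region:
    #   boto3.client("fms", region_name="us-east-1").put_policy(Policy=policy)
```

Two points worth checking before calling put_policy: the policy is regional, so the client must be created in the same region as the availability zones listed, and the IncludeMap is the blast radius of the rollout, since FMS will create an endpoint in every VPC it matches once remediation is enabled.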

Limitations and Unsupported Features

The following features are not supported for firewalls deployed using AWS FMS:
  • Firewall Features:
    • Multi-VPC resource sharing
    • Egress NAT
    • IPv6
    • User-ID
    • Multi Dimensional Scaling
  • Rulestack Features:
    • Dynamic Address Groups
    • Data Loss Prevention
  • Management:
    • You cannot associate Cloud NGFW created by FMS with Panorama or Strata Cloud Manager for policy management.

Tenant Version Compatibility

Cloud NGFW tenants created after July 30, 2025 are V2 tenants; tenants created before that date are V1 tenants.
The AWS Firewall Manager integration with Cloud NGFW depends on the Cloud NGFW tenant version:
  • Existing FMS deployments on V1 tenants are not affected.
  • AWS Firewall Manager currently supports the deployment of V1 firewalls only. If you are on a V2 tenant that already has firewalls, the FMS association fails. If you are on a V2 tenant with no existing firewalls, associating FMS switches your tenant to V1 and creates V1 firewalls. When you disassociate FMS, all V1 firewalls are deleted and your tenant is switched back to V2, so plan the disassociation as a loss of inspection for the VPCs those firewalls protected.