>
    Getting Started from an AWS Firewall Manager Account
    Focus
    Download PDF
    Focus
    1. Home
    2. Cloud NGFW for AWS
    3. Getting Started from the AWS Marketplace
    4. Getting Started from an AWS Firewall Manager Account
    Download PDF
    Cloud NGFW for AWS

    Getting Started from an AWS Firewall Manager Account

    Table of Contents

    Getting Started from an AWS Firewall Manager Account

    Learn how to deploy your Cloud NGFW for AWS resource using the AWS Firewall Manager.
    Where Can I Use This?What Do I Need?
    • Cloud NGFW for AWS
    • Cloud NGFW subscription
    • Palo Alto Networks Customer Support Account (CSP)
    • AWS Marketplace account
    • User role (either tenant or administrator)
    The AWS Firewall Manager (FMS) is a service in that allows you to centrally manage rules for AWS web application firewalls, Security Groups, and AWS Network firewalls across all member accounts of the AWS Organization. You can now use the AWS Firewall Manager to centrally deploy Cloud NGFW resources and manage rules across VPCs in different AWS accounts of your AWS Organization. AWS Firewall Manager dashboard also allows you to view and respond to compliance notifications.
    The AWS Firewall Manager provides a workflow that allows you to:
    • deploy the Cloud NGFW as a FMS policy.
    • select a deployment mode and region.
    • create a global rulestack.
    • configure NGFW endpoints.
    • define the scope of the Cloud NGFW across your organization.
    For more information, see the AWS Firewall Manager documentation.
    The Cloud NGFW supports VPC resources only within FMS policy scope.
    1. Subscribe to the Cloud NGFW for AWS service. The AWS account you use to subscribe to the Cloud NGFW service must be the same AWS Firewall Manager administrator account.
      As an IAM user in the AWS Firewall Manager account, begin by subscribing to the Cloud NGFW service through the AWS Marketplace. After completing your initial setup, return to the FMS dashboard in the AWS console. This procedure creates a Cloud NGFW tenant and automatically assigns you (the FMS administrator) with the TenantAdmin and GlobalFirewallAdmin roles.
    2. Associate the Palo Alto Cloud NGFW Service with the Firewall Manager.
      1. Log in to the AWS Console and select ServicesAWS Firewall ManagerSettings.
      2. Under Third-Party Firewall Association Status, select Palo Alto Networks Cloud NGFW.
      3. Click Associate.
    3. Select Security PoliciesCreate Policy.
    4. Choose the policy type and region.
      1. Under Third-Party Services, select Palo Alto Networks Cloud NGFW.
      2. Select your Deployment Mode—Distributed or Centralized.
      3. Select the Region.
    5. Click Next.
    6. Describe FMS policy for the Cloud NGFW on AWS.
      Provide a descriptive name for your FMS policy, configure or associate a global rulestack with the FMS policy, and configure log settings. FMS displays any existing global rulestacks (if available) and a link that takes to the Cloud NGFW console to create a global rulestack. Because the subscribing user (FMS administrator) is a GlobalRulestackAdmin, you don't have to make any changes to the user roles.
      1. Enter a descriptive Policy Name.
      2. Select or create Third Party Firewall Policy Configuration.
        In the FMS console, Third-Party Firewall Policy Configuration refers to a global rulestack in the context of the Cloud NGFW. If you have already created one or more global rulestacks, they are listed here. If you have not created a global rulestack, you can create one by clicking Create Firewall Policy. This redirects you to the Cloud NGFW console. For information about rulestacks and rulestack configuration, see rules and rulestacks.
      3. Create a Global Rulestack.
        1. Enter a descriptive Name for your rulestack.
        2. (optional) Enter a Description for your rulestack.
        3. Click Save.
        4. Return to the FMS console.
      4. Configure logging.
        You can select Traffic, Decryption, or Threat logs. For each type of log, you must specify a destination—S3 Bucket, CloudWatch log group, or Kinesis Firehose delivery stream—from the drop-down. The drop-down displays previously configured destinations in your AWS environment.
      5. Click Next.
    7. Configure NGFW endpoints.
      Cloud NGFW creates endpoints in your availability zones that need to be secured. These NGFW endpoints intercept and redirect traffic to Cloud NGFW for inspection and enforcement. The number and location of NGFW endpoints differs based on your deployment mode—distributed or centralized.
      You select the NGFW endpoint locations by choosing availability zone names or availability zone IDs. Keep in mind that availability zone names can differ between AWS accounts but availability zone IDs are consistent across all AWS accounts.
      1. Select Availability Zone Name or Availability Zone ID. This selection determines what options—names or IDs—the FMS console lists.
      2. In the Action column, click the slider to add an availability zone to the Cloud NFGW FMS policy.
      3. (Optional) Add Classless Inter-Domain Routing (CIDR) blocks to specify the subnets used by the NGFW endpoints.
        You can specify a CIDR block for each selected availability zone or create a list of CIDR blocks for the FMS to assign to the selected availability zones. Each CIDR block must be a /28 CIDR block.
        If you don't specify any CIDR blocks, the FMS will take a best effort approach to find unassigned CIDR blocks in your VPC to create subnets for the NGFW endpoints. If no CIDR blocks are available in your VPC, the FMS displays a noncompliant error.
      4. Click Next.
    8. Define Cloud NGFW FMS Policy Scope.
      Policy scope defines the AWS accounts or organizational units (OU) and resources that are covered by the Cloud NGFW FMS policy. You can apply the Cloud NGFW FMS policy rules across all AWS accounts and VPCs in your organization or specify a subset of accounts and/or VPCs.
      When you add a new AWS account or VPC to your organization, the FMS determines if your Cloud NGFW policy should be applied to that account or VPC. For example, you can apply the Cloud NGFW policy to all accounts except for a small, excluded subset. When a new account joins your organization, because it's not on the excluded list, the Cloud NGFW policy is applied.
      1. Specify the accounts to include or exclude from the Cloud NGFW FMS policy.
        You can choose to Include all accounts under my AWS organization, Include on the specified accounts and organizational units, or Exclude specific accounts and organizational units, and include all others.
        If you choose to include or exclude a subset of accounts and OUs, the FMS console displays a field that allow you to specify those accounts and OUs. Click Edit List to create your include or exclude list.
      2. Specify the VPC to include or exclude from the Cloud NGFW FMS policy.
        Similarly to the accounts and OUs, the can Include all resources that match the selected type, Include only resources that have all the specified resource tags, or Exclude resources that have all the specified resource tags, and include all others.
        If you choose to include or exclude a subset of VPCs, the FMS console displays options to provide a list of up to eight resource tags and values.
      3. Under Third Party Firewall Customer IAM Role, you can download a copy of the Cloud NGFW IAM Roles CloudFormation Template (CFT).
      4. Click Next.
      5. (Optional) Configure policy tags.
        You can apply tags (consisting of a key and optional value) to help search for and filter your Cloud NGFW resources created through the FMS.
      6. Click Next.
      7. Review your Cloud NGFW policy configuration.
      8. Click Create Policy to deploy the Cloud NGFW.

    © 2024 Palo Alto Networks, Inc. All rights reserved.