Create an NGFW Resource on AWS

1. Select NGFWs.
2. Click Add Firewall.
3. Enter a descriptive Name.
4. (Optional) Enter a Description.
5. Select an AWS Account from the drop-down to associate with this NGFW.
6. Select a VPC from the drop-down.

7. In the Policy Management section, select a local rulestack from the drop-down.

8. Specify AWS availability zones or subnets. Specify whether or not the Cloud NGFW tenant will (service-managed mode) or won't (customer-managed mode) deploy NGFW endpoints.

   • Yes (service-managed)—in service-managed mode, the Cloud NGFW tenant automatically creates NGFW endpoints in the VPC subnets you specify. Perform the endpoint management for service-managed mode through Cloud NGFW console only. The endpoint management for service-managed mode can only be done by associating or disassociating a subnet. Associating a subnet creates the endpoint and disassociating a subnet removes the endpoint.
   • No (customer-managed)—in customer-managed mode, you must manually create NGFW endpoints in each availability zone you specify.

   In the Endpoint Management section, you can enable your Cloud NGFW for securing traffic in multiple AWS availability zones. You pay for each AWS availability zone that your NGFW is provisioned to secure traffic. You can manage how the endpoints are created for your NGFW in these availability zones. You pay AWS for each VPC (gateway load balancer) endpoint that you create for your NGFW.

   The Availability Zone displays the Zone ID and the corresponding Availability Zone Name in your Palo Alto Networks account. Use this information when mapping your availability zones to your AWS accounts.

9. Click Create.