Cloud NGFW for AWS Isolated Deployment Model
Table of Contents
Expand all | Collapse all
-
- About Cloud NGFW for AWS
- Getting Started from the AWS Marketplace
- Cloud NGFW for AWS Pricing
- Link Your PAYG Account with Cloud NGFW Credits
- Cloud NGFW for AWS Free Trial
- Cloud NGFW for AWS Limits and Quotas
- Subscribe to Cloud NGFW for AWS
- Locate Your Cloud NGFW for AWS Serial Number
- Cross-Account Role CFT Permissions for Cloud NGFW
- Invite Users to Cloud NGFW for AWS
- Manage Cloud NGFW for AWS Users
- Deploy Cloud NGFW for AWS with the AWS Firewall Manager
- Enable Programmatic Access
- Terraform Support for Cloud NGFW AWS
- Provision Cloud NGFW Resources to your AWS CFT
- Usage Explorer
- Create a Support Case
-
-
- Prepare for Panorama Integration
- Link the Cloud NGFW to Palo Alto Networks Management
- Unlink the Cloud NGFW from Palo Alto Networks Management
- Associate a Linked Panorama to the Cloud NGFW Resource
- Use Panorama for Cloud NGFW Policy Management
- View Cloud NGFW Logs and Activity in Panorama
- View Cloud NGFW Logs in Cortex Data Lake
- Tag Based Policies
- Enterprise Data Loss Prevention (E-DLP) Integration with Cloud NGFW for AWS
-
Cloud NGFW for AWS Isolated Deployment Model
Cloud NGFW for AWS isloated deployment model.
An isolated deployment model enables Cloud NGFW for AWS to secure traffic in multiple AWS
VPCs. With this model you can share the Cloud NGFW resource across multiple VPCs in
different AWS accounts.
Ingress/Egress Traffic Inspection
- The Internet Gateway (IGW) forwards the traffic destined to the public IP of the Application Load Balancer (ALB) from the ALB.
- Per the ALB subnet, any traffic going to the target group (workloads on EC2) are forwarded to the NGFW endpoint.
- The endpoint transparently sends the traffic to the firewall resource for inspection.
- If the traffic is allowed, the firewall resource sends the traffic back to the endpoint after inspection.
- Per the firewall subnet route table, traffic is forwarded to the workload servers:
- Traffic initiated from a EC2 instance and destined to the internet is first forwarded to the NGFW endpoint.
- The endpoint transparently sends the traffic to the Cloud NGFW resource for inspection.
- If the traffic is allowed, the firewall resource sends the traffic back to the endpoint after inspection.
- Per the firewall subnet route table, traffic is forwarded to the NAT gateway.
- Traffic will be forwarded to the internet gateway in accordance with the NAT gateway route table.