About Cloud NGFW for AWS
Table of Contents
Expand all | Collapse all
-
- About Cloud NGFW for AWS
- Getting Started from the AWS Marketplace
- Cloud NGFW for AWS Pricing
- Link Your PAYG Account with Cloud NGFW Credits
- Cloud NGFW for AWS Free Trial
- Cloud NGFW for AWS Limits and Quotas
- Subscribe to Cloud NGFW for AWS
- Locate Your Cloud NGFW for AWS Serial Number
- Cross-Account Role CFT Permissions for Cloud NGFW
- Invite Users to Cloud NGFW for AWS
- Manage Cloud NGFW for AWS Users
- Deploy Cloud NGFW for AWS with the AWS Firewall Manager
- Enable Programmatic Access
- Terraform Support for Cloud NGFW AWS
- Provision Cloud NGFW Resources to your AWS CFT
- Usage Explorer
- Create a Support Case
-
-
- Prepare for Panorama Integration
- Link the Cloud NGFW to Palo Alto Networks Management
- Unlink the Cloud NGFW from Palo Alto Networks Management
- Associate a Linked Panorama to the Cloud NGFW Resource
- Use Panorama for Cloud NGFW Policy Management
- View Cloud NGFW Logs and Activity in Panorama
- View Cloud NGFW Logs in Cortex Data Lake
- Tag Based Policies
- Enterprise Data Loss Prevention (E-DLP) Integration with Cloud NGFW for AWS
-
About Cloud NGFW for AWS
You can discover Cloud NGFW in the AWS Marketplace and consume it in your AWS Virtual Private
Clouds (VPC). With Cloud NGFW, you can access the core NGFW capabilities such as App-ID,
URL filtering based on URL categories and geolocations, SSL/TLS Decryption, etc.
Cloud NGFW Components
Cloud NGFW for AWS
creates a number of components that work together to secure your
AWS environment.
- TheCloud NGFW tenantis an instantiation of the Cloud NGFW service associated with your AWS account when one of your AWS users subscribes to the service. Cloud NGFW designates you, the subscribing AWS user, as the administrator of Cloud NGFW tenant (the TenantAdmin user role), who can invite other users to the tenant. Based on the assigned role, other users can create Cloud NGFW resources and configure rulestacks with the tenant.
- TheCloud NGFW Resource(or simply NGFW) is associated with your VPC and can span multiple availability zones. This resource has built-in resiliency, scalability, and life-cycle management.
- To use the Cloud NGFW resource, you create a dedicated subnet in your VPC for each desired AWS availability zone, then createNGFW endpointson the subnets and update the VPC route tables to send the traffic through these Cloud NGFW endpoints.
- Rulestacksdefine the NGFW traffic filtering behavior such as advanced access control (App-ID, URL Filtering) and threat prevention. A rulestack includes a set of security rules and the associated objects and security profiles. To use a rulestack, you associate the rulestack with one or more NGFW resources. Cloud NGFW provides two types of rulestacks.Cloud NGFW supports two types of Rulestacks:
- Local Rulestack: Local account administrators can associate a Local Rulestack with an NGFW in their AWS account. A local rulestack includes local rules
- Global Rulestack: The AWS Firewall Manager administrator can author a Firewall Manager Service (FMS) policy and associate a Global Rulestack with it. AWS Firewall Manager manages the Global Rulestack across all these NGFWs in different AWS accounts of an AWS Organization. A Global Rulestack includes pre-rules and post-rules.
Cloud NGFW in Action
- Subscribe to the Cloud NGFW Service—Begin by subscribing to the Cloud NGFW for AWS service through the AWS Marketplace. After subscribing, you can create a Cloud NGFW Tenant. The subscribing AWS IAM user is the Tenant Administrator (TenantAdmin), which allows that user to invite additional users and assign roles. You must add your AWS account to the Cloud NGFW tenant. Adding your account grants the necessary permissions needed by Cloud NGFW to store logs, create NGFW endpoints, and access the keys needed for decryption.
- Create Rulestacks—After adding users and assigning roles in the Cloud NGFW tenant console, Local Rulestack Admins can author local rules and rulestacks.
- Create NGFWs—Deploy NGFW firewall resources to protect your VPCs. While creating your NGFWs, associate the local rulestacks you created previously.You have two options to create Cloud NGFW endpoints. In the first (service managed) option, you create a dedicated subnet in your VPC for each desired AWS availability zone, then specify those subnets when creating Cloud NGFW resources. In this option, Cloud NGFW creates the NGFW endpoints in your subnets. Alternatively, in the second (customer managed) option, you specify the desired AWS availability zones, where you want the NGFW resource to secure the traffic. In this option, Cloud NGFW creates a Cloud NGFW resource only that will manifest as VPC endpoint resources in your AWS account. You are then responsible for creating dedicated subnet in your VPC for each desired AWS availability zone, and create the VPC endpoints as well
- Update VPC Route Tables—After deploying your Cloud NGFW resource, you must Direct Traffic to Cloud NGFW for AWS by updating your VPC route tables. Traffic is then directed to the NGFW firewall resource for inspection and enforcement.
Cloud NGFW Use Cases
Cloud NGFW provides
you with the tools and functionality to secure inbound traffic,
outbound traffic, and East-West traffic.
- Inboundtraffic refers to any traffic originating outside of your AWS region and bound for resources inside your application VPCs, such as servers or load balancers. Cloud NGFW can prevent malware and vulnerabilities from entering your VPC in the inbound traffic allowed by AWS security groups.
- Outboundtraffic refers to traffic originating within your application VPC and is bound for destinations outside of the AWS region. Cloud NGFW protects outbound traffic flows by ensuring that resources in your application VPC connect to allowed services and allowed URLs while preventing exfiltration of sensitive data and information.
- East-Westtraffic is traffic that moves within an AWS region. Specifically, traffic between source and destination deployed in two different application VPCs or in two different subnets in the same VPCs. Cloud NGFW can stop the propagation of malware within your AWS environment.