Supported Security Policy Management Features
Focus
Focus
Cloud NGFW for AWS

Supported Security Policy Management Features

Table of Contents

Supported Security Policy Management Features

The Palo Alto Networks Cloud NGFW for AWS supports the following security features.
The Palo Alto Networks Cloud NGFW for AWS supports the following security features.
Security Policy Management, Visualization, and Reporting
Description
Native Policy Management (Rulestacks)
Panorama Policy Management (Cloud Device Groups)
Strata Cloud Manager (SCM) Policy Management
Tools
You have multiple configuration options to author policies for your Cloud NGFWs.
Log Types
Cloud NGFW generates time-stamped logs that are an audit trail for network traffic events that the firewall monitors. Log entries contain artifacts, which are properties, activities, or behaviors associated with the logged event, such as the application type or the IP address of an attacker. Each log type records information for a separate event type. For example, Cloud NGFW generates a Threat log to record traffic that matches a spyware, vulnerability, or virus signature.
Log Destinations
Cloud NGFW can deliver the generated logs to AWS destinations and Strata Logging Service.
Log Visualization & Analytics
Review Cloud NGFW logs to verify a wealth of information of your VPC traffic. Some examples of this information are source, destination, URLs, Ports Protocols, App-ID, threats, Countries, URLs, etc.
Reports
Generate predefined and custom reports on applications, threats and URL activities of your VPC traffic.
Policy Analysis and Optimization
Rule usage monitoring helps you evaluate whether your policy implementation continues to match your enforcement needs.
Policy Analyzer analyzes your Cloud NGFW rules and recommends possible consolidation or removal of specific rules to meet your intended Security posture. It also checks for anomalies, such as shadows, redundancies, generalizations, correlations, and consolidations in your rulebase.
Packet Capture
Palo Alto Networks firewall to perform a custom packet capture or a threat packet capture.
Policy & Policy Objects
Description
Native Policy Management (Rulestacks)
Panorama Policy Management (Cloud Device Groups)
Strata Cloud Manager (SCM) Policy Management
Security Policy
Security policy protects your VPC traffic from threats and disruptions. Individual Security policy rules determine whether to block or allow a VPC traffic session based on traffic attributes, such as the source and destination security zone, the source and destination IP address, the application, the user, and the service.
Address
You can specify an address object to include IPv4 addresses, an FQDN, or a wildcard address (IPv4 address followed by a slash and wildcard mask).
Address Groups
You can group specific source or destination addresses that require the same policy enforcement.
Regions
You can allow or block traffic from (or to) an IP addresses based on their geographic location such as a county. The region is available as an option when specifying the source and destination for your policies. You can choose from a standard list of countries or specify a custom region/geolocation along with its associated IP addresses
Service (Port & Protocol)
You can granularly control VPC traffic session usage to specific ports on your network (in other words, you can define the default port for the application). Cloud NGFW includes two pre-defined services—service-http and service-https— that use TCP ports 80 and 8080 for HTTP, and TCP port 443 for HTTPS. You can however, create any custom service on any TCP/UDP port of your choice.
Service Groups
You can combine services that have the same security settings into Service Groups to reduce the number of rules in Security policy .
External Dynamic List
You can granularly control your VPC traffic using a dynamic list of IP addresses, Domains, or URLs. Stored in a file hosted on an external web server. Palo Alto Networks also offers built-in (Bulletproof, High-Risk, Known Malicious, and Tor Exit IP address) EDLs. Additionally, Palo Alto Networks offers a free EDL hosting service that maintains the ever-dynamic list of IP addresses for Microsoft 365, Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). You can use these EDLs to control your VPC Ingress and Egress traffic.
Applications
You can granularly control your VPC traffic by using Palo Alto Networks App-ID™ traffic classification system that relies on application signatures to accurately identify applications in your network.
Application Group
You can group together a set of App-IDs that require the same policy enforcement.
Application Filters
You can granularly control your VPC traffic by defining an application filter that groups current App-IDs and any future App-IDs that match certain attributes. For example, You can create an Application Filter by one or more attributes—category, subcategory, technology, risk, characteristics. From now on, whenever a new App-ID is introduced to Cloud NGFW based on a content update, all new applications matching the filter criteria are automatically added to your set.
Application Override
You can configure Cloud NGFW to override the normal Application Identification (App-ID) of specific traffic passing through the firewall. As soon as the Application Override policy takes effect, all further App-ID inspection of the traffic is stopped and the session is identified with the custom application signatures you provide.
Tags
Tags allow you to group objects using keywords or phrases. You can apply tags to address objects, address groups (static and dynamic), applications, zones, services, service groups, and to policy rules.
Dynamic User Group
Allow you to create a list of users from the local database, an external database, or match criteria and group them.
Devices
Also known as the Device Dictionary, this page contains metadata for device objects.
Certificates and Decryption
Description
Native Policy Management (Rulestacks)
Panorama Policy Management (Cloud Device Groups)
Strata Cloud Manager (SCM) Policy Management
Certificates Management
Cloud NGFW uses certificates to access an intelligent feed and to enable inbound and outbound decryption. Each certificate contains a cryptographic key to encrypt plaintext or decrypt ciphertext. Each certificate also includes a digital signature to authenticate the identity of the issuer.
The Cloud Certificate is not yet supported by Cloud NGFW.
Decryption
Cloud NGFW can decrypt, inspect, and reencrypt your VPC Ingress and Egress traffic as a policy-based decision. You can granularly control what VPC traffic is decrypted and what traffic cannot be decrypted and the type of SSL decryption, you want to perform on the indicated traffic. To enable decryption, you set up the certificates required to act as a trusted third party to a session.
Security Services
Description
Native Policy Management (Rulestacks)
Panorama Policy Management (Cloud Device Groups)
Strata Cloud Manager (SCM) Policy Management
IPS Vulnerability Protection
Vulnerability Protection protects against on inbound threats, where an attacker is attempting to exploit a system vulnerability to breach your network, The system vulnerabilities might be in the form buffer overflows, illegal code execution etc.
Anti-Spyware
Anti-Spyware detects and blocks outbound threats, especially command-and-control (C2) activity, initiated by a (cyberattack leveraged) malware infected workloads in your AWS VPC. You can also define custom regular expression patterns to identify spyware phone home communication.
File Blocking
File Blocking allows you to granularly control file types in your VPC traffic in a specified direction (inbound/outbound/both). You can proactively block files known to carry threats or that have no real use case for upload and download.
Antivirus
Antivirus detects and protects against malware concealed in compressed files, executables, PDF files, and HTML and JavaScript viruses in your VPC traffic
WildFire Analysis
Cloud NGFW detects and forwards files, and executables in your VPC traffic to WildFire™ cloud service for analysis, and also performs inline ML analysis for certain files. If a threat is detected on the files, WildFire creates protections to block malware, and globally distributes protection for that threat in under five minutes.
URL Filtering
URL Filtering analyzes the VPC traffic and controls the URLs accessed by your VPC workloads (in both clear-text and encrypted traffic) by performing inline analysis and comparing against Palo Alto Networks managed URL categories or the custom categories you provide.
DNS Security
DNS Security protects outbound DNS requests from your VPCs against threats such as DNS tunneling, Domain Generation Algorithm (DGA) detection, malware domains, etc.
DNS Security
Data Filtering & Enterprise DLP
Data filtering detects sensitive information in your VPC traffic—such as credit card or social security numbers or internal corporate documents—and prevent this data from leaving your AWS environment.
With Enterprise DLP, you gain the benefit of Advanced Data Filtering on your VPC traffic with a pre-defined list of data patterns with the cloud-based analytics.
DLP on SCM is not currently supported.
Security Profile Groups
A security profile group is a set of security profiles treated as a unit and then easily added to security policies.
Security Zones & Protection
Description
Native Policy Management (Rulestacks)
Panorama Policy Management (Cloud Device Groups)
Strata Cloud Manager (SCM) Policy Management
Security Zones
Security zones are a logical way to group interfaces on the firewall, and Cloud NGFW endpoints to control and log the VPC traffic.
Zone Protection
Zone protection defends network security zones against flood attacks, reconnaissance attempts, packet-based attacks.
Networking Services
Description
Native Policy Management (Rulestacks)
Panorama Policy Management (Cloud Device Groups)
Strata Cloud Manager (SCM) Policy Management
XFF
Traffic to your VPC workloads might have passed more than one proxy server (such as CDN or ALB) before it reaches the Cloud NGFW. If there's an existing XFF header, these proxies append its IP address to it or adds the XFF header with its IP address. Therefore, XFF request header might contain multiple IP addresses separated by commas. Cloud NGFW uses the X-Forwarded-For (XFF) HTTP header field identifies the original client IP address. Cloud NGFW always uses the most recently added address in the XFF header to enforce policy.
XFF on SCM is not currently supported.
NAT
Palo Alto Networks firewalls can enforce destination NAT on your Ingress VPC traffic and source NAT your Egress VPC traffic.
DNS Proxy
When you configure Cloud NGFW as a DNS proxy, it acts as an intermediary between clients and servers and as a DNS server by resolving queries from its DNS cache or forwarding queries to other DNS servers. Use this page to configure the settings that determine how the firewall serves as a DNS proxy.
Interface Management
Palo Alto Networks Firewalls allow you to configure VLANs, virtual wires Link Layer Discovery Protocol (LLDP), Bidirectional Forwarding Detection (BFD) on its interfaces
QoS
Palo Alto Networks firewalls allow you to specify traffic that requires preferential treatment or bandwidth limiting. QoS rules allow you to dependably run high-priority applications and traffic under limited network capacity.
Routing Management
Palo Alto Networks Firewalls allow you to configure Static Routing and Routing Protocols (BGP, BFD, OSPF, OSPFv3, multicast, RIPv2, and filters).
IPSec Tunnel Management
Palo Alto Networks firewalls terminate IPSec tunnels and inspect tunneled traffic
GlobalProtect Management
Palo Alto Networks firewalls secure mobile workforces by specifying algorithms for authentication and encryption in VPN tunnels between a GlobalProtect gateway module and client.
GRE Tunnel Management
Palo Alto Networks firewalls terminate Generic Routing Encapsulation (GRE) tunnels and inspect tunneled traffic.
SD-WAN Link Management
Palo Alto Networks firewalls bind multiple WAN connections (ADSL/DSL, cable modem, Ethernet, fiber, LTE/3G/4G/5G, MPLS, microwave/radio, satellite, Wi-Fi) to a virtual interface and support dynamic, intelligent path selection based on applications and services and the conditions of links that each application or service is allowed to use.
Policy Based Forwarding
Palo Alto Networks firewalls Policy Based Forwarding rules allow traffic to take an alternative path for security or performance reasons. Let's say your company has two links between the corporate office and the branch office: a cheaper internet link and a more expensive leased line. For enhanced security, you can use PBF to send applications that aren’t encrypted traffic, such as FTP traffic, over the private leased line and all other traffic over the internet link. Or, for performance, you can choose to route business-critical applications over the leased line while sending all other traffic, such as web browsing, over the cheaper link.