Cloud NGFW for AWS - FAQ

Q. What is Cloud NGFW for AWS?

  1. Cloud NGFW for AWS is a fully managed cloud-native next-generation firewall service delivered by Palo Alto Networks on the Amazon Web Services (AWS) platform.

Q. What are the key benefits of Cloud NGFW for AWS?

  1. With Cloud NGFW for AWS, you have both best-in-class security and an easy, fully managed cloud-native experience.

  • First, because Cloud NGFW for AWS is a Palo Alto Networks managed service, you no longer have the operational overhead of managing the infrastructure, scaling, availability, resiliency, and software/content updates.

  • Second, security teams can now easily deploy and manage Palo Alto Networks' security capabilities at scale in their AWS environment by using AWS Firewall Manager.

  • Third, Cloud NGFW seamlessly integrates with AWS services (Amazon CloudWatch, Kinesis, S3 buckets, Secrets Manager). These out-of-the-box integrations reduce the operational burden for security teams. They no longer need to maintain custom solutions or specialized expertise to provision and operationalize NGFWs.

Q. What's the difference between Cloud NGFW for AWS and VM-Series?

  1. Cloud NGFW for AWS is a fully managed service on the AWS platform, powered by Palo Alto Networks software firewalls. With Cloud NGFW for AWS, you now have an NGFW deployment experience that handles the delivery of the Palo Alto Next-Generation Firewall capabilities and infrastructure in one motion. Alternatively, you can continue to use Palo Alto Networks VM-Series on AWS, particularly for advanced deployment scenarios (e.g., BGP routing, VPN termination). You decide what instance types are best suited for your environment and how best to manage upgrades, scale-out, and failover.

Q. How is Cloud NGFW for AWS different from Prisma Access?

  1. Cloud NGFW for AWS is a fully managed firewall service on the AWS platform and is used to protect your VPC traffic in AWS. In contrast, Prisma Access protects end-users and branches primarily connecting to the Internet and SaaS applications. The two are complementary solutions serving different needs.

Q. Can I use Panorama to manage Cloud NGFW for AWS?

  1. Integration with Panorama management will not be available at GA. We prioritize the native AWS management experience, such as AWS Firewall Manager for centralized policy management, CloudFormation Templates, and Terraform.

Q. Can I use Cloud NGFW for AWS to secure workloads in other public clouds (i.e. GCP, Azure, OCI) or my on-prem environment?

  1. Cloud NGFW for AWS is a regional service that runs in the AWS platform to protect your Amazon Virtual Private Cloud (VPC) traffic in an AWS region. You cannot use it to secure your workloads in other public cloud environments or your on-prem environment.

Q. What is a Cloud NGFW tenant?

  1. A tenant is an instantiation of the Cloud NGFW service associated with a customer. Cloud NGFW creates a tenant when a user associated with the AWS customer account subscribes to the Cloud NGFW service. Cloud NGFW designates the subscribing AWS user as the administrator of the Cloud NGFW tenant. The administrator can invite other users to use the tenant. The users can onboard AWS accounts, create NGFWs and configure NGFW rulestacks within the tenant.

Q. What is a Cloud NGFW resource?

  1. A Cloud NGFW resource (or simply NGFW) provides next-generation firewall capabilities for your VPC. This resource has built-in resiliency, scalability, and life-cycle management. An NGFW spans multiple AWS availability zones. Under the hood, an NGFW is a VPC endpoint service.

Q. What are Cloud NGFW endpoints?

  1. An NGFW endpoint in the customer's VPC intercepts and routes traffic to the NGFW for inspection. To use an NGFW resource, you create a dedicated subnet in your VPC for each desired AWS availability zone, then create NGFW endpoints on the subnets and update the VPC route tables to send the traffic through these Cloud NGFW endpoints. Under the hood, Cloud NGFW endpoints are Gateway Load Balancer endpoints.

Q. What's a Cloud NGFW rulestack?

  1. A rulestack defines Cloud NGFW resource's advanced access control (App-ID, Advanced URL Filtering) and threat prevention behavior. A rulestack includes a set of security rules, associated objects, and security profiles. To use a rulestack, you associate the rulestack with one or more NGFW resources.

Q. In which AWS regions are Cloud NGFW available?

  1. The Region Table enumerates the regions where Cloud NGFW for AWS is currently available.

Q. Does Cloud NGFW for AWS offer a Service Level Agreement?

  1. Cloud NGFW for AWS offers an uptime Service Level Agreement (SLA) of 99.99%. Please refer to the Cloud NGFW for AWS Service Level Agreement.

Q. What are the known limits of Cloud NGFW for AWS?

  1. Cloud NGFW for AWS is subject to service limits for the number of NGFWs and Rulestacks that you can create and for other settings, such as the number of rules you can have in a single rulestack. For additional details about service limits, including information about requesting a service quota increase, please refer to Cloud NGFW for AWS Limits and Quota.

Q. How do I subscribe to Cloud NGFW for AWS? 

  1. You can subscribe to Cloud NGFW directly in the AWS Marketplace and create a Cloud NGFW tenant. You then onboard your AWS account to the tenant and create NGFW resources by specifying the VPCs in your account.

Q. How do I enable a Cloud NGFW resource for my VPC?

  1. You can set up an NGFW resource for your VPC using the Cloud NGFW UI, REST API, CloudFormation, and Terraform templates. An NGFW resource is an AWS Gateway Load Balancer (GWLB) based VPC endpoint service that spans multiple AWS availability zones. It offers Palo Alto Networks next-generation firewall capabilities with built-in resiliency, scalability, life-cycle management, and AWS availability-zone (AZ) affinity. To use the NGFW resource, create a dedicated subnet (with a minimum size of /28) in your VPC for each desired AWS availability zone, then create NGFW endpoints on the subnets and update the VPC route tables to send the traffic through the NGFW endpoints. Cloud NGFW for AWS inspects all traffic routed to the NGFW endpoints.

Q. Can Cloud NGFW for AWS manage security across multiple AWS accounts?

  1. Yes. Cloud NGFW for AWS is a regional service that secures network traffic at an organization and account level. Consider using AWS Firewall Manager to maintain policy and governance across multiple accounts.

Q. Can I use AWS Firewall Manager to manage Cloud NGFW? 

  1. Yes! You can use AWS Firewall Manager to manage global rulestacks across multiple AWS accounts and VPCs. 

Q. What is the difference between service-managed and customer-managed modes of creating NGFW endpoints?

  1. You can choose to create NGFW endpoints in one of these two modes. In a service-managed mode, Cloud NGFW will create and manage the NGFW endpoints on your behalf. When you create an NGFW resource, the endpoint is automatically created for you on the subnet you specify. If you delete the NGFW resource, the endpoint will also be automatically deleted. For this to work, you must grant the necessary cross-account AWS permissions when you run the CloudFormation template during the AWS account onboarding process. If you are not comfortable granting the cross-account permissions for Cloud NGFW to create endpoints, then you will create the endpoints on your own (i.e., customer-managed mode).

Q. What are the typical deployment models for this service?

  1. Cloud NGFW for AWS supports two primary deployment types: centralized and distributed. 

Q. How do I deploy Cloud NGFW for AWS using the centralized model?

  1. In the centralized architecture model, a dedicated security VPC connected to an AWS Transit Gateway provides a simplified and centralized approach to managing advanced access control and threat inspection of traffic. You can use the Cloud NGFW UI or AWS Firewall Manager to create an NGFW resource for the centralized security VPC. You can then configure route rules in the application VPCs and the transit gateway to redirect traffic to the security VPC for inspection. You can now inspect inbound and outbound traffic to or from Internet Gateways, Direct Connect gateways, PrivateLink, VPN Site-to-Site and Client gateways, NAT gateways, and traffic between other attached VPCs and subnets.

Q. How do I deploy Cloud NGFW for AWS using a distributed model?

  1. The distributed architecture model allows you to place your inspection points (NGFWs) closer to the applications in multiple VPCs while maintaining centralized security control. In the distributed model, you use the AWS Firewall Manager console/APIs to author a Firewall Manager policy that deploys NGFWs in multiple AWS accounts of an AWS Organization. You then add route rules to the VPC's Internet gateway (ingress routing) to protect traffic inbound to the application load balancers and public hosts. Similarly, you can add route rules in subnet route tables to redirect all outbound VPC traffic to the NGFW endpoint for inspection.
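The endpoint setup procedure (dedicated /28 subnet per AZ, NGFW endpoint, route table updates) and the distributed-model inbound and outbound routes described above, as an added Terraform example that is not part of this FAQ or of any Palo Alto Networks or AWS template. It assumes an existing VPC `aws_vpc.app`, an Internet gateway `aws_internet_gateway.app`, a route table `aws_route_table.app_1a` for a public application subnet 10.0.1.0/24 in us-east-1a, and an endpoint service name obtained from the Cloud NGFW console for customer-managed mode; all CIDRs are constructed.

```hcl
# Placeholder: the NGFW resource's endpoint service name from the Cloud NGFW console.
variable "ngfw_service_name" { type = string }
# Dedicated /28 subnet for the NGFW endpoint in one AZ (repeat per AZ you protect;
# /28 is the minimum size and never needs to grow as the service scales).
resource "aws_subnet" "ngfw_1a" {
  vpc_id            = aws_vpc.app.id # assumed existing VPC
  availability_zone = "us-east-1a"
  cidr_block        = "10.0.255.0/28"
}
# Customer-managed mode: a Gateway Load Balancer endpoint in the NGFW subnet.
resource "aws_vpc_endpoint" "ngfw_1a" {
  vpc_id            = aws_vpc.app.id
  service_name      = var.ngfw_service_name
  vpc_endpoint_type = "GatewayLoadBalancer"
  subnet_ids        = [aws_subnet.ngfw_1a.id]
}
# NGFW subnet route table: traffic returned by the firewall continues to the IGW.
resource "aws_route_table" "ngfw_1a" {
  vpc_id = aws_vpc.app.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.app.id # assumed existing IGW
  }
}
resource "aws_route_table_association" "ngfw_1a" {
  subnet_id      = aws_subnet.ngfw_1a.id
  route_table_id = aws_route_table.ngfw_1a.id
}

# Outbound: the application subnet's default route points at the endpoint in its own AZ
# (aws_route_table.app_1a is the assumed route table of public subnet 10.0.1.0/24).
resource "aws_route" "app_egress" {
  route_table_id         = aws_route_table.app_1a.id
  destination_cidr_block = "0.0.0.0/0"
  vpc_endpoint_id        = aws_vpc_endpoint.ngfw_1a.id
}

# Inbound: an ingress route table edge-associated with the IGW steers traffic for the
# public subnet through the same endpoint, so both directions cross one firewall path.
resource "aws_route_table" "igw_ingress" {
  vpc_id = aws_vpc.app.id
  route {
    cidr_block      = "10.0.1.0/24"
    vpc_endpoint_id = aws_vpc_endpoint.ngfw_1a.id
  }
}
resource "aws_route_table_association" "igw_edge" {
  gateway_id     = aws_internet_gateway.app.id
  route_table_id = aws_route_table.igw_ingress.id
}
```

Keeping the same endpoint on the inbound and outbound path of a subnet avoids asymmetric flows that the firewall would otherwise see only half of.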

Q. Does the Cloud NGFW resource perform NAT on my VPC traffic?

  1. No. In both centralized and distributed architectures, the NGFW resource acts as a bump-in-the-wire in your applications' outbound, east-west, and inbound traffic paths. The traffic packet headers and payload are kept intact. This behavior provides complete visibility into the traffic source's identity to your destinations.

Q. Can I use Cloud NGFW with my Transit Gateway (TGW)?

  1. Yes. You can deploy the Cloud NGFW endpoint within your VPC and then attach that VPC to a TGW. 

Q. Which AWS tools can I use to log and monitor my Cloud NGFW activity?

  1. You can log your Cloud NGFW activity to Amazon CloudWatch or an Amazon S3 bucket for further analysis and investigation. You can also use Amazon Kinesis Firehose to stream your logs to a third-party provider.

Q. Does the Cloud NGFW for AWS subnet size need to change as the service scales?

  1. No. Cloud NGFW for AWS doesn't need a subnet bigger than /28.

Q. Is there a limit on the Cloud NGFW endpoints I can create for the NGFW resource?

  1. Yes. You can create up to fifty NGFW endpoints for every NGFW resource.

Q. Can I create Cloud NGFW endpoints in multiple VPCs for the same NGFW resource?

  1. Yes. You can share the Cloud NGFW resource across multiple VPCs in different AWS accounts. You can create NGFW endpoints for an NGFW resource in different VPCs and route traffic to the NGFW resource for inspection. 

Q. How does Cloud NGFW for AWS protect my VPC?

  1. Cloud NGFW for AWS offers security depth and breadth by employing a two-phased approach to protecting your VPC. First, Cloud NGFW for AWS allows you to granularly control your VPC traffic and reduce your attack surface with advanced application awareness using Palo Alto Networks' flagship App-ID and URL filtering techniques. Second, on the allowed traffic, Cloud NGFW for AWS enables you to block known and unknown network threats and prevent C2 and data exfiltration using Palo Alto Networks' continuously updated threat prevention signatures and URL categories, all backed by the threat intelligence of the Unit 42 research team.

Q. What are the different types of rulestacks, and what are they used for?

  1. There are two types of rulestacks: global and local. As an AWS Firewall Manager administrator, you can author and enforce a global rulestack on all NGFW resources in your AWS organization. A global rulestack consists of pre-rules and post-rules. As a local AWS account administrator, you can associate a local rulestack (with local rules) to an NGFW resource in your AWS account.

Q. Can Cloud NGFW resources inspect traffic between subnets in the same VPCs?

  1. Yes. You can configure your subnet route tables to redirect traffic between two subnets to the Cloud NGFW endpoint. These route rules will enable the Cloud NGFW resource to inspect traffic between two subnets in your VPC.

Q. Can Cloud NGFW resources inspect encrypted traffic?

  1. Yes. Cloud NGFW resources can inspect encrypted Internet Ingress and Egress traffic of your VPCs.  

Q. Can Cloud NGFW resources perform URL filtering based on SNI?

  1. Yes, for HTTPS traffic, Cloud NGFW for AWS can inspect the domain name provided by the Server Name Indication (SNI) extension during the TLS handshake.

Q. How can I increase my Cloud NGFW for AWS throughput?

  1. The initial (cold-start) throughput capacity of an NGFW resource is 1.5 Gbps per Availability zone. Scaling happens automatically based on your VPC traffic. When deployed within a single AWS availability zone, an NGFW resource can scale out to secure 30 Gbps traffic. When deployed in two or more AWS availability zones, an NGFW resource can scale out to secure 45 Gbps of traffic. Please note that actual throughput performance may vary depending on your rulestack complexity and related security and decryption configurations. 

Q. How does Cloud NGFW for AWS handle software updates and planned/unplanned maintenance?

  1. Each Cloud NGFW resource consists of several backend nodes in an active-active configuration behind a Gateway Load Balancer. Cloud NGFW instantiates a new node for replacement if a node fails or needs updates. Connection-draining logic is used to handle the replacement.

Q. Can I purchase Cloud NGFW for AWS through AWS Marketplaces?

  1. Yes, Cloud NGFW for AWS is available as a Pay-As-You-Go subscription in AWS Marketplace.

Q. How is Cloud NGFW for AWS priced?

  1. Cloud NGFW for AWS is priced the same way as other AWS virtual networking resources - Per Hour plus Per GB of traffic. With Cloud NGFW for AWS, you pay an hourly rate for each Availability Zone (AZ) in which an NGFW resource is provisioned. Data processing charges apply to each GB processed by the NGFW. Customers can subscribe to additional security capabilities, such as Threat Prevention and Advanced URL Filtering, as an add-on to the Per Hour price. You can get more details on Cloud NGFW for AWS pricing here.

Q. Do I have to pay AWS for the Gateway Load Balancer (GWLB) and endpoints that Cloud NGFW for AWS uses?

  1. Yes. You will pay AWS for each Cloud NGFW (a.k.a. GWLB) endpoint you use in your AWS account(s) to send traffic to the Cloud NGFW resource. Gateway Load Balancer endpoint pricing is available here. However, the Cloud NGFW for AWS consumption price includes all other required AWS infrastructure components necessary to deliver the service, including compute, storage, and the Gateway Load Balancer deployed in Palo Alto Networks accounts.

Q. How does a Cloud NGFW for AWS Free Trial work?

  1. When you subscribe to the Cloud NGFW through AWS Marketplace, you are automatically enrolled for a free trial. The free trial is valid for seven days and allows you to create up to two NGFWs securing up to 100 GB of traffic.

Q. Can I purchase Cloud NGFW for AWS through an AWS Marketplace SaaS contract option?

  1. Yes, Cloud NGFW is available as a pay-as-you-go (PAYG) subscription and as a SaaS Contract in the AWS marketplace.

Q. Can I deploy Cloud NGFW for AWS using Software NGFW credits? 

  1. At launch, Cloud NGFW will be available as a pay-as-you-go (PAYG) subscription in the AWS marketplace. Enabling customers to use Software NGFW credits to consume Cloud NGFW is under consideration.

Q. Can I deploy Cloud NGFW for AWS using my VM-Series ELA?

  1. No. Cloud NGFW for AWS cannot be deployed with the VM-Series ELA. 

You need to have a good cost estimator tool for both your VM & CNGFW series. It's so difficult and complex to estimate the cost that one would expect.

Last update: 11-21-2022 12:50 AM