Cloud NGFW for AWS - FAQ


 

PRODUCT

 

Q. What is Cloud NGFW for AWS?

  1. Cloud NGFW for AWS is a fully managed cloud-native next-generation firewall service delivered by Palo Alto Networks on the Amazon Web Services (AWS) platform.

Q. What are the key benefits of Cloud NGFW for AWS?

  1. With Cloud NGFW for AWS, you have both best-in-class security and an easy, fully managed cloud-native experience.

  • First, because Cloud NGFW for AWS is a Palo Alto Networks managed service, you no longer carry the operational overhead of managing the infrastructure, scaling, availability, resiliency, and software/content updates.

  • Second, security teams can now easily deploy and manage Palo Alto Networks' security capabilities at scale in their AWS environment by using AWS Firewall Manager.

  • Third, Cloud NGFW seamlessly integrates with AWS services (Amazon CloudWatch, Kinesis, S3 buckets, Secrets Manager). These out-of-the-box integrations reduce the operational burden for security teams, who no longer need to maintain custom solutions or specialized expertise to provision and operationalize NGFWs.

  • Fourth, Cloud NGFW integrates with Panorama and Cortex Data Lake, allowing you to streamline policy management, security operations, and more.

Q. What's the difference between Cloud NGFW for AWS and VM-Series?

  1. Cloud NGFW for AWS is a fully managed service on AWS, powered by Palo Alto Networks software firewalls. With Cloud NGFW for AWS, you now have an NGFW deployment experience that handles the delivery of the Palo Alto Next-Generation Firewall capabilities and infrastructure in one motion. Alternatively, you can continue to use Palo Alto Networks VM-Series on AWS, particularly for advanced deployment scenarios (e.g., BGP routing, VPN termination). You decide what instance types are best suited for your environment and how best to manage upgrades, scale-out, and failover.

Q. How is Cloud NGFW for AWS different from Prisma Access?

  1. Cloud NGFW for AWS is a fully managed firewall service on the AWS platform that protects your VPC traffic. In contrast, Prisma Access protects end users and branches that primarily connect to the Internet and SaaS applications. The two are complementary solutions serving different needs.

Q. Can I use Cloud NGFW for AWS to secure workloads in other public clouds (e.g., GCP, Azure, OCI) or my on-prem environment?

  1. Cloud NGFW for AWS is a regional service that runs on the AWS platform to protect your AWS Virtual Private Cloud (VPC) traffic within an AWS region. You cannot use it to secure your workloads in other public cloud environments or your on-prem environment.

Q. What is a Cloud NGFW tenant?

  1. A tenant is an instantiation of the Cloud NGFW service associated with a customer. Cloud NGFW creates a tenant when a user associated with the AWS customer account subscribes to the Cloud NGFW service. Cloud NGFW designates the subscribing AWS user as the administrator of the Cloud NGFW tenant. The tenant is a multi-account, multi-region, and multi-user entity. The administrator can invite other users to use the tenant. The users can onboard AWS accounts, create NGFWs, and configure NGFW rulestacks within the tenant.

Q. What is a Cloud NGFW resource?

  1. A Cloud NGFW resource (or simply NGFW) provides next-generation firewall capabilities for your VPC. This resource has built-in resiliency, scalability, and life-cycle management. An NGFW spans multiple AWS availability zones. Under the hood, an NGFW is a VPC endpoint service.

Q. What are Cloud NGFW endpoints?

  1. An NGFW endpoint in the customer's VPC intercepts traffic and routes it to the NGFW for inspection. To use an NGFW resource, you create a dedicated subnet in your VPC for each desired AWS availability zone, create NGFW endpoints on those subnets, and update the VPC route tables to send the traffic through these Cloud NGFW endpoints. Under the hood, Cloud NGFW endpoints are Gateway Load Balancer endpoints.

Q. What's a Cloud NGFW rulestack?

  1. A rulestack defines the advanced access control (App-ID, Advanced URL Filtering) and threat-prevention behavior for a Cloud NGFW resource. A rulestack includes a set of security rules, associated objects, and security profiles. To use a rulestack, you associate the rulestack with one or more NGFW resources.

Q. Can I use Panorama to manage Cloud NGFW for AWS?

  1. Yes. You can use Panorama to manage policies on Cloud NGFW resources centrally. You subscribe to the service via AWS Marketplace and create NGFW resources as before. You then integrate these Cloud NGFW resources with a Panorama appliance. Once integrated, you can associate Panorama device groups with these NGFW resources and manage security rules. You can use the Panorama log viewer to see logs from Cloud NGFW. The security team can also use the Panorama Application Command Center (ACC) to view summaries of applications, threats, and network activity. Please refer to the integration details here.

Q. In which AWS regions is Cloud NGFW available?

  1. The Region Table enumerates the regions where Cloud NGFW for AWS is currently available.

Q. Does Cloud NGFW for AWS offer a Service Level Agreement?

  1. Cloud NGFW for AWS offers a 99.99% uptime Service Level Agreement (SLA). Please refer to the Cloud NGFW for AWS Service Level Agreement.

Q. What are the known limits of Cloud NGFW for AWS?

  1. Cloud NGFW for AWS is subject to service limits for the number of NGFWs and Rulestacks that you can create, and for other settings, such as the number of rules you can have in a single rulestack. For additional details about service limits, including information about requesting a service quota increase, please refer to Cloud NGFW for AWS Limits and Quota.

 

GETTING STARTED 

 

Q. How do I subscribe to Cloud NGFW for AWS? 

  1. You can subscribe to Cloud NGFW directly in the AWS Marketplace and create a Cloud NGFW tenant. You then onboard your AWS account to the tenant and create NGFW resources by specifying the VPCs in your account.

Q. How do I enable a Cloud NGFW resource for my VPC?

  1. You can set up an NGFW resource for your VPC using the Cloud NGFW UI, REST API, CloudFormation, and Terraform templates. An NGFW resource is an AWS Gateway Load Balancer (GWLB) based VPC endpoint service that spans multiple AWS availability zones. It offers Palo Alto Networks' next-generation firewall capabilities with built-in resiliency, scalability, life-cycle management, and AWS availability zone (AZ) affinity. To use the NGFW resource, create a dedicated subnet (with a minimum size of /28) in your VPC for each desired AWS availability zone, then create NGFW endpoints on the subnets and update the VPC route tables to send the traffic through the NGFW endpoints. Cloud NGFW for AWS inspects all traffic routed to the NGFW endpoints.

Q. Can Cloud NGFW for AWS manage security across multiple AWS accounts?

  1. Yes. Cloud NGFW for AWS is a regional service that secures network traffic at an organization and account level. Consider using AWS Firewall Manager to maintain policy and governance across multiple accounts.

Q. Can I use AWS Firewall Manager to manage Cloud NGFW? 

  1. Yes! You can use AWS Firewall Manager to manage global rulestacks across multiple AWS accounts and VPCs. 

Q. What is the difference between service-managed and customer-managed modes of creating NGFW endpoints?

  1. You can choose to create NGFW endpoints in one of these two modes. In a service-managed mode, Cloud NGFW will create and manage the NGFW endpoints on your behalf. When you create an NGFW resource, the endpoint is automatically created for you on the subnet you specify. If you delete the NGFW resource, the endpoint will also be automatically deleted. For this to work, you must grant the necessary cross-account AWS permissions when you run the CloudFormation template during the AWS account onboarding process. If you are not comfortable granting the cross-account permissions for Cloud NGFW to create endpoints, then you will create the endpoints on your own (i.e., customer-managed mode).

 

WORKING WITH CLOUD NGFW FOR AWS

 

Q. What are the typical deployment architectures for this service?

  1. As discussed here, Cloud NGFW for AWS supports two primary deployment architectures: centralized and distributed. The centralized deployment architecture has three design variants: Centralized, Combined, and Isolated.

Q. Does the Cloud NGFW resource perform NAT on my VPC traffic?

  1. Yes. Cloud NGFW now supports Egress NAT, so it can perform source NAT on outbound traffic. This eliminates the need for a separate AWS NAT Gateway in the VPC for egress traffic. Alternatively, you can continue to use the AWS NAT Gateway in your VPC; in that scenario, Cloud NGFW acts as a bump-in-the-wire, returning all inspected traffic to its endpoint.

Q. Can I use Cloud NGFW with my Transit Gateway (TGW)?

  1. Yes. You can deploy the Cloud NGFW endpoint within your VPC and then attach that VPC to a TGW. 

Q. Which AWS tools can I use to log and monitor my Cloud NGFW activity?

  1. You can log your Cloud NGFW activity to Amazon CloudWatch or an Amazon S3 bucket for further analysis and investigation. You can also use Amazon Kinesis Firehose to stream your logs to a third-party provider. When using Panorama policy management for an NGFW resource, you can view your logs in Cortex Data Lake and the Panorama log viewer.

Q. Does the Cloud NGFW for AWS subnet size need to change as the service scales?

  1. No. Cloud NGFW for AWS doesn't need a subnet bigger than /28.

Q. Is there a limit on the Cloud NGFW endpoints I can create for the NGFW resource?

  1. Yes. You can create up to 300 NGFW endpoints for every NGFW resource.

Q. Can I create Cloud NGFW endpoints in multiple VPCs for the same NGFW resource?

  1. Yes. You can share the Cloud NGFW resource across multiple VPCs in different AWS accounts. You can create NGFW endpoints for an NGFW resource in different VPCs and route traffic to the NGFW resource for inspection. 

SECURITY BREADTH AND DEPTH

 

Q. How does Cloud NGFW for AWS protect my VPC?

  1. Cloud NGFW for AWS offers security depth and breadth by employing a two-phased approach to protecting your VPC. First, Cloud NGFW for AWS allows you to granularly control your VPC traffic and reduce your attack surface with advanced application awareness using Palo Alto Networks' flagship App-ID and URL filtering techniques. Second, on the allowed traffic, Cloud NGFW for AWS enables you to block known and unknown network threats and prevent C2 and data exfiltration using Palo Alto Networks' continuously updated threat prevention signatures and URL categories, DNS security signatures, malware signatures, and DLP profiles, all backed by the threat intelligence of the Unit 42 research team.

Q. How do I manage policies for my Cloud NGFW resource?

  1. When you get started from Strata Cloud Manager, you can create Cloud NGFW resources, author policies, and manage all administrative tasks directly from Strata Cloud Manager.
  2. When you get started from the AWS Marketplace, you can create the NGFW resource using the Cloud NGFW console, APIs, TF provider, or CFT. You specify whether you would use the native rulestack, Panorama, or Strata Cloud Manager to manage policies.
    1. As a local Cloud NGFW administrator, you can author and associate a local rulestack (with local rules) to an NGFW resource using Cloud NGFW console, APIs, TF provider, or CFT.
    2. If your Cloud NGFW tenant is linked with Panorama, you can author policies in Panorama using a Cloud device group. You can then associate the device group with a specific NGFW resource (local rulestack). You also have an option to associate the device group to a specific AWS region (global rulestack) for AWS Firewall Manager's use.
    3. You can link your Cloud NGFW tenant with Strata Cloud Manager and manage policies on Cloud NGFW resources.

Q. Can Cloud NGFW resources inspect traffic between subnets in the same VPCs?

  1. Yes. You can configure your subnet route tables to redirect traffic between two subnets to the Cloud NGFW endpoint. These route rules will enable the Cloud NGFW resource to inspect traffic between two subnets in your VPC.
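An added planning helper (not Palo Alto Networks code) for the subnet and route-table steps described under "How do I enable a Cloud NGFW resource for my VPC?" and for the inter-subnet inspection answer above: it checks the /28 minimum, the one-dedicated-subnet-per-AZ layout and the 300-endpoint limit, then derives the route-table entries that steer east-west traffic through the endpoint in the source subnet's AZ. Subnet names, CIDRs and endpoint ids are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
MIN_ENDPOINT_PREFIX = 28      # dedicated endpoint subnet must be /28 or larger (FAQ)
MAX_ENDPOINTS_PER_NGFW = 300  # endpoints allowed per NGFW resource (FAQ)

@dataclass(frozen=True)
class Subnet:
    name: str
    cidr: str
    az: str

@dataclass(frozen=True)
class Endpoint:
    endpoint_id: str  # GWLB endpoint id; the sample values below are constructed
    subnet: Subnet    # the dedicated Cloud NGFW endpoint subnet

def validate_endpoints(endpoints):
    """Return the list of layout problems; empty means the FAQ limits are met."""
    problems = []
    if len(endpoints) > MAX_ENDPOINTS_PER_NGFW:
        problems.append(f"{len(endpoints)} endpoints exceed the limit of {MAX_ENDPOINTS_PER_NGFW}")
    seen_az = set()
    for ep in endpoints:
        if ipaddress.ip_network(ep.subnet.cidr).prefixlen > MIN_ENDPOINT_PREFIX:
            problems.append(f"{ep.subnet.name}: {ep.subnet.cidr} is smaller than a /{MIN_ENDPOINT_PREFIX}")
        if ep.subnet.az in seen_az:
            problems.append(f"{ep.subnet.az}: more than one endpoint subnet in this AZ")
        seen_az.add(ep.subnet.az)
    return problems

def east_west_routes(workloads, endpoints):
    """For each workload subnet's route table, route every other workload subnet's
    CIDR to the endpoint in the same AZ, so both directions of a flow are
    inspected and the path stays within one AZ."""
    by_az = {ep.subnet.az: ep for ep in endpoints}
    routes = []
    for src in workloads:
        ep = by_az.get(src.az)
        if ep is None:
            raise ValueError(f"no Cloud NGFW endpoint in {src.az} for {src.name}")
        for dst in workloads:
            if dst is not src:
                routes.append((src.name, dst.cidr, ep.endpoint_id))  # (route table, destination, target)
    return routes

# Constructed sample layout: two AZs, each with a /28 endpoint subnet and one workload subnet.
ENDPOINTS = [Endpoint("vpce-aaaa", Subnet("fw-a", "10.0.255.0/28", "us-east-1a")),
             Endpoint("vpce-bbbb", Subnet("fw-b", "10.0.255.16/28", "us-east-1b"))]
WORKLOADS = [Subnet("app-a", "10.0.1.0/24", "us-east-1a"),
             Subnet("app-b", "10.0.2.0/24", "us-east-1b")]

if __name__ == "__main__":
    print(validate_endpoints(ENDPOINTS), east_west_routes(WORKLOADS, ENDPOINTS))
```

Each tuple returned by east_west_routes maps onto one route in the named subnet's route table with the GWLB endpoint as its target; a workload subnet in an AZ without an endpoint is reported rather than silently left uninspected.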

Q. Can Cloud NGFW resources inspect encrypted traffic?

  1. Yes. Cloud NGFW resources can inspect encrypted Internet Ingress and Egress traffic of your VPCs.  

Q. Can Cloud NGFW resources perform URL filtering based on SNI?

  1. Yes, for HTTPS traffic, Cloud NGFW for AWS can inspect the domain name provided by the Server Name Indicator (SNI) during the TLS handshake.

 

RESILIENCY AND SCALABILITY

 

Q. How can I increase my Cloud NGFW for AWS throughput?

  1. The initial (cold-start) throughput capacity of an NGFW resource is 1.5 Gbps per Availability Zone. As discussed here, scaling happens automatically based on your VPC traffic. When deployed within a single AWS availability zone, an NGFW resource can scale out to secure 30 Gbps of traffic. When deployed in two or more AWS availability zones, an NGFW resource can scale out to secure 45 Gbps of traffic. Please note that actual throughput performance may vary depending on the complexity of your rules and related security and decryption configurations.

Q. How does Cloud NGFW for AWS handle software updates and planned/unplanned maintenance?

  1. As discussed here, each Cloud NGFW resource consists of several backend nodes in an active-active configuration behind a Gateway Load Balancer. Cloud NGFW instantiates a new node for replacement if a node fails or needs updates. Connection-draining logic is used to handle the replacement.

 

PRICING & LICENSING

 

Q. Can I purchase Cloud NGFW for AWS through AWS Marketplaces?

  1. Yes, Cloud NGFW for AWS is available as a Pay-As-You-Go subscription in AWS Marketplace. You can also procure Cloud NGFW credits directly from Palo Alto Networks or its partners. Your Palo Alto Networks sales team and its partners can send these credits to you directly or by using the AWS Marketplace Private Offer or AWS Consulting Partner Private Offer (CPPO) options.

Q. How is Cloud NGFW for AWS priced?

  1. Cloud NGFW for AWS is priced the same way as other AWS virtual networking resources - Per Hour plus Per GB of traffic. With Cloud NGFW for AWS, you pay an hourly rate for each Availability Zone (AZ) in which an NGFW resource is provisioned. Data processing charges apply to each GB processed by the NGFW. Customers can subscribe to additional security capabilities, such as Threat Prevention and Advanced URL Filtering, WildFire, and DLP, or Centralized management capabilities as an add-on to the Per Hour and GB processed prices. Customers configuring Egress NAT no longer pay for AWS NAT Gateway, but incur specific Palo Alto Networks data processing charges for Egress NAT traffic.
     
    You can get more details on Cloud NGFW for AWS pricing here.

Q. Do I have to pay AWS for the Gateway Load Balancer (GWLB) and endpoints that Cloud NGFW for AWS uses?

  1. Yes. You will pay AWS for each Cloud NGFW (a.k.a. GWLB) endpoint you use in your AWS account(s) to send traffic to the Cloud NGFW resource. Gateway Load Balancer endpoint pricing is available here. However, the Cloud NGFW for AWS consumption price includes all other AWS infrastructure components necessary to deliver the service, including compute, storage, and the Gateway Load Balancer deployed in Palo Alto Networks accounts.

Q. How does a Cloud NGFW for AWS Free Trial work?

  1. When you get started from the AWS Marketplace or from Strata Cloud Manager, you are automatically enrolled for a free trial. The free trial is valid for thirty days and allows you to create up to two NGFWs securing up to 100GB of traffic. 

Q. Can I purchase Cloud NGFW for AWS through an AWS Marketplace SaaS contract option?

  1. No. Cloud NGFW is currently available as a pay-as-you-go (PAYG) subscription. You can procure and associate Cloud NGFW credits to your Cloud NGFW AWS tenants by paying an upfront cost for a long-term contract of between 1 and 5 years. You can procure these credits directly from Palo Alto Networks or its partners. Your Palo Alto Networks sales team and its partners can send these credits to you directly or by using the AWS Marketplace Private Offer or AWS Consulting Partner Private Offer (CPPO) options. Your firewall resources, policies, and operations remain intact during the transition from trial to paid AWS Marketplace subscription to Cloud NGFW credits.

Q. Can I deploy Cloud NGFW for AWS using Software NGFW credits? 

  1. Customers can currently use Cloud NGFW credits with Cloud NGFW for AWS resources. Enabling customers to use Software NGFW credits to consume Cloud NGFW is not supported. Please contact your sales team for additional details.

Q. Can I deploy Cloud NGFW for AWS using my VM-Series ELA?

  1. No. Cloud NGFW for AWS cannot be deployed with the VM-Series ELA. 



Comments
L0 Member

You need to have a good cost estimator tool for both your VM & CNGFW series. It's so difficult and complex to estimate the cost that one would expect.

Last Updated:
03-09-2026 02:04 AM