Cloud NGFW for AWS - FAQ

Q. What is Cloud NGFW for AWS?

  1. Cloud NGFW for AWS is a fully managed cloud-native next-generation firewall service delivered by Palo Alto Networks on the Amazon Web Services (AWS) platform.

Q. What are the key benefits of Cloud NGFW for AWS?

  1. With Cloud NGFW for AWS, you have both best-in-class security and an easy, fully managed cloud-native experience.

  • Because Cloud NGFW for AWS is a Palo Alto Networks managed service, you no longer have the operational overhead of managing the infrastructure, scaling, availability, resiliency, and software/content updates.

  • Second, security teams can now easily deploy and manage Palo Alto Networks' security capabilities at scale in their AWS environment by using AWS Firewall Manager.

  • Third, Cloud NGFW seamlessly integrates with AWS services (Amazon CloudWatch, Kinesis, S3 buckets, Secrets Manager). These out-of-box integrations reduce the operational burden for security teams. They no longer need to maintain custom solutions or specialized expertise to provision and operationalize NGFWs.

  • Fourth, Cloud NGFW integrates with Panorama and Cortex Data Lake, allowing you to streamline policy management, security operations, and more.

Q. What's the difference between Cloud NGFW for AWS and VM-Series?

  1. Cloud NGFW for AWS is a fully managed service on the AWS platform, powered by Palo Alto Networks software firewalls. With Cloud NGFW for AWS, you now have an NGFW deployment experience that handles the delivery of the Palo Alto Next-Generation Firewall capabilities and infrastructure in one motion. Alternatively, you can continue to use Palo Alto Networks VM-Series on AWS, particularly for advanced deployment scenarios (e.g., BGP routing, VPN termination). You decide what instance types are best suited for your environment and how best to manage upgrades, scale-out, and failover.

Q. How is Cloud NGFW for AWS different from Prisma Access?

  1. Cloud NGFW for AWS is a fully managed firewall service on the AWS platform and is used to protect your VPC traffic in AWS. In contrast, Prisma Access protects end-users and branches primarily connecting to the Internet and SaaS applications. The two are complementary solutions serving different needs.

Q. Can I use Cloud NGFW for AWS to secure workloads in other public clouds (e.g., GCP, Azure, OCI) or my on-prem environment?

  1. Cloud NGFW for AWS is a regional service that runs in the AWS platform to protect your Virtual Private Cloud (VPC) traffic in an AWS region. You cannot use it to secure your workloads in other public cloud environments or your on-prem environment.

Q. What is a Cloud NGFW tenant?

  1. A tenant is an instantiation of the Cloud NGFW service associated with a customer. Cloud NGFW creates a tenant when a user associated with the AWS customer account subscribes to the Cloud NGFW service. Cloud NGFW designates the subscribing AWS user as the administrator of the Cloud NGFW tenant. The tenant is a multi-account, multi-region, and multi-user entity. The administrator can invite other users to use the tenant. The users can onboard AWS accounts, create NGFWs, and configure NGFW rulestacks within the tenant.

Q. What is a Cloud NGFW resource?

  1. A Cloud NGFW resource (or simply NGFW) provides next-generation firewall capabilities for your VPC. This resource has built-in resiliency, scalability, and life-cycle management. An NGFW spans multiple AWS availability zones. Under the hood, an NGFW is a VPC endpoint service.

Q. What are Cloud NGFW endpoints?

  1. An NGFW endpoint in the customer's VPC intercepts and routes traffic to the NGFW for inspection. To use an NGFW resource, you create a dedicated subnet in your VPC for each desired AWS availability zone, then create NGFW endpoints on the subnets and update the VPC route tables to send the traffic through these Cloud NGFW endpoints. Under the hood, Cloud NGFW endpoints are Gateway Load Balancer endpoints.

Q. What's a Cloud NGFW rulestack?

  1. A rulestack defines a Cloud NGFW resource's advanced access control (App-ID, Advanced URL Filtering) and threat prevention behavior. A rulestack includes a set of security rules, associated objects, and security profiles. To use a rulestack, you associate the rulestack with one or more NGFW resources.

Q. Can I use Panorama to manage Cloud NGFW for AWS?

  1. Yes. You can use Panorama to centrally manage policies on Cloud NGFW resources. You subscribe to the service via AWS Marketplace and create NGFW resources as described earlier. You then integrate these Cloud NGFW resources with a Panorama appliance. Once integrated, you can associate the Panorama device groups with these NGFW resources and manage security rules. You can use the Panorama log viewer to see logs from Cloud NGFW. The security team can also use the Panorama Application Command Center (ACC) to view a summary of applications, threats, and network activity. Please refer to the integration details here.

Q. In which AWS regions is Cloud NGFW for AWS available?

  1. The Region Table enumerates the regions where Cloud NGFW for AWS is currently available.

Q. Does Cloud NGFW for AWS offer a Service Level Agreement?

  1. Cloud NGFW for AWS offers an uptime Service Level Agreement (SLA) of 99.99%. Please refer to the Cloud NGFW for AWS Service Level Agreement.

Q. What are the known limits of Cloud NGFW for AWS?

  1. Cloud NGFW for AWS is subject to service limits for the number of NGFWs and Rulestacks that you can create and for other settings, such as the number of rules you can have in a single rulestack. For additional details about service limits, including information about requesting a service quota increase, please refer to Cloud NGFW for AWS Limits and Quota.




Q. How do I subscribe to Cloud NGFW for AWS? 

  1. You can subscribe to Cloud NGFW directly in the AWS Marketplace and create a Cloud NGFW tenant. You then onboard your AWS account to the tenant and create NGFW resources by specifying the VPCs in your account.

Q. How do I enable a Cloud NGFW resource for my VPC?

  1. You can set up an NGFW resource for your VPC using the Cloud NGFW UI, REST API, CloudFormation, or Terraform templates. An NGFW resource is an AWS Gateway Load Balancer (GWLB) based VPC endpoint service that spans multiple AWS availability zones. It offers Palo Alto Networks next-generation firewall capabilities with built-in resiliency, scalability, life-cycle management, and AWS availability-zone (AZ) affinity. To use the NGFW resource, create a dedicated subnet (with a minimum size of /28) in your VPC for each desired AWS availability zone, then create NGFW endpoints on the subnets and update the VPC route tables to send the traffic through the NGFW endpoints. Cloud NGFW for AWS inspects all traffic routed to the NGFW endpoints.
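As an added example (not code from Palo Alto Networks or AWS), the Python below checks a proposed set of NGFW endpoint subnets against the rules in this answer: one dedicated subnet per Availability Zone, each at least a /28, inside the VPC CIDR and not overlapping existing subnets. The VPC CIDR, subnet CIDRs, and AZ names are constructed sample values.

```python
"""Validate the dedicated subnets for Cloud NGFW endpoints in a VPC.

Added example, not Palo Alto Networks or AWS code. All CIDRs and AZ names
are constructed samples.
"""
import ipaddress

MAX_PREFIXLEN = 28  # FAQ: a dedicated subnet with a minimum size of /28


def plan_ngfw_subnets(vpc_cidr, existing_subnets, candidates):
    """Return {az: ip_network} for the proposed NGFW endpoint subnets.

    vpc_cidr:         the VPC CIDR block, e.g. "10.0.0.0/16".
    existing_subnets: CIDRs already allocated in the VPC.
    candidates:       list of (az, cidr) pairs, one per Availability Zone.
    Raises ValueError on the first rule violation.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    taken = [ipaddress.ip_network(c) for c in existing_subnets]
    plan = {}
    for az, cidr in candidates:
        net = ipaddress.ip_network(cidr)
        if net.prefixlen > MAX_PREFIXLEN:
            raise ValueError(f"{az}: {cidr} is smaller than /28")
        if not net.subnet_of(vpc):
            raise ValueError(f"{az}: {cidr} is outside VPC {vpc_cidr}")
        clash = next((t for t in taken if t.overlaps(net)), None)
        if clash is not None:
            raise ValueError(f"{az}: {cidr} overlaps {clash}")
        if az in plan:
            raise ValueError(f"{az}: more than one NGFW subnet proposed")
        plan[az] = net
        taken.append(net)  # later candidates must not overlap this one
    return plan


if __name__ == "__main__":
    # Constructed sample: a /16 VPC with two application subnets and two
    # proposed /28 endpoint subnets, one per AZ.
    plan = plan_ngfw_subnets(
        "10.0.0.0/16",
        ["10.0.0.0/24", "10.0.1.0/24"],
        [("us-east-1a", "10.0.255.0/28"), ("us-east-1b", "10.0.255.16/28")],
    )
    for az, net in plan.items():
        print(f"{az}: create NGFW endpoint in {net}")
```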

Q. Can Cloud NGFW for AWS manage security across multiple AWS accounts?

  1. Yes. Cloud NGFW for AWS is a regional service that secures network traffic at an organization and account level. Consider using AWS Firewall Manager to maintain policy and governance across multiple accounts.

Q. Can I use AWS Firewall Manager to manage Cloud NGFW? 

  1. Yes! You can use AWS Firewall Manager to manage global rulestacks across multiple AWS accounts and VPCs. 

Q. What is the difference between service-managed and customer-managed modes of creating NGFW endpoints?

  1. You can choose to create NGFW endpoints in one of two modes. In service-managed mode, Cloud NGFW creates and manages the NGFW endpoints on your behalf. When you create an NGFW resource, the endpoint is automatically created for you on the subnet you specify. If you delete the NGFW resource, the endpoint is also automatically deleted. For this to work, you must grant the necessary cross-account AWS permissions when you run the CloudFormation template during the AWS account onboarding process. If you are not comfortable granting the cross-account permissions for Cloud NGFW to create endpoints, you create the endpoints on your own (customer-managed mode).




Q. What are the typical deployment architectures for this service?

  1. Cloud NGFW for AWS supports two primary deployment types: centralized and distributed. 

Q. How do I deploy Cloud NGFW for AWS using the centralized model?

  1. In the centralized architecture model, a dedicated security VPC connected to an AWS Transit Gateway provides a simplified and centralized approach to managing advanced access control and threat inspection of traffic. You can use the Cloud NGFW UI or AWS Firewall Manager to create an NGFW resource for the centralized security VPC. You can then configure route rules in the application VPCs and the transit gateway to redirect traffic to the security VPC for inspection. You can now inspect inbound and outbound traffic to or from Internet Gateways, Direct Connect gateways, PrivateLink, VPN Site-to-Site and Client gateways, NAT gateways, and traffic between other attached VPCs and subnets.

Q. How do I deploy Cloud NGFW for AWS using a distributed model?

  1. The distributed architecture model allows you to distribute your inspection points (NGFWs) closer to the applications in multiple VPCs while maintaining centralized security control. In the distributed model, you use the AWS Firewall Manager console/APIs to author a Firewall Manager policy that facilitates the deployment of NGFWs in multiple AWS accounts of an AWS Organization. You then add route rules to the VPC's Internet gateway to protect traffic inbound to the application load balancers and public hosts. Similarly, you can add route rules in subnet route tables to redirect all outbound VPC traffic to the NGFW endpoint for inspection.

Q. Does the Cloud NGFW resource perform NAT on my VPC traffic?

  1. No. In both centralized and distributed architectures, the NGFW resource acts as a bump-in-the-wire in your applications' outbound, east-west, and inbound traffic paths. The traffic packet headers and payload are kept intact. This behavior provides complete visibility into the traffic source's identity to your destinations.

Q. Can I use Cloud NGFW with my Transit Gateway (TGW)?

  1. Yes. You can deploy the Cloud NGFW endpoint within your VPC and then attach that VPC to a TGW. 

Q. Which AWS tools can I use to log and monitor my Cloud NGFW activity?

  1. You can log your Cloud NGFW activity to Amazon CloudWatch or an Amazon S3 bucket for further analysis and investigation. You can also use Amazon Kinesis Data Firehose to stream your logs to a third-party provider. When using Panorama policy management for an NGFW resource, you can view your logs in Cortex Data Lake and the Panorama log viewer.

Q. Does the Cloud NGFW for AWS subnet size need to change as the service scales?

  1. No. Cloud NGFW for AWS doesn't need a subnet bigger than /28.

Q. Is there a limit on the Cloud NGFW endpoints I can create for the NGFW resource?

  1. Yes. You can create up to fifty NGFW endpoints for every NGFW resource.

Q. Can I create Cloud NGFW endpoints in multiple VPCs for the same NGFW resource?

  1. Yes. You can share the Cloud NGFW resource across multiple VPCs in different AWS accounts. You can create NGFW endpoints for an NGFW resource in different VPCs and route traffic to the NGFW resource for inspection.



Q. How does Cloud NGFW for AWS protect my VPC?

  1. Cloud NGFW for AWS offers security depth and breadth by employing a two-phased approach to protecting your VPC. First, Cloud NGFW for AWS allows you to granularly control your VPC traffic and reduce your attack surface with advanced application awareness using Palo Alto Networks' flagship App-ID and URL filtering techniques. Second, on the allowed traffic, Cloud NGFW for AWS enables you to block known and unknown network threats and prevent C2 and data exfiltration using Palo Alto Networks' continuously updated threat prevention signatures and URL categories, all backed by the threat intelligence of the Unit 42 research team.

Q. How do I manage policies for my Cloud NGFW resource?

  1. When you create the NGFW resource, you specify whether to use a native rulestack or Panorama for managing policies.
    1. As a local Cloud NGFW administrator, you can author a local rulestack (with local rules) and associate it with an NGFW resource using the Cloud NGFW console, APIs, Terraform provider, or CloudFormation template.
    2. If your Cloud NGFW tenant is linked with Panorama, you can author policies in Panorama using a Cloud device group. You can then associate the device group with a specific NGFW resource (local rulestack). You also have the option to associate the device group with a specific AWS region (global rulestack) for AWS Firewall Manager's use.
    3. If you are using AWS Firewall Manager to manage NGFW resources, you can either use the Panorama-authored global rulestack or author a new global rulestack to use with the NGFW resources.

Q. Can Cloud NGFW resources inspect traffic between subnets in the same VPCs?

  1. Yes. You can configure your subnet route tables to redirect traffic between two subnets to the Cloud NGFW endpoint. These route rules will enable the Cloud NGFW resource to inspect traffic between two subnets in your VPC.
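As an added example (not code from Palo Alto Networks or AWS), this Python builds the subnet route-table entries described in this answer and in the distributed-model answer above: a default route to the NGFW endpoint for outbound traffic and, for east-west inspection, per-peer-subnet routes that are more specific than the VPC local route. It assumes each subnet uses the endpoint in its own AZ (AZ affinity) and refuses to route an endpoint subnet through its own endpoint, which would loop traffic; all route-table IDs, endpoint IDs, CIDRs, and AZ names are constructed samples.

```python
"""Build subnet route-table entries that send VPC traffic through Cloud NGFW
endpoints. Added example, not Palo Alto Networks or AWS code; IDs, CIDRs and
AZ names are constructed samples, and same-AZ endpoint use is an assumption.
"""
import ipaddress


def build_routes(app_subnets, endpoints, ngfw_subnets, inspect_east_west=True):
    """Return a list of (route_table_id, destination_cidr, target_vpce).

    app_subnets:  list of dicts with "rtb", "cidr" and "az" keys.
    endpoints:    {az: vpce_id} for the NGFW endpoint created in each AZ.
    ngfw_subnets: CIDRs of the dedicated endpoint subnets; their traffic must
                  not be sent back through the endpoint (routing loop).
    """
    fw_nets = [ipaddress.ip_network(c) for c in ngfw_subnets]
    routes = []
    for s in app_subnets:
        net = ipaddress.ip_network(s["cidr"])
        if any(net.overlaps(fw) for fw in fw_nets):
            raise ValueError(f"{s['cidr']} is an NGFW endpoint subnet; "
                             "do not route it through the endpoint")
        vpce = endpoints.get(s["az"])
        if vpce is None:  # AZ affinity: use the endpoint in the same AZ
            raise ValueError(f"no NGFW endpoint in {s['az']} for {s['cidr']}")
        # Outbound traffic: default route to the endpoint in this AZ.
        routes.append((s["rtb"], "0.0.0.0/0", vpce))
        if not inspect_east_west:
            continue
        # East-west: one route per peer subnet, more specific than the VPC
        # local route, so subnet-to-subnet traffic is also inspected. Every
        # subnet gets a route to every peer, so the return path is covered.
        for peer in app_subnets:
            if peer is not s:
                routes.append((s["rtb"], peer["cidr"], vpce))
    return routes


if __name__ == "__main__":
    # Constructed sample: two application subnets in two AZs.
    apps = [
        {"rtb": "rtb-app-a", "cidr": "10.0.1.0/24", "az": "us-east-1a"},
        {"rtb": "rtb-app-b", "cidr": "10.0.2.0/24", "az": "us-east-1b"},
    ]
    eps = {"us-east-1a": "vpce-0a", "us-east-1b": "vpce-0b"}
    fw_subnets = ["10.0.255.0/28", "10.0.255.16/28"]
    for rtb, dest, target in build_routes(apps, eps, fw_subnets):
        print(f"{rtb}: {dest} -> {target}")
```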

Q. Can Cloud NGFW resources inspect encrypted traffic?

  1. Yes. Cloud NGFW resources can inspect encrypted Internet ingress and egress traffic of your VPCs.

Q. Can Cloud NGFW resources perform URL filtering based on SNI?

  1. Yes. For HTTPS traffic, Cloud NGFW for AWS can inspect the domain name provided by the Server Name Indication (SNI) extension during the TLS handshake.




Q. How can I increase my Cloud NGFW for AWS throughput?

  1. The initial (cold-start) throughput capacity of an NGFW resource is 1.5 Gbps per Availability Zone. Scaling happens automatically based on your VPC traffic. When deployed within a single AWS availability zone, an NGFW resource can scale out to secure 30 Gbps of traffic. When deployed in two or more AWS availability zones, an NGFW resource can scale out to secure 45 Gbps of traffic. Please note that actual throughput performance may vary depending on your rulestack complexity and related security and decryption configurations.

Q. How does Cloud NGFW for AWS handle software updates and planned/unplanned maintenance?

  1. Each Cloud NGFW resource consists of several backend nodes in an active-active configuration behind a Gateway Load Balancer. Cloud NGFW instantiates a new node for replacement if a node fails or needs updates. Connection-draining logic is used to handle the replacement.




Q. Can I purchase Cloud NGFW for AWS through AWS Marketplaces?

  1. Yes, Cloud NGFW for AWS is available as a Pay-As-You-Go subscription in AWS Marketplace. You can also procure credits and add them to the Cloud NGFW tenant using the SaaS Contract option in AWS Marketplace.

Q. How is Cloud NGFW for AWS priced?

  1. Cloud NGFW for AWS is priced the same way as other AWS virtual networking resources - Per Hour plus Per GB of traffic. With Cloud NGFW for AWS, you pay an hourly rate for each Availability Zone (AZ) in which an NGFW resource is provisioned. Data processing charges apply to each GB processed by the NGFW. Customers can subscribe to additional security capabilities, such as Threat Prevention and Advanced URL Filtering, as an add-on to the Per Hour and GB processed prices. You can get more details on Cloud NGFW for AWS pricing here.

Q. Do I have to pay AWS for the Gateway Load Balancer (GWLB) and endpoints that Cloud NGFW for AWS uses?

  1. Yes. You will pay AWS for each Cloud NGFW (a.k.a. GWLB) endpoint you use in your AWS account(s) to send traffic to the Cloud NGFW resource. Gateway Load Balancer endpoint pricing is available here. However, the Cloud NGFW for AWS consumption price includes all other required AWS infrastructure components necessary to deliver the service, including compute, storage, and the Gateway Load Balancer deployed in Palo Alto Networks accounts.

Q. How does a Cloud NGFW for AWS Free Trial work?

  1. When you subscribe to Cloud NGFW through AWS Marketplace, you are automatically enrolled in a free trial. The free trial is valid for thirty days and allows you to create up to two NGFWs securing up to 100 GB of traffic.

Q. Can I purchase Cloud NGFW for AWS through an AWS Marketplace SaaS contract option?

  1. Yes, Cloud NGFW is available as a pay-as-you-go (PAYG) subscription. You can also procure credits and add them to the Cloud NGFW tenant using the SaaS Contract option in AWS Marketplace. Private pricing is also available using the AWS Private Offer and Consulting Partner Private Offer (CPPO) options.

Q. Can I deploy Cloud NGFW for AWS using Software NGFW credits? 

  1. Customers can currently use Cloud NGFW credits with Cloud NGFW for AWS resources. Enabling customers to use Software NGFW credits to consume Cloud NGFW is not supported. Please contact your sales team for additional details.

Q. Can I deploy Cloud NGFW for AWS using my VM-Series ELA?

  1. No. Cloud NGFW for AWS cannot be deployed with the VM-Series ELA.

L0 Member

You need to have a good cost estimator tool for both your VM & CNGFW series. It's so difficult and complex to estimate the cost that one would expect.

Last Updated: 08-06-2023 03:42 PM