Q. What is Cloud NGFW for AWS?
Cloud NGFW for AWS is a fully managed cloud-native next-generation firewall service delivered by Palo Alto Networks on the Amazon Web Services (AWS) platform.
Q. What are the key benefits of Cloud NGFW for AWS?
With Cloud NGFW for AWS, you have both best-in-class security and an easy, fully managed cloud-native experience.
First, because Cloud NGFW for AWS is a Palo Alto Networks managed service, you no longer have the operational overhead of managing the infrastructure, scaling, availability, resiliency, and software/content updates.
Second, security teams can now easily deploy and manage Palo Alto Networks' security capabilities at scale in their AWS environment by using AWS Firewall Manager.
Third, Cloud NGFW seamlessly integrates with AWS services (AWS CloudWatch, Kinesis, S3 buckets, Secrets Manager). These out-of-the-box integrations reduce the operational burden for security teams. They no longer need to maintain custom solutions or specialized expertise to provision and operationalize NGFWs.
Fourth, Cloud NGFW integrates with Panorama and Cortex Data Lake, allowing you to streamline policy management, security operations, and more.
Q. What's the difference between Cloud NGFW for AWS and VM-Series?
Cloud NGFW for AWS is a fully managed service on the AWS platform, powered by Palo Alto Networks software firewalls. With Cloud NGFW for AWS, you now have an NGFW deployment experience that handles the delivery of the Palo Alto Next-Generation Firewall capabilities and infrastructure in one motion. Alternatively, you can continue to use Palo Alto Networks VM-Series on AWS, particularly for advanced deployment scenarios (e.g., BGP routing, VPN termination). With VM-Series, you decide what instance types are best suited for your environment and how best to manage upgrades, scale-out, and failover.
Q. How is Cloud NGFW for AWS different from Prisma Access?
Cloud NGFW for AWS is a fully managed firewall service on the AWS platform and is used to protect your VPC traffic in AWS. In contrast, Prisma Access protects end-users and branches primarily connecting to the Internet and SaaS applications. The two are complementary solutions serving different needs.
Q. Can I use Cloud NGFW for AWS to secure workloads in other public clouds (i.e. GCP, Azure, OCI) or my on-prem environment?
Cloud NGFW for AWS is a regional service that runs in the AWS platform to protect your AWS Virtual network (VPC) traffic in an AWS region. You cannot use it to secure your workloads in other public cloud environments or your on-prem environment.
Q. What is a Cloud NGFW tenant?
A tenant is an instantiation of the Cloud NGFW service associated with a customer. Cloud NGFW creates a tenant when a user associated with the AWS customer account subscribes to the Cloud NGFW service. Cloud NGFW designates the subscribing AWS user as the administrator of the Cloud NGFW tenant. The tenant is a multi-account, multi-region and multi-user entity. The administrator can invite other users to use the tenant. The users can onboard AWS accounts, create NGFWs and configure NGFW rulestacks within the tenant.
Q. What is a Cloud NGFW resource?
A Cloud NGFW resource (or simply NGFW) provides next-generation firewall capabilities for your VPC. This resource has built-in resiliency, scalability, and life-cycle management. An NGFW spans multiple AWS availability zones. Under the hood, an NGFW is a VPC endpoint service.
Q. What are Cloud NGFW endpoints?
An NGFW endpoint in the customer's VPC intercepts and routes traffic to the NGFW for inspection. To use an NGFW resource, you create a dedicated subnet in your VPC for each desired AWS availability zone, then create NGFW endpoints on the subnets and update the VPC route tables to send the traffic through these Cloud NGFW endpoints. Under the hood, Cloud NGFW endpoints are Gateway Load Balancer endpoints.
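An added example (not Palo Alto Networks code) that audits a VPC layout against the setup this answer describes: an endpoint in a dedicated subnet for each desired availability zone, and route tables that send traffic through an endpoint. The resource IDs and sample data are constructed, and treating `0.0.0.0/0` as the route that must point at an endpoint is an assumption made for the example.

```python
def audit_ngfw_endpoints(desired_azs, subnets, endpoints, workload_subnets, routes):
    """Return a sorted list of findings; an empty list means the layout matches.

    subnets:          subnet id -> availability zone
    endpoints:        endpoint id -> {"subnet": id, "type": EC2 VpcEndpointType}
    workload_subnets: set of subnet ids that host workloads
    routes:           subnet id -> {destination CIDR: route target}
    """
    findings = []
    # Cloud NGFW endpoints are Gateway Load Balancer endpoints; ignore other types.
    gwlbe = {eid: e for eid, e in endpoints.items()
             if e["type"] == "GatewayLoadBalancer"}

    # 1. Every desired AZ needs an endpoint, and its subnet must be dedicated.
    covered = set()
    for eid, e in gwlbe.items():
        covered.add(subnets[e["subnet"]])
        if e["subnet"] in workload_subnets:
            findings.append(f"{eid}: subnet {e['subnet']} is shared with workloads")
    for az in sorted(set(desired_azs) - covered):
        findings.append(f"{az}: no NGFW endpoint in this availability zone")

    # 2. Assumption: the default route is the traffic that must be inspected.
    for sid in sorted(workload_subnets):
        target = routes.get(sid, {}).get("0.0.0.0/0")
        if target not in gwlbe:
            findings.append(
                f"{sid}: default route targets {target}, not an NGFW endpoint")
    return sorted(findings)


# Constructed sample layout: one endpoint in us-east-1a, none in us-east-1b,
# and one workload subnet that still routes straight to an internet gateway.
SUBNETS = {"subnet-fw-a": "us-east-1a", "subnet-app-a": "us-east-1a",
           "subnet-app-b": "us-east-1b"}
ENDPOINTS = {"vpce-0aaa": {"subnet": "subnet-fw-a", "type": "GatewayLoadBalancer"}}
WORKLOADS = {"subnet-app-a", "subnet-app-b"}
ROUTES = {"subnet-app-a": {"0.0.0.0/0": "vpce-0aaa"},
          "subnet-app-b": {"0.0.0.0/0": "igw-0bbb"}}

if __name__ == "__main__":
    for finding in audit_ngfw_endpoints(["us-east-1a", "us-east-1b"],
                                        SUBNETS, ENDPOINTS, WORKLOADS, ROUTES):
        print(finding)
```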
Q. What's a Cloud NGFW rulestack?
A rulestack defines a Cloud NGFW resource's advanced access control (App-ID, Advanced URL Filtering) and threat prevention behavior. A rulestack includes a set of security rules, associated objects, and security profiles. To use a rulestack, you associate the rulestack with one or more NGFW resources.
Q. Can I use Panorama to manage Cloud NGFW for AWS?
Q. In which AWS regions is Cloud NGFW available?
Q. Does Cloud NGFW for AWS offer a Service Level Agreement?
Q. What are the known limits of Cloud NGFW for AWS?
Q. How do I subscribe to Cloud NGFW for AWS?
Q. How do I enable a Cloud NGFW resource for my VPC?
Q. Can Cloud NGFW for AWS manage security across multiple AWS accounts?
Q. Can I use AWS Firewall Manager to manage Cloud NGFW?
Q. What is the difference between service-managed and customer-managed modes of creating NGFW endpoints?
Q. What are the typical deployment architectures for this service?
Q. How do I deploy Cloud NGFW for AWS using the centralized model?
Q. How do I deploy Cloud NGFW for AWS using a distributed model?
Q. Does the Cloud NGFW resource perform NAT on my VPC traffic?
Q. Can I use Cloud NGFW with my Transit Gateway (TGW)?
Q. Which AWS tools can I use to log and monitor my Cloud NGFW activity?
Q. Does the Cloud NGFW for AWS subnet size need to change as the service scales?
Q. Is there a limit on the Cloud NGFW endpoints I can create for the NGFW resource?
Q. Can I create Cloud NGFW endpoints in multiple VPCs for the same NGFW resource?
Q. How does Cloud NGFW for AWS protect my VPC?
Q. How do I manage policies for my Cloud NGFW resource?
Q. Can Cloud NGFW resources inspect traffic between subnets in the same VPC?
Q. Can Cloud NGFW resources inspect encrypted traffic?
Q. Can Cloud NGFW resources perform URL filtering based on SNI?
Q. How can I increase my Cloud NGFW for AWS throughput?
Q. How does Cloud NGFW for AWS handle software updates and planned/unplanned maintenance?
Q. Can I purchase Cloud NGFW for AWS through AWS Marketplace?
Q. How is Cloud NGFW for AWS priced?
Q. Do I have to pay AWS for the Gateway Load Balancer (GWLB) and endpoints that Cloud NGFW for AWS uses?
Q. How does a Cloud NGFW for AWS Free Trial work?
Q. Can I purchase Cloud NGFW for AWS through an AWS Marketplace SaaS contract option?
Q. Can I deploy Cloud NGFW for AWS using Software NGFW credits?
Q. Can I deploy Cloud NGFW for AWS using my VM-Series ELA?