AWS Firewall Manager supports Palo Alto Networks Cloud NGFW next-generation firewalls

AWS recently announced that Firewall Manager supports Cloud NGFW for AWS, the next-generation firewall (NGFW) service from Palo Alto Networks. Palo Alto Networks has partnered with the cloud provider to offer a managed firewall service designed to simplify securing AWS deployments.

Jeff Barr, vice president and chief evangelist at AWS, explains the benefits of Cloud NGFW for AWS:

Palo Alto Networks pioneered the concept of deep packet inspection in its NGFWs. Cloud NGFW for AWS can decrypt network packets, look inside, and then identify applications using signatures, protocol decoding, behavioral analysis, and heuristics. This gives you the ability to implement granular, application-centric security management that is more effective than simpler models based solely on ports, protocols, and IP addresses.

With Advanced URL Filtering, customers can create rules to identify and manage network traffic based on curated lists of sites that distribute viruses, spyware, and other types of malware. Other supported Palo Alto Networks technologies are Threat Prevention, to stop known exploits and malware, and App-ID, to reduce the risk of attack by controlling traffic based on Layer 7 traffic classification.

Source: https://live.paloaltonetworks.com/t5/blogs/how-native-is-cloud-ngfw-for-aws/ba-p/476736

Cloud NGFW can control traffic between VPCs without the customer having to insert and operate their own IPS appliances to monitor and protect cloud workloads. Using Palo Alto Networks technology on AWS was previously possible but not easy to implement, requiring either a VPN connection or a so-called inspection VPC. In addition, the customer had to manage the firewall itself and the scaling of the underlying infrastructure.

The cybersecurity company released a Getting Started with Cloud NGFW for AWS guide documenting the configuration of the new service, and explains on its tech blog:

Cloud NGFW supports a variety of deployment scenarios. You can use AWS gateways such as Internet Gateway, NAT Gateway, and Transit Gateway in conjunction with NGFW endpoint(s) and VPC routing to support distributed and centralized deployment architectures. Cloud NGFW acts as a bump in the wire in the outbound, east-west, and inbound traffic paths in these architectures. Traffic packet headers and payload remain intact, providing full visibility into the destination (no SNAT/DNAT).
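The deployment model described in the quote above, with endpoints placed in the traffic path purely by VPC routing and no NAT, only works if every leg of a flow actually traverses an endpoint: a missing ingress route leaves one direction uninspected, and a default route pointing back at the endpoint loops. The following Python model is an added example, not code from the article or from Palo Alto Networks. It traces a packet through a small constructed distributed deployment (a workload subnet, a firewall subnet holding the endpoint, and an internet-gateway ingress route table) and checks that both the outbound and the inbound leg cross the endpoint exactly once. All identifiers (the vpce- and igw- IDs, the CIDRs, the route table names) are hypothetical, and the assumption that the endpoint shows up as a vpce- route target and re-injects inspected packets into the firewall subnet's route table is a simplification of what VPC ingress routing and the endpoint do.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical identifiers for this illustration (not from the article).
FIREWALL_VPCE = "vpce-0f1e2d3c4b5a69788"   # Cloud NGFW endpoint in the firewall subnet
IGW = "igw-0a1b2c3d4e5f60718"
VPC_CIDR = "10.0.0.0/16"
WORKLOAD_CIDR = "10.0.1.0/24"


@dataclass(frozen=True)
class Route:
    dest: str     # CIDR prefix
    target: str   # "local", an igw-/vpce-/nat-/tgw- id, or "blackhole"


@dataclass
class RouteTable:
    name: str
    routes: list

    def lookup(self, dst_ip):
        """Longest-prefix match, the rule the VPC router applies."""
        addr = ip_address(dst_ip)
        best = None
        for r in self.routes:
            net = ip_network(r.dest)
            if addr in net and (best is None or net.prefixlen > ip_network(best.dest).prefixlen):
                best = r
        return best


def trace(tables, start_rt, dst_ip, firewall_rt, max_hops=8):
    """Follow a packet through VPC routing and return its (route table, target) hops.
    A vpce- target hands the packet to the firewall endpoint; after inspection it
    re-enters routing from the firewall subnet's table (the 'bump in the wire').
    Any other target ends the path; exceeding max_hops is reported as a loop."""
    hops, rt = [], start_rt
    for _ in range(max_hops):
        route = tables[rt].lookup(dst_ip)
        if route is None:
            hops.append((rt, "no-route"))
            return hops
        hops.append((rt, route.target))
        if not route.target.startswith("vpce-"):
            return hops
        rt = firewall_rt
    hops.append((rt, "loop"))
    return hops


def passes_firewall_once(hops):
    """True when the path crossed exactly one endpoint and terminated cleanly."""
    crossings = sum(1 for _, target in hops if target.startswith("vpce-"))
    return crossings == 1 and hops[-1][1] not in ("loop", "no-route")


def check_inline_inspection(tables, workload_ip, remote_ip,
                            workload_rt="workload-rt", edge_rt="igw-edge-rt",
                            firewall_rt="firewall-rt"):
    """Check both legs of a flow between a workload and an internet host.
    Outbound starts in the workload subnet; inbound starts at the internet
    gateway's ingress route table. Without NAT, both legs must cross the
    endpoint or the firewall sees only half of the conversation."""
    outbound = trace(tables, workload_rt, remote_ip, firewall_rt)
    inbound = trace(tables, edge_rt, workload_ip, firewall_rt)
    return {
        "outbound_inspected": passes_firewall_once(outbound),
        "inbound_inspected": passes_firewall_once(inbound),
        "outbound_path": outbound,
        "inbound_path": inbound,
    }


def distributed_vpc(edge_route_present=True, firewall_default=IGW):
    """A constructed single-VPC layout: workload subnet -> endpoint -> IGW outbound,
    and IGW -> endpoint -> workload subnet inbound via ingress routing.
    edge_route_present=False drops the ingress route (a common misconfiguration);
    firewall_default=FIREWALL_VPCE points the firewall subnet's default route back
    at the endpoint, which loops."""
    edge_routes = [Route(VPC_CIDR, "local")]
    if edge_route_present:
        edge_routes.append(Route(WORKLOAD_CIDR, FIREWALL_VPCE))
    return {
        "workload-rt": RouteTable("workload-rt", [Route(VPC_CIDR, "local"), Route("0.0.0.0/0", FIREWALL_VPCE)]),
        "firewall-rt": RouteTable("firewall-rt", [Route(VPC_CIDR, "local"), Route("0.0.0.0/0", firewall_default)]),
        "igw-edge-rt": RouteTable("igw-edge-rt", edge_routes),
    }


if __name__ == "__main__":
    scenarios = [("correct", distributed_vpc()),
                 ("missing ingress route", distributed_vpc(edge_route_present=False)),
                 ("looping firewall default", distributed_vpc(firewall_default=FIREWALL_VPCE))]
    for label, tables in scenarios:
        result = check_inline_inspection(tables, "10.0.1.10", "203.0.113.5")
        print(f"{label:26} outbound={result['outbound_inspected']} inbound={result['inbound_inspected']}")
```

The check is deliberately strict about crossing the endpoint exactly once: zero crossings on a leg means the firewall is bypassed, and more than one means the route tables send traffic around in a circle. The same trace can be pointed at a Transit Gateway attachment route table instead of the IGW ingress table to check the centralized layout the quote mentions.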

Nick Matthews, Senior Product Manager at AWS, tweeted about the partnership:

I think that’s pretty cool – Palo Alto as a service within AWS. We’ve been talking for years about how we could enable third-party services “like a checkbox” and it’s finally coming to fruition.

Matthews adds:

I think the elegant part here is that these firewalls appear as a single network interface in your VPC – you’re not messing with a stack of firewalls and load balancers and symmetry etc.

AWS Firewall Manager also supports other types of firewalls: AWS WAF, AWS Shield Advanced, VPC security groups, AWS Network Firewall, and Route 53 Resolver DNS Firewall.

AWS Firewall Manager and Cloud NGFW are regional services, with Cloud NGFW currently available only in the Northern Virginia (us-east-1) and Northern California (us-west-1) regions. The service is sold as an à la carte subscription in the AWS Marketplace and starts at $1.637/hr plus a charge for processed traffic. The Threat Prevention and Advanced URL Filtering features are priced separately.