Native NGFW Deployment—When you subscribe to Cloud NGFW via AWS Marketplace, you procure a tenant. You can then deploy Cloud NGFW resources for your VPCs with a few clicks on the Cloud NGFW Console or using APIs. These resources come with built-in resilience, scalability, and lifecycle management. You can also use infrastructure-as-code tools such as Cloud Formation or Terraform for creating these resources. Once created, you can author security policies for these Cloud NGFW resources using Native policy management (rulestacks) or using Panorama policy management (device groups).

AWS Firewall Manager Deployment—If you currently use AWS Firewall Manager to manage security groups, or other network security features across your AWS organization, You can use the same AWS Firewall Manager to deploy NGFWs into multiple accounts and VPCs throughout an AWS organization. You can use the AWS Console, AWS APIs, or Cloud Formation to author the Firewall Manager policy configuration that deploys and manages all Cloud NGFW settings.

AWS Firewall Manager also manages the endpoint subnets, route tables, and gateway load-balancer endpoints within the VPC where the Cloud NGFW resource is deployed. When you use AWS Firewall Manager, the Cloud NGFW resource uses global rulestacks in your Cloud NGFW tenant for the security settings and rules. If you have not previously configured a global rulestack in your tenant (using Panorama policy management), AWS Firewall Manager redirects you to the Cloud NGFW console to create and manage the global rule stack using Native Policy management.

Native Policy Management—You can manage security policies on the Cloud NGFW resources by authoring Rulestacks natively using the Cloud NGFW Console or APIs. You can also use Infrastructure-as-code tools such as Cloud Formation or Terraform for creating these rulestacks. A Rulestack defines the advanced access control (App-ID, URL Filtering) and threat prevention behavior of the NGFW. A Rulestack includes a set of security rules and the associated objects and security profiles.

Panorama Policy Management—You can link your Cloud NGFW tenant with a Panorama appliance to author and manage policies for your Cloud NGFW resources. You can use Panorama Console, APIs, or Terraform to author these security policies on the Cloud device groups. The policy you author in Panorama Cloud Device group will manifest as global rulestacks in your Cloud NGFW tenant.