Cloud NGFW for AWS Flashcards
What is the Cloud NGFW Tenant?
instantiation of the Cloud NGFW service associated with an AWS customer account
When is the tenant created?
when an AWS user associated with the AWS customer account subscribes to the Cloud NGFW service
Cloud NGFW designates what as the administrator of the Cloud NGFW tenant?
the subscribing AWS Identity and Access Management (IAM) user
Cloud NGFW can be deployed in which two different models?
- distributed
- centralized
How is Cloud NGFW deployed in the Distributed Deployment workflow?
Cloud NGFW is deployed into each VPC that requires protection
What are the benefits of Distributed Deployment?
- reduces the possibility of misconfiguration
- limits the scope of impact
- each VPC is protected individually, and the blast radius, or extent of the damage, is reduced through VPC isolation
How is Cloud NGFW deployed in the Centralized Deployment workflow?
- the Cloud NGFW is behind a transit gateway (TGW) with a dedicated security VPC
- the model provides centralized security for all virtual networks; firewalls in the central/hub virtual network protect the application workloads on the other spoke virtual networks
What needs to be done on the application VPCs and TGW to redirect traffic to the security VPC for inspection?
configure route rules
What are the use cases for securing traffic with the centralized deployment?
- east-west traffic inspection (VPC to VPC)
- VPC and On-Premises
- Outbound and Inbound
What does FMS stand for?
Firewall Manager Service
What automation tools can be used to deploy Cloud NGFW for AWS?
- Terraform
- CloudFormation Template (CFT)
When onboarding an AWS account, a CloudFormation Template (CFT) is provided to help to enable what?
permissions
When deploying a CFT, what does it create?
a cross-account IAM role in the AWS account
What does the IAM role provide the Cloud NGFW with?
- permissions necessary to read VPC information required to create and manage endpoints
- send logs to logging destinations
- access certificates in the AWS Secrets Manager for traffic decryption
Can you provision resources, such as rules and rule stacks with an AWS CFT?
yes
What are the required conditions a tenant needs to meet in order to provide programmatic access?
- onboard to console
- enable programmatic access
- create AWS IAM roles
- assume AWS IAM roles
- save credentials
A tenant is onboarded through what?
- AWS Marketplace
- NGFWaaS Console
Where does TenantAdmin enable programmatic access?
from UI
AWS IAM roles are created with what?
AWS IAM principal tags assigned to roles in the customer AWS account
What permissions need to be present for the roles?
APIGatewayInvoke
When adding principal tags to IAM roles, what key-value pairs should be added under tag?
- Key=CloudNGFW, Value=CloudFirewallAdmin
- Key=CloudNGFW, Value=CloudRulestackAdmin
What should be added under Trusted Relationship?
IAM user
Which method produces a set of keys?
sts_client.assume_role(RoleArn="arn:value")
Which APIs should be called to get a JWT Token?
- GET:/v1/mgmt/tokens/cloudfirewalladmin
- GET:/v1/mgmt/tokens/cloudrulestackadmin
What needs to be used in the header to be able to do Firewall CRUD APIs or Rulestack APIs?
"Authorization": "token-id"
What does the NGFW endpoint in your VPC allow access to?
NGFW resources
Which security services are available on the AWS Cloud FW?
- Threat Prevention
- Advanced URL filtering
- Decryption
- App-ID
What is built-in to the AWS Cloud FW?
resiliency, scalability, and life-cycle management
Does NGFW span multiple AWS availability zones?
yes
Is Cloud NGFW an endpoint service?
yes
How does each NGFW endpoint manifest?
as an AWS Elastic Network Interface (ENI) (with a private IP address) in the dedicated subnet that you specify
How to use the NGFW resource?
- create a dedicated subnet in your VPC for each desired availability zone
- create NGFW endpoints on the subnets
- update the VPC route tables to send the traffic through the NGFW endpoints
What endpoints are NGFW endpoints?
Gateway Load Balancer endpoints
What traffic does the east-west traffic include?
VPC-to-VPC traffic or the subnet-to-subnet traffic
What is a rulestack?
a set of security rules, associated objects and Security profiles, for enabling advanced access control (App-ID, URL Filtering) and threat prevention features
Can you associate a single rulestack to multiple firewalls?
yes
A user’s ability to create and modify a local or global rulestack depends on their level of access. What are the 3 levels of access?
- Local Administrator Access
- Global Rulestack Administrator Access
- Tenant Administrator Access
What are the privileges of Local Administrator Access?
- local administrator can create and modify rules on local rulestacks only
- can also associate the local rulestack with an NGFW resource
What are the privileges of Global Rulestack Administrator Access?
- AWS Firewall Manager Administrator subscribes to the Cloud NGFW for AWS and becomes the Global Rulestack Administrator for cloud NGFW
- the Global Rulestack Administrator can create and modify global rulestacks
What are the privileges of Tenant Administrator Access?
- Cloud NGFW designates the subscribing AWS user as the administrator of the Cloud NGFW tenant
- can invite other users to use the tenant, onboard AWS accounts, create NGFWs, and configure NGFW rulestacks within the tenant
What are the rulestack components?
- Objects
- Security Rules
- Security Profile
What entities can be an object?
- IP addresses
- FQDNs
- intelligent feeds
- certificates
To how many rulestacks can an object be applied?
a single rulestack
What are the two types of rulestacks?
- Global Rulestacks
- Local Rulestacks
What type of rules can be configured in a rule stack?
- pre-rules
- post-rules
How are the rules processed in a rulestack?
- pre-rules - global rulestack
- local rules - local rulestack
- post-rules - global rulestack
Can you use XFF HTTP header field to enforce security policy?
yes
The XFF request header might contain multiple IP addresses that are separated by commas. Which IP address is used by the NGFW to enforce the policy?
the most recently added address
How are certificates needed for TLS decryption provided to the firewall?
through a certificate list object
What security profiles are predefined based on best security practices and cannot be modified?
- IPS Vulnerability Threat Protection
- Anti-Spyware Threat Protection
- Antivirus Threat Protection
Which security profiles are modifiable?
- File Blocking
- URL Categories and Filtering
What must be done prior to using Panorama for policy management tasks?
Link your Cloud NGFW tenant to the Panorama virtual appliance
What are the two configuration options?
- AWS Firewall Manager Configuration Option
- AWS Account Admin Configuration Option
What does AWS Firewall Manager Configuration Option provide?
native AWS console/API support for management and operations
How does AWS Firewall Manager Configuration Option work?
AWS Firewall Manager administrator subscribes to Cloud NGFW and deploys Cloud NGFW resources for use in multiple AWS accounts
What is AWS Account Admin Configuration Option suitable for?
organizations using custom automation tools
How does AWS Account Admin Configuration Option work?
Each AWS account administrator subscribes individually to Cloud NGFW and deploys Cloud NGFW resources for use in an AWS account
To onboard the Cloud NGFW (AWS) firewall, what are the 4 areas to configure?
- onboard an AWS account to the Cloud NGFW tenant
- create rulestacks with rules
- create the Cloud NGFW and endpoints
- specify logging options
Where are cloud NGFW endpoints created?
in each availability zone in the specified VPC
What is the role of Cloud NGFW endpoints?
intercept traffic and route it to the Cloud NGFW for inspection and policy enforcement
What are the two management modes that can be used to create endpoints automatically or manually?
service-managed or customer-managed deployment
How does Service-Managed Deployment Mode work?
- Cloud NGFW tenant creates an endpoint attached to specified subnets
- Cloud NGFW retrieves a list of subnets in the specified VPC, and from that list you choose the subnets that should have an endpoint
- these subnets might be associated with individual availability zones or deployed in a security VPC and receive traffic from a transit gateway
What are the three choices of destination for your Cloud NGFW logs?
- S3
- Amazon CloudWatch
- Amazon Kinesis
How does the Customer-Managed Deployment Mode work?
- customer manually creates Cloud NGFW endpoints in each availability zone specified
- manually attach the Cloud NGFW endpoints to subnets in the chosen availability zones
- after the Cloud NGFW has been created, you must go to the AWS console to complete the Cloud NGFW endpoint-creation process
The Cloud NGFW supports all availability zones (AZs) in us-east-1, except?
us-east-1e
What needs to be used if you prefer to view logs in the Panorama console or use Application Command Center (ACC) to gain insight into Cloud NGFW traffic or generate reports?
Cortex Data Lake (CDL)
What is the mandatory component of the integration between Panorama and AWS Cloud FW?
Panorama AWS plugin
The Panorama AWS plugin internally uses which plugin to communicate with the Cloud NGFW resources?
Cloud Connector
Which PAN-OS is required to be able to integrate Panorama with AWS Cloud FW?
10.2.3 (or higher)
Which Cloud Connector plugin version is required to be able to integrate Panorama with AWS Cloud FW?
2.0.1 or later
Which AWS plugin version is required to be able to integrate Panorama with AWS Cloud FW?
5.0.1 or later
Which Panorama CLI command needs to be run after installing the Cloud Connector and AWS plugins?
request plugins cloudconnector enable cloudngfw
Which command is used to verify that CloudConnector plugin and Cloud NGFW functionality are enabled?
show plugins aws cngfw-status
There are two management modes that can be used to create endpoints. What are they?
- service-managed mode
- customer-managed mode
How are firewall endpoints created in service-managed mode?
- Cloud NGFW tenant automatically creates an endpoint in each subnet specified
- NGFW service retrieves a list of subnets from the VPC specified; from that list, you need to choose the subnets that should have an endpoint
How are firewall endpoints created in customer-managed mode?
- choose the existing availability zones that need to be secured in the specified VPC, then manually create the NGFW endpoints in existing subnets in the chosen zones
- after the NGFW has been created, use the AWS console to complete the process of creating NGFW endpoints
What needs to be done after creating an NGFW and NGFW endpoints?
update AWS route tables to ensure that traffic is sent to the NGFW
When creating NGFW, what needs to be specified?
a VPC, local rulestack and how and where the associated NGFW endpoints are deployed