Creating an AWS Firewall Manager policy

Sign in to the AWS Management Console using your Firewall Manager administrator account, and then open the Firewall Manager console at https://console.aws.amazon.com/wafv2/fmsv2. For information about setting up a Firewall Manager administrator account, see AWS Firewall Manager prerequisites.

In the navigation pane, choose Security policies.

Choose Create policy.

For Policy type, choose AWS WAF.

For Region, choose an AWS Region. To protect Amazon CloudFront distributions, choose Global.

To protect resources in multiple Regions (other than CloudFront distributions), you must create separate Firewall Manager policies for each Region.

Choose Next.

For Policy name, enter a descriptive name. Firewall Manager includes the policy name in the names of the web ACLs that it manages. The web ACL names have FMManagedWebACLV2- followed by the policy name that you enter here, -, and the web ACL creation timestamp, in UTC milliseconds. For example, FMManagedWebACLV2-MyWAFPolicyName-1621880374078.

For Web request body inspection, optionally change the body size limit. For information about body inspection size limits, including pricing considerations, see Managing body inspection size limits in the AWS WAF Developer Guide.

Under Policy rules, add the rule groups that you want AWS WAF to evaluate first and last in the web ACL. To use AWS WAF managed rule group versioning, toggle Enable versioning. The individual account managers can add rules and rule groups in between your first rule groups and your last rule groups. For more information about using AWS WAF rule groups in Firewall Manager policies for AWS WAF, see AWS WAF policies.

(Optional) To customize how your web ACL uses the rule group, choose Edit. The following are common customization settings:

When you're finished with your settings, choose Save rule.

Set the default action for the web ACL. This is the action that AWS WAF takes when a web request doesn't match any of the rules in the web ACL. You can add custom headers with the Allow action, or custom responses for the Block action. For more information about default web ACL actions, see The web ACL default action. For information about setting custom web requests and responses, see Customized web requests and responses in AWS WAF.

For Logging configuration, choose Enable logging to turn on logging. Logging provides detailed information about traffic that is analyzed by your web ACL. Choose the Logging destination, and then choose the logging destination that you configured. You must choose a logging destination whose name begins with aws-waf-logs-. For information about configuring a AWS WAF logging destination, see Configuring logging for an AWS WAF policy.

(Optional) If you don't want certain fields and their values included in the logs, redact those fields. Choose the field to redact, and then choose Add. Repeat as necessary to redact additional fields. The redacted fields appear as REDACTED in the logs. For example, if you redact the URI field, the URI field in the logs will be REDACTED.

(Optional) If you don't want to send all requests to the logs, add your filtering criteria and behavior. Under Filter logs, for each filter that you want to apply, choose Add filter, then choose your filtering criteria and specify whether you want to keep or drop requests that match the criteria. When you finish adding filters, if needed, modify the Default logging behavior. For more information, see Managing logging for a web ACL in the AWS WAF Developer Guide.

You can define a Token domain list to enable token sharing between protected applications. Tokens are used by the CAPTCHA and Challenge actions and by the application integration SDKs that you implement when you use the AWS Managed Rules rule groups for AWS WAF Fraud Control account takeover prevention (ATP) and AWS WAF Bot Control.

Public suffixes aren't allowed. For example, you can't use gov.au or co.uk as a token domain.

By default, AWS WAF accepts tokens only for the domain of the protected resource. If you add token domains in this list, AWS WAF accepts tokens for all domains in the list and for the domain of the associated resource. For more information, see Configuring the web ACL token domain list in the AWS WAF Developer Guide.

You can only change the web ACL's CAPTCHA and challenge immunity times when you edit an existing web ACL. You can find these settings under the Firewall Manager Policy details page. For information about these settings, see Timestamp expiration: token immunity times. If you update the Association config, CAPTCHA, Challenge, or Token domain list settings in an existing policy, Firewall Manager will overwrite the your local web ACLs with the new values. However, if you don't update the policy's Association config, CAPTCHA, Challenge, or Token domain list settings, then the values in your local web ACLs will remain unchanged. For information about this option, see CAPTCHA and Challenge in AWS WAF in the AWS WAF Developer Guide.

Under Web ACL management, if you want Firewall Manager to manage unassociated web ACLs, then enable Manage unassociated web ACLs. With this option, Firewall Manager creates web ACLs in the accounts within policy scope only if the web ACLs will be used by at least one resource. If at any time an account comes into policy scope, Firewall Manager automatically creates a web ACL in the account if at least one resource will use the web ACL. Upon enablement of this option, Firewall Manager performs a one-time cleanup of unassociated web ACLs in your account. The cleanup process can take several hours. If a resource leaves policy scope after Firewall Manager creates a web ACL, Firewall Manager disassociates the resource from the web ACL, but won't clean up the unassociated web ACL. Firewall Manager only cleans up unassociated web ACLs when you first enable management of unassociated web ACLs in a policy.

For Policy action, if you want to create a web ACL in each applicable account within the organization, but not apply the web ACL to any resources yet, choose Identify resources that don't comply with the policy rules, but don't auto remediate and don't choose Manage unassociated web ACLs. You can change these options later.

If instead you want to automatically apply the policy to existing in-scope resources, choose Auto remediate any noncompliant resources. If Manage unassociated web ACLs is disabled, the Auto remediate any noncompliant resources option creates a web ACL in each applicable account within the organization and associates the web ACL with the resources in the accounts. If Manage unassociated web ACLs is enabled, the Auto remediate any noncompliant resources option only creates and associates a web ACL in accounts that have resources eligible for association to the web ACL.

When you choose Auto remediate any noncompliant resources, you can also choose to remove existing web ACL associations from in-scope resources, for the web ACLs that aren't managed by another active Firewall Manager policy. If you choose this option, Firewall Manager first associates the policy's web ACL with the resources, and then removes the prior associations. If a resource has an association with another web ACL that's managed by a different active Firewall Manager policy, this choice doesn't affect that association.

Choose Next.

For AWS accounts this policy applies to, choose the option as follows:

You can only choose one of the options.

After you apply the policy, Firewall Manager automatically evaluates any new accounts against your settings. For example, if you include only specific accounts, Firewall Manager doesn't apply the policy to any new accounts. As another example, if you include an OU, when you add an account to the OU or to any of its child OUs, Firewall Manager automatically applies the policy to the new account.

For Resource type, choose the types of resources that you want to protect.

For Resources, if you want to protect (or exclude) only resources that have specific tags, select the appropriate option, then enter the tags to include or exclude. You can choose only one option. For more information about tags, see Working with Tag Editor.

If you enter more than one tag, a resource must have all of the tags to be included or excluded.

Choose Next.

For Policy tags, add any identifying tags that you want for the Firewall Manager policy. For more information about tags, see Working with Tag Editor.

Choose Next.

Review the new policy. To make any changes, choose Edit in the area that you want to change. This returns you to the corresponding step in the creation wizard. When you are satisfied with the policy, choose Create policy.

Sign in to the AWS Management Console using your Firewall Manager administrator account, and then open the Firewall Manager console at https://console.aws.amazon.com/wafv2/fmsv2. For information about setting up a Firewall Manager administrator account, see AWS Firewall Manager prerequisites.

In the navigation pane, choose Security policies.

Choose Create policy.

For Policy type, choose AWS WAF Classic.

If you already created the AWS WAF Classic rule group that you want to add to the policy, choose Create an AWS Firewall Manager policy and add existing rule groups. If you want to create a new rule group, choose Create a Firewall Manager policy and add a new rule group.

For Region, choose an AWS Region. To protect Amazon CloudFront resources, choose Global.

To protect resources in multiple Regions (other than CloudFront resources), you must create separate Firewall Manager policies for each Region.

Choose Next.

If you are creating a rule group, follow the instructions in Creating an AWS WAF Classic rule group. After you create the rule group, continue with the following steps.

Enter a policy name.

If you are adding an existing rule group, use the dropdown menu to select a rule group to add, and then choose Add rule group.

A policy has two possible actions: Action set by rule group and Count. If you want to test the policy and rule group, set the action to Count. This action overrides any block action specified by the rules in the rule group. That is, if the policy's action is set to Count, those requests are only counted and not blocked. Conversely, if you set the policy's action to Action set by rule group, actions of the rule group rules are used. Choose the appropriate action.

Choose Next.

For AWS accounts this policy applies to, choose the option as follows:

You can only choose one of the options.

After you apply the policy, Firewall Manager automatically evaluates any new accounts against your settings. For example, if you include only specific accounts, Firewall Manager doesn't apply the policy to any new accounts. As another example, if you include an OU, when you add an account to the OU or to any of its child OUs, Firewall Manager automatically applies the policy to the new account.

Choose the type of resource that you want to protect.

If you want to protect only resources with specific tags, or alternatively exclude resources with specific tags, select Use tags to include/exclude resources, enter the tags, and then choose either Include or Exclude. You can choose only one option.

If you enter more than one tag (separated by commas), if a resource has any of those tags, it is considered a match.

For more information about tags, see Working with Tag Editor.

If you want to automatically apply the policy to existing resources, choose Create and apply this policy to existing and new resources.

This option creates a web ACL in each applicable account within an AWS organization and associates the web ACL with the resources in the accounts. This option also applies the policy to all new resources that match the preceding criteria (resource type and tags). Alternatively, if you choose Create policy but do not apply the policy to existing or new resources, Firewall Manager creates a web ACL in each applicable account within the organization, but doesn't apply the web ACL to any resources. You must apply the policy to resources later. Choose the appropriate option.

For Replace existing associated web ACLs, you can choose to remove any web ACL associations that are currently defined for in-scope resources, and then replace them with associations to the web ACLs that you are creating with this policy. By default, Firewall Manager doesn't remove existing web ACL associations before it adds the new ones. If you want to remove the existing ones, choose this option.

Choose Next.

Review the new policy. To make any changes, choose Edit. When you are satisfied with the policy, choose Create and apply policy.

Sign in to the AWS Management Console using your Firewall Manager administrator account, and then open the Firewall Manager console at https://console.aws.amazon.com/wafv2/fmsv2. For information about setting up a Firewall Manager administrator account, see AWS Firewall Manager prerequisites.

In the navigation pane, choose Security policies.

Choose Create policy.

For Policy type, choose Shield Advanced.

To create a Shield Advanced policy, you must be subscribed to Shield Advanced. If you are not subscribed, you are prompted to do so. For information about the cost for subscribing, see AWS Shield Advanced Pricing.

For Region, choose an AWS Region. To protect Amazon CloudFront distributions, choose Global.

For Region choices other than Global, to protect resources in multiple Regions, you must create a separate Firewall Manager policy for each Region.

Choose Next.

For Name, enter a descriptive name.

For Global Region policies only, you can choose whether you want to manage Shield Advanced automatic application layer DDoS mitigation. For information about this Shield Advanced feature, see Shield Advanced automatic application layer DDoS mitigation.

You can choose to enable or disable automatic mitigation, or you can choose to ignore it. If you choose to ignore it, Firewall Manager doesn't manage automatic mitigation at all for the Shield Advanced protections. For more information about these policy options, see Automatic application layer DDoS mitigation.

Under Web ACL management, if you want Firewall Manager to manage unassociated web ACLs, then enable Manage unassociated web ACLs. With this option, Firewall Manager creates web ACLs in the accounts within policy scope only if the web ACLs will be used by at least one resource. If at any time an account comes into policy scope, Firewall Manager automatically creates a web ACL in the account if at least one resource will use the web ACL. Upon enablement of this option, Firewall Manager performs a one-time cleanup of unassociated web ACLs in your account. The cleanup process can take several hours. If a resource leaves policy scope after Firewall Manager creates a web ACL, Firewall Manager will not disassociate the resource from the web ACL. To include the web ACL in the one-time cleanup, you must first manually disassociate the resources from the web ACL and then enable Manage unassociated web ACLs.

For Policy action, we recommend creating the policy with the option that doesn't automatically remediate noncompliant resources. When you disable automatic remediation, you can assess the effects of your new policy before you apply it. When you are satisfied that the changes are what you want, then edit the policy and change the policy action to enable automatic remediation.

If instead you want to automatically apply the policy to existing in-scope resources, choose Auto remediate any noncompliant resources. This option applies Shield Advanced protections for each applicable account within the AWS organization and each applicable resource in the accounts.

For Global Region policies only, if you choose Auto remediate any noncompliant resources, you can also choose to have Firewall Manager automatically replace any existing AWS WAF Classic web ACL associations with new associations to web ACLs that were created using the latest version of AWS WAF (v2). If you choose this, Firewall Manager removes the associations with the earlier version web ACLs and creates new associations with latest version web ACLs, after creating new empty web ACLs in any in-scope accounts that don't already have them for the policy. For more information about this option, see Replace AWS WAF Classic web ACLs with latest version web ACLs.

Choose Next.

For AWS accounts this policy applies to, choose the option as follows:

You can only choose one of the options.

After you apply the policy, Firewall Manager automatically evaluates any new accounts against your settings. For example, if you include only specific accounts, Firewall Manager doesn't apply the policy to any new accounts. As another example, if you include an OU, when you add an account to the OU or to any of its child OUs, Firewall Manager automatically applies the policy to the new account.

Choose the type of resource that you want to protect.

Firewall Manager does not support Amazon Route 53 or AWS Global Accelerator. If you need to use Shield Advanced to protect resources from these services, you can't use a Firewall Manager policy. Instead, follow the Shield Advanced guidance at Adding AWS Shield Advanced protection to AWS resources.

If you want to protect only resources with specific tags, or alternatively exclude resources with specific tags, select Use tags to include/exclude resources, enter the tags separated by commas, and then choose either Include or Exclude. You can choose only one option.

If you enter more than one tag, and if a resource has any of those tags, it is considered a match.

For more information about tags, see Working with Tag Editor.

Choose Next.

For Policy tags, add any identifying tags that you want for the Firewall Manager policy. For more information about tags, see Working with Tag Editor.

Choose Next.

Review the new policy. To make any changes, choose Edit in the area that you want to change. This returns you to the corresponding step in the creation wizard. When you are satisfied with the policy, choose Create policy.

Sign in to the AWS Management Console using your Firewall Manager administrator account, and then open the Firewall Manager console at https://console.aws.amazon.com/wafv2/fmsv2. For information about setting up a Firewall Manager administrator account, see AWS Firewall Manager prerequisites.

In the navigation pane, choose Security policies.

Choose Create policy.

For Policy type, choose Security group.

For Security group policy type, choose Common security groups.

For Region, choose an AWS Region.

Choose Next.

For Policy name, enter a friendly name.

For Policy rules, do the following:

1. From the rules option, choose the restrictions that you want to apply to the security group rules and the resources that are within policy scope. If you choose Distribute tags from the primary security group to the security groups created by this policy, then you must also select Identify and report when the security groups created by this policy become non-compliant.

   Important

   Firewall Manager won't distribute system tags added by AWS services into the replica security groups. System tags begin with the aws: prefix. Additionally, Firewall Manager won't update the tags of existing security groups or create new security groups if the policy has tags that conflict with the organization's tag policy. For information about tag policies, see Tag policies in the AWS Organizations User Guide.

   If you choose Distribute security group references from the primary security group to the security groups created by this policy, Firewall Manager only distributes the security group references if they have an active peering connection in Amazon VPC. For information about this option, see Policy rules settings.

2. For Primary security groups, choose Add primary security group, and then choose the security group that you want to use. Firewall Manager populates the list of primary security groups from all Amazon VPC instances in the Firewall Manager administrator account. The default maximum number of primary security groups for a policy is one. For information about increasing the maximum, see AWS Firewall Manager quotas.

3. For Policy action, we recommend creating the policy with the option that doesn't automatically remediate. This allows you to assess the effects of your new policy before you apply it. When you are satisfied that the changes are what you want, then edit the policy and change the policy action to enable automatic remediation of noncompliant resources.

Choose Next.

For AWS accounts this policy applies to, choose the option as follows:

You can only choose one of the options.

After you apply the policy, Firewall Manager automatically evaluates any new accounts against your settings. For example, if you include only specific accounts, Firewall Manager doesn't apply the policy to any new accounts. As another example, if you include an OU, when you add an account to the OU or to any of its child OUs, Firewall Manager automatically applies the policy to the new account.

For Resource type, choose the types of resources that you want to protect.

If you choose EC2 instance, you can choose to include all elastic network interfaces in each Amazon EC2 instance or just the default interface in each instance. If you have more than one elastic network interface in any in-scope Amazon EC2 instance, choosing the option to include all interfaces allows Firewall Manager to apply the policy to all of them. When you enable automatic remediation, if Firewall Manager can't apply the policy to all elastic network interfaces in an Amazon EC2 instance, it marks the instance as noncompliant.

For Resources, if you want to apply the policy to all resources within the AWS accounts and resource type parameters, choose Include all resources that match the selected resource type. If you want to include or exclude specific resources, use tagging to specify the resources, and then choose the appropriate option and add the tags to the list. You can apply the policy either to all resources except those that have all the tags that you specify, or you can apply it to only those that have all the tags that you specify. For more information about tagging your resources, see Working with Tag Editor.

For Shared VPC resources, if you want to apply the policy to resources in shared VPCs, in addition to the VPCs that the accounts own, select Include resources from shared VPCs.

Choose Next.

Review the policy settings to be sure they're what you want, and then choose Create policy.

Sign in to the AWS Management Console using your Firewall Manager administrator account, and then open the Firewall Manager console at https://console.aws.amazon.com/wafv2/fmsv2. For information about setting up a Firewall Manager administrator account, see AWS Firewall Manager prerequisites.

In the navigation pane, choose Security policies.

Choose Create policy.

For Policy type, choose Security group.

For Security group policy type, choose Auditing and enforcement of security group rules.

For Region, choose an AWS Region.

Choose Next.

For Policy name, enter a friendly name.

For Policy rules, choose the managed or custom policy rules option that you want to use.

1. For Configure managed audit policy rules, do the following:

   1. For Configure security group rules to audit, select the type of security group rules that you want your audit policy to apply to.

   2. If you want to do things like audit rules based on the protocols, ports, and CIDR range settings that in your security groups, choose Audit overly permissive security group rules and select the options that you want.

      For the selection Rule allows all traffic, you can provide a custom application list to designate the applications that you want to audit. For information about custom application lists and how to use them in your policy, see Managed lists and Using managed lists.

      For selections that use protocol lists, you can use existing lists and you can create new lists. For information about protocol lists and how to use them in your policy, see Managed lists and Using managed lists.

   3. If you want to audit high-risk based on their access to either reserved or non-reserved CIDR ranges, choose Audit high risk applications and select the options that you want.

      The following selections are mutually exclusive: Applications that can access only reserved CIDR ranges and Applications allowed to access non-reserved CIDR ranges. You can select at most one of them in any policy.

      For selections that use application lists, you can use existing lists and you can create new lists. For information about application lists and how to use them in your policy, see Managed lists and Using managed lists.

   4. Use the Overrides settings to explicitly override other settings in the policy. You can choose to always allow or always deny specific security group rules, regardless of whether they comply with the other options that you've set for the policy.

      For this option, you provide an audit security group as your allowed rules or denied rules template. For Audit security groups, choose Add audit security groups, and then choose the security group that you want to use. Firewall Manager populates the list of audit security groups from all Amazon VPC instances in the Firewall Manager administrator account. The default maximum quota for the number of audit security groups for a policy is one. For information about increasing the quota, see AWS Firewall Manager quotas.

2. For Configure custom policy rules, do the following:

   1. From the rules options, choose whether to allow only the rules defined in the audit security groups or deny all the rules. For information about this choice, see Content audit security group policies.

   2. For Audit security groups, choose Add audit security groups, and then choose the security group that you want to use. Firewall Manager populates the list of audit security groups from all Amazon VPC instances in the Firewall Manager administrator account. The default maximum quota for the number of audit security groups for a policy is one. For information about increasing the quota, see AWS Firewall Manager quotas.

   3. For Policy action, you must create the policy with the option that doesn't automatically remediate. This allows you to assess the effects of your new policy before you apply it. When you are satisfied that the changes are what you want, edit the policy and change the policy action to enable automatic remediation of noncompliant resources.

Choose Next.

For AWS accounts this policy applies to, choose the option as follows:

You can only choose one of the options.

After you apply the policy, Firewall Manager automatically evaluates any new accounts against your settings. For example, if you include only specific accounts, Firewall Manager doesn't apply the policy to any new accounts. As another example, if you include an OU, when you add an account to the OU or to any of its child OUs, Firewall Manager automatically applies the policy to the new account.

For Resource type, choose the types of resource that you want to protect.

For Resources, if you want to apply the policy to all resources within the AWS accounts and resource type parameters, choose Include all resources that match the selected resource type. If you want to include or exclude specific resources, use tagging to specify the resources, and then choose the appropriate option and add the tags to the list. You can apply the policy either to all resources except those that have all the tags that you specify, or you can apply it to only those that have all the tags that you specify. For more information about tagging your resources, see Working with Tag Editor.

Choose Next.

Review the policy settings to be sure they're what you want, and then choose Create policy.

Sign in to the AWS Management Console using your Firewall Manager administrator account, and then open the Firewall Manager console at https://console.aws.amazon.com/wafv2/fmsv2. For information about setting up a Firewall Manager administrator account, see AWS Firewall Manager prerequisites.

In the navigation pane, choose Security policies.

Choose Create policy.

For Policy type, choose Security group.

For Security group policy type, choose Auditing and cleanup of unassociated and redundant security groups.

For Region, choose an AWS Region.

Choose Next.

For Policy name, enter a friendly name.

For Policy rules, choose one or both of the options available.

For Policy action, we recommend creating the policy with the option that doesn't automatically remediate. This allows you to assess the effects of your new policy before you apply it. When you are satisfied that the changes are what you want, then edit the policy and change the policy action to enable automatic remediation of noncompliant resources.

Choose Next.

For AWS accounts this policy applies to, choose the option as follows:

You can only choose one of the options.

After you apply the policy, Firewall Manager automatically evaluates any new accounts against your settings. For example, if you include only specific accounts, Firewall Manager doesn't apply the policy to any new accounts. As another example, if you include an OU, when you add an account to the OU or to any of its child OUs, Firewall Manager automatically applies the policy to the new account.

For Resources, if you want to apply the policy to all resources within the AWS accounts and resource type parameters, choose Include all resources that match the selected resource type. If you want to include or exclude specific resources, use tagging to specify the resources, and then choose the appropriate option and add the tags to the list. You can apply the policy either to all resources except those that have all the tags that you specify, or you can apply it to only those that have all the tags that you specify. For more information about tagging your resources, see Working with Tag Editor.

Choose Next.

If you haven't excluded the Firewall Manager administrator account from the policy scope, Firewall Manager prompts you to do this. Doing this leaves the security groups in the Firewall Manager administrator account, which you use for common and audit security group policies, under your manual control. Choose the option you want in this dialogue.

Review the policy settings to be sure they're what you want, and then choose Create policy.

Sign in to the AWS Management Console using your Firewall Manager administrator account, and then open the Firewall Manager console at https://console.aws.amazon.com/wafv2/fmsv2. For information about setting up a Firewall Manager administrator account, see AWS Firewall Manager prerequisites.

In the navigation pane, choose Security policies.

Choose Create policy.

For Policy type, choose AWS Network Firewall.

Under Firewall management type, choose how you'd like Firewall Manager to manage the policy's firewalls. Choose from the following options:

For Region, choose an AWS Region. To protect resources in multiple Regions, you must create separate policies for each Region.

Choose Next.

For Policy name, enter a descriptive name. Firewall Manager includes the policy name in the names of the Network Firewall firewalls and firewall policies that it creates.

In the AWS Network Firewall policy configuration, configure the firewall policy as you would in Network Firewall. Add your stateless and stateful rule groups and specify the policy's default actions. You can optionally set the policy's stateful rule evaluation order and default actions, as well as logging configuration. For information about Network Firewall firewall policy management, see AWS Network Firewall firewall policies in the AWS Network Firewall Developer Guide.

When you create the Firewall Manager Network Firewall policy, Firewall Manager creates firewall policies for the accounts that are within scope. Individual account managers can add rule groups to the firewall policies, but they can't change the configuration that you provide here.

Choose Next.

Do one of the following, depending on the Firewall management type you selected in the previous step:

Choose Next.

If your policy uses a distributed firewall management type, under Route management, choose whether or not Firewall Manager will monitor and alert on the traffic that must be routed through the respective firewall endpoints.

For Traffic type, optionally add the traffic endpoints that you want to route traffic through for firewall inspection.

For Allow required cross-AZ traffic, if you enable this option then Firewall Manager treats as compliant routing that sends traffic out of an Availability Zone for inspection, for Availability Zones that don't have their own firewall endpoint. Availability Zones that have endpoints must always inspect their own traffic.

Choose Next.

For Policy scope, under AWS accounts this policy applies to, choose the option as follows:

You can only choose one of the options.

After you apply the policy, Firewall Manager automatically evaluates any new accounts against your settings. For example, if you include only specific accounts, Firewall Manager doesn't apply the policy to any new accounts. As another example, if you include an OU, when you add an account to the OU or to any of its child OUs, Firewall Manager automatically applies the policy to the new account.

The Resource type for Network Firewall policies is VPC.

For Resources, if you want to protect (or exclude) only resources that have specific tags, select the appropriate option, then enter the tags to include or exclude. You can choose only one option. For more information about tags, see Working with Tag Editor.

If you enter more than one tag, a resource must have all of the tags to be included or excluded.

Choose Next.

For Policy tags, add any identifying tags that you want for the Firewall Manager policy. For more information about tags, see Working with Tag Editor.

Choose Next.

Review the new policy. To make any changes, choose Edit in the area that you want to change. This returns you to the corresponding step in the creation wizard. When you are satisfied with the policy, choose Create policy.

Sign in to the AWS Management Console using your Firewall Manager administrator account, and then open the Firewall Manager console at https://console.aws.amazon.com/wafv2/fmsv2. For information about setting up a Firewall Manager administrator account, see AWS Firewall Manager prerequisites.

In the navigation pane, choose Security policies.

Choose Create policy.

For Policy type, choose Amazon Route 53 Resolver DNS Firewall.

For Region, choose an AWS Region. To protect resources in multiple Regions, you must create separate policies for each Region.

Choose Next.

For Policy name, enter a descriptive name.

In the policy configuration, add the rule groups that you want DNS Firewall to evaluate first and last among your VPCs' rule group associations. You can add up to two rule groups to the policy.

When you create the Firewall Manager DNS Firewall policy, Firewall Manager creates the rule group associations, with the association priorities that you've provided, for the VPCs and accounts that are within scope. The individual account managers can add rule group associations in between your first and last associations, but they can't change the associations that you define here. For more information, see Amazon Route 53 Resolver DNS Firewall policies.

Choose Next.

For AWS accounts this policy applies to, choose the option as follows:

You can only choose one of the options.

After you apply the policy, Firewall Manager automatically evaluates any new accounts against your settings. For example, if you include only specific accounts, Firewall Manager doesn't apply the policy to any new accounts. As another example, if you include an OU, when you add an account to the OU or to any of its child OUs, Firewall Manager automatically applies the policy to the new account.

The Resource type for DNS Firewall policies is VPC.

For Resources, if you want to protect (or exclude) only resources that have specific tags, select the appropriate option, then enter the tags to include or exclude. You can choose only one option. For more information about tags, see Working with Tag Editor.

If you enter more than one tag, a resource must have all of the tags to be included or excluded.

Choose Next.

For Policy tags, add any identifying tags that you want for the Firewall Manager policy. For more information about tags, see Working with Tag Editor.

Choose Next.

Review the new policy. To make any changes, choose Edit in the area that you want to change. This returns you to the corresponding step in the creation wizard. When you are satisfied with the policy, choose Create policy.

Sign in to the AWS Management Console using your Firewall Manager administrator account, and then open the Firewall Manager console at https://console.aws.amazon.com/wafv2/fmsv2. For information about setting up a Firewall Manager administrator account, see AWS Firewall Manager prerequisites.

In the navigation pane, choose Security policies.

Choose Create policy.

For Policy type, choose Palo Alto Networks Cloud NGFW. If you haven't already subscribed to the Palo Alto Networks Cloud NGFW service in the AWS Marketplace, you'll need to do that first. To subscribe in the AWS Marketplace, choose View AWS Marketplace details.

For Deployment model, choose either the Distributed model or Centralized model. The deployment model determines how Firewall Manager manages endpoints for the policy. With the distributed model, Firewall Manager maintains firewall endpoints in each VPC that's within policy scope. With the centralized model, Firewall Manager maintains a single endpoint in an inspection VPC.

For Region, choose an AWS Region. To protect resources in multiple Regions, you must create separate policies for each Region.

Choose Next.

For Policy name, enter a descriptive name.

In the policy configuration, choose the Palo Alto Networks Cloud NGFW firewall policy to associate with this policy. The list of Palo Alto Networks Cloud NGFW firewall policies contains all of the Palo Alto Networks Cloud NGFW firewall policies that are associated with your Palo Alto Networks Cloud NGFW tenant. For information about creating and managing Palo Alto Networks Cloud NGFW firewall policies, see the Deploy Palo Alto Networks Cloud NGFW for AWS with the AWS Firewall Manager topic in the Palo Alto Networks Cloud NGFW for AWS deployment guide.

For Palo Alto Networks Cloud NGFW logging - optional, optionally choose which Palo Alto Networks Cloud NGFW log type(s) to log for your policy. For information about Palo Alto Networks Cloud NGFW log types, see Configure Logging for Palo Alto Networks Cloud NGFW on AWS in the Palo Alto Networks Cloud NGFW for AWS deployment guide.

For log destination, specify when Firewall Manager should write logs to.

Choose Next.

Under Configure third-party firewall endpoint do one of the following, depending on whether you're using the distributed or centralized deployment model to create your firewall endpoints:

If you want to provide the CIDR blocks for Firewall Manager to use for firewall subnets in your VPCs, they must all be /28 CIDR blocks. Enter one block per line. If you omit these, Firewall Manager chooses IP addresses for you from those that are available in the VPCs.

Choose Next.

For Policy scope, under AWS accounts this policy applies to, choose the option as follows:

You can only choose one of the options.

After you apply the policy, Firewall Manager automatically evaluates any new accounts against your settings. For example, if you include only specific accounts, Firewall Manager doesn't apply the policy to any new accounts. As another example, if you include an OU, when you add an account to the OU or to any of its child OUs, Firewall Manager automatically applies the policy to the new account.

The Resource type for Network Firewall policies is VPC.

For Resources, if you want to protect (or exclude) only resources that have specific tags, select the appropriate option, then enter the tags to include or exclude. You can choose only one option. For more information about tags, see Working with Tag Editor.

If you enter more than one tag, a resource must have all of the tags to be included or excluded.

For Grant cross-account access, choose Download AWS CloudFormation template. This downloads a AWS CloudFormation template that you can use to create a AWS CloudFormation stack. This stack creates an AWS Identity and Access Management role that grants Firewall Manager cross-account permissions to manage Palo Alto Networks Cloud NGFW resources. For information about stacks, see Working with stacks in the AWS CloudFormation User Guide.

Choose Next.

For Policy tags, add any identifying tags that you want for the Firewall Manager policy. For more information about tags, see Working with Tag Editor.

Choose Next.

Review the new policy. To make any changes, choose Edit in the area that you want to change. This returns you to the corresponding step in the creation wizard. When you are satisfied with the policy, choose Create policy.

Sign in to the AWS Management Console using your Firewall Manager administrator account, and then open the Firewall Manager console at https://console.aws.amazon.com/wafv2/fmsv2. For information about setting up a Firewall Manager administrator account, see AWS Firewall Manager prerequisites.

In the navigation pane, choose Security policies.

Choose Create policy.

For Policy type, choose Fortigate Cloud Native Firewall (CNF) as a Service. If you haven't already subscribed to the Fortigate CNF service in the AWS Marketplace, you'll need to do that first. To subscribe in the AWS Marketplace, choose View AWS Marketplace details.

For Deployment model, choose either the Distributed model or Centralized model. The deployment model determines how Firewall Manager manages endpoints for the policy. With the distributed model, Firewall Manager maintains firewall endpoints in each VPC that's within policy scope. With the centralized model, Firewall Manager maintains a single endpoint in an inspection VPC.

For Region, choose an AWS Region. To protect resources in multiple Regions, you must create separate policies for each Region.

Choose Next.

For Policy name, enter a descriptive name.

In the policy configuration, choose the Fortigate CNF firewall policy to associate with this policy. The list of Fortigate CNF firewall policies contains all of the Fortigate CNF firewall policies that are associated with your Fortigate CNF tenant. For information about creating and managing Fortigate CNF tenants, see the Fortinet documentation.

Choose Next.

Under Configure third-party firewall endpoint do one of the following, depending on whether you're using the distributed or centralized deployment model to create your firewall endpoints:

If you want to provide the CIDR blocks for Firewall Manager to use for firewall subnets in your VPCs, they must all be /28 CIDR blocks. Enter one block per line. If you omit these, Firewall Manager chooses IP addresses for you from those that are available in the VPCs.

Choose Next.

For Policy scope, under AWS accounts this policy applies to, choose the option as follows:

You can only choose one of the options.

After you apply the policy, Firewall Manager automatically evaluates any new accounts against your settings. For example, if you include only specific accounts, Firewall Manager doesn't apply the policy to any new accounts. As another example, if you include an OU, when you add an account to the OU or to any of its child OUs, Firewall Manager automatically applies the policy to the new account.

The Resource type for Network Firewall policies is VPC.

For Resources, if you want to protect (or exclude) only resources that have specific tags, select the appropriate option, then enter the tags to include or exclude. You can choose only one option. For more information about tags, see Working with Tag Editor.

If you enter more than one tag, a resource must have all of the tags to be included or excluded.

For Grant cross-account access, choose Download AWS CloudFormation template. This downloads a AWS CloudFormation template that you can use to create a AWS CloudFormation stack. This stack creates an AWS Identity and Access Management role that grants Firewall Manager cross-account permissions to manage Fortigate CNF resources. For information about stacks, see Working with stacks in the AWS CloudFormation User Guide. To create a stack, you'll need the account ID from the Fortigate CNF portal.

Choose Next.

For Policy tags, add any identifying tags that you want for the Firewall Manager policy. For more information about tags, see Working with Tag Editor.

Choose Next.

Review the new policy. To make any changes, choose Edit in the area that you want to change. This returns you to the corresponding step in the creation wizard. When you are satisfied with the policy, choose Create policy.