

**Introducing a new console experience for AWS WAF**

You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-console.html). 

# AWS Firewall Manager prerequisites
<a name="fms-prereq"></a>

This topic shows you how to get ready to administer AWS Firewall Manager. You use one Firewall Manager administrator account to manage all Firewall Manager security policies for your organization in AWS Organizations. Except where noted, perform the prerequisite steps using the account that you will use as the Firewall Manager administrator. 

Before you use Firewall Manager for the first time, perform the following steps in sequence. 

**Topics**
+ [Joining and configuring AWS Organizations for using Firewall Manager](join-aws-orgs.md)
+ [Creating an AWS Firewall Manager default administrator account](enable-integration.md)
+ [Enabling AWS Config for using Firewall Manager](enable-config.md)
+ [Subscribing in the AWS Marketplace and configuring third-party settings for Firewall Manager third-party policies](fms-third-party-prerequisites.md)
+ [Enabling resource sharing for Network Firewall and DNS Firewall policies with AWS RAM](enable-ram.md)
+ [Using AWS Firewall Manager in Regions that are disabled by default](enable-disabled-region.md)

# Joining and configuring AWS Organizations for using Firewall Manager
<a name="join-aws-orgs"></a>

To use Firewall Manager, your account must be a member of the organization in the AWS Organizations service where you want to use your Firewall Manager policies. 

**Note**  
For information about Organizations, see [AWS Organizations User Guide](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html). 

**To establish the required AWS Organizations membership and configuration**

1. Choose an account to use as the Firewall Manager administrator for the organization in Organizations. 

1. If your chosen account isn't already a member of the organization, have it join. Follow the guidance at [Inviting an AWS account to join your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_invites.html).

1. AWS Organizations has two available feature sets: *consolidated billing features* and *all features*. To use Firewall Manager, your organization must be enabled for all features. If your organization is configured only for consolidated billing, follow the guidance at [Enabling All Features in Your Organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html).

# Creating an AWS Firewall Manager default administrator account
<a name="enable-integration"></a>

This page provides instructions for creating an AWS Firewall Manager default administrator account.

**Note**  
This procedure uses the account and organization that you chose and configured in the preceding step.

Only the organization's management account can create Firewall Manager default administrator accounts. The first administrator account that you create is the *default administrator* account. The default administrator account can manage third-party firewalls and has full administrative scope. When you set the default administrator account, Firewall Manager automatically sets it as an AWS Organizations delegated administrator for Firewall Manager. This allows Firewall Manager to access information about the organizational units (OUs) in the organization. You can use OUs to specify the scope of your Firewall Manager policies. For more information about setting policy scope, see the guidance for the individual policy types under [Creating an AWS Firewall Manager policy](create-policy.md). For more information about Organizations and management accounts, see [Managing the AWS Accounts in Your Organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts.html).

**Required settings for the organization's management account**  
The organization's management account must have the following settings in order to onboard the organization to Firewall Manager and create a default administrator: 
+ It must be a member of the organization in AWS Organizations where you want to apply your Firewall Manager policies. 

**To set the default administrator account**

1. Sign in to the Firewall Manager AWS Management Console using an existing AWS Organizations management account. 

1. Open the Firewall Manager console at [https://console.aws.amazon.com/wafv2/fmsv2](https://console.aws.amazon.com/wafv2/fmsv2). 

1. In the navigation pane, choose **Settings**.

1. Type the AWS account ID of the account that you've chosen to use as the Firewall Manager administrator.
   **Note**  
   The default administrator has full administrative scope. Full administrative scope means that this account can apply policies to all accounts and organizational units (OUs) within the organization, take actions in all Regions, and manage all Firewall Manager policy types.

1. Choose **Create administrator account** to create the account.

For more information about managing the Firewall Manager administrator account, see [Using AWS Firewall Manager administrators](fms-administrators.md).

# Enabling AWS Config for using Firewall Manager
<a name="enable-config"></a>

To use Firewall Manager, you must enable AWS Config. 

**Note**  
You incur charges for your AWS Config settings, according to AWS Config pricing. For more information, see [Getting Started with AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/getting-started.html).

**Note**  
In order for Firewall Manager to monitor policy compliance, AWS Config must continuously record configuration changes for protected resources. In your AWS Config configuration, the recording frequency must be set to **Continuous**, which is the default setting. 

**To enable AWS Config for Firewall Manager**

1. Enable AWS Config for each of your AWS Organizations member accounts, including the Firewall Manager administrator account. For more information, see [Getting Started with AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/getting-started.html).

1. Enable AWS Config for each AWS Region that contains the resources that you want to protect. You can enable AWS Config manually, or you can use the CloudFormation template "Enable AWS Config" at [AWS CloudFormation StackSets Sample Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-sampletemplates.html). 

   If you don't want to enable AWS Config for all resources, then you must enable the following according to the type of Firewall Manager policies that you use: 
   + **WAF policy** – Enable Config for the resource types CloudFront Distribution, Application Load Balancer (choose **ElasticLoadBalancingV2** from the list), API Gateway, WAF WebACL, WAF Regional WebACL, and WAFv2 WebACL. To enable AWS Config to protect a CloudFront distribution, you must be in the US East (N. Virginia) Region. Other Regions don't have CloudFront as an option. 
   + **Shield policy** – Enable Config for the resource types Shield Protection, ShieldRegional Protection, Application Load Balancer, EC2 EIP, WAF WebACL, WAF Regional WebACL, and WAFv2 WebACL. 
   + **Security group policy** – Enable Config for the resource types EC2 SecurityGroup, EC2 Instance, and EC2 NetworkInterface.
   + **Network ACL policy** – Enable Config for the resource types Amazon EC2 Subnet and Amazon EC2 network ACL.
   + **Network Firewall policy** – Enable Config for the resource types NetworkFirewall FirewallPolicy, NetworkFirewall RuleGroup, EC2 VPC, EC2 InternetGateway, EC2 RouteTable, and EC2 Subnet. 
   + **DNS Firewall policy** – Enable Config for the resource type EC2 VPC and Amazon Route 53 FirewallRuleGroupAssociation. 
   + **Third-party firewall policy** – Enable Config for the resource types Amazon EC2 VPC, Amazon EC2 InternetGateway, Amazon EC2 RouteTable, Amazon EC2 Subnet, and Amazon EC2 VPCEndpoint.
   **Note**  
   If you configure your AWS Config recorder to use a custom IAM role, you need to make sure the IAM policy has the proper permissions to record the Firewall Manager policy's required resource types. Without the proper permissions, the required resources may not be recorded, which prevents Firewall Manager from properly protecting your resources. Firewall Manager doesn't have visibility into these permission misconfigurations. For information about using IAM with AWS Config, see [IAM for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/security-iam.html).
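The following added check (example code, not part of the AWS documentation) verifies that an AWS Config recorder description covers the resource types a given policy type needs and records each of them at `CONTINUOUS` frequency. The recorder dict is a constructed sample in the shape of one entry of the `describe_configuration_recorders()` response; the mapping from the guide's display names to AWS Config resource type identifiers (for example "EC2 SecurityGroup" to `AWS::EC2::SecurityGroup`) is an assumption made here, not taken from the guide.

```python
"""Check an AWS Config recorder against the resource types a Firewall Manager
policy type requires (added example; fetching the recorder via boto3 is up to the caller)."""

# Assumed AWS Config identifiers for the resource types the guide lists per policy type.
REQUIRED_TYPES = {
    "SecurityGroup": ["AWS::EC2::SecurityGroup", "AWS::EC2::Instance",
                      "AWS::EC2::NetworkInterface"],
    "NetworkACL": ["AWS::EC2::Subnet", "AWS::EC2::NetworkAcl"],
    "NetworkFirewall": ["AWS::NetworkFirewall::FirewallPolicy",
                        "AWS::NetworkFirewall::RuleGroup", "AWS::EC2::VPC",
                        "AWS::EC2::InternetGateway", "AWS::EC2::RouteTable",
                        "AWS::EC2::Subnet"],
    "DNSFirewall": ["AWS::EC2::VPC",
                    "AWS::Route53Resolver::FirewallRuleGroupAssociation"],
}


def is_recorded(group, rtype):
    """True if the recordingGroup records rtype under its all-supported, inclusion or exclusion strategy."""
    strategy = group.get("recordingStrategy", {}).get("useOnly")
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        return rtype not in group.get("exclusionByResourceTypes", {}).get("resourceTypes", [])
    if strategy == "ALL_SUPPORTED_RESOURCE_TYPES" or group.get("allSupported"):
        return True
    return rtype in group.get("resourceTypes", [])


def frequency_for(mode, rtype):
    """Effective recording frequency for rtype: a recordingModeOverride wins over the default."""
    for override in mode.get("recordingModeOverrides", []):
        if rtype in override.get("resourceTypes", []):
            return override.get("recordingFrequency")
    return mode.get("recordingFrequency", "CONTINUOUS")  # CONTINUOUS is the AWS Config default


def check_recorder(recorder, policy_type):
    """Return a list of problems; an empty list means the recorder satisfies the policy type."""
    group, mode = recorder.get("recordingGroup", {}), recorder.get("recordingMode", {})
    problems = []
    for rtype in REQUIRED_TYPES[policy_type]:
        if not is_recorded(group, rtype):
            problems.append(f"{rtype}: not recorded")
        elif frequency_for(mode, rtype) != "CONTINUOUS":
            problems.append(f"{rtype}: recording frequency is not CONTINUOUS")
    return problems


# Constructed sample: inclusion-based recorder with a DAILY override on subnets.
SAMPLE_RECORDER = {
    "name": "default",
    "recordingGroup": {"allSupported": False,
                       "resourceTypes": ["AWS::EC2::SecurityGroup", "AWS::EC2::Instance",
                                         "AWS::EC2::NetworkInterface", "AWS::EC2::Subnet"]},
    "recordingMode": {"recordingFrequency": "CONTINUOUS",
                      "recordingModeOverrides": [{"resourceTypes": ["AWS::EC2::Subnet"],
                                                  "recordingFrequency": "DAILY"}]},
}
```

Run `check_recorder(SAMPLE_RECORDER, "NetworkACL")` to see both failure modes at once: the subnet type is recorded but only daily, and the network ACL type is not recorded at all.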

# Subscribing in the AWS Marketplace and configuring third-party settings for Firewall Manager third-party policies
<a name="fms-third-party-prerequisites"></a>

Complete the following prerequisites to set up Firewall Manager third-party firewall policies.

## Fortigate Cloud Native Firewall (CNF) as a Service policy prerequisites
<a name="fms-fortigate-cnf-prerequisites"></a>

**To use Fortigate CNF for Firewall Manager**

1. Subscribe to the [Fortigate Cloud Native Firewall (CNF) as a Service](https://aws.amazon.com/marketplace/pp/prodview-vtjjha5neo52i) service in the AWS Marketplace.

1. First, register a tenant on the Fortigate CNF product portal. Then add your Firewall Manager administrator account under your tenant on the Fortigate CNF product portal. For more information, see the [Fortigate CNF documentation](https://docs.fortinet.com/product/fortigate-cnf).

For information about working with Fortigate CNF policies, see [Using Fortigate Cloud Native Firewall (CNF) as a Service policies for Firewall Manager](fortigate-cnf-policies.md).

## Palo Alto Networks Cloud Next Generation Firewall policy prerequisites
<a name="fms-cloud-ngfw-prerequisites"></a>

**To use Palo Alto Networks Cloud NGFW for Firewall Manager**

1. Subscribe to the [Palo Alto Networks Cloud Next Generation Firewall Pay-As-You-Go](http://aws.amazon.com/marketplace/pp/prodview-nkug66dl4df4i) service in the AWS Marketplace.

1. Complete the Palo Alto Networks Cloud NGFW deployment steps listed in the [Deploy Palo Alto Networks Cloud NGFW for AWS with the AWS Firewall Manager](https://docs.paloaltonetworks.com/cloud-ngfw/aws/cloud-ngfw-on-aws/getting-started-with-cloud-ngfw-for-aws/deploy-cloud-ngfw-for-aws-with-the-aws-firewall-manager.html) topic in the *Palo Alto Networks Cloud Next Generation Firewall for AWS deployment guide*.

For information about working with Palo Alto Networks Cloud NGFW policies, see [Using Palo Alto Networks Cloud NGFW policies for Firewall Manager](cloud-ngfw-policies.md).

# Enabling resource sharing for Network Firewall and DNS Firewall policies with AWS RAM
<a name="enable-ram"></a>

To manage Firewall Manager Network Firewall and DNS Firewall policies, you must enable sharing with AWS Organizations in AWS Resource Access Manager. This allows Firewall Manager to deploy protections across your accounts when you create these policy types.

**To enable sharing with AWS Organizations in AWS Resource Access Manager**
+ Follow the guidance at [Enable Sharing with AWS Organizations](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-orgs) in the *AWS Resource Access Manager User Guide*. 

If you run into problems with resource sharing, see the guidance at [Resource sharing for Network Firewall and DNS Firewall policies](resource-sharing.md). 

# Using AWS Firewall Manager in Regions that are disabled by default
<a name="enable-disabled-region"></a>

To use Firewall Manager in a Region that's disabled by default, you must enable the Region for both the management account of your AWS organization and the Firewall Manager default administrator account. For information about Regions that are disabled by default and how to enable them, see [Managing AWS Regions](https://docs.aws.amazon.com/general/latest/gr/rande-manage.html) in the *AWS General Reference*.

**To enable a disabled Region**
+ For both the Organizations management account and the Firewall Manager default administrator account, follow the guidance at [Enabling a Region](https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable) in the *AWS General Reference*. 

After you follow these steps, you can configure Firewall Manager to begin protecting your resources. For more information, see [Setting up AWS Firewall Manager AWS WAF policies](getting-started-fms.md).