


# Setting up AWS Firewall Manager policies
<a name="getting-started-fms-intro"></a>

You can use AWS Firewall Manager to enable a number of different types of security policies. The steps for getting set up are slightly different for each. 

**Topics**
+ [Setting up AWS Firewall Manager AWS WAF policies](getting-started-fms.md)
+ [Setting up AWS Firewall Manager AWS Shield Advanced policies](getting-started-fms-shield.md)
+ [Setting up AWS Firewall Manager Amazon VPC security group policies](getting-started-fms-security-group.md)
+ [Setting up AWS Firewall Manager Amazon VPC network ACL policies](getting-started-fms-network-acl.md)
+ [Setting up AWS Firewall Manager AWS Network Firewall policies](getting-started-fms-network-firewall.md)
+ [Setting up AWS Firewall Manager DNS Firewall policies](getting-started-fms-dns-firewall.md)
+ [Setting up AWS Firewall Manager Palo Alto Networks Cloud Next Generation Firewall policies](getting-started-fms-cloud-ngfw.md)
+ [Setting up AWS Firewall Manager Fortigate CNF policies](getting-started-fms-fortigate-cnf.md)

# Setting up AWS Firewall Manager AWS WAF policies
<a name="getting-started-fms"></a>

To use AWS Firewall Manager to enable AWS WAF rules across your organization, perform the following steps in sequence. 

**Topics**
+ [Step 1: Completing the prerequisites](#complete-prereq)
+ [Step 2: Creating and applying an AWS WAF policy](#get-started-fms-create-security-policy)
+ [Step 3: Cleaning Up](#clean-up)

## Step 1: Completing the prerequisites
<a name="complete-prereq"></a>

There are several mandatory steps to prepare your account for AWS Firewall Manager. Those steps are described in [AWS Firewall Manager prerequisites](fms-prereq.md). Complete all of the prerequisites before proceeding to [Step 2: Creating and applying an AWS WAF policy](#get-started-fms-create-security-policy).

## Step 2: Creating and applying an AWS WAF policy
<a name="get-started-fms-create-security-policy"></a>

A Firewall Manager AWS WAF policy contains the rule groups that you want to apply to your resources. Firewall Manager creates a Firewall Manager web ACL in each account where you apply the policy. The individual account managers can add rules and rule groups to the resulting web ACL, in addition to the rule groups that you define here. For information about Firewall Manager AWS WAF policies, see [Using AWS WAF policies with Firewall Manager](waf-policies.md).

**To create a Firewall Manager AWS WAF policy (console)**

1. Sign in to the AWS Management Console using your Firewall Manager administrator account, and then open the Firewall Manager console at [https://console.aws.amazon.com/wafv2/fmsv2](https://console.aws.amazon.com/wafv2/fmsv2). For information about setting up a Firewall Manager administrator account, see [AWS Firewall Manager prerequisites](fms-prereq.md).

1. In the navigation pane, choose **Security policies**.

1. Choose **Create policy**.

1. For **Policy type**, choose **AWS WAF**. 

1. For **Region**, choose an AWS Region. To protect Amazon CloudFront distributions, choose **Global**.

   To protect resources in multiple Regions (other than CloudFront distributions), you must create separate Firewall Manager policies for each Region.

1. Choose **Next**.

1. For **Policy name**, enter a descriptive name. Firewall Manager includes the policy name in the names of the web ACLs that it manages. The web ACL names have `FMManagedWebACLV2-` followed by the policy name that you enter here, `-`, and the web ACL creation timestamp, in UTC milliseconds. For example, `FMManagedWebACLV2-MyWAFPolicyName-1621880374078`.
**Important**  
Web ACL names can't change after creation. If you update your policy's name, Firewall Manager won't update the associated web ACL name. To have Firewall Manager create a web ACL with a different name, you must create a new policy.

1. Under **Policy rules**, for **First rule groups**, choose **Add rule groups**. Expand the **AWS managed rule groups**. For **Core rule set**, toggle **Add to web ACL**. For **AWS known bad inputs**, toggle **Add to web ACL**. Choose **Add rules**.

   For **Last rule groups**, choose **Add rule groups**. Expand the **AWS managed rule groups** and for the **Amazon IP reputation list**, toggle **Add to web ACL**. Choose **Add rules**.

   Under **First rule groups**, select **Core rule set** and choose **Move down**. AWS WAF evaluates web requests against the **AWS known bad inputs** rule group before it evaluates against the **Core rule set**. 

   You can also create your own AWS WAF rule groups if you want, using the AWS WAF console. Any rule groups that you create show up under **Your rule groups** in the **Describe policy : Add rule groups page**.

   The first and last AWS WAF rule groups that you manage through Firewall Manager have names that begin with `PREFMManaged-` or `POSTFMManaged-`, respectively, followed by the Firewall Manager policy name, and the rule group creation timestamp, in UTC milliseconds. For example, `PREFMManaged-MyWAFPolicyName-1621880555123`.

1. Leave the default action for the web ACL at **Allow**. 

1. Leave the **Policy action** at the default, to not automatically remediate noncompliant resources. You can change the option later. 

1. Choose **Next**.

1. For **Policy scope**, you provide the settings for the accounts, resource types, and tagging that identify the resources you want to apply the policy to. For this tutorial, leave the **AWS accounts** and **Resources** settings at their defaults, and choose one or more resource types.

1. For **Resources**, you can narrow the scope of the policy using tagging, by either including or excluding resources with the tags that you specify. You can use inclusion or exclusion, and not both. For more information about tags to define policy scope, see [Using the AWS Firewall Manager policy scope](policy-scope.md).

   Resource tags can only have non-null values. If you omit the value for a tag, Firewall Manager saves the tag with an empty string value: "". Resource tags only match with tags that have the same key and the same value. 

1. Choose **Next**.

1. For **Policy tags**, add any identifying tags that you want to add to the Firewall Manager policy resource. For more information about tags, see [Working with Tag Editor](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/tag-editor.html).

1. Choose **Next**.

1. Review the new policy settings and return to any pages where you need to make adjustments. 

   Check to be sure that **Policy actions** is set to **Identify resources that don’t comply with the policy rules, but don’t auto remediate.** This allows you to review the changes that your policy would make before you enable them. 

1. When you are satisfied with the policy, choose **Create policy**.

   In the **AWS Firewall Manager policies** pane, your policy should be listed. It will probably indicate **Pending** under the accounts headings and it will indicate the status of the **Automatic remediation** setting. The creation of a policy can take several minutes. After the **Pending** status is replaced with account counts, you can choose the policy name to explore the compliance status of the accounts and resources. For information, see [Viewing compliance information for an AWS Firewall Manager policy](fms-compliance.md).
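The console procedure above produces the same policy that you can submit with `aws fms put-policy --policy file://policy.json`. The following added example (not code from the AWS documentation or the service) builds that policy document in Python: the three AWS managed rule groups in the tutorial's order after the **Move down**, the default action left at Allow, remediation disabled, and tag scoping that enforces the inclusion-or-exclusion and empty-value rules. The resource type and tag keys are assumptions chosen for illustration.

```python
import json

# AWS managed rule group names behind the console labels in the tutorial.
CORE_RULE_SET = "AWSManagedRulesCommonRuleSet"          # "Core rule set"
KNOWN_BAD_INPUTS = "AWSManagedRulesKnownBadInputsRuleSet"  # "AWS known bad inputs"
IP_REPUTATION = "AWSManagedRulesAmazonIpReputationList"   # "Amazon IP reputation list"


def managed_rule_group(name: str, vendor: str = "AWS") -> dict:
    """One entry of preProcessRuleGroups / postProcessRuleGroups.

    overrideAction NONE keeps each rule's own action; an empty excludeRules
    list means every rule in the group is evaluated."""
    return {
        "ruleGroupType": "ManagedRuleGroup",
        "ruleGroupArn": None,
        "managedRuleGroupIdentifier": {
            "vendorName": vendor,
            "managedRuleGroupName": name,
            "version": None,  # None tracks the vendor's default version
        },
        "overrideAction": {"type": "NONE"},
        "excludeRules": [],
    }


def waf_managed_service_data(first_groups: list, last_groups: list) -> str:
    """Build the ManagedServiceData JSON string for a WAFV2 policy.

    The web ACL evaluates first rule groups in list order, then whatever the
    account owner adds to the web ACL, then last rule groups in list order."""
    data = {
        "type": "WAFV2",
        "preProcessRuleGroups": [managed_rule_group(n) for n in first_groups],
        "postProcessRuleGroups": [managed_rule_group(n) for n in last_groups],
        "defaultAction": {"type": "ALLOW"},  # tutorial leaves the default at Allow
        "overrideCustomerWebACLAssociation": False,
        "loggingConfiguration": None,
    }
    return json.dumps(data)


def normalize_tags(tags: dict) -> list:
    """Scope tags in API form; a tag given without a value is stored as ""."""
    return [{"Key": k, "Value": "" if v is None else v} for k, v in tags.items()]


def tag_matches(policy_tag: dict, resource_tags: dict) -> bool:
    """A scope tag matches a resource only when key AND value are identical."""
    return resource_tags.get(policy_tag["Key"]) == policy_tag["Value"]


def build_waf_policy(name: str, resource_type: str,
                     include_tags: dict = None, exclude_tags: dict = None) -> dict:
    """Policy document for put-policy, mirroring the tutorial's console choices."""
    if include_tags and exclude_tags:
        raise ValueError("policy scope uses tag inclusion or exclusion, not both")
    tags = include_tags or exclude_tags or {}
    return {
        "PolicyName": name,  # becomes part of FMManagedWebACLV2-<name>-<timestamp>
        "SecurityServicePolicyData": {
            "Type": "WAFV2",
            "ManagedServiceData": waf_managed_service_data(
                # After "Move down": known bad inputs runs before the core rule set
                [KNOWN_BAD_INPUTS, CORE_RULE_SET],
                [IP_REPUTATION],
            ),
        },
        "ResourceType": resource_type,
        "ResourceTags": normalize_tags(tags),
        "ExcludeResourceTags": bool(exclude_tags),
        "RemediationEnabled": False,  # identify noncompliance, don't auto-remediate
    }


def rule_group_order(policy: dict) -> tuple:
    """Return (first, last) managed rule group names from a built policy."""
    msd = json.loads(policy["SecurityServicePolicyData"]["ManagedServiceData"])
    pick = lambda groups: [g["managedRuleGroupIdentifier"]["managedRuleGroupName"]
                           for g in groups]
    return pick(msd["preProcessRuleGroups"]), pick(msd["postProcessRuleGroups"])


if __name__ == "__main__":
    # Assumed resource type and tag key, chosen for illustration only.
    policy = build_waf_policy("MyWAFPolicyName",
                              "AWS::ElasticLoadBalancingV2::LoadBalancer",
                              include_tags={"Environment": "prod"})
    print(json.dumps(policy, indent=2))
```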

## Step 3: Cleaning Up
<a name="clean-up"></a>

To avoid extraneous charges, delete any unnecessary policies and resources. 

**To delete a policy (console)**

1. On the **AWS Firewall Manager policies** page, choose the radio button next to the policy name, and then choose **Delete**. 

1. In the **Delete** confirmation box, select **Delete all policy resources**, and then choose **Delete** again.

   AWS WAF removes the policy and any associated resources, like web ACLs, that it created in your account. The changes might take a few minutes to propagate to all accounts.

# Setting up AWS Firewall Manager AWS Shield Advanced policies
<a name="getting-started-fms-shield"></a>

You can use AWS Firewall Manager to enable AWS Shield Advanced protections across your organization. 

**Important**  
Firewall Manager doesn't support Amazon Route 53 or AWS Global Accelerator. If you need to protect these resources with Shield Advanced, you can't use a Firewall Manager policy. Instead, follow the instructions in [Adding AWS Shield Advanced protection to AWS resources](configure-new-protection.md).

To use Firewall Manager to enable Shield Advanced protection, perform the following steps in sequence. 

**Topics**
+ [Step 1: Completing the prerequisites](#complete-prereq-fms-shield)
+ [Step 2: Creating and applying a Shield Advanced policy](#get-started-fms-shield-create-security-policy)
+ [Step 3: (Optional) Authorizing the Shield Response Team (SRT)](#get-started-fms-shield-authorize-srt)
+ [Step 4: Configuring Amazon SNS notifications and Amazon CloudWatch alarms](#get-started-fms-shield-cloudwatch)

## Step 1: Completing the prerequisites
<a name="complete-prereq-fms-shield"></a>

There are several mandatory steps to prepare your account for AWS Firewall Manager. Those steps are described in [AWS Firewall Manager prerequisites](fms-prereq.md). Complete all the prerequisites before proceeding to [Step 2: Creating and applying a Shield Advanced policy](#get-started-fms-shield-create-security-policy).

## Step 2: Creating and applying a Shield Advanced policy
<a name="get-started-fms-shield-create-security-policy"></a>

After completing the prerequisites, you create an AWS Firewall Manager Shield Advanced policy. A Firewall Manager Shield Advanced policy contains the accounts and resources that you want to protect with Shield Advanced.

**Important**  
Firewall Manager does not support Amazon Route 53 or AWS Global Accelerator. If you need to protect these resources with Shield Advanced, you can't use a Firewall Manager policy. Instead, follow the instructions in [Adding AWS Shield Advanced protection to AWS resources](configure-new-protection.md). 

**To create a Firewall Manager Shield Advanced policy (console)**

1. Sign in to the AWS Management Console using your Firewall Manager administrator account, and then open the Firewall Manager console at [https://console.aws.amazon.com/wafv2/fmsv2](https://console.aws.amazon.com/wafv2/fmsv2). For information about setting up a Firewall Manager administrator account, see [AWS Firewall Manager prerequisites](fms-prereq.md).

1. In the navigation pane, choose **Security policies**.

1. Choose **Create policy**.

1. For **Policy type**, choose **Shield Advanced**. 

   To create a Shield Advanced policy, your Firewall Manager administrator account must be subscribed to Shield Advanced. If you are not subscribed, you are prompted to do so. For information about the cost for subscribing, see [AWS Shield Advanced Pricing](https://aws.amazon.com/shield/pricing/).
**Note**  
You don't need to manually subscribe each member account to Shield Advanced. Firewall Manager does this for you when it creates the policy. Each account must remain subscribed for Firewall Manager and Shield Advanced to continue to protect resources in the account.

1. For **Region**, choose an AWS Region. To protect Amazon CloudFront resources, choose **Global**.

   To protect resources in multiple Regions (other than CloudFront resources), you must create separate Firewall Manager policies for each Region.

1. Choose **Next**.

1. For **Name**, enter a descriptive name. 

1. (Global Region only) For **Global** Region policies, you can choose whether you want to manage Shield Advanced automatic application layer DDoS mitigation. For this tutorial, leave this choice at the default setting of **Ignore**.

1. For **Policy action**, choose the option that doesn't automatically remediate. 

1. Choose **Next**.

1. **AWS accounts this policy applies to** allows you to narrow the scope of your policy by specifying accounts to include or exclude. For this tutorial, choose **Include all accounts under my organization.** 

1. Choose the types of resources that you want to protect.

   Firewall Manager doesn't support Amazon Route 53 or AWS Global Accelerator. If you need to protect these resources with Shield Advanced, you can't use a Firewall Manager policy. Instead, follow the Shield Advanced guidance at [Adding AWS Shield Advanced protection to AWS resources](configure-new-protection.md).

1. For **Resources**, you can narrow the scope of the policy using tagging, by either including or excluding resources with the tags that you specify. You can use inclusion or exclusion, and not both. For more information about tags to define policy scope, see [Using the AWS Firewall Manager policy scope](policy-scope.md).

   Resource tags can only have non-null values. If you omit the value for a tag, Firewall Manager saves the tag with an empty string value: "". Resource tags only match with tags that have the same key and the same value. 

1. Choose **Next**. 

1. For **Policy tags**, add any identifying tags that you want to add to the Firewall Manager policy resource. For more information about tags, see [Working with Tag Editor](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/tag-editor.html).

1. Choose **Next**.

1. Review the new policy settings and return to any pages where you need to make adjustments. 

   Check to be sure that **Policy actions** is set to **Identify resources that don’t comply with the policy rules, but don’t auto remediate.** This allows you to review the changes that your policy would make before you enable them. 

1. When you are satisfied with the policy, choose **Create policy**.

   In the **AWS Firewall Manager policies** pane, your policy should be listed. It will probably indicate **Pending** under the accounts headings and it will indicate the status of the **Automatic remediation** setting. The creation of a policy can take several minutes. After the **Pending** status is replaced with account counts, you can choose the policy name to explore the compliance status of the accounts and resources. For information, see [Viewing compliance information for an AWS Firewall Manager policy](fms-compliance.md).

Continue to [Step 3: (Optional) Authorizing the Shield Response Team (SRT)](#get-started-fms-shield-authorize-srt).

## Step 3: (Optional) Authorizing the Shield Response Team (SRT)
<a name="get-started-fms-shield-authorize-srt"></a>

One of the benefits of AWS Shield Advanced is support from the Shield Response Team (SRT). When you experience a potential DDoS attack, you can contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/). If necessary, the Support Center escalates your issue to the SRT. The SRT helps you analyze the suspicious activity and assists you in mitigating the issue. This mitigation often involves creating or updating AWS WAF rules and web ACLs in your account. The SRT can inspect your AWS WAF configuration and create or update AWS WAF rules and web ACLs for you, but the team needs your authorization to do so. We recommend that as part of setting up AWS Shield Advanced, you proactively provide the SRT with the needed authorization. Providing authorization ahead of time helps prevent mitigation delays in the event of an actual attack. 

You authorize and contact the SRT at the account level. That is, the account owner, not the Firewall Manager administrator, must perform the following steps to authorize the SRT to mitigate potential attacks. The Firewall Manager administrator can authorize the SRT only for accounts that they own. Likewise, only the account owner can contact the SRT for support.

**Note**  
To use the services of the SRT, you must be subscribed to the [Business Support plan](https://aws.amazon.com/premiumsupport/business-support/) or the [Enterprise Support plan](https://aws.amazon.com/premiumsupport/enterprise-support/).

To authorize the SRT to mitigate potential attacks on your behalf, follow the instructions in [Managed DDoS event response with Shield Response Team (SRT) support](ddos-srt-support.md). You can change SRT access and permissions at any time by using the same steps.

Continue to [Step 4: Configuring Amazon SNS notifications and Amazon CloudWatch alarms](#get-started-fms-shield-cloudwatch).

## Step 4: Configuring Amazon SNS notifications and Amazon CloudWatch alarms
<a name="get-started-fms-shield-cloudwatch"></a>

You can continue from this step without configuring Amazon SNS notifications or CloudWatch alarms. However, configuring these alarms and notifications significantly increases your visibility into possible DDoS events.

You can monitor your protected resources for potential DDoS activity using Amazon SNS. To receive notification of possible attacks, create an Amazon SNS topic for each Region. 

**Important**  
Amazon SNS notifications of potential DDoS activity are not sent in real time and can be delayed. Additionally, if you exceed the Shield Advanced quota of 1,000 protected resources for each resource type for each account, Firewall Manager performance constraints might prevent the successful delivery of DDoS attack notifications entirely. For more information, see [AWS Shield Advanced quotas](shield-limits.md).   
To enable real-time notifications of potential DDoS activity, you can use a CloudWatch alarm. Your alarm must be based on the `DDoSDetected` metric from the account in which the protected resource exists.

**To create an Amazon SNS topic in Firewall Manager (console)**

1. Sign in to the AWS Management Console using your Firewall Manager administrator account, and then open the Firewall Manager console at [https://console.aws.amazon.com/wafv2/fmsv2](https://console.aws.amazon.com/wafv2/fmsv2). For information about setting up a Firewall Manager administrator account, see [AWS Firewall Manager prerequisites](fms-prereq.md).

1. In the navigation pane, under **AWS FMS**, choose **Settings**.

1. Choose **Create new topic**.

1. Enter a topic name.

1. Enter an email address that the Amazon SNS messages will be sent to, and then choose **Add email address**.

1. Choose **Update SNS configuration**.

### Configuring Amazon CloudWatch alarms
<a name="get-started-fms-shield-alarms"></a>

Shield Advanced records detection, mitigation, and top contributor metrics in CloudWatch that you can monitor. For more information, see [AWS Shield Advanced metrics](shield-metrics.md). CloudWatch incurs additional costs. For CloudWatch pricing, see [Amazon CloudWatch Pricing](https://aws.amazon.com/cloudwatch/pricing/).

To create a CloudWatch alarm, follow the instructions in [Using Amazon CloudWatch Alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html). By default, Shield Advanced configures CloudWatch to alert you after just one indicator of a potential DDoS event. If needed, you can use the CloudWatch console to change this setting to alert you only after multiple indicators are detected. 

**Note**  
In addition to the alarms, you can also use a CloudWatch dashboard to monitor potential DDoS activity. The dashboard collects and processes raw data from Shield Advanced into readable, near real-time metrics. You can use statistics in Amazon CloudWatch to gain a perspective on how your web application or service is performing. For more information, see [What is CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/WhatIsCloudWatch.html) in the *Amazon CloudWatch User Guide*.  
For instructions about creating a CloudWatch dashboard, see [Monitoring with Amazon CloudWatch](monitoring-cloudwatch.md). For information about specific Shield Advanced metrics that you can add to your dashboard, see [AWS Shield Advanced metrics](shield-metrics.md). 

When you've completed your Shield Advanced configuration, familiarize yourself with your options for viewing events at [Visibility into DDoS events with Shield Advanced](ddos-viewing-events.md).

# Setting up AWS Firewall Manager Amazon VPC security group policies
<a name="getting-started-fms-security-group"></a>

To use AWS Firewall Manager to enable Amazon VPC security groups across your organization, perform the following steps in sequence. 

**Topics**
+ [Step 1: Completing the prerequisites](#complete-prereq-security-group)
+ [Step 2: Creating a security group to use in your policy](#get-started-fms-create-security-groups)
+ [Step 3: Creating and applying a common security group policy](#get-started-fms-sg-create-security-policy)

## Step 1: Completing the prerequisites
<a name="complete-prereq-security-group"></a>

There are several mandatory steps to prepare your account for AWS Firewall Manager. Those steps are described in [AWS Firewall Manager prerequisites](fms-prereq.md). Complete all the prerequisites before proceeding to [Step 2: Creating a security group to use in your policy](#get-started-fms-create-security-groups).

## Step 2: Creating a security group to use in your policy
<a name="get-started-fms-create-security-groups"></a>

In this step, you create a security group that you could apply across your organization using Firewall Manager. 

**Note**  
For this tutorial, you won't apply your security group policy to the resources in your organization. You'll just create the policy and see what would happen if you applied the policy's security group to your resources. You do this by disabling automatic remediation on the policy.

If you already have a general security group defined, skip this step and go to [Step 3: Creating and applying a common security group policy](#get-started-fms-sg-create-security-policy). 

**To create a security group to use in a Firewall Manager common security group policy**
+ Create a security group that you could apply to all accounts and resources in your organization, following the guidance under [Security Groups for Your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) in the [Amazon VPC User Guide](https://docs.aws.amazon.com/vpc/latest/userguide/).

  For information on the security group rules options, see [Security Group Rules Reference](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html).

You are now ready to go to [Step 3: Creating and applying a common security group policy](#get-started-fms-sg-create-security-policy).

## Step 3: Creating and applying a common security group policy
<a name="get-started-fms-sg-create-security-policy"></a>

After completing the prerequisites, you create an AWS Firewall Manager common security group policy. A common security group policy provides a centrally controlled security group for your entire AWS organization. It also defines the AWS accounts and resources that the security group applies to. In addition to common security group policies, Firewall Manager supports content audit security group policies, to manage the security group rules in use in your organization, and usage audit security group policies, to manage unused and redundant security groups. For more information, see [Using security group policies in Firewall Manager to manage Amazon VPC security groups](security-group-policies.md).

For this tutorial, you create a common security group policy and set its action to not automatically remediate. This allows you to see what effect the policy would have without making changes to your AWS organization.

**To create a Firewall Manager common security group policy (console)**

1. Sign in to the AWS Management Console using your Firewall Manager administrator account, and then open the Firewall Manager console at [https://console.aws.amazon.com/wafv2/fmsv2](https://console.aws.amazon.com/wafv2/fmsv2). For information about setting up a Firewall Manager administrator account, see [AWS Firewall Manager prerequisites](fms-prereq.md).

1. In the navigation pane, choose **Security policies**. 

1. If you have not met the prerequisites, the console displays instructions about how to fix any issues. Follow the instructions, and then return to this step, to create a common security group policy. 

1. Choose **Create policy**.

1. For **Policy type**, choose **Security group**. 

1. For **Security group policy type**, choose **Common security groups**.

1. For **Region**, choose an AWS Region. 

1. Choose **Next**.

1. For **Policy name**, enter a descriptive name. 

1. **Policy rules** allow you to choose how the security groups in this policy are applied and maintained. For this tutorial, leave the options unchecked. 

1. Choose **Add primary security group**, select the security group that you created for this tutorial, and choose **Add security group**.

1. For **Policy action**, choose **Identify resources that don’t comply with the policy rules, but don’t auto remediate.** 

1. Choose **Next**.

1. **AWS accounts affected by this policy** allows you to narrow the scope of your policy by specifying accounts to include or exclude. For this tutorial, choose **Include all accounts under my organization.** 

1. For **Resource type**, choose one or more types, according to the resources you have defined for your AWS organization. 

1. For **Resources**, you can narrow the scope of the policy using tagging, by either including or excluding resources with the tags that you specify. You can use inclusion or exclusion, and not both. For more information about tags to define policy scope, see [Using the AWS Firewall Manager policy scope](policy-scope.md).

   Resource tags can only have non-null values. If you omit the value for a tag, Firewall Manager saves the tag with an empty string value: "". Resource tags only match with tags that have the same key and the same value. 

1. Choose **Next**.

1. For **Policy tags**, add any identifying tags that you want to add to the Firewall Manager policy resource. For more information about tags, see [Working with Tag Editor](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/tag-editor.html).

1. Choose **Next**.

1. Review the new policy settings and return to any pages where you need to make adjustments. 

   Check to be sure that **Policy actions** is set to **Identify resources that don’t comply with the policy rules, but don’t auto remediate.** This allows you to review the changes that your policy would make before you enable them. 

1. When you are satisfied with the policy, choose **Create policy**.

   In the **AWS Firewall Manager policies** pane, your policy should be listed. It will probably indicate **Pending** under the accounts headings and it will indicate the status of the **Automatic remediation** setting. The creation of a policy can take several minutes. After the **Pending** status is replaced with account counts, you can choose the policy name to explore the compliance status of the accounts and resources. For information, see [Viewing compliance information for an AWS Firewall Manager policy](fms-compliance.md).

1. When you are finished exploring, if you don't want to keep the policy you created for this tutorial, choose the policy name, choose **Delete**, choose **Clean up resources created by this policy.**, and finally choose **Delete**. 

For more information about Firewall Manager security group policies, see [Using security group policies in Firewall Manager to manage Amazon VPC security groups](security-group-policies.md).

# Setting up AWS Firewall Manager Amazon VPC network ACL policies
<a name="getting-started-fms-network-acl"></a>

To use AWS Firewall Manager to enable network ACLs across your organization, perform the steps in this section in sequence. 

For information about network ACLs, see [Control traffic to subnets using network ACLs](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html) in the *Amazon VPC User Guide*.

**Topics**
+ [Step 1: Completing the prerequisites](#complete-prereq-network-acl)
+ [Step 2: Creating a network ACL policy](#get-started-fms-nacl-create-security-policy)

## Step 1: Completing the prerequisites
<a name="complete-prereq-network-acl"></a>

There are several mandatory steps to prepare your account for AWS Firewall Manager. Those steps are described in [AWS Firewall Manager prerequisites](fms-prereq.md). Complete all the prerequisites before proceeding to [Step 2: Creating a network ACL policy](#get-started-fms-nacl-create-security-policy).

## Step 2: Creating a network ACL policy
<a name="get-started-fms-nacl-create-security-policy"></a>

After completing the prerequisites, you create a Firewall Manager network ACL policy. A network ACL policy provides a centrally controlled network ACL definition for your entire AWS organization. It also defines the AWS accounts and subnets that the network ACL applies to. 

For information about Firewall Manager network ACL policies, see [Network ACL policies](network-acl-policies.md).

**Note**  
For this tutorial, you won't apply your network ACL policy to the subnets in your organization. You'll just create the policy and see what would happen if you applied the policy's network ACL to your subnets. You do this by disabling automatic remediation on the policy.

**To create a Firewall Manager network ACL policy (console)**

1. Sign in to the AWS Management Console using your Firewall Manager administrator account, and then open the Firewall Manager console at [https://console.aws.amazon.com/wafv2/fmsv2](https://console.aws.amazon.com/wafv2/fmsv2). For information about setting up a Firewall Manager administrator account, see [AWS Firewall Manager prerequisites](fms-prereq.md).

1. In the navigation pane, choose **Security policies**. 

1. If you have not met the prerequisites, the console displays instructions about how to fix any issues. Follow the instructions, and then return to this step, to create a network ACL policy. 

1. Choose **Create policy**. 

1. For **Region**, choose an AWS Region. 

1. For **Policy type**, choose **Network ACL**. 

1. Choose **Next**.

1. For **Policy name**, enter a descriptive name. 

1. For **Network ACL policy rules**, define the first and last rules for both inbound and outbound traffic. 

   You define network ACL rules in Firewall Manager similarly to how you define them through Amazon VPC. The only difference is that, instead of assigning rule numbers yourself, you assign the order in which each set of rules runs, and Firewall Manager assigns the numbers for you when you save the policy. You can define up to 5 inbound rules, divided in any way between first and last, and you can define up to 5 outbound rules. 

   For guidance specifying network ACL rules, see [Add and delete network ACL rules](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#Rules) in the *Amazon VPC User Guide*.

   The rules that you define in the Firewall Manager policy specify the minimum rule configuration that a network ACL must have to be compliant with the network ACL policy. For example, a network ACL's inbound rules cannot be compliant with the policy unless they start with the policy's inbound first rules, in the same order as they're specified in the policy. For more information, see [Network ACL policies](network-acl-policies.md).

1. For **Policy action**, choose **Identify resources that don’t comply with the policy rules, but don’t auto remediate.** 

1. Choose **Next**.

1. **AWS accounts affected by this policy** allows you to narrow the scope of your policy by specifying accounts to include or exclude. For this tutorial, choose **Include all accounts under my organization.** 

   The **Resource type** for a network ACL policy is always subnet. 

1. For **Resources**, you can narrow the scope of the policy using tagging, by either including or excluding resources with the tags that you specify. You can use inclusion or exclusion, and not both. For more information about tags to define policy scope, see [Using the AWS Firewall Manager policy scope](policy-scope.md).

   Resource tags can only have non-null values. If you omit the value for a tag, Firewall Manager saves the tag with an empty string value: "". Resource tags only match with tags that have the same key and the same value. 

1. Choose **Next**.

1. For **Policy tags**, add any identifying tags that you want to add to the Firewall Manager policy resource. For more information about tags, see [Working with Tag Editor](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/tag-editor.html).

1. Choose **Next**.

1. Review the new policy settings and return to any pages where you need to make adjustments. 

   Check to be sure that **Policy actions** is set to **Identify resources that don’t comply with the policy rules, but don’t auto remediate.** This allows you to review the changes that your policy would make before you enable them. 

1. When you are satisfied with the policy, choose **Create policy**.

   In the **AWS Firewall Manager policies** pane, your policy should be listed. It will probably indicate **Pending** under the accounts headings and it will indicate the status of the **Automatic remediation** setting. The creation of a policy can take several minutes. After the **Pending** status is replaced with account counts, you can choose the policy name to explore the compliance status of the accounts and resources. For information, see [Viewing compliance information for an AWS Firewall Manager policy](fms-compliance.md).

1. When you are finished exploring, if you don't want to keep the policy that you created for this tutorial, choose the policy name, choose **Delete**, choose **Clean up resources created by this policy.**, and finally choose **Delete**. 

For more information about Firewall Manager network ACL policies, see [Network ACL policies](network-acl-policies.md).

# Setting up AWS Firewall Manager AWS Network Firewall policies
<a name="getting-started-fms-network-firewall"></a>

To use AWS Firewall Manager to enable an AWS Network Firewall firewall across your organization, perform the following steps in sequence. For information about Firewall Manager Network Firewall policies, see [Using AWS Network Firewall policies in Firewall Manager](network-firewall-policies.md).

**Topics**
+ [Step 1: Completing the prerequisites](#complete-prereq-network-firewall)
+ [Step 2: Creating a Network Firewall rule group to use in your policy](#get-started-fms-create-network-firewall-rule-group)
+ [Step 3: Creating and applying a Network Firewall policy](#get-started-fms-network-firewall-create-policy)

## Step 1: Completing the prerequisites
<a name="complete-prereq-network-firewall"></a>

There are several mandatory steps to prepare your account for AWS Firewall Manager. Those steps are described in [AWS Firewall Manager prerequisites](fms-prereq.md). Complete all the prerequisites before proceeding to the next step.

## Step 2: Creating a Network Firewall rule group to use in your policy
<a name="get-started-fms-create-network-firewall-rule-group"></a>

To follow this tutorial, you should be familiar with AWS Network Firewall and know how to configure its rule groups and firewall policies. 

You must have at least one rule group in Network Firewall that will be used in your AWS Firewall Manager policy. If you haven't already created a rule group in Network Firewall, do so now. For information about using Network Firewall, see the [AWS Network Firewall Developer Guide](https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html). 

## Step 3: Creating and applying a Network Firewall policy
<a name="get-started-fms-network-firewall-create-policy"></a>

After completing the prerequisites, you create an AWS Firewall Manager Network Firewall policy. A Network Firewall policy provides a centrally controlled AWS Network Firewall firewall for your entire AWS organization. It also defines the AWS accounts and resources that the firewall applies to. 

For more information about how Firewall Manager manages your Network Firewall policies, see [Using AWS Network Firewall policies in Firewall Manager](network-firewall-policies.md).

**To create a Firewall Manager Network Firewall policy (console)**

1. Sign in to the AWS Management Console using your Firewall Manager administrator account, and then open the Firewall Manager console at [https://console.aws.amazon.com/wafv2/fmsv2](https://console.aws.amazon.com/wafv2/fmsv2). For information about setting up a Firewall Manager administrator account, see [AWS Firewall Manager prerequisites](fms-prereq.md).

1. In the navigation pane, choose **Security policies**. 

1. If you haven't met the prerequisites, the console displays instructions about how to fix any issues. Follow the instructions, and then return to this step, to create a Network Firewall policy. 

1. Choose **Create security policy**.

1. For **Policy type**, choose **AWS Network Firewall**. 

1. For **Region**, choose an AWS Region. 

1. Choose **Next**.

1. For **Policy name**, enter a descriptive name. 

1. The policy configuration allows you to define the firewall policy. This is the same process as the one you use in the AWS Network Firewall console. You add the rule groups that you want to use in your policy and provide the default stateless actions. For this tutorial, configure this policy as you would a firewall policy in Network Firewall. 
**Note**  
Auto remediation happens automatically for AWS Firewall Manager Network Firewall policies, so you won't see an option to choose not to auto remediate here.

1. Choose **Next**.

1. For **Firewall endpoints**, choose **Multiple firewall endpoints**. This option provides high availability for your firewall. When you create the policy, Firewall Manager creates a firewall subnet in each Availability Zone where you have public subnets to protect. 

1. For **AWS Network Firewall route configuration**, choose **Monitor** to have Firewall Manager monitor your VPCs for route configuration violations and alert you with remediation suggestions to help you to bring the routes into compliance. Optionally, if you don't want to have your route configurations monitored by Firewall Manager and receive these alerts, choose **Off**.
**Note**  
Monitoring provides you with details about non-compliant resources due to faulty route configuration, and suggests remediation actions from the Firewall Manager `GetViolationDetails` API. For example, Network Firewall alerts you if traffic is not routed through the firewall endpoints that are created by your policy.
**Warning**  
If you choose **Monitor**, you can't change it to **Off** in the future for the same policy. You must create a new policy.

1. For **Traffic type**, select **Add to firewall policy** to route traffic through the internet gateway.

1. **AWS accounts affected by this policy** allows you to narrow the scope of your policy by specifying accounts to include or exclude. For this tutorial, choose **Include all accounts under my organization**. 

   The **Resource type** for a Network Firewall policy is always **VPC**. 

1. For **Resources**, you can narrow the scope of the policy using tagging, by either including or excluding resources with the tags that you specify. You can use inclusion or exclusion, and not both. For more information about tags to define policy scope, see [Using the AWS Firewall Manager policy scope](policy-scope.md).

   Resource tags can only have non-null values. If you omit the value for a tag, Firewall Manager saves the tag with an empty string value: "". Resource tags only match with tags that have the same key and the same value. 

1. Choose **Next**.

1. For **Policy tags**, add any identifying tags that you want to add to the Firewall Manager policy resource. For more information about tags, see [Working with Tag Editor](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/tag-editor.html).

1. Choose **Next**.

1. Review the new policy settings and return to any pages where you need to make adjustments. 

   Check to be sure that **Policy actions** is set to **Identify resources that don’t comply with the policy rules, but don’t auto remediate.** This allows you to review the changes that your policy would make before you enable them. 

1. When you are satisfied with the policy, choose **Create policy**.

   In the **AWS Firewall Manager policies** pane, your policy should be listed. It will probably indicate **Pending** under the accounts headings and it will indicate the status of the **Automatic remediation** setting. The creation of a policy can take several minutes. After the **Pending** status is replaced with account counts, you can choose the policy name to explore the compliance status of the accounts and resources. For information, see [Viewing compliance information for an AWS Firewall Manager policy](fms-compliance.md).

1. When you are finished exploring, if you don't want to keep the policy that you created for this tutorial, choose the policy name, choose **Delete**, choose **Clean up resources created by this policy.**, and finally choose **Delete**. 

For more information about Firewall Manager Network Firewall policies, see [Using AWS Network Firewall policies in Firewall Manager](network-firewall-policies.md).

# Setting up AWS Firewall Manager DNS Firewall policies
<a name="getting-started-fms-dns-firewall"></a>

To use AWS Firewall Manager to enable Amazon Route 53 Resolver DNS Firewall across your organization, perform the following steps in sequence. For information about Firewall Manager DNS Firewall policies, see [Using Amazon Route 53 Resolver DNS Firewall policies in Firewall Manager](dns-firewall-policies.md).

**Topics**
+ [Step 1: Completing the prerequisites](#complete-prereq-dns-firewall)
+ [Step 2: Creating your DNS Firewall rule groups to use in your policy](#get-started-fms-create-dns-firewall-association)
+ [Step 3: Creating and applying a DNS Firewall policy](#get-started-fms-dns-firewall-create-policy)

## Step 1: Completing the prerequisites
<a name="complete-prereq-dns-firewall"></a>

There are several mandatory steps to prepare your account for AWS Firewall Manager. Those steps are described in [AWS Firewall Manager prerequisites](fms-prereq.md). Complete all the prerequisites before proceeding to the next step.

## Step 2: Creating your DNS Firewall rule groups to use in your policy
<a name="get-started-fms-create-dns-firewall-association"></a>

To follow this tutorial, you should be familiar with Amazon Route 53 Resolver DNS Firewall and know how to configure its rule groups. 

You must have at least one rule group in DNS Firewall that will be used in your AWS Firewall Manager policy. If you haven't already created a rule group in DNS Firewall, do so now. For information about using DNS Firewall, see [Amazon Route 53 Resolver DNS Firewall](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall.html) in the [Amazon Route 53 Developer Guide](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/Welcome.html). 

## Step 3: Creating and applying a DNS Firewall policy
<a name="get-started-fms-dns-firewall-create-policy"></a>

After completing the prerequisites, you create an AWS Firewall Manager DNS Firewall policy. A DNS Firewall policy provides a set of centrally controlled DNS Firewall rule group associations for your entire AWS organization. It also defines the AWS accounts and resources that the firewall applies to. 

For more information about how Firewall Manager manages your DNS Firewall rule group associations, see [Using Amazon Route 53 Resolver DNS Firewall policies in Firewall Manager](dns-firewall-policies.md).

**To create a Firewall Manager DNS Firewall policy (console)**

1. Sign in to the AWS Management Console using your Firewall Manager administrator account, and then open the Firewall Manager console at [https://console.aws.amazon.com/wafv2/fmsv2](https://console.aws.amazon.com/wafv2/fmsv2). For information about setting up a Firewall Manager administrator account, see [AWS Firewall Manager prerequisites](fms-prereq.md).

1. In the navigation pane, choose **Security policies**. 

1. If you haven't met the prerequisites, the console displays instructions about how to fix any issues. Follow the instructions, and then return to this step, to create a DNS Firewall policy. 

1. Choose **Create security policy**.

1. For **Policy type**, choose **Amazon Route 53 Resolver DNS Firewall**. 

1. For **Region**, choose an AWS Region. 

1. Choose **Next**.

1. For **Policy name**, enter a descriptive name. 

1. The policy configuration allows you to define the DNS Firewall rule group associations that you want to manage from Firewall Manager. You add the rule groups that you want to use in your policy. You can define an association to evaluate first for your VPCs and one to evaluate last. For this tutorial, add one or two rule group associations, depending on your needs. 

1. Choose **Next**.

1. **AWS accounts affected by this policy** allows you to narrow the scope of your policy by specifying accounts to include or exclude. For this tutorial, choose **Include all accounts under my organization**. 

   The **Resource type** for a DNS Firewall policy is always **VPC**. 

1. For **Resources**, you can narrow the scope of the policy using tagging, by either including or excluding resources with the tags that you specify. You can use inclusion or exclusion, and not both. For more information about tags to define policy scope, see [Using the AWS Firewall Manager policy scope](policy-scope.md).

   Resource tags can only have non-null values. If you omit the value for a tag, Firewall Manager saves the tag with an empty string value: "". Resource tags only match with tags that have the same key and the same value. 

1. Choose **Next**.

1. For **Policy tags**, add any identifying tags that you want to add to the Firewall Manager policy resource. For more information about tags, see [Working with Tag Editor](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/tag-editor.html).

1. Choose **Next**.

1. Review the new policy settings and return to any pages where you need to make adjustments. 

   Check to be sure that **Policy actions** is set to **Identify resources that don’t comply with the policy rules, but don’t auto remediate.** This allows you to review the changes that your policy would make before you enable them. 

1. When you are satisfied with the policy, choose **Create policy**.

   In the **AWS Firewall Manager policies** pane, your policy should be listed. It will probably indicate **Pending** under the accounts headings and it will indicate the status of the **Automatic remediation** setting. The creation of a policy can take several minutes. After the **Pending** status is replaced with account counts, you can choose the policy name to explore the compliance status of the accounts and resources. For information, see [Viewing compliance information for an AWS Firewall Manager policy](fms-compliance.md).

1. When you are finished exploring, if you don't want to keep the policy that you created for this tutorial, choose the policy name, choose **Delete**, choose **Clean up resources created by this policy.**, and finally choose **Delete**. 

For more information about Firewall Manager DNS Firewall policies, see [Using Amazon Route 53 Resolver DNS Firewall policies in Firewall Manager](dns-firewall-policies.md).

# Setting up AWS Firewall Manager Palo Alto Networks Cloud Next Generation Firewall policies
<a name="getting-started-fms-cloud-ngfw"></a>

To use AWS Firewall Manager to enable Palo Alto Networks Cloud Next Generation Firewall (NGFW) policies, perform the following steps in sequence. For information about Palo Alto Networks Cloud NGFW policies, see [Using Palo Alto Networks Cloud NGFW policies for Firewall Manager](cloud-ngfw-policies.md).

**Topics**
+ [Step 1: Completing the general prerequisites](#complete-fms-prereq)
+ [Step 2: Completing the Palo Alto Networks Cloud NGFW policy prerequisites](#complete-prereq-cloud-ngfw)
+ [Step 3: Creating and applying a Palo Alto Networks Cloud NGFW policy](#get-started-fms-cloud-ngfw-create-policy)

## Step 1: Completing the general prerequisites
<a name="complete-fms-prereq"></a>

There are several mandatory steps to prepare your account for AWS Firewall Manager. Those steps are described in [AWS Firewall Manager prerequisites](fms-prereq.md). Complete all the prerequisites before proceeding to the next step.

## Step 2: Completing the Palo Alto Networks Cloud NGFW policy prerequisites
<a name="complete-prereq-cloud-ngfw"></a>

There are a couple of additional mandatory steps that you must complete in order to use Palo Alto Networks Cloud NGFW policies. Those steps are described in [Palo Alto Networks Cloud Next Generation Firewall policy prerequisites](fms-third-party-prerequisites.md#fms-cloud-ngfw-prerequisites). Complete all the prerequisites before proceeding to the next step.

## Step 3: Creating and applying a Palo Alto Networks Cloud NGFW policy
<a name="get-started-fms-cloud-ngfw-create-policy"></a>

After completing the prerequisites, you create an AWS Firewall Manager Palo Alto Networks Cloud NGFW policy.

For more information about Firewall Manager policies for Palo Alto Networks Cloud NGFW, see [Using Palo Alto Networks Cloud NGFW policies for Firewall Manager](cloud-ngfw-policies.md).

**To create a Firewall Manager policy for Palo Alto Networks Cloud NGFW (console)**

1. Sign in to the AWS Management Console using your Firewall Manager administrator account, and then open the Firewall Manager console at [https://console.aws.amazon.com/wafv2/fmsv2](https://console.aws.amazon.com/wafv2/fmsv2). For information about setting up a Firewall Manager administrator account, see [AWS Firewall Manager prerequisites](fms-prereq.md).

1. In the navigation pane, choose **Security policies**.

1. Choose **Create policy**.

1. For **Policy type**, choose **Palo Alto Networks Cloud NGFW**. If you haven't already subscribed to the Palo Alto Networks Cloud NGFW service in the AWS Marketplace, you'll need to do that first. To subscribe in the AWS Marketplace, choose **View AWS Marketplace details**.

1. For **Deployment model**, choose either the **Distributed model** or **Centralized model**. The deployment model determines how Firewall Manager manages endpoints for the policy. With the distributed model, Firewall Manager maintains firewall endpoints in each VPC that's within policy scope. With the centralized model, Firewall Manager maintains a single endpoint in an inspection VPC.

1. For **Region**, choose an AWS Region. To protect resources in multiple Regions, you must create separate policies for each Region. 

1. Choose **Next**.

1. For **Policy name**, enter a descriptive name.

1. In the policy configuration, choose the Palo Alto Networks Cloud NGFW firewall policy to associate with this policy. The list of Palo Alto Networks Cloud NGFW firewall policies contains all of the Palo Alto Networks Cloud NGFW firewall policies that are associated with your Palo Alto Networks Cloud NGFW tenant. For information about creating and managing Palo Alto Networks Cloud NGFW firewall policies, see the *[Deploy Palo Alto Networks Cloud NGFW for AWS with the AWS Firewall Manager](https://docs.paloaltonetworks.com/cloud-ngfw/aws/cloud-ngfw-on-aws/getting-started-with-cloud-ngfw-for-aws/deploy-cloud-ngfw-for-aws-with-the-aws-firewall-manager.html)* topic in the *Palo Alto Networks Cloud NGFW for AWS deployment guide*.

1. For **Palo Alto Networks Cloud NGFW logging - optional**, optionally choose which Palo Alto Networks Cloud NGFW log type(s) to log for your policy. For information about Palo Alto Networks Cloud NGFW log types, see [Configure Logging for Palo Alto Networks Cloud NGFW on AWS](https://docs.paloaltonetworks.com/cloud-ngfw/aws/cloud-ngfw-on-aws/create-cloud-ngfw-instances-and-endpoints/configure-logging-for-the-cloud-ngfw-on-aws.html) in the *Palo Alto Networks Cloud NGFW for AWS deployment guide*.

   For **log destination**, specify where Firewall Manager should write the logs.

1. Choose **Next**.

1. Under **Configure third-party firewall endpoint** do one of the following, depending on whether you're using the distributed or centralized deployment model to create your firewall endpoints:
   + If you're using the distributed deployment model for this policy, under **Availability Zones**, select which Availability Zones to create firewall endpoints in. You can select Availability Zones by **Availability Zone name** or by **Availability Zone ID**.
   + If you're using the centralized deployment model for this policy, in **AWS Firewall Manager endpoint configuration** under **Inspection VPC configuration**, enter the AWS account ID of the owner of the inspection VPC, and the VPC ID of the inspection VPC.
     + Under **Availability Zones**, select which Availability Zones to create firewall endpoints in. You can select Availability Zones by **Availability Zone name** or by **Availability Zone ID**.

1. Choose **Next**.

1. For **Policy scope**, under **AWS accounts this policy applies to**, choose the option as follows: 
   + If you want to apply the policy to all accounts in your organization, leave the default selection, **Include all accounts under my AWS organization**. 
   + If you want to apply the policy only to specific accounts or accounts that are in specific AWS Organizations organizational units (OUs), choose **Include only the specified accounts and organizational units**, and then add the accounts and OUs that you want to include. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time. 
   + If you want to apply the policy to all but a specific set of accounts or AWS Organizations organizational units (OUs), choose **Exclude the specified accounts and organizational units, and include all others**, and then add the accounts and OUs that you want to exclude. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time. 

   You can only choose one of the options. 

   After you apply the policy, Firewall Manager automatically evaluates any new accounts against your settings. For example, if you include only specific accounts, Firewall Manager doesn't apply the policy to any new accounts. As another example, if you include an OU, when you add an account to the OU or to any of its child OUs, Firewall Manager automatically applies the policy to the new account.

   The **Resource type** for Palo Alto Networks Cloud NGFW policies is **VPC**. 

1. For **Resources**, you can narrow the scope of the policy using tagging, by either including or excluding resources with the tags that you specify. You can use inclusion or exclusion, and not both. For more information about tags to define policy scope, see [Using the AWS Firewall Manager policy scope](policy-scope.md).

   Resource tags can only have non-null values. If you omit the value for a tag, Firewall Manager saves the tag with an empty string value: "". Resource tags only match with tags that have the same key and the same value. 

1. For **Grant cross-account access**, choose **Download CloudFormation template**. This downloads a CloudFormation template that you can use to create a CloudFormation stack. This stack creates an AWS Identity and Access Management role that grants Firewall Manager cross-account permissions to manage Palo Alto Networks Cloud NGFW resources. For information about stacks, see [Working with stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/gsg/stacks.html) in the *CloudFormation User Guide*.

1. Choose **Next**.

1. For **Policy tags**, add any identifying tags that you want to add to the Firewall Manager policy resource. For more information about tags, see [Working with Tag Editor](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/tag-editor.html).

1. Choose **Next**.

1. Review the new policy settings and return to any pages where you need to make adjustments. 

   Check to be sure that **Policy actions** is set to **Identify resources that don’t comply with the policy rules, but don’t auto remediate.** This allows you to review the changes that your policy would make before you enable them. 

1. When you are satisfied with the policy, choose **Create policy**.

   In the **AWS Firewall Manager policies** pane, your policy should be listed. It will probably indicate **Pending** under the accounts headings and it will indicate the status of the **Automatic remediation** setting. The creation of a policy can take several minutes. After the **Pending** status is replaced with account counts, you can choose the policy name to explore the compliance status of the accounts and resources. For information, see [Viewing compliance information for an AWS Firewall Manager policy](fms-compliance.md).

For more information about Firewall Manager Palo Alto Networks Cloud NGFW policies, see [Using Palo Alto Networks Cloud NGFW policies for Firewall Manager](cloud-ngfw-policies.md).
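The account/OU scope options in the policy scope step above, and the resource-tag scope rules repeated in each procedure on this page (omitted tag values saved as the empty string, matches only on identical key and value, inclusion or exclusion but not both), can be modelled to predict which accounts and resources a policy will reach. The following is an added example, not code from the AWS documentation; the `IncludeMap`/`ExcludeMap`, `ResourceTags` and `ExcludeResourceTags` shapes are modelled on the Firewall Manager Policy API (assumed shapes; verify against the API reference), the organization tree is constructed, and the rule that a resource must carry every specified tag is an assumption.

```python
"""Scope evaluator for Firewall Manager policies: which accounts and resources
fall within a policy's scope? Added example, not AWS documentation code."""
from typing import Optional

# Constructed organization tree (placeholder IDs): OU id -> child OUs and accounts.
ORG = {
    "r-root": {"ous": ["ou-prod", "ou-dev"], "accounts": ["111111111111"]},
    "ou-prod": {"ous": ["ou-prod-eu"], "accounts": ["222222222222"]},
    "ou-prod-eu": {"ous": [], "accounts": ["333333333333"]},
    "ou-dev": {"ous": [], "accounts": ["444444444444"]},
}


def accounts_in_ou(org: dict, ou_id: str) -> set[str]:
    """Accounts in an OU and, recursively, in every child OU. Specifying an OU
    means all of these, so an account added to a child OU later is covered too."""
    node = org[ou_id]
    found = set(node["accounts"])
    for child in node["ous"]:
        found |= accounts_in_ou(org, child)
    return found


def _expand(org: dict, scope_map: Optional[dict]) -> set[str]:
    """Turn an IncludeMap/ExcludeMap ({"ACCOUNT": [...], "ORG_UNIT": [...]}) into
    the concrete set of account IDs it names against the current org tree."""
    if not scope_map:
        return set()
    accounts = set(scope_map.get("ACCOUNT", []))
    for ou in scope_map.get("ORG_UNIT", []):
        accounts |= accounts_in_ou(org, ou)
    return accounts


def account_in_scope(policy: dict, org: dict, account_id: str) -> bool:
    include = policy.get("IncludeMap")
    exclude = policy.get("ExcludeMap")
    if include and exclude:
        raise ValueError("a policy uses either an include map or an exclude map, not both")
    if include:   # only the listed accounts and current OU members
        return account_id in _expand(org, include)
    if exclude:   # every account except the listed accounts and OU members
        return account_id not in _expand(org, exclude)
    return True   # no map at all: every account in the organization


def _tag_dict(tags: list[dict]) -> dict[str, str]:
    """Firewall Manager saves an omitted tag value as the empty string, and tags
    match only on identical key and value, so normalize a missing value to ""."""
    return {t["Key"]: (t.get("Value") or "") for t in tags}


def resource_in_scope(policy: dict, resource_tags: list[dict]) -> bool:
    wanted = _tag_dict(policy.get("ResourceTags", []))
    if not wanted:
        return True   # no tag filter: every resource of the policy's resource type
    have = _tag_dict(resource_tags)
    # Assumption: a resource "has the tags" when every specified key/value is present.
    matches = all(have.get(key) == value for key, value in wanted.items())
    return (not matches) if policy.get("ExcludeResourceTags") else matches


# Constructed policies covering the three account-scope options plus tag scope.
POLICY_PROD_OU = {
    "IncludeMap": {"ORG_UNIT": ["ou-prod"]},
    "ResourceTags": [{"Key": "env", "Value": "prod"}],
    "ExcludeResourceTags": False,
}
POLICY_ALL_BUT_DEV = {
    "ExcludeMap": {"ACCOUNT": ["444444444444"]},
    "ResourceTags": [{"Key": "fms-skip"}],   # value omitted: stored as ""
    "ExcludeResourceTags": True,
}
POLICY_EVERYTHING = {}

if __name__ == "__main__":
    for account in sorted(_expand(ORG, {"ORG_UNIT": ["r-root"]})):
        print(account, account_in_scope(POLICY_PROD_OU, ORG, account),
              account_in_scope(POLICY_ALL_BUT_DEV, ORG, account))
```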

# Setting up AWS Firewall Manager Fortigate CNF policies
<a name="getting-started-fms-fortigate-cnf"></a>

Fortigate Cloud Native Firewall (CNF) as a Service is a third-party firewall service that you can use for your AWS Firewall Manager policies. With Fortigate CNF for Firewall Manager, you can create and centrally deploy Fortigate CNF resources and policy sets across all of your AWS accounts. To use AWS Firewall Manager to enable Fortigate CNF policies, perform the following steps in sequence. For more information about Fortigate CNF policies, see [Using Fortigate Cloud Native Firewall (CNF) as a Service policies for Firewall Manager](fortigate-cnf-policies.md).

**Topics**
+ [Step 1: Completing the general prerequisites](#complete-fms-prereq-fortigate-cnf)
+ [Step 2: Completing the Fortigate CNF policy prerequisites](#complete-prereq-fortigate-cnf)
+ [Step 3: Creating and applying a Fortigate CNF policy](#get-started-fms-fortigate-cnf-create-policy)

## Step 1: Completing the general prerequisites
<a name="complete-fms-prereq-fortigate-cnf"></a>

There are several mandatory steps to prepare your account for AWS Firewall Manager. Those steps are described in [AWS Firewall Manager prerequisites](fms-prereq.md). Complete all the prerequisites before proceeding to the next step.

## Step 2: Completing the Fortigate CNF policy prerequisites
<a name="complete-prereq-fortigate-cnf"></a>

There are additional mandatory steps that you must complete in order to use Fortigate CNF policies. Those steps are described in [Fortigate Cloud Native Firewall (CNF) as a Service policy prerequisites](fms-third-party-prerequisites.md#fms-fortigate-cnf-prerequisites). Complete all the prerequisites before proceeding to the next step.

## Step 3: Creating and applying a Fortigate CNF policy
<a name="get-started-fms-fortigate-cnf-create-policy"></a>

After completing the prerequisites, you create an AWS Firewall Manager Fortigate CNF policy.

For more information about Firewall Manager policies for Fortigate CNF, see [Using Fortigate Cloud Native Firewall (CNF) as a Service policies for Firewall Manager](fortigate-cnf-policies.md).

**To create a Firewall Manager policy for Fortigate CNF (console)**

1. Sign in to the AWS Management Console using your Firewall Manager administrator account, and then open the Firewall Manager console at [https://console.aws.amazon.com/wafv2/fmsv2](https://console.aws.amazon.com/wafv2/fmsv2). For information about setting up a Firewall Manager administrator account, see [AWS Firewall Manager prerequisites](fms-prereq.md).

1. In the navigation pane, choose **Security policies**.

1. Choose **Create policy**.

1. For **Policy type**, choose **Fortigate CNF**. If you haven't already subscribed to the Fortigate CNF service in the AWS Marketplace, you'll need to do that first. To subscribe in the AWS Marketplace, choose **View AWS Marketplace details**.

1. For **Deployment model**, choose either the **Distributed model** or **Centralized model**. The deployment model determines how Firewall Manager manages endpoints for the policy. With the distributed model, Firewall Manager maintains firewall endpoints in each VPC that's within policy scope. With the centralized model, Firewall Manager maintains a single endpoint in an inspection VPC.

1. For **Region**, choose an AWS Region. To protect resources in multiple Regions, you must create separate policies for each Region. 

1. Choose **Next**.

1. In the policy configuration, choose the Fortigate CNF firewall policy to associate with this policy. The list of Fortigate CNF firewall policies contains all of the Fortigate CNF firewall policies that are associated with your Fortigate CNF tenant. For information about creating and managing Fortigate CNF firewall policies, see the [Fortigate CNF documentation](https://docs.fortinet.com/product/fortigate-cnf).

1. Choose **Next**.

1. Under **Configure third-party firewall endpoint** do one of the following, depending on whether you're using the distributed or centralized deployment model to create your firewall endpoints:
   + If you're using the distributed deployment model for this policy, under **Availability Zones**, select which Availability Zones to create firewall endpoints in. You can select Availability Zones by **Availability Zone name** or by **Availability Zone ID**.
   + If you're using the centralized deployment model for this policy, in **AWS Firewall Manager endpoint configuration** under **Inspection VPC configuration**, enter the AWS account ID of the owner of the inspection VPC, and the VPC ID of the inspection VPC.
     + Under **Availability Zones**, select which Availability Zones to create firewall endpoints in. You can select Availability Zones by **Availability Zone name** or by **Availability Zone ID**.

1. Choose **Next**.

1. For **Policy scope**, under **AWS accounts this policy applies to**, choose the option as follows: 
   + If you want to apply the policy to all accounts in your organization, leave the default selection, **Include all accounts under my AWS organization**. 
   + If you want to apply the policy only to specific accounts or accounts that are in specific AWS Organizations organizational units (OUs), choose **Include only the specified accounts and organizational units**, and then add the accounts and OUs that you want to include. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time. 
   + If you want to apply the policy to all but a specific set of accounts or AWS Organizations organizational units (OUs), choose **Exclude the specified accounts and organizational units, and include all others**, and then add the accounts and OUs that you want to exclude. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time. 

   You can only choose one of the options. 

   After you apply the policy, Firewall Manager automatically evaluates any new accounts against your settings. For example, if you include only specific accounts, Firewall Manager doesn't apply the policy to any new accounts. As another example, if you include an OU, when you add an account to the OU or to any of its child OUs, Firewall Manager automatically applies the policy to the new account.

   The **Resource type** for Fortigate CNF policies is **VPC**. 

1. For **Resources**, you can narrow the scope of the policy using tagging, by either including or excluding resources with the tags that you specify. You can use either inclusion or exclusion, but not both. For more information about using tags to define policy scope, see [Using the AWS Firewall Manager policy scope](policy-scope.md).

   Resource tags can only have non-null values. If you omit the value for a tag, Firewall Manager saves the tag with an empty string value: "". Resource tags only match with tags that have the same key and the same value. 

1. For **Grant cross-account access**, choose **Download CloudFormation template**. This downloads a CloudFormation template that you can use to create a CloudFormation stack. This stack creates an AWS Identity and Access Management role that grants Firewall Manager cross-account permissions to manage Fortigate CNF resources. For information about stacks, see [Working with stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/gsg/stacks.html) in the *CloudFormation User Guide*. To create a stack, you'll need the account ID from the Fortigate CNF portal.

1. Choose **Next**.

1. For **Policy tags**, add any identifying tags that you want to add to the Firewall Manager policy resource. For more information about tags, see [Working with Tag Editor](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/tag-editor.html).

1. Choose **Next**.

1. Review the new policy settings and return to any pages where you need to make adjustments. 

   Check to be sure that **Policy actions** is set to **Identify resources that don’t comply with the policy rules, but don’t auto remediate.** This allows you to review the changes that your policy would make before you enable them. 

1. When you are satisfied with the policy, choose **Create policy**.

   In the **AWS Firewall Manager policies** pane, your policy should be listed. It will probably indicate **Pending** under the accounts headings and it will indicate the status of the **Automatic remediation** setting. The creation of a policy can take several minutes. After the **Pending** status is replaced with account counts, you can choose the policy name to explore the compliance status of the accounts and resources. For information, see [Viewing compliance information for an AWS Firewall Manager policy](fms-compliance.md).
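The **Policy scope** and **Resources** steps above describe how Firewall Manager decides which accounts and resources a policy covers: one account selection mode only (all, include, or exclude), OU membership that recurses into child OUs and picks up accounts added later, and tag filters that match only on an identical key and value, with an omitted value stored as `""`. The following is an added example, not AWS or Firewall Manager code, that models those rules on a constructed organization tree with placeholder account IDs; it assumes that, when several policy tags are given, a resource must carry all of them, which this page does not state.

```python
from dataclasses import dataclass, field

# Constructed sample organization: OU -> (child OUs, directly attached accounts).
# OU names and 12-digit account IDs are placeholders, not real identifiers.
ORG = {
    "r-root":     {"children": ["ou-prod", "ou-dev"], "accounts": ["111111111111"]},
    "ou-prod":    {"children": ["ou-prod-eu"],        "accounts": ["222222222222"]},
    "ou-prod-eu": {"children": [],                    "accounts": ["333333333333"]},
    "ou-dev":     {"children": [],                    "accounts": ["444444444444"]},
}

def accounts_under(ou, org=ORG):
    """All accounts in an OU and, recursively, in every child OU."""
    found = set(org[ou]["accounts"])
    for child in org[ou]["children"]:
        found |= accounts_under(child, org)
    return found

@dataclass
class PolicyScope:
    mode: str = "all"          # "all" | "include" | "exclude": only one may be chosen
    accounts: set = field(default_factory=set)
    ous: set = field(default_factory=set)
    tag_mode: str = "none"     # "none" | "include" | "exclude": only one may be chosen
    tags: dict = field(default_factory=dict)

def account_in_scope(scope, account_id, org=ORG):
    """Does the policy apply to this account? The OU expansion is evaluated each
    time, so an account added to an included OU later is covered automatically."""
    selected = set(scope.accounts)
    for ou in scope.ous:
        selected |= accounts_under(ou, org)
    if scope.mode == "include":
        return account_id in selected
    if scope.mode == "exclude":
        return account_id not in selected
    return True

def resource_in_scope(scope, resource_tags):
    """Tag filter: a policy tag matches only a resource tag with the same key and
    the same value; an omitted policy tag value is stored as "". Assumption of
    this example: with several policy tags, the resource must carry all of them."""
    matched = all(resource_tags.get(k) == (v or "") for k, v in scope.tags.items())
    if scope.tag_mode == "include":
        return matched
    if scope.tag_mode == "exclude":
        return not matched
    return True
```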

For more information about Firewall Manager Fortigate CNF policies, see [Using Fortigate Cloud Native Firewall (CNF) as a Service policies for Firewall Manager](fortigate-cnf-policies.md).