Working with AWS Firewall Manager policies

AWS Firewall Manager provides the following types of policies:

AWS WAF policy – Firewall Manager supports AWS WAF and AWS WAF Classic policies. For both versions, you define which resources are protected by the policy.
- For the AWS WAF policy, you can define a set of rule groups to run first in the web ACL and a set of rule groups to run last. In the accounts where you apply the web ACL, the account owner can add rules and rule groups to run in between the two Firewall Manager rule group sets.
- For AWS WAF Classic, you create a policy that defines a single rule group.
Shield Advanced policy – This policy applies AWS Shield Advanced protection to specified accounts and resources.
Amazon VPC security group policy – This type of policy gives you control over security groups that are in use throughout your organization in AWS Organizations and lets you enforce a baseline set of rules across your organization.
Network Firewall policy – This policy applies AWS Network Firewall protection to your organization's VPCs.
Amazon Route 53 Resolver DNS Firewall policy – This policy applies DNS Firewall protections to your organization's VPCs.
Third-party firewall policy – This policy applies third-party firewall protections. Third-party firewalls are available by subscription through the AWS Marketplace console at AWS Marketplace.
- Palo Alto Networks Cloud NGFW policy – This policy applies Palo Alto Networks Cloud Next Generation Firewall (NGFW) protections and Palo Alto Networks Cloud NGFW rulestacks to your organization's VPCs.
- Fortigate Cloud Native Firewall (CNF) as a Service policy – This policy applies Fortigate Cloud Native Firewall (CNF) as a Service protections. Fortigate CNF is a cloud-centered solution that blocks Zero-Day threats and secures cloud infrastructures with industry-leading advanced threat prevention, smart web application firewalls (WAF), and API protection.

A Firewall Manager policy is specific to the individual policy type. If you want to enforce multiple policy types across accounts, you can create multiple policies. You can create more than one policy for each type.

If you add a new account to an organization that you created with AWS Organizations, Firewall Manager automatically applies the policy to the resources in that account that are within scope of the policy.

General settings for AWS Firewall Manager policies

AWS Firewall Manager managed policies have some common settings and behaviors. For all, you specify a name and define the scope of the policy, and you can use resource tagging to control policy scope. You can choose to view the accounts and resources that are out of compliance without taking corrective action or to automatically remediate noncompliant resources.

For information about policy scope, see AWS Firewall Manager policy scope.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Step 3: Create and apply a Fortigate CNF policy

Creating a policy