Developed by Amazon, one of the biggest technology companies in the world, AWS Firewall Manager is a web application firewall that protects users against common web exploits and bots by configuring and managing web application firewall rules for all users in an organization.

The firewall enables users to monitor their web requests and block or allow them based on specified conditions. The requests are then forwarded to Amazon CloudFront distributions or an Application Load Balancer to protect users’ applications, whether they run in the cloud or on premises.

The solution significantly simplifies the firewall configuration by integrating with Managed Rules for AWS WAF without any complications, which allows for fast adoption of preconfigured AWS rules. Users also get the ability to filter traffic by custom rules and automation and actively monitor for threats.

The official site is presented in an uninspiring way, often cluttered with textual information that is not very useful for someone who wants to quickly get familiar with the product. 

Users can visit the resource page to get additional information about the product and check out the AWS glossary, training library, case studies, and whitepapers.

Plans and pricing

AWS Firewall Manager supports six types of protection policies: AWS WAF, AWS Shield, Amazon VPC security groups, AWS Network Firewall, Amazon Route 53 Resolver DNS Firewall, and Palo Alto Cloud Next-generation firewalls. AWS Firewall Manager protection policies are priced with a monthly fee per region.

Each of the supported protection policies costs $100.00 per policy per region, billed monthly, except AWS Shield, which is free and comes included with other policies. In other words, the final price will depend on the organization’s needs, the number of users and devices, and the region where the user is located.

Notably, the official site presents various billing scenarios for every protection policy so users can get acquainted with the billing method used by AWS. The site also offers a pricing calculator where users can calculate their monthly AWS costs, or they can opt to contact the AWS specialists directly and get a personalized quote.

The supported payment methods include all of the major credit/debit cards.

AWS Firewall Manager

(Image credit: Amazon)

Features and Functionality

AWS Firewall Manager is a network security management tool whose goal is to centrally configure and simplify firewall rules across all accounts and applications, ensure compliance with mandatory rules, and enable rapid response to network attacks.

The solution provides the flexibility of a single deployment to manage security policies across all apps, accounts, and resources by allowing for global rules. Moreover, it supports hierarchical rules, enabling system administrators to create and deploy organization-wide rules while at the same time allowing for specific user or application rules. 

Firewall Manager automatically monitors for new resources (like ALB or CloudFront) and accounts across the entire network and notifies the administrator about the discovery. The admin can then choose to apply the existing rules or develop a new set of rules and apply them to the latest resources. This can be handy when the user has to adhere to specific government regulations or wants to block traffic from certain countries.

Another useful feature is the ability to deploy pre-configured rules from the AWS Marketplace to your network. These pre-configured rules are constantly created, monitored, and updated by the most popular vendors like Trustwave, Alert Logic, Fortinet, etc.

Compared to other firewall managers, the AWS Firewall Manager lacks some advanced features, such as automatic threat response and neutralization, compliance reporting, and network modeling features.

Interface and ease of use

Since AWS Firewall Manager does not require users to install any additional software on their operating system (OS), they can use any browser to operate the firewall. However, there are some prerequisites to using the firewall manager: you have to enable AWS Organizations Full Features, enable AWS Config Recorder in all accounts, and designate an account as Firewall Manager Admin.
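
The three prerequisites above can be checked before any policy is created. The following is an added example, not code from AWS or from this review: it evaluates responses shaped like those returned by boto3's `organizations.describe_organization`, `config.describe_configuration_recorder_status` and `fms.get_admin_account` calls. The function name, the per-account dictionary layout and all sample values are assumptions constructed for illustration.

```python
# Added example: evaluate Firewall Manager prerequisites from AWS API responses.
# All sample data below is constructed; account IDs are placeholders.

def check_prerequisites(org_resp, recorders_by_account, fms_admin_resp):
    """Return a list of findings; an empty list means the prerequisites are met."""
    findings = []

    # 1. AWS Organizations must have all features enabled,
    #    not only consolidated billing.
    feature_set = org_resp.get("Organization", {}).get("FeatureSet")
    if feature_set != "ALL":
        findings.append(f"Organizations feature set is {feature_set!r}, expected 'ALL'")

    # 2. Every account needs an AWS Config recorder that is actually recording.
    #    (Assumption: one response per account; Config is regional, so a real
    #    check would repeat this for each region in use.)
    for account_id, resp in sorted(recorders_by_account.items()):
        recorders = resp.get("ConfigurationRecordersStatus", [])
        if not recorders:
            findings.append(f"{account_id}: no AWS Config recorder")
        elif not any(r.get("recording") for r in recorders):
            findings.append(f"{account_id}: AWS Config recorder is stopped")

    # 3. A Firewall Manager administrator account must be designated and ready.
    #    Pass {} here when the API reports that no administrator is set.
    admin = fms_admin_resp.get("AdminAccount")
    status = fms_admin_resp.get("RoleStatus")
    if not admin:
        findings.append("no Firewall Manager administrator account designated")
    elif status != "READY":
        findings.append(f"administrator account {admin} role status is {status!r}")
    return findings

# Constructed sample responses: billing-only organization, one stopped
# recorder, one account without a recorder, administrator ready.
SAMPLE_ORG = {"Organization": {"FeatureSet": "CONSOLIDATED_BILLING"}}
SAMPLE_RECORDERS = {
    "111111111111": {"ConfigurationRecordersStatus": [{"name": "default", "recording": True}]},
    "222222222222": {"ConfigurationRecordersStatus": [{"name": "default", "recording": False}]},
    "333333333333": {"ConfigurationRecordersStatus": []},
}
SAMPLE_FMS = {"AdminAccount": "111111111111", "RoleStatus": "READY"}

if __name__ == "__main__":
    for finding in check_prerequisites(SAMPLE_ORG, SAMPLE_RECORDERS, SAMPLE_FMS):
        print("NOT READY:", finding)
```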

If you have used any of Amazon’s network products before, you will be familiar with the layout and design of the firewall manager interface and dashboard. The interface utilizes a simple design with a list of tabs on the left side of the screen where users can see all available features. 

The advantage of this type of design is that it allows for rapid response to internet attacks. It does that by giving administrators a single, simple-to-use console to monitor real-time threats and respond to them in no time.

By clicking Marketplace in the left-side menu, users can access the marketplace product subscriptions, where they can see the available products and choose to subscribe and apply specific rules to their network. Furthermore, when creating a new policy for the network, users can automatically apply any rule they are subscribed to.

Customer support

AWS Support offers four support plans customers can choose from depending on their needs. 

The first and most basic support plan is the Developer Support used for testing or early development on AWS. Here users receive support during business hours and general architectural guidance as they test the product. 

Business Support is for users who want 24/7 access to engineer technical support, access to Health API, and contextual architectural guidance for their use cases. This type of support is best for users running production workloads on AWS.

Enterprise On-Ramp is somewhat similar to the previous support plan. Its users will receive access to 24/7 engineer technical support, Health API and architectural guidance, and a pool of Technical Account Managers (TAMs) to coordinate access to AWS subject matter experts.

The final support plan is Enterprise Support, best for users who want 24/7 access to technical support from high-quality engineers, tools, and technology to automatically manage the health of their environment, architectural guidance, and a designated TAM to coordinate access to proactive/preventative programs.

All paid AWS Support plans are billed monthly, with no long-term contracts. Monthly fees for the Developer, Business, Enterprise On-Ramp, and Enterprise Support plans are calculated based on each month’s gross AWS charges.

Users can also access the Knowledge Center, a FAQ section on common issues, for additional answers.

Competition

Cisco Secure Firewall is an intrusion detection management system combining firewall and antivirus capabilities. It encompasses a next-generation intrusion prevention system, security tasks automation, and rapid threat containment where users can proactively mitigate risks. Cisco firewall is designed to be used in companies with multiple networking platforms by providing complete control over data and bandwidth distribution.

Similarly, Palo Alto Panorama is a capable network management tool that will provide customers with a comprehensive overview of the entire network security, generated traffic, used applications, and potential risks. It significantly simplifies the network configuration and management process, although for a higher price than AWS. 

Another alternative is FireMon, which offers a comprehensive suite of security management tools that provide complete network security control, help identify vulnerabilities, and help monitor and optimize policies. The software also offers high scalability which includes the ability to add additional servers after deployment. However, it’s a complex process that requires some technical know-how.

Final verdict

AWS Firewall Manager will begin to shine once you’re in a situation requiring managing multi-account resource groups. The solution achieves this by allowing the grouping of resources by account, resource types, or assigned tags. While it considerably simplifies the network configuration process, it lacks some advanced options that the competition offers.