Networking requirements
The CloudFormation template performs deployment and configuration tasks that involve network traffic between the existing SMC and the NGFW engines, which are installed on AWS as EC2 instances. Therefore, network traffic to and from AWS and on-premises locations must be allowed accordingly.
For more information on how to identify the ports and protocols that must be allowed for SMC API, NGFW engine, and IPsec network traffic, see Default communication ports in the Next Generation Firewall Product Guide.