Orchestrate a VM-Series Firewall Deployment in AWS
Table of Contents
Expand all | Collapse all
-
- VM-Series Deployments
- VM-Series in High Availability
- IPv6 Support on Public Cloud
- Enable Jumbo Frames on the VM-Series Firewall
- Hypervisor Assigned MAC Addresses
- Custom PAN-OS Metrics Published for Monitoring
- Interface Used for Accessing External Services on the VM-Series Firewall
- PacketMMAP and DPDK Driver Support
- Enable NUMA Performance Optimization on the VM-Series
- Enable ZRAM on the VM-Series Firewall
-
- Licensing and Prerequisites for Virtual Systems Support on VM-Series
- System Requirements for Virtual Systems Support on VM-Series
- Enable Multiple Virtual Systems Support on VM-Series Firewall
- Enable Multiple Virtual Systems Support on VM-Series in Panorama Console
- Enable Multiple Virtual Systems Support Using Bootstrap Method
-
- VM-Series Firewall Licensing
- Create a Support Account
- Serial Number and CPU ID Format for the VM-Series Firewall
- Use Panorama-Based Software Firewall License Management
-
- Activate Credits
- Create a Deployment Profile
- Activate the Deployment Profile
- Manage a Deployment Profile
- Register the VM-Series Firewall (Software NGFW Credits)
- Provision Panorama
- Migrate Panorama to a Software NGFW License
- Transfer Credits
- Renew Your Software NGFW Credits
- Deactivate License (Software NGFW Credits)
- Delicense Ungracefully Terminated Firewalls
- Set the Number of Licensed vCPUs
- Customize Dataplane Cores
- Migrate a Firewall to a Flexible VM-Series License
-
- Generate Your OAuth Client Credentials
- Manage Deployment Profiles Using the Licensing API
- Create a Deployment Profile Using the Licensing API
- Update a Deployment Profile Using the Licensing API
- Get Serial Numbers Associated with an Authcode Using the API
- Deactivate a VM-Series Firewall Using the API
- What Happens When Licenses Expire?
-
- Supported Deployments on VMware vSphere Hypervisor (ESXi)
-
- Plan the Interfaces for the VM-Series for ESXi
- Provision the VM-Series Firewall on an ESXi Server
- Perform Initial Configuration on the VM-Series on ESXi
- Add Additional Disk Space to the VM-Series Firewall
- Use VMware Tools on the VM-Series Firewall on ESXi and vCloud Air
- Use vMotion to Move the VM-Series Firewall Between Hosts
- Use the VM-Series CLI to Swap the Management Interface on ESXi
- Configure Link Aggregation Control Protocol
-
-
- Supported Deployments of the VM-Series Firewall on VMware NSX-T (North-South)
- Components of the VM-Series Firewall on NSX-T (North-South)
-
- Install the Panorama Plugin for VMware NSX
- Enable Communication Between NSX-T Manager and Panorama
- Create Template Stacks and Device Groups on Panorama
- Configure the Service Definition on Panorama
- Deploy the VM-Series Firewall
- Direct Traffic to the VM-Series Firewall
- Apply Security Policy to the VM-Series Firewall on NSX-T
- Use vMotion to Move the VM-Series Firewall Between Hosts
- Extend Security Policy from NSX-V to NSX-T
-
- Components of the VM-Series Firewall on NSX-T (East-West)
- VM-Series Firewall on NSX-T (East-West) Integration
- Supported Deployments of the VM-Series Firewall on VMware NSX-T (East-West)
-
- Install the Panorama Plugin for VMware NSX
- Enable Communication Between NSX-T Manager and Panorama
- Create Template Stacks and Device Groups on Panorama
- Configure the Service Definition on Panorama
- Launch the VM-Series Firewall on NSX-T (East-West)
- Add a Service Chain
- Direct Traffic to the VM-Series Firewall
- Apply Security Policies to the VM-Series Firewall on NSX-T (East-West)
- Use vMotion to Move the VM-Series Firewall Between Hosts
-
- Install the Panorama Plugin for VMware NSX
- Enable Communication Between NSX-T Manager and Panorama
- Create Template Stacks and Device Groups on Panorama
- Configure the Service Definition on Panorama
- Launch the VM-Series Firewall on NSX-T (East-West)
- Create Dynamic Address Groups
- Create Dynamic Address Group Membership Criteria
- Generate Steering Policy
- Generate Steering Rules
- Delete a Service Definition from Panorama
- Migrate from VM-Series on NSX-T Operation to Security Centric Deployment
- Extend Security Policy from NSX-V to NSX-T
- Use In-Place Migration to Move Your VM-Series from NSX-V to NSX-T
-
-
- Deployments Supported on AWS
-
- Planning Worksheet for the VM-Series in the AWS VPC
- Launch the VM-Series Firewall on AWS
- Launch the VM-Series Firewall on AWS Outpost
- Create a Custom Amazon Machine Image (AMI)
- Encrypt EBS Volume for the VM-Series Firewall on AWS
- Use the VM-Series Firewall CLI to Swap the Management Interface
- Enable CloudWatch Monitoring on the VM-Series Firewall
- VM-Series Firewall Startup and Health Logs on AWS
- Use AWS Secrets Manager to Store VM-Series Certificates
- Use Case: Secure the EC2 Instances in the AWS Cloud
- Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC
-
- Intelligent Traffic Offload
- Software Cut-through Based Offload
-
- Deployments Supported on Azure
- Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template)
- Deploy the VM-Series Firewall from the Azure China Marketplace (Solution Template)
- Deploy the VM-Series with the Azure Gateway Load Balancer
- Create a Custom VM-Series Image for Azure
- Deploy the VM-Series Firewall on Azure Stack
- Deploy the VM-Series Firewall on Azure Stack HCI
- Enable Azure Application Insights on the VM-Series Firewall
- Set up Active/Passive HA on Azure
- Use Azure Key Vault to Store VM-Series Certificates
- Use the ARM Template to Deploy the VM-Series Firewall
-
- About the VM-Series Firewall on Google Cloud Platform
- Supported Deployments on Google Cloud Platform
- Create a Custom VM-Series Firewall Image for Google Cloud Platform
- Prepare to Set Up VM-Series Firewalls on Google Public Cloud
-
- Deploy the VM-Series Firewall from Google Cloud Platform Marketplace
- Management Interface Swap for Google Cloud Platform Load Balancing
- Use the VM-Series Firewall CLI to Swap the Management Interface
- Enable Google Stackdriver Monitoring on the VM Series Firewall
- Enable VM Monitoring to Track VM Changes on Google Cloud Platform (GCP)
- Use Dynamic Address Groups to Secure Instances Within the VPC
- Use Custom Templates or the gcloud CLI to Deploy the VM-Series Firewall
- Enable Session Resiliency on VM-Series for GCP
-
- Prepare Your ACI Environment for Integration
-
-
- Create a Virtual Router and Security Zone
- Configure the Network Interfaces
- Configure a Static Default Route
- Create Address Objects for the EPGs
- Create Security Policy Rules
- Create a VLAN Pool and Domain
- Configure an Interface Policy for LLDP and LACP for East-West Traffic
- Establish the Connection Between the Firewall and ACI Fabric
- Create a VRF and Bridge Domain
- Create an L4-L7 Device
- Create a Policy-Based Redirect
- Create and Apply a Service Graph Template
-
- Create a VLAN Pool and External Routed Domain
- Configure an Interface Policy for LLDP and LACP for North-South Traffic
- Create an External Routed Network
- Configure Subnets to Advertise to the External Firewall
- Create an Outbound Contract
- Create an Inbound Web Contract
- Apply Outbound and Inbound Contracts to the EPGs
- Create a Virtual Router and Security Zone for North-South Traffic
- Configure the Network Interfaces
- Configure Route Redistribution and OSPF
- Configure NAT for External Connections
-
-
- Choose a Bootstrap Method
- VM-Series Firewall Bootstrap Workflow
- Bootstrap Package
- Bootstrap Configuration Files
- Generate the VM Auth Key on Panorama
- Create the bootstrap.xml File
- Prepare the Licenses for Bootstrapping
- Prepare the Bootstrap Package
- Bootstrap the VM-Series Firewall on AWS
- Bootstrap the VM-Series Firewall on Azure
- Bootstrap the VM-Series Firewall on Azure Stack HCI
- Bootstrap the VM-Series Firewall on Google Cloud Platform
- Verify Bootstrap Completion
- Bootstrap Errors
Orchestrate a VM-Series Firewall Deployment in AWS
Complete the following procedure to orchestrate
a VM-Series firewall deployment in AWS.
Panorama deployments
on AWS with an instance profile is not supported when deployed behind
a proxy.
- Log on to the Panorama web interface.Install Panorama plugin for AWS 3.0.1 or later.To upgrade the Panorama plugin for AWS to version 3.0.1, you must first upgrade the plugin to version 2.0.2. After you install the AWS plugin version 3.0.1 you cannot downgrade to version 2.0.x or below.If you have a Panorama HA configuration, repeat the installation/upgrade process on each Panorama peer.If you currently have a Panorama plugin for any cloud platform installed, installing (or uninstalling) an additional plugin requires a Panorama reboot so that you can commit changes.Configure IAM Roles for AWS Plugin in PanoramaSelect PanoramaPluginsAWSDeployments to Add a new deployment.Enter the generic details of the deployment in the General tab.
- Enter a Name and an optional Description to identify the deployment in Panorama and AWS cloud.
- Select an IAM Role from the drop-down.
The list displays IAM roles that has valid or partially valid deployment
permissions.Once an IAM role has been created and added to you deployment, you can edit information in the IAM (such as secret key and access key). However, you cannot edit the name of the IAM role. To change the name, you must delete the IAM and create another.
Enter the Security VPC related information in the Security VPC tab.- Select the AWS Region in which you intend to launch the deployment. The list displays regions based on the selected IAM role.
- Enter a VPC CIDR value to create resources in the Security VPC. This CIDR will be managed by the AWS plugin.
- Select two or more Availability Zones from the pre-populated list and follow the same mapping in AWS. This list is populated based on the region you selected.
Select FirewallImage and enter the following details.- License Type—The standard
license types Bring Your Own License (BYOL), Pay
As you Go-Marketplace-Bundle1, and Pay As
you Go-Marketplace-Bundle2 are provided as options in
the drop-down (based on the selected regions). If you select Bring
Your Own License, be prepared to enter a license authcode.Pay as you go Bundle 1 and Bundle 2 cannot be used with an AMI custom image.
- (Optional—Appears only if you choose Bring Your Own License license type) License Authcode—Enter the authcode for your BYOL. This authcode determines which instance types appear on the Instance Type drop-down.
- Instance Type—Choose supported instance types from the drop-down. This list is derived from the license authcode.
- Image Type—Select Marketplace Image or Custom Image.If you select Marketplace Image, select from the drop-down, PanOS Version 10.0.5 or later supported in the regions you selected when you configured the Security VPC.If you select Custom Image, enter the Amazon Machine Image (AMI) ID and select a PanOS Version 10.0.5 or later.
- Device Certificate—The device certificate is generated on the
Customer Support portal, and enables you to retrieve your site license
entitlements for AutoFocus or Strata Logging Service. Select
Disable if you are not using these licenses. To
configure the device certificate PIN, select Enable
and enter the following information:PIN ID—Enter the PIN ID.Confirm PIN ID—Re-enter the PIN ID.PIN Value—Enter the PIN.Confirm VM PIN Value—Re-enter the PIN.
Select FirewallBasic and enter the following details.- AWS Key Name—The name of a SSH key you will use to log into the firewalls after they are deployed. This key is bootstrapped into the firewall and can be used for debugging when the firewall is up and running.
- Existing Device Group—If you select No, the plugin creates format of the device group name. If you select Yes, select an existing Device Group from the drop-down list.
- Primary Panorama IP—The IP address of the Panorama you are using. The
drop-down displays public and private IP addresses on the management
interface. Select an IP address from the drop-down.If you deployed Panorama behind a proxy, you must manually enter the public IP of the primary Panorama under PanoramaSetupInterfaces.If Panorama private IP is used, routes may need to be added to the AWS Route Tables for plugin deployed firewall subnets and existing Panorama subnet, in order to facilitate connectivity between the newly deployed firewalls and Panorama.
- Secondary Panorama IP—If you have
a Panorama HA, the drop-down displays the IP addresses on the management
interface of the secondary device. Select an IP address from the
drop-down.If the secondary Panorama has a public IP address, it may not appear in the drop-down. In this case, you must manually add the IP address of the secondary Panorama.
- Min Firewalls—The minimum number of firewalls in an Auto Scaling Group (ASG). A value between 1 and 25.
- Max Firewalls—The maximum number of firewalls in an ASG. A value between 2 and 25.
- FirewallInstanceARN—From the drop-down, choose the assume RoleARN created on AWS cloud that is associated with the firewall instance to publish autoscaling metrics. The drop-down displays only the RoleARNs you entered on the SetupIAM Roles page.
(Optional) Select FirewallAdvanced and enter the following details.- Autoscaling Metric—Choose a metric from the drop-down: Data Plane CPU Util Percent (default), Active Sessions, Data Plane Packet Buffer Util Percent, or Session Util Percent.
- Scale In Threshold—Choose a value for the scale in threshold. The value depends on your chosen metric.
- Scale Out Threshold—Choose a value for the scale out threshold. The value depends on your chosen metric.
- Scale Out Threshold—Choose a value for the scale out threshold. The value depends on your chosen metric.
- Jumbo Frame—Disabled by default. You can only enable this option when preparing the initial deployment. Select Enable to enable jumbo frame support on the firewall.
Select whether to connect to a Transit Gateway to handle traffic routing across Security VPC and Application VPC.- Choose if you want to Connect to TGW.
If you select Yes, be prepared to enter a
TGW ID to which you want to attach the Security VPC.This configuration is required for Outbound or East-West traffic flows only.
- (Optional) Select a TGW ID to
which you want to attach the Security VPC.You have to share the TGW if you want to use them across accounts. You can share it using Resource Access Manager (RAM) on AWS. Create RAM based on the account where the TGW is located.
- Select Application Account Names.
If the TGW and Security VPC are in the same account, select the
Application Account with which you want to share the TGW. The plugin
creates the RAM on the Security Account to share the TGW across
the selected Application accounts. You must accept the invitation
for RAM on the account you select here.If the TGW and Security VPC are in the same account, select an Application account with which you want to share the TGW. If the TGW is in an Application account, make sure that the TGW is shared on RAM.If the TGW is in an Application account (other than the Security account):
- Make sure the TGW is shared with the Security account.
- Use the CFT hyperlink under Setup IAM RolesApplication Account Details. From the CFT, you can create the RAM for the mentioned TGW.
- On the Security account, make sure to go to RAM in the AWS console and accept the request to share the TGW.
Commit to add the deployment and push to firewalls.