What’s New in Panorama Plugin for AWS 2.0.0
The AWS plugin for Panorama version 2.0.0 supports these
new capabilities:
- General Enhancements
- Monitor Virtual Machines
- Secure Kubernetes Services in an AWS Elastic Kubernetes Cluster
Consult the Compatibility Matrix for Panorama plugins for public clouds to
determine the minimum software versions required to support these
features.
General Enhancements
General enhancements in the AWS plugin for Panorama
version 2.0.0 are as follows:
- Ability to use an AWS Assume Role for retrieving instance and VPC metadata. Using an Assume Role lets you set up a trust relationship across AWS accounts with limited access privileges: the role can be assumed only if the request includes the correct sts:ExternalId.
- If your Panorama is deployed on AWS, you can also opt to use an instance profile instead of providing the AWS credentials for the IAM role. The instance profile includes the role information and associated credentials that Panorama needs to digitally sign API calls to the AWS services.
- User-defined tags that include spaces can be retrieved, provided they do not include special characters. In Known Issues in Panorama Plugin for AWS 2.0.x, see PAN-119033.
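The cross-account Assume Role described above is only as safe as its trust policy: a role that any principal in another account can assume without an sts:ExternalId condition is exposed to the confused-deputy problem. The following is an added example, not code from the page or from Palo Alto Networks, that audits an IAM role trust policy and reports cross-account principals allowed to call sts:AssumeRole without an ExternalId condition. The two embedded trust policies, account IDs and the external ID value are constructed placeholders; the exact permissions the plugin needs are not part of this example.

```python
import json

# Constructed sample: trust policy on the role in the monitored account that the
# Panorama plugin (running under a role in a different account) is allowed to
# assume. Account IDs and the external ID are placeholders, not values from the page.
TRUST_POLICY_WITH_EXTERNAL_ID = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/panorama-plugin-role"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }],
})

# Constructed weak sample: the whole trusting account may assume the role and no
# ExternalId is required, so any deputy holding the trusting account's credentials
# could be tricked into assuming it.
TRUST_POLICY_WITHOUT_EXTERNAL_ID = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
    }],
})


def _as_list(value):
    """IAM allows a scalar or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Extract the account ID from an ARN (arn:partition:iam::ACCOUNT:...).

    Non-ARN principals such as "*" are returned unchanged so they never match
    the policy owner's own account.
    """
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else principal


def _has_external_id(condition):
    """True if any String* condition operator constrains sts:ExternalId."""
    for operator, keys in (condition or {}).items():
        if "string" in operator.lower():
            if any(k.lower() == "sts:externalid" for k in keys):
                return True
    return False


def find_unscoped_cross_account_trust(policy_json, own_account):
    """Return principals outside own_account that may assume the role
    without an sts:ExternalId condition."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if "sts:assumerole" not in actions and "sts:*" not in actions:
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        for principal in principals:
            if _account_of(principal) == own_account:
                continue  # same-account trust is outside the ExternalId pattern
            if not _has_external_id(stmt.get("Condition")):
                findings.append(principal)
    return findings


if __name__ == "__main__":
    # The monitored account (policy owner) is 222222222222 in this constructed example.
    for name, doc in (("with ExternalId", TRUST_POLICY_WITH_EXTERNAL_ID),
                      ("without ExternalId", TRUST_POLICY_WITHOUT_EXTERNAL_ID)):
        print(name, "->", find_unscoped_cross_account_trust(doc, "222222222222"))
```

Run it against the trust-policy document returned by `aws iam get-role` for the role the plugin assumes; an empty result for the weak sample would indicate the check is misconfigured, and any listed principal is a cross-account trust that should gain an sts:ExternalId condition matching the value configured in the plugin.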
Monitor Virtual Machines
VM Monitoring has been enhanced as follows:
- VM Monitoring is supported on AWS public cloud, AWS GovCloud, and AWS China.
- Monitor up to 1000 VPCs in one or more AWS accounts.
- Granularly select the AWS tags that you want Panorama to retrieve and push to the firewalls associated with the Device Groups within a Notify group. You can now choose whether to send all 32 tags, or only a combination of the selected predefined tags and user-defined tags that you want to use with dynamic address groups in Security policy.
- Dynamic address groups can include virtual machines across both private and public cloud environments, enabling you to consistently enforce Security policy for all virtual machines that match your criteria. If, for example, you want to retrieve IP address and tag mapping information for all virtual machine instances across AWS VPCs, Azure VNets, and your vCenter environment, you can use the Panorama plugins for AWS and Azure, and enable VM Information Sources on the firewall to monitor your vCenter environment. As long as you apply the same tags to all your virtual machines, Panorama can retrieve the IP addresses that map to the tags you have defined as the match criteria in your dynamic address group, and enforce Security policy consistently across all cloud environments.
Secure Kubernetes Services in an AWS Elastic Kubernetes Cluster
AWS plugin for Panorama version 2.0.0 Elastic Kubernetes
Service (EKS) capabilities enable you to secure North-South traffic
to EKS clusters and monitor outbound traffic from EKS clusters:
- The plugin enables you to secure North-South traffic in AWS EKS environments in which you have deployed VM-Series firewalls. After you configure the plugin on Panorama to communicate with an EKS cluster, the plugin uses the Kubernetes APIs to retrieve information from each service that has an exposed IP address or fully-qualified domain name (FQDN). With this information the plugin creates NAT rules in Panorama to enforce Security policy and ensure inbound service traffic passes through the VM-Series firewalls. To secure inbound traffic to the cluster, push your configuration to your managed VM-Series firewalls.
- The plugin also enables you to monitor outbound traffic from EKS clusters.