Enable CloudWatch Monitoring on the VM-Series Firewall

The VM-Series firewall on AWS can publish native PAN-OS metrics to AWS CloudWatch, which you can use to monitor the firewalls. These metrics let you assess performance and usage patterns and act on them, for example by launching or terminating instances of the VM-Series firewall.
The firewalls use AWS APIs to publish the metrics to a namespace, which is the location on AWS where the metrics are collected at a specified time interval. When you configure the firewalls to publish metrics to AWS CloudWatch, there are two namespaces in which you can view metrics: the primary namespace collects and aggregates the selected metrics for all instances configured to use the namespace, and a secondary namespace, created automatically with the suffix _dimensions, lets you filter the metrics by the hostname and AWS instance ID metadata (the dimensions) to get visibility into the usage and performance of individual VM-Series firewalls.
You can monitor the metrics in CloudWatch, or create auto scaling policies whose alarms fire when a monitored metric reaches a threshold value so that you can take action and deploy a new instance of the firewall. Refer to the AWS CloudWatch and Auto Scaling Groups (ASG) documentation for best practices on setting the alarm conditions for a scale out or scale in action.
For a description of the PAN-OS metrics that you can publish to CloudWatch, see Custom PAN-OS Metrics Published for Monitoring.
  1. Assign the appropriate permissions to the AWS Identity and Access Management (IAM) role that you use to deploy the VM-Series firewall on AWS.
    Whether you launch a new instance of the VM-Series firewall or upgrade an existing VM-Series firewall on AWS, the IAM role associated with your instance must have permission to publish metrics to CloudWatch.
    1. On the AWS console, select IAM.
    2. Edit the IAM role to grant the following permissions:
      You can copy and paste the permissions from here:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [ "cloudwatch:PutMetricData" ],
            "Resource": [ "*" ]
          }
        ]
      }
  2. Enable CloudWatch on the VM-Series firewall on AWS.
    1. Log in to the web interface on the VM-Series firewall.
    2. Select Device > VM-Series.
    3. In AWS CloudWatch Setup, click Edit and select Enable CloudWatch Monitoring.
      1. Enter the CloudWatch Namespace to which the firewall can publish metrics. The namespace cannot begin with AWS.
        The aggregated metrics for all VM-Series firewalls in an HA pair or auto scaling deployment are published to the namespace you entered above. The namespace with the _dimensions suffix, which is created automatically, lets you filter and view metrics for a specific VM-Series firewall using the hostname or AWS instance ID metadata attached to the firewall.
      2. Set the Update Interval to a value between 1 and 60 minutes. This is the frequency at which the firewall publishes the metrics to CloudWatch. The default is 5 minutes.
    4. Commit the changes.
      Until the firewall starts to publish metrics to CloudWatch, you cannot configure alarms for PAN-OS metrics.
  3. Verify that you can see the metrics on CloudWatch.
    1. On the AWS console, select CloudWatch > Metrics to view CloudWatch metrics by category.
    2. From the Custom Metrics drop-down, select the namespace.
      Do not select the default VMseries namespace. This is the seeded data in the VM-Series Firewall. Make sure that you select a different namespace. Also, do not select any namespace that starts with AWS.
    3. Verify that you can see PAN-OS metrics in the viewing list.
      To filter by hostname or AWS Instance ID of a specific firewall, select _dimensions.
  4. Configure alarms and action for PAN-OS metrics on CloudWatch.
    A VM-Series firewall with a bootstrap configuration takes about 7-9 minutes to become available for service, so choose alarm durations that allow for this. Here are some examples of alarms that trigger auto scaling for the VM-Series firewall:
    • If you have deployed 2 instances of the VM-Series firewall as GlobalProtect gateways that secure remote users, use the GlobalProtect Gateway Active Tunnels metric. For example, configure an alarm that fires when the number of active tunnels is greater than 300 for 15 minutes and deploys 2 new instances of the VM-Series firewall, bootstrapped and configured to serve as GlobalProtect gateways.
    • If you are using the firewall to secure your workloads in AWS, use the Session Utilization metric to scale the firewall in or out based on resource usage. For example, configure an alarm that fires when session utilization is greater than 60% for 15 minutes and deploys one instance of the VM-Series firewall; conversely, if session utilization is less than 50% for 30 minutes, terminate an instance of the VM-Series firewall.
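The policy in step 1 grants cloudwatch:PutMetricData on every namespace in the account. The following added example (not Palo Alto Networks' or AWS's code) checks a policy document for that permission and flags it when it is broader than the firewall needs; the scoped variant it builds relies on the cloudwatch:namespace condition key for PutMetricData, and the namespace name VMSeriesFW is an assumed value, not one from the page. Because the firewall also writes to the auto-created <namespace>_dimensions namespace, the condition must list both names.

```python
"""Check an IAM policy for the cloudwatch:PutMetricData grant that the
VM-Series firewall needs (step 1) and report where it is broader than
necessary. Added example; not Palo Alto Networks' or AWS's code."""
import fnmatch
import json

# The policy exactly as the page shows it for step 1.
PAGE_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
  "Action": [ "cloudwatch:PutMetricData" ], "Resource": [ "*" ] } ] }
""")


def scoped_policy(namespace: str) -> dict:
    """Tightened variant (this example's assumption, not from the page).
    PutMetricData has no resource-level permissions, so Resource stays "*";
    the cloudwatch:namespace condition key limits which namespaces the role
    may write to. The firewall publishes to the configured namespace and to
    <namespace>_dimensions, so both must be allowed."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["cloudwatch:PutMetricData"],
            "Resource": "*",
            "Condition": {"StringEquals": {
                "cloudwatch:namespace": [namespace, f"{namespace}_dimensions"]}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and supports '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def check_putmetric_policy(policy: dict, namespace: str) -> list:
    """Return findings as strings; an empty list means the policy grants
    PutMetricData and is scoped to the firewall's two namespaces."""
    findings = []
    grants = [
        s for s in policy.get("Statement", [])
        if s.get("Effect") == "Allow"
        and any(_matches(a, "cloudwatch:PutMetricData")
                for a in _as_list(s.get("Action", [])))
    ]
    if not grants:
        findings.append("missing: no Allow statement covers cloudwatch:PutMetricData")
        return findings
    for s in grants:
        for a in _as_list(s["Action"]):
            if a != "cloudwatch:PutMetricData":
                findings.append(f"broad: action pattern {a!r} grants more than PutMetricData")
        cond = s.get("Condition", {}).get("StringEquals", {}).get("cloudwatch:namespace")
        if cond is None:
            findings.append("unscoped: no cloudwatch:namespace condition; "
                            "the role may write to any namespace")
            continue
        needed = {namespace, f"{namespace}_dimensions"}
        missing = needed - set(_as_list(cond))
        if missing:
            findings.append(f"incomplete: condition lacks {sorted(missing)}")
    return findings


if __name__ == "__main__":
    ns = "VMSeriesFW"  # assumed namespace, the value entered in step 2
    print("page policy:  ", check_putmetric_policy(PAGE_POLICY, ns))
    print("scoped policy:", check_putmetric_policy(scoped_policy(ns), ns))
```

Run the page's own policy through the check and it reports only that it is unscoped; the scoped variant reports nothing. An action pattern such as cloudwatch:* is reported as broad, because it also lets the role create or delete alarms and dashboards.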
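The alarms in step 4 are expressed in minutes, but a CloudWatch alarm is defined by a period and a number of evaluation periods, and the firewall only delivers one datapoint per Update Interval (step 2). The following added example (not Palo Alto Networks' or AWS's code) turns the three rules from step 4 into the keyword arguments boto3's put_metric_alarm() expects, using the 5-minute default interval, and then evaluates each alarm over constructed sample datapoints the way CloudWatch does. The namespace, the metric names and the scaling-policy ARNs are placeholders; the real PAN-OS metric names come from the Custom PAN-OS Metrics page, and no AWS call is made.

```python
"""Derive CloudWatch alarm parameters for the step 4 rules and evaluate
them over sample metric data. Added example; not Palo Alto Networks' or
AWS's code. Names marked as placeholders are this example's assumptions."""

NAMESPACE = "VMSeriesFW"       # placeholder for the namespace entered in step 2
UPDATE_INTERVAL_MIN = 5        # step 2 default: one datapoint every 5 minutes

_OPS = {
    "GreaterThanThreshold": lambda v, t: v > t,
    "GreaterThanOrEqualToThreshold": lambda v, t: v >= t,
    "LessThanThreshold": lambda v, t: v < t,
    "LessThanOrEqualToThreshold": lambda v, t: v <= t,
}


def alarm_params(name, metric, operator, threshold, duration_min, action_arn,
                 interval_min=UPDATE_INTERVAL_MIN):
    """Build keyword arguments for cloudwatch.put_metric_alarm().
    Period equals the firewall's Update Interval so that every period holds
    exactly one datapoint; EvaluationPeriods is the rule's duration counted
    in those periods, and every one of them must breach to raise the alarm."""
    if operator not in _OPS:
        raise ValueError(f"unknown comparison operator {operator!r}")
    if duration_min % interval_min:
        raise ValueError("duration must be a multiple of the Update Interval")
    periods = duration_min // interval_min
    return {
        "AlarmName": name,
        "Namespace": NAMESPACE,
        "MetricName": metric,
        "Statistic": "Average",
        "Period": interval_min * 60,      # seconds
        "EvaluationPeriods": periods,
        "DatapointsToAlarm": periods,
        "ComparisonOperator": operator,
        "Threshold": threshold,
        "AlarmActions": [action_arn],     # the ASG scaling policy holds the +2/+1/-1
    }


# The three rules from step 4. Metric names and ARNs are placeholders.
RULES = [
    alarm_params("gp-active-tunnels-high", "GlobalProtectGatewayActiveTunnels",
                 "GreaterThanThreshold", 300, 15,
                 "arn:aws:autoscaling:REGION:ACCOUNT:scalingPolicy:PLACEHOLDER-add-2"),
    alarm_params("session-util-high", "SessionUtilization",
                 "GreaterThanThreshold", 60, 15,
                 "arn:aws:autoscaling:REGION:ACCOUNT:scalingPolicy:PLACEHOLDER-add-1"),
    alarm_params("session-util-low", "SessionUtilization",
                 "LessThanThreshold", 50, 30,
                 "arn:aws:autoscaling:REGION:ACCOUNT:scalingPolicy:PLACEHOLDER-remove-1"),
]


def evaluate(params, datapoints):
    """Mimic CloudWatch's evaluation of an alarm with DatapointsToAlarm equal
    to EvaluationPeriods: look at the most recent EvaluationPeriods values,
    one per period, and alarm only if all of them breach the threshold."""
    n = params["EvaluationPeriods"]
    if len(datapoints) < n:
        return "INSUFFICIENT_DATA"
    breach = _OPS[params["ComparisonOperator"]]
    window = datapoints[-n:]
    breaching = sum(1 for v in window if breach(v, params["Threshold"]))
    return "ALARM" if breaching >= params["DatapointsToAlarm"] else "OK"


if __name__ == "__main__":
    # Constructed sample series, one value per 5-minute Update Interval.
    tunnels = [120, 210, 305, 340, 360]            # three periods above 300
    util_rising = [45, 55, 62, 65, 61]             # three periods above 60%
    util_idle = [44, 43, 41, 48, 47, 45]           # six periods below 50%
    util_not_idle = [44, 43, 41, 48, 52, 45]       # one period breaks the run
    for rule, series in ((RULES[0], tunnels), (RULES[1], util_rising),
                         (RULES[2], util_idle), (RULES[2], util_not_idle)):
        print(rule["AlarmName"], rule["EvaluationPeriods"], "periods ->",
              evaluate(rule, series))
```

With the 5-minute interval, "15 minutes" becomes 3 evaluation periods and "30 minutes" becomes 6; a single non-breaching datapoint inside the window keeps the alarm in OK, which is the behaviour that stops a momentary dip from terminating a firewall. If you shorten the Update Interval in step 2, rebuild the alarms with the new interval rather than keeping the old EvaluationPeriods, or the window silently shrinks.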