As you deploy or terminate AWS assets (such as EC2 instances) in the AWS public cloud, you can automatically update security policy on your Palo Alto Networks® Cloud NGFW resources so that you can secure traffic to these AWS assets.

To enable this capability from Panorama, you must configure the Panorama AWS plugin to fetch the IP/tag mappings that your Cloud NGFW tenant harvests from the AWS accounts you added. You then use the plugin to push these tags to the Cloud NGFW resources by configuring a Monitoring Definition and a Notify Group that map them to the Device Groups managing these Palo Alto Networks firewalls.

You can then create Panorama Dynamic Address Group objects in those Device Groups using AWS resource tags. When you reference these tags in Dynamic Address Groups and match against them in Security policy rules, you can consistently enforce policy across all assets deployed within your AWS accounts.
Key Concepts

Term                    Definition
Cloud Asset Tags        AWS tags configured on AWS resources.
VPC Group               A set of AWS VPCs from one or more AWS accounts.
Monitoring Definition   Associates a VPC Group with a Notify Group.
Notify Group            A set of Panorama Device Groups that require the same set of tags.
To enable tag-based policies for Cloud NGFW for AWS resources, you must prepare your Panorama appliance for this integration by installing AWS plugin version 5.1.0 or later. Using the Cloud NGFW console, add your AWS accounts and harvest tags from the AWS resources. Then use the Panorama plugin to query tags periodically from your Cloud NGFW tenant and add them to the Panorama Device Groups that manage the DAG objects and rules.
To enable Cloud NGFW tag-based policies in your Panorama appliance:

In the Cloud NGFW console, enable the discovery of AWS resource tags for the desired region. Cloud NGFW periodically collects the tags of your AWS resources (for example: EC2, SG, and LB) in different AWS accounts and registers the information to your Cloud NGFW tenant. Cloud NGFW displays the resource tags on resources organized by the VPCs in each AWS account.

To trigger tag discovery, you must enable monitoring for each AWS region on the Inventory page. The Enable Region button under the Discovered VPCs tab appears only when you onboard your AWS account for the first time. Select a Region from the dropdown and click Enable Region to enable tag monitoring. Alternatively, select a Region from the dropdown and click the Enable toggle to enable tag monitoring.
View the Harvested Tags in the Cloud NGFW console

You can see the total number of discovered tags on the Inventory page under the Discovered Tags tab. Click the Tag Name to list the IPs associated with each tag. Click Check Associated Tags to list the different tags associated with the IP address.

In the NGFW console, the tag character limit is 127 for any AWS resource type (key/value combined). The tags having key/value
Use the Panorama Plugin to Query Tags and Add them to the Panorama Device Groups

You use the Panorama AWS plugin to perform the following:

- Create and manage VPC Groups.
- Add tags to Device Groups using Monitoring Definitions and Notify Groups.

AWS Plugin 5.1.0 must be installed and configured on Panorama to query AWS asset tags collected in the Cloud NGFW tenants and add them to the cloud Device Groups.
Create and Manage VPC Groups

When you enable monitoring, a Default VPC Group is created automatically. You cannot delete the Default VPC group. A newly discovered VPC is always put into the Default VPC group; if you want, you can then move it into a different VPC group.

To create a new non-Default VPC group on Panorama and move VPCs into it, follow the steps below:

1. In the Panorama console, go to the Panorama tab, and then click AWS.
2. Select the Tenant and Region.
3. Go to AWS > Cloud NGFW > Monitoring Definition > Discovered VPC.

   A VPC Group cannot be mapped to more than 8 Device Groups. For better performance, configure Monitoring Definitions with VPC Groups such that a given VPC Group has at most 8 Device Groups mapped (via Notify Groups).

4. Click Set VPC Group.
5. Select the VPC Group.
6. Click Save.
Add tags to Device Groups using Monitoring Definitions and Notify Groups

To push tags learned from the Cloud NGFW tenant to the Cloud NGFW resources, configure Notify Groups and Monitoring Definitions that map them to the Device Groups managing these Palo Alto Networks firewalls. You can then view the AWS account tags harvested from the Cloud NGFW tenant in Panorama.
Create a Notify Group for your cloud device group following the steps below:

1. In the Panorama plugin console, go to AWS > Notify Group.
2. Click Add.
3. Enter a Name.
4. Select the Notify Group and Tags.
5. Click OK.
Create a cloud Monitoring Definition associating the required VPC Group and Notify Group for tags learned from Cloud NGFW:

1. In the Panorama console, go to AWS > Cloud NGFW > Monitoring Definition.
2. Click Add.
3. Enter a Name and Description.
4. Select the required VPC Group from the VPC Group dropdown menu.
5. Select the required Notify Group from the Notify Group dropdown menu.
6. Click OK.
7. Commit and Push your changes on Panorama.
8. Select a Monitoring Definition and click Dashboard to view the tags harvested from the Cloud NGFW tenant.
Configure Dynamic Address Group (DAG) objects with Tags in Device Groups

You can create Dynamic Address Groups with harvested Cloud NGFW tags for your cloud device group. For more information, see Create Dynamic Address Groups.

Following are the steps to add match criteria for your dynamic address groups:

1. In the Panorama console, go to the Objects tab.
2. On the left pane, go to Address Groups.
3. Click Add.
4. Enter the Name of your Address Group and select Type Dynamic.
5. Click Add Match Criteria.

You can now create policy rules referencing the DAGs created above for cloud device groups.
The following is an example of how DAGs are created using the AND operator: the Address Group displays the list of addresses that match both match criteria.

The following is an example of how DAGs are created using the OR operator: the Address Group displays the list of addresses that match any one of the given match criteria.
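The AND/OR match-criteria behaviour described above, as an added example that is not part of the original documentation and not Palo Alto Networks code: a small evaluator that applies a DAG match-criteria string to a table of harvested IP-to-tag mappings and returns the resulting group membership, plus a check against the 127-character key/value limit stated earlier on the page. The harvested table is constructed sample data; the `key.value` form of a tag name and the grammar (single-quoted tag names combined with and/or/not and parentheses) are assumptions of this example modelled on the AND/OR examples, not a statement of the plugin's exact tag format.

```python
"""Added example (not Palo Alto Networks code): evaluate Dynamic Address Group
match criteria against a constructed table of harvested IP -> tag mappings."""
import re
from typing import Dict, List

# The page states a 127-character limit (key/value combined) in the NGFW console.
TAG_CHAR_LIMIT = 127

# Constructed sample of harvested tags (not real data): IP -> {tag key: tag value}.
HARVESTED: Dict[str, Dict[str, str]] = {
    "10.0.1.10": {"env": "prod", "role": "web"},
    "10.0.1.11": {"env": "prod", "role": "db"},
    "10.0.2.20": {"env": "dev", "role": "web"},
    "10.0.2.21": {"env": "dev"},
}

# Tokens: a single-quoted tag name, parentheses, or the and/or/not keywords.
_TOKEN = re.compile(r"\s*(?:'([^']*)'|(\()|(\))|\b(and|or|not)\b)", re.IGNORECASE)


def tokenize(criteria: str) -> List[str]:
    """Split a match-criteria string into quoted tag names and lowercase operators."""
    tokens, pos = [], 0
    while pos < len(criteria):
        m = _TOKEN.match(criteria, pos)
        if not m:
            if criteria[pos:].strip() == "":
                break  # only trailing whitespace left
            raise ValueError(f"unexpected input at {pos}: {criteria[pos:]!r}")
        pos = m.end()
        if m.group(1) is not None:
            tokens.append(f"'{m.group(1)}'")  # keep quotes so tags never collide with keywords
        else:
            tokens.append((m.group(2) or m.group(3) or m.group(4)).lower())
    return tokens


class _Matcher:
    """Recursive-descent evaluator for one IP's tag set:
    expr := term ('or' term)*, term := factor ('and' factor)*,
    factor := 'not' factor | '(' expr ')' | quoted tag."""

    def __init__(self, tokens: List[str], tags: Dict[str, str]):
        self.toks, self.pos, self.tags = tokens, 0, tags

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.pos += 1
        return tok

    def expr(self) -> bool:
        val = self.term()
        while self.peek() == "or":
            self.take()
            rhs = self.term()  # always parse the right side, even if val is already True
            val = val or rhs
        return val

    def term(self) -> bool:
        val = self.factor()
        while self.peek() == "and":
            self.take()
            rhs = self.factor()
            val = val and rhs
        return val

    def factor(self) -> bool:
        tok = self.take()
        if tok == "not":
            return not self.factor()
        if tok == "(":
            val = self.expr()
            self.take(")")
            return val
        if tok.startswith("'"):
            return self.has_tag(tok.strip("'"))
        raise ValueError(f"unexpected token {tok!r}")

    def has_tag(self, name: str) -> bool:
        # Assumption: a tag is referenced as 'key.value'; split on the first dot.
        key, _, value = name.partition(".")
        return self.tags.get(key) == value


def match_dag(criteria: str, harvested: Dict[str, Dict[str, str]] = HARVESTED) -> List[str]:
    """Return the sorted IPs whose harvested tags satisfy the DAG match criteria."""
    tokens = tokenize(criteria)
    members = []
    for ip, tags in harvested.items():
        m = _Matcher(tokens, tags)
        result = m.expr()
        if m.peek() is not None:
            raise ValueError(f"trailing tokens in criteria: {m.toks[m.pos:]}")
        if result:
            members.append(ip)
    return sorted(members)


def oversized_tags(tags: Dict[str, str], limit: int = TAG_CHAR_LIMIT) -> List[str]:
    """Report tag keys whose key+value length exceeds the console limit.
    The page states the limit but not how oversized tags are treated, so this
    only reports them rather than assuming they are dropped."""
    return sorted(k for k, v in tags.items() if len(k) + len(v) > limit)


if __name__ == "__main__":
    print("AND:  ", match_dag("'env.prod' and 'role.web'"))
    print("OR:   ", match_dag("'env.prod' or 'role.web'"))
    print("mixed:", match_dag("('env.dev' or 'env.prod') and not 'role.web'"))
    print("oversized:", oversized_tags({"Name": "x" * 130, "env": "prod"}))
```

The AND case yields only the host carrying both tags, the OR case every host carrying either, which is the membership difference the two examples above describe; the parenthesised form shows how a single DAG can combine both operators. Running `oversized_tags` over a harvested tag set before building match criteria flags keys that would breach the 127-character limit.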
Following are the steps to create Dynamic Address policies referencing DAGs
for cloud device groups: