What’s New in Panorama Plugin for AWS 2.0.0

The AWS plugin for Panorama version 2.0.0 supports the new capabilities described below.
Consult the Compatibility Matrix for Panorama plugins for public clouds to determine the minimum software versions required to support these features.

General Enhancements

General enhancements in the AWS plugin for Panorama version 2.0.0 are as follows:
  • Ability to use an AWS Assume Role for retrieving instance and VPC metadata.
    Using an Assume Role allows you to set up a trust relationship across AWS accounts that grants limited access privileges: the role can be assumed only if the request includes the correct sts:ExternalId.
  • If your Panorama is deployed on AWS, you can also opt to use an instance profile instead of providing the AWS credentials for the IAM role. The instance profile includes the role information and associated credentials that Panorama needs to digitally sign API calls to the AWS services.
  • User-defined tags that include empty spaces can be retrieved, provided they do not include special characters. See PAN-119033 in Known Issues in Panorama Plugin for AWS 2.0.x.
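The cross-account trust that the Assume Role relies on is expressed in the role's trust policy, and the external ID is only enforced if that policy carries an sts:ExternalId condition. The following is an added example, not part of the plugin documentation: two constructed trust policies (placeholder account ID and external ID) and a small check that flags any statement granting sts:AssumeRole to an AWS principal without that condition.

```python
import json

# Constructed sample trust policies with placeholder account ID and external ID.
# The first lets the Panorama account assume the role only when the request
# carries the agreed external ID; the second omits the condition, so any caller
# who can be tricked into assuming the role (confused deputy) would succeed.
TRUST_WITH_EXTERNAL_ID = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "panorama-example-id"}},
    }],
})

TRUST_WITHOUT_EXTERNAL_ID = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
    }],
})


def _as_list(value):
    # IAM allows a single string or a list in Statement, Action, and similar fields.
    return value if isinstance(value, list) else [value]


def unguarded_assume_role_statements(trust_policy_json):
    """Return Allow statements that grant sts:AssumeRole to an AWS principal
    without an sts:ExternalId condition (condition keys matched case-insensitively)."""
    policy = json.loads(trust_policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if "sts:assumerole" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if not (principal == "*" or (isinstance(principal, dict) and "AWS" in principal)):
            continue  # service principals are not cross-account trust
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if "sts:externalid" not in keys:
            findings.append(stmt)
    return findings


if __name__ == "__main__":
    for name, doc in (("with", TRUST_WITH_EXTERNAL_ID), ("without", TRUST_WITHOUT_EXTERNAL_ID)):
        print(name, "external ID:", len(unguarded_assume_role_statements(doc)), "unguarded statement(s)")
```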

Monitor Virtual Machines

VM Monitoring has been enhanced as follows:
  • VM Monitoring is supported on AWS public cloud, AWS GovCloud, and AWS China.
  • Monitor up to 1000 VPCs in one or more AWS accounts.
  • Granularly select the AWS tags that you want Panorama to retrieve and push to the firewalls associated with the Device Groups within a Notify group.
    You can now choose to send all 32 tags, or only the predefined and user-defined tags that you select for use with dynamic address groups in Security policy.
  • Dynamic address groups can include virtual machines across both private and public cloud environments, enabling you to consistently enforce Security policy for all virtual machines that match your criteria.
    If, for example, you want to retrieve IP address and tag mapping information for all virtual machine instances across AWS VPCs, Azure VNets, and your vCenter environment, you can use the Panorama plugins for AWS and Azure and enable VM Information Sources on the firewall to monitor your vCenter environment. As long as you apply the same tags to all your virtual machines, Panorama can retrieve the IP addresses that map to the tags you have defined as the match criteria in your dynamic address group, and enforce Security policy consistently across all cloud environments.

Secure Kubernetes Services in an AWS Elastic Kubernetes Cluster

AWS plugin for Panorama version 2.0.0 Elastic Kubernetes Service (EKS) capabilities enable you to secure North-South traffic to EKS clusters and monitor outbound traffic from EKS clusters:
  • The plugin enables you to secure North-South traffic in AWS EKS environments in which you have deployed VM-Series firewalls.
    After you configure the plugin on Panorama to communicate with an EKS cluster, the plugin uses the Kubernetes APIs to retrieve information from each service that has an exposed IP address or fully-qualified domain name (FQDN). With this information the plugin creates NAT rules in Panorama to enforce Security policy and ensure inbound service traffic passes through the VM-Series firewalls. To secure inbound traffic to the cluster, push your configuration to your managed VM-Series firewalls.
  • The plugin also enables you to monitor outbound traffic from EKS clusters.