What’s New in Panorama Plugin for AWS 3.0.0

The AWS plugin for Panorama version 3.0.0 supports these new capabilities:
Consult the Compatibility Matrix for Panorama plugins for public clouds to determine the minimum software versions required to support these features.

System Requirements

  • VM-Series Plugin version 2.0.6 or later
  • PAN-OS version 10.0.5 or later

General Enhancements

The Panorama Plugin for AWS version 3.0 introduces orchestration for AWS autoscaling deployments. From Panorama, you can create a security stack to redirect inbound, outbound, or east-west traffic to secure your application stacks. The Panorama plugin user interface aggregates the majority of networking and authentication information for the security stack, eliminating the need to work with templates directly.
The plugin introduces CloudFormation template (CFT) hyperlinks to configure the security account and application account prerequisites.
  • Use the hyperlink under Security Account to open the CFT in the AWS console to create a group and associate a policy created by the plugin.
  • Use the hyperlink under Application Account to open the CFT in the AWS console to create a role and attach a policy with the required permissions. Make sure that you have chosen all required permissions to create a cross-account role. Optionally, to handle a transit gateway (TGW) that is not in the security account, the CloudFormation link deploys a Resource Access Manager (RAM) resource share for the specified transit gateway and shares it with the security account provided in the template.

Monitoring Definition Enhancements

Monitoring Definition has been enhanced as follows:
  • Along with monitoring virtual machines (VMs), you can now monitor Application Load Balancers, Network Load Balancers, VPC endpoints, and Elastic Network Interfaces (ENIs) associated with endpoints in the AWS cloud. For more information, see Set Up the AWS Plugin for VM Monitoring on Panorama and Panorama Orchestrated Deployments in AWS.
    You will observe a change in behavior when you reference certain tags in a Dynamic Address Group.
    For example: if you choose to match on a VPC tag in AWS plugin version 2.0.2 or below, the Dynamic Address Group displays only the IP addresses of the instances present in the VPC. Because the AWS plugin in 3.0.3 is enhanced to monitor the entire VPC, a Dynamic Address Group that previously matched the VPC tag now displays the entire CIDR block associated with the VPC.
    Similarly, if you choose to match on a subnet tag in AWS plugin 2.0.2, the address is now the subnet itself instead of the individual IP address of the instance located in that subnet.
  • Tags are differentiated as active or passive based on whether or not they are used in security policies. The plugin sends only the IP addresses of the active tags from the Dynamic Address Groups to the firewall.
  • You can view the detailed monitoring status for each monitoring definition using the Dashboard link.
  • You can view the IP address-to-tag mapping and tag-to-IP address mapping using the new Monitoring Definition Detailed Status window. You can filter tags based on AWS region and VPC IDs, and view associated IP addresses. You can also see if a tag is used on any security policy.
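The following Python is an added illustration, not Palo Alto Networks code, of the behavior change described above: it models how a Dynamic Address Group that matches a VPC or subnet tag resolves under plugin 2.0.2 semantics (instance IPs only) versus 3.0.x semantics (the whole CIDR), and counts how many addresses a security policy built on that group newly covers after the upgrade. The inventory, IDs and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Vpc:
    vpc_id: str
    cidr: str
    tags: Dict[str, str]

@dataclass
class Subnet:
    subnet_id: str
    vpc_id: str
    cidr: str
    tags: Dict[str, str]

@dataclass
class Instance:
    vpc_id: str
    subnet_id: str
    private_ip: str

# Constructed sample inventory; IDs, tags and addresses are made up.
VPCS = [Vpc("vpc-0a1", "10.1.0.0/16", {"env": "prod"}),
        Vpc("vpc-0b2", "10.2.0.0/16", {"env": "dev"})]
SUBNETS = [Subnet("subnet-aaa", "vpc-0a1", "10.1.1.0/24", {"tier": "web"}),
           Subnet("subnet-bbb", "vpc-0a1", "10.1.2.0/24", {"tier": "db"})]
INSTANCES = [Instance("vpc-0a1", "subnet-aaa", "10.1.1.10"),
             Instance("vpc-0a1", "subnet-bbb", "10.1.2.20"),
             Instance("vpc-0b2", "subnet-ccc", "10.2.1.30")]

def resolve_tag(scope: str, key: str, value: str, plugin_3: bool) -> List[str]:
    """Members of a DAG that matches key=value on a VPC or subnet tag."""
    if scope not in ("vpc", "subnet"):
        raise ValueError(f"unsupported scope {scope!r}")
    resources = VPCS if scope == "vpc" else SUBNETS
    id_attr = "vpc_id" if scope == "vpc" else "subnet_id"
    matched = [r for r in resources if r.tags.get(key) == value]
    if plugin_3:  # 3.0.x: the whole VPC/subnet is monitored, so its CIDR is the member
        return sorted(r.cidr for r in matched)
    # 2.0.2 and earlier: only instances inside the matched VPC/subnet are members
    ids = {getattr(r, id_attr) for r in matched}
    return sorted(i.private_ip for i in INSTANCES if getattr(i, id_attr) in ids)

def policy_widening(scope: str, key: str, value: str) -> int:
    """Addresses a policy using this DAG covers after the upgrade but did not before."""
    old = {ipaddress.ip_address(ip) for ip in resolve_tag(scope, key, value, False)}
    new = [ipaddress.ip_network(c) for c in resolve_tag(scope, key, value, True)]
    return sum(n.num_addresses for n in new) - sum(any(ip in n for n in new) for ip in old)
```

Run `policy_widening` against your own DAG match criteria before upgrading to see how far a rule's scope grows from a handful of instance IPs to a full CIDR.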

Deployment Orchestration

The AWS plugin for Panorama 3.0.0 simplifies the existing Gateway Load Balancer solution by bringing all configuration into a single user interface. You can create, view, and update deployments from the plugin user interface.
The plugin is validated for the following AWS regions.
  • US East (N. Virginia)
  • US East (Ohio)
  • US West (Oregon)
  • US West (N. California)
  • Canada (Central)
  • Europe (Frankfurt)
  • Europe (London)
  • Europe (Stockholm)
    m5.xlarge instances are not supported in the Europe (Stockholm) region.
The plugin deploys a security stack in AWS based on the configuration information you enter in the plugin under AWS > Deployments. There are two use cases:
  • The application to be secured is managed in the same AWS account as the security stack and the TGW.
  • The application to be secured is managed in a different AWS account than the security stack and TGW.
    • If you want to use a TGW as a part of your deployment configuration, deploy a TGW in the same AWS account as the security stack, then enter the TGW ID in Deployments > Transit Gateway from the plugin.
    • To enable end-to-end traffic flow from your application to the security stack, make sure you create an attachment from your application to the TGW.