What’s New in Panorama Plugin for AWS 3.0.0
The AWS plugin for Panorama version 3.0.0 supports the new capabilities described below.
Consult the Compatibility Matrix for Panorama plugins for public clouds to
determine the minimum software versions required to support these
features.
System Requirements
- VM-Series Plugin version 2.0.6 or later
- PAN-OS version 10.0.5 or later
General Enhancements
The Panorama Plugin for AWS version 3.0 introduces orchestration
for AWS autoscaling deployments. From Panorama, you can create a
security stack to redirect inbound, outbound, or east-west traffic
to secure your application stacks. The Panorama plugin user interface
aggregates the majority of networking and authentication information
for the security stack, eliminating the need to work with templates
directly.
The plugin introduces CloudFormation template (CFT) hyperlinks
for configuring the security account and application account prerequisites.
- Use the hyperlink under Security Account to open the CFT in the AWS cloud platform to create a group and associate a policy created by the plugin.
- Use the hyperlink under Application Account to open the CFT in the AWS cloud platform to create a role and attach a policy with the required permissions. Make sure that you have chosen all required permissions to create a cross-account role. Optionally, to handle a transit gateway (TGW) that is not in the security account, the CloudFormation link uses AWS Resource Access Manager (RAM) to share the specified transit gateway with the security account provided in the template.
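As an added illustration (not the plugin's own CFT, which the hyperlink above opens), the following CloudFormation template sketches the two application-account prerequisites just described: a role that only the security account can assume, and a RAM share that exposes the application account's TGW to the security account. The security account ID, the TGW ID and the read-only action list are placeholders and assumptions; the permissions the plugin actually requires are the ones granted by its own template.

```yaml
# Added example, not the Panorama plugin's own template. Every value marked
# "placeholder" is constructed; replace it with your own account and TGW IDs.
AWSTemplateFormatVersion: "2010-09-09"
Description: Cross-account role for the Panorama AWS plugin plus a RAM share for a TGW
Parameters:
  SecurityAccountId:
    Type: String
    Description: AWS account that hosts the security stack (placeholder)
    Default: "111111111111"
  TransitGatewayId:
    Type: String
    Description: TGW in this application account to share with the security account (placeholder)
    Default: tgw-0123456789EXAMPLE
Resources:
  PanoramaCrossAccountRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only principals in the security account may assume this role.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${SecurityAccountId}:root
            Action: sts:AssumeRole
      Policies:
        - PolicyName: PanoramaPluginReadOnlyExample
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Illustrative read-only actions (assumption); the plugin's CFT defines the real list.
              - Effect: Allow
                Action:
                  - ec2:DescribeInstances
                  - ec2:DescribeVpcs
                  - ec2:DescribeSubnets
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DescribeTransitGatewayAttachments
                Resource: "*"
  TgwShareWithSecurityAccount:
    Type: AWS::RAM::ResourceShare
    Properties:
      Name: share-tgw-with-security-account
      ResourceArns:
        # TGW ARNs have the form arn:aws:ec2:<region>:<account>:transit-gateway/<tgw-id>
        - !Sub arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:transit-gateway/${TransitGatewayId}
      Principals:
        - !Ref SecurityAccountId
      # false keeps the share inside your AWS Organization; set true only if the
      # security account is outside the organization (assumption about your setup).
      AllowExternalPrincipals: false
```

After the stack deploys, the security account still has to accept the RAM share before the TGW becomes visible there, and the role ARN is what you enter in the plugin for the application account.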
Monitoring Definition Enhancements
Monitoring Definition has been enhanced as follows:
- Along with monitoring virtual machines (VMs), you can now monitor Application Load Balancers,
Network Load Balancers, VPC endpoints, and Elastic Network Interfaces (ENIs)
associated with endpoints in the AWS cloud. You will observe a change in behavior when you reference certain tags in a Dynamic Address Group. For example, if you match on a VPC tag in AWS plugin version 2.0.2 or earlier, the Dynamic Address Group displays only the IP addresses of the instances present in that VPC. Because the AWS plugin in 3.0.3 is enhanced to monitor the entire VPC, a Dynamic Address Group that previously matched the VPC tag now displays the entire CIDR block associated with the VPC. Similarly, if you match on a subnet tag in AWS plugin 2.0.2, the address is now the subnet instead of the individual IP address of the instance located in that subnet.
- The plugin differentiates active and passive tags based on whether they are used in security policies, and sends only the IP addresses of the active tags from the Dynamic Address Groups to the firewall.
- You can view the detailed monitoring status for each monitoring definition using the Dashboard link.
- You can view the IP address-to-tag mapping and tag-to-IP address mapping using the new Monitoring Definition Detailed Status window. You can filter tags based on AWS region and VPC IDs, and view associated IP addresses. You can also see if a tag is used on any security policy.
Deployment Orchestration
The AWS plugin for Panorama 3.0.0 simplifies the existing
Gateway Load Balancer solution by bringing all configuration into
a single user interface. You can create, view, and update deployments
from the plugin user interface.
The plugin is validated for the following AWS regions.
- US East (N. Virginia)
- US East (Ohio)
- US West (Oregon)
- US West (N. California)
- Canada (Central)
- Europe (Frankfurt)
- Europe (London)
- Europe (Stockholm)
  m5.xlarge instances are not supported in the Europe (Stockholm) region.
The plugin deploys a security stack in AWS based on the configuration
information you enter in the plugin under AWS > Deployments. There are two
use cases:
- The application to be secured is managed in the same AWS account as the security stack and the TGW.
- The application to be secured is managed in a different AWS
account than the security stack and TGW.
If you want to use a TGW as a part of your deployment configuration, deploy a TGW in the same AWS account as the security stack, then enter the TGW ID under Deployments > Transit Gateway in the plugin.
To enable end-to-end traffic flow from your application to the security stack, make sure that you create an attachment from your application to the TGW.