Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC

In a dynamic environment such as the AWS-VPC where you launch new EC2 instances on demand, the administrative overhead in managing security policy can be cumbersome. Using Dynamic Address Groups in security policy allows for agility and prevents disruption in services or gaps in protection.
In this example, you can use the VM Information Source on the firewall to monitor a VPC and use Dynamic Address Groups in security policy to discover and secure EC2 instances. As you spin up EC2 instances, the Dynamic Address Group collates the IP addresses of all instances that match the criteria defined for group membership, and then security policy is applied for the group. The security policy in this example allows internet access to all members of the group.
Instead of using VM Information Source on the firewall, you can opt to use Panorama as the central point for communicating with your VPCs. Using the AWS plugin on Panorama, you can retrieve the IP address-to-tag mapping and register the information on the managed firewalls for which you configure notification. For more details on this option, see VM Monitoring with the AWS Plugin on Panorama.
This workflow in the following section assumes that you have created the AWS VPC and deployed the VM-Series firewall and some applications on EC2 instances. For instructions on setting up the VPC for the VM-Series, see Use Case: Secure the EC2 Instances in the AWS Cloud.
  1. Configure the firewall to monitor the VPC.
    1. Select Device > VM Information Sources.
    2. Click Add and enter the following information:
      1. A Name to identify the VPC that you want to monitor. For example, VPC-CloudDC.
      2. Set the Type to AWS VPC.
      3. In Source, enter the URI for the VPC. The syntax is ec2.<your_region>.amazonaws.com.
      4. Add the credentials required for the firewall to digitally sign API calls made to the AWS services. You need the following:
        • Access Key ID: Enter the alphanumeric text string that uniquely identifies the user who owns or is authorized to access the AWS account.
        • Secret Access Key: Enter the password and confirm your entry.
      5. (Optional) Modify the Update interval to a value between 5-600 seconds. By default, the firewall polls every 5 seconds. The API calls are queued and retrieved within every 60 seconds, so updates may take up to 60 seconds plus the configured polling interval.
      6. Enter the VPC ID that is displayed on the VPC Dashboard in the AWS management console.
      7. Click OK, and Commit the changes.
      8. Verify that the connection Status displays as connected.
  2. Tag the EC2 instances in the VPC.
    For a list of tags that the VM-Series firewall can monitor, see List of Attributes Monitored on the AWS VPC.
    A tag is a name-value pair. You can tag the EC2 instances either on the EC2 Dashboard on the AWS management console or using the AWS API or AWS CLI.
    In this example, we use the EC2 Dashboard to add the tag.
  3. Create a dynamic address group on the firewall.
    View the tutorial to see a big picture view of the feature.
    1. Select Object > Address Groups.
    2. Click Add and enter a Name and a Description for the address group.
    3. Select Type as Dynamic.
    4. Define the match criteria.
      1. Click Add Match Criteria, and select the And operator.
      2. Select the attributes to filter for or match against. In this example, we select the ExternalAccessAllowed tag that you just created and the subnet ID for the private subnet of the VPC.
    5. Click OK.
    6. Click Commit.
  4. Use the dynamic address group in a security policy.
    Create a rule that allows internet access to any web server that belongs to the dynamic address group called ExternalServerAccess.
    1. Select Policies > Security.
    2. Click Add and enter a Name for the rule and verify that the Rule Type is universal.
    3. In the Source tab, add trust as the Source Zone.
    4. In the Source Address section of the Source tab, Add the ExternalServerAccess group you just created.
    5. In the Destination tab, add untrust as the Destination Zone.
    6. In the Service/URL Category tab, verify that the service is set to application-default.
    7. In the Actions tab, set the Action to Allow.
    8. In the Profile Settings section of the Actions tab, select Profiles and then attach the default profiles for antivirus, anti-spyware, and vulnerability protection.
    9. Click OK.
    10. Click Commit.
  5. Verify that members of the dynamic address group are populated on the firewall.
    The policy is enforced for every IP address that belongs to this address group; those addresses are displayed here.
    1. Select Policies > Security, and select the rule.
    2. Select the drop-down arrow next to the address group link, and select Inspect. You can also verify that the match criteria are accurate.
    3. Click the more link and verify that the list of registered IP addresses is displayed.
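The following added example (not part of the original page or of PAN-OS) illustrates what steps 2 and 3 amount to: the monitored instance attributes (tags, subnet ID) are combined with the And operator, and only instances that satisfy every criterion contribute their private IP addresses to the dynamic address group. The instance records, the tag value "yes", the subnet IDs and the "aws.tag.<key>.<value>" / "aws.subnet-id.<id>" attribute naming are constructed for illustration and are assumptions, not the firewall's own data or internal format.

```python
import json

# Constructed sample shaped like a trimmed DescribeInstances response (not real AWS data).
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa111", "SubnetId": "subnet-private1",
         "PrivateIpAddress": "10.0.1.10", "State": {"Name": "running"},
         "Tags": [{"Key": "ExternalAccessAllowed", "Value": "yes"}]},
        # Same subnet but lacks the tag: must not be registered.
        {"InstanceId": "i-0bbb222", "SubnetId": "subnet-private1",
         "PrivateIpAddress": "10.0.1.11", "State": {"Name": "running"},
         "Tags": [{"Key": "Name", "Value": "db01"}]},
        # Has the tag but sits in the public subnet: the And operator excludes it.
        {"InstanceId": "i-0ccc333", "SubnetId": "subnet-public1",
         "PrivateIpAddress": "10.0.0.5", "State": {"Name": "running"},
         "Tags": [{"Key": "ExternalAccessAllowed", "Value": "yes"}]},
        # Matches, but has no private IP assigned yet (still pending): nothing to register.
        {"InstanceId": "i-0ddd444", "SubnetId": "subnet-private1",
         "State": {"Name": "pending"},
         "Tags": [{"Key": "ExternalAccessAllowed", "Value": "yes"}]},
    ]}]
})

# Assumed illustrative attribute naming; the real monitored-attribute strings may differ.
MATCH_CRITERIA = {"aws.tag.ExternalAccessAllowed.yes", "aws.subnet-id.subnet-private1"}


def instance_attributes(inst: dict) -> set:
    """Flatten one instance into 'attribute' strings that match criteria can be tested against."""
    attrs = {"aws.subnet-id.%s" % inst.get("SubnetId")}
    for tag in inst.get("Tags", []):
        attrs.add("aws.tag.%s.%s" % (tag["Key"], tag["Value"]))
    return attrs


def dynamic_group_members(describe_json: str, required: set) -> dict:
    """Return {instance_id: private_ip} for instances satisfying ALL required
    attributes (the And operator). Instances with no private IP are skipped."""
    members = {}
    for reservation in json.loads(describe_json)["Reservations"]:
        for inst in reservation["Instances"]:
            if not required <= instance_attributes(inst):
                continue
            ip = inst.get("PrivateIpAddress")
            if ip:
                members[inst["InstanceId"]] = ip
    return members


if __name__ == "__main__":
    for iid, ip in dynamic_group_members(SAMPLE_DESCRIBE_INSTANCES, MATCH_CRITERIA).items():
        print(iid, ip)
```

Dropping the subnet criterion from MATCH_CRITERIA shows why the And operator matters: the tagged instance in the public subnet would then be registered as well.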