>
    Strata Copilot
    Enable CloudWatch Monitoring on the VM-Series Firewall
    Focus
    Download PDF
    Focus
    1. Home
    2. VM-Series
    3. VM-Series Firewall on AWS
    4. Deploy the VM-Series Firewall on AWS
    5. Enable CloudWatch Monitoring on the VM-Series Firewall
    Download PDF
    VM-Series

    Enable CloudWatch Monitoring on the VM-Series Firewall

    Table of Contents

    Enable CloudWatch Monitoring on the VM-Series Firewall

    Enable CloudWatch monitoring on VM-Series firewall to post the VM-Series firewalls metrics on the AWS CloudWatch service for monitoring.
    Where Can I Use This?What Do I Need?
    • AWS
    • AWS account
    • Amazon Machine Image (AMI) ID
    • VM-Series License (PAYG or BYOL)
    • VM-Series plugin
    • Panorama
    • Panorama plugin for AWS
    The VM-Series firewall on AWS can publish native PAN-OS metrics to AWS CloudWatch, which you can use to monitor the firewalls. These metrics allow you to assess performance and usage patterns that you can use to take action for launching or terminating instances of the VM-Series firewalls.
    The firewalls use AWS APIs to publish the metric to a namespace, which is the location on AWS where the metrics are collected at a specified time interval. When you configure the firewalls to publish metrics to AWS CloudWatch, there are two namespaces where you can view metrics— the primary namespace collects and aggregates the selected metric for all instances configured to use the namespace, and the secondary namespace that is automatically created with the suffix _dimensions allows you to filter the metrics using the hostname and AWS instance ID metadata (or dimensions) and get visibility into the usage and performance of individual VM-Series firewalls.
    You can monitor the metric in CloudWatch or create auto scaling policies to trigger alarms and take an action to manually deploy a new instance of the firewall when the monitored metric reaches a threshold value. Refer to the AWS CloudWatch and Auto Scaling Groups (ASG) documentation on best practices for setting the alarm conditions for a scale-out or scale in action.
    For a description on the PAN-OS metrics that you can publish to CloudWatch, see Custom PAN-OS Metrics Published for Monitoring.
    1. Assign the appropriate permissions for the AWS Identity and Access Management (IAM) user role that you use to deploy the VM-Series firewall on AWS.
      Whether you launch a new instance of the VM-Series firewall or upgrade an existing VM-Series firewall on AWS, the IAM role associated with your instance, must have permissions to publish metrics to CloudWatch.
      1. On the AWS console, select IAM.
      2. Edit the IAM role to grant the following permissions:
        You can copy and the paste the permissions here: 
        
									
{
    "Version": "2012-10-17",
    "Statement": [
        {
           "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
    2. Enable CloudWatch on the VM-Series firewall on AWS.
      1. Log in to the web interface on the VM-Series firewall
      2. Select DeviceVM-Series.
      3. In AWS CloudWatch Setup, click Edit (
        ) and select Enable CloudWatch Monitoring.
        1. Enter the CloudWatch Namespace to which the firewall can publish metrics. The namespace can't begin with AWS.
          The aggregated metrics for all VM-Series firewall in an HA pair or auto scaling deployment are published to the namespace you entered above. The namespace with the _dimensions suffix that is automatically created enables you to filter and view metrics for a specific VM-Series firewall using the hostname or AWS instance ID metadata attached to the firewall.
        2. Set the Update Interval to a value between 1-60 minutes. This is the frequency at which the firewall publishes the metrics to CloudWatch. The default is 5 minutes.
      4. Commit the changes.
        Until the firewall starts to publish metrics to CloudWatch, you can't configure alarms for PAN-OS metrics.
    3. Verify that you can see the metrics on CloudWatch.
      1. On the AWS console, select CloudWatchMetrics, to view CloudWatch metrics by category.
      2. From the Custom Metrics drop-down, select the namespace.
      3. Verify that you can see PAN-OS metrics in the viewing list.
        To filter by hostname or AWS Instance ID of a specific firewall, select _dimensions.
    4. Configure alarms and action for PAN-OS metrics on CloudWatch.
      Refer to the AWS documentation: http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html
      A VM-Series firewall with bootstrap configuration will take about 7-9 minutes to be available for service. So, here are some examples on how to set alarms that trigger auto scaling for the VM-Series firewall:
      • If you have deployed 2 instances of the VM-Series firewalls as Global Protect Gateways that secure remote users, use the GlobalProtect Gateway Active Tunnels metric. You can configure an alarm for when the number of active tunnels is greater than 300 for 15 minutes, you can deploy 2 new instances of the VM-Series firewall, which are bootstrapped and configured to serve as Global Protect Gateways.
      • If you are using the firewall to secure your workloads in AWS, use the Session Utilization metric to scale in or scale out the firewall based on resource usage. You can configure an alarm for when the session utilization metric is greater than 60% for 15 minutes, to deploy one instance of the VM-Series instance firewall. And conversely, if Session Utilization is less than 50% for 30 minutes, terminate an instance of the VM-Series firewall.

    © 2026 Palo Alto Networks, Inc. All rights reserved.