End-of-Life (EoL)

CloudWatch Integration for VM-Series Firewalls on AWS

The VM-Series firewall on AWS can now publish native PAN-OS metrics to AWS CloudWatch at a specified time interval. You can use these metrics to make resource-driven decisions, such as launching or terminating instances of the VM-Series firewall based on usage.
  1. Assign the appropriate permissions for the AWS Identity and Access Management (IAM) user role that you use to deploy the VM-Series firewall on AWS.
    Whether you launch a new instance of the VM-Series firewall or upgrade an existing VM-Series firewall on AWS to PAN-OS 8.0, the IAM role associated with your instance must have permissions to publish metrics to CloudWatch.
    1. On the AWS console, select and click the Policy Name link associated with the IAM role you want to modify.
    2. Edit the Policy Document to include the following permissions to the IAM role.
  2. Enable CloudWatch on the VM-Series firewall on AWS.
    1. Log in to the web interface on the VM-Series firewall.
    2. Select AWS CloudWatch.
    3. Select Enable CloudWatch Monitoring.
    4. Enter the CloudWatch Namespace to which the firewall can publish metrics. The namespace cannot begin with
    5. Set the Update Interval to a value between 1-60 minutes. This is the frequency at which the firewall publishes the metrics to CloudWatch. The default is 5 minutes.
    6. Commit the changes.
    Until the firewall starts to publish metrics to CloudWatch, you cannot configure alarms for PAN-OS metrics.
  3. Verify that you can see the metrics on CloudWatch.
    1. On the AWS console, select , to view CloudWatch metrics by category.
    2. From the Custom Metrics drop-down, select the namespace.
    3. Verify that you can see PAN-OS metrics in the viewing list.
  4. Configure alarms and actions for PAN-OS metrics on CloudWatch. For details, refer to the AWS CloudWatch documentation.
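
An added example (not from the original page or from Palo Alto Networks): a check of the IAM policy document from step 1 before CloudWatch is enabled on the firewall, confirming the role can publish metrics and flagging grants wider than it needs. The page's own permission list is not reproduced here, so the example assumes the AWS action for publishing custom metrics, cloudwatch:PutMetricData, and the AWS condition key cloudwatch:namespace; the sample policies and the namespace VMseries are constructed.

```python
import fnmatch
import json

# Assumption: AWS action needed to publish custom metrics (not taken from the page).
PUBLISH_ACTION = "cloudwatch:PutMetricData"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json, namespace):
    """Return (can_publish, findings) for an IAM policy document string.
    Only Allow statements with Action are evaluated; Deny and NotAction are not."""
    doc = json.loads(policy_json)
    can_publish, findings = False, []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive and may contain * and ? wildcards.
        matched = [a for a in _as_list(stmt.get("Action", []))
                   if fnmatch.fnmatchcase(PUBLISH_ACTION.lower(), a.lower())]
        if not matched:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        allowed_ns = {k.lower(): v for k, v in cond.items()}.get("cloudwatch:namespace")
        if allowed_ns is not None and namespace not in _as_list(allowed_ns):
            continue  # statement is scoped to a different namespace
        can_publish = True
        if allowed_ns is None:
            findings.append("no cloudwatch:namespace condition: role can publish to any namespace")
        for a in matched:
            if "*" in a or "?" in a:
                findings.append(f"wildcard action {a!r} grants more than {PUBLISH_ACTION}")
    return can_publish, findings

# Constructed sample policies for illustration.
SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["cloudwatch:PutMetricData"], "Resource": "*",
    "Condition": {"StringEquals": {"cloudwatch:namespace": "VMseries"}}}]})
BROAD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "cloudwatch:*", "Resource": "*"}]})
MISSING = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]})

if __name__ == "__main__":
    for name, policy in (("scoped", SCOPED), ("broad", BROAD), ("missing", MISSING)):
        ok, notes = audit_policy(policy, "VMseries")
        print(f"{name}: can_publish={ok}")
        for note in notes:
            print(f"  - {note}")
```

A role that fails the check leaves the firewall unable to publish, and as noted above, alarms cannot be configured until metrics arrive.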
