What’s New in Panorama Plugin for AWS 3.0.0

The AWS plugin for Panorama version 3.0.0 supports these new capabilities:
Consult the Compatibility Matrix for Panorama plugins for public clouds to determine the minimum software versions required to support these features.

System Requirements

  • VM-Series Plugin version 2.0.6 or later
  • PanOS version 10.0.5 or later

General Enhancements

The Panorama Plugin for AWS version 3.0 introduces orchestration for AWS autoscaling deployments. From Panorama, you can create a security stack to redirect inbound, outbound, or east-west traffic to secure your application stacks. The Panorama plugin user interface aggregates the majority of networking and authentication information for the security stack, eliminating the need to work with templates directly.
The plugin introduce cloud formation template (CFT) hyperlinks to configure security account and application account prerequisites.
  • Use the hyperlink under Security Account to open the CFT in the AWS cloud platform to create a group and associate a policy created by the plugin.
  • Use the hyperlink under Application Account to open the CFT in the AWS cloud platform to create a role and attach a policy with required permissions. Make sure that you have chosen all required permissions to create a cross-account role. Optionally, to handle a transit gateway (TGW) that is not in the security account, the cloud formation link deploys a Resource Access Manager (RAM) for the mentioned transit gateway and shares it with the security account provided in the template.

Monitoring Definition Enhancements

Monitoring Definition has been enhanced as follows:
  • Along with monitoring virtual machines (VMs), you can now monitor Application Load Balancers, Network Load Balancers, endpoints, and Elastic Network Interfaces (ENIs) associated to endpoints in the AWS cloud.
  • Differentiate active and passive tags based on whether or not they are used on security policies. The plugin sends only IP addresses of the active tags from the Dynamic Address Groups to the firewall.
  • You can view the detailed monitoring status for each monitoring definition using the
  • You can view the IP address-to-tag mapping and tag-to-IP address mapping using the new
    Monitoring Definition Detailed Status
    window. You can filter tags based on AWS region and VPC IDs, and view associated IP addresses. You can also see if a tag is used on any security policy.

Deployment Orchestration

The AWS plugin for Panorama 3.0.0 simplifies the existing Gateway Load Balancer solution by bringing all configurations in to a single user interface. You can create, view, and update deployments from the plugin user interface.
The plugin is validated for the following AWS regions.
  • US East (N. Virginia)
  • US East (Ohio)
  • US West (Oregon)
  • US West (N. California)
  • Canada (Central)
  • Europe (Frankfurt)
  • Europe (London)
  • Europe (Stockholm)
    m5.xlarge instances are not supported in the Europe (Stockholm) region.
The plugin deploys a security stack in AWS based on the configuration information you enter in the plugin under
. There are two use cases:
  • The application to be secured is managed in the same AWS account as the security stack and the TGW.
  • The application to be secured is managed in a different AWS account than the security stack and TGW.
    • If you want to use a TGW as a part of your deployment configuration, deploy a TGW in the same AWS account as the security stack, then enter the TGW ID in
      Transit Gateway
      from the plugin.
    • To enable end-to-end traffic flow from your application to the security stack, make sure you create an attachment from your application to the TGW.

Recommended For You