Plan the VM-Series Auto Scaling Template for AWS (v2.0 and
The items in this checklist are actions and choices you must make to implement this solution.
Planning Checklist for Templates v2.0 and v2.1
The user who deploys the VM-Series Auto Scaling template must either have administrative privileges or have the permissions listed in the iam-policy.json to launch this solution successfully. Copy and paste the permissions from this file in to a new IAM policy and then attach the policy to a new or existing IAM role.
For a cross-account deployment, to access resources that are in a different AWS accounts, the IAM role for the user who deploys the application template must have full SQS access permissions and a trust relationship that authorizes her to write to the SQS queue that belongs to the firewall template.
For a deployment where the firewall template and the application template are in different accounts, the account that hosts the firewall template resources is the trusting account and the other AWS account(s) that hold the application template resources are the trusted accounts. To launch the application template in a cross-account deployment, you need the following information:
You can opt for the BYOL or PAYG licenses.
In the AWS Marketplace, search for Palo Alto Networks, and select the bundle you plan to use. The VM-Series firewalls will fail to deploy if you have not accepted the EULA for the bundle you plan to use.
Palo Alto Networks provides public S3 buckets in all AWS regions included in the supported regions list. These S3 buckets include all the templates, AWS Lambda code, and the bootstrap files that you need.
Palo Alto Networks recommends using the bootstrap files in the public S3 bucket only for evaluating this solution. For a production deployment, you must create a private S3 bucket for the bootstrap package.
The naming convention for the S3 bucket is
panw-aws-autoscale-v20-. For example, the bucket in the AWS Oregon region is panw-aws-autoscale-v20-us-west-2.
To use your private S3 bucket, you must download and copy the templates, AWS Lambda code, and the bootstrap files to your private S3 bucket. You can place all the required files for both the firewall template and the application template in one S3 bucket or place them in separate S3 buckets.
To ensure that your production environment is secure, you must customize the bootstrap.xml file with a unique administrative username and password for production deployments. The default username and password are pandemo/demopassword. You can also use this opportunity to create an optimal firewall configuration with interfaces, zones, and security policy rules that meet your application security needs.
Panorama is an option for administrative ease and is the best practice for managing the firewalls. It is not required to manage the auto scaling tier of VM-Series firewalls deployed in this solution.
If you want to use Panorama, you can either a Panorama virtual appliance on AWS or use an M-Series appliance or a Panorama virtual appliance inside your corporate network.
The Panorama must be in Panorama mode and not Management Only mode.
To successfully register the firewalls with Panorama, you must collect the following details:
In order to reduce the cost and scale limits of using Elastic IP addresses, the firewalls do not have public IPs. If you are not using Panorama to manage the firewalls, you must deploy a jump server (a bastion host with an EIP address) that attaches to the Untrust subnet within the VPC to enable SSH and/or HTTPS access to the VM-Series firewalls. By default, this solution includes an AWS NAT gateway that the firewalls use to initiate outbound requests for retrieving updates, connecting to Panorama, and publishing metrics to AWS CloudWatch.
Recommended For You
Recommended videos not found.