Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC
In a dynamic environment such as an AWS VPC, where you launch new EC2 instances on demand, managing security policy by hand creates significant administrative overhead. Using Dynamic Address Groups in security policy gives you agility and prevents disruption of services or gaps in protection as instances come and go.
In this example, you use the VM Information Source on the firewall to monitor a VPC, and Dynamic Address Groups in security policy to discover and secure EC2 instances. As you spin up EC2 instances, the Dynamic Address Group collates the IP addresses of all instances that match the criteria defined for group membership, and security policy is then applied to the group. The security policy in this example allows internet access to all members of the group.
Instead of using VM Information Source on the firewall, you can opt to use Panorama as the central point for communicating with your VPCs. Using the AWS plugin on Panorama, you can retrieve the IP address-to-tag mapping and register the information on the managed firewalls for which you configure notification. For more details on this option, see VM Monitoring with the AWS Plugin on Panorama.
The workflow in this section assumes that you have created the AWS VPC and deployed the VM-Series firewall and some applications on EC2 instances. For instructions on setting up the VPC for the VM-Series, see Use Case: Secure the EC2 Instances in the AWS Cloud.
- Configure the firewall to monitor the VPC.
  - Select Device > VM Information Sources.
  - Click Add and enter the following information:
    - A Name to identify the VPC that you want to monitor. For example, VPC-CloudDC.
    - Set the Type to AWS VPC.
    - In Source, enter the URI for the VPC. The syntax is ec2.<your_region>.amazonaws.com.
  - Add the credentials required for the firewall to digitally sign API calls made to the AWS services. You need the following:
    - Access Key ID: Enter the alphanumeric text string that uniquely identifies the user who owns or is authorized to access the AWS account.
    - Secret Access Key: Enter the password and confirm your entry.
  - (Optional) Modify the Update interval to a value between 5 and 600 seconds. By default, the firewall polls every 5 seconds. The API calls are queued and retrieved within every 60 seconds, so updates may take up to 60 seconds plus the configured polling interval.
  - Enter the VPC ID that is displayed on the VPC Dashboard in the AWS management console.
  - Click OK, and Commit the changes.
  - Verify that the connection Status displays as connected.
- Tag the EC2 instances in the VPC. For a list of tags that the VM-Series firewall can monitor, see List of Attributes Monitored on the AWS VPC. A tag is a name-value pair. You can tag the EC2 instances either on the EC2 Dashboard in the AWS management console or using the AWS API or AWS CLI. In this example, we use the EC2 Dashboard to add the tag.
- Create a dynamic address group on the firewall.
  - Select Objects > Address Groups.
  - Click Add and enter a Name and a Description for the address group.
  - Define the match criteria.
    - Click Add Match Criteria, and select the And operator.
    - Select the attributes to filter for or match against. In this example, we select the ExternalAccessAllowed tag that you just created and the subnet ID for the private subnet of the VPC.
- Use the dynamic address group in a security policy. Create a rule that allows internet access to any web server that belongs to the dynamic address group called ExternalServerAccess.
  - Click Add, enter a Name for the rule, and verify that the Rule Type is universal.
  - In the Source tab, add trust as the Source Zone.
  - In the Source Address section of the Source tab, Add the ExternalServerAccess group you just created.
  - In the Destination tab, add untrust as the Destination Zone.
  - In the Service/URL Category tab, verify that the service is set to application-default.
  - In the Actions tab, set the Action to Allow.
  - In the Profile Settings section of the Actions tab, select Profiles and then attach the default profiles for antivirus, anti-spyware, and vulnerability protection.
- Verify that members of the dynamic address group are populated on the firewall. Policy is enforced for all IP addresses that belong to this address group, and those addresses are displayed here.
  - Select Policies > Security, and select the rule.
  - Select the drop-down arrow next to the address group link, and select Inspect. You can also verify that the match criteria are accurate.
  - Click the more link and verify that the list of registered IP addresses is displayed.
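The following Python model illustrates what steps 2, 3 and 5 above set up: an instance becomes a member of the dynamic address group only when it carries the ExternalAccessAllowed tag and sits in the private subnet (the And operator), and a newly launched instance is picked up on the next poll without any rule change. This is an added example, not VM-Series code or real AWS data; the instance records, subnet IDs, the attribute string format and the `worst_case_update_delay` helper are constructed for illustration.

```python
"""
Model of the dynamic address group evaluation described in the steps above.
An EC2 instance is a member only if it carries the ExternalAccessAllowed tag
AND sits in the private subnet (the "And" operator in the match criteria).
Instance records, subnet IDs and the attribute string format are constructed
for this example; they are not VM-Series internals or real AWS data.
"""
from dataclasses import dataclass, field


@dataclass
class Ec2Instance:
    instance_id: str
    private_ip: str
    subnet_id: str
    tags: dict = field(default_factory=dict)


# Constructed sample inventory, as the firewall would see it after polling
# the VPC. The AWS CLI equivalent of the dashboard tagging in step 2 is:
#   aws ec2 create-tags --resources i-0aaa111 --tags Key=ExternalAccessAllowed,Value=yes
PRIVATE_SUBNET = "subnet-0private0example"
PUBLIC_SUBNET = "subnet-0public00example"

INVENTORY = [
    # Tagged and in the private subnet: should become a member.
    Ec2Instance("i-0aaa111", "10.0.1.10", PRIVATE_SUBNET,
                {"Name": "web-1", "ExternalAccessAllowed": "yes"}),
    # In the private subnet but never tagged: must stay out.
    Ec2Instance("i-0bbb222", "10.0.1.11", PRIVATE_SUBNET, {"Name": "web-2"}),
    # Tagged but in another subnet: the And criterion excludes it.
    Ec2Instance("i-0ccc333", "10.0.2.5", PUBLIC_SUBNET,
                {"ExternalAccessAllowed": "yes"}),
]


def instance_attributes(inst: Ec2Instance) -> set:
    """Flatten the metadata the firewall monitors into matchable attribute
    strings (simplified naming for this example, not PAN-OS's own syntax)."""
    attrs = {f"tag:{key}={value}" for key, value in inst.tags.items()}
    attrs.add(f"subnet-id={inst.subnet_id}")
    return attrs


# Match criteria from step 3: every attribute must be present (And).
CRITERIA = {"tag:ExternalAccessAllowed=yes", f"subnet-id={PRIVATE_SUBNET}"}


def group_members(inventory, criteria=CRITERIA):
    """Return the sorted IP addresses registered to the group: the instances
    whose attributes satisfy all of the criteria."""
    return sorted(inst.private_ip for inst in inventory
                  if criteria.issubset(instance_attributes(inst)))


def after_launch(inventory, new_instance, criteria=CRITERIA):
    """Membership after the next poll picks up a newly launched instance; the
    security rule covers the new address without being edited."""
    return group_members(inventory + [new_instance], criteria)


def worst_case_update_delay(update_interval_s: int) -> int:
    """Seconds until a new instance can be registered, from the polling note
    in step 1: a 60-second API retrieval cycle plus the configured interval."""
    if not 5 <= update_interval_s <= 600:
        raise ValueError("Update interval must be between 5 and 600 seconds")
    return 60 + update_interval_s


if __name__ == "__main__":
    print("current members:", group_members(INVENTORY))
    launched = Ec2Instance("i-0ddd444", "10.0.1.12", PRIVATE_SUBNET,
                           {"ExternalAccessAllowed": "yes"})
    print("after launch:", after_launch(INVENTORY, launched))
    print("worst-case delay at default interval (s):", worst_case_update_delay(5))
```

The untagged instance and the tagged instance in the public subnet both fall outside the group, which is the point of combining the tag with the subnet ID under And: a tag alone is easy to set, so pairing it with the subnet keeps the rule from applying to instances outside the intended network segment.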