Pick the workflow for the CFT version you are deploying.
If you have deployed the template v1.2 and want to update resources see Stack Update with VM-Series Auto Scaling Template for AWS (v1.2).
Launch the VM-Series Auto Scaling Template for AWS (v1.2)
Use the following workflow to deploy all the components in this solution using the vpc-classic-v1.2.template or the vpc-alb-v1.2.template.
If you have an existing VPC with the required subnets, security groups, web servers, and ELBs, and only need to deploy the VM-Series firewalls at scale, use the firewall.template. The workflow for using only the firewall.template is not documented in this version of the document, but it is very similar.
Launch the Template Version 1.2
1. Plan the VM-Series Auto Scaling Template for AWS. Make sure that you have completed the following tasks:
   - (For PAYG only) Reviewed and accepted the EULA for the PAYG bundle you plan to use.
   - (For BYOL only) Obtained the auth code. You will need to enter this auth code in the /license folder of the bootstrap package. For details, see Prepare the Bootstrap Package.
   - Downloaded the files required to launch the CFT from the GitHub repository.
2. (Optional) Modify the init-cfg.txt file. For more information on the bootstrapping process, see Bootstrap the VM-Series Firewall; for details on the init-cfg.txt file, see Create the init-cfg.txt File.
   If you're using Panorama to manage the firewalls, complete the following tasks:
   - Generate the vm-auth-key on Panorama. The firewalls must include a valid key in the connection request to Panorama. Set the lifetime for the key to 8760 hours (1 year).
   - Open the init-cfg.txt file with a text editor, such as Notepad. Make sure that you do not alter the format, because a malformed file will cause the CFT deployment to fail.
   - Add the following information as name-value pairs:
     - IP addresses for the primary Panorama and, optionally, a secondary Panorama. Enter:
       panorama-server=
       panorama-server-2=
     - The template and the device group to which you want to assign the firewall. Enter:
       tplname=
       dgname=
     - The VM auth key. Enter:
       vm-auth-key=
   - Verify that you have not deleted the command for swapping the management interface (mgmt) and the dataplane interface (ethernet 1/1) on the VM-Series firewall on AWS. For example, the file must include the following name-value pairs:
       op-command-modes=mgmt-interface-swap
       vm-auth-key=755036225328715
       panorama-server=10.5.107.20
       panorama-server-2=10.5.107.21
       tplname=FINANCE_TG4
       dgname=finance_dg
     The vm-auth-key and Panorama IP addresses above are example values. Enter the values that match your setup.
   - Save and close the file.
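Because an altered init-cfg.txt format silently breaks the whole deployment, it is worth checking the file before uploading it to the bootstrap bucket. The following pre-flight checker is an added example written for this page; it is not Palo Alto Networks code. It assumes the file is one name=value pair per line, as shown above, and checks only the keys this step names (op-command-modes with mgmt-interface-swap, vm-auth-key, panorama-server, panorama-server-2, tplname, dgname). The sample file embedded in it is constructed from the example values above.

```python
"""Pre-flight check of a VM-Series init-cfg.txt (added example, not vendor code)."""
import ipaddress

# Keys this step requires when Panorama manages the firewalls.
PANORAMA_KEYS = ("panorama-server", "vm-auth-key", "tplname", "dgname")

# Constructed sample mirroring the example values in the procedure.
SAMPLE_INIT_CFG = """\
op-command-modes=mgmt-interface-swap
vm-auth-key=755036225328715
panorama-server=10.5.107.20
panorama-server-2=10.5.107.21
tplname=FINANCE_TG4
dgname=finance_dg
"""


def parse_init_cfg(text):
    """Parse name=value lines into a dict.

    Raises ValueError on any non-empty line that is not 'name=value' or on a
    duplicated key, since an altered format is exactly what breaks bootstrapping.
    """
    pairs = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: not a name-value pair: {raw!r}")
        key, _, value = line.partition("=")
        key = key.strip()
        if key in pairs:
            raise ValueError(f"line {lineno}: duplicate key {key}")
        pairs[key] = value.strip()
    return pairs


def check_init_cfg(text, panorama_managed=True):
    """Return a list of problems; an empty list means the file passes."""
    try:
        cfg = parse_init_cfg(text)
    except ValueError as exc:
        return [str(exc)]

    problems = []
    # The mgmt/dataplane interface swap must still be present on AWS.
    modes = [m.strip() for m in cfg.get("op-command-modes", "").split(",")]
    if "mgmt-interface-swap" not in modes:
        problems.append("op-command-modes must include mgmt-interface-swap")

    if panorama_managed:
        for key in PANORAMA_KEYS:
            if not cfg.get(key):
                problems.append(f"missing or empty {key}")
        # Panorama addresses are entered as IP addresses in this procedure.
        for key in ("panorama-server", "panorama-server-2"):
            value = cfg.get(key)
            if value:
                try:
                    ipaddress.ip_address(value)
                except ValueError:
                    problems.append(f"{key} is not a valid IP address: {value}")
    return problems


if __name__ == "__main__":
    report = check_init_cfg(SAMPLE_INIT_CFG) or ["init-cfg.txt passes the pre-flight check"]
    print("\n".join(report))
```

Run it against your own file by passing its contents to check_init_cfg; a non-empty list is the set of things to fix before uploading to the config folder.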
3. (For BYOL only) Add the license auth code in the /license folder of the bootstrap package. For more information on the bootstrapping process, see Prepare the Bootstrap Package.
   - Create a new .txt file with a text editor, such as Notepad.
   - Add the auth code for your BYOL licenses. The auth code must support the number of firewalls that may be required for your deployment. You must use an auth code bundle instead of individual auth codes so that the firewall can simultaneously fetch all license keys associated with a firewall. If you use individual auth codes instead of a bundle, the firewall will retrieve only the license key for the first auth code included in the file.
4. Change the default credentials for the VM-Series firewall administrator account defined in the bootstrap.xml file. This is required for using the CFT in a production environment. The bootstrap.xml file in the GitHub repository is provided for testing and evaluation only. For a production deployment, you must modify the bootstrap.xml prior to launch; see Customize the Bootstrap.xml File.
5. Prepare the Amazon Simple Storage Service (S3) buckets for launching the CFT. Make sure to create the S3 buckets in the same region in which you plan to deploy the template. The CFT requires one S3 bucket for the VM-Series bootstrap files and another S3 bucket for the AWS Lambda functions and the nested firewall.template.
   - Create a new S3 bucket for the bootstrap files. Sign in to the AWS Management Console and open the S3 console. Click Create Bucket. Enter a Bucket Name and a Region, and click Create.
     The bucket must be at the S3 root level. If you nest the bucket, bootstrapping will fail because you cannot specify a path to the location of the bootstrap files.
   - Upload the bootstrap files to the S3 bucket. Click the name of the bucket and then click Create folder. Create the following folder structure for bootstrapping.
   - Click the link to open the config folder. Select Actions > Upload and Add Files, browse to select the init-cfg.txt file and the bootstrap.xml file, and click Open. Click Start Upload to add the files to the config folder. The folder can contain only two files: init-cfg.txt and bootstrap.xml.
   - (For BYOL only) Click the link to open the license folder and upload the .txt file with the auth code required for licensing the VM-Series firewalls.
   - Create another S3 bucket and upload the AWS Lambda code and the firewall.template to it. Click the bucket name. Click Add Files, select the panw-aws.zip file and the firewall.template, and click Open. Click Start Upload to add the files to the S3 bucket.
6. Select the CFT that you want to launch.
   - In the AWS Management Console, select CloudFormation > Create Stack.
   - Select Upload a template to Amazon S3, choose the vpc-classic-v1.2.template or the vpc-alb-v1.2.template that you downloaded previously, and click Open and Next.
   - Specify the Stack name in 10 characters or less. The stack name allows you to uniquely identify all the resources that are deployed using this CFT. A longer stack name causes the CFT deployment to fail.
7. Configure the parameters for the VPC. Enter the parameters for the VPC Configuration as follows:
   - Enter a VPCName and a VPC CIDR. The default CIDR is 192.168.0.0/16.
   - Enter the IP address blocks for the management, untrust, and trust subnets for the VM-Series firewalls in each Availability Zone. By default, three subnets are allocated across three AZs. The default blocks are:
     Management subnets: 192.168.0.0/24, 192.168.10.0/24, and 192.168.20.0/24
     Untrust subnets: 192.168.1.0/24, 192.168.11.0/24, and 192.168.21.0/24
     Trust subnets: 192.168.2.0/24, 192.168.12.0/24, and 192.168.22.0/24
     If you modify the subnets, make sure that the management and untrust dataplane interfaces are in separate subnets.
   - For Do you want to create a NAT Gateway in each AZ, enter Yes if you want the CFT to deploy an AWS NAT gateway. Enter No if you want to assign EIPs to the management interface on each firewall to enable outbound access from the VPC. If you do not plan to allocate EIPs on the management interface of each VM-Series firewall, the AWS NAT gateway is required for the firewalls to reach the Palo Alto Networks update servers and Panorama, and to publish metrics to CloudWatch.
   - (Required if you opted for the AWS NAT Gateway) Enter the IP address blocks for the NAT gateway in each AZ. The default assignment is 192.168.100.0/24, 192.168.101.0/24, 192.168.102.0/24, and 192.168.103.0/24.
   - (Required if you opted for the AWS NAT Gateway) Enter the IP address blocks for the Lambda functions in each AZ. The default assignment is 192.168.200.0/24, 192.168.201.0/24, 192.168.202.0/24, and 192.168.203.0/24.
   - In Number of Availability Zones for deployment, select whether the uptime needs of your setup require the VPC to span two or three Availability Zones.
   - Select your AZ preference from the Select list of Availability Zones drop-down. Make sure to select two or three AZs, matching the number you selected above.
8. Select your preferences for the VM-Series firewalls.
   - Select the EC2 instance size for the VM-Series firewall.
   - Look up the AMI ID for the VM-Series firewall and enter it. Make sure that the AMI ID matches the AWS region, the PAN-OS version, and the BYOL or PAYG licensing option you have opted to use.
   - Copy and paste the license deactivation API key for your account. This key is required to successfully deactivate licenses on your firewalls when a scale-in event occurs. To get this key: log in to the Customer Support Portal, select License API from the Go To drop-down, and copy the API key.
   - Select the EC2 Key pair (from the drop-down) for launching the firewall. To log in to the firewall or the web servers, you must provide the name of this key pair and the private key associated with it.
   - If you want to restrict access to the firewall, specify the IP address block or IP addresses that can SSH in to the firewall. Verify your IP address before configuring it on the CFT to make sure that you do not lock yourself out.
9. Specify the names of the Amazon S3 buckets.
   - Enter the name of the S3 bucket that contains the bootstrap files. If the bootstrap bucket is not set up properly or if you enter the bucket name incorrectly, the bootstrap process will fail and you will not be able to log in to the firewall; ELB health checks will also fail.
   - Enter the name of the S3 bucket that contains the firewall.template and the Lambda code that you extracted from the zip file.
10. Specify the keys for enabling API access to the firewall and Panorama.
   - Enter the key that the firewall will use to authenticate API calls. The default key is based on the sample bootstrap.xml file and should only be used for testing and evaluation. For a production deployment, you must create a separate PAN-OS login just for the API call and generate an associated key.
   - Enter the API Key to allow AWS Lambda to make API calls to Panorama, if you are using Panorama for centralized management. For a production deployment, you should create a separate login just for the API call and generate an associated key.
11. Specify the names for the ELBs. Each ELB name must be 12 characters or less; if a name is longer than 12 characters, the CFT will fail to deploy.
   - Enter the name for the internet-facing (or external) classic ELB.
   - Enter the name for the internal classic or application ELB.
12. Configure the metric to monitor and define the thresholds for auto scaling. The custom PAN-OS metrics create CloudWatch alarms that execute auto scaling policies to scale in or scale out the VM-Series firewalls based on the thresholds you define.
   - Select one scaling metric:
     - Active Sessions (number): monitors the total number of sessions that are active on the firewall. Because the firewall uses NAT in this solution, the maximum number of sessions supported is 64,000.
     - Dataplane CPU Utilization (%): monitors the dataplane CPU usage to measure the traffic load on the firewall.
     - Dataplane Buffer Utilization (%): monitors the dataplane buffer usage. If you have a sudden burst in traffic, monitoring buffer utilization allows you to ensure that the firewall does not deplete the dataplane buffer and drop packets.
   - Enter the scaling period. This is the time interval for which a monitored metric must remain at the configured threshold to trigger a scaling event. The value is in seconds; choose one of these values: 60, 300, 900 (default), 3,600, 21,600, or 84,600.
   - Enter the maximum number of VM-Series firewalls in an ASG.
   - Enter the minimum number of VM-Series firewalls in an ASG. The minimum value of 1 means that every ASG will have at least one VM-Series firewall.
   - Enter the threshold for a scaling event. This input is a number or a percentage, depending on the scaling metric you selected above. For active sessions, as a best practice, set this value to at most 51,200 (80% of 64,000) so that scale-out events can complete with a fully functioning firewall. Assess the traffic patterns for your application and determine whether you need a more conservative threshold. For dataplane buffer utilization, set the value to at most 40% so that the firewall can optimally handle a burst in traffic.
     Bootstrapping a PAN-OS firewall can take 10 to 15 minutes. Make sure to leave some headroom in your scaling thresholds to accommodate that boot time. For example, don't wait until the session table is 95% full before launching a new firewall in the auto scaling group.
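Several of the inputs in the preceding steps have hard limits that only surface as a failed stack (the 10-character stack name, the 12-character ELB names, management and untrust subnets that must not share a block) or as a firewall that scales too late (a session threshold above 80% of 64,000, a buffer threshold above 40%). The checker below is an added example, written for this page rather than taken from the template repository, that applies those limits to a parameter set before you click Create. The dictionary keys it uses are names chosen for this example and are not the CFT's own parameter keys; the sample values are constructed from the defaults listed above.

```python
"""Pre-flight check of CFT input parameters (added example, not vendor code)."""
import ipaddress

ALLOWED_SCALING_PERIODS = {60, 300, 900, 3600, 21600, 84600}  # seconds, per the step above
MAX_SESSIONS = 64_000                                           # NAT session ceiling
SESSION_THRESHOLD_CEILING = int(MAX_SESSIONS * 0.8)             # 51,200, the recommended maximum
BUFFER_THRESHOLD_CEILING = 40                                   # percent

# Constructed sample mirroring the template defaults for a three-AZ deployment.
# Key names are this example's own, not the template's parameter names.
SAMPLE_PARAMS = {
    "StackName": "VM-Auto",
    "ExternalELBName": "public-elb",
    "InternalELBName": "private-elb",
    "VpcCidr": "192.168.0.0/16",
    "MgmtSubnets": ["192.168.0.0/24", "192.168.10.0/24", "192.168.20.0/24"],
    "UntrustSubnets": ["192.168.1.0/24", "192.168.11.0/24", "192.168.21.0/24"],
    "TrustSubnets": ["192.168.2.0/24", "192.168.12.0/24", "192.168.22.0/24"],
    "ScalingMetric": "ActiveSessions",   # or "DataplaneCpu" / "DataplaneBuffer"
    "ScalingPeriod": 900,
    "ScaleThreshold": 51_200,
    "MinFirewalls": 1,
    "MaxFirewalls": 3,
}


def check_params(p):
    """Return a list of problems; an empty list means the inputs look deployable."""
    problems = []
    if len(p["StackName"]) > 10:
        problems.append("stack name must be 10 characters or less")
    for key in ("ExternalELBName", "InternalELBName"):
        if len(p[key]) > 12:
            problems.append(f"{key} must be 12 characters or less")

    # Every firewall subnet must sit inside the VPC CIDR, and no two may overlap;
    # the overlap test is what enforces separate management and untrust subnets.
    vpc = ipaddress.ip_network(p["VpcCidr"])
    nets = []
    for role in ("MgmtSubnets", "UntrustSubnets", "TrustSubnets"):
        for cidr in p[role]:
            net = ipaddress.ip_network(cidr)
            if not net.subnet_of(vpc):
                problems.append(f"{cidr} ({role}) is outside the VPC CIDR {vpc}")
            nets.append((role, net))
    for i, (role_a, net_a) in enumerate(nets):
        for role_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{role_a} {net_a} overlaps {role_b} {net_b}")

    if p["ScalingPeriod"] not in ALLOWED_SCALING_PERIODS:
        problems.append(f"scaling period {p['ScalingPeriod']} is not one of "
                        f"{sorted(ALLOWED_SCALING_PERIODS)}")
    if not 1 <= p["MinFirewalls"] <= p["MaxFirewalls"]:
        problems.append("need 1 <= MinFirewalls <= MaxFirewalls")

    # Thresholds: leave headroom for the 10-15 minute bootstrap of a new firewall.
    metric, threshold = p["ScalingMetric"], p["ScaleThreshold"]
    if metric == "ActiveSessions" and threshold > SESSION_THRESHOLD_CEILING:
        problems.append(f"session threshold {threshold} exceeds "
                        f"{SESSION_THRESHOLD_CEILING} (80% of {MAX_SESSIONS})")
    elif metric == "DataplaneBuffer" and threshold > BUFFER_THRESHOLD_CEILING:
        problems.append(f"buffer threshold {threshold}% exceeds {BUFFER_THRESHOLD_CEILING}%")
    elif metric == "DataplaneCpu" and not 0 < threshold <= 100:
        problems.append("CPU threshold must be a percentage between 1 and 100")
    return problems


if __name__ == "__main__":
    print("\n".join(check_params(SAMPLE_PARAMS) or ["parameters pass the pre-flight check"]))
```

Feed it the values you intend to type into the CloudFormation form; each entry in the returned list corresponds to one of the limits stated in the steps above, so a clean result means none of those known failure modes will trip the stack.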
13. Select the EC2 instance type for the web servers. Make sure to pick an instance size that matches the expected load on your web servers so that the internal ELB does not fluctuate widely with variable demand. If the internal ELB fluctuates, it will trigger scaling events for the ASGs and the corresponding VM-Series firewalls.
14. (Optional) Apply tags to identify the CFT resources associated with the deployment. Add a name-value pair to identify and categorize the resources in this CFT stack.
15. Review the template settings and launch the template.
   - Select I acknowledge that this template might cause AWS CloudFormation to create IAM resources.
   - Click Create to launch the template. The CREATE_IN_PROGRESS event displays. On successful deployment, the status updates to CREATE_COMPLETE.
   In each AZ, the CFT launches an ASG that includes one VM-Series firewall behind the external ELB. The firewalls are bootstrapped with a NAT policy rule and a basic Security policy rule. The CFT also launches two web servers in an ASG behind the internal ELB.
16. Verify that the template has launched all required resources. To modify or update the resources for this CFT, see Stack Update with VM-Series Auto Scaling Template for AWS (v1.2).
   - On the EC2 Dashboard, select Load Balancers. Get the DNS name for the external ELB and enter it into a web browser, for example: http://public-elb-123456789.us-east-1.elb.amazonaws.com/ The web page that displays indicates that you have successfully launched the CloudFormation template.
   - On the EC2 Dashboard, select Auto Scaling Groups. Verify that in each AZ you have one ASG for the VM-Series firewalls, with the minimum number of firewalls you specified in the template, and the web server ASG. If you selected three AZs and the AWS NAT gateway, the VM-Series firewall ASG name encodes this information as az3n; these details are appended to the stack name, for example: VM-Auto-CFT-az3n-EB4Y7D3DMJ6E_ASG_LC_192-168-2-6
   - Log in to the VM-Series firewall. It may take up to 20 minutes for the firewalls to boot up and be available to handle traffic. Use the EIP address if you allocated one. If you chose the NAT gateway option, you must deploy a jump server or use Panorama to access the web interface on the firewall.
   - Select Monitor > Logs > Traffic on the web interface of the firewall to view logs.
Launch the VM-Series Auto Scaling Template for AWS (v1.1)
Use the following workflow to deploy all the components in this solution using the vpc-classic-v1.1.template or the vpc-alb-v1.1.template.
If you have an existing VPC with the required subnets, security groups, web servers, and ELBs, and only need to deploy the VM-Series firewalls at scale, use the firewall.template. The workflow for using only the firewall.template is not documented in this version of the document, but it is very similar.
Launch the Template Version 1.1
1. Plan the VM-Series Auto Scaling Template for AWS. Make sure that you have completed the following tasks:
   - Reviewed and accepted the EULA.
   - Downloaded the files required to launch the CFT from the GitHub repository.
2. (Optional) Modify the init-cfg.txt file. For more information on the bootstrapping process, see Bootstrap the VM-Series Firewall; for details on the init-cfg.txt file, see Create the init-cfg.txt File.
   If you're using Panorama to manage the firewalls, complete the following tasks:
   - Generate the vm-auth-key on Panorama. The firewalls must include a valid key in the connection request to Panorama. Set the lifetime for the key to 8760 hours (1 year).
   - Open the init-cfg.txt file with a text editor, such as Notepad.
   - Add the following information as name-value pairs:
     - IP addresses for the primary Panorama and, optionally, a secondary Panorama. Enter:
       panorama-server=
       panorama-server-2=
     - The template and the device group to which you want to assign the firewall. Enter:
       tplname=
       dgname=
     - The VM auth key. Enter:
       vm-auth-key=
   - Verify that you have not deleted the command for swapping the management interface (mgmt) and the dataplane interface (ethernet 1/1) on the VM-Series firewall on AWS. For example, the file must include the following name-value pairs:
       op-command-modes=mgmt-interface-swap
       vm-auth-key=755036225328715
       panorama-server=10.5.107.20
       panorama-server-2=10.5.107.21
       tplname=FINANCE_TG4
       dgname=finance_dg
     The vm-auth-key and Panorama IP addresses above are example values. Enter the values that match your setup.
   - Save and close the file.
3. Change the default credentials for the VM-Series firewall administrator account defined in the bootstrap.xml file. This is required for using the CFT in a production environment. The bootstrap.xml file in the GitHub repository is provided for testing and evaluation only. For a production deployment, you must modify the bootstrap.xml prior to launch; see Customize the Bootstrap.xml File.
4. Prepare the Amazon Simple Storage Service (S3) buckets for launching the CFT. Make sure to create the S3 buckets in the same region in which you plan to deploy the template. The CFT requires one S3 bucket for the VM-Series bootstrap files and another S3 bucket for the AWS Lambda functions and the nested firewall.template.
   - Create a new S3 bucket for the bootstrap files. Sign in to the AWS Management Console and open the S3 console. Click Create Bucket. Enter a Bucket Name and a Region, and click Create.
     The bucket must be at the S3 root level. If you nest the bucket, bootstrapping will fail because you cannot specify a path to the location of the bootstrap files.
   - Upload the bootstrap files to the S3 bucket. Click the name of the bucket and then click Create folder. Create the following folder structure for bootstrapping.
   - Click the link to open the config folder. Select Actions > Upload and Add Files, browse to select the init-cfg.txt file and the bootstrap.xml file, and click Open. Click Start Upload to add the files to the config folder. The folder can contain only two files: init-cfg.txt and bootstrap.xml.
   - Create another S3 bucket and upload the AWS Lambda code and the firewall.template to it. Click the bucket name. Click Add Files, select the panw-aws.zip file and the firewall.template, and click Open. Click Start Upload to add the files to the S3 bucket.
5. Select the CFT that you want to launch.
   - In the AWS Management Console, select CloudFormation > Create Stack.
   - Select Upload a template to Amazon S3, choose the vpc-classic-v1.template or the vpc-alb-v1.template that you downloaded previously, and click Open and Next.
   - Specify the Stack name in 10 characters or less. The stack name allows you to uniquely identify all the resources that are deployed using this CFT.
6. Configure the parameters for the VPC. Enter the parameters for the VPC Configuration as follows:
   - Enter a VPCName and a VPC CIDR. The default CIDR is 192.168.0.0/16.
   - Enter the IP address blocks for the management, untrust, and trust subnets for the VM-Series firewalls in each Availability Zone. By default, three subnets are allocated across three AZs. The default blocks are:
     Management subnets: 192.168.0.0/24, 192.168.10.0/24, and 192.168.20.0/24
     Untrust subnets: 192.168.1.0/24, 192.168.11.0/24, and 192.168.21.0/24
     Trust subnets: 192.168.2.0/24, 192.168.12.0/24, and 192.168.22.0/24
   - For Do you want to create a NAT Gateway in each AZ, enter Yes if you want the CFT to deploy an AWS NAT gateway. Enter No if you want to assign EIPs to the management interface on each firewall to enable outbound access from the VPC. If you do not plan to allocate EIPs on the management interface of each VM-Series firewall, the AWS NAT gateway is required for the firewalls to reach the Palo Alto Networks update servers and Panorama, and to publish metrics to CloudWatch.
   - (Required if you opted for the AWS NAT Gateway) Enter the IP address blocks for the NAT gateway in each AZ. The default assignment is 192.168.100.0/24, 192.168.101.0/24, 192.168.102.0/24, and 192.168.103.0/24.
   - (Required if you opted for the AWS NAT Gateway) Enter the IP address blocks for the Lambda functions in each AZ. The default assignment is 192.168.200.0/24, 192.168.201.0/24, 192.168.202.0/24, and 192.168.203.0/24.
   - In Number of Availability Zones for deployment, select whether the uptime needs of your setup require the VPC to span two or three Availability Zones.
   - Select your AZ preference from the Select list of Availability Zones drop-down. Make sure to select two or three AZs, matching the number you selected above.
7. Select your preferences for the VM-Series firewalls.
   - Select the EC2 instance size for the VM-Series firewall.
   - Select the EC2 Key pair (from the drop-down) for launching the firewall. To log in to the firewall or the web servers, you must provide the name of this key pair and the private key associated with it.
   - If you want to restrict access to the firewall, specify the IP address block or IP addresses that can SSH in to the firewall. Verify your IP address before configuring it on the CFT to make sure that you do not lock yourself out.
8. Specify the names of the Amazon S3 buckets.
   - Enter the name of the S3 bucket that contains the bootstrap files. If the bootstrap bucket is not set up properly or if you enter the bucket name incorrectly, the bootstrap process will fail and you will not be able to log in to the firewall; ELB health checks will also fail.
   - Enter the name of the S3 bucket that contains the firewall.template and the Lambda code that you extracted from the zip file.
9. Specify the keys for enabling API access to the firewall and Panorama.
   - Enter the key that the firewall will use to authenticate API calls. The default key is based on the sample bootstrap.xml file and should only be used for testing and evaluation. For a production deployment, you must create a separate PAN-OS login just for the API call and generate an associated key.
   - Enter the API Key to allow AWS Lambda to make API calls to Panorama, if you are using Panorama for centralized management. For a production deployment, you should create a separate login just for the API call and generate an associated key.
10. Specify the names for the ELBs. Each ELB name must be 12 characters or less; if a name is longer than 12 characters, the CFT will fail to deploy.
   - Enter the name for the internet-facing (or external) classic ELB.
   - Enter the name for the internal classic or application ELB.
11. Configure the metric to monitor and define the thresholds for auto scaling. The custom PAN-OS metrics create CloudWatch alarms that execute auto scaling policies to scale in or scale out the VM-Series firewalls based on the thresholds you define.
   - Select one scaling metric:
     - Active Sessions (number): monitors the total number of sessions that are active on the firewall. Because the firewall uses NAT in this solution, the maximum number of sessions supported is 64,000.
     - Dataplane CPU Utilization (%): monitors the dataplane CPU usage to measure the traffic load on the firewall.
     - Dataplane Buffer Utilization (%): monitors the dataplane buffer usage. If you have a sudden burst in traffic, monitoring buffer utilization allows you to ensure that the firewall does not deplete the dataplane buffer and drop packets.
   - Enter the scaling period. This is the time interval for which a monitored metric must remain at the configured threshold to trigger a scaling event. The value is in seconds; choose one of these values: 60, 300, 900 (default), 3,600, 21,600, or 84,600.
   - Enter the maximum number of VM-Series firewalls in an ASG.
   - Enter the minimum number of VM-Series firewalls in an ASG. The minimum value of 1 means that every ASG will have at least one VM-Series firewall.
   - Enter the threshold for a scaling event. This input is a number or a percentage, depending on the scaling metric you selected above. For active sessions, as a best practice, set this value to at most 51,200 (80% of 64,000) so that scale-out events can complete with a fully functioning firewall. Assess the traffic patterns for your application and determine whether you need a more conservative threshold. For dataplane buffer utilization, set the value to at most 40% so that the firewall can optimally handle a burst in traffic.
     Bootstrapping a PAN-OS firewall can take 10 to 15 minutes. Make sure to leave some headroom in your scaling thresholds to accommodate that boot time. For example, don't wait until the session table is 95% full before launching a new firewall in the auto scaling group.
12. Select the EC2 instance type for the web servers. Make sure to pick an instance size that matches the expected load on your web servers so that the internal ELB does not fluctuate widely with variable demand. If the internal ELB fluctuates, it will trigger scaling events for the ASGs and the corresponding VM-Series firewalls.
13. (Optional) Apply tags to identify the CFT resources associated with the deployment. Add a name-value pair to identify and categorize the resources in this CFT stack.
14. Review the template settings and launch the template.
   - Select I acknowledge that this template might cause AWS CloudFormation to create IAM resources.
   - Click Create to launch the template. The CREATE_IN_PROGRESS event displays. On successful deployment, the status updates to CREATE_COMPLETE.
   In each AZ, the CFT launches an ASG that includes one VM-Series firewall behind the external ELB. The firewalls are bootstrapped with a NAT policy rule and a basic Security policy rule. The CFT also launches two web servers in an ASG behind the internal ELB.
15. Verify that the template has launched all required resources.
   - On the EC2 Dashboard, select Load Balancers. Get the DNS name for the external ELB and enter it into a web browser, for example: http://public-elb-123456789.us-east-1.elb.amazonaws.com/ The web page that displays indicates that you have successfully launched the CloudFormation template.
   - On the EC2 Dashboard, select Auto Scaling Groups. Verify that in each AZ you have one ASG for the VM-Series firewalls, with the minimum number of firewalls you specified in the template, and the web server ASG. If you selected three AZs and the AWS NAT gateway, the VM-Series firewall ASG name encodes this information as az3n; these details are appended to the stack name, for example: VM-Auto-CFT-az3n-EB4Y7D3DMJ6E_ASG_LC_192-168-2-6
   - Log in to the VM-Series firewall. It may take up to 20 minutes for the firewalls to boot up and be available to handle traffic. Use the EIP address if you allocated one. If you chose the NAT gateway option, you must deploy a jump server or use Panorama to access the web interface on the firewall.
   - Select Monitor > Logs > Traffic on the web interface of the firewall to view logs.
When you are finished with testing or with a production deployment, the only way to ensure that charges stop is to completely delete the stack. Shutting down instances, or changing the ASG maximum to 0, is not sufficient, because the CFT might automatically deploy new ASGs. If you are using Panorama, delete the internal ELB on AWS before you delete the stack. Deleting the internal ELB allows the VM-Series firewalls to shut down gracefully, so that Panorama can remove the firewalls from its list of managed devices.