The GitHub repository provides CFT version 1.1 and version 1.2. Version 1.2 is the latest; it provides the mechanism to update the PAN-OS version of the auto scaling tier of VM-Series firewalls and other resources through the CFT stack update capability. To accommodate your business needs, it also lets you choose among, and switch between, three licensing options: BYOL, PAYG Bundle 1, and PAYG Bundle 2.
CFT version 1.1 supports PAYG Bundle 2 only.
In order to launch the CFT successfully, review this checklist before you begin.
VM-Series Auto Scaling Template for AWS Version 1.2
The items in this checklist are actions and choices you must make for implementing this solution.
Planning Checklist for Version 1.2
Verify the requirements for deploying the CFT. The CFT requires AWS Lambda. For PAN-OS 8.0 it supports AWS Signature Version 2 or 4 for API requests; PAN-OS 7.1 supports Signature Version 2 only. Look up the list of supported regions and the AMI IDs for the PAN-OS version you plan to deploy.
Assign the appropriate permissions to the IAM role or user that deploys the CFT. The user who deploys the CFT must either have administrative privileges or have the permissions listed in the iam-policy.json file; the scoped policy is the better choice, because it grants only what the launch needs. Copy the permissions from this file into a new IAM policy, and then attach the policy to a new or existing IAM role.
Create a Support Account on the Palo Alto Networks Support portal. With CFT 1.2, you can opt for the BYOL or PAYG (bundle 1 or bundle 2) licenses. For BYOL, you must register the auth code to your Palo Alto Networks support account prior to launching the CFT. For PAYG, you must register the VM-Series firewalls to activate your support entitlement.
(For PAYG) Review and accept the End User License Agreement (EULA). This is required if you are launching a VM-Series firewall in an AWS account for the first time. In the AWS Marketplace, search for Palo Alto Networks and select the bundle you plan to use; for example, search for VM-Series Next Generation Firewall Bundle 2. The CFT will fail to deploy if you have not accepted the EULA for the bundle you plan to use.
Click Continue, and select Manual Launch. Review the agreement and click Accept Software Terms to accept the EULA.
You can now close the browser.
Download the templates, AWS Lambda code, and the bootstrap files. Do not mix and match files across CFT versions. Get the files from the following GitHub repository: https://github.com/PaloAltoNetworks/aws-elb-autoscaling/tree/master/Version-1.2
Templates and Lambda code:
panw-aws.zip
firewall.template
vpc-classic-v1.2.template or vpc-alb-v1.2.template (you need only one)
The vpc-classic-v1.2.template includes support for two classic ELBs; the vpc-alb-v1.2.template includes support for a classic ELB and an internal application ELB. Use the vpc-alb-v1.2.template if you want to deploy an application ELB for load balancing traffic to the internal web servers and a classic ELB for internet-facing traffic. Use the vpc-classic-v1.2.template if you want to deploy two classic ELBs: one for load balancing traffic to the internal web servers and another for internet-facing traffic.
The solution is supported by Palo Alto Networks Technical Support as it is published. You may modify the template to suit your specific use case, but Palo Alto Networks Technical Support cannot assist with issues that arise from customization.
Bootstrap files:
init-cfg.txt
bootstrap.xml
The bootstrap.xml file bundled with this solution is designed to help you get started and is provided for testing and evaluation only. For a production deployment, you must modify the bootstrap.xml prior to launch. See Customize the Bootstrap.xml File.
Customize the bootstrap.xml file for your production environment. Make sure to use the bootstrap.xml file for CFT 1.2. To ensure that your production environment is secure, you must Customize the Bootstrap.xml File with a unique administrative username and password; the default username and password are pandemo/demopassword, and every firewall launched from an unmodified file shares them. You can also use this opportunity to create an optimal firewall configuration with interfaces, zones, and security policy rules that meet your application security needs.
Decide whether you want to use Panorama for centralized logging, reporting, and firewall management. Panorama is an option for administrative ease. It is not required to manage the auto scaling tier of VM-Series firewalls deployed in this solution. If you want to use Panorama, you can either use the M-Series appliance or a Panorama virtual appliance on a VMware ESXi server inside your corporate network, or use a Panorama virtual appliance on vCloud Air. To successfully register the firewalls with Panorama, you must collect the following details:
API key for Panorama. So that AWS Lambda can make API requests to Panorama, you must provide an API key when you launch the CFT. As a best practice, in a production deployment, create a separate administrative account used only for these API calls and generate the API key for that account.
Panorama IP address. You must include the IP address in the configuration (init-cfg.txt) file. The firewalls must be able to reach this IP address from the VPC; to ensure a secure connection, use a Direct Connect link or an IPSec tunnel.
VM auth key that allows Panorama to authenticate the firewalls in order to add each firewall as a managed device. You must include this key in the configuration (init-cfg.txt) file. The VM auth key is required for the lifetime of the deployment. Without a valid key in the connection request, the VM-Series firewall will be unable to register with Panorama. For details on the key, see Generate VM Auth Key.
Template name and the device group name to which to assign the firewalls. You must first add a template and create a device group on Panorama, and then include the template name and the device group name in the configuration (init-cfg.txt) file.
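The two checklist items above (customize bootstrap.xml; collect the Panorama API key, IP address, VM auth key, template and device group for init-cfg.txt) are easy to get wrong silently, because a firewall that boots with the demo admin account or an empty vm-auth-key still comes up; it just comes up insecure or unregistered. The following is an added example, not code from the Palo Alto Networks template repository, and it applies equally to the version 1.1 checklist later on this page. It assumes, beyond what the page states, that bootstrap.xml keeps administrator accounts under /config/mgt-config/users/entry[@name], that init-cfg.txt is a key=value file using the field names panorama-server, vm-auth-key, tplname and dgname, and that a Panorama XML API keygen call answers with <response status="success"><result><key>...</key></result></response>. The sample bootstrap.xml and init-cfg.txt embedded below are constructed for the demo.

```python
"""Pre-launch lint for the VM-Series auto scaling bootstrap package.

Added example; not part of the Palo Alto Networks aws-elb-autoscaling
repository. Assumptions (not stated on the page): bootstrap.xml keeps
administrator accounts under /config/mgt-config/users/entry[@name];
init-cfg.txt is key=value with the Panorama fields panorama-server,
vm-auth-key, tplname and dgname; the Panorama XML API keygen response is
<response status="success"><result><key>...</key></result></response>.
The sample inputs are constructed for this demo.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

DEFAULT_DEMO_ADMIN = "pandemo"  # account shipped in the evaluation bootstrap.xml
PANORAMA_KEYS = ("panorama-server", "vm-auth-key", "tplname", "dgname")

# Constructed sample: evaluation-style bootstrap.xml, demo admin still present.
SAMPLE_BOOTSTRAP_XML = """<config version="8.0.0">
  <mgt-config>
    <users>
      <entry name="pandemo">
        <phash>$1$xxxxxxxx$placeholderhashvalue</phash>
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
      </entry>
    </users>
  </mgt-config>
</config>
"""

# Constructed sample: init-cfg.txt with the Panorama fields only partly filled in.
SAMPLE_INIT_CFG = """type=dhcp-client
hostname=vmseries-asg
panorama-server=10.0.0.5
vm-auth-key=
tplname=
dgname=aws-autoscale
"""


def admin_accounts(bootstrap_xml):
    """Return the administrator usernames defined in bootstrap.xml."""
    root = ET.fromstring(bootstrap_xml)
    return [e.get("name") for e in root.findall("./mgt-config/users/entry")]


def check_bootstrap(bootstrap_xml):
    """Flag a bootstrap.xml that still carries the evaluation admin account."""
    problems = []
    names = admin_accounts(bootstrap_xml)
    if not names:
        problems.append("bootstrap.xml defines no administrator account")
    if DEFAULT_DEMO_ADMIN in names:
        problems.append("bootstrap.xml still defines the default '%s' account; "
                        "replace it with a unique admin and password" % DEFAULT_DEMO_ADMIN)
    return problems


def parse_init_cfg(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def check_init_cfg(cfg):
    """If Panorama is in use, every registration field must be populated."""
    problems = []
    if cfg.get("panorama-server"):
        for key in PANORAMA_KEYS:
            if not cfg.get(key):
                problems.append("init-cfg.txt sets panorama-server but '%s' is empty; "
                                "the firewalls cannot register with Panorama" % key)
    return problems


def keygen_request(panorama_host, user, password):
    """Build the Panorama XML API keygen call for the dedicated API account.
    Returned as (url, form_body) for an HTTPS POST, so the password does not
    land in the URL and therefore in proxy or web server logs."""
    url = "https://%s/api/" % panorama_host
    body = urlencode({"type": "keygen", "user": user, "password": password})
    return url, body


def parse_keygen_response(xml_text):
    """Extract the API key from a keygen response; raise on any failure."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("keygen failed: %s" % (root.findtext(".//msg") or "no message"))
    key = root.findtext("./result/key")
    if not key:
        raise ValueError("keygen response contained no key")
    return key


def prelaunch_check(bootstrap_xml, init_cfg_text):
    """Run all checks; an empty list means the package is ready to launch."""
    return check_bootstrap(bootstrap_xml) + check_init_cfg(parse_init_cfg(init_cfg_text))


if __name__ == "__main__":
    for problem in prelaunch_check(SAMPLE_BOOTSTRAP_XML, SAMPLE_INIT_CFG):
        print("FAIL:", problem)
```

Run it against the real bootstrap.xml and init-cfg.txt you are about to upload (read both files and pass their contents to prelaunch_check) and treat any reported problem as a blocker. The keygen helper builds a POST rather than the GET form of the same call on purpose: with GET the Panorama administrator password travels in the query string. Store the returned key the way you would store any credential; it is what AWS Lambda will use to talk to Panorama for the life of the stack.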
Decide whether you want to use the AWS NAT gateway or assign an EIP address to the management interface on each VM-Series firewall. To allow the firewalls to initiate outbound requests for retrieving updates, connecting to Panorama, and publishing metrics to AWS CloudWatch, you can either deploy an AWS NAT gateway or assign an EIP address to the management interface on each firewall. The AWS NAT gateway option conserves EIP addresses: you need only one EIP address per Availability Zone (AZ), so at most three EIP addresses if you deploy the CFT across three AZs. When you use a NAT gateway and are not using Panorama to manage the firewalls, you must deploy a jump server (a bastion host with an EIP address) within the VPC to enable SSH and/or HTTPS access to the VM-Series firewalls, because the management interface on each firewall then has a private IP address only. If you choose to assign an EIP address to the management interface of each VM-Series firewall, estimate the number of EIP addresses you need to enable outbound access for the firewalls when the auto scaling group is at its maximum size. Based on the size of your deployment, you may need to request an increase in the maximum number of EIP addresses for the AWS region; the default limit is 5 EIP addresses per account. This estimate is crucial because AWS Lambda must allocate an EIP address for each firewall it launches; if none is available, the firewall launch fails.
Get started:
Launch the VM-Series Auto Scaling Template for AWS (v1.2)
Stack Update with VM-Series Auto Scaling Template for AWS (v1.2)
VM-Series Auto Scaling Template for AWS Version 1.1
The items in this checklist are actions and choices you must make for implementing this solution.
Planning Checklist for Version 1.1
Verify the requirements for deploying the CFT. The CFT requires AWS Lambda and AWS Signature Version 2, and is supported in the following regions: US East (N. Virginia), US West (Oregon), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney).
Assign the appropriate permissions to the IAM role or user that deploys the CFT. The user who deploys the CFT must either have administrative privileges or have the permissions listed in the iam-policy.json file; the scoped policy is the better choice, because it grants only what the launch needs. Copy the permissions from this file into a new IAM policy, and then attach the policy to a new or existing IAM role.
Create a Support Account on the Palo Alto Networks Support portal. All VM-Series firewalls deployed by CFT 1.1 use the usage-based (PAYG Bundle 2) license; CFT 1.1 does not support the BYOL option. You must register the VM-Series firewalls to activate your support entitlement.
Review and accept the End User License Agreement (EULA). This is required if you are launching a VM-Series firewall on AWS for the first time; the CFT will fail to deploy if you have not accepted the EULA. In the AWS Marketplace, search for Palo Alto Networks and select VM-Series Next Generation Firewall Bundle 2.
Click Continue, and select Manual Launch. Review the agreement and click Accept Software Terms to accept the EULA.
You can now close the browser.
Download the templates, AWS Lambda code, and the bootstrap files. Do not mix and match files across CFT versions. Get the files from the following GitHub repository: https://github.com/PaloAltoNetworks/aws-elb-autoscaling/tree/master/Version-1.1
Templates and Lambda code:
panw-aws.zip
firewall.template
vpc-classic-v1.1.template or vpc-alb-v1.1.template (you need only one)
The vpc-classic-v1.1.template includes support for two classic ELBs; the vpc-alb-v1.1.template includes support for a classic ELB and an internal application ELB. Use the vpc-alb-v1.1.template if you want to deploy an application ELB for load balancing traffic to the internal web servers and a classic ELB for internet-facing traffic. Use the vpc-classic-v1.1.template if you want to deploy two classic ELBs: one for load balancing traffic to the internal web servers and another for internet-facing traffic.
The solution is supported by Palo Alto Networks Technical Support as it is published. You may modify the template to suit your specific use case, but Palo Alto Networks Technical Support cannot assist with issues that arise from customization.
Bootstrap files:
init-cfg.txt
bootstrap.xml
The bootstrap.xml file bundled with this solution is designed to help you get started and is provided for testing and evaluation only. For a production deployment, you must modify the bootstrap.xml prior to launch. See Customize the Bootstrap.xml File.
Customize the bootstrap.xml file for your production environment. To ensure that your production environment is secure, you must Customize the Bootstrap.xml File with a unique administrative username and password. You can also use this opportunity to create an optimal firewall configuration with interfaces, zones, and security policy rules that meet your application security needs.
Decide whether you want to use Panorama for centralized logging, reporting, and firewall management. Panorama is an option for administrative ease. It is not required to manage the auto scaling tier of VM-Series firewalls deployed in this solution. If you want to use Panorama, you can either use the M-Series appliance or a Panorama virtual appliance on a VMware ESXi server inside your corporate network, or use a Panorama virtual appliance on vCloud Air. If you use Panorama, you need the following information so that the firewalls can register with it:
API key for an administrative user account on Panorama. AWS Lambda uses this key to make API requests to Panorama. By default, the CFT uses an API key generated for the username and password admin/admin. For better security, create a dedicated administrative account on Panorama and generate a new API key for that account. You must enter this key when you launch the CFT.
Panorama IP address. You must include the IP address in the configuration (init-cfg.txt) file. The firewalls must be able to reach this IP address from the VPC; to ensure a secure connection, use a Direct Connect link or an IPSec tunnel.
VM auth key that allows Panorama to authenticate the firewalls in order to add each firewall as a managed device. You must include this key in the configuration (init-cfg.txt) file. The VM auth key is required for the lifetime of the deployment. Without a valid key in the connection request, the VM-Series firewall will be unable to register with Panorama. For details on the key, see Generate VM Auth Key.
Template name and the device group name to which to assign the firewalls. You must first add a template and create a device group on Panorama, and then include the template name and the device group name in the configuration (init-cfg.txt) file.
Decide whether you want to use the AWS NAT gateway or assign an EIP address to the management interface on each VM-Series firewall. To allow the firewalls to initiate outbound requests for retrieving updates, connecting to Panorama, and publishing metrics to AWS CloudWatch, you can either deploy an AWS NAT gateway or assign an EIP address to the management interface on each firewall. The AWS NAT gateway option conserves EIP addresses: you need only one EIP address per Availability Zone (AZ), so at most three EIP addresses if you deploy the CFT across three AZs. When you use a NAT gateway and are not using Panorama to manage the firewalls, you must deploy a jump server (a bastion host with an EIP address) within the VPC to enable SSH and/or HTTPS access to the VM-Series firewalls, because the management interface on each firewall then has a private IP address only. If you choose to assign an EIP address to the management interface of each VM-Series firewall, estimate the number of EIP addresses you need to enable outbound access for the firewalls when the auto scaling group is at its maximum size. Based on the size of your deployment, you may need to request an increase in the maximum number of EIP addresses for the AWS region; the default limit is 5 EIP addresses per account. This estimate is crucial because AWS Lambda must allocate an EIP address for each firewall it launches; if none is available, the firewall launch fails.
Get started:
Launch the VM-Series Auto Scaling Template for AWS (v1.1)