Document:VM-Series Deployment Guide
Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC
Last Updated: Fri May 01 17:28:13 PDT 2020
This example illustrates how you can monitor the VPC and use Dynamic Address Groups in security policy to discover and secure EC2 instances. As you spin up EC2 instances, the Dynamic Address Group collates the IP addresses of all instances that match the criteria defined for group membership, and the security policy that references the group applies to those addresses without a policy change for each new instance. The security policy in this example allows internet access to all members of the group.
The workflow in this section assumes that you have already created the AWS VPC and deployed the VM-Series firewall and some applications on EC2 instances. For instructions on setting up the VPC for the VM-Series, see Use Case: Secure the EC2 Instances in the AWS Cloud.
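To make the membership mechanism described above concrete, here is an added model of it in Python. It is not code from this guide or from Palo Alto Networks: it takes a DescribeInstances-shaped snapshot of the VPC, derives registration tags from each instance's EC2 tags, and evaluates a Dynamic Address Group match expression against them, then diffs two successive polls to show which addresses the policy starts covering. The tag form `aws.tag.<Key>.<Value>`, the match syntax (quoted tags joined by `and`/`or` with parentheses), the restriction to running instances keyed by private IP, and all instance records are assumptions or constructed data, labelled as such in the code.

```python
"""Model of how a Dynamic Address Group (DAG) resolves EC2 membership.

Added illustration, not code from the VM-Series guide or from Palo Alto Networks.
Assumed: VM monitoring registers 'aws.tag.<Key>.<Value>' per instance (modelled on
the PAN-OS form), criteria are quoted tags joined by and/or with parentheses, and
only running instances are registered, keyed by private IP. All data is constructed.
"""
import copy
import re

TOKEN_RE = re.compile(r"'([^']*)'|(\()|(\))|\b(and|or)\b", re.IGNORECASE)

def collect_tags(instance):
    """Registration tags for one instance (assumed 'aws.tag.<Key>.<Value>' form)."""
    return {f"aws.tag.{t['Key']}.{t['Value']}" for t in instance.get("Tags", [])}

def tokenize(criteria):
    """Split criteria into (kind, value) tokens; any unmatched text is an error."""
    if TOKEN_RE.sub("", criteria).strip():
        raise ValueError(f"unparseable text in criteria: {criteria!r}")
    tokens = []
    for tag, lp, rp, op in (m.groups() for m in TOKEN_RE.finditer(criteria)):
        kind = "TAG" if tag is not None else "PAREN" if (lp or rp) else "OP"
        tokens.append((kind, tag if tag is not None else (lp or rp or op.lower())))
    return tokens

def _expr(toks, tags):
    """expr := term ('or' term)*  -- 'or' binds weaker than 'and'."""
    result = _term(toks, tags)
    while toks and toks[0] == ("OP", "or"):
        toks.pop(0)
        rhs = _term(toks, tags)      # always consume the operand; no short-circuit
        result = result or rhs
    return result

def _term(toks, tags):
    """term := factor ('and' factor)*"""
    result = _factor(toks, tags)
    while toks and toks[0] == ("OP", "and"):
        toks.pop(0)
        rhs = _factor(toks, tags)
        result = result and rhs
    return result

def _factor(toks, tags):
    """factor := quoted tag | '(' expr ')'"""
    kind, value = toks.pop(0) if toks else (None, None)
    if kind == "TAG":
        return value in tags
    if (kind, value) == ("PAREN", "("):
        result = _expr(toks, tags)
        if not toks or toks.pop(0) != ("PAREN", ")"):
            raise ValueError("missing ')' in criteria")
        return result
    raise ValueError(f"unexpected token {value!r} in criteria")

def matches(criteria, tags):
    """True if the registered tags satisfy the DAG match criteria."""
    toks = tokenize(criteria)
    result = _expr(toks, tags)
    if toks:
        raise ValueError("trailing tokens in criteria")
    return result

def resolve_group(criteria, describe_instances):
    """Private IPs the DAG holds after one poll of a DescribeInstances-shaped snapshot."""
    return {
        inst["PrivateIpAddress"]
        for reservation in describe_instances["Reservations"]
        for inst in reservation["Instances"]
        if inst["State"]["Name"] == "running" and matches(criteria, collect_tags(inst))
    }

def membership_delta(previous, current):
    """(added, removed) between two polls: the IPs the policy starts and stops covering."""
    return sorted(current - previous), sorted(previous - current)

def _instance(iid, ip, state, **tags):
    """One constructed instance record in DescribeInstances shape (not real AWS data)."""
    return {"InstanceId": iid, "PrivateIpAddress": ip, "State": {"Name": state},
            "Tags": [{"Key": k, "Value": v} for k, v in tags.items()]}

SNAPSHOT_T0 = {"Reservations": [{"Instances": [
    _instance("i-web1", "10.0.1.10", "running", Role="Web", Env="Prod"),
    _instance("i-web2", "10.0.1.11", "running", Role="Web", Env="Dev"),
    _instance("i-db1", "10.0.2.20", "running", Role="DB", Env="Prod"),
    _instance("i-web3", "10.0.1.12", "stopped", Role="Web", Env="Prod"),
]}]}
# Next poll: a new web instance has launched, and someone holding ec2:CreateTags
# has retagged the DB instance Role=Web, which pulls it into the group as well.
SNAPSHOT_T1 = copy.deepcopy(SNAPSHOT_T0)
SNAPSHOT_T1["Reservations"][0]["Instances"][2]["Tags"][0]["Value"] = "Web"
SNAPSHOT_T1["Reservations"][0]["Instances"].append(
    _instance("i-web4", "10.0.1.13", "running", Role="Web", Env="Prod"))
WEB_PROD = "'aws.tag.Role.Web' and 'aws.tag.Env.Prod'"

if __name__ == "__main__":
    before, after = resolve_group(WEB_PROD, SNAPSHOT_T0), resolve_group(WEB_PROD, SNAPSHOT_T1)
    print("T0 members:", sorted(before), "T1 added/removed:", membership_delta(before, after))
```

Two points the diff between the snapshots makes visible. First, the newly launched instance is covered by the internet-access rule as soon as the next poll registers it, which is the convenience the use case is about; until that poll it is not in the group, so the polling interval bounds how long a fresh instance goes unmatched. Second, membership is only as trustworthy as the tags: an identity that can call ec2:CreateTags on the DB instance moved it into the web group without touching the firewall, so tag-write permissions on the instances should be reviewed with the same care as policy-write permissions on the firewall.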