End-of-Life (EoL)

Launch the VM-Series Auto Scaling Template for AWS (v1.1)

Use the following workflow to deploy all the components in this solution using the vpc-classic-v1.1.template or the vpc-alb-v1.1.template.
If you have an existing VPC with the required subnets, security groups, web servers, and ELBs, and only need to deploy the VM-Series firewalls at scale, use the firewall.template. The workflow for using only the firewall.template is not documented in this version of the document, but it is very similar.
  1. Make sure that you have completed the following tasks:
    • Reviewed and accepted the EULA.
    • Downloaded the files required to launch the VM-Series Auto Scaling template from the GitHub repository.
  2. (
    ) Modify the init-cfg.txt file.
    For more information on the bootstrapping process see Bootstrap the VM-Series Firewall; for details on the init-cfg.txt file, see Create the init-cfg.txt File.
    If you’re using Panorama to manage the firewalls, complete the following tasks:
    1. Generate the VM Auth Key on Panorama. The firewalls must include a valid key in the connection request to Panorama. Set the lifetime for the key to 8760 hours (1 year).
    2. Open the init-cfg.txt file with a text editor, such as Notepad.
    3. Add the following information as name-value pairs:
      • IP addresses for the primary Panorama and optionally a secondary Panorama. Enter:
      • Specify the template and the device group to which you want to assign the firewall. Enter:
      • VM auth key. Enter:
    4. Verify that you have not deleted the command for swapping the management interface (mgmt) and the dataplane interface (ethernet 1/1) on the VM-Series firewall on AWS. For example, the file must include name-value pairs for the items in bold:
      The vm auth key and Panorama IP address above are example values. You need to enter the values that match your setup.
    5. Save and close the file.
  3. Change the default credentials for the VM-Series firewall administrator account defined in the bootstrap.xml file.
    Required for using the VM-Series Auto Scaling template in a production environment.
    The bootstrap.xml file provided in the GitHub repository is provided for testing and evaluation only. For a production deployment, you must modify the bootstrap.xml prior to launch, see Customize the Bootstrap.xml File.
  4. Prepare the Amazon Simple Storage (S3) buckets for launching the VM-Series Auto Scaling template.
    Make sure to create the S3 buckets in the same region in which you plan to deploy the template.
    The VM-Series Auto Scaling template requires one S3 bucket for the VM-Series bootstrap files; and another S3 bucket for the AWS Lambda functions and the nested
    1. Create a new S3 bucket for the bootstrap files.
      1. Sign in to the AWS Management Console and open the S3 console.
      2. Click Create Bucket.
      3. Enter a Bucket Name and a , and click . The bucket must be at the S3 root level. If you nest the bucket, bootstrapping will fail because you cannot specify a path to the location of the bootstrap files.
    2. Upload the bootstrap files to the S3 bucket.
      1. Click the name of the bucket and then click Create folder.
      2. Create the following folder structure for bootstrapping.
      3. Click the link to open the
      4. Select Add Files, browse to select the init-cfg.txt file and bootstrap.xml file, and click
      5. Click Start Upload to add the files to the config folder. The folder can contain only two files: init-cfg.txt and bootstrap.xml.
    3. Create another S3 bucket and upload the AWS Lambda code and the firewall.template to the S3 bucket.
      1. Click the bucket name.
      2. Click Add Files to select the panw-aws.zip file and the firewall.template, and click
      3. Click Start Upload to add the files to the S3 bucket.
  5. Select the VM-Series Auto Scaling template that you want to launch.
    1. In the AWS Management Console, select Create Stack.
    2. Select Upload a template to Amazon S3, choose the vpc-classic-v1.template or the vpc-alb-v1.template that you downloaded previously, and click
    3. Specify the Stack name in 10 characters or less. The stack name allows you to uniquely identify all the resources that are deployed.
  6. Configure the parameters for the VPC.
    1. Enter the parameters for the VPC Configuration as follows:
      1. Enter a and a VPC CIDR. The default CIDR is
      2. Enter the IP address blocks for the management, untrust and trust subnets for the VM-Series firewalls in each Availability Zone. By default three subnets are allocated across three AZs. The default blocks for the management subnets are, and, Untrust subnets are, and and Trust subnets are, and
      3. For Do you want to create a NAT Gateway in each AZ, enter if you want the VM-Series Auto Scaling template to deploy an AWS NAT gateway. Enter , if you want to assign EIPs to the management interface on each firewall to enable outbound access from the VPC. If you do not plan to allocate EIPs on the management interface for each VM-Series firewall, the AWS NAT gateway is required for the firewalls to access the Palo Alto Networks Update servers, Panorama, and to publish metrics to CloudWatch.
      4. (Required if you opted for the AWS NAT Gateway) Enter the IP address blocks for the NAT gateway in each AZ. The default assignment is,,,
      5. (Required if you opted for the AWS NAT Gateway) Enter the IP address blocks for the Lambda functions in each AZ. The default assignment is,,,
      6. Select whether the uptime needs for your setup require the VPC to span two or three Availability Zones in Number of Availability Zones for deployment.
      7. Select your AZ preference from the Select list of Availability Zones drop-down. Make sure to select two or three based on the number of AZs you selected above.
  7. Select your preferences for the VM-Series firewalls.
    1. Select the EC2 instance size for the VM-Series firewall.
    2. Select the EC2 Key pair (from the drop-down) for launching the firewall. To log in to the firewall or the web servers, you must provide the name of this key pair and the private key associated with it.
    3. If you want to restrict access to the firewall, specify the IP address block or IP addresses that can SSH in to the firewall. Verify your IP address before configuring it on the VM-Series Auto Scaling template to make sure that you do not lock yourself out.
  8. Specify the name of the Amazon S3 buckets.
    1. Enter the name of the S3 bucket that contains the bootstrap files.
      If the bootstrap bucket is not set up properly or if you enter the bucket name incorrectly, the bootstrap process will fail and you will not be able to log in to the firewall; ELB health checks will also fail.
    2. Enter the name of the S3 bucket that contains the firewall.template and the Lambda code that you extracted from the zip file.
  9. Specify the keys for enabling API access to the firewall and Panorama.
    1. Enter the key that the firewall will use to authenticate API calls. The default key is based on the sample bootstrap.xml file and should only be used for testing and evaluation. For a production deployment, you must create a separate PAN-OS login just for the API call and generate an associated key.
    2. Enter the API key that allows AWS Lambda to make API calls to Panorama, if you are using Panorama for centralized management. For a production deployment, you should create a separate login just for the API call and generate an associated key.
  10. Specify the name for the ELBs.
    The ELB name must be 12 characters or less. If the name is longer than 12 characters, the VM-Series Auto Scaling template will fail to deploy.
    1. Enter the name for the internet-facing (or external) classic ELB.
    2. Enter the name for the internal classic or application ELB.
  11. Configure the metric to monitor and define the thresholds for auto scaling. The custom PAN-OS metrics create CloudWatch alarms that execute auto scaling policies to scale in or scale out the VM-Series firewalls based on the thresholds you define.
    1. Select one scaling metric:
      • Active Sessions (number)—Monitors the total number of sessions that are active on the firewall. Because the firewall uses NAT in this solution, the maximum number of sessions supported is 64,000.
      • Dataplane CPU Utilization (%)—Monitors the dataplane CPU usage to measure the traffic load on the firewall.
      • Dataplane Buffer Utilization (%)—Monitors the dataplane buffer usage to measure buffer utilization. If you have a sudden burst in traffic, monitoring buffer utilization allows you to ensure that the firewall does not deplete the dataplane buffer and cause dropped packets.
    2. Enter the scaling period. This is the time interval for which a monitored metric must remain at the configured threshold to trigger a scaling event. The value is in seconds; choose one of these values for the scaling period: 60, 300, 900 (default), 3,600, 21,600, or 84,600.
    3. Enter the maximum number of VM-Series firewalls in an ASG.
    4. Enter the minimum number of VM-Series firewalls in an ASG. The minimum value of 1 means that every ASG will have at least one VM-Series firewall.
    5. Enter the thresholds for a scaling event. This input can be a number or a percentage based on the scaling metric you selected above.
      For active sessions, as a best practice, set this value at a maximum of 51,200 (80% of 64,000) to allow scale-out events to complete with a fully functioning firewall. Assess the traffic patterns for your application, and determine whether you need to set a more conservative threshold.
      For dataplane buffer utilization, set the value at a maximum of 40% so that the firewall can optimally handle a burst in traffic.
      Bootstrapping a PAN-OS firewall can take 10 to 15 minutes. Make sure to set some buffer in your scale thresholds to accommodate that boot time. For example, don't wait until the session table is 95% full before launching a new firewall in the auto scale group.
  12. Select the EC2 instance type for the web servers.
    Make sure to pick an instance size that matches the expected load on your web servers so that the internal ELB does not fluctuate hugely with variable demand. If the internal ELB fluctuates, it will trigger scaling events for the ASGs and the corresponding VM-Series firewalls.
  13. (
    ) Apply tags to identify the resources associated with the VM-Series Auto Scaling template.
    Add a name-value pair to identify and categorize the resources in this stack.
  14. Review the template settings and launch the template.
    1. Select I acknowledge that this template might cause AWS CloudFormation to create IAM resources.
    2. Click
      to launch the template. The CREATE_IN_PROGRESS event displays.
    3. On successful deployment the status updates to CREATE_COMPLETE.
      In each AZ, the VM-Series Auto Scaling template will launch an ASG that includes one VM-Series firewall behind the external ELB. The firewalls will be bootstrapped with a NAT policy rule and a basic Security policy rule. It will also launch two web servers in an ASG behind the internal ELB.
  15. Verify that the template has launched all required resources.
    1. On the EC2 Dashboard, select Load Balancers.
    2. Get the DNS name for the external ELB, and enter it into a web browser. For example:
      The web page will display to indicate that you have successfully launched the CloudFormation template.
    3. On the EC2 Dashboard, select Auto Scaling Groups. Verify that in each AZ, you have one ASG for the VM-Series firewalls with the minimum number of firewalls you specified in the template and the web server ASG.
      If you selected three AZs and the AWS NAT gateway, the VM-Series firewall ASG name displays this information as
      ; the details are appended to the stack name for example: VM-Auto-CFT-az3n-EB4Y7D3DMJ6E_ASG_LC_192-168-2-6
    4. Log in to the VM-Series firewall.
      It may take up to 20 minutes for the firewalls to boot up and be available to handle traffic.
      Use the EIP address, if you allocated one. If you chose the NAT gateway option, you must deploy a jump server or use Panorama to access the web interface on the firewall.
    5. Select
      on the web interface of the firewall to view logs.
      When you are finished with testing or a production deployment, the only way to ensure charges stop occurring is to completely delete the stack. Shutting down instances, or changing the ASG maximum to 0, is not sufficient as the VM-Series Auto Scaling template might automatically deploy new ASGs.
      If you are using Panorama, delete the internal ELB on AWS before you delete the stack. Deleting the internal ELB allows the VM-Series firewalls to shut down gracefully, and Panorama can remove the firewalls from the list of managed devices.
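As an added pre-flight check (example code written for this page, not part of the template or of Palo Alto Networks' tooling), the script below validates the inputs this procedure constrains before you click launch: the init-cfg.txt contents from step 2, the config folder contents from step 4, the 10-character stack name from step 5, the 12-character ELB names from step 10, and the scaling period and thresholds from step 11. The init-cfg.txt key names (op-command-modes, panorama-server, tplname, dgname, vm-auth-key) are the PAN-OS bootstrap keys and are assumed here, since the page refers to them but does not print them; the sample init-cfg.txt is constructed with placeholder values.

```python
"""Pre-flight checks for the VM-Series Auto Scaling template inputs described in
this procedure. Added example, not Palo Alto Networks code. The init-cfg.txt key
names below are the PAN-OS bootstrap keys (assumed; the page does not print them)."""

SCALING_PERIODS = {60, 300, 900, 3600, 21600, 84600}   # values the page allows
MAX_SESSIONS = 64_000                 # session ceiling with NAT, as stated on the page
CONFIG_FILES = {"init-cfg.txt", "bootstrap.xml"}       # only files allowed in config/


def parse_init_cfg(text):
    """Parse name=value lines of an init-cfg.txt into a dict; blank lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def check_init_cfg(cfg, use_panorama):
    """Return a list of problems with the parsed init-cfg.txt (empty list means OK)."""
    problems = []
    # Key that swaps mgmt and ethernet1/1 on AWS; the page says it must not be deleted.
    if cfg.get("op-command-modes") != "mgmt-interface-swap":
        problems.append("init-cfg.txt: management interface swap command is missing")
    if use_panorama:  # Panorama address, template, device group and VM auth key needed
        for key in ("panorama-server", "tplname", "dgname", "vm-auth-key"):
            if not cfg.get(key):
                problems.append(f"init-cfg.txt: {key} is required when using Panorama")
    return problems


def check_stack_inputs(stack_name, elb_names, config_files, metric, period, threshold):
    """Check the template parameters against the limits the procedure states."""
    problems = []
    if len(stack_name) > 10:
        problems.append("stack name must be 10 characters or less")
    for name in elb_names:
        if len(name) > 12:
            problems.append(f"ELB name {name!r} exceeds 12 characters; deploy will fail")
    if set(config_files) != CONFIG_FILES:
        problems.append("config folder must hold exactly init-cfg.txt and bootstrap.xml")
    if period not in SCALING_PERIODS:
        problems.append(f"scaling period {period} is not one of {sorted(SCALING_PERIODS)}")
    if metric == "sessions" and threshold > 0.8 * MAX_SESSIONS:
        problems.append("session threshold above 51,200 leaves no headroom for boot time")
    if metric == "buffer" and threshold > 40:
        problems.append("buffer utilization threshold above 40% risks dropped packets")
    return problems


# Constructed sample init-cfg.txt with placeholder values (no vm-auth-key on purpose).
SAMPLE_INIT_CFG = "op-command-modes=mgmt-interface-swap\npanorama-server=203.0.113.10\ntplname=aws-template\ndgname=aws-dg\n"
```

Run `check_init_cfg(parse_init_cfg(open("init-cfg.txt").read()), use_panorama=True)` against your real file before uploading it to the bootstrap bucket; an empty list means the checks passed.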
