Enable CloudWatch Monitoring on the VM-Series Firewall on AWS

The VM-Series firewall on AWS can publish native PAN-OS metrics to AWS CloudWatch, which you can use to monitor the firewalls. These metrics allow you to assess performance and usage patterns that you can use to take action for launching or terminating instances of the VM-Series firewalls.
The firewalls use AWS APIs to publish the metric to a namespace on AWS at a specified time interval. The namespace is the location to which CloudWatch collects and aggregates the selected metric for all instances configured to use the namespace. You can then monitor the metric in CloudWatch or create auto scaling policies to trigger alarms and take an action to manually deploy a new instance of the firewall when the monitored metric reaches a threshold value. Refer to the AWS CloudWatch and Auto Scaling Groups (ASG) documentation on best practices for setting the alarm conditions for a scale out or scale in action.
The VM-Series firewall can publish any of the following PAN-OS metrics to CloudWatch:
Metric
Description
Dataplane CPU Utilization (%)
Monitors the dataplane CPU usage to measure the traffic load on the firewall.
Dataplane Packet Buffer Utilization (%)
Monitors the dataplane buffer usage to measure buffer utilization. If you have a sudden burst in traffic, monitoring buffer utilization allows you to ensure that the firewall does not deplete the dataplane buffer and drop packets.
Session Utilization (%)
Monitors the sessions are currently active for TCP, UDP, ICMP and SSL and the packet rate, new connection establish rate, and throughput on the firewall to determine session utilization.
SSLProxyUtilization (%)
Monitors the percentage of SSL forward proxy sessions with clients for SSL/TLS decryption.
GlobalProtect Gateway Tunnel Utilization (%)
Monitors the active GlobalProtect tunnels set up on a gateway to measure tunnel utilization. Use this metric if the VM-Series firewall is deployed as a VPN gateway on AWS to secure remote users.
Total Active Sessions
Monitors the total number of sessions that are active on the firewall. An active session is a session that is on the firewall’s flow lookup table for which packets will be inspected and forwarded, as required by policy.
GlobalProtect Gateway Active Tunnels
Monitors the number of active GlobalProtect sessions on a firewall deployed as a GlobalProtect gateway. Use this metric if the VM-Series firewall is deployed a VPN gateway on AWS to secure remote users; check the datasheet for the maximum number of active tunnels supported for your firewall model.
  1. Assign the appropriate permissions for the AWS Identity and Access Management (IAM) user role that you use to deploy the VM-Series firewall on AWS.
    Whether you newly Launch the VM-Series Firewall on AWS or upgrade an existing VM-Series firewall on AWS to PAN-OS 8.0, the IAM role associated with your instance must have permissions to publish metrics to CloudWatch.
    1. On the AWS console, select IAM.
    2. Edit the IAM role to grant the following permissions:
      cw_iam_policy.png
  2. Enable CloudWatch on the VM-Series firewall on AWS.
    1. Log in to the web interface on the VM-Series firewall
    2. Select DeviceOperationsAWS CloudWatch.
    3. Select Enable CloudWatch Monitoring.
    4. Enter the CloudWatch Namespace to which the firewall can publish metrics. The namespace cannot begin with AWS.
    5. Set the Update Interval to a value between 1-60 minutes. This is the frequency at which the firewall publishes the metrics to CloudWatch. The default is 5 minutes.
    6. Commit the changes.
      Until the firewall starts to publish metrics to CloudWatch, you cannot configure alarms for PAN-OS metrics.
  3. Verify that you can see the metrics on CloudWatch.
    1. On the AWS console, select CloudWatchMetrics, to view CloudWatch metrics by category.
    2. From the Custom Metrics drop-down, select the namespace.
    3. Verify that you can see PAN-OS metrics in the viewing list.
  4. Configure alarms and action for PAN-OS metrics on CloudWatch.
    A VM-Series firewall with bootstrap configuration will take about 7-9 minutes to be available for service. So, here are some examples on how to set alarms that trigger auto scaling for the VM-Series firewall:
    • If you have deployed 2 instances of the VM-Series firewalls as Global Protect Gateways that secure remote users, use the GlobalProtect Gateway Active Tunnels metric. You can configure an alarm for when the number of active tunnels is greater than 300 for 15 minutes, you can deploy 2 new instances of the VM-Series firewall, which are bootstrapped and configured to serve as Global Protect Gateways.
    • If you are using the firewall to secure your workloads in AWS, use the Session Utilization metric to scale in or scale out the firewall based on resource usage. You can configure an alarm for when the session utilization metric is greater than 60% for 15 minutes, to deploy one instance of the VM-Series instance firewall. And conversely, if Session Utilization is less than 50% for 30 minutes, terminate an instance of the VM-Series firewall.

Related Documentation