The VM-Series firewalls that are deployed using the auto scaling templates version 2.0 and 2.1 scale in and scale out based on custom PAN-OS metrics. The VM-Series firewalls natively publish these metrics to the Amazon CloudWatch console, and based on the metric(s) that you choose as the scaling parameter(s), you can define CloudWatch alarms and policies to dynamically deploy or terminate instances to handle the application traffic in your AWS deployment.

The firewalls publish metrics to AWS CloudWatch at a five-minute frequency (by default). When a metric that is being monitored reaches the configured threshold for the defined time interval, CloudWatch triggers an alarm and initiates an auto-scaling event.

When the auto-scaling event triggers the deployment of a new firewall, the new instance bootstraps at launch and a lambda function configures the firewall with NAT policy rules. A NAT policy rule is created for each application, and the rule references the IP addresses for each network load balancer in your deployment. When the application load balancer receives a request, it forwards the request to the firewall on the assigned TCP port. The firewall then inspects the traffic and forwards it to the corresponding network load balancer, which in turn forwards the request to a web server in its target group.