Stack Update with VM-Series Auto Scaling Template for AWS
A stack update allows you to modify the resources
that the VM-Series Auto Scaling template—firewall-v2.0.template—deploys.
Instead of deleting your existing deployment and redeploying the
solution, use the stack update to modify the following parameters:
License—Switch from BYOL to PAYG and vice versa or switch
from one PAYG bundle to another.
Other stack resources—Change the launch configuration parameters
such as the Amazon Machine Image (AMI) ID, the AWS instance type, and the
key pair for your auto scaling groups. You can also update the API
key associated with the administrative user account on the firewall.
Changing the AMI ID allows you to deploy new instances of the VM-Series firewalls
with a different PAN-OS version.
When you deploy the VM-Series Auto Scaling template, the auto scaling
groups and the launch configuration are automatically created for
you. The launch configuration is a template that an auto scaling
group uses to launch EC2 instances, and it specifies parameters such
as the AMI ID, the instance type, and the key pair for your auto scaling group.
To launch VM-Series firewalls with your updated parameters, you
must first update the stack and then delete the existing auto scaling
groups in each AZ. To prevent service disruption, delete the auto
scaling group in one AZ first, and wait for the new firewall instances
to launch with the updated stack parameters. Then, verify that the
firewalls have inherited the updates you made before you proceed
to complete the changes in the other AZ.
For critical applications, perform a stack update during a maintenance window.
You can update the stack directly or create change
sets. The workflow in this document takes you through the manual
In the AWS CloudFormation console, select the
parent stack that you want to update and choose
Modify the resources that you want to update.
PAN-OS version—To modify the PAN-OS version, look up the AMI ID for
the version you want to use and enter the ID.
License option—Switch from BYOL to PAYG or across PAYG bundles
1 and 2.
If you’re switching to BYOL, make sure to include
the auth code in the bootstrap package (see steps 3 and 5).
If you’re switching between PAYG bundle version 1 and 2, look up the AMI ID for
the VM-Series firewall.
Other stack resources— You can
modify the AMI ID, the instance type, security group, key pair for
the stack resources, or the API key associated with the administrative
user account on the firewall.
If you create a new administrative
user account or modify the credentials of the existing administrator
on the firewall, you must follow the workflow in Modify
Administrative Account and Update Stack to update the stack and
deploy new firewalls with the updated API key.
Acknowledge the notifications and review
the changes and click
the stack update.
Auto Scaling Groups
pick an AZ in which to delete the ASG.
Deleting an ASG automatically triggers the process of redeploying
a new ASG. The firewalls in the new ASG use the updated stack configuration.
Verify that the updated parameters are used to launch the VM-Series firewalls in
the new ASG.
Use a phased rollout process, where you test the new ASG
thoroughly and ensure that the firewalls are properly handling traffic.
Then, wait one hour before continuing to the next ASG.
Repeat steps 4 and 5 to replace
the ASG in the other AZ.
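
One way to script the verification step before replacing the ASG in the other AZ, as an added example that is not part of the original documentation or the template: it compares each instance in the new ASG with the values entered in the stack update. It assumes JSON shaped like the output of `aws autoscaling describe-auto-scaling-groups` and `aws ec2 describe-instances`; the function name and every ID, AMI ID and key pair name are constructed.

```python
# Added example (not vendor code). Input shapes follow the JSON printed by
# `aws autoscaling describe-auto-scaling-groups` and `aws ec2 describe-instances`.
# Every ID and value below is constructed sample data.

EXPECTED = {  # values entered in the stack update (constructed)
    "ImageId": "ami-0aaaaaaaaaaaaaaa1",
    "InstanceType": "m4.xlarge",
    "KeyName": "fw-keypair-new",
}

SAMPLE_ASG = {  # one entry of AutoScalingGroups[]
    "AutoScalingGroupName": "example-asg-az1",
    "Instances": [
        {"InstanceId": "i-0000000000000001a", "LifecycleState": "InService", "HealthStatus": "Healthy"},
        {"InstanceId": "i-0000000000000002b", "LifecycleState": "Pending", "HealthStatus": "Healthy"},
    ],
}

SAMPLE_RESERVATIONS = [  # Reservations[] from describe-instances
    {"Instances": [{"InstanceId": "i-0000000000000001a", "ImageId": "ami-0aaaaaaaaaaaaaaa1",
                    "InstanceType": "m4.xlarge", "KeyName": "fw-keypair-new"}]},
    {"Instances": [{"InstanceId": "i-0000000000000002b", "ImageId": "ami-0bbbbbbbbbbbbbbb2",
                    "InstanceType": "m4.xlarge", "KeyName": "fw-keypair-new"}]},
]


def check_new_asg(asg, reservations, expected):
    """Return a list of problems; an empty list means the next AZ can proceed."""
    details = {i["InstanceId"]: i for r in reservations for i in r["Instances"]}
    problems = []
    if not asg["Instances"]:
        problems.append("ASG has no instances yet")
    for member in asg["Instances"]:
        iid = member["InstanceId"]
        state = (member["LifecycleState"], member["HealthStatus"])
        if state != ("InService", "Healthy"):
            problems.append(f"{iid}: state {state[0]}/{state[1]}")
        inst = details.get(iid)
        if inst is None:
            problems.append(f"{iid}: no EC2 details returned")
            continue
        for field, want in expected.items():
            if inst.get(field) != want:
                problems.append(f"{iid}: {field}={inst.get(field)}, expected {want}")
    return problems


if __name__ == "__main__":
    for line in check_new_asg(SAMPLE_ASG, SAMPLE_RESERVATIONS, EXPECTED) or ["OK"]:
        print(line)
```

An instance that still reports the old AMI ID or key pair after the ASG is recreated indicates the launch configuration did not pick up the stack update, so the ASG in the other AZ should stay in place until the list is empty.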