Stack Update with VM-Series Auto Scaling Template for AWS (v2.0)

A stack update allows you to modify the resources that the VM-Series Auto Scaling template—firewall-v2.0.template—deploys. Instead of deleting your existing deployment and redeploying the solution, use the stack update to modify the following parameters:
  • License—Switch from BYOL to PAYG and vice versa or switch from one PAYG bundle to another.
  • Other stack resources—Change the launch configuration parameters such as the Amazon Machine Image (AMI) ID, the AWS instance type, and the key pair for your auto scaling groups. You can also update the API key associated with the administrative user account on the firewall.
    Changing the AMI ID allows you to deploy new instances of the VM-Series firewalls with a different PAN-OS version.
When you deploy the VM-Series Auto Scaling template, the auto scaling groups and the launch configuration are created for you automatically. The launch configuration is a template that an auto scaling group uses to launch EC2 instances; it specifies parameters such as the AMI ID, the instance type, and the key pair for your auto scaling group. To launch VM-Series firewalls with your updated parameters, you must first update the stack and then delete the existing auto scaling groups in each AZ. To prevent service disruption, delete the auto scaling group in one AZ first and wait for the new firewall instances to launch with the updated stack parameters. Then, verify that the firewalls have inherited the updates you made before you proceed to make the changes in the other AZ.
For critical applications, perform a stack update during a maintenance window.
You can update the stack directly or create change sets. The workflow in this document takes you through the manual stack update.
  1. In the AWS CloudFormation console, select the parent stack that you want to update and choose Actions > Update Stack.
  2. Modify the resources that you want to update.
    • PAN-OS version—To modify the PAN-OS version, look up the AMI ID for the version you want to use and enter the ID.
    • License option—Switch from BYOL to PAYG or across PAYG bundles 1 and 2.
    If you’re switching to BYOL, make sure to include the auth code in the bootstrap package (See steps 3 and 5).
    If you’re switching between PAYG bundle version 1 and 2, look up the AMI ID for the VM-Series firewall.
    • Other stack resources—You can modify the AMI ID, the instance type, the security group, or the key pair for the stack resources, or the API key associated with the administrative user account on the firewall.
    If you create a new administrative user account or modify the credentials of the existing administrator on the firewall, follow the workflow in Modify Administrative Account and Update Stack to update the stack and deploy new firewalls with the updated API key.
  3. Acknowledge the notifications and review the changes and click Update to initiate the stack update.
  4. On the EC2 dashboard, select Auto Scaling Groups and pick an AZ in which to delete the ASG.
    Deleting an ASG automatically triggers the process of redeploying a new ASG. The firewalls in the new ASG use the updated stack configuration.
  5. Verify that the updated parameters are used to launch the VM-Series firewalls in the new ASG.
    Use a phased rollout process, where you test the new ASG thoroughly and ensure that the firewalls are properly handling traffic. Then, wait one hour before continuing to the next ASG.
  6. Repeat steps 4 and 5 to replace the ASG in the other AZ.
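The following is an added example, not part of the Palo Alto Networks documentation, that codifies steps 4 to 6 as a one-AZ-at-a-time replacement which refuses to touch the second AZ until the first AZ's new firewalls are confirmed to run the expected AMI. The client interface, AZ names and ASG names are hypothetical; a real implementation would back the client with the boto3 autoscaling and ec2 APIs, while the in-memory fake below lets the logic run offline.

```python
from dataclasses import dataclass, field


@dataclass
class FakeAwsClient:
    """Constructed in-memory stand-in for the autoscaling/ec2 calls used here."""
    launched_ami: str                       # AMI the recreated ASG actually launches
    asg_by_az: dict                         # az -> current ASG name (constructed)
    instances: dict = field(default_factory=dict)  # asg name -> instance AMI IDs
    log: list = field(default_factory=list)        # records the order of actions

    def asg_for_az(self, az):
        return self.asg_by_az[az]

    def delete_asg(self, name):
        self.log.append(("delete", name))
        self.instances.pop(name, None)

    def wait_for_replacement(self, az):
        # Deleting the ASG makes the stack recreate it; the fake models the result.
        new = self.asg_by_az[az] + "-new"
        self.instances[new] = [self.launched_ami, self.launched_ami]
        self.asg_by_az[az] = new
        self.log.append(("recreated", new))
        return new

    def instance_amis(self, name):
        return list(self.instances[name])


def replace_asgs_per_az(client, azs, expected_ami, soak_hook=None):
    """Replace the ASG in each AZ sequentially (steps 4-6 of the workflow).

    Raises at the first AZ whose new firewalls did not inherit expected_ami,
    so the other AZ keeps serving traffic on its untouched, working ASG.
    soak_hook(az) runs between AZs (in production, e.g. a one-hour wait).
    Returns the AZs that were replaced and verified.
    """
    done = []
    for az in azs:
        old = client.asg_for_az(az)
        client.delete_asg(old)                      # step 4: delete the ASG
        new = client.wait_for_replacement(az)       # stack recreates it
        amis = client.instance_amis(new)            # step 5: verify the AMI
        if not amis or any(a != expected_ami for a in amis):
            raise RuntimeError(f"{az}: {new} launched {amis}, expected {expected_ami}")
        done.append(az)
        if soak_hook and az != azs[-1]:
            soak_hook(az)                           # phased rollout pause
    return done
```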
