List of Attributes Monitored on the AWS VPC

As you provision or modify virtual machines in your AWS VPCs, you have two ways of monitoring these instances and retrieving the tags for use as match criteria in dynamic address groups.
  • VM Information Source—On a next-gen firewall, you can monitor up to a total of 32 tags—14 predefined and 18 user-defined key-value pairs (tags).
  • AWS Plugin on Panorama—The Panorama plugin for AWS allows you to connect Panorama to your AWS VPC on the public cloud and retrieve the IP address-to-tag mapping for your virtual machines. Panorama then registers the VM information to the managed Palo Alto Networks® firewall(s) that you have configured for notification. With the plugin, Panorama can retrieve a total of 32 tags for each virtual machine: 11 predefined tags and up to 21 user-defined tags.
    The maximum length of a tag is 127 characters. If a tag is longer than 127 characters, Panorama does not retrieve the tag or register it on the firewalls.

| Attributes Monitored on the AWS-VPC | Format | VM Information Source on the Firewall | AWS Plugin on Panorama |
|---|---|---|---|
| AMI ID | ImageId.<ImageId string> | Yes | Yes |
| Architecture | Architecture.<Architecture string> | Yes | No |
| Availability Zone | AvailabilityZone.<string> | Yes | Yes |
| Guest OS | GuestOS.<guest OS name> | Yes | No |
| IAM Instance Profile | Iam-instance-profile.<instanceProfileArn> | No | Yes |
| Instance ID | InstanceId.<InstanceId string> | Yes | No |
| Instance State | InstanceState.<instance state> | Yes | No |
| Instance Type | InstanceType.<instance type> | Yes | No |
| Key Name | KeyName.<KeyName string> | Yes | Yes |
| Owner ID (the value for this attribute is fetched from the ENI) | Account-number.<OwnerId> | No | Yes |
| Placement—Tenancy, Group Name | Placement.Tenancy.<string>; Placement.GroupName.<string> | Yes | Yes |
| Private DNS Name | PrivateDnsName.<Private DNS Name> | Yes | No |
| Public DNS Name | PublicDnsName.<Public DNS Name> | Yes | Yes |
| Subnet ID | SubnetID.<subnetID string> | Yes | Yes |
| Security Group ID | Sg-id.<sg-xxxx> | No | Yes |
| Security Group Name | Sg-name.<SecurityGroupName> | No | Yes |
| VPC ID | VpcId.<VpcId string> | Yes | Yes |
| Tag (key, value) | aws-tag.<key>.<value> | Yes; up to a maximum of 18 user-defined tags are supported. The user-defined tags are sorted alphabetically, and the first 18 tags are available for use on the firewalls. | Yes; up to a maximum of 21 user-defined tags are supported. The user-defined tags are sorted alphabetically, and the first 21 tags are available for use on Panorama and the firewalls. |
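
The user-defined tag limits above determine which tags can ever match a dynamic address group, so an instance with many tags can silently fall outside a policy. The following check is an added example, not Palo Alto Networks code; it assumes that alphabetical sorting is by tag key, that the 127-character limit is measured on the full aws-tag.<key>.<value> string, and that the length rule applies to the Panorama plugin as stated on this page. The function names and the sample tags are constructed for illustration.

```python
# Added example: the caps and the length limit come from the page;
# sort order and how length is measured are assumptions (see comments).
USER_TAG_CAP = {"firewall": 18, "panorama": 21}  # user-defined tag caps
MAX_TAG_LEN = 127                                # limit stated for Panorama


def audit_user_tags(tags, source):
    """Return (registered, dropped) for one instance's user-defined AWS tags.

    registered: 'aws-tag.<key>.<value>' strings usable as match criteria.
    dropped: dict mapping each unavailable tag string to the reason.
    """
    cap = USER_TAG_CAP[source]
    # Assumption: "sorted alphabetically" means ordered by key, case-sensitive.
    ordered = sorted(tags.items())
    registered, dropped = [], {}
    for index, (key, value) in enumerate(ordered):
        tag = f"aws-tag.{key}.{value}"
        if index >= cap:
            dropped[tag] = f"beyond first {cap} user-defined tags"
        # Assumption: length is measured on the full registered string.
        elif source == "panorama" and len(tag) > MAX_TAG_LEN:
            dropped[tag] = f"longer than {MAX_TAG_LEN} characters"
        else:
            registered.append(tag)
    return registered, dropped


def missing_criteria(tags, source, required):
    """Match criteria that this instance's registered tags can never satisfy."""
    registered, _ = audit_user_tags(tags, source)
    return sorted(set(required) - set(registered))


# Constructed sample: 18 filler tags sort ahead of the policy-relevant 'zone' tag.
SAMPLE_TAGS = {f"app-meta-{i:02d}": "x" for i in range(18)}
SAMPLE_TAGS["zone"] = "pci"
SAMPLE_TAGS["description"] = "d" * 130  # exceeds the 127-character limit

if __name__ == "__main__":
    for src in ("firewall", "panorama"):
        gaps = missing_criteria(SAMPLE_TAGS, src, ["aws-tag.zone.pci"])
        print(f"{src}: criteria that will not match -> {gaps}")
```

In the sample, the zone tag is available through the Panorama plugin but not through the VM Information Source, because 18 other keys sort ahead of it.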
