See the Unseen in AWS Mirrored Traffic With VM-Series

This post is also available in: 日本語 (Japanese)

Gain Complete Visibility and Eliminate Network Blind Spots in AWS Cloud

Amazon VPC Traffic Mirroring provides a non-intrusive way to enable network visibility into your AWS deployments without requiring significant design changes to virtual network architecture.

Palo Alto Networks has built an integration of its VM-Series Virtualized Next-Generation Firewall with Amazon VPC Traffic Mirroring capability. VM-Series is the industry-leading virtualized firewall protecting your applications and data with next-generation security features that deliver superior visibility, precise control and threat prevention at the application level.

VM-Series has supported AWS cloud since 2014 with inline security protections for application workloads running in the cloud. According to Mukesh Gupta, vice president of product management at Palo Alto Networks, “Enterprises require consistent security in the cloud without sacrificing deployment flexibility and choice. Along with inline threat prevention capabilities, the integration of VM-Series with the Amazon VPC Traffic Mirroring capability gives organizations a choice to deploy the firewall out of band for application visibility and advanced threat detection in AWS cloud.”

VM-Series on AWS deployed out of band now supports two critical security outcomes in AWS cloud:

  • Granular visibility into application traffic and detection of network-borne threats through inspection of mirrored traffic.
  • Rapid detection and response against advanced attacks using an AI-driven approach, such as Cortex by Palo Alto Networks.
VM-Series integrates with AWS VPC Traffic Mirroring - the graphic shows Traffic Mirroring Rules
Figure 1: VM-Series integration with Amazon VPC Traffic Mirroring Feature


Application Visibility and Threat Detection

VM-Series on AWS can analyze, filter and process the raw data available through the VPC Traffic Mirroring capability within AWS cloud and provide contextually rich application, content and threat information. The need for extracting data out of AWS cloud for further processing is eliminated, saving cost and providing deep insight into network traffic. Based on this more in-depth inspection, customers can choose to enable alerts for a wide range of security issues, for example:

  • High priority security alerts: Attacks for known exploits (for example, an attempt to exploit CVE-2017-5638 for Apache Struts-based web servers running in AWS). Primarily, VM-Series is serving as an intrusion detection system (IDS).
  • Traffic to inappropriate, malicious destinations and command-and-control systems: Detect whether the source/destination is inappropriate or malicious, whether there are geoblocking restrictions to be met, or whether there is bitcoin traffic or an SSH session to a known command-and-control (C2) domain.

Based on the visibility and detection (in logs), you can filter for events, and enable alerts and actions that can trigger remediation using Action-Oriented log forwarding using HTTP(S). This provides a webhook to create a ticket in a service desk system or a security orchestration and response tool, such as Cortex XSOAR, or launch an AWS Lambda function, which can quarantine by shutting down the instance or lock down the Security Group.

Rapid Detection and Response Against Advanced Attacks

The VM-Series firewall supports enhanced application logging, which converts raw packet data from AWS mirrored network traffic into context-aware network activity information for storage in Palo Alto Networks cloud services, including Cortex Data Lake. Security applications, such as Cortex XDR, can start analyzing the rich data collected, using analytics and machine learning to detect stealthy attacks and expedite security investigations accurately. Identified threats can be mitigated through automated response from Cortex XSOAR and other security orchestration and response tools.

VM-Series integration with AWS VPC Traffic Mirroring, as well as the action of Cortex Data Lake, Cortex XDR and Cortex XSOAR
Figure 2: Rapid detection and response with Cortex


To learn more, we encourage you to follow these links:

An earlier version of this blog was published June 25, 2019. It has been updated to reflect new developments in Amazon VPC Traffic Mirroring and PAN-OS.