CloudWatch Integration for VM-Series Firewalls on AWS

The VM-Series firewall on AWS can now publish native PAN-OS metrics to AWS CloudWatch at a specified time interval. You can use these metrics to make resource-driven decisions, such as launching or terminating instances of the VM-Series firewall based on usage.
  1. Assign the appropriate permissions for the AWS Identity and Access Management (IAM) user role that you use to deploy the VM-Series firewall on AWS.
    Whether you launch a new instance of the VM-Series firewall or upgrade an existing VM-Series firewall on AWS to PAN-OS 8.0, the IAM role associated with your instance must have permissions to publish metrics to CloudWatch.
    1. On the AWS console, select IAM > Policies and click the Policy Name link associated with the IAM role you want to modify.
    2. Edit the Policy Document to add the following permissions to the IAM role.
    [Figure cw_iam_policy.png: IAM policy document with the required CloudWatch permissions]
  2. Enable CloudWatch on the VM-Series firewall on AWS.
    1. Log in to the web interface on the VM-Series firewall.
    2. Select Device > Operations > AWS CloudWatch.
    3. Select Enable CloudWatch Monitoring.
    4. Enter the CloudWatch Namespace to which the firewall can publish metrics. The namespace cannot begin with AWS.
    5. Set the Update Interval to a value between 1 and 60 minutes. This is the frequency at which the firewall publishes metrics to CloudWatch. The default is 5 minutes.
    6. Commit the changes.
    Until the firewall starts to publish metrics to CloudWatch, you cannot configure alarms for PAN-OS metrics.
  3. Verify that you can see the metrics on CloudWatch.
    1. On the AWS console, select CloudWatch > Metrics to view CloudWatch metrics by category.
    2. From the Custom Metrics drop-down, select the namespace.
    3. Verify that you can see PAN-OS metrics in the viewing list.
  4. Configure alarms and actions for PAN-OS metrics on CloudWatch. For details, refer to the AWS CloudWatch documentation.
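The following Python is an added example and is not part of the Palo Alto Networks documentation; it is also not the policy document from this page's figure. It ties the four steps together from the defender's side: it builds a least-privilege IAM policy for the instance role (assumption: `cloudwatch:PutMetricData`, restricted with the `cloudwatch:namespace` condition key, is all the firewall needs to publish), checks a policy for over-broad grants, enforces the namespace and Update Interval constraints stated above, and shows the step 3 verification against a constructed sample shaped like a boto3 `list_metrics` response. The namespace `PANOS-Metrics` and the metric names are constructed.

```python
import json

# Real AWS IAM identifiers. Assumption: PutMetricData scoped to the firewall's
# namespace is all the instance role needs; this page's own policy document is
# only available as an image.
PUT_METRIC_ACTION = "cloudwatch:PutMetricData"
NAMESPACE_CONDITION_KEY = "cloudwatch:namespace"


def validate_namespace(namespace: str) -> str:
    """Step 2.4: the custom namespace cannot begin with 'AWS'."""
    if not namespace or namespace.startswith("AWS"):
        raise ValueError(f"invalid CloudWatch namespace: {namespace!r}")
    return namespace


def validate_update_interval(minutes: int) -> int:
    """Step 2.5: Update Interval must be 1-60 minutes; the firewall default is 5."""
    if not isinstance(minutes, int) or not 1 <= minutes <= 60:
        raise ValueError(f"update interval out of range (1-60): {minutes!r}")
    return minutes


def build_publish_policy(namespace: str) -> dict:
    """Step 1: least-privilege policy. Only PutMetricData, and only into this
    namespace, so a compromised or misconfigured instance cannot write metrics
    into other namespaces (e.g. to poison someone else's scaling alarms)."""
    validate_namespace(namespace)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublishPanosMetrics",
            "Effect": "Allow",
            "Action": PUT_METRIC_ACTION,
            "Resource": "*",  # PutMetricData does not support resource-level ARNs
            "Condition": {"StringEquals": {NAMESPACE_CONDITION_KEY: namespace}},
        }],
    }


def review_policy(policy: dict) -> list:
    """Flag Allow statements that grant more than the firewall needs:
    wildcard actions, or PutMetricData without a namespace condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        sid = stmt.get("Sid", "?")
        for action in actions:
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action}")
            elif action == PUT_METRIC_ACTION and "Condition" not in stmt:
                findings.append(f"{sid}: PutMetricData not restricted to a namespace")
    return findings


# Constructed sample in the shape of a boto3 cloudwatch.list_metrics() response.
# Metric and instance names are illustrative, not the firewall's real metric list.
SAMPLE_LIST_METRICS = {
    "Metrics": [
        {"Namespace": "PANOS-Metrics", "MetricName": "ExampleSessionUtilization",
         "Dimensions": [{"Name": "InstanceId", "Value": "i-0123456789abcdef0"}]},
        {"Namespace": "AWS/EC2", "MetricName": "CPUUtilization",
         "Dimensions": [{"Name": "InstanceId", "Value": "i-0123456789abcdef0"}]},
    ]
}


def metrics_present(list_metrics_response: dict, namespace: str) -> bool:
    """Step 3: True once at least one metric exists in the namespace. Alarms on
    PAN-OS metrics (step 4) can only be created after this returns True."""
    return any(m.get("Namespace") == namespace
               for m in list_metrics_response.get("Metrics", []))


if __name__ == "__main__":
    ns = validate_namespace("PANOS-Metrics")
    validate_update_interval(5)
    policy = build_publish_policy(ns)
    print(json.dumps(policy, indent=2))
    print("review findings:", review_policy(policy) or "none")
    print("PAN-OS metrics visible:", metrics_present(SAMPLE_LIST_METRICS, ns))
```

Paste the printed document into the Policy Document editor from step 1.2, or attach it with `aws iam put-role-policy`. Running `review_policy` over an existing role's policy is a quick way to catch a `cloudwatch:*` grant that was copied in for convenience; with a live session, pass the result of `boto3.client("cloudwatch").list_metrics(Namespace=ns)` to `metrics_present` instead of the constructed sample.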