CloudWatch Integration for VM-Series Firewalls on AWS
The VM-Series firewall on AWS can now publish native PAN-OS metrics to AWS CloudWatch at a specified time interval. You can use these metrics to make resource-driven decisions, such as launching or terminating instances of the VM-Series firewall based on usage.
- Assign the appropriate permissions for the AWS Identity and Access Management (IAM) user role that you use to deploy the VM-Series firewall on AWS.
  - On the AWS console, select IAM > Policies and click the Policy Name link associated with the IAM role you want to modify.
  - Edit the Policy Document to include the following permissions to the IAM role.
- Enable CloudWatch on the VM-Series firewall on AWS.
  Until the firewall starts to publish metrics to CloudWatch, you cannot configure alarms for PAN-OS metrics.
  - Log in to the web interface on the VM-Series firewall.
  - Select Device > Operations > AWS CloudWatch.
  - Select Enable CloudWatch Monitoring.
  - Enter the CloudWatch Namespace to which the firewall can publish metrics. The namespace cannot begin with AWS.
  - Set the Update Interval to a value between 1-60 minutes. This is the frequency at which the firewall publishes the metrics to CloudWatch. The default is 5 minutes.
  - Commit the changes.
- Verify that you can see the metrics on CloudWatch.
  - On the AWS console, select CloudWatch > Metrics to view CloudWatch metrics by category.
  - From the Custom Metrics drop-down, select the namespace.
  - Verify that you can see PAN-OS metrics in the viewing list.
- Configure alarms and actions for PAN-OS metrics on CloudWatch. For details, refer to the AWS CloudWatch documentation.
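
The namespace and interval rules from the steps above, together with a least-privilege IAM statement, as an added example that is not part of the original documentation or Palo Alto Networks code. It assumes that publishing custom metrics needs only the AWS action `cloudwatch:PutMetricData`, scoped with the `cloudwatch:namespace` condition key; the namespace `VMseries-prod` and the function names are hypothetical, and the character and length rule is the one AWS documents for namespaces.

```python
import json
import re

# Character set and length AWS documents for CloudWatch namespaces.
NAMESPACE_RE = re.compile(r"[A-Za-z0-9._/#: -]{1,255}")


def check_settings(namespace, interval_minutes=5):
    """Return a list of problems with the firewall-side CloudWatch settings."""
    problems = []
    if namespace.startswith("AWS"):
        problems.append("namespace cannot begin with AWS")
    if not NAMESPACE_RE.fullmatch(namespace) or not namespace.strip():
        problems.append("namespace has invalid characters or length")
    if not isinstance(interval_minutes, int) or not 1 <= interval_minutes <= 60:
        problems.append("update interval must be 1-60 minutes")
    return problems


def build_policy(namespace):
    """IAM policy that allows metric publication to one namespace only."""
    problems = check_settings(namespace)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublishFirewallMetrics",
            "Effect": "Allow",
            # Assumption: the only action needed to publish custom metrics.
            "Action": "cloudwatch:PutMetricData",
            # PutMetricData has no resource-level ARN, so "*" is required;
            # the condition key below is what narrows the grant.
            "Resource": "*",
            "Condition": {"StringEquals": {"cloudwatch:namespace": namespace}},
        }],
    }


if __name__ == "__main__":
    # "VMseries-prod" is a constructed namespace, not a value from the page.
    print(json.dumps(build_policy("VMseries-prod"), indent=2))
    print(check_settings("AWS/Firewall", 90))
```

With the condition in place, the role attached to the firewall can write only to the namespace entered in the firewall's CloudWatch settings, so the two values must match exactly.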