Your firewall, by design, is exposed to the internet and all the good and bad that comes with it. Closely monitoring these devices is a necessary component of the defense-in-depth strategy required to protect cloud environments from unwanted changes and keep your workloads in a compliant state.

VM-Series virtual firewalls provide all the capabilities of the Palo Alto Networks (PAN) next-generation hardware firewall in a virtual machine form factor. Customers are choosing the PAN VM-Series firewall to secure the environments that are vital for their competitiveness and innovation.

Customers also enjoy huge benefits from monitoring their cloud resources with AWS Config, which uses Amazon CloudTrail Logs to monitor your environment for changes. If changes are detected, it notifies you and allows you to take action on these events, either manually or in an automated fashion. Wouldn't it be great if you could monitor your PAN VM-Series firewall deployment in a similar fashion with Amazon Web Services (AWS) native services?

In this post, I will show you how to use AWS native services to monitor your Palo Alto Networks VM-Series firewall as if it were just another AWS environment.

Palo Alto Networks is an AWS Partner Network (APN) Advanced Technology Partner with AWS Competencies in Networking, Security, and Containers. The PAN VM-Series firewall is available on AWS Marketplace.

This solution assumes you have a Palo Alto Networks VM-Series firewall deployed to a public subnet in an Amazon Virtual Private Cloud (VPC). You can apply this solution with no additional changes if you also have firewalls deployed in an internal or cross-VPC configuration.

To validate the technical components of this blog, I used an Amazon WorkSpace for access to the VPC instead of the common bastion host method. This approach will not affect how you deploy this solution; however, you may notice the WorkSpaces I used in some of the screenshots.

Figure 1 – Our solution uses AWS native services to monitor the PAN VM-Series firewall.

Our solution consists of a PAN VM-Series firewall and a low-cost Amazon Linux 2 t2.micro instance, deployed to subnets in a VPC. This t2.micro instance has rsyslog enabled to forward logs to Amazon CloudWatch. We connect an Amazon Kinesis Data Stream to the Amazon CloudWatch Logs and process the stream events with AWS Lambda. We use Lambda to check whether one of our predetermined fields has been changed. If so, we publish a security finding to AWS Security Hub and use Amazon Simple Notification Service (Amazon SNS) to send alerts.

Our solution enables you to take action on any configuration changes made to your Palo Alto Networks VM-Series firewall. With enough planning, you could even perform automated remediations to any unwanted changes on your firewall. However, this post only focuses on detecting the changes, publishing events to AWS Security Hub, and sending notifications via email. See the CloudWatch Events documentation for details on automating remediations to configuration changes. Also, read this blog post to learn how to enable custom actions in AWS Security Hub.

Prerequisites

Before beginning this process, ensure you have or can do the following:

- AWS Identity and Access Management (IAM) privileges to launch Amazon Elastic Compute Cloud (Amazon EC2) instances.
- IAM privileges to create a Kinesis Data Stream.
- IAM privileges to create and edit AWS Lambda functions.
- IAM privileges to create an Amazon SNS topic.
- Administrator access to the PAN VM-Series admin console.
- Familiarity writing and building AWS Lambda functions.
- Ability to create and edit files on the Bash command line.
- Ability to log into an Amazon EC2 instance via SSH using an SSH key.
- Ability to create and edit security groups.
- Ability to create an IAM policy and attach it to a role.
- Ability to create an IAM role and attach it to an Amazon EC2 instance.
- Ability to use the AWS Command Line Interface (AWS CLI) and the AWS Management Console.
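The detection stage of the pipeline described above (CloudWatch Logs subscription into Kinesis, Lambda inspecting each forwarded log line, Security Hub finding on a match), as an added example that is not code from the original post, from AWS or from Palo Alto Networks: the Lambda core unwraps the Kinesis-carried CloudWatch Logs payload, checks each log line against a watch list of configuration paths, and builds the AWS Security Finding Format (ASFF) document. The watch list, the sample log lines, the account, region and instance identifiers are constructed assumptions; the actual calls to `securityhub.batch_import_findings` and `sns.publish` belong in the handler and are not shown.

```python
import base64
import gzip
import json
from datetime import datetime, timezone

# Constructed watch list of config paths; the real list depends on your policy.
WATCHED_PATHS = ("rulebase/security", "deviceconfig/system", "network/interface")

def decode_kinesis_record(record):
    """Unwrap a CloudWatch Logs subscription payload: base64 -> gzip -> JSON."""
    payload = json.loads(gzip.decompress(base64.b64decode(record["kinesis"]["data"])))
    if payload.get("messageType") != "DATA_MESSAGE":
        return []  # CONTROL_MESSAGE emitted when the subscription is created
    return payload["logEvents"]

def watched_changes(message):
    """Return the watched paths referenced by one forwarded config-log line."""
    return [p for p in WATCHED_PATHS if p in message]

def build_finding(log_event, paths, account_id, region, instance_id):
    """Build an ASFF finding for Security Hub's BatchImportFindings."""
    now = datetime.now(timezone.utc).isoformat()
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"{instance_id}/{log_event['id']}",
        "ProductArn": f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default",
        "GeneratorId": "pan-config-change-monitor",
        "AwsAccountId": account_id,
        "Types": ["Unusual Behaviors/Configuration Change"],
        "CreatedAt": now, "UpdatedAt": now,
        "Severity": {"Label": "HIGH"},
        "Title": "PAN VM-Series config change: " + ", ".join(paths),
        "Description": log_event["message"][:1024],
        "Resources": [{"Type": "AwsEc2Instance",
                       "Id": f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}"}],
    }

def findings_from_event(kinesis_event, account_id, region, instance_id):
    """Lambda core: findings for one Kinesis batch (the handler publishes them)."""
    return [build_finding(e, paths, account_id, region, instance_id)
            for r in kinesis_event["Records"] for e in decode_kinesis_record(r)
            if (paths := watched_changes(e["message"]))]

def make_test_record(messages):
    """Constructed envelope in the CloudWatch Logs -> Kinesis wire format."""
    payload = {"messageType": "DATA_MESSAGE", "logEvents": [
        {"id": str(i), "timestamp": 0, "message": m} for i, m in enumerate(messages)]}
    return {"kinesis": {"data": base64.b64encode(
        gzip.compress(json.dumps(payload).encode())).decode()}}
```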