VM-SERIES ON AMAZON WEB SERVICES
Many organizations are moving their application development and production workloads to Amazon Web Services (AWS) with a goal of minimizing their physical data center presence over time. The VM-Series on AWS enables you to protect applications and data on AWS with next-generation firewall and threat prevention features.
Security Challenges in the Public Cloud VM-Series on AWS Use Cases Organizations worldwide are expanding their use of AWS® at an Hybrid Cloud unprecedented pace. However, security, workflow automation, and how to build scalable, resilient cloud-centric architectures • Securely extend your application development and are key challenges that must be addressed. The VM-Series on testing environment onto AWS across a site-to-site AWS solves these challenges, enabling you to: IPsec VPN or AWS Direct Connect. • Protect your AWS workloads through unmatched applica- Segmentation Gateway tion visibility, control and advanced threat prevention. • Maintain separation of confidential data from other • Simplify management and automate security policy updates traffic for security and compliance purposes by as your AWS workloads change. controlling applications across VPCs and subnets while blocking threats. • Build secure, cloud-centric architectures that are scalable and highly available. Internet Gateway The VM-Series allows new cloud customers to protect their • Protect web-facing applications from advanced workloads with next-generation security features that deliver threats while securely enabling direct access to web- superior visibility, control and threat prevention at the appli- based developer tools and resources. cation level when compared to other cloud-oriented security solutions. Existing customers will reap the benefits of a security GlobalProtect feature set that mirrors those protecting their physical networks • Extend perimeter firewall and threat prevention and delivers a consistent security posture from the network to policies to remote users and mobile devices with the cloud. GlobalProtect.
Palo Alto Networks | VM-Series on AWS | Datasheet 1 Are Native Security Features Sufficient? When deployed in conjunction with GlobalProtect™ As part of their services offering, AWS provides users with network security for endpoints, the VM-Series on AWS security features that include security groups and a web enables you to extend your corporate security policies to application firewall (WAF). These features will help you mobile devices and users, regardless of their location. protect your AWS deployment; however, security groups are looking at traffic only from a port and IP address per- Prevent Advanced Attacks at the Application Level spective and cannot identify and control your AWS traffic Attacks, much like many applications, are capable of using based on the application identity. A WAF looks only at any port, rendering traditional prevention mechanisms HTTP/HTTPS applications and no other applications. These ineffective. The VM-Series on AWS allows you to use Threat features only provide a base level of and will not control all Prevention and WildFire™ cloud-based threat analysis ser- applications, protect against inbound threats, nor will they vice to apply application-specific threat prevention policies stop their lateral movement. As the public cloud becomes to prevent exploits, malware and previously unknown an extension of your data center, advanced security features threats (APTs). such as those available from a next-generation firewall should become a requirement. Improve Data Security With Segmentation Today’s cyberthreats commonly compromise an individual The VM-Series on AWS workstation or user and then move laterally across your The VM-Series on AWS enables you to securely implement physical or virtualized network, placing your mission-critical a cloud-first methodology while transforming your data applications and data at risk. Using application whitelisting center into a hybrid architecture that combines the scal- policies allows you to segment applications communicating ability and agility of AWS with your on-premise resources. between VPCs and across different subnets for regulatory This allows you to move your applications and data to AWS compliance. Enabling the Threat Prevention and WildFire while maintaining a security posture that is consistent with services to complement your segmentation policies will the one you may have established on your physical network. block both known and unknown threats and stop them from moving laterally from workload to workload. The VM-Series on AWS natively analyzes all traffic in a single pass to determine the application identity, the content, and the user identity. The application, content within, and the Policy Consistency with Centralized Management user are used as core elements of your security policy and are Panorama™ network security management enables you to also used for visibility, reporting and incident investigation. manage your VM-Series deployments across multiple cloud deployments, along with your physical security appliances, Improve Security Decisions With Application Visibility thereby ensuring policy consistency and cohesiveness. Rich, centralized logging and reporting capabilities provide The VM-Series on AWS provides you with the identity of visibility into virtualized applications, users and content. the application, irrespective of port, which means you have more relevant information about your AWS deployment, including the application, who the user is, and from where Automate Security Deployment and Policy Updates it emanates. This increased knowledge means you can make The VM-Series on AWS includes management features more informed policy decisions and respond to incidents that enable you to integrate security into your cloud-first more quickly. development projects. Bootstrapping automatically provi- sions a firewall with a working configuration, complete with Limit Security Exposure With Whitelisting Policies licenses and subscriptions, and then auto-registers itself with Panorama. To automate policy updates as workloads change, With the VM-Series on AWS, you can extend your firewall a fully documented XML API and Dynamic Address Groups access control policies to the application level, forcing them allow the VM-Series to consume external data in the form of to operate on specific ports, while leveraging the “deny all tags that can drive policy updates dynamically. The end result else” premise that a firewall is based on to block all others. is new applications, and next-generation security can be The added level of control becomes critically important as deployed simultaneously in an automated manner. you deploy more of your applications on AWS. Active VM-Series Monitoring with AWS CloudWatch Strengthen Security Posture With User-Based Controls VM-Series firewalls on AWS can now natively send Integration with a wide range of user repositories, such PAN-OS ® metrics to AWS CloudWatch for advanced as Microsoft® Active Directory®, LDAP and Microsoft monitoring and auto-scaling policy decisions. The Cloud- Exchange, introduces the user identity as a policy element, Watch integration enables you to monitor the capacity, complementing application whitelisting with an added health status, and availability of the firewalls with metrics access control component. User-based policies mean you such as total number of active sessions, GlobalProtect can grant access to critical applications and data based Gateway tunnel utilization, or SSL proxy utilization. With on user credentials and respective need. For example, the the CloudWatch metrics integration, the VM-Series can be app team can have full access to the development VPC, proactively monitored along with other resources deployed while the operations team has RDP/SSH access to the in your AWS environment, keeping you more informed on production VPC. the overall health of your AWS deployment and allowing you to scale security as increased EC2 workloads dictate.
Palo Alto Networks | VM-Series on AWS | Datasheet 2 Integration With AWS Auto Scaling the “friction” commonly associated with deploying and con- The VM-Series integrates with AWS Auto Scaling and figuring a next-generation firewall on AWS. As your AWS Elastic Load Balancing using several AWS services and workload traffic increases, demand for security increases as VM-Series automation features. AWS Auto Scaling in- well and the integration with AWS Auto Scaling, and Elastic tegration allows you to build a next-generation security Load Balancing will allow your VM-Series next-generation infrastructure that will dynamically, yet independently, scale firewalls to scale automatically, yet independently of your to protect your AWS workloads as their traffic patterns workloads, ensuring continual protection from cyberattacks. fluctuate. This architecture will enable you to reduce costs by utilizing the firewall capacities intelligently and Cloud-Centric High Availability efficiently based on user-defined metrics. By scaling the Any AWS deployment must be architected for resiliency to security separately from the application workloads, each eliminate the negative impact that an infrastructure com- firewall can be identically configured and managed centrally, ponent failure may have. If a failure does occur, the solution resulting in lower administrative costs. The VM-Series Auto must be able to detect and route around a failure. This is Scaling integration uses a combination of AWS Lambda, true for the security of the solution as well. When using CloudFormation templates, and Amazon CloudWatch Auto Scaling for the VM-Series on AWS, multiple firewalls services, along with bootstrapping and XML API automation are deployed in the design across two or more availability features supported by the VM-Series, to deliver an innova- zones within a VPC. If any one of the VM-Series firewalls tive, scalable, next-generation security solution on AWS. fail, two things happen: First, the AWS Load Balancer detects the failure and diverts traffic to the remaining, healthy VM-Series firewalls. Second, the AWS Auto Scaling How Auto Scaling the VM-Series on AWS Works Groups will automatically remove unhealthy firewalls and Using an AWS CloudFormation Template, an initial VM-Se- replace them with new, bootstrapped VM-Series firewalls ries firewall is deployed using a bootstrapped image stored that come up fully configured and ready to handle traffic. in AWS S3. The AWS CloudFormation Template can also Depending on the balance of performance and cost attach the VM-Series firewall to Panorama if it has been sensitivity, the health checks and Auto Scaling groups can deployed. When predefined web server traffic metrics are be tuned to be very aggressive or very conservative about exceeded, an alarm is sent to CloudWatch, which initiates a detecting and replacing failed components. This allows you scale-out event to deploy added web servers. As VM-Series to make your own cost/benefit decision when designing traffic demands increase, an AWS Lambda function collects your deployment. The VM-Series not only automatically and sends those metrics to CloudWatch, triggering a scales in and out, independently of workloads, it also is VM-Series scale-out event using the bootstrap VM-Series self-healing providing an overall, highly available solution firewall image. The VM-Series Auto Scaling on AWS solution across multiple availability zones. utilizes AWS and VM-Series services to dramatically reduce
VPC
Services Used for Auto Scaling Integration External ELB VM-Series and workload traffic metrics ASG1 ASG2 • Lambda: Traffic monitoring and firewall deployment • CloudWatch: Workload metrics VM- VM- Series Series VM- VM- Series Series • S3: Storage of bootstrapping files VM- VM- Series Series • PAN-OS APIs: Enables auto scaling integration • Bootstrapping: Automates firewall deployment Internal ELB ASG resources added/removed as needed • Panorama: Centralized management and logging. Web ASG
PANORAMA VM- Series
A�1 A�2 Region 1
Image 1: Image 1: AWS Auto Scaling integration enables the VM-Series to scale independently of workloads
Palo Alto Networks | VM-Series on AWS | Datasheet 3 VM-Series on AWS Use Cases cies to control traffic between the VPCs and across subnets. With application-level policies, you have greater control over The VM-Series can be deployed for AWS to address several application traffic moving laterally, and you can apply threat different use cases. prevention policies to block their movement as well. If traffic is flowing between VPCs in different regions across the Hybrid Cloud: Securely Enable App Dev and Test internet, encryption can be enabled for added protection. Securely migrate application development and testing onto AWS through a hybrid deployment that integrates your Internet Gateway: Protect Production Workloads existing development environment with AWS via a secure connection. This approach allows your application devel- As your AWS deployment expands to include public facing opment and testing team to get started while maintaining workloads, you can use the VM-Series on AWS as an a strong security posture. When deployed on AWS, the internet gateway to protect web-facing applications from VM-Series can act as an IPsec VPN termination point to known and unknown threats. Additionally, you can enable enable the secure communications to and from AWS. Appli- direct access to web-based developer resources, tools and cation control and threat prevention policies can be layered software updates, thereby minimizing the traffic that flows atop the IPsec VPN tunnel or AWS Direct Connect as added back to corporate and then out to the web. security elements. GlobalProtect: Extend Security to Users and Devices Segmentation Gateway: Separation for Security and GlobalProtect will enable you to extend perimeter security Compliance to your remote users and mobile devices, regardless of their High-profile breaches have shown that cybercriminals are location. GlobalProtect establishes a secure connection to adept at hiding in plain sight, bypassing perimeter controls protect the user from internet threats and enforces applica- and moving at will across networks – both physical and tion-based access control policies. Whether the need is for virtualized. An AWS VPC provides an isolation and security access to the internet, data center or SaaS applications, the boundary for your workloads. The VM-Series can augment user will enjoy the full protection provided by the platform. that separation through application-level segmentation poli-
��ter�et �atewa�� Application ��� control and threat prevention �er�es �o�i�ies �ro�e�� �o�r �e�-���in� �or��o��s� ��
��� �er�es Segmentation: Keep applications �n� ���� �or se��ri�� �n� �� �o���i�n�e ��r�oses�
���r��� Se��re�� e��en� �o�r ���� �en�er in�o AWS�
�P ��������� GlobalProtect: ��er� �o�i�� �onsis�en�� ��ross ��e ne��or�� �� AWS ��o��� �n� �o�r �e�i�es�
�A���AMA
Palo Alto Networks | VM-Series on AWS | Datasheet 4 Flexible Licensing Options The VM-Series on AWS supports both bring-your-own-license (BYOL) and consumption-based licensing via AWS Marketplace. • BYOL: Any one of the VM-Series models, along with the associated subscriptions and support, are purchased via normal Palo Alto Networks® channels and then deployed via a license authorization code through your AWS Management Console. • Consumption-based licensing: Purchase and deploy VM-Series subscription bundles directly from AWS Marketplace via your AWS Management console. ◦◦ Bundle 1 contents: VM-300 firewall license, Threat Prevention subscription (inclusive of IPS, AV, malware prevention) and Premium Support (written and spoken English only). ◦◦ Bundle 2 contents: VM-300 firewall license, Threat Prevention (inclusive of IPS, AV, malware prevention), WildFire, URL Filtering, and GlobalProtect subscriptions with Premium Support (written and spoken English only).
Performance and capacities On AWS, many factors such as the AWS Instance size and the maximum packets per second supported by it, number of cores used, AWS Placement group can impact performance. The performance and capacities listed below have been generated under controlled lab conditions using the indicated AWS Instance size, SR-IOV, AWS placement group and the following test conditions: • Firewall Throughput and IPsec VPN are measured with App-ID and User-ID features enabled utilizing 64K HTTP transactions. • Threat prevention throughput is measured with App-ID, User-ID, IPS, Anti-Virus and Anti-spyware features enabled utilizing 64K HTTP transactions. • Connections per second is measured with 0K HTTP transactions. We recommend additional testing within your environment to ensure your performance and capacity requirements are met. For a complete listing of all VM-Series features and capacities, please visit www.paloaltonetworks.com/comparefirewalls.
VM-100/ VM-300/ VM-50 VM-200 VM-1000-HV VM-500 VM-700 Model (0.4 Cores) (2 Cores) (4 Cores) (8 Cores) (16 Cores) AWS Instance size tested N/A c4.8xlarge c4.8xlarge c4.8xlarge c4.8xlarge Firewall throughput N/A 2Gbps 4Gbps 4Gbps 4Gbps (App-ID enabled) Threat prevention throughput N/A 1Gbps 2Gbps 4Gbps 4Gbps IPsec VPN throughput N/A In process* In process* In process* In process* AWS Instance size tested N/A c4.xlarge m4.xlarge m4.2xlarge m4.4xlarge Firewall throughput N/A 0.5Gbps 0.5Gbps 1Gbps 2Gbps (App-ID enabled) Threat prevention throughput N/A 0.5Gbps 0.5Gbps 1Gbps 2Gbps IPsec VPN throughput N/A In process* In process* In process* In process* VM-50 VM-100/VM-200 VM-300/VM- VM-500 VM-700 All Instance sizes supported (0.4 Cores) (2 Cores) 1000-HV (4 Cores) (8 Cores) (16 Cores) New sessions per second N/A 9K 9K 20K 40K Max sessions N/A 250K 800K 2M 10M System Requirements Cores supported N/A 0.4/2 2/4 2/8 2/16 (Min/Max) Memory (Minimum) N/A 6.5GB 9GB 16GB 56GB Disk drive capacity (Minimum) N/A 60GB 60GB 60GB 60GB c4.xlarge** m4.xlarge** m4.2xlarge** m4.4xlarge** c3.xlarge m3.xlarge c4.4xlarge c4.8xlarge Minimum AWS Instance size N/A c4.2xlarge c3.4xlarge c3.2xlarge
Licensing options N/A BYOL only BYOL or BYOL only BYOL only Marketplace
* IPsec VPN throughput data will be published upon completion of the test suite. ** Refers to recommended VM size based on CPU cores, memory and Azure prices for VMs.
4401 Great America Parkway © 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark Santa Clara, CA 95054 of Palo Alto Networks. A list of our trademarks can be found at http://www. Main: +1.408.753.4000 paloaltonetworks.com/company/trademarks.html. All other marks mentioned Sales: +1.866.320.4788 herein may be trademarks of their respective companies. vm-series-on-aws- Support: +1.866.898.9087 ds-020617 www.paloaltonetworks.com