PALO ALTO NETWORKS: VM-Series for Amazon Web Services Specsheet

VM-Series for Amazon Web Services

Key Security Features:

• Identify and control traffic flowing into, and across your VPC, limit application access based on users, block known and unknown threats.
• Automate security policy updates so that they keep pace with changes in your VPC.
• Isolate and segment mission critical applications and data using Zero Trust principles (never trust, always verify).

Palo Alto Networks® VM-Series firewalls give your organization the flexibility to maintain next-generation security services across your Virtual Private Cloud (VPC) instances within Amazon Web Services (AWS).

[Figure: AWS VM-Series firewall in front of APP, WEB and DB EC2 instances in SUBNET1, SUBNET2 and SUBNET3 (private and public sides), with management traffic over VPN to Panorama in the corporate datacenter (users, security admin).]

Amazon Web Services (AWS) offers a broad set of global compute, application, storage and deployment services that allows you to quickly and efficiently expand your cloud computing initiatives by establishing a Virtual Private Cloud (VPC) within AWS. As you look to migrate your mission critical applications and data to your VPC, security should be taken into account.

Specifically, what security features do you need to protect your VPC and can the deployment of those security features keep pace with the changes in your virtual workloads deployed over your Elastic Cloud Compute (EC2) instances? The VM-Series for AWS addresses these key challenges with the same next-generation and advanced threat prevention features that are available on our physical form-factor appliances and a native set of automation features that dynamically updates your security policies as your EC2 instances change.

The VM-Series for AWS natively analyzes all traffic in a single pass to determine the application identity, the content within, and who the user is. The application, content and the user identity are then used as integral components of your security policy, allowing you to isolate your mission critical applications and protect them from known and unknown cyber threats.

To ensure security keeps pace with changes in your VPC, native automation features such as VM monitoring and dynamic address groups allow you to proactively monitor changes in your EC2 instances, automatically feeding that context directly into policy, thereby eliminating the policy lag time between a change made in the virtualized infrastructure and the time that change gets incorporated into the firewall’s security policy.

VM-SERIES FOR AWS USE CASE: PERIMETER GATEWAY

Establishing a VPC is not significantly different than building out a new physical network, complete with a new perimeter firewall. In this use case, the VM-Series can be deployed as your gateway firewall, securing your VPC based on application, regardless of port, inspecting the traffic for both known and unknown threats while controlling access based on user identity. As new EC2 workloads are added or change, VM Monitoring and Dynamic Address Groups will enable your security policies to keep pace with any respective EC2 changes.

[Figure: AWS VM-Series as perimeter gateway in front of APP, WEB and DB EC2 instances in SUBNET1, SUBNET2 and SUBNET3 (private and public sides), with user access over Internet and management traffic over VPN to Panorama in the corporate datacenter (users, security admin).]

VM-SERIES FOR AWS USE CASE: IPSEC VPN TO CORPORATE NETWORK

Your VPC is an extension of your corporate computing environment, enabling you to scale rapidly while minimizing capital and operational expenses. In this use case, the VM-Series supports the exact same features that are supported in our physical form factor appliances, including standards-based site-to-site IPSec VPN. The VM-Series can be configured to establish an IPSec VPN connection, with access controlled based on application, respective content, and user identity. In effect, you are able to extend the same policies that control your corporate network to your VPC. Here too, automation features that collect dynamic, contextual changes can be fed into both the virtualized and physical form factor firewalls, enabling policy to keep pace with any changes in the application environment.

[Figure: AWS VM-Series in front of APP, WEB and DB EC2 instances in SUBNET1, SUBNET2 and SUBNET3 (private and public sides), connected by site-to-site IPSec VPN to the corporate datacenter, with management traffic over VPN to Panorama (users, security admin).]

VM-SERIES FOR AWS USE CASE: VM-TO-VM SECURITY

Recent high profile threats have shown that cyber criminals are adept at hiding in plain sight once they bypass the perimeter controls, then moving at will across the network. In a physical network, you might protect your applications and data by segmenting the network using Zero Trust principles of never trust, always verify. In your VPC, you can use the VM-Series to implement the same Zero Trust principles to control traffic between IP subnets based on application and user while inspecting it for cyber threats. In this scenario, automation features can monitor changes to your EC2 instances, feeding that context into policy to dynamically keep security up-to-date.

[Figure: AWS VM-Series between APP, WEB and DB EC2 instances in SUBNET1, SUBNET2 and SUBNET3 (private and public sides), with user access over Internet and management traffic over VPN to Panorama in the corporate datacenter (users, security admin).]

SUMMARY

The VM-Series for AWS allows you to protect your VPC using our next-generation firewall and advanced threat prevention services. Traffic flowing into, and across your AWS deployment is identified and secured based on the application identity, and inspected for known and unknown cyber threats. Native VM-Series automation features help ensure that your security policies can keep pace with any contextual virtual machine changes in your VPC while Panorama allows you to centrally manage your entire Palo Alto Networks deployment of physical and virtualized appliances.

4401 Great America Parkway
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

Copyright ©2015, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. All specifications are subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. PAN_SS_VMSAWS_041615