Detect and respond to attacks in AWS by sending packets to VM-Series without putting the firewall inline

Using VM-Series with AWS VPC Traffic Mirroring

This repository provides a sample firewall configuration that you can import into VM-Series. The sample configuration allows the firewall to receive packets sent by the AWS VPC Traffic Mirroring service. This gives you application visibility and lets you detect and respond to attacks by sending a copy of all packets sent or received by your AWS instances to VM-Series, without putting the firewall inline with the traffic. Putting the VM-Series inline with the traffic flow allows you to actually prevent attacks in real time; traffic mirroring provides an alternative option without real-time inline protection. You can also use mirroring to run a security lifecycle report (SLR) on your public cloud deployment. For scaled-out deployments, you can deploy multiple VM-Series instances behind the AWS NLB with UDP load balancing.


  1. Read details of AWS VPC Traffic Mirroring
  2. Read an overview of use cases of how VM-Series works with Traffic Mirroring
  3. PAN-OS 9.0 or higher is required. Mirrored packets are sent by AWS in a VXLAN encapsulated tunnel. This can be handled using the PAN-OS VXLAN TCI feature.

How To

Steps for setting up AWS VPC Traffic Mirroring

  1. Deploy and configure VM-Series from AWS Marketplace. Use the BYOL edition if you have a trial/evaluation/full (i.e. BYOL or ELA) license, or use the pre-licensed PAYG options. A 15-day free trial for VM-Series PAYG (Bundle 1 and Bundle 2) is available for first-time customers (once per AWS account). Normal EC2 (compute/storage) charges for the instances will still apply. Hourly charges for the software will apply after 15 days. Be sure to shut down or delete the free trial if you're not using the instance, to avoid unnecessary charges. See the AWS Marketplace documentation on free trials for more information.
  2. Follow the documentation to deploy a 3 ENI setup of VM-Series and do the basic setup to configure a password (up to Step 5 in the documentation link). (A CFT of this is coming soon.)
  3. Import the sample PAN-OS configuration file (aws-mirroring-sample.xml) from the repository into VM-Series.
  4. Load the imported configuration. IMPORTANT: Set the password immediately (Device > Setup > Operations > Import).
  5. Commit the configuration.
  6. Follow the AWS VPC Traffic Mirroring steps to send traffic from any of your instances to the Untrust ENI of VM-Series.
  7. Check the Monitor tab in VM-Series to see the traffic sent.
  8. Customize security policies to match your use case.
  9. Enable Log Filtering to find high or critical level items, or specific attacks.
  10. Enable a webhook, also known as Action-Oriented Log Forwarding using HTTP, to trigger an action: create a service desk ticket, or launch an AWS Lambda function to quarantine.
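For step 10, one possible shape of the Lambda function behind the webhook, as an added example that is not part of this repository. The JSON payload fields (`src`, `severity`), the `x-webhook-token` header, the environment variable names and the isolation security group are assumptions; the firewall's HTTP payload format is user-defined, so adjust the parser to match yours.

```python
import hmac
import ipaddress
import json
import os

# Assumed, not from the repository: the firewall's HTTP payload is user-defined,
# so this sketch expects JSON {"src": ..., "severity": ...} plus a shared-secret
# header, and a pre-created isolation security group (placeholder id below).
QUARANTINE_SG = os.environ.get("QUARANTINE_SG", "sg-PLACEHOLDER")
ACT_ON = {"high", "critical"}

def authorized(headers, secret):
    """Constant-time check of the hypothetical x-webhook-token header."""
    token = (headers or {}).get("x-webhook-token", "")
    return bool(secret) and hmac.compare_digest(token.encode(), secret.encode())

def parse_alert(body):
    """Return the private IP to isolate, or None if the entry should be ignored."""
    try:
        alert = json.loads(body)
        if str(alert["severity"]).lower() not in ACT_ON:
            return None
        return str(ipaddress.ip_address(str(alert["src"])))
    except (TypeError, ValueError, KeyError):
        return None

def quarantine(ec2, private_ip, quarantine_sg=QUARANTINE_SG):
    """Swap every ENI owning private_ip onto the isolation group; return ENI ids changed."""
    resp = ec2.describe_network_interfaces(
        Filters=[{"Name": "addresses.private-ip-address", "Values": [private_ip]}])
    changed = []
    for eni in resp["NetworkInterfaces"]:
        if [g["GroupId"] for g in eni["Groups"]] == [quarantine_sg]:
            continue  # already isolated, so repeated alerts are idempotent
        ec2.modify_network_interface_attribute(
            NetworkInterfaceId=eni["NetworkInterfaceId"], Groups=[quarantine_sg])
        changed.append(eni["NetworkInterfaceId"])
    return changed

def lambda_handler(event, context):
    import boto3  # deferred so the helpers above can be exercised offline
    if not authorized(event.get("headers"), os.environ.get("WEBHOOK_TOKEN", "")):
        return {"statusCode": 403, "body": ""}
    ip = parse_alert(event.get("body"))
    if ip is None:  # low severity, malformed, or not an IP: nothing to do
        return {"statusCode": 204, "body": ""}
    changed = quarantine(boto3.client("ec2"), ip)
    return {"statusCode": 200, "body": json.dumps({"quarantined": changed})}
```

A source address that belongs to no ENI in the account (for example an external address) changes nothing. If several VPCs share overlapping address space, add a `vpc-id` filter to the lookup so the wrong instance is not isolated.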

Scale Out using NLB

For scaled-out deployments and high availability, you can deploy 2 or more instances of VM-Series behind the NLB with UDP load balancing. In this setup you can:

  1. Set up two or more instances of VM-Series behind the NLB with a UDP listener on port 4789. Make sure to deploy the VM-Series after doing an interface swap using the CLI (if the firewall is already deployed), or at time of deployment using the AWS User Data field. This puts the eth0 (first interface) of the firewall in the NLB's backend pool as a dataplane interface to receive mirrored packets, and moves the firewall's management interface to eth1 (the second ENI).
  2. Enable HTTP on the Management Profile on the Untrust interface of the VM-Series firewalls. Enable NLB health monitoring on port 80. The firewall will now respond to the health probes while also processing the mirrored traffic.
  3. Set up AWS VPC traffic mirroring to send the mirrored packets to the NLB frontend/VIP.

Copyright © 2021 Palo Alto Networks, Inc. All rights reserved.