
Security and Analytics Environment on the AWS Cloud with Palo Alto Networks and Splunk

Quick Start Reference Deployment

November 2017

Splunk
Palo Alto Networks
AWS Quick Start Reference Team

AWS can provide you with AWS credits for this deployment. Please fill out our form and we will reach out to you.

Contents

- Overview (page 2)
- Costs and Licenses (page 3)
- Architecture (page 4)
- Prerequisites (page 6)
- Specialized Knowledge (page 6)
- Planning for the Deployment (page 6)
- Deployment Options (page 6)
- Planning Resources (page 7)
- Deployment Steps (page 7)
- Step 1. Prepare an AWS Account (page 7)
- Step 2. Get the Binary Files Required for Launch (page 8)
- Step 3. Subscribe to the Splunk Enterprise AMI (page 8)
- Step 4. Get a License for Palo Alto Networks VM-Series Firewall (page 9)


- Step 5. Launch the Quick Start (page 9)
- Step 6. Test the Deployment (page 22)
- Step 7. (Optional) Customize the bootstrap.xml File (page 24)
- FAQ (page 24)
- Additional Resources (page 25)
- Send Us Feedback (page 26)
- Document Revisions (page 26)

This Quick Start deployment guide was created by Amazon Web Services (AWS) in partnership with Splunk and Palo Alto Networks.

Quick Starts are automated reference deployments for key technologies on the AWS Cloud, based on AWS best practices for security and high availability.

Overview

This Quick Start reference deployment guide provides step-by-step instructions for deploying an enterprise-class security and analytics environment on the AWS Cloud, using the Palo Alto Networks VM-Series next-generation firewall, Splunk Enterprise, and the Splunk App for Palo Alto Networks.

An enterprise-class security and analytics environment can deliver full visibility into application traffic, which can help security teams by enforcing policy-based control and prevention of known and unknown threats, and by identifying the root cause of issues. Palo Alto Networks and Splunk provide technologies that help protect your workloads from cyberattacks and provide visibility, analytics, and reporting across cloud, on-premises, and hybrid environments.

This Quick Start deploys the Palo Alto Networks VM-Series next-generation firewall in front of an example workload of web servers. It also deploys Splunk Enterprise, which is configured to collect the logs produced by the firewall. The Quick Start automates the recommended approach for deploying each of these technologies on AWS.

The Palo Alto Networks VM-Series next-generation firewall complements AWS security groups and web application firewalls by classifying and controlling application traffic on AWS based on the application identity, and then applying threat prevention policies to block known and unknown cyberthreats. Native management features, including an XML API, bootstrapping, and dynamic address groups, enable you to fully automate firewall policy configuration and updates.

Splunk is a platform that makes machine data accessible and usable. By monitoring and analyzing everything from customer clickstreams and transactions to security events and network activity, Splunk software helps you gain valuable Operational Intelligence from your machine-generated data. This platform provides a full range of powerful search, analysis, and visualization capabilities and prepackaged content for use cases, so you can quickly discover and share insights.

Splunk Enterprise provides security visibility by capturing and analyzing logs from the Palo Alto firewall using the Splunk App for Palo Alto Networks. You can expand the use of the Splunk instance by sending machine data from anywhere in your environment.

This Quick Start is for users who want to deploy the VM-Series next-generation firewall combined with Splunk Enterprise on AWS. It is specifically designed for teams who are migrating these solutions from their on-premises environment to AWS.

Costs and Licenses

You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these settings, such as instance type, will affect the cost of deployment. See the pricing pages for each AWS service you will be using for cost estimates.

The Palo Alto Networks VM-Series next-generation firewall deployed in this Quick Start requires a license. We recommend that you obtain a pay-as-you-go (PAYG) license through AWS Marketplace. You can also use the bring-your-own-license (BYOL) option. For instructions, see step 4 in the deployment steps.

- PAYG: This option deploys VM-Series Bundle 2 directly from AWS Marketplace. This bundle includes a VM-300 firewall license and annual subscriptions for Threat Prevention, WildFire, URL Filtering, GlobalProtect, and Premium Support (written and spoken English only).

- BYOL: This option allows you to work with Palo Alto Networks sales or channel partners to generate an authorization code (license) that includes a VM-100, VM-300, VM-500, or VM-700 firewall license, along with the associated subscriptions and support. You must register your BYOL authorization code on the Palo Alto Networks support portal before you launch the Quick Start.


This Quick Start also requires a subscription to the Amazon Machine Image (AMI) for Splunk Enterprise, which is available from AWS Marketplace. For subscription instructions, see step 3 in the deployment steps. The AMI offers a 60-day trial license that provides limited access to Splunk Enterprise features. To fully utilize the environment created by this Quick Start, you will need to obtain a Splunk Enterprise license by contacting [email protected].

Architecture

Deploying this Quick Start with the default parameters into a new virtual private cloud (VPC) builds the following environment in the AWS Cloud.

Figure 1: Quick Start architecture on AWS


The Quick Start sets up the following:

- A VPC spanning your choice of two or three Availability Zones, with three public and two private subnets in each zone.*

- In the first public subnet in each Availability Zone, optional network address translation (NAT) gateways that allow the servers in the private subnets to connect to the internet.*

  Note: The NAT gateways are omitted by default. If you decide to omit them, you must use a bastion host to access the firewall management interface. For more information about this option, see step 6.

- VM-Series firewall instances in an Auto Scaling group with three network interfaces: untrust, trust, and management. The untrust (public) interfaces are in the second public subnet in each Availability Zone. The management interface and the trust interface are in two private subnets in each Availability Zone.

- Appropriate security groups for each instance or function to restrict access to only necessary protocols and ports.

- An S3 bucket that contains the firewall bootstrap files.

- In the private subnets, an Auto Scaling group for the web servers spanning the Availability Zones.

- External and internal load balancers for the web servers.

- Three Elastic Load Balancing (ELB) load balancers for the Splunk stack, used to:
  – Load-balance HTTP web traffic to the search head instances
  – Load-balance HTTP event traffic destined for the Splunk HTTP Event Collector (HEC) across all indexer instances
  – Load-balance internal logs from firewall instances destined for the Splunk syslog servers

- In the public subnets:
  – Splunk indexer cluster with the number of indexers you specify (3-10), distributed across the number of Availability Zones you specify. The Splunk receiver (splunktcp) and Splunk HEC are enabled across all indexers.
  – Splunk search heads, either stand-alone or in a cluster, based on your input during deployment. In the latter case, the search heads are distributed across the number of Availability Zones you specify.
  – Syslog-ng cluster with the number of servers specified at input, distributed across the number of Availability Zones you specify.
  – Splunk license server and indexer cluster master, co-located.
  – Splunk search head deployer, where applicable.
  – (Optional) User-provided Splunk apps and/or add-ons, loaded and pre-installed across indexers and search heads, based on your input.

Prerequisites

Specialized Knowledge

Before you deploy this Quick Start, we recommend that you become familiar with the following AWS services. (If you are new to AWS, see the Getting Started Resource Center.)

- Amazon Virtual Private Cloud (Amazon VPC)
- Amazon Elastic Compute Cloud (Amazon EC2)
- Amazon Elastic Block Store (Amazon EBS)
- Elastic Load Balancing

Planning for the Deployment

Deployment Options

This Quick Start provides two deployment options:

- Deploy the security and analytics environment into a new VPC (end-to-end deployment). This option builds a new AWS environment consisting of the VPC, subnets, NAT gateways, security groups, and other infrastructure components, and then deploys the Palo Alto Networks and Splunk software into this new VPC.

- Deploy the security and analytics environment into an existing VPC. This option provisions the Palo Alto Networks and Splunk software in your existing AWS infrastructure.

The Quick Start provides separate templates for these options. It also lets you configure CIDR blocks, instance types, and VM-Series firewall and Splunk settings, as discussed later in this guide.


Planning Resources

For Palo Alto Networks VM-Series

- EC2 instances: The VM-Series bundles can be deployed on a range of EC2 instance types, including M4, M3, C4, and C3 instances. The firewall instances are deployed on m4.xlarge instances by default.

- CPU, memory, and storage: All instance types support 2 or 4 vCPUs, and require at least 9 GiB of memory and 60 GiB of EBS-optimized volume storage.

- Elastic network interface support: Each instance supports up to eight elastic network interfaces (ENIs). The first ENI is always dedicated to VM-Series management use, whereas the remaining ENIs are used for data. For more information about ENIs and to confirm ENI support for different instance types, see the AWS documentation.

When integrated with Auto Scaling and Elastic Load Balancing, the VM-Series firewall deployment on AWS will also require AWS Lambda, Amazon S3, and Amazon CloudWatch. These services are automatically provisioned by the Quick Start.

For Splunk Enterprise

For guidelines on configuring the Splunk Enterprise resources, including instance types, storage, indexers, search heads, and high availability / disaster recovery (HA/DR) considerations, see the “Planning the Deployment” section of the Splunk Enterprise Quick Start deployment guide.

Deployment Steps

Step 1. Prepare an AWS Account

1. If you don’t already have an AWS account, create one at https://aws.amazon.com by following the on-screen instructions.
2. Use the region selector in the navigation bar to choose the AWS Region where you want to deploy the security and analytics environment on AWS.
3. Create a key pair in your preferred region.
4. If necessary, request a service limit increase for the Amazon EC2 C4 and M4 instance types. You might need to do this if you already have an existing deployment that uses these instance types, and you think you might exceed the default limit with this reference deployment.


Step 2. Get the Binary Files Required for Launch

1. Download the following binary files for the launch.

   Palo Alto Networks App for Splunk:
   a. Open https://splunkbase.splunk.com/app/491/.
   b. Download the current version of palo-alto-networks-app-for-splunk-version.tgz. This will require a Splunk user name and password, and you’ll need to accept the license terms for the app.

   Palo Alto Networks Add-on for Splunk:
   a. Open https://splunkbase.splunk.com/app/2757/.
   b. Download the current version of palo-alto-networks-addon-for-splunk-version.tgz. This will require a Splunk user name and password, and you’ll need to accept the license terms for the add-on.

   Splunk Universal Forwarder for Linux, 64-bit:
   a. Open https://www.splunk.com/en_us/download/universal-forwarder.html#tabs/linux.
   b. Download the current version of splunkforwarder-version-linux-2.6-x86_64.rpm. This will require a Splunk user name and password, and you’ll need to accept the license terms for the Universal Forwarder.

2. Create an S3 bucket and upload all three files you’ve downloaded. Make a note of the path to these files; you will need it when you launch the Quick Start in step 5.

Step 3. Subscribe to the Splunk Enterprise AMI

This Quick Start requires a subscription to the Amazon Machine Image (AMI) for Splunk Enterprise running on Amazon Linux. The AMI provides a 60-day free Enterprise trial license, which supports a limited set of features. To take full advantage of the Splunk Enterprise feature set, including distributed search, you can obtain a license for Splunk Enterprise by contacting [email protected].

To subscribe:

1. Log in to your AWS account.
2. Open the AWS Marketplace page for Splunk Enterprise, and choose Continue.
3. Use the Manual Launch option to launch the AMI into your account on Amazon EC2. This involves accepting the terms of the license agreement and receiving a confirmation email. For detailed instructions, see the AWS Marketplace documentation.
4. If you’re using a BYOL license, place the Splunk license key file in a private S3 bucket. You’ll be able to enter the bucket name and the file path as part of the Quick Start parameters during deployment, in step 5.

Step 4. Get a License for Palo Alto Networks VM-Series Firewall

For the Palo Alto Networks VM-Series firewall, we recommend that you use the PAYG (bundle 2) license, as discussed in the Costs and Licenses section.

To use the VM-Series PAYG license for your deployment:

1. Open the AWS Marketplace page for the VM-Series firewall bundle 2, and choose Continue.
2. Review and accept the terms of the license agreement.

If you choose a BYOL license:

1. Contact Palo Alto Networks sales or channel partners to generate an authorization code (license) that includes a VM-100, VM-300, VM-500, or VM-700 firewall license, along with the associated subscriptions and support.
2. Register the authorization code on the Palo Alto Networks support portal.

You can also place the BYOL license in an S3 bucket for the firewall to use. For more information, see step 5 in the VM-Series Auto Scaling launch guide on the Palo Alto Networks website.

Step 5. Launch the Quick Start

Note: You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using this Quick Start. For full details, see the pricing pages for each AWS service you will be using in this Quick Start. Prices are subject to change.


1. Choose one of the following options to launch the AWS CloudFormation template into your AWS account. For help choosing an option, see deployment options earlier in this guide.

   - Option 1: Deploy the Quick Start into a new VPC on AWS
   - Option 2: Deploy the Quick Start into an existing VPC on AWS

   Important: If you’re deploying the Quick Start into an existing VPC, make sure that your VPC is set up with two or three Availability Zones, with three public and two private subnets in each zone. You’ll also need the domain name option configured in the DHCP options as explained in the Amazon VPC documentation. You’ll be prompted for your VPC settings when you launch the Quick Start.

   Each deployment takes about 30-45 minutes to complete.

2. Check the region that’s displayed in the upper-right corner of the navigation bar, and change it if necessary. This is where the network infrastructure for the security and analytics environment will be built. The template is launched in the US East (Ohio) Region by default.

3. On the Select Template page, keep the default setting for the template URL, and then choose Next.

4. On the Specify Details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. When you finish reviewing and customizing the parameters, choose Next.

   In the following tables, parameters are listed by category and described separately for the two deployment options:
   – Parameters for deploying the Quick Start into a new VPC
   – Parameters for deploying the Quick Start into an existing VPC


Option 1: Parameters for deploying the Quick Start into a new VPC

Network Configuration:

| Parameter label (name) | Default | Description |
|---|---|---|
| Availability Zones (AvailabilityZones) | Requires input | The list of Availability Zones in the AWS Region where you want to install the Palo Alto Networks and Splunk software. The number of selections must match the value you specify in the Number of Availability Zones parameter. The Quick Start preserves the logical order you specify. |
| Number of Availability Zones for deployment (NumberOfAZs) | 2 | The number of Availability Zones to use in the VPC. This must match your selections in the Availability Zones parameter. You can choose 2 or 3 Availability Zones. |
| VPC Name (VPCName) | panwVPC | Name of the new VPC. |
| VPC CIDR (VPCCIDR) | 192.168.0.0/16 | CIDR block for the new VPC. |
| Management Subnet CIDR Block (MgmtSubnetIpBlocks) | 192.168.0.0/24, 192.168.10.0/24, 192.168.20.0/24 | Comma-delimited list of CIDR blocks to use for the private subnets for the management interface (see Architecture). The number of entries must match the number of Availability Zones you specify. |
| Untrust Subnet CIDR Block (UntrustSubnetIpBlocks) | 192.168.1.0/24, 192.168.11.0/24, 192.168.21.0/24 | Comma-delimited list of CIDR blocks to use for the public subnets for the untrust interface (see Architecture). The number of entries must match the number of Availability Zones you specify. |
| Trust Subnet CIDR Block (TrustSubnetIpBlocks) | 192.168.2.0/24, 192.168.12.0/24, 192.168.22.0/24 | Comma-delimited list of CIDR blocks to use for the private subnets for the trust interface (see Architecture). The number of entries must match the number of Availability Zones you specify. |
| NAT Gateway Subnet CIDR Block (NATGWSubnetIpBlocks) | 192.168.100.0/24, 192.168.101.0/24, 192.168.102.0/24 | Comma-delimited list of CIDR blocks to use for the public subnets for the NAT gateways (see Architecture). The number of entries must match the number of Availability Zones you specify. This parameter is required if you set the Create AWS NAT Gateway in each Availability Zone parameter to Yes. |
| Lambda Subnet CIDR Block (LambdaSubnetIpBlocks) | 192.168.200.0/24, 192.168.201.0/24, 192.168.202.0/24 | Comma-delimited list of CIDR blocks to use for the Lambda functions. These are used only if the NAT gateways are needed. The number of entries must match the number of Availability Zones you specify. This parameter is required if you set the Create AWS NAT Gateway in each Availability Zone parameter to Yes. |
| Splunk Enterprise CIDR Block (SplunkSubnetIpBlocks) | 192.168.3.0/24, 192.168.13.0/24, 192.168.23.0/24 | Comma-delimited list of CIDR blocks to use for the public subnets where the Splunk instances will be provisioned (see Architecture). The number of entries must match the number of Availability Zones you specify. |
| Create AWS NAT Gateway in each Availability Zone? (NATGateway) | No | Set this parameter to Yes if you want to create NAT gateways in each Availability Zone. Keep the default No setting if you want to use Elastic IP addresses instead. When this parameter is set to No, the Quick Start won’t create the subnets for NAT gateways and Lambda functions. |

VM-Series Firewall Instance Configuration:

| Parameter label (name) | Default | Description |
|---|---|---|
| Firewall instance size (FWInstanceType) | m4.xlarge | EC2 instance type and size to use for the VM-Series firewall. |
| Firewall license type (PanFWlicenseType) | Pay-as-you-go-bundle-2 | The Palo Alto Networks license type you want to use for the VM-Series software, from step 4. |
| Key used to de-license the Firewall (KeyDeLicense) | Optional | To deactivate licenses on your firewalls when a scale-in event occurs, copy and paste the license deactivation API key for your Palo Alto Networks account. To get this key: (1) log in to the Customer Support Portal on the Palo Alto Networks website; (2) from the Go To list, choose License API; (3) copy the API key, and paste it in this field. |
| Key Name (KeyName) | Requires input | Public/private key pair, which allows you to connect securely to your instances after launch. This is the key pair you created in your preferred region when you prepared your AWS account (step 1). |
| SSH Location (SSHClientLocation) | Requires input | CIDR IP range that is permitted to access the VM-Series firewall instances via SSH. We recommend that you set this value to a trusted IP range. For example, you might want to grant only your corporate network access to the deployment. |

VM-Series Firewall API Key:

| Parameter label (name) | Default | Description |
|---|---|---|
| API Key for Firewall (KeyPANWFirewall) | Key | API key that the firewall will use to authenticate API calls. The default key is based on the sample bootstrap.xml file and should only be used for testing and evaluation. For a production deployment, you must create a separate Palo Alto Networks login for the API call and generate an associated key. |
| API Key for Panorama (KeyPANWPanorama) | Requires input | API key for accessing Panorama, if you are using Panorama for centralized management. For a production deployment, you should create a separate Palo Alto Networks login for the API call and generate an associated key. |

VM-Series Firewall Auto Scaling Configuration:

| Parameter label (name) | Default | Description |
|---|---|---|
| Scaling Parameter (ScalingParameter) | ActiveSessions | Metric to use to set thresholds and create CloudWatch alarms that run Auto Scaling policies for the firewalls. The three options are ActiveSessions, DataPlane CPU Utilization, and DataPlane Buffer Utilization. These options enable you to set thresholds based on the total number of sessions that are active on the firewall, or as determined by CPU or buffer usage. For more information, see the Auto Scale VM-Series Firewalls with the Amazon ELB guide on the Palo Alto Networks website. |
| Time in seconds for Scaling Period (ScalingPeriod) | 900 | The period over which the average statistic is applied for Auto Scaling, in seconds. This value must be a multiple of 60. |
| Maximum Firewall Instances (MaximumInstancesASG) | 3 | The maximum number of VM-Series firewall instances to maintain in the Auto Scaling group. |
| Minimum Firewall Instances (MinInstancesASG) | 1 | The minimum number of VM-Series firewall instances to maintain in the Auto Scaling group. |
| ScaleDown threshold value in percentage/value (ScaleDownThreshold) | 20 | The value at which a scale-down event would take place to remove VM-Series firewall instances from the Auto Scaling group, based on the scaling metric you’ve selected. |
| ScaleUp threshold value in percentage/value (ScaleUpThreshold) | 80 | The value at which a scale-up event would take place to add VM-Series firewall instances to the Auto Scaling group, based on the scaling metric you’ve selected. |
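As an added pre-flight check (example code written for this guide, not part of the Quick Start or its CloudFormation template), the Python script below validates a parameter set against the constraints stated in the Network Configuration, Firewall Instance Configuration, and Auto Scaling tables above, and adds two checks those tables only imply: subnets must not overlap, and SSHClientLocation should never be 0.0.0.0/0. The parameter values are constructed from the template defaults; the Availability Zone names and the SSH client range are placeholders.

```python
"""Pre-flight check of a Quick Start parameter set (added example, not the
Quick Start's own code).  It encodes the constraints the parameter tables state
plus two checks a reviewer would add: no overlapping subnets, no SSH from 0.0.0.0/0."""
import ipaddress

# Constructed sample: template defaults for two Availability Zones.  The zone
# names and the SSH range (TEST-NET-3) are placeholders, not values from the guide.
DEFAULT_PARAMS = {
    "NumberOfAZs": 2,
    "AvailabilityZones": "us-east-2a,us-east-2b",
    "VPCCIDR": "192.168.0.0/16",
    "MgmtSubnetIpBlocks": "192.168.0.0/24,192.168.10.0/24",
    "UntrustSubnetIpBlocks": "192.168.1.0/24,192.168.11.0/24",
    "TrustSubnetIpBlocks": "192.168.2.0/24,192.168.12.0/24",
    "SplunkSubnetIpBlocks": "192.168.3.0/24,192.168.13.0/24",
    "NATGateway": "No",
    "NATGWSubnetIpBlocks": "",
    "LambdaSubnetIpBlocks": "",
    "SSHClientLocation": "203.0.113.0/24",
    "ScalingPeriod": 900,
    "MinInstancesASG": 1,
    "MaximumInstancesASG": 3,
    "ScaleDownThreshold": 20,
    "ScaleUpThreshold": 80,
}

# Subnet lists that are always required, and the two needed only with NAT gateways.
SUBNET_PARAMS = ("MgmtSubnetIpBlocks", "UntrustSubnetIpBlocks",
                 "TrustSubnetIpBlocks", "SplunkSubnetIpBlocks")
NAT_ONLY_PARAMS = ("NATGWSubnetIpBlocks", "LambdaSubnetIpBlocks")


def _split(value):
    """Split a comma-delimited parameter value, dropping empty entries."""
    return [v.strip() for v in str(value).split(",") if v.strip()]


def validate_params(p):
    """Return the list of problems found; an empty list means the set is consistent."""
    problems = []
    n_az = int(p["NumberOfAZs"])
    if n_az not in (2, 3):
        problems.append("NumberOfAZs must be 2 or 3")
    if len(_split(p["AvailabilityZones"])) != n_az:
        problems.append("AvailabilityZones count does not match NumberOfAZs")
    vpc = ipaddress.ip_network(p["VPCCIDR"], strict=True)

    required = list(SUBNET_PARAMS)
    if str(p["NATGateway"]).lower() == "yes":
        required += list(NAT_ONLY_PARAMS)

    seen = []  # (parameter name, network) pairs already accepted, for the overlap check
    for name in required:
        blocks = _split(p.get(name, ""))
        if len(blocks) != n_az:
            problems.append(f"{name}: {len(blocks)} entries, expected {n_az}")
        for block in blocks:
            try:
                net = ipaddress.ip_network(block, strict=True)
            except ValueError:
                problems.append(f"{name}: {block!r} is not a valid CIDR block")
                continue
            if not net.subnet_of(vpc):
                problems.append(f"{name}: {block} lies outside VPCCIDR {vpc}")
            for other_name, other in seen:
                if net.overlaps(other):
                    problems.append(f"{name}: {block} overlaps {other} ({other_name})")
            seen.append((name, net))

    # The SSH Location row recommends a trusted range; flag the whole internet outright.
    ssh = ipaddress.ip_network(p["SSHClientLocation"], strict=False)
    if ssh.prefixlen == 0:
        problems.append("SSHClientLocation 0.0.0.0/0 exposes firewall SSH to the internet")

    # Auto Scaling constraints from the table, plus the obvious ordering checks.
    if int(p["ScalingPeriod"]) % 60 != 0:
        problems.append("ScalingPeriod must be a multiple of 60 seconds")
    if int(p["MinInstancesASG"]) > int(p["MaximumInstancesASG"]):
        problems.append("MinInstancesASG exceeds MaximumInstancesASG")
    if int(p["ScaleDownThreshold"]) >= int(p["ScaleUpThreshold"]):
        problems.append("ScaleDownThreshold must be below ScaleUpThreshold")
    return problems


def demo_misconfigured():
    """Constructed set with several faults: NAT gateways enabled with one Lambda subnet
    outside the VPC and one colliding with the management subnet, SSH open to the
    world, and a scaling period that is not a multiple of 60."""
    bad = dict(DEFAULT_PARAMS)
    bad["NATGateway"] = "Yes"
    bad["NATGWSubnetIpBlocks"] = "192.168.100.0/24,192.168.101.0/24"
    bad["LambdaSubnetIpBlocks"] = "10.0.200.0/24,192.168.0.0/24"
    bad["SSHClientLocation"] = "0.0.0.0/0"
    bad["ScalingPeriod"] = 100
    return validate_params(bad)


if __name__ == "__main__":
    print(validate_params(DEFAULT_PARAMS), demo_misconfigured(), sep="\n")
```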

Splunk Configuration:

Parameter label (name) | Default | Description
Splunk Enterprise Instance Type (SplunkInstanceType) | c4.large | EC2 instance type to use for the Splunk Enterprise instances. For guidelines on configuring the Splunk Enterprise resources listed in this category, see the “Planning the Deployment” section of the Splunk Enterprise Quick Start deployment guide.
Splunk Search Instance Type (SearchHeadInstanceType) | c4.xlarge | EC2 instance type to use for Splunk Enterprise search heads.
Syslog Server Instance Type (SplunkSyslogInstanceType) | c4.large | EC2 instance type to use for the Splunk syslog-ng cluster.
Splunk Indexer Instance Type (IndexerInstanceType) | c4.xlarge | EC2 instance type to use for the Splunk indexers.
Enable Splunk Search Head Cluster (SHCEnabled) | no | Set this parameter to yes to deploy a Splunk search head cluster. (The default setting creates a single search head.)
Number of Splunk Indexers (SplunkIndexerCount) | 3 | The number of Splunk Enterprise indexer instances to launch. You can choose from 3 to 10 instances.
Splunk Indexer Disk Size (SplunkIndexerDiskSize) | 200 | The size of the EBS volume attached to the Splunk Enterprise indexers, in GiB. You can choose a value between 50 and 16,000 GiB.
Splunk Index Replication Factor (SplunkReplicationFactor) | 3 | The number of copies of data to store in the Splunk indexer cluster. You can choose from 2 to 5 copies.
Number of Syslog Servers (SplunkSyslogInstanceCount) | 2 | The number of Splunk Enterprise syslog-ng servers to launch. You can choose from 2 to 10 servers.
Splunk Syslog Server Disk Size (SplunkSyslogDiskSize) | 100 | The size of the EBS volume attached to the Splunk Enterprise syslog aggregators, in GiB. You can choose a value between 100 and 16,000 GiB.
Splunk Indexer Apps S3 URL (IndexerApps) | Optional | Comma-separated list of S3 bucket URLs for the Splunk app (or add-on) tarballs (.spl files) to pre-install on the indexer(s).
Splunk Search Head Apps S3 URL (SearchHeadApps) | Optional | Comma-separated list of S3 bucket URLs for the Splunk app (or add-on) tarballs (.spl files) to pre-install on the search head(s).
Splunk Universal Forwarder location (SplunkUFLocation) | Requires input | S3 location of the Splunk Universal Forwarder package from step 2 (e.g., https://s3.amazonaws.com/splunk-uf-bucket/splunk-uf.rpm).
Splunk License S3 Bucket (SplunkLicenseBucket) | Optional | The name of the private S3 bucket that contains your Splunk license key file, from step 3.
Splunk License file path (SplunkLicensePath) | Optional | The path, within that S3 bucket, to your Splunk license key file, without a leading forward slash (/), from step 3.
Splunk Enterprise Admin Password (SplunkAdminPassword) | Requires input | The password for Splunk Enterprise. This is a 6-32 character string and may contain letters, numbers, and symbols.
Splunk secret (SplunkSecret) | Requires input | Shared cluster secret for the Splunk search head and indexer clusters. This is a 6-32 character string and may contain letters, numbers, and symbols.
Splunk Indexer Discovery Secret (SplunkIndexerDiscoverySecret) | Requires input | Security key used for communications between forwarders and the cluster master. Forwarders must also use this value to retrieve the list of available peer nodes from the cluster master. This string must be at least 8 characters long and may contain letters, numbers, and symbols.
HTTP CIDR Block (HTTPLocation) | Requires input | The CIDR IP address range that is allowed to connect to the Splunk web interface. We recommend that you set this value to a trusted IP range. Note that a value of 0.0.0.0/0 will allow access from any IP address.
HEC Client Location CIDR Block (HECClientLocation) | Requires input | The CIDR IP address range that is permitted to send data to the Splunk HTTP Event Collector (HEC). We recommend that you set this value to a trusted IP range. Note that a value of 0.0.0.0/0 will allow access from any IP address.

Web Server Configuration:

Parameter label (name) | Default | Description
Web Servers Instance Type (InstanceType) | t2.medium | EC2 instance type for the VM-Series web servers.
External Load Balancer Name (ELBName) | public-elb | The name of the external Classic Load Balancer. This is a 3-12 character string.
Internal Load Balancer Name (ILBName) | private-ilb | The name of the internal Classic Load Balancer. This is a 3-12 character string.

AWS Quick Start Configuration:

Parameter label (name) | Default | Description
Quick Start S3 Bucket Name (QSS3BucketName) | quickstart-reference | S3 bucket where the Quick Start templates and scripts are installed. Use this parameter to specify the S3 bucket name you’ve created for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. The bucket name can include numbers, lowercase letters, uppercase letters, and hyphens, but should not start or end with a hyphen.
Quick Start S3 Key Prefix (QSS3KeyPrefix) | securityanalytics/splunkpan/latest/ | The S3 key name prefix used to simulate a folder for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. This prefix can include numbers, lowercase letters, uppercase letters, hyphens, and forward slashes.

Option 2: Parameters for deploying the Quick Start into an existing VPC

View template

Network Configuration:

Parameter label (name) | Default | Description
CIDR Block for the VPC (VPCIDR) | Requires input | The CIDR block for your existing VPC (e.g., 10.0.0.0/16).
Do you want to create AWS NAT Gateway in each Availability Zone? (NATGateway) | No | Set this parameter to Yes if you want to create NAT gateways in each Availability Zone. Keep the default No setting if you want to use Elastic IP addresses instead. When this parameter is set to No, the Quick Start won’t create the subnets for NAT gateways and Lambda functions.
Number of Availability Zones for deployment (NumberOfAZs) | 2 | The number of Availability Zones to use in the VPC. This must match your selections in the Availability Zones parameter. You can choose 2 or 3 Availability Zones.
Select list of AZ (AvailabilityZones) | Requires input | The list of Availability Zones in the AWS Region where you want to install the Palo Alto Networks and Splunk software. The number of selections must match the value you specify in the Number of Availability Zones parameter. The Quick Start preserves the logical order you specify.
VPC ID (VPCID) | Requires input | ID of your existing VPC (e.g., vpc-0343606e).

Subnet Configuration:

Parameter label (name) | Default | Description
Lambda Function Subnet 1 (LambdaSubnet1) | Requires input | First subnet to use for the Lambda functions.
Lambda Function Subnet 2 (LambdaSubnet2) | Requires input | Second subnet to use for the Lambda functions.
Lambda Function Subnet 3 (LambdaSubnet3) | Optional | Third subnet to use for the Lambda functions. This is used only if you’ve designated three Availability Zones for deployment.
Management Subnet 1 (MGMTSubnet1) | Requires input | Subnet to use for the first management interface.
Management Subnet 2 (MGMTSubnet2) | Requires input | Subnet to use for the second management interface.
Management Subnet 3 (MGMTSubnet3) | Optional | Subnet to use for the third management interface. This is used only if you’ve designated three Availability Zones for deployment.
NAT Gateway Subnet 1 (NATSubnet1) | Requires input | Subnet to use for the first NAT gateway instance.
NAT Gateway Subnet 2 (NATSubnet2) | Requires input | Subnet to use for the second NAT gateway instance.
NAT Gateway Subnet 3 (NATSubnet3) | Optional | Subnet to use for the third NAT gateway instance. This is used only if you’ve designated three Availability Zones for deployment.
Splunk Subnet 1 (SplunkSubnet1) | Requires input | First subnet for provisioning Splunk instances.
Splunk Subnet 2 (SplunkSubnet2) | Requires input | Second subnet for provisioning Splunk instances.
Splunk Subnet 3 (SplunkSubnet3) | Optional | Third subnet for provisioning Splunk instances. This is used only if you’ve designated three Availability Zones for deployment.
TRUST Subnet 1 (TRUSTSubnet1) | Requires input | Subnet to use for the first trust interface.
TRUST Subnet 2 (TRUSTSubnet2) | Requires input | Subnet to use for the second trust interface.
TRUST Subnet 3 (TRUSTSubnet3) | Optional | Subnet to use for the third trust interface. This is used only if you’ve designated three Availability Zones for deployment.
UNTRUST Subnet 1 (UNTRUSTSubnet1) | Requires input | Subnet to use for the first untrust interface.
UNTRUST Subnet 2 (UNTRUSTSubnet2) | Requires input | Subnet to use for the second untrust interface.
UNTRUST Subnet 3 (UNTRUSTSubnet3) | Optional | Subnet to use for the third untrust interface. This is used only if you’ve designated three Availability Zones for deployment.

VM-Series Firewall Instance Configuration:

Parameter label (name) | Default | Description
Firewall instance size (FWInstanceType) | m4.xlarge | EC2 instance type and size to use for the VM-Series firewall.
Firewall license type (PanFWlicenseType) | Pay-as-you-go-bundle-2 | The Palo Alto Networks license type you want to use for the VM-Series software, from step 4.
Key used to de-license the Firewall (KeyDeLicense) | Optional | To deactivate licenses on your firewalls when a scale-in event occurs, copy and paste the license deactivation API key for your Palo Alto Networks account. To get this key:
  1. Log in to the Customer Support Portal on the Palo Alto Networks website.
  2. From the Go To list, choose License API.
  3. Copy the API key, and paste it in this field.
Key Name (KeyName) | Requires input | Public/private key pair, which allows you to connect securely to your instances after launch. When you created an AWS account, this is the key pair you created in your preferred region.
SSH Location (SSHClientLocation) | Requires input | CIDR IP range that is permitted to access the VM-Series firewall instances via SSH. We recommend that you set this value to a trusted IP range. For example, you might want to grant only your corporate network access to the deployment.

VM-Series Firewall API Key:

Parameter label (name) | Default | Description
API Key for Firewall (KeyPANWFirewall) | Key | API key that the firewall will use to authenticate API calls. The default key is based on the sample bootstrap.xml file and should only be used for testing and evaluation. For a production deployment, you must create a separate Palo Alto Networks login for the API call and generate an associated key.
API Key for Panorama (KeyPANWPanorama) | Requires input | API key for accessing Panorama, if you are using Panorama for centralized management. For a production deployment, you should create a separate Palo Alto Networks login for the API call and generate an associated key.

VM-Series Firewall Auto Scaling Configuration:

Parameter label (name) | Default | Description
Scaling Parameter (ScalingParameter) | ActiveSessions | Metric to use to set thresholds and create CloudWatch alarms that run Auto Scaling policies for the firewalls. The three options are ActiveSessions, DataPlane CPU Utilization, and DataPlane Buffer Utilization. These options enable you to set thresholds based on the total number of sessions that are active on the firewall, or on CPU or buffer usage. For more information, see the Auto Scale VM-Series Firewalls with the Amazon ELB guide on the Palo Alto Networks website.
Time in seconds for Scaling Period (ScalingPeriod) | 900 | The period over which the average statistic is applied for Auto Scaling, in seconds. This value must be a multiple of 60.
Maximum Firewall Instances (MaximumInstancesASG) | 3 | The maximum number of VM-Series firewall instances to maintain in the Auto Scaling group.
Minimum Firewall Instances (MinInstancesASG) | 1 | The minimum number of VM-Series firewall instances to maintain in the Auto Scaling group.
ScaleDown threshold value in percentage/value (ScaleDownThreshold) | 20 | The value at which a scale-down event takes place to remove VM-Series firewall instances from the Auto Scaling group, based on the scaling metric you’ve selected.
ScaleUp threshold value in percentage/value (ScaleUpThreshold) | 80 | The value at which a scale-up event takes place to add VM-Series firewall instances to the Auto Scaling group, based on the scaling metric you’ve selected.

Splunk Configuration:

Parameter label (name) | Default | Description
Splunk Enterprise Instance Type (SplunkInstanceType) | c4.large | EC2 instance type to use for the Splunk Enterprise instances. For guidelines on configuring the Splunk Enterprise resources listed in this category, see the “Planning the Deployment” section of the Splunk Enterprise Quick Start deployment guide.
HTTP CIDR Block (HTTPLocation) | Requires input | The CIDR IP address range that is allowed to connect to the Splunk web interface. We recommend that you set this value to a trusted IP range. Note that a value of 0.0.0.0/0 will allow access from any IP address.
Enable Splunk Search Head Cluster (SHCEnabled) | no | Set this parameter to yes to deploy a Splunk search head cluster. (The default setting creates a single search head.)
Splunk Enterprise Admin Password (SplunkAdminPassword) | Requires input | The password for Splunk Enterprise. This is a 6-32 character string and may contain letters, numbers, and symbols.
Number of Splunk Indexers (SplunkIndexerCount) | 3 | The number of Splunk Enterprise indexer instances to launch. You can choose from 3 to 10 instances.
Splunk Indexer Disk Size (SplunkIndexerDiskSize) | 200 | The size of the EBS volume attached to the Splunk Enterprise indexers, in GiB. You can choose a value between 50 and 16,000 GiB.
Splunk License S3 Bucket (SplunkLicenseBucket) | Optional | The name of the private S3 bucket that contains your Splunk license key file, from step 3.
Splunk License file path (SplunkLicensePath) | Optional | The path, within that S3 bucket, to your Splunk license key file, without a leading forward slash (/), from step 3.
Splunk Index Replication Factor (SplunkReplicationFactor) | 3 | The number of copies of data to store in the Splunk indexer cluster. You can choose from 2 to 5 copies.
Splunk secret (SplunkSecret) | Requires input | Shared cluster secret for the Splunk search head and indexer clusters. This is a 6-32 character string and may contain letters, numbers, and symbols.
HEC Client Location CIDR Block (HECClientLocation) | Requires input | The CIDR IP address range that is permitted to send data to the Splunk HTTP Event Collector (HEC). We recommend that you set this value to a trusted IP range. Note that a value of 0.0.0.0/0 will allow access from any IP address.
Splunk Indexer Apps S3 URL (IndexerApps) | Optional | Comma-separated list of S3 bucket URLs for the Splunk app (or add-on) tarballs (.spl files) to pre-install on the indexer(s).
Splunk Search Head Apps S3 URL (SearchHeadApps) | Optional | Comma-separated list of S3 bucket URLs for the Splunk app (or add-on) tarballs (.spl files) to pre-install on the search head(s).
Splunk Universal Forwarder location (SplunkUFLocation) | Requires input | S3 location of the Splunk Universal Forwarder package from step 2 (e.g., https://s3.amazonaws.com/splunk-uf-bucket/splunk-uf.rpm).
Splunk Indexer Instance Type (IndexerInstanceType) | c4.xlarge | EC2 instance type to use for the Splunk indexers.
Splunk Search Instance Type (SearchHeadInstanceType) | c4.xlarge | EC2 instance type to use for Splunk Enterprise search heads.
Splunk Syslog Server Disk Size (SplunkSyslogDiskSize) | 100 | The size of the EBS volume attached to the Splunk Enterprise syslog aggregators, in GiB. You can choose a value between 100 and 16,000 GiB.
Number of Syslog Servers (SplunkSyslogInstanceCount) | 2 | The number of Splunk Enterprise syslog-ng servers to launch. You can choose from 2 to 10 servers.
Syslog Server Instance Type (SplunkSyslogInstanceType) | c4.large | EC2 instance type to use for the Splunk syslog-ng cluster.

Web Server Configuration:

Parameter label (name) | Default | Description
Web Servers Instance Type (InstanceType) | t2.medium | EC2 instance type for the VM-Series web servers.
External Load Balancer Name (ELBName) | public-elb | The name of the external Classic Load Balancer. This is a 3-12 character string.
Internal Load Balancer Name (ILBName) | private-ilb | The name of the internal Classic Load Balancer. This is a 3-12 character string.

AWS Quick Start Configuration:

Parameter label (name) | Default | Description
Quick Start S3 Bucket Name (QSS3BucketName) | quickstart-reference | S3 bucket where the Quick Start templates and scripts are installed. Use this parameter to specify the S3 bucket name you’ve created for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. The bucket name can include numbers, lowercase letters, uppercase letters, and hyphens, but should not start or end with a hyphen.
Quick Start S3 Key Prefix (QSS3KeyPrefix) | securityanalytics/splunkpan/latest/ | The S3 key name prefix used to simulate a folder for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. This prefix can include numbers, lowercase letters, uppercase letters, hyphens, and forward slashes.
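A pre-launch check over the parameter values in the tables above, for both deployment options, catches out-of-range values and the 0.0.0.0/0 access ranges before the stack is created. The script below is an added example, not part of the Quick Start. The constraints it encodes are the ones the tables state (value ranges, string lengths, bucket and prefix character sets, ScalingPeriod as a multiple of 60, NumberOfAZs matching the AvailabilityZones selection, and the third-AZ subnets being needed at three Availability Zones); the VPC ID pattern, the treatment of AvailabilityZones as a comma-separated string, the ScaleDown-below-ScaleUp rule and the sample parameter set are assumptions.

```python
"""Pre-launch validation of Quick Start parameter values (added example)."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Parameters that gate network access to management and ingest surfaces.
ACCESS_CIDR_PARAMS = ("HTTPLocation", "HECClientLocation", "SSHClientLocation")

# Inclusive integer ranges, as stated in the parameter tables.
INT_RANGES = {
    "SplunkIndexerCount": (3, 10),
    "SplunkIndexerDiskSize": (50, 16000),
    "SplunkReplicationFactor": (2, 5),
    "SplunkSyslogInstanceCount": (2, 10),
    "SplunkSyslogDiskSize": (100, 16000),
    "NumberOfAZs": (2, 3),
}
# (min, max) string lengths; None means no upper bound is stated.
STR_LENGTHS = {
    "SplunkAdminPassword": (6, 32),
    "SplunkSecret": (6, 32),
    "SplunkIndexerDiscoverySecret": (8, None),
    "ELBName": (3, 12),
    "ILBName": (3, 12),
}
BUCKET_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]*[A-Za-z0-9]$|^[A-Za-z0-9]$")
PREFIX_RE = re.compile(r"^[A-Za-z0-9/-]*$")
VPC_ID_RE = re.compile(r"vpc-[0-9a-f]{8,17}")  # assumed ID shape
# Marked "Optional" in the table, but needed once three AZs are selected.
THIRD_AZ_SUBNETS = ("LambdaSubnet3", "MGMTSubnet3", "NATSubnet3",
                    "SplunkSubnet3", "TRUSTSubnet3", "UNTRUSTSubnet3")

# Constructed sample parameter set; IDs and ranges are placeholders.
SAMPLE_PARAMS = {
    "VPCIDR": "10.0.0.0/16", "VPCID": "vpc-0343606e",
    "NumberOfAZs": 3, "AvailabilityZones": "us-east-1a,us-east-1b",
    "HTTPLocation": "0.0.0.0/0", "HECClientLocation": "10.10.0.0/16",
    "SSHClientLocation": "203.0.113.0/24",
    "SplunkAdminPassword": "short", "SplunkIndexerCount": 3,
    "ScalingPeriod": 900, "ScaleDownThreshold": 20, "ScaleUpThreshold": 80,
    "QSS3BucketName": "quickstart-reference",
    "QSS3KeyPrefix": "securityanalytics/splunkpan/latest/",
}


def check_params(p: Dict[str, object]) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for a dict keyed by template parameter name."""
    errors, warnings = [], []

    for name, (lo, hi) in INT_RANGES.items():
        if name in p and not lo <= int(p[name]) <= hi:
            errors.append(f"{name}={p[name]} outside {lo}-{hi}")
    for name, (lo, hi) in STR_LENGTHS.items():
        if name in p:
            n = len(str(p[name]))
            if n < lo or (hi is not None and n > hi):
                errors.append(f"{name} length {n} outside {lo}-{hi or 'unbounded'}")

    # Access ranges: must parse as CIDR; a /0 is legal but opens the surface
    # to every address, which the tables explicitly warn about.
    for name in ACCESS_CIDR_PARAMS:
        if name not in p:
            continue
        try:
            net = ipaddress.ip_network(str(p[name]), strict=False)
        except ValueError:
            errors.append(f"{name}={p[name]!r} is not a CIDR block")
            continue
        if net.prefixlen == 0:
            warnings.append(f"{name}=0.0.0.0/0 allows access from any IP address")

    if "VPCIDR" in p:
        try:
            ipaddress.ip_network(str(p["VPCIDR"]), strict=True)
        except ValueError:
            errors.append(f"VPCIDR={p['VPCIDR']!r} is not a valid network")
    if "VPCID" in p and not VPC_ID_RE.fullmatch(str(p["VPCID"])):
        errors.append(f"VPCID={p['VPCID']!r} does not look like a VPC ID")

    if "QSS3BucketName" in p and not BUCKET_RE.match(str(p["QSS3BucketName"])):
        errors.append("QSS3BucketName: letters, digits and hyphens only, "
                      "not starting or ending with a hyphen")
    if "QSS3KeyPrefix" in p and not PREFIX_RE.match(str(p["QSS3KeyPrefix"])):
        errors.append("QSS3KeyPrefix: letters, digits, hyphens and slashes only")

    if "ScalingPeriod" in p and int(p["ScalingPeriod"]) % 60:
        errors.append("ScalingPeriod must be a multiple of 60")
    if all(k in p for k in ("ScaleDownThreshold", "ScaleUpThreshold")) and \
            float(p["ScaleDownThreshold"]) >= float(p["ScaleUpThreshold"]):
        errors.append("ScaleDownThreshold must be below ScaleUpThreshold")
    if all(k in p for k in ("MinInstancesASG", "MaximumInstancesASG")) and \
            int(p["MinInstancesASG"]) > int(p["MaximumInstancesASG"]):
        errors.append("MinInstancesASG exceeds MaximumInstancesASG")

    # Existing-VPC option: the AZ count must match the AZ list, and a third
    # AZ needs every *Subnet3 parameter filled in.
    if "NumberOfAZs" in p and "AvailabilityZones" in p:
        azs = [a for a in str(p["AvailabilityZones"]).split(",") if a.strip()]
        if len(azs) != int(p["NumberOfAZs"]):
            errors.append(f"NumberOfAZs={p['NumberOfAZs']} but "
                          f"{len(azs)} AvailabilityZones given")
        if int(p["NumberOfAZs"]) == 3:
            missing = [s for s in THIRD_AZ_SUBNETS if not p.get(s)]
            if missing:
                errors.append("three AZs selected but missing: " + ", ".join(missing))
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_params(SAMPLE_PARAMS)
    print("\n".join(["ERROR: " + e for e in errs] + ["WARN: " + w for w in warns]))
```

Running it against the constructed sample reports three errors (a 5-character admin password, three Availability Zones selected with only two listed, and the six missing third-AZ subnets) and one warning for the open HTTPLocation; the warning is deliberately not an error, because 0.0.0.0/0 is a valid template value that the guide merely recommends against.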

5. On the Options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you’re done, choose Next.

6. On the Review page, review and confirm the template settings. Under Capabilities, select the check box to acknowledge that the template will create IAM resources.

7. Choose Create to deploy the stack.

8. Monitor the status of the stack. When the status is CREATE_COMPLETE, the security and analytics environment is ready to use.

9. Use the URLs displayed in the Outputs tab for the stack to view the resources that were created.

Step 6. Test the Deployment

Testing the Integration

Follow these steps to test the integration of the Palo Alto Networks VM-Series firewall and Splunk Enterprise.

1. Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation/.

2. Select the parent stack and choose the Outputs tab.

3. Copy the output value of Search Head URL, and open it in a web browser.

4. Log in to Splunk Web using the user name “admin” and the password you specified when you deployed the Quick Start in step 5.

5. In Splunk Web, choose the Search & Reporting app to bring up the Splunk search bar.

6. Type the following search into the search bar: sourcetype=pan:* NOT PROXY

The search should result in raw events being displayed in the Events tab, and the tab’s title will specify the number of events found, as shown in Figure 2.


Figure 2: List of events

Testing Access to the Palo Alto Networks Firewall

Note: You do not need to access the firewalls to configure them. To configure the firewalls, you can deploy a firewall outside the Auto Scaling group, configure it, and save the configuration as the new bootstrap.xml file in the S3 bucket, as described in step 7. Refresh the stack to trigger the firewalls in the Auto Scaling group to use the new configuration from the S3 bucket.

If NAT Gateway is enabled, you cannot access the firewall management interface directly. You must use a bastion host in the management subnet of the stack to access the firewall. The bastion host could be an SSH tunnel server, a reverse proxy such as NGINX, or a jump box. AWS offers a Linux-based bastion host Quick Start. If you are not using NAT Gateway, follow these steps:

1. Determine the public IP of the firewall you want to access. This can be found in the Amazon EC2 console for the firewall instances.

2. Use SSH or a browser to connect with HTTPS to the public IP address.

3. Log in to the firewall by using the demo credentials: pandemo / demopassword


We recommend that you set your own credentials by editing the bootstrap.xml file, as described in the next step.

Step 7. (Optional) Customize the bootstrap.xml File

The Palo Alto Networks VM-Series firewalls will deploy with a configuration pulled from a bootstrap.xml file in an S3 bucket. After deployment, you can access the bootstrap.xml file by using the URL in the AWS CloudFormation console Outputs tab, and edit the file to set your credentials and customize settings for your production environment. For more information about customizing the file, see the Palo Alto Networks documentation. After you edit the file, refresh the stack to use the new configuration.
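Before a customized bootstrap.xml is published back to the S3 bucket, it is worth confirming that the demo administrator account from the sample file is gone and that the remaining administrators are the ones you intend. The script below is an added example, not Quick Start or Palo Alto Networks code. It assumes the PAN-OS configuration layout for administrators (mgt-config/users/entry with a phash element and role-based permissions); the document it parses is constructed, with placeholder hashes, and the demo user name is the one the guide lists above.

```python
"""Lint a PAN-OS bootstrap.xml for leftover demo administrators (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

DEMO_USERS = {"pandemo"}  # demo login named in this guide

# Constructed sample configuration; phash values are placeholders, not real hashes.
SAMPLE_BOOTSTRAP = """<?xml version="1.0"?>
<config version="8.0.0" urldb="paloaltonetworks">
  <mgt-config>
    <users>
      <entry name="pandemo">
        <phash>PLACEHOLDER-HASH</phash>
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
      </entry>
      <entry name="soc-admin">
        <phash>PLACEHOLDER-HASH</phash>
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
      </entry>
      <entry name="api-readonly">
        <phash>PLACEHOLDER-HASH</phash>
        <permissions><role-based><superreader>yes</superreader></role-based></permissions>
      </entry>
    </users>
  </mgt-config>
</config>
"""


@dataclass
class AdminAccount:
    name: str
    superuser: bool
    has_password: bool


def list_admins(xml_text: str) -> List[AdminAccount]:
    """Extract administrator entries from a PAN-OS configuration document."""
    root = ET.fromstring(xml_text)
    accounts = []
    for entry in root.findall("./mgt-config/users/entry"):
        su = entry.find("./permissions/role-based/superuser")
        phash = entry.find("phash")
        accounts.append(AdminAccount(
            name=entry.get("name", ""),
            superuser=su is not None and (su.text or "").strip() == "yes",
            has_password=phash is not None and bool((phash.text or "").strip()),
        ))
    return accounts


def lint_bootstrap(xml_text: str) -> List[str]:
    """Findings a reviewer would want to see before the file reaches S3."""
    findings = []
    admins = list_admins(xml_text)
    if not admins:
        findings.append("no administrator accounts defined under mgt-config/users")
    for a in admins:
        if a.name in DEMO_USERS:
            findings.append(f"demo account '{a.name}' still present; "
                            "replace it with your own credentials")
        if not a.has_password:
            findings.append(f"account '{a.name}' has no password hash")
    superusers = [a.name for a in admins if a.superuser]
    if len(superusers) > 1:
        findings.append("multiple superuser accounts, confirm each is needed: "
                        + ", ".join(superusers))
    return findings


if __name__ == "__main__":
    for finding in lint_bootstrap(SAMPLE_BOOTSTRAP):
        print("-", finding)
```

On the constructed sample the lint reports the leftover pandemo account and that two accounts hold superuser; the read-only API account is listed but not flagged. The same parse can be extended to whatever else your bootstrap carries (management-interface service settings, API-only roles) once the demo credentials are out.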

FAQ

Q. I encountered a CREATE_FAILED error when I launched the Quick Start.

A. If AWS CloudFormation fails to create the stack, we recommend that you relaunch the template with Rollback on failure set to No. (This setting is under Advanced in the AWS CloudFormation console, Options page.) With this setting, the stack’s state will be retained and the instance will be left running, so you can troubleshoot the issue. (You'll want to look at the log files in %ProgramFiles%\Amazon\EC2ConfigService and C:\cfn\log.)

Important: When you set Rollback on failure to No, you’ll continue to incur AWS charges for this stack. Please make sure to delete the stack when you’ve finished troubleshooting.

For additional information, see Troubleshooting AWS CloudFormation on the AWS website.

Q. How do I change the credentials for all the firewalls at once?

A. To change the firewall credentials, follow the directions in the Palo Alto Networks documentation.

Q. I’ve deployed the Quick Start. How do I change the firewall configuration or version?

A. To update the firewalls in the stack after the stack is deployed, follow the directions in the Palo Alto Networks documentation.


Additional Resources

AWS services

AWS CloudFormation
http://aws.amazon.com/documentation/cloudformation/

Amazon EBS
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html

Amazon EC2
http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/

Amazon VPC
http://aws.amazon.com/documentation/vpc/

Palo Alto Networks VM-Series Firewall

More information on Palo Alto Networks VM-Series Firewalls
https://www.paloaltonetworks.com/products/secure-the-network/virtualized-next-generation-firewall/vm-series

AWS Auto Scale of VM-Series Firewalls
https://www.paloaltonetworks.com/documentation/80/virtualization/virtualization/set-up-the-vm-series-firewall-on-aws/auto-scale-vm-series-firewalls-with-the-amazon-elb

Splunk Enterprise

Product documentation
http://docs.splunk.com/Documentation/Splunk/latest/

Manual implementation guide
https://www.splunk.com/pdfs/white-papers/splunk-enterprise-on-aws-deploymentguidelines.pdf

Splunk on AWS technical brief
https://www.splunk.com/pdfs/technical-briefs/deploying-splunk-enterprise-onamazon-web-services-technical-brief.pdf

Splunk Add-on for Amazon Web Services
https://splunkbase.splunk.com/app/1876/

Splunk App for AWS
https://splunkbase.splunk.com/app/1274/

Splunk HTTP Event Collector
http://dev.splunk.com/view/event-collector/SP-CAAAE6M


AWS Lambda blueprints for HEC
http://dev.splunk.com/view/event-collector/SP-CAAAE6W

Quick Start reference deployments

AWS Quick Start home page
https://aws.amazon.com/quickstart/

Send Us Feedback

You can visit our GitHub repository to download the templates and scripts for this Quick Start, to post your comments, and to share your customizations with others.

Document Revisions

Date | Change | In sections
November 2017 | Initial publication | —


© 2017, Amazon Web Services, Inc. or its affiliates, Palo Alto Networks, and Splunk. All rights reserved.

Notices

This document is provided for informational purposes only. It represents AWS’s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether express or implied. This document does not create any warranties, representations, contractual commitments, conditions or assurances from AWS, its affiliates, suppliers or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/ or in the "license" file accompanying this file. This code is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.