Learn how to troubleshoot and resolve issues when monitoring Palo Alto Networks firewalls on AWS CloudWatch. Discover the importance of IAM policies and CloudWatch namespaces in ensuring effective monitoring.
Question
A cloud infrastructure architect wants to monitor NGFW in production running on Amazon Web Services (AWS). It is known that the software firewalls are able to publish native PAN-OS metrics to AWS CloudWatch. The cloud infrastructure architect is unable to browse any firewall metrics on CloudWatch.
Which two features are needed to remediate this issue? (Choose two.)
A. IAM policy with action = “cloudwatch:PutMetricData”
B. IAM policy with action = “cloudwatch:SharetMetricData”
C. CloudWatch Monitoring with namespace = VMseries
D. CloudWatch Monitoring with namespace = aws
Answer
A. IAM policy with action = “cloudwatch:PutMetricData”
C. CloudWatch Monitoring with namespace = VMseries
Explanation
Option A is correct because the cloudwatch:PutMetricData action allows the firewall to publish custom metrics to AWS CloudWatch. This is a necessary permission for the firewall to send metrics to CloudWatch.
Option B is incorrect because there is no cloudwatch:SharetMetricData action in AWS IAM.
Option C is correct because the VM-Series firewall on AWS can publish native PAN-OS metrics to AWS CloudWatch. However, when the default namespace (VMseries) is used in the firewall's cloud setup, the metrics do not appear. Therefore, changing the default VM series namespace to another one, such as VM series1, and committing the changes can resolve the issue.
Option D is incorrect because AWS CloudWatch does not have a namespace named ‘aws’.
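The two correct options can be checked together before looking for metrics in the console. The following Python is an added example, not part of the original question or of Palo Alto Networks' material: it tests whether an IAM policy document allows `cloudwatch:PutMetricData` for the namespace configured on the firewall, using the `cloudwatch:namespace` condition key. The sample policies and function names are constructed, and only `Effect`, `Action` and that one condition key are evaluated.

```python
import fnmatch
import json

ACTION = "cloudwatch:PutMetricData"

# Constructed sample policies (not taken from the page or any real account).
POLICY_MISSING = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"ec2:Describe*","Resource":"*"}]}'
POLICY_SCOPED = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["cloudwatch:putmetricdata"], "Resource": "*",
    "Condition": {"StringEquals": {"cloudwatch:namespace": "VMseries"}}}})

def _as_list(value):
    # IAM accepts either a single value or a list in these positions.
    return value if isinstance(value, list) else [value]

def _action_matches(stmt):
    # Action names are case-insensitive and may use * and ? wildcards.
    return any(fnmatch.fnmatchcase(ACTION.lower(), a.lower())
               for a in _as_list(stmt.get("Action", [])))

def _namespace_ok(stmt, namespace):
    # True unless a cloudwatch:namespace condition excludes this namespace.
    for operator, keys in stmt.get("Condition", {}).items():
        for key, allowed in keys.items():
            if key.lower() != "cloudwatch:namespace":
                continue  # other condition keys are not evaluated here
            if operator == "StringEquals":
                return namespace in _as_list(allowed)
            if operator == "StringLike":
                return any(fnmatch.fnmatchcase(namespace, p) for p in _as_list(allowed))
            return False  # operator not modelled: report as not granted
    return True

def can_publish(policy_json, namespace):
    """Return (allowed, reason) for PutMetricData into `namespace`."""
    matching = [s for s in _as_list(json.loads(policy_json)["Statement"])
                if _action_matches(s)]
    if any(s["Effect"] == "Deny" for s in matching):
        return False, "explicit Deny on " + ACTION  # conservative: Deny conditions ignored
    allows = [s for s in matching if s["Effect"] == "Allow"]
    if not allows:
        return False, "no statement allows " + ACTION
    if not any(_namespace_ok(s, namespace) for s in allows):
        return False, "cloudwatch:namespace condition excludes " + namespace
    return True, "ok"

if __name__ == "__main__":
    for name, policy in (("missing", POLICY_MISSING), ("scoped", POLICY_SCOPED)):
        for ns in ("VMseries", "VMseries1"):
            print(name, ns, can_publish(policy, ns))
```

A policy scoped to one namespace stops granting access as soon as the namespace on the firewall is renamed, so the policy and the firewall setting have to be changed together.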
Palo Alto Networks PCSFE certification exam practice question and answer (Q&A) dump with detailed explanation and reference, available free to help you pass the Palo Alto Networks PCSFE exam and earn the Palo Alto Networks PCSFE certification.