AWS Quick Starts — Customer Ready Solutions

Security and analytics environment on AWS

With Palo Alto Networks VM-Series firewall and Splunk Enterprise

This Quick Start builds an enterprise-class security and analytics environment on the Amazon Web Services (AWS) Cloud, using the Palo Alto Networks VM-Series next-generation firewall, Splunk Enterprise, and the Palo Alto Networks App for Splunk, along with complementary services from AWS.

These technologies help protect your workloads from cyberattacks and provide visibility, analytics, and reporting across cloud, on-premises, and hybrid environments.

The Palo Alto Networks VM-Series next-generation firewall complements AWS security groups and web application firewalls by classifying and controlling application traffic on AWS based on the application identity, and then applying threat prevention policies to block known and unknown cyberthreats. Splunk Enterprise provides security visibility by capturing and analyzing logs from the Palo Alto firewall using the Palo Alto Networks App for Splunk.


This Quick Start was developed by Splunk and Palo Alto Networks in collaboration with AWS. Splunk and Palo Alto Networks are
APN Partners.

  •  What you'll build
  •  How to deploy
  •  Cost and licenses
  •  Resources
  •  What you'll build
  • The Quick Start architecture includes the following:

    • A VPC spanning multiple Availability Zones, with three public and two private subnets in each zone.*
    • Network address translation (NAT) gateways that allow the servers in the private subnets to connect to the internet.*
    • VM-Series firewall instances in an Auto Scaling group with three network interfaces: untrust, trust, and management.
    • Security groups for each instance or function to restrict access to only necessary protocols and ports.
    • An Amazon Simple Storage Service (Amazon S3) bucket that contains the firewall bootstrap files.
    • In the private subnets, an Auto Scaling group for the web servers, spanning multiple Availability Zones.
    • In the public subnets, Splunk indexers, search heads, syslog-ng servers, license server, indexer cluster master, and search head deployer.
    • External and internal load balancers for the web servers, and three load balancers for the Splunk instances.

    * The template that deploys the Quick Start into an existing VPC skips the components marked by asterisks.

  •  How to deploy
  • You can build your security and analytics environment on AWS in 30-45 minutes, by following these steps:

    1. If you don't already have an AWS account, sign up at
    2. Get the binaries required for launch, and place them in an S3 bucket.
    3. Subscribe to the Amazon Machine Image (AMI) for Splunk Enterprise in AWS Marketplace.
    4. Get a license for the Palo Alto Networks VM-Series firewall. We recommend that you use the pay-as-you-go (PAYG) option.
    5. Launch the Quick Start. You can choose from two options:
    6. Test the integration and confirm that you can access the VM-Series firewall.
    7. (Optional) Customize the bootstrap.xml file.

    The Quick Start includes parameters that you can customize. For example, you can configure your network or customize firewall and Splunk Enterprise settings.

  •  Cost and licenses
  • You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

    The AWS CloudFormation templates for this Quick Start include configuration parameters that you can customize. Some of these settings, such as instance type, will affect the cost of deployment. See the pricing pages for each AWS service you will be using for cost estimates.

    The Palo Alto Networks VM-Series next-generation firewall deployed in this Quick Start requires a license. You can obtain a license through AWS Marketplace (recommended) or use the bring-your-own-license (BYOL) option.

    • Pay as you go (PAYG): This option deploys VM-Series Bundle 2 directly from AWS Marketplace. This bundle includes a VM-300 firewall license and annual subscriptions for Threat Prevention, WildFire, URL Filtering, GlobalProtect, and Premium Support (written and spoken English only).
    • BYOL: This option allows you to work with Palo Alto Networks sales or channel partners to generate an authorization code (license) that includes a VM-100, VM-300, VM-500 or VM-700 firewall license, along with the associated subscriptions and support. You must register your BYOL authorization code on the Palo Alto Networks support portal before you launch the Quick Start.

    This Quick Start also requires a subscription to the Splunk Enterprise AMI, which is available from AWS Marketplace. The AMI offers a 60-day trial license that provides limited access to Splunk Enterprise features. To fully utilize the environment created by this Quick Start, you will need to obtain a Splunk Enterprise license by contacting

  •  Resources
  • This Quick Start reference deployment is related to a solution featured in Solution Space that includes a solution brief, optional consulting offers crafted by AWS Competency Partners, and AWS co-investment in proof-of-concept (PoC) projects. To learn more about these resources, visit Solution Space.