Configure VM Monitoring with the Panorama Plugin for GCP
Before you configure the Google Cloud Platform plugin for Panorama for VM Monitoring, complete the GCP and Panorama preparation tasks.
This topic describes how to prepare your GCP assets for VM monitoring, reviews the required Panorama elements, and describes how to configure VM Monitoring in the Panorama plugin for Google Cloud Platform (GCP).
- Configure GCP Assets for VM Monitoring
- Review and Create Tags
- Configure VM Monitoring with the Panorama Plugin for GCP
Configure GCP Assets for VM Monitoring
You can monitor VM-Series firewalls you deployed from the GCP marketplace, firewalls you deployed with auto scaling firewall templates, GCE instances you created from the GCP console or the gcloud command line, and other virtual machines deployed in GCP. If you deploy PAN-OS VMs from the Marketplace, follow the instructions in Set Up the VM-Series Firewall on Google Cloud Platform.
Review IAM Roles
Ensure that you have the following minimum permissions for VM Monitoring tasks:
- In the GCP console, create a service account for your project and grant it the Project Owner or Editor role. Service account creation cannot be automated. If you do not have permission to create a service account, ask an administrator to create it and assign an appropriate role to you.
- View your service account: read-only.
- View PAN-OS VMs deployed from the Google Marketplace: Compute Viewer.
- Assign a user-defined tag to an instance: Project Owner, Editor, or Instance Admin.
Create a Service Account
Before you use the GCP plugin on Panorama to configure VM Monitoring, you must use the GCP console to create a service account that grants permissions to access your GCP project, the VM-Series firewalls deployed within it, any other VMs that you want Panorama to manage, and the related networks and subnetworks. The GCP plugin for Panorama retrieves predefined attributes for Google assets, user-defined VM labels, and user-defined network tags.
Every project has a default service account
that was automatically created when the project was created. If
you create a separate service account specifically for VM Monitoring
you have greater control of users and their roles. You can configure
up to 100 service accounts per project.
- In the Google Cloud Platform console, select the project you want to monitor.
- Select IAM & Admin > Service accounts and choose +Create Service Account. Enter the service account name and description, and click Create.
- Select a role type from the drop-down menu, and on the right, select an appropriate access level. For example, select Project > Editor. You can select multiple roles for a service account. When you are finished, click Continue.
- Grant specific users permission to access this service account. Select members from the Permissions column on the right to give them permission to access the roles in the previous step.
- (Optional) Click +CREATE KEY to create a credential that allows you to authenticate with the Google Cloud CLI to access VM-Series firewalls, networks, and other VMs associated with this service account. The key is downloaded automatically. Be sure to store it in a secure location. The JSON format for the generated private key is as follows:
    {
      "type": "service_account",
      "project_id": "gcp-xxx",
      "private_key_id": "252e1e7a2e9c84b5d4dbb6195b1de074594b6499",
      "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDAd0i+RMKCtrsO\n4KHnzTAPrgoBjRgpjyNcvQmdUqHr\n-----END PRIVATE KEY-----\n",
      "client_email": "dlp-vm-monit-svc-acct@gcp-xxx.iam.gserviceaccount.com",
      "client_id": "108932514695821539229",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/dlp-vm-monit-svc-acct%40gcp-xxx.iam.gserviceaccount.com"
    }
Review and Create Tags
Tagging in GCP
“Tag” is a general term for predefined attributes, user-defined labels, and user-defined
network tags.
- Predefined tags (attributes) are automatically created for Google VMs. When you configure VM Monitoring you can choose to monitor all 8 of the predefined attributes, or you can create a customized list of attributes to monitor.
Tag VMs and networks so that you can identify and group them, and then structure rules that enforce Security policy on those groups. You can tag any VM deployed in your Google project—for example, a VM-Series firewall, a web server, an application server, or a load balancer.
- Tags must be associated with a VM. This also applies to networks and subnetworks.
- If there are multiple IP addresses associated with an instance (for example if you tagged the VM-Series firewall trust and untrust interfaces), Panorama generates multiple sets of tag information.
The total number of tags that the Panorama plugin can retrieve
and register depends on the PAN-OS version Panorama is running and
the version of the managed VM-Series firewalls.
Google zone, Google region, VPC name, and Subnet name are specific to a network interface; on VMs with multiple interfaces, Panorama uses them to tag each network interface separately.
Predefined Attributes
The Google Cloud Platform plugin for Panorama retrieves
the following predefined tags from any managed VM:
- Project ID—For example: google.project-id.myProjectId. To find your project information in the Google console, select your project, then select IAM & Admin > Settings.
- Service account—Your service account in the form of an email address. For example: google.svc-accnt.sa-name@project-id.iam.gserviceaccount.com. To find your Service account, view the VM instance details.
- VPC name—The name of the VPC network for a managed VM. For example: google.vpc-name.myvnet.
- Subnet name—The name of a subnet you created for a managed VM interface. For example, for the VM-Series firewall untrust interface, the name of the subnet you created for the untrust interface: google.subnet-name-untrust.web.
- OS SKU—The operating system you chose when you deployed the managed VM. For example: google.os-sku.centos-7. This attribute is not supported if the VM uses a custom image.
- Google zone—The zone you selected when you deployed the VM. For example: google.zone.us-east1-c.
- Google region—The region containing the zone you selected. For example: google.region.us-east1.
- Instance group name—For example: google.instance-group.myInstanceGroup. To view or create an instance group in the Google console, select Compute Engine > Instance Group.
User-defined Labels
Panorama uses up to 16 user-defined labels. If you have
more than 16 labels, Panorama sorts your user-defined labels alphabetically
and uses the first 16 tags.
Review the Google requirements for label
key-value pairs: Keys have a minimum length of 1 character and a
maximum length of 63 characters, and cannot be empty. Values can
be empty, and have a maximum length of 63 characters.
To create or view labels in the GCP console, go to Compute Engine > VM Instances and
select Show Info Panel. Select one or more
VMs and in the Info Panel, select Labels.
Click +Add a label, add a key and value,
and click Save.
User-defined Network Tags
Panorama uses up to 8 user-defined network tags. If you have more than 8 tags, Panorama sorts your user-defined network tags alphabetically and uses the first 8 tags.
Note that Google limits network tags as
follows:
- Maximum 63 characters per tag.
- You can use lowercase letters, numbers, and dashes; a tag must start with a lowercase letter, and end with a number or a lowercase letter.
To create or view network tags in the GCP console, go to Compute Engine > VM Instances and
select an instance. Edit the instance, and
scroll down to Network Tags, enter tags (separated
by commas), and Save. See Configuring Network Tags.
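To make the tag limits and naming rules above concrete, here is an added Python example (not code from this page or from the Panorama plugin) that takes a constructed Compute Engine instance description and produces the IP-address-to-tag sets Panorama would register: it applies the 16-label and 8-network-tag limits with alphabetical truncation, the label length rule, Google's network-tag rule, the per-interface zone/region/VPC/subnet tags, and the missing OS SKU for custom images. The google.label. and google.nw-tag. prefixes for user-defined tags, the NIC name as the subnet-name suffix, and the instance dictionary shape are assumptions of this example.

```python
import re
from typing import Dict, List

MAX_LABELS = 16        # page: Panorama keeps the first 16 labels, sorted
MAX_NETWORK_TAGS = 8   # page: Panorama keeps the first 8 network tags, sorted
# Google network-tag rule from the page: 1-63 chars of lowercase letters, digits
# and dashes, starting with a letter and ending with a letter or digit.
NETWORK_TAG_RE = re.compile(r"[a-z](?:[a-z0-9-]{0,61}[a-z0-9])?")

# Constructed sample shaped like a Compute Engine instances.get() response.
SAMPLE_INSTANCE = {
    "zone": "projects/gcp-xxx/zones/us-east1-c",
    "serviceAccounts": [{"email": "sa-name@gcp-xxx.iam.gserviceaccount.com"}],
    "disks": [{"licenses": [".../licenses/centos-7"]}],   # [] for a custom image
    "labels": {"tier": "frontend", "app": "web", "": "rejected-empty-key"},
    "tags": {"items": ["web-server", "Prod", "db-", "a"]},  # two are invalid
    "networkInterfaces": [
        {"name": "untrust", "network": ".../networks/myvnet",
         "subnetwork": ".../subnetworks/web", "networkIP": "10.0.1.5",
         "accessConfigs": [{"natIP": "203.0.113.10"}]},
        {"name": "trust", "network": ".../networks/myvnet",
         "subnetwork": ".../subnetworks/app", "networkIP": "10.0.2.5"},
    ],
}


def valid_network_tag(tag: str) -> bool:
    return NETWORK_TAG_RE.fullmatch(tag) is not None


def valid_label(key: str, value: str) -> bool:
    # Only the length rule the page states: key 1..63 chars, value 0..63 chars.
    return 1 <= len(key) <= 63 and len(value) <= 63


def keep_first(items: List[str], limit: int) -> List[str]:
    # Panorama sorts alphabetically and uses the first `limit` entries.
    return sorted(items)[:limit]


def _last(path: str) -> str:
    return path.rsplit("/", 1)[-1]   # ".../zones/us-east1-c" -> "us-east1-c"


def register_tags(instance: dict, project_id: str) -> Dict[str, List[str]]:
    """Return {ip-address: [tags]} for one instance (assumed tag formats for
    user-defined labels/network tags and for the subnet-name suffix)."""
    zone = _last(instance["zone"])
    common = [f"google.project-id.{project_id}",
              f"google.svc-accnt.{instance['serviceAccounts'][0]['email']}"]
    licenses = instance["disks"][0].get("licenses", [])
    if licenses:                       # page: no OS SKU tag for custom images
        common.append(f"google.os-sku.{_last(licenses[0])}")
    labels = [f"{k}.{v}" for k, v in instance.get("labels", {}).items()
              if valid_label(k, v)]
    common += [f"google.label.{x}" for x in keep_first(labels, MAX_LABELS)]
    net_tags = [t for t in instance.get("tags", {}).get("items", [])
                if valid_network_tag(t)]
    common += [f"google.nw-tag.{t}" for t in keep_first(net_tags, MAX_NETWORK_TAGS)]
    result: Dict[str, List[str]] = {}
    for nic in instance["networkInterfaces"]:
        # Zone, region, VPC name and subnet name are tagged per interface (page);
        # every IP address on the interface, internal or external, gets the set.
        per_nic = [f"google.zone.{zone}", f"google.region.{zone.rsplit('-', 1)[0]}",
                   f"google.vpc-name.{_last(nic['network'])}",
                   f"google.subnet-name-{nic['name']}.{_last(nic['subnetwork'])}"]
        for ip in [nic["networkIP"]] + [a["natIP"] for a in nic.get("accessConfigs", [])]:
            result[ip] = common + per_nic
    return result
```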
Configure VM Monitoring with the Panorama Plugin for GCP
After you tag your GCP assets and
create a service account,
make your assets available to Panorama so you can set up VM monitoring.
Prepare Panorama to Configure VM Monitoring
- In Panorama, add the VM-Series firewalls and other VMs associated with your GCP project as managed devices.
- Add a Device Group and
assign managed devices to it. A Device Group is a group of firewalls
or virtual systems that you want to manage as a group. A VM can be a member of only one Device Group. Plan your Device Groups carefully.
- Add a template. Name the template and accept the default VPC.
- Add a template stack. Name the stack, add the template you just created, and select your devices.
- Commit the changes.
Set Up VM Monitoring
- If you have not done so, Install the Panorama Plugin for GCP.
- Log in to the Panorama web interface and select Panorama > Google Cloud Platform.
- Set up VM monitoring.
- Configure general settings.
- Select Panorama > Google Cloud Platform > Setup > General. To edit the settings, click the gear.
- Check Enable Monitoring to permit VM monitoring on all projects for which you configure a service account.
- Enter the Monitoring Interval in seconds. This is the length of time between tag retrieval events.
- Add a
notify group. A notify group is a list of Device Groups to which
Panorama pushes IP-address-to-tag mappings and updates. A project can have only one notify group.
- Select Panorama > Google Cloud Platform > Setup > Notify Groups and click Add.
- Enter a Name to identify the group of firewalls to which Panorama pushes the VM information (IP address-to-tag mappings) it retrieves.
- Select the Device Groups to which Panorama will push the VM information (IP address-to-tag mappings) retrieved from your project. The VM-Series firewalls use the update to determine the current member list for Dynamic Address Groups referenced in Security policy.Plan your Device Groups carefully.
- Select predefined or custom tags.
- Select All 8 Predefined Tags—Choose this option to select all predefined attributes (tags).
- Custom Tags—Choose this option to create tag lists for predefined attributes, user-defined labels, and user-defined network tags.
- Make sure to include all relevant Device Groups in a single notify group.
- If you want to deregister the tags that Panorama has pushed to a firewall included in a notify group, you must delete the monitoring definition.
- To register tags to all virtual systems on a firewall enabled for multiple virtual systems, you must add each virtual system to a separate Device Group on Panorama and assign the Device Groups to the notify group. Panorama will register tags to only one virtual system, if you assign all the virtual systems to one Device Group.
- Add a GCP Service Account Credential.
- Name the service account credential.
- (Optional) Enter a description of the service account.
- Browse to upload the JSON file generated when you created the service account.
You must use the Panorama web interface; you cannot use the CLI to add a service account. You can use a service account for only one credential. Do not create multiple credentials from a single JSON file.
After you add a service account credential, you can validate the credential from the Panorama command line:
    request plugins gcp validate-service-account <svc-acct-credential-name>
- Create a Monitoring Definition. A monitoring definition consists of the service account credential for your project and a notify group. All the networking assets in your project are monitored, and the tags retrieved are pushed to the Device Groups you list in your monitoring definition. When you add a new monitoring definition, it is enabled by default. A project can have only one monitoring definition, and a monitoring definition can include only one notify group.
- Select Panorama > Google Cloud Platform > Monitoring Definition and click Add.
- Name the monitoring definition.
- Enter an optional Description for the project and assets you are monitoring.
- Select the Service Account credential you created in the previous step.
- Select a Notify Group.
- Enable monitoring for the elements associated with this service account.
- Commit the changes on Panorama. Verify that the status for the Monitoring Definition displays as Success. If it fails, verify that you entered the project ID accurately and provided the correct keys and IDs for the service.
- Verify that you can view the VM information on Panorama, and define the match criteria for Dynamic Address Groups. On HA failover, the newly active Panorama attempts to reconnect to Google Cloud Platform and retrieve tags for all monitoring definitions. If there is an error with reconnecting even one monitoring definition, Panorama generates a system log message:
Unable to process subscriptions after HA switch-over; user-intervention required.
If you see this error, fix the issue in Panorama. For example, remove an invalid subscription or provide valid credentials, and commit your changes to enable Panorama to reconnect and retrieve the tags for all monitoring definitions. Even when Panorama is disconnected from Google Cloud Platform, the firewalls have the list of all tags that had been retrieved before failover, and can continue to enforce policy on that list of IP addresses. When you delete a monitoring definition, Panorama removes all tags associated with registered VMs. As a best practice, configure action-oriented log forwarding to an HTTPS destination from Panorama so that you can take immediate action.