VM Monitoring with the Panorama Plugin for GCP

Google Cloud Platform plugin for Panorama overview.
Where Can I Use This?
  • Google Cloud Platform (GCP)
What Do I Need?
  • VM-Series License (PAYG or BYOL)
  • VM-Series plugin
  • Panorama
  • Panorama plugin for GCP
The Panorama plugin for GCP retrieves the internal and external IP addresses of running VMs, and periodically retrieves IP-address-to-tag mappings for VMs in the connected GCP VPCs. You can use tags to organize VMs into dynamic address groups (DAGs), and then reference those groups in Security policy rules that allow or deny traffic to specific VM IP addresses. To enforce Security policy consistently, you then push the rules to your VM-Series firewalls.

Workloads in the cloud are often ephemeral. Because a rule references a DAG rather than a fixed IP address, you can write a granular Security policy in Panorama in terms of the application's tags; as workloads come up and down, their IP addresses enter and leave the group and the appropriate policy is applied without a rule change.

The Panorama plugin for GCP version 3.0.0 and later supports Shared VPC architectures. With a Shared VPC, a single host project defines (and shares) the VPCs in which all of its service projects deploy their resources. By onboarding the host project into the Panorama plugin for GCP, you onboard its service projects automatically.

The Panorama plugin for GCP version 2.0.0 and later enables you to create a VM monitoring configuration that authenticates with a GCP project and monitors the VM-Series firewalls and other VMs deployed within it. Once the plugin has a connection to your project, it can retrieve IP-address-to-tag mappings for GCP assets. Tags can be predefined attributes, user-defined labels for VMs, and user-defined network tags (see Review and Create Tags).
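The following is an added example (not code from this page or from Palo Alto Networks) showing how dynamic address group membership follows the IP-to-tag mappings the plugin registers: the match criteria are evaluated against each IP's tag set, and when a VM disappears its IP leaves the group without any rule change. The match-criteria form (single-quoted tag names joined with and, or, not and parentheses) follows the PAN-OS DAG match-criteria syntax; the evaluator, the sample mappings and the google.label.* key layout are this example's own assumptions.

```python
"""Resolve dynamic address group (DAG) membership from IP-to-tag mappings.

Added example, not code from Palo Alto Networks or the Panorama plugin for
GCP. The match-criteria syntax (single-quoted tag names combined with and,
or, not and parentheses) follows the form PAN-OS uses for DAG match criteria;
the evaluator and the sample mappings are constructed here for illustration,
and the google.label.* key layout is an assumption (the page shows only the
predefined-attribute formats).
"""
import re

# Constructed sample of what the plugin might register for three VMs.
IP_TO_TAGS = {
    "10.0.1.10": {"google.project-id.myProjectId", "google.zone.us-east1-c",
                  "google.region.us-east1", "google.vpc-name.myvnet",
                  "google.label.tier.web"},
    "10.0.2.20": {"google.project-id.myProjectId", "google.zone.us-east1-b",
                  "google.region.us-east1", "google.vpc-name.myvnet",
                  "google.label.tier.db"},
    "10.0.3.30": {"google.project-id.myProjectId", "google.zone.us-west1-a",
                  "google.region.us-west1", "google.vpc-name.othervnet",
                  "google.label.tier.web"},
}

# One token per step: a quoted tag, a parenthesis, or a boolean keyword.
_TOKEN = re.compile(r"\s*(?:'([^']*)'|(\(|\)|and|or|not))")


def _tokenize(criteria):
    tokens, pos = [], 0
    criteria = criteria.rstrip()
    while pos < len(criteria):
        m = _TOKEN.match(criteria, pos)
        if m is None:
            raise ValueError(f"bad match criteria at offset {pos}: {criteria[pos:]!r}")
        if m.group(1) is not None:
            tokens.append(("tag", m.group(1)))
        else:
            tokens.append(("op", m.group(2)))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive-descent evaluator; precedence is not > and > or."""

    def __init__(self, tokens, tags):
        self.tokens, self.tags, self.i = tokens, tags, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def expr(self):                      # or_expr := and_expr ('or' and_expr)*
        result = self.term()
        while self.peek() == ("op", "or"):
            self.i += 1
            # Evaluate the operand first so syntax errors are never skipped.
            result = self.term() or result
        return result

    def term(self):                      # and_expr := factor ('and' factor)*
        result = self.factor()
        while self.peek() == ("op", "and"):
            self.i += 1
            result = self.factor() and result
        return result

    def factor(self):                    # factor := 'not' factor | '(' expr ')' | tag
        tok = self.peek()
        if tok == ("op", "not"):
            self.i += 1
            return not self.factor()
        if tok == ("op", "("):
            self.i += 1
            result = self.expr()
            if self.peek() != ("op", ")"):
                raise ValueError("missing ')'")
            self.i += 1
            return result
        if tok is None or tok[0] != "tag":
            raise ValueError(f"expected a quoted tag, got {tok}")
        self.i += 1
        return tok[1] in self.tags


def evaluate_match(criteria, tags):
    """True if a VM carrying `tags` satisfies the DAG match `criteria`."""
    parser = _Parser(_tokenize(criteria), tags)
    result = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()}")
    return result


def resolve_dag(criteria, ip_to_tags):
    """Sorted list of IPs whose registered tags satisfy `criteria`."""
    return sorted(ip for ip, tags in ip_to_tags.items() if evaluate_match(criteria, tags))


if __name__ == "__main__":
    web_east = "'google.label.tier.web' and 'google.region.us-east1'"
    print(resolve_dag(web_east, IP_TO_TAGS))        # ['10.0.1.10']
    # Workload churn: the web VM is torn down and the plugin stops reporting
    # its IP, so on the next refresh the group shrinks with no rule change.
    remaining = {ip: t for ip, t in IP_TO_TAGS.items() if ip != "10.0.1.10"}
    print(resolve_dag(web_east, remaining))         # []
```

The parser deliberately avoids `eval`: match criteria are operator input, and a tag name that happens to contain Python syntax must never be executed.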

Configure GCP Assets for VM Monitoring

You can monitor VM-Series firewalls you deployed from the GCP Marketplace, firewalls you deployed with the auto scaling firewall templates, GCE instances you created from the GCP console or the gcloud command line, and other virtual machines deployed in GCP. If you deploy PAN-OS VMs from the Marketplace, follow the instructions in Set Up the VM-Series Firewall on Google Cloud Platform.

Review IAM Roles

Ensure that you have the following minimum permissions for VM Monitoring tasks:
  • Create service accounts for your project in the GCP console and grant them roles: Project Owner or Editor.
    The plugin does not create service accounts for you. If you don't have permission to create a service account, ask an administrator to create it and assign an appropriate role to you.
  • View your service accounts: read-only.
  • View PAN-OS VMs deployed from the Google Marketplace: Compute Viewer.
  • Assign a user-defined tag to an instance: Project Owner, Editor, or Compute Instance Admin.

Create a Service Account

Before you use the GCP plugin on Panorama to configure VM Monitoring, use the GCP console to create service accounts that grant access to your GCP project, the VM-Series firewalls deployed within it, any other VMs you want Panorama to manage, and the related networks and subnetworks. The GCP plugin for Panorama retrieves predefined attributes for Google assets, user-defined VM labels, and user-defined network tags.
With Panorama plugin for GCP version 3.1.0 or later, in a Shared VPC setup you can create a service account in the host project and grant it permissions on the service projects (see the GCP documentation on creating a cross-project service account). Use that service account's credentials in the Monitoring Definition to retrieve tags from all attached service projects.
Every project has a default service account that was created automatically with the project. Creating a separate service account specifically for VM Monitoring gives you tighter control over who can use the account and which roles it holds, rather than reusing a default account that other workloads may already depend on. You can configure up to 100 service accounts per project.
  1. In the Google Cloud Platform console, select the project you want to monitor.
  2. Select IAM & Admin > Service accounts and choose + Create Service Account.
    Enter the service account name and description, and click Create.
  3. Select a role type from the drop-down menu, and on the right, select an appropriate access level.
    For example, select Project > Editor. You can select multiple roles for a service account.
    When you're finished, click Continue.
  4. Grant specific users permission to access this service account. Select members from the Permissions column on the right to give them permission to use the roles selected in the previous step.
  5. (Optional) Click + CREATE KEY to create a JSON key credential for this service account. The key lets a client such as the Google Cloud CLI authenticate as the service account to access the VM-Series firewalls, networks, and other VMs it has permissions on; it is also the credential you supply in the plugin's Monitoring Definition.
    The key is downloaded automatically, and Google does not keep a copy of the private key. Store it in a secure location with restrictive file permissions: anyone who obtains this file can act as the service account with every role you granted it. The JSON format of the generated private key is as follows:
    {
      "type": "service_account",
      "project_id": "gcp-xxx",
      "private_key_id": "<private-key-id>",
      "private_key": "-----BEGIN PRIVATE KEY-----<private-key-value>-----END PRIVATE KEY-----\n",
      "client_email": "<client-email>",
      "client_id": "<client-id>",
      "auth_uri": "<auth-uri>",
      "token_uri": "<token-uri>",
      "auth_provider_x509_cert_url": "<auth-provider-x509-cert-url>",
      "client_x509_cert_url": "<client-x509-cert-url>"
    }
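Before uploading the key to Panorama it is worth checking the file. The following is an added example, not code from Palo Alto Networks or Google: it validates the fields shown in the key above, confirms that client_email belongs to the stated project_id and is not the project's default Compute Engine service account, and flags a key file that other users on the host can read. The sample key (with a placeholder PEM body), the 0600 file-mode requirement and the check logic are this example's own choices.

```python
"""Sanity-check a downloaded service account key before you hand it to
Panorama. Added example; not code from Palo Alto Networks or Google. The
field list is the one in the key shown above; the checks, the sample key and
the 0600 file-mode requirement are this example's own choices.
"""
import json
import os
import re
import stat
import tempfile

REQUIRED_FIELDS = (
    "type", "project_id", "private_key_id", "private_key", "client_email",
    "client_id", "auth_uri", "token_uri", "auth_provider_x509_cert_url",
    "client_x509_cert_url",
)

# Constructed sample key: the PEM body is a placeholder string, not a key.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "gcp-xxx",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END PRIVATE KEY-----\n",
    "client_email": "vm-monitor@gcp-xxx.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/vm-monitor%40gcp-xxx.iam.gserviceaccount.com",
}

_DEFAULT_COMPUTE_SA = re.compile(r"\d+-compute@developer\.gserviceaccount\.com")
_USER_MANAGED_SA = re.compile(r"[^@]+@([a-z][-a-z0-9]*)\.iam\.gserviceaccount\.com")


def check_key(data):
    """Return a list of problems with the parsed key; [] means it looks usable."""
    problems = []
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if data.get("type") != "service_account":
        problems.append(f"type is {data.get('type')!r}, expected 'service_account'")
    pem = data.get("private_key", "")
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM private key block")
    email = data.get("client_email", "")
    if _DEFAULT_COMPUTE_SA.fullmatch(email):
        # The page recommends a dedicated account over the project default.
        problems.append("key belongs to the default Compute Engine service account; create a dedicated one")
    else:
        m = _USER_MANAGED_SA.fullmatch(email)
        if m is None:
            problems.append(f"client_email {email!r} is not a service account address")
        elif m.group(1) != data.get("project_id"):
            problems.append(f"client_email is in project {m.group(1)!r} but project_id is {data.get('project_id')!r}")
    return problems


def check_key_file(path):
    """File-level checks (permissions, JSON) followed by the content checks."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"file mode {mode:04o} lets group/others read it; use 0600")
    with open(path, encoding="utf-8") as fh:
        try:
            data = json.load(fh)
        except json.JSONDecodeError as exc:
            return problems + [f"not valid JSON: {exc}"]
    return problems + check_key(data)


def write_and_check(data, mode=0o600):
    """Write `data` to a temp file with the given mode and run check_key_file."""
    fd, path = tempfile.mkstemp(suffix=".json")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(data, fh)
        os.chmod(path, mode)
        return check_key_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(write_and_check(SAMPLE_KEY))         # []
    print(write_and_check(SAMPLE_KEY, 0o644))  # ['file mode 0644 lets group/others read it; use 0600']
```

The project check matters in Shared VPC setups: a key minted in a service project will not see the host project's networks, and the mismatch is easy to miss once the file is renamed.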

Review and Create Tags

Set up tagging in GCP
“Tag” is a general term for predefined attributes, user-defined labels, and user-defined network tags.
  • Predefined tags (attributes) are created automatically for Google VMs. When you configure VM Monitoring you can monitor all eight predefined attributes, or create a customized list of attributes to monitor.
  • You can define your own tags as VM labels and as network tags.
Tag VMs and networks so that you can identify and group them, and then structure rules that enforce Security policy on those groups. You can tag any VM deployed in your Google project, for example a VM-Series firewall, a web server, an application server, or a load balancer.
  • Tags must be associated with a VM. This also applies to networks and subnetworks: their names are reported only as tags of the VMs attached to them.
  • If multiple IP addresses are associated with an instance (for example, if you tagged the VM-Series firewall trust and untrust interfaces), Panorama generates a separate set of tag information for each IP address.
The total number of tags that the Panorama plugin can retrieve and register depends on the PAN-OS version Panorama is running and the version of the managed VM-Series firewalls.
Google zone, Google region, VPC name, and subnet name are specific to a network interface; on a VM with multiple interfaces, they tag each interface separately.

Predefined Attributes

The Google Cloud Platform plugin for Panorama retrieves the following predefined tags from any managed VM:
  • Project ID—For example: google.project-id.myProjectId.
    To find your project information in the Google console, select your project, then select IAM & Admin > Settings.
  • Service account—Your service account in the form of an email address. For example: google.svc-accnt.sa-name@project-id.iam.gserviceaccount.com.
    To find your Service account, view the VM instance details.
  • VPC name—The name of the VPC network for a managed VM. For example: google.vpc-name.myvnet.
  • Subnet name—The name of a subnet you created for a managed VM interface. For example, for the VM-Series firewall untrust interface, the name of the subnet you created for the untrust interface: google.subnet-name-untrust.web.
  • OS SKU—The operating system you chose when you deployed the managed VM. For example: google.os-sku.centos-7.
    This attribute isn't supported if the VM uses a custom image.
  • Google zone—The zone you selected when you deployed the VM. For example: google.zone.us-east1-c.
  • Google region—The region containing the zone you selected. For example: google.region.us-east1.
  • Instance group name—For example: google.instance-group.myInstanceGroup. To view or create an instance group in the Google console, select Compute Engine > Instance groups.

User-defined Labels

Panorama uses up to 16 user-defined labels. If a VM has more than 16 labels, Panorama sorts them alphabetically and uses the first 16.
Review the Google requirements for label key-value pairs: keys must be 1 to 63 characters long and can't be empty; values can be empty and have a maximum length of 63 characters.
To create or view labels in the GCP console, go to Compute Engine > VM instances and select Show Info Panel. Select one or more VMs and in the Info Panel, select Labels. Click + Add a label, add a key and value, and click Save.

User-defined Network Tags

Panorama uses up to eight user-defined network tags. If a VM has more than eight network tags, Panorama sorts them alphabetically and uses the first eight.
Google limits network tags as follows:
  • Maximum 63 characters per tag.
  • You can use lowercase letters, numbers, and dashes; a tag must start with a lowercase letter, and end with a number or a lowercase letter.
To create or view network tags in the GCP console, go to Compute Engine > VM instances and select an instance. Edit the instance, scroll down to Network tags, enter tags (separated by commas), and Save. See Configuring Network Tags.
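The following added example (not code from this page, Palo Alto Networks or the plugin) derives the mappings described in the Review and Create Tags, Predefined Attributes, User-defined Labels and User-defined Network Tags sections from a Compute Engine instance resource: predefined attributes become google.* tags in the formats shown above, labels are capped at 16 and network tags at 8 after alphabetical sorting, and a VM with two interfaces yields one mapping per IP address, each carrying its own VPC and subnet tags. The instance resource shape is the Compute Engine API's; the google.label.<key>.<value> and google.tag.<tag> layouts are assumptions, and OS SKU is omitted because the instance resource does not carry it.

```python
"""Build the IP-address-to-tag mappings that the plugin registers, from a
Compute Engine instance resource.

Added example; not code from Palo Alto Networks or the Panorama plugin for
GCP. Input shape is the Compute Engine instances.get resource (what
`gcloud compute instances describe --format=json` prints). Tag key prefixes
for predefined attributes follow this page's examples; the key layout used
for user labels (google.label.<key>.<value>) and network tags
(google.tag.<tag>) is assumed, and the 16-label / 8-network-tag limits are
the ones this page states. OS SKU is omitted because it is not part of the
instance resource (it comes from the boot disk image).
"""

MAX_LABELS = 16
MAX_NETWORK_TAGS = 8

_BASE = "https://www.googleapis.com/compute/v1/projects/my-project"

# Constructed sample: a two-interface firewall VM with 3 labels and 3 network tags.
SAMPLE_INSTANCE = {
    "name": "vmseries-fw-1",
    "zone": f"{_BASE}/zones/us-east1-c",
    "serviceAccounts": [{"email": "fw-monitor@my-project.iam.gserviceaccount.com"}],
    "labels": {"tier": "fw", "env": "prod", "owner": "netsec"},
    "tags": {"items": ["untrust-fw", "trust-fw", "allow-ssh"]},
    "networkInterfaces": [
        {"network": f"{_BASE}/global/networks/untrust-vpc",
         "subnetwork": f"{_BASE}/regions/us-east1/subnetworks/untrust",
         "networkIP": "10.1.0.5",
         "accessConfigs": [{"natIP": "34.10.20.30"}]},   # has an external IP
        {"network": f"{_BASE}/global/networks/trust-vpc",
         "subnetwork": f"{_BASE}/regions/us-east1/subnetworks/trust",
         "networkIP": "10.2.0.5"},                        # internal only
    ],
}


def _last(url):
    """Resource name is the last path segment of a Compute API self-link."""
    return url.rsplit("/", 1)[-1]


def _project_of(url):
    parts = url.split("/")
    return parts[parts.index("projects") + 1]


def region_of(zone):
    """Region is the zone without its trailing letter: us-east1-c -> us-east1."""
    return zone.rsplit("-", 1)[0]


def instance_tags(inst, instance_group=None):
    """Tags that apply to the VM as a whole, whichever interface the IP is on."""
    zone = _last(inst["zone"])
    tags = {
        f"google.project-id.{_project_of(inst['zone'])}",
        f"google.zone.{zone}",
        f"google.region.{region_of(zone)}",
    }
    for sa in inst.get("serviceAccounts", []):
        tags.add(f"google.svc-accnt.{sa['email']}")
    if instance_group:                       # membership is not in the instance resource
        tags.add(f"google.instance-group.{instance_group}")
    labels = inst.get("labels", {})
    for key in sorted(labels)[:MAX_LABELS]:  # alphabetical, first 16 kept
        tags.add(f"google.label.{key}.{labels[key]}")
    for tag in sorted(inst.get("tags", {}).get("items", []))[:MAX_NETWORK_TAGS]:
        tags.add(f"google.tag.{tag}")        # alphabetical, first 8 kept
    return tags


def ip_to_tags(inst, instance_group=None):
    """One mapping per IP address (internal and external). VPC and subnet names
    are interface-specific, so a multi-NIC VM yields several mappings."""
    common = instance_tags(inst, instance_group)
    mapping = {}
    for nic in inst["networkInterfaces"]:
        per_nic = common | {
            f"google.vpc-name.{_last(nic['network'])}",
            f"google.subnet-name.{_last(nic['subnetwork'])}",
        }
        mapping[nic["networkIP"]] = per_nic
        for access in nic.get("accessConfigs", []):
            if "natIP" in access:
                mapping[access["natIP"]] = per_nic
    return mapping


if __name__ == "__main__":
    for ip, tags in ip_to_tags(SAMPLE_INSTANCE, instance_group="fw-group").items():
        print(ip, sorted(t for t in tags if t.startswith(("google.vpc", "google.subnet"))))
```

Note the consequence for policy: the untrust interface's external IP carries the same tags as its internal IP, so a DAG matching google.subnet-name.untrust will contain both addresses, while the trust interface's IP matches only the trust VPC and subnet tags.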