End-of-Life (EoL)

Enable VM Monitoring to Track Changes on the Virtual Network

VM information sources provides an automated way to gather information on the Virtual Machine (VM) inventory on each monitored source (host); the firewall can monitor the VMware ESXi and vCenter Server, and the AWS-VPC. As virtual machines (guests) are deployed or moved, the firewall collects a predefined set of attributes (or metadata elements) as tags; these tags can then be used to define Dynamic Address Groups (see Use Dynamic Address Groups in Policy) and matched against in policy.
Up to 10 VM information sources can be configured on the firewall or pushed using Panorama templates. By default, the traffic between the firewall and the monitored sources uses the management (MGT) port on the firewall.
VM Information Sources
offers easy configuration and enables you to monitor a predefined set of 16 metadata elements or attributes. See Attributes Monitored in the AWS and VMware Environments for the list.
When monitoring ESXi hosts that are part of the VM-Series NSX edition solution, use Dynamic Address Groups instead of using VM Information Sources to learn about changes in the virtual environment. For the VM-Series NSX edition solution, the NSX Manager provides Panorama with information on the NSX security group to which an IP address belongs. The information from the NSX Manager provides the full context for defining the match criteria in a Dynamic Address Group because it uses the service profile ID as a distinguishing attribute and allows you to properly enforce policy when you have overlapping IP addresses across different NSX security groups. Up to a maximum of 32 tags (from vCenter server and NSX Manager) that can be
registered to an IP address.
  1. Enable the VM Monitoring Agent.
    You can configure up to 10 VM information sources for each firewall, or for each virtual system on a multiple virtual systems capable firewall.
    If your firewalls are configured in a high availability configuration:
    • In an active/passive setup, only the active firewall monitors the VM sources.
    • In an active/active setup, only the firewall with the priority value of primary monitors the VM sources.
    1. Select
      VM Information Sources
    2. Click
      and enter the following information:
      • A
        to identify the VMware ESX(i) or vCenter Server that you want to monitor.
      • Enter the
        Host information for the server—
        hostname or IP address and the
        on which it is listening.
      • Select the
        to indicate whether the source is a
        VMware ESX(i)
        server or a
        VMware vCenter
      • Add the credentials (
        ) to authenticate to the server specified above.
      • Use the credentials of an administrative user to enable access.
      • (Optional) Modify the
        Update interval
        to a value between 5-600 seconds. By default, the firewall polls every 5 seconds. The API calls are queued and retrieved within every 60 seconds, so updates may take up to 60 seconds plus the configured polling interval.
      • (Optional) Enter the interval in hours when the connection to the monitored source is closed, if the host does not respond. (default: 2 hours, range 2-10 hours) To change the default value, select the check box to
        Enable timeout when the source is disconnected
        and specify the value. When the specified limit is reached or if the host cannot be accessed or does not respond, the firewall will close the connection to the source.
      • Click
        , and
        the changes.
      • Verify that the connection
        displays as connected
  2. Verify the connection status.
    Verify that the connection
    displays as connected.
    If the connection status is pending or disconnected, verify that the source is operational and that the firewall is able to access the source. If you use a port other than the MGT port for communicating with the monitored source, you must change the service route (
    , click the
    Service Route Configuration
    link and modify the
    Source Interface
    for the
    VM Monitor

Recommended For You