VM Monitoring to Track Changes on the Virtual Network
VM information sources provides an automated way to gather information on the Virtual Machine (VM) inventory on each monitored source (host); the firewall can monitor the VMware ESXi and vCenter Server, and the AWS-VPC. As virtual machines (guests) are deployed or moved, the firewall collects a predefined set of attributes (or metadata elements) as tags; these tags can then be used to define Dynamic Address Groups (see Use Dynamic Address Groups in Policy) and matched against in policy.
Up to 10 VM information sources can be configured on the firewall or pushed using Panorama templates. By default, the traffic between the firewall and the monitored sources uses the management (MGT) port on the firewall.
VM Information Sourcesoffers easy configuration and enables you to monitor a predefined set of 16 metadata elements or attributes. See Attributes Monitored in the AWS and VMware Environments for the list.
When monitoring ESXi hosts that are part of the VM-Series NSX edition solution, use Dynamic Address Groups instead of using VM Information Sources to learn about changes in the virtual environment. For the VM-Series NSX edition solution, the NSX Manager provides Panorama with information on the NSX security group to which an IP address belongs. The information from the NSX Manager provides the full context for defining the match criteria in a Dynamic Address Group because it uses the service profile ID as a distinguishing attribute and allows you to properly enforce policy when you have overlapping IP addresses across different NSX security groups. Up to a maximum of 32 tags (from vCenter server and NSX Manager) that can be
registered to an IP address.
- Enable the VM Monitoring Agent.You can configure up to 10 VM information sources for each firewall, or for each virtual system on a multiple virtual systems capable firewall.If your firewalls are configured in a high availability configuration:
- In an active/passive setup, only the active firewall monitors the VM sources.
- In an active/active setup, only the firewall with the priority value of primary monitors the VM sources.
- Select.DeviceVM Information Sources
- ClickAddand enter the following information:
- ANameto identify the VMware ESX(i) or vCenter Server that you want to monitor.
- Enter theHost information for the server—hostname or IP address and thePorton which it is listening.
- Select theTypeto indicate whether the source is aVMware ESX(i)server or aVMware vCenterServer.
- Add the credentials (UsernameandPassword) to authenticate to the server specified above.
- Use the credentials of an administrative user to enable access.
- (Optional) Modify theUpdate intervalto a value between 5-600 seconds. By default, the firewall polls every 5 seconds. The API calls are queued and retrieved within every 60 seconds, so updates may take up to 60 seconds plus the configured polling interval.
- (Optional) Enter the interval in hours when the connection to the monitored source is closed, if the host does not respond. (default: 2 hours, range 2-10 hours) To change the default value, select the check box toEnable timeout when the source is disconnectedand specify the value. When the specified limit is reached or if the host cannot be accessed or does not respond, the firewall will close the connection to the source.
- ClickOK, andCommitthe changes.
- Verify that the connectionStatusdisplays as connected
- Verify the connection status.Verify that the connectionStatusdisplays as connected.If the connection status is pending or disconnected, verify that the source is operational and that the firewall is able to access the source. If you use a port other than the MGT port for communicating with the monitored source, you must change the service route (, click theDeviceSetupServicesService Route Configurationlink and modify theSource Interfacefor theVM Monitorservice).