Enable VM Monitoring to Track Changes on the Virtual Network

VM information sources provides an automated way to gather information on the Virtual Machine (VM) inventory on each monitored source (host); the firewall can monitor the VMware ESXi and vCenter Server, and the AWS-VPC. As virtual machines (guests) are deployed or moved, the firewall collects a predefined set of attributes (or metadata elements) as tags; these tags can then be used to define Dynamic Address Groups (see Use Dynamic Address Groups in Policy) and matched against in policy.
Up to 10 VM information sources can be configured on the firewall or pushed using Panorama templates. By default, the traffic between the firewall and the monitored sources uses the management (MGT) port on the firewall.
VM Information Sources
offers easy configuration and enables you to monitor a predefined set of 16 metadata elements or attributes. See Attributes Monitored in the AWS and VMware Environments for the list.
When monitoring ESXi hosts that are part of the VM-Series NSX edition solution, use Dynamic Address Groups instead of using VM Information Sources to learn about changes in the virtual environment. For the VM-Series NSX edition solution, the NSX Manager provides Panorama with information on the NSX security group to which an IP address belongs. The information from the NSX Manager provides the full context for defining the match criteria in a Dynamic Address Group because it uses the service profile ID as a distinguishing attribute and allows you to properly enforce policy when you have overlapping IP addresses across different NSX security groups. Up to a maximum of 32 tags (from vCenter server and NSX Manager) that can be
registered to an IP address.
  1. Enable the VM Monitoring Agent.
    You can configure up to 10 VM information sources for each firewall, or for each virtual system on a multiple virtual systems capable firewall.
    If your firewalls are configured in a high availability configuration:
    • In an active/passive setup, only the active firewall monitors the VM sources.
    • In an active/active setup, only the firewall with the priority value of primary monitors the VM sources.
    1. Select
      Device
      VM Information Sources
      .
    2. Click
      Add
      and enter the following information:
      • A
        Name
        to identify the VMware ESX(i) or vCenter Server that you want to monitor.
      • Enter the
        Host information for the server—
        hostname or IP address and the
        Port
        on which it is listening.
      • Select the
        Type
        to indicate whether the source is a
        VMware ESX(i)
        server or a
        VMware vCenter
        Server.
      • Add the credentials (
        Username
        and
        Password
        ) to authenticate to the server specified above.
      • Use the credentials of an administrative user to enable access.
      • (Optional) Modify the
        Update interval
        to a value between 5-600 seconds. By default, the firewall polls every 5 seconds. The API calls are queued and retrieved within every 60 seconds, so updates may take up to 60 seconds plus the configured polling interval.
        vm_info_source.PNG
      • (Optional) Enter the interval in hours when the connection to the monitored source is closed, if the host does not respond. (default: 2 hours, range 2-10 hours) To change the default value, select the check box to
        Enable timeout when the source is disconnected
        and specify the value. When the specified limit is reached or if the host cannot be accessed or does not respond, the firewall will close the connection to the source.
      • Click
        OK
        , and
        Commit
        the changes.
      • Verify that the connection
        Status
        displays as connected connected.PNG
  2. Verify the connection status.
    Verify that the connection
    Status
    displays as connected.PNG connected. VM_monitoring_connected.PNG
    If the connection status is pending or disconnected, verify that the source is operational and that the firewall is able to access the source. If you use a port other than the MGT port for communicating with the monitored source, you must change the service route (
    Device
    Setup
    Services
    , click the
    Service Route Configuration
    link and modify the
    Source Interface
    for the
    VM Monitor
    service).

Related Documentation