1. Home
    2. PAN-OS
    3. PAN-OS® New Features Guide
    4. Virtualization Features
    5. VM-Series Firewall on Google Cloud Platform

    VM-Series Firewall on Google Cloud Platform

    Deploy the VM-Series firewall from Google Cloud Platform Marketplace, enable Google Stackdriver monitoring, and enable VM-Series firewalls to monitoring Google Compute Engine instances.
    You can now deploy the VM-Series firewall on a Google Compute Engine instance within a Google Cloud Platform project to secure your applications and workloads.
    The VM-Series firewall on Google Cloud Platform can publish custom PAN-OS metrics to Google Stackdriver. With Stackdriver Monitoring, you can monitor the firewall, and set up alerts based on firewall health and performance.
    You can also enable any firewall that runs PAN-OS 8.1 (virtual or physical) to monitor application workloads deployed on Google Compute Engine instances. With an awareness of virtual machine adds, moves, or deletes within a Google VPC, you can create security policy rules that automatically adapt to changes in your application environment.

    Deploy the VM-Series Firewall from Google Cloud Platform Marketplace

    The VM-series firewall is part of your Google project, using the VPC networks to communicate with other compute engine instances. In addition to serving as an internet gateway, the VM-series firewall can secure east-west traffic between VPCs to ensure data protection compliance and application access.
    gce-n-s-e-w.png
    Google Marketplace provides templates based on license types. The templates deploy an instance of the VM-Series firewall with a management interface and two dataplane interfaces.
    Before you deploy the VM-Series firewall, you must choose a project in your organization, and create a minimum of three networks and subnetworks that the firewall requires at launch.
    1. Locate the VM-Series firewall listing in Google Marketplace.
      1. Log in to the Google Cloud Console.
      2. From the Products and Services menu, choose Marketplace.
      3. Search for “VM-Series”.
      4. Select one of the VM-Series licensing options.
    2. Click Launch on Compute Engine.
    3. Deploy the VM-Series Firewall  from  Google Cloud Platform Marketplace.

    Enable Google Stackdriver Monitoring

    You can enable any firewall that runs PAN-OS 8.1 (virtual or physical) to monitor application workloads deployed on Google Compute Engine instances. With an awareness of virtual machine adds, moves, or deletes within a Google VPC, you can create security policy rules that automatically adapt to changes in your application environment.
    When Stackdriver is enabled, the firewall can retrieve metadata on eight predefined attributes—hostname of the VM, machine type, status (running or not), source (OS type), VPC Network, subnetwork, zone, and Project ID. In addition to these attributes, you can retrieve up to 24 user-defined attributes such as labels, tags, and other key-value pairs defined using metadata or startup scripts on the Google Compute Engine instances.
    1. Select DeviceVM Information Sources, and Add a new source to monitor.
    2. Enter a unique Name for the source.
    3. Select the Service Authentication Type.
      • VM-Series running in GCE—Use this option if a VM-Series firewall deployed on GCE is monitoring the virtual machines on GCE. You do not need to provide account credentials if the service account that you used to provision the firewall has the permissions required to authenticate to the Google Cloud Project you want to monitor.
      • Service Account—Use this option on any hardware-based firewall or VM-Series firewall that is not running on GCE. You must the provide the Service Account Credential as a JSON file so that the firewall can authenticate to the GCP infrastructure and retrieve the attributes.
    4. Enter the Project ID and the Zone in which the resources are deployed.
    5. Click OK and Commit your changes.
    6. Verify the connection Status is successful and that the firewall is able to connect to the GCE project you want to monitor.
    7. Use the attributes as match criteria in dynamic address groups.

    Enable VM-Series Firewall to Track Changes on Google Cloud Platform VMs

    You can also enable any firewall that runs PAN-OS 8.1(virtual or physical) to monitor application workloads deployed on Google Compute Engine instances. For a description of the PAN-OS metrics that you can publish to Google Stackdriver, see Custom PAN-OS Metrics Published for Monitoring.
    1. Push PAN-OS metrics from a VM-Series firewall on a Google Compute Engine instance to Stackdriver.
      1. Log in to the web interface on the VM-Series firewall.
      2. Select DeviceOperations. On the Google Cloud Stackdriver Monitoring Setup panel, click Edit edit-icon.png .
        1. Check Publish PAN-OS metrics to Stackdriver.
          gcstackdriver.png
        2. Set Update Interval to a value between 1- 60 minutes. This is the frequency at which the firewall publishes the metrics to Stackdriver. The default is 5 minutes.
        3. Click OK.
      3. Commit the changes.
        Wait until the firewall starts to publish metrics to Stackdriver before you configure alarms for PAN-OS metrics.
    2. Verify that you can see the metrics on Stackdriver.
      1. In the Google Cloud Console, select Products and ServicesMonitoring.
      2. In Stackdriver, choose ResourcesMetrics Explorer.
      3. Under “Find resource type and metric”, click in the search field and type custom to filter the PAN-OS metrics.
        custom-metrics-in-console.png
    3. Configure alerts and actions for PAN-OS metrics on Stackdriver. See Monitoring Quickstart for Google Compute Engine, and Stackdriver Introduction to Alerting.

    Related Documentation

    Enable Google Stackdriver Monitoring on the VM Series Firewall

    Monitor PAN-OS metrics from Google Stackdriver. ...

    Set Up the VM-Series Firewall on Google Cloud Platform

    Deploy the VM-Series Firewall on a Google Cloud Engine Instance. ...

    About the VM-Series Firewall on Google Cloud Platform

    Prepare to deploy a VM-Series firewall on a Google Compute Engine instance. ...

    Virtualization Features

    Virtualization Features VM-50 Lite Integration with Azure Security Center View high-priority firewall logs as security alerts on the Azure Security Center dashboard with the default ...

    Custom PAN-OS Metrics Published for Monitoring

    PAN-OS® metrics published to public cloud monitoring systems such as AWS® CloudWatch, Azure® Application Insights, and Google® Stackdriver. ...

    Prepare to Set Up the VM-Series Firewall on Google Public Cloud

    Information to gather and tasks to complete before deploying the VM-series firewall on a Google Compute Engine instance. ...

    Settings to Enable VM Information Sources for Google Comput...

    Enable monitoring of GCE instances to consistently enforce policy for workloads. ...

    Interface Used for Accessing External Services on the VM-Se...

    Interfaces that the VM-Series firewall uses for making API calls. ...

    About the VM-Series Firewall

    About the VM-Series Firewall The Palo Alto Networks VM-Series firewall is the virtualized form of the Palo Alto Networks next-generation firewall. It is positioned for ...

    Virtualization Features

    Describes all the exciting new capabilities in PAN-OS® 8.1 for the VM-Series firewall. ...

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo