VM Information Sources provides an automated
way to gather information on the Virtual Machine (VM) inventory
on each monitored source (host); the firewall can monitor VMware
ESXi, vCenter Server, AWS-VPC, Microsoft Azure VNet, and Google
Cloud. As virtual machines (guests) are deployed or moved, the firewall
collects a predefined set of attributes (or metadata elements) as
tags; these tags can then be used to define Dynamic Address Groups
(see Use Dynamic Address Groups in Policy) and matched against in
policy.
You can directly configure the firewall or use Panorama
templates to monitor up to 10 VM information sources.
VM Information Sources offers easy configuration and enables
you to monitor a predefined set of 16 metadata elements or attributes.
See Attributes Monitored on Virtual Machines in Cloud Platforms for the
list. By default, the traffic between the firewall and the monitored
sources uses the management (MGT) port on the firewall.
When monitoring ESXi hosts that are part of the
VM-Series NSX edition solution,
use Dynamic Address Groups instead of using VM Information Sources
to learn about changes in the virtual environment. For the VM-Series
NSX edition solution, the NSX Manager provides Panorama with information
on the NSX security group to which an IP address belongs. The information
from the NSX Manager provides the full context for defining the
match criteria in a Dynamic Address Group because it uses the service
profile ID as a distinguishing attribute and allows you to properly
enforce policy when you have overlapping IP addresses across different
NSX security groups. A maximum of 32 tags (from vCenter Server
and NSX Manager) can be registered to an IP address.
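
The overlapping-address problem described above, as an added illustrative model (not PAN-OS, Panorama or NSX code): when tags are keyed on the IP address alone, two security groups that reuse an address merge their tags, and a VM lands in a Dynamic Address Group it does not belong to. The class, tag names, profile IDs and addresses are constructed for the example; the 32-tag cap is the limit stated above.

```python
MAX_TAGS_PER_IP = 32  # per-address tag limit stated on this page


class TagRegistry:
    """Toy model of IP-to-tag registration; not PAN-OS or Panorama code."""

    def __init__(self, key_on_profile_id):
        self.key_on_profile_id = key_on_profile_id
        self.tags = {}  # (profile_id or None, ip) -> set of tags

    def _key(self, profile_id, ip):
        # Without the profile ID, every group that reuses an IP shares one entry.
        return (profile_id if self.key_on_profile_id else None, ip)

    def register(self, profile_id, ip, new_tags):
        key = self._key(profile_id, ip)
        merged = self.tags.get(key, set()) | set(new_tags)
        if len(merged) > MAX_TAGS_PER_IP:
            raise ValueError(f"{ip}: {len(merged)} tags exceeds {MAX_TAGS_PER_IP}")
        self.tags[key] = merged

    def in_group(self, match_tags, profile_id, ip):
        """True if the address carries every tag in the group's match criteria."""
        tags = self.tags.get(self._key(profile_id, ip), set())
        return set(match_tags) <= tags


# Constructed inventory: two security groups reuse the address 10.0.0.5.
INVENTORY = [
    ("sp-web", "10.0.0.5", ["sg-web"]),
    ("sp-db", "10.0.0.5", ["sg-db"]),
    ("sp-db", "10.0.0.9", ["sg-db"]),
]


def build(key_on_profile_id):
    reg = TagRegistry(key_on_profile_id)
    for profile_id, ip, tags in INVENTORY:
        reg.register(profile_id, ip, tags)
    return reg


def web_vm_matches_db_group(key_on_profile_id):
    """Does the web-group VM at 10.0.0.5 land in a group matching 'sg-db'?"""
    return build(key_on_profile_id).in_group(["sg-db"], "sp-web", "10.0.0.5")


if __name__ == "__main__":
    print("IP-only keying:  ", web_vm_matches_db_group(False))
    print("profile ID + IP: ", web_vm_matches_db_group(True))
```
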
For monitoring the virtual machines within your Azure deployment,
instead of VM Monitoring Sources, you need to deploy the
VM Monitoring script that runs on a virtual
machine within the Azure public cloud. This script collects the
IP address-to-tag mapping information for your Azure assets and publishes
it to the firewalls and corresponding virtual systems you specify
in the script.
- For Panorama version 8.1.3 and later, you can also use the Panorama
plugin for AWS or Azure to retrieve VM Information and register
it to the managed firewalls. See Attributes Monitored on Virtual
Machines in Cloud Platforms for details.