Attributes Monitored Using the Panorama Plugin on Azure

Proactively monitor the Virtual Machines (VMs) deployed on the Microsoft® Azure® public cloud.
When using the Panorama plugin for Azure, Panorama gathers the following set of metadata elements or attributes on the virtual machines in your Microsoft® Azure® deployment. Panorama can retrieve a total of 32 tags for each VM, 11 predefined tags and up to 21 user-defined tags.
The maximum length of a tag can be 127 characters. If a tag is longer than 127 characters, Panorama does not retrieve the tag and register it on the firewalls. Also the tags should not include non-ASCII special characters such as { or ".
The following attributes are monitored in all Panorama plugin for Azure versions.
Virtual Machine
VM Monitoring
Example
VM Name
azure-tag.vm-name.web_server1
Network Security Group Name
azure-tag.nsg-name.myNSG
OS Type
azure-tag.os-type.Linux
OS Publisher
azure-tag.os-publisher.Canonical
OS Offer
azure-tag.os-offer.UbuntuServer
OS SKU
azure-tag.os-sku.14.04.5-LTS
Subnet
azure-tag.subnet.webtier
VNet
azure-tag.vnet.untrustnet
Azure Region
azure-tag.region.east-us
Resource Group Name
azure-tag.resource-group.myResourceGroup
Subscription ID
azure.sub-id.93486f84-8de9-44f1-b4a8-f66aed312b64
User Defined Tags
Up to a maximum of 21 user defined tags are supported. The user-defined tags are sorted alphabetically, and the first 21 tags are available for use on Panorama and the firewalls.
azure-tag.mytag.value
Load Balancer
Panorama plugin on Azure version 3.0 or later supports tags for each application gateway and standard load balancer (both public and private IP addresses). Each load balancer has predefined tags for resource group, load balancer name and region, and supports up to 21 user-defined tags specific to load balancing.
Load Balancer Tags
Example
Load Balancer
azure.<type>.myLoadBalancer
Azure Region
azure-tag.region.east-us
Resource Group Name
azure-tag.resource-group.myResourceGroup
User Defined Tags
Up to a maximum of 21 user defined tags are supported. The user-defined tags are sorted alphabetically, and the first 21 tags are available for use on Panorama and the firewalls.
azure-tag.mytag.value
Subnet/VNET
Panorama plugin on Azure version 3.0 or later supports tags for each Subnet and VNET in your subscription. Each subnet and VNET tag is associated with the full IP CIDR range so you can create policies based on a CIDR range rather than individual IP addresses. The plugin queries every subnet and VNET in your subscription and creates tags for them.
Subnet and VNET Tags
Example
Subnet Name
azure.subnet-name.web
VNET Name
azure.vnet-name.myvnet
Service Tag Monitoring
Panorama plugin on Azure version 3.0 supports service tags.
Azure Service tags simplify security for Azure virtual machines and Azure virtual networks because you can restrict network access to just the Azure services you want to use. A service tag represents a group of IP address prefixes for a particular Azure service. For example, a tag can represent all storage IP addresses.
The plugin makes a daily API call (at 5:00 am UTC) to retrieve all service tags from the Azure Portal, parses the payload to form IP-Service Mappings, and stores the mappings in the plugin database. The mappings are passed to configd, then on to Panorama. If the API call fails to return service information, the plugin forms the IP-Service mappings from the contents of
service_tags_public.json
. Plugin logs report the origin of the IP-Service mappings, the daily retrieval or the JSON file.
The plugin also updates service tags for a new installation of the plugin, commit events, and monitoring definition addition or deletion.
A sample IP-Service mapping is shown below:
Service Name: AppServiceManagementazure.svc-tag.<service-name> Example:     azure.svc-tag.AppServiceManagement.WestUS2 Public IP CIDRs:     13.166.40.0/26     54.179.89.0/18

Recommended For You