Learn how the VM Monitoring solution helps you monitor
assets in your Azure deployment.
As you deploy or terminate virtual machines in the Azure
public cloud, you can use the VM Monitoring solution for Azure to
consistently enforce security policy rules on these workloads.
The VM Monitoring solution on Azure uses a VM Monitoring script
that runs on a virtual machine in the Azure public cloud environment.
The virtual machine that runs the script must run Red Hat Enterprise
Linux (RHEL) 7.4 with Python 2.7.5. The script collects the IP
address-to-tag mappings for all your Azure assets and uses the Azure
and PAN-OS APIs to register the VM information (the IP address-to-tag
mapping) on the firewalls you specify. You can specify one or more
virtual systems on each firewall to which you want to register the
VM information.
The solution, which is posted on GitHub, is released under the official
support policy of Palo Alto Networks through the support options
that you've purchased. The GitHub repository includes two files:
Parameters file—The parameters file is named
This file allows you to specify details on your Azure subscription,
how to authenticate to it, which Azure resources to monitor, and
to which firewalls you want to publish the IP address to tag mapping
information that the script collects.
VM Monitoring script—The VM Monitoring script uses Python
and is named
. This script collects
the IP address-to-tag mapping information for the Azure deployment
that you want to monitor and pushes the information to the specified
firewalls using the PAN-OS API. The script registers new IP address-to-tag
mappings on the firewalls, and unregisters from the firewalls the IP
addresses and tags of assets that have been deprovisioned in your Azure
deployment. To prevent one instance of the script from overwriting the
VM information published by another, make sure that each virtual
system receives IP address and tag information from only one instance
of the script.
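The register/unregister step described above, as an added example written for this page; it is not the VM Monitoring script from the GitHub repository and is written for Python 3 rather than the Python 2.7.5 the script itself requires. It assumes the PAN-OS XML API User-ID call (type=user-id, with the vsys parameter selecting the virtual system) and uses constructed sample snapshots in place of real Azure data; the firewall name and API key are placeholders.

```python
# Added example (Python 3), not the VM Monitoring script from the GitHub repo.
# Shows the register/unregister delta between two polls of an Azure
# subscription and the PAN-OS User-ID XML that carries it to a firewall.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode


def diff_mappings(previous, current):
    """Return (register, unregister), each mapping ip -> set(tags).

    `previous` is the IP-to-tag snapshot from the last poll, `current` the
    snapshot from this poll. Tags that appeared are registered; tags whose
    VM (or tag) was deprovisioned are unregistered. Unchanged pairs are
    left alone so they are not needlessly re-sent to the firewall.
    """
    register, unregister = {}, {}
    for ip, tags in current.items():
        added = tags - previous.get(ip, set())
        if added:
            register[ip] = added
    for ip, tags in previous.items():
        removed = tags - current.get(ip, set())
        if removed:
            unregister[ip] = removed
    return register, unregister


def build_uid_message(register, unregister):
    """Build the <uid-message> payload for a PAN-OS User-ID API update."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for action, mapping in (("register", register), ("unregister", unregister)):
        if not mapping:
            continue
        section = ET.SubElement(payload, action)
        for ip in sorted(mapping):
            entry = ET.SubElement(section, "entry", ip=ip)
            tag = ET.SubElement(entry, "tag")
            for name in sorted(mapping[ip]):
                ET.SubElement(tag, "member").text = name
    return ET.tostring(root, encoding="unicode")


def build_request(firewall, api_key, vsys, uid_message):
    """Compose the XML API call (assumed: type=user-id with a vsys
    parameter). `vsys` selects the virtual system that receives the
    mapping, so feed each vsys from exactly one script instance."""
    query = urlencode({"type": "user-id", "key": api_key,
                       "vsys": vsys, "cmd": uid_message})
    return "https://%s/api/?%s" % (firewall, query)


def response_ok(response_xml):
    """True when the firewall answered <response status="success">.
    Log the full response to the audit log either way; only failures
    belong in the error log."""
    return ET.fromstring(response_xml).get("status") == "success"


if __name__ == "__main__":
    # Constructed sample snapshots (not real Azure data):
    # 10.0.1.4 gained a tag, 10.0.1.5 was deprovisioned, 10.0.1.6 is new.
    previous = {"10.0.1.4": {"azure-tag.env.prod", "azure-tag.role.web"},
                "10.0.1.5": {"azure-tag.role.db"}}
    current = {"10.0.1.4": {"azure-tag.env.prod", "azure-tag.role.web",
                            "azure-tag.tier.front"},
               "10.0.1.6": {"azure-tag.role.db"}}
    reg, unreg = diff_mappings(previous, current)
    msg = build_uid_message(reg, unreg)
    print(build_request("fw-mgmt.example.net", "<api-key>", "vsys1", msg))
    print(response_ok('<response status="success"><msg>ok</msg></response>'))
```

In a real run the request goes to the firewall's management interface over HTTPS with certificate verification on, and sending it as a POST (with the key in the X-PAN-KEY header on PAN-OS releases that support it) keeps the API key out of URLs and audit logs.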
You must use the management interface
on the firewall to communicate with the virtual machine (RHEL instance)
that runs the script.
The script generates two sets of
log files. The audit log includes all messages, including the API
calls and the responses. The error log includes error messages only.
Each log file is rotated at 1 GB, and a maximum of 30 log files
is kept on disk, so plan for about 30 GB of disk space on the virtual
machine for logs. If you want persistent log storage, make
sure to export or archive the log files to an external location.
You can deploy one or more instances of the virtual machine (RHEL
instance) to run the VM Monitoring script that monitors your Azure
subscription. Because the script is designed to run as a cron
task, each invocation first checks whether a previous run is still in
progress and exits if it is. A new cron run therefore never overlaps
a run that is already in progress, and you cannot run multiple instances
of the VM Monitoring script on a single virtual machine (RHEL instance).
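The two operational details above (the single-instance guard for a cron-driven script, and the audit/error log pair rotated at 1 GB with 30 files kept) as an added example; this is not the VM Monitoring script itself and is written for Python 3 on Linux. The log file names, lock file path and the poll callback are assumptions for the example, and the failing poll is a constructed failure.

```python
# Added example (Python 3, Linux), not the VM Monitoring script itself.
# Shows the single-instance guard a cron-driven script needs and the
# audit/error log pair with rotation described on the page.
import fcntl
import logging
import os
import tempfile
from logging.handlers import RotatingFileHandler

LOG_MAX_BYTES = 1024 ** 3   # rotate each log at 1 GB
LOG_BACKUP_COUNT = 30       # keep at most 30 rotated files per log


def setup_logging(log_dir):
    """Audit log gets every message (API calls and responses included);
    error log gets ERROR and above only. Returns (logger, {name: path}).
    File names are this example's own choice."""
    log = logging.getLogger("vm_monitoring")
    log.setLevel(logging.DEBUG)
    for old in list(log.handlers):          # make repeated calls idempotent
        log.removeHandler(old)
        old.close()
    fmt = logging.Formatter("%(asctime)s %(levelname)s %(message)s")
    paths = {}
    for name, level in (("audit", logging.DEBUG), ("error", logging.ERROR)):
        path = os.path.join(log_dir, "vm_monitoring_%s.log" % name)
        handler = RotatingFileHandler(path, maxBytes=LOG_MAX_BYTES,
                                      backupCount=LOG_BACKUP_COUNT)
        handler.setLevel(level)
        handler.setFormatter(fmt)
        log.addHandler(handler)
        paths[name] = path
    return log, paths


def acquire_run_lock(lock_path):
    """Take an exclusive, non-blocking flock. Returns the open file (keep
    it open for the life of the run) or None if another run holds the
    lock. The kernel releases the lock when the process exits, so a
    crashed run cannot leave a stale lock the way a pid file can."""
    fh = open(lock_path, "w")
    try:
        fcntl.flock(fh, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except OSError:
        fh.close()
        return None
    fh.write(str(os.getpid()))
    fh.flush()
    return fh


def release_run_lock(fh):
    fcntl.flock(fh, fcntl.LOCK_UN)
    fh.close()


def run_once(log_dir, lock_path, poll):
    """Cron entry point. `poll(log)` stands in for the Azure query plus
    firewall update. Returns True if this invocation did the work, False
    if it was skipped because a previous run is still in progress."""
    log, _ = setup_logging(log_dir)
    lock = acquire_run_lock(lock_path)
    if lock is None:
        log.info("previous run still active; skipping this cron invocation")
        return False
    try:
        log.info("poll started")
        poll(log)
        log.info("poll finished")
    except Exception as exc:          # failures land in both logs
        log.error("poll failed: %s", exc)
    finally:
        release_run_lock(lock)
    return True


def demo():
    """Exercise the guard and the log split in a scratch directory."""
    work = tempfile.mkdtemp(prefix="vm_mon_")
    lock_path = os.path.join(work, "vm_monitoring.lock")
    results = {}
    results["first_run"] = run_once(work, lock_path, lambda log: None)
    held = acquire_run_lock(lock_path)        # simulate a run in progress
    results["overlapping_run"] = run_once(work, lock_path, lambda log: None)
    release_run_lock(held)

    def failing_poll(log):
        raise RuntimeError("azure api timeout")  # constructed failure
    results["failed_run"] = run_once(work, lock_path, failing_poll)
    with open(os.path.join(work, "vm_monitoring_audit.log")) as f:
        audit = f.read()
    with open(os.path.join(work, "vm_monitoring_error.log")) as f:
        error = f.read()
    results["error_logged"] = "azure api timeout" in error
    results["info_only_in_audit"] = ("poll started" in audit
                                     and "poll started" not in error)
    return results


if __name__ == "__main__":
    print(demo())
```

The flock-based guard is what makes "a new cron task does not execute when one is running" safe: the second invocation sees the lock, logs that it skipped, and exits, rather than sending a second set of register/unregister calls to the same virtual system.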