Set Up VM Monitoring on Azure
To start collecting IP address-to-tag mapping, set up the VM Monitoring agent to execute as a cron task.
This workflow guides you through deployment of the RHEL virtual machine and configuration of the VM monitoring script to run as a cron task on this RHEL instance so that the script can collect the virtual machine attributes within your Azure subscription. You can then use this information to proactively enforce policy using your Palo Alto Networks firewalls.
The script has no default interval or frequency, so you must configure how often it runs. On each run, the script collects the IP address-to-tag mapping and publishes the information to a target virtual system on your next-gen firewalls. The script registers new IP addresses and associated tags on the firewall, and unregisters IP addresses and tags for assets that were deleted or terminated within your Azure environment.
- Make sure that you first Gather the Resources Required for VM Monitoring on Azure.
- Deploy a Red Hat Enterprise Linux 7.4 OS with at least 60GB hard disk space on the Azure public cloud.
  The virtual machine must have network connectivity to the management interface of the firewalls to which you are registering the IP address-to-tag information.
- Use an SSH client to log in to the virtual machine and verify the python version with the command python -V.
  Authenticate to the RHEL virtual machine using the option (password or SSH key) you selected when deploying the instance.
- Copy the files from the GitHub repository to the virtual machine.
  The VM Monitoring solution includes two files: parameters.json and run.py.
      git clone https://github.com/PaloAltoNetworks/azure-vm-monitoring
- Edit the parameters.json file and specify the resources you want to monitor within your Azure subscription.
      vi parameters.json
- Set up the cron task to run the VM Monitoring script at a specified frequency.
  The minimum frequency you can set is one minute. The amount of time the script takes to retrieve the IP address-to-tag information in your environment and register it on the firewall varies based on the number of virtual machines in your deployment.
  - To set up the cron task, enter the following command:
        sudo crontab -e
    This will open up an editor where you can enter the interval and specify the absolute path for the directory in which to save the log files. For example:
        */5 * * * * /usr/bin/python /home/vmMonitoring/run.py -f /home/vmMonitoring/parameters.json -l /vmagentlogs
  - Verify that the cron task is set up properly with the command sudo crontab -l
    To execute the VM Monitoring script on demand, use the command python run.py -f parameters.json -l <log-directory>, where log directory is the absolute path where you want to save the log files.
- Open the audit log file to confirm that the script was executed successfully and to view the IP address-to-tag mapping that it retrieved.
      vi <log-directory>/audit.log
      </entry><count>7</count></result></response>
      2018-03-20 17:24:31.822 +0000 VM Monitoring log INFO: : Get Tags: retrieved 7 tags
      2018-03-20 17:24:31.822 +0000 VM Monitoring log INFO: : Get Tags: Retrieved total of 7 tags
      2018-03-20 17:24:32.167 +0000 VM Monitoring log INFO: : Get Tags: <response status="success"><result>Session target vsys changed to none</result></response>
      2018-03-20 17:24:32.168 +0000 VM Monitoring log INFO: : current: ['10.155.1.1', '10.155.1.2', '10.155.1.3', '10.155.2.1', '10.155.2.2', '10.155.3.3', '10.155.3.4']
      2018-03-20 17:24:32.168 +0000 VM Monitoring log INFO: : new: ['10.155.1.1', '10.155.1.2', '10.155.1.6', '10.155.2.1', '10.155.2.2', '10.155.3.5', '10.155.3.6']
      2018-03-20 17:24:32.168 +0000 VM Monitoring log INFO: : Script completed normally.
- Log in to the CLI on the firewall and verify that you can view the IP address and tags that the script published.
  You can quickly confirm that the registered VM count on the firewall matches the audit log:
  On a hardware-based firewall, you must specify the target virtual system on which you are registering the VM information using the following command:
      admin@PA500> set system setting target-vsys vsys1
      Session target vsys changed to vsys1
      admin@PA5000vsys1>show object registered-ip all
      registered IP Tags
      10.155.2.5 #"azure-tag.vm-name.vrpn5server" "azure-tag.resource-group.vrpn5RG" "azure-tag.subnet.vrpn5Untrust" "azure-tag.vnet.vrpn5vnet0" "azure-tag.region.eastus2" "azure-tag.vm-size.Standard_D2s_v3" "azure-tag.os-type.Linux" "azure-tag.os-publisher.Canonical" "azure-tag.os-offer.UbuntuServer" "azure-tag.os-sku.16.04-LTS"
- Set up Dynamic Address Groups and use them in Security policy.
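The audit-log check in the procedure above can be automated so that a cron job that silently stops running does not leave stale IP address-to-tag mappings behind Security policy. This is an added example, not part of the VM Monitoring repository; it assumes Python 3, that `current` lists the IP addresses already registered on the firewall and `new` the ones just retrieved from Azure, and a 10-minute staleness threshold (twice the 5-minute cron interval shown above). The log lines are constructed in the audit.log format shown above.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the audit.log format shown in the procedure.
SAMPLE_LOG = """\
</entry><count>3</count></result></response>
2018-03-20 17:24:31.822 +0000 VM Monitoring log INFO: : Get Tags: Retrieved total of 3 tags
2018-03-20 17:24:32.168 +0000 VM Monitoring log INFO: : current: ['10.155.1.1', '10.155.1.2', '10.155.1.3']
2018-03-20 17:24:32.168 +0000 VM Monitoring log INFO: : new: ['10.155.1.1', '10.155.1.2', '10.155.1.6']
2018-03-20 17:24:32.168 +0000 VM Monitoring log INFO: : Script completed normally.
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3} [+-]\d{4}) "
    r"VM Monitoring log \w+: : (.*)$")

def parse_last_run(log_text):
    """Return the latest 'current'/'new' IP sets and completion timestamp."""
    run = {"current": set(), "new": set(), "completed": None}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip XML API fragments and partial lines
        ts, msg = m.groups()
        for key in ("current", "new"):
            if msg.startswith(key + ": ["):
                # later runs overwrite earlier ones, so the last run wins
                run[key] = set(re.findall(r"'([^']+)'", msg))
        if msg.startswith("Script completed normally"):
            run["completed"] = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f %z")
    return run

def check_run(log_text, now, max_age=timedelta(minutes=10)):
    """Summarise the last run's changes and flag a missing or stale completion."""
    run = parse_last_run(log_text)
    done = run["completed"]
    return {
        # assumption: 'new' minus 'current' is what the script registers
        "register": sorted(run["new"] - run["current"]),
        # assumption: 'current' minus 'new' is what the script unregisters
        "unregister": sorted(run["current"] - run["new"]),
        # no completion line, or one older than max_age, means mappings may be stale
        "stale": done is None or now - done > max_age,
    }

if __name__ == "__main__":
    print(check_run(SAMPLE_LOG, datetime.now(timezone.utc)))
```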