Set Up VM Monitoring on Azure
To start collecting IP address-to-tag mapping, set up the VM Monitoring agent to execute as a cron task.
This workflow guides you through deployment of the RHEL virtual machine and configuration of the VM monitoring script to run as a cron task on this RHEL instance so that the script can collect the virtual machine attributes within your Azure subscription. You can then use this information to proactively enforce policy using your Palo Alto Networks firewalls.
There is no default interval or frequency at which the script will execute, so you must configure the script to run at a specific interval at which the script collects the IP address-to-tag mapping and publishes the information to a target virtual system on your next-gen firewalls. The script registers new IP addresses and associated tags on the firewall, and unregisters IP addresses and tags for assets that were deleted or terminated within your Azure environment.
- Make sure that you first Gather the Resources Required for VM Monitoring on Azure.
- Deploy a Red Hat Enterprise Linux 7.4 OS with at least 60 GB hard disk space on the Azure public cloud. The virtual machine must have network connectivity to the management interface of the firewalls to which you are registering the IP address-to-tag information.
- Use an SSH client to log in to the virtual machine and verify the Python version with the command python -V. Authenticate to the RHEL virtual machine using the option (password or SSH key) you selected when deploying the instance.
- Copy the files from the GitHub repository to the virtual machine. The VM Monitoring solution includes two files, parameters.json and run.py:
  git clone https://github.com/PaloAltoNetworks/azure-vm-monitoring
- Edit the parameters.json file and specify the resources you want to monitor within your Azure subscription:
  vi parameters.json
- Set up the cron task to run the VM Monitoring script at a specified frequency. The minimum frequency you can set is one minute. The amount of time the script takes to retrieve the IP address-to-tag information in your environment and register it on the firewall varies based on the number of virtual machines in your deployment.
- To set up the cron task, enter the following command:
  sudo crontab -e
  This opens an editor where you enter the interval and specify the absolute path for the directory in which to save the log files. For example, the following entry runs the script every five minutes:
  */5 * * * * /usr/bin/python /home/vmMonitoring/run.py -f /home/vmMonitoring/parameters.json -l /vmagentlogs
- Verify that the cron task is set up properly with the command:
  sudo crontab -l
  To execute the VM Monitoring script on demand, use the following command, where <log-directory> is the absolute path where you want to save the log files:
  python run.py -f parameters.json -l <log-directory>
- Open the audit log file to confirm that the script was executed successfully and to view the IP address-to-tag mapping that it retrieved:
  vi <log-directory>/audit.log
  </entry><count>7</count></result></response>
  2018-03-20 17:24:31.822 +0000 VM Monitoring log INFO: : Get Tags: retrieved 7 tags
  2018-03-20 17:24:31.822 +0000 VM Monitoring log INFO: : Get Tags: Retrieved total of 7 tags
  2018-03-20 17:24:32.167 +0000 VM Monitoring log INFO: : Get Tags: <response status="success"><result>Session target vsys changed to none</result></response>
  2018-03-20 17:24:32.168 +0000 VM Monitoring log INFO: : current: ['10.155.1.1', '10.155.1.2', '10.155.1.3', '10.155.2.1', '10.155.2.2', '10.155.3.3', '10.155.3.4']
  2018-03-20 17:24:32.168 +0000 VM Monitoring log INFO: : new: ['10.155.1.1', '10.155.1.2', '10.155.1.6', '10.155.2.1', '10.155.2.2', '10.155.3.5', '10.155.3.6']
  2018-03-20 17:24:32.168 +0000 VM Monitoring log INFO: : Script completed normally.
- Log in to the CLI on the firewall and verify that you can view the IP addresses and tags that the script published. You can quickly confirm that the registered VM count on the firewall matches the audit log. On a hardware-based firewall, you must specify the target virtual system on which you are registering the VM information using the following command:
  admin@PA500> set system setting target-vsys vsys1
  Session target vsys changed to vsys1
  admin@PA5000vsys1> show object registered-ip all
  registered IP                             Tags
  10.155.2.5 #"azure-tag.vm-name.vrpn5server" "azure-tag.resource-group.vrpn5RG" "azure-tag.subnet.vrpn5Untrust" "azure-tag.vnet.vrpn5vnet0" "azure-tag.region.eastus2" "azure-tag.vm-size.Standard_D2s_v3" "azure-tag.os-type.Linux" "azure-tag.os-publisher.Canonical" "azure-tag.os-offer.UbuntuServer" "azure-tag.os-sku.16.04-LTS"
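The two checks above (reading the audit log's current/new lists, and comparing the firewall's registered IPs against them) can be automated. The following is an added example, not part of the VM Monitoring solution or the azure-vm-monitoring repository; the audit log lines and the show object registered-ip all output are constructed samples modelled on the excerpts above, and the column layout of the firewall output is assumed.

```python
import re

# Constructed sample of audit.log lines, modelled on the excerpt shown in this procedure.
AUDIT_LOG = """\
2018-03-20 17:24:32.168 +0000 VM Monitoring log INFO: : current: ['10.155.1.1', '10.155.1.2', '10.155.1.3']
2018-03-20 17:24:32.168 +0000 VM Monitoring log INFO: : new: ['10.155.1.1', '10.155.1.2', '10.155.1.6']
"""

# Constructed sample of `show object registered-ip all` output (layout assumed from the excerpt).
FIREWALL_OUTPUT = """\
registered IP                             Tags
10.155.1.1 #"azure-tag.vm-name.web1" "azure-tag.region.eastus2"
10.155.1.2 #"azure-tag.vm-name.web2" "azure-tag.region.eastus2"
10.155.1.6 #"azure-tag.vm-name.web3" "azure-tag.region.eastus2"
"""

IP_LIST = re.compile(r"INFO: : (current|new): \[(.*)\]")

def parse_audit_log(text):
    """Return (current, new) IP sets from the audit log's list lines."""
    found = {}
    for line in text.splitlines():
        m = IP_LIST.search(line)
        if m:
            found[m.group(1)] = set(re.findall(r"'([^']+)'", m.group(2)))
    return found.get("current", set()), found.get("new", set())

def expected_changes(current, new):
    """IPs the script registers (only in new) and unregisters (only in current)."""
    return new - current, current - new

def parse_registered_ips(text):
    """Map each registered IP to its tag set from `show object registered-ip all` output."""
    ips = {}
    for line in text.splitlines():
        m = re.match(r"^(\d+\.\d+\.\d+\.\d+)\s+#(.*)$", line)
        if m:
            ips[m.group(1)] = set(re.findall(r'"([^"]+)"', m.group(2)))
    return ips

def verify(audit_text, firewall_text):
    """True when the firewall's registered IPs equal the audit log's 'new' list."""
    _, new = parse_audit_log(audit_text)
    return set(parse_registered_ips(firewall_text)) == new

if __name__ == "__main__":
    cur, new = parse_audit_log(AUDIT_LOG)
    reg, unreg = expected_changes(cur, new)
    print("register:", sorted(reg), "unregister:", sorted(unreg),
          "firewall matches audit log:", verify(AUDIT_LOG, FIREWALL_OUTPUT))
```

A mismatch from verify() means an IP was registered or unregistered on the firewall outside of the script's last run, or the cron run did not complete, which is the case to investigate before relying on the tags in policy.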