Enable Google Stackdriver Monitoring on the VM-Series Firewall
Monitor PAN-OS metrics from Google® Stackdriver. Understand what you can accomplish with your project’s default service account, compared to a user’s service account.
A VM-Series firewall on a Google® Compute Engine instance can publish custom PAN-OS metrics to Google Stackdriver. These metrics allow you to assess performance and usage patterns so that you can manage your firewall resources accordingly.
Google Stackdriver Permissions
Authentication requirements vary based on whether you can use the default service account to authenticate or need to use Google APIs to authenticate.
You can authenticate in two ways:
- Use the default service account for the VM-Series firewall instance—If you are using the Google Cloud Platform (GCP™) Console, then you logged in with your email address and can access the instance based on whatever permissions or roles the project administrator assigned to your account.
- Use IAM permissions and the Google APIs—If you use the Google SDK APIs and gcloud, then you must call the APIs to authenticate. You typically use the Google SDK when you want to manage the firewall from a command line or you want to run a script to configure the firewall.
Every Google Compute Engine instance created with the Google Cloud Console or the gcloud command line tool has a default service account with the name in email address format:
To see the service account name for the firewall instance, view the instance details and scroll to the bottom (refer to the Compute Engine default service account).
The default service account can manage authentication for monitoring VMs in the same project as a VM-Series firewall.
- Access scopes allow the firewall to initiate API calls to monitor VMs in a Google Cloud project.
- You don’t need to access the Google APIs unless one of the monitored virtual machines has a custom image with applications that require Google APIs.
If you want to set up monitoring from a physical firewall or from a VM-Series firewall in a different project, you must use the Google APIs to authenticate. There are two prerequisites:
- Google APIs must be installed.
- Your account must have the roles Monitoring Metric Writer and Stackdriver Account Viewer.
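The following added example, which is not part of the original documentation, audits an IAM policy export for the account used to publish metrics: it reports which of the two roles above are missing and whether the account also holds a basic Owner or Editor role. The role IDs are assumed to correspond to the role names on this page, and the account name and sample policy are constructed for illustration.

```python
import json

# Role IDs assumed to match the two role names listed on this page.
REQUIRED = {"roles/monitoring.metricWriter", "roles/stackdriver.accounts.viewer"}
# Basic roles that grant far more than publishing metrics needs.
BROAD = {"roles/owner", "roles/editor"}


def audit_policy(policy_json, account_email):
    """Return (missing_required_roles, broad_roles) for one service account.

    policy_json has the shape printed by
    `gcloud projects get-iam-policy PROJECT_ID --format=json`.
    """
    member = "serviceAccount:" + account_email
    unconditional, conditional = set(), set()
    for binding in json.loads(policy_json).get("bindings", []):
        if member not in binding.get("members", []):
            continue
        # A conditional binding may not apply to every request, so it is
        # reported if broad but never counted as meeting a requirement.
        target = conditional if "condition" in binding else unconditional
        target.add(binding["role"])
    missing = sorted(REQUIRED - unconditional)
    broad = sorted((unconditional | conditional) & BROAD)
    return missing, broad


# Constructed sample data (hypothetical account and project names).
SAMPLE_ACCOUNT = "fw-metrics@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:" + SAMPLE_ACCOUNT]},
    {"role": "roles/monitoring.metricWriter",
     "members": ["user:admin@example.com", "serviceAccount:" + SAMPLE_ACCOUNT]},
]})

if __name__ == "__main__":
    missing, broad = audit_policy(SAMPLE_POLICY, SAMPLE_ACCOUNT)
    print("missing required roles:", missing)
    print("broader than needed:", broad)
```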
Enable Google Stackdriver
- Push PAN-OS metrics from a VM-Series firewall on a Google Compute Engine instance to Stackdriver.
- Log in to the web interface on the VM-Series firewall.
- Select Device > Setup > Operations.
- Under Google Cloud Stackdriver Monitoring Setup, click Edit.
- Check Publish PAN-OS metrics to Stackdriver.
- Set the Update Interval (range is 1 - 60 minutes; default is 5). This is the frequency at which the firewall publishes the metrics to Stackdriver.
- Click OK.
- Commit your changes. Wait until the firewall starts to publish metrics to Stackdriver before you configure alarms for PAN-OS metrics.
- Verify that you can see the metrics on Stackdriver.
- In the Google Cloud Console, select Products and Services > Monitoring.
- In Stackdriver, choose Resources > Metrics Explorer.
- In the Find resource type and metric section, enter custom in the search field to filter the PAN-OS metrics.
- Configure alerts and actions for PAN-OS metrics on Stackdriver. See Monitoring Quickstart for Google Compute Engine and Stackdriver Introduction to Alerting.