Enable VM Monitoring to Track VM Changes on Google Cloud Platform (GCP)

You can enable any firewall that runs PAN-OS 8.1 (virtual or physical) to monitor application workloads deployed on Google Compute Engine instances. VM Monitoring enables you to monitor a predefined set of metadata elements or attributes on the VM-Series firewall. In the PAN-OS 8.1 Administrator’s Guide, see Attributes Monitored on Virtual Machines in Cloud Platforms.
With an awareness of virtual machine adds, moves, and deletes within a Google VPC, you can create Security policy rules that automatically adapt to changes in your application environment. As you deploy or move virtual machines, the firewall collects attributes (or metadata elements). You can use this metadata for policy matching and to define Dynamic Address Groups (see Use Dynamic Address Groups to Secure Instances Within the VPC).
You can configure up to ten VM information sources on each firewall or on each virtual system on a firewall capable of multiple virtual systems. Information sources can also be pushed using Panorama templates.
To perform VM monitoring, you must have the IAM role Monitoring Metric Writer.
  1. Log in to your deployed firewall.
  2. Enable VM Monitoring.
    1. Select Device > VM Information Sources.
    2. Add a VM information source and enter the following information:
      • Specify a Name to identify the instance that you want to monitor.
      • Select the Google Compute Engine Type.
      • Select Enabled.
      • Choose the Service Authentication Type.
        • If you choose VM-Series running in GCE, you are authenticating with the default service account generated when an instance is created. This is part of the instance metadata.
        • If you want to monitor from a firewall outside the current project, choose Service Account. You must upload the service account credentials in JSON format. See Creating and Managing Service Account Keys.
      • (Optional) Modify the Update interval to a value between 5 and 600 seconds. By default the firewall polls every 5 seconds. The API calls are queued and retrieved every 60 seconds, so an update takes up to 60 seconds plus the configured polling interval.
      • (Optional) To change the number of hours before timeout, check Enable timeout when the source is disconnected and enter the Timeout (hours) before the connection to the monitored source is closed (range is 2 to 10; default is 2).
        If the firewall cannot access the host and the specified limit is reached, the firewall closes the connection to the source.
      • Click OK and Commit your changes.
  3. Verify the connection status.
    If the connection status is pending or disconnected, verify that the source is operational and that the firewall is able to access the source. If you use a port other than the Management (MGT) port for communicating with the monitored source, then you must change the service route (select Device > Setup > Services, click Service Route Configuration, and modify the Source Interface for the VM Monitor service).
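Before committing, the service account key file you upload for the Service Account authentication type, and the Update interval and Timeout values, can be sanity-checked offline. The following Python is an added example, not Palo Alto Networks or Google code; the sample key file is constructed, with a placeholder in place of a real private key.

```python
import json

# Fields found in every Google service-account key file (type "service_account").
REQUIRED_KEY_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
)

# Constructed sample key file shaped like a real download; the private key is a placeholder.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "vm-monitor@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def check_service_account_key(raw_json: str) -> list:
    """Return the problems found in a service-account key file; an empty list means it looks usable."""
    problems = []
    try:
        key = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    for field in REQUIRED_KEY_FIELDS:
        if field not in key:
            problems.append(f"missing field {field!r}")
    if key.get("type") != "service_account":
        # An OAuth client or authorized-user file is a different credential type and will not work here.
        problems.append("type must be 'service_account'")
    pk = key.get("private_key", "")
    if not (pk.startswith("-----BEGIN PRIVATE KEY-----") and pk.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM-encoded private key")
    email = key.get("client_email", "")
    if "@" not in email or not email.endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a service-account address")
    return problems


def check_monitor_settings(update_interval_s: int, timeout_hours: int) -> list:
    """Validate the VM information source settings against the ranges given in the procedure."""
    problems = []
    if not 5 <= update_interval_s <= 600:
        problems.append("Update interval must be between 5 and 600 seconds")
    if not 2 <= timeout_hours <= 10:
        problems.append("Timeout (hours) must be between 2 and 10")
    return problems


def worst_case_update_delay_s(update_interval_s: int) -> int:
    """API calls are retrieved every 60 seconds, so a change can take 60 s plus the polling interval to appear."""
    return 60 + update_interval_s
```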