Enable VM Monitoring to Track VM Changes on Google Cloud Platform (GCP)

You can enable any firewall running a compatible version of PAN-OS (virtual or physical) to monitor application workloads deployed on Google Compute Engine instances. VM Monitoring enables you to monitor a predefined set of metadata elements or attributes on the VM-Series firewall. In the PAN-OS 8.1 Administrator’s Guide, see Attributes Monitored on Virtual Machines in Cloud Platforms.
With an awareness of virtual machine adds, moves, and deletes within a Google VPC, you can create Security policy rules that automatically adapt to changes in your application environment. As you deploy or move virtual machines, the firewall collects attributes (or metadata elements). You can use this metadata for policy matching and to define Dynamic Address Groups (see Use Dynamic Address Groups to Secure Instances Within the VPC).
You can configure up to ten VM information sources on each firewall or on each virtual system on a firewall capable of multiple virtual systems. Information sources can also be pushed using Panorama templates.
To perform VM monitoring, you must have the IAM role Monitoring Metric Writer.
  1. Log in to your deployed firewall.
  2. Enable VM Monitoring.
    1. Select Device > VM Information Sources.
    2. Add a VM information source and enter the following information:
      • Specify a Name to identify the instance that you want to monitor.
      • Select the Google Compute Engine Type.
      • Select Enabled.
      • Choose the Service Authentication Type.
        • If you choose VM-Series running in GCE, you authenticate with the default service account generated when an instance is created. This account is part of the instance metadata.
        • If you want to monitor from a firewall outside the current project, choose Service Account. You must upload the service account credentials in JSON format. See Creating and Managing Service Account Keys.
      • (Optional) Modify the Update interval to a value between 5 and 600 seconds. By default the firewall polls every 5 seconds. Because the API calls are queued and retrieved every 60 seconds, an update takes up to 60 seconds plus the configured polling interval to reach the firewall.
      • (Optional) To change the number of hours before timeout, check Enable timeout when the source is disconnected and enter the Timeout (hours) before the connection to the monitored source is closed (range is 2 to 10; default is 2). If the firewall cannot access the host and the specified limit is reached, the firewall closes the connection to the source.
      • Click OK and Commit your changes.
  3. Verify the connection status.
    If the connection status is pending or disconnected, verify that the source is operational and that the firewall is able to access the source. If you use a port other than the Management (MGT) port for communicating with the monitored source, you must change the service route: select Device > Setup > Services, click Service Route Configuration, and modify the Source Interface for the VM Monitor service.
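Two of the inputs to the procedure above can be checked before touching the firewall: the service account key file you would upload when the authentication type is Service Account, and whether the account the firewall authenticates as actually holds the Monitoring Metric Writer role (its IAM identifier is `roles/monitoring.metricWriter`). The following Python is an added example, not Palo Alto Networks or Google code; the key file and IAM policy it inspects are constructed samples shaped like a downloaded key and like the output of `gcloud projects get-iam-policy PROJECT --format=json`, and the project name, project number and account addresses in them are placeholders.

```python
"""Preflight checks for a PAN-OS GCE VM Information Source (added example).

1. check_key_file: the JSON key you upload for "Service Account" authentication
   must be a well-formed GCP service-account key (shape only; nothing is signed).
2. has_metric_writer_role: the account the firewall uses must be bound to
   roles/monitoring.metricWriter in the project's IAM policy.
3. worst_case_update_delay: the propagation delay implied by the page's
   "60 seconds plus the configured polling interval" rule.
All sample data below is constructed, not captured from a real project.
"""
import json

METRIC_WRITER_ROLE = "roles/monitoring.metricWriter"  # IAM id of "Monitoring Metric Writer"
REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                       "client_email", "token_uri")

# Constructed key file (placeholder values; a real key carries a full PEM block).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "fw-monitor@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})

# Constructed IAM policy in gcloud's JSON layout: the hypothetical fw-monitor
# account has the role, the default compute account does not.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/monitoring.metricWriter",
         "members": ["serviceAccount:fw-monitor@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/compute.viewer",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    ],
    "etag": "PLACEHOLDER",
    "version": 1,
})


def check_key_file(key_json: str) -> list:
    """Return the problems found in a service-account key file (empty list if OK)."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    problems = [f"missing field: {f}" for f in REQUIRED_KEY_FIELDS if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append("type is not 'service_account'")
    return problems


def has_metric_writer_role(policy_json: str, member: str) -> bool:
    """True if `member` (e.g. 'serviceAccount:x@y.iam.gserviceaccount.com') is bound
    to roles/monitoring.metricWriter in the project-level IAM policy."""
    policy = json.loads(policy_json)
    for binding in policy.get("bindings", []):
        if binding.get("role") == METRIC_WRITER_ROLE and member in binding.get("members", []):
            return True
    return False


def worst_case_update_delay(update_interval_s: int) -> int:
    """Seconds before a VM change can reach the firewall: the configured polling
    interval (5-600 s) plus the 60 s API retrieval queue described on the page."""
    if not 5 <= update_interval_s <= 600:
        raise ValueError("update interval must be between 5 and 600 seconds")
    return update_interval_s + 60


def preflight(key_json: str, policy_json: str) -> dict:
    """Run all checks for the account named in the key file and summarise them."""
    problems = check_key_file(key_json)
    member = ""
    if not problems:
        member = "serviceAccount:" + json.loads(key_json)["client_email"]
    return {
        "key_problems": problems,
        "has_metric_writer": bool(member) and has_metric_writer_role(policy_json, member),
    }


if __name__ == "__main__":
    print(preflight(SAMPLE_KEY, SAMPLE_POLICY))
    print("worst-case delay at default interval:", worst_case_update_delay(5), "s")
```

Two limits worth knowing: the policy check looks only at project-level bindings, so a role inherited from a folder or organization binding will not be found, and conditional bindings are treated like unconditional ones. The key-file check verifies shape, not that the key is still valid in GCP; a disabled or deleted key passes it and only shows up later as a pending or disconnected source in step 3.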