You can enable any firewall that runs PAN-OS
9.0 (virtual or physical) to monitor application workloads deployed
on Google Compute Engine instances. In this procedure you manually
log in to the firewall to enable VM monitoring. If you want to use the
Panorama plugin for GCP to configure VM Monitoring, see Configure VM Monitoring with the Panorama Plugin for GCP.
With an awareness of
virtual machine adds, moves, and deletes within a Google VPC, you
can create Security policy rules that automatically adapt to changes
in your application environment. As you deploy or move virtual machines,
the firewall collects attributes (or metadata elements). You can
use this metadata for policy matching and to define Dynamic Address
Groups (see Use
Dynamic Address Groups to Secure Instances Within the VPC).
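As an added illustration of the adaptive policy described above (example code written for this page, not PAN-OS or Palo Alto Networks code), the Python below models how a Dynamic Address Group's membership is recomputed from the attributes the firewall learns through VM monitoring as instances are added, moved, and deleted. The tag names (google.gce.project.*, google.gce.zone.*, google.gce.label.*), the instance inventory, and the match-expression grammar (quoted tags combined with and, or, not and parentheses) are assumptions made for this example, not the product's exact syntax.

```python
# Added example (not PAN-OS code): how Dynamic Address Group (DAG) membership
# tracks VM-monitoring attributes. Tag naming and the match-expression grammar
# (and / or / not / parentheses) are assumptions, not the product's exact syntax.
import re

def gce_tags(project, zone, labels):
    """Attribute tags the monitor would attach to one instance (constructed naming)."""
    tags = {f"google.gce.project.{project}", f"google.gce.zone.{zone}"}
    tags |= {f"google.gce.label.{k}.{v}" for k, v in labels.items()}
    return frozenset(tags)

# Match-expression tokens: quoted tag names, parentheses, and the boolean keywords.
TOKEN = re.compile(r"\s*(?:'([^']*)'|(\()|(\))|\b(and|or|not)\b)")

def tokenize(expr):
    pos, tokens, expr = 0, [], expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"cannot parse match expression at {expr[pos:]!r}")
        pos = m.end()
        tag, lparen, rparen, keyword = m.groups()
        tokens.append(("tag", tag) if tag is not None else ("op", keyword or lparen or rparen))
    return tokens

def parse(tokens):
    """Recursive descent: expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := 'not' factor | '(' expr ')' | TAG.  Returns a nested-tuple tree."""
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else (None, None)

    def take():
        nonlocal pos
        tok = peek()
        pos += 1
        return tok

    def binary(op, operand):  # left-associative chain of one operator
        node = operand()
        while peek() == ("op", op):
            take()
            node = (op, node, operand())
        return node

    def expr():
        return binary("or", term)

    def term():
        return binary("and", factor)

    def factor():
        kind, value = take()
        if (kind, value) == ("op", "not"):
            return ("not", factor())
        if (kind, value) == ("op", "("):
            node = expr()
            if take() != ("op", ")"):
                raise ValueError("expected ')'")
            return node
        if kind == "tag":
            return ("tag", value)
        raise ValueError(f"unexpected token {value!r}")

    tree = expr()
    if pos != len(tokens):
        raise ValueError(f"unexpected trailing token {peek()[1]!r}")
    return tree

def matches(node, tags):
    """Evaluate a parsed tree against one instance's tag set."""
    op, *args = node
    if op == "tag":
        return args[0] in tags
    if op == "not":
        return not matches(args[0], tags)
    results = [matches(a, tags) for a in args]
    return all(results) if op == "and" else any(results)

def dag_members(match_expr, inventory):
    """IPs of every monitored instance whose tags satisfy the DAG match expression."""
    tree = parse(tokenize(match_expr))
    return {inst["ip"] for inst in inventory.values() if matches(tree, inst["tags"])}

WEB_DAG = "'google.gce.label.role.web' and 'google.gce.zone.us-central1-a'"

def simulate():
    """Replay add / move / delete events and return the DAG membership after each."""
    inventory = {}  # name -> {"ip", "tags"}: the monitor's current view of the VPC (constructed)

    def learn(name, ip, zone, labels):
        inventory[name] = {"ip": ip, "tags": gce_tags("demo-project", zone, labels)}

    learn("web-1", "10.0.1.10", "us-central1-a", {"role": "web"})
    learn("db-1", "10.0.1.20", "us-central1-a", {"role": "db"})
    history = [sorted(dag_members(WEB_DAG, inventory))]
    learn("web-2", "10.0.1.11", "us-central1-a", {"role": "web"})  # instance added
    history.append(sorted(dag_members(WEB_DAG, inventory)))
    learn("web-1", "10.0.2.10", "us-central1-b", {"role": "web"})  # instance moved zones
    history.append(sorted(dag_members(WEB_DAG, inventory)))
    del inventory["web-2"]  # instance deleted
    history.append(sorted(dag_members(WEB_DAG, inventory)))
    return history
```

Calling simulate() returns the resolved member set after each event. The point for policy design is that the Security policy rule referencing the group never changes; only its resolved addresses do, so a moved instance drops out of the group as soon as the next poll reports its new zone, and a malformed match expression is rejected at parse time rather than silently matching nothing.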
You can configure up to ten VM information sources on each firewall,
or on each virtual system on a firewall capable of multiple virtual
systems. Information sources can also be pushed using Panorama templates.
To perform VM monitoring, you must have the IAM role Monitoring Metric
Log in to your deployed firewall.
Enable VM Monitoring.
VM Information Sources
a VM information source and enter the following information:
the instance that you want to monitor.
Select the Google Compute Engine Service Authentication Type.
If you choose VM-Series running in GCE, you are authenticating with the default service account generated when an instance is created. This is part of the instance metadata.
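To make concrete what authenticating as the default service account means, here is an added preflight check (example code written for this page, not PAN-OS code) that an operator can run on the firewall's instance or any other GCE instance to see which default service account the instance metadata exposes and whether it carries a given set of OAuth scopes. The metadata endpoints and the Metadata-Flavor header are GCE's documented interface; the list of scopes to require is an assumption you supply, because the page names the needed IAM role rather than OAuth scopes.

```python
# Added example (not PAN-OS code): preflight check for the "VM-Series running in
# GCE" authentication type. Reads the default service account that GCE attaches
# to the instance from the metadata server. The required scopes are an assumption
# supplied by the caller; the page names an IAM role, not OAuth scopes.
import urllib.request

METADATA_SA = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/"

def metadata_get(path, opener=urllib.request.urlopen):
    """Fetch one attribute of the instance's default service account from the metadata server."""
    # The metadata server rejects requests that lack the Metadata-Flavor header.
    req = urllib.request.Request(METADATA_SA + path, headers={"Metadata-Flavor": "Google"})
    with opener(req, timeout=3) as resp:
        return resp.read().decode()

def check_default_service_account(required_scopes, fetch=metadata_get):
    """Report the default service account's email and whether it carries every required scope.

    `fetch` takes a metadata sub-path ("email" or "scopes") and returns the body as text;
    it is injectable so the check can be exercised off-instance with canned responses.
    """
    email = fetch("email").strip()
    scopes = set(fetch("scopes").split())  # one scope per line in the metadata response
    missing = sorted(set(required_scopes) - scopes)
    return {"email": email, "scopes": sorted(scopes), "missing": missing, "ok": not missing}

if __name__ == "__main__":
    # On a GCE instance this queries the real metadata server; elsewhere it raises URLError.
    print(check_default_service_account(["https://www.googleapis.com/auth/cloud-platform"]))
```

If the check reports no service account, or `ok` is false for the scopes your deployment needs, the VM-Series running in GCE option will not be able to query the Compute Engine API, and the connection status in the next step will stay pending or disconnected.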
If you want to monitor from a firewall outside the current
a value between 5 and 600 seconds. By default the firewall polls every 5 seconds. The API calls are queued and retrieved every 60 seconds, so an update takes up to 60 seconds plus the configured polling interval.
To change the number of hours before the connection is closed, Enable timeout when the source is disconnected and enter the Timeout (in hours) before the connection to the monitored source is closed (range is 2 to 10; default is 2). If the firewall cannot access the host and the specified limit is reached, the firewall closes the connection to the source.
Verify the connection status.
If the connection status is pending or disconnected, verify that the source is operational and that the firewall is able to access the source. If you use a port other than the Management (MGT) port for communicating with the monitored source, then you must change the service route (select