Enable VM Monitoring to Track VM Changes on Google Cloud
You can enable any firewall that runs PAN-OS 9.0 (virtual or physical) to monitor application workloads deployed on Google Compute Engine instances. VM Monitoring lets the firewall collect a predefined set of metadata elements (attributes) from each monitored instance. For the list of attributes, see Attributes Monitored on Virtual Machines in Cloud Platforms in the PAN-OS 9.0 Administrator’s Guide.
With an awareness of virtual machine adds, moves, and deletes within a Google VPC, you can create Security policy rules that automatically adapt to changes in your application environment. As you deploy or move virtual machines, the firewall collects attributes (or metadata elements). You can use this metadata for policy matching and to define Dynamic Address Groups (see Use Dynamic Address Groups to Secure Instances Within the VPC).
You can configure up to ten VM information sources on each firewall or on each virtual system on a firewall capable of multiple virtual systems. Information sources can also be pushed using Panorama templates.
To perform VM monitoring, the service account the firewall authenticates with (for a VM-Series firewall running in GCE, the instance's default service account) must hold the IAM role Monitoring Metric Writer.
- Log in to your deployed firewall.
- Enable VM Monitoring.
- Select Device > VM Information Sources.
- Add a VM information source and enter the following information:
  - Specify a Name to identify the instance that you want to monitor.
  - Select the Google Compute Engine Type.
  - Choose the Service Authentication Type. If you choose VM-Series running in GCE, the firewall authenticates with the default service account generated when the instance is created; the account is part of the instance metadata.
  - (Optional) Modify the Update interval to a value between 5 and 600 seconds. By default the firewall polls every 5 seconds. Because the API calls are queued and retrieved every 60 seconds, an update can take up to 60 seconds plus the configured polling interval to reach the firewall.
  - (Optional) To change the number of hours before timeout, check Enable timeout when the source is disconnected and enter the Timeout (hours) before the connection to the monitored source is closed (range is 2 to 10; default is 2). If the firewall cannot reach the source for the specified number of hours, it closes the connection to that source.
  - Click OK and Commit your changes.
- Verify the connection status shown for the source. If the status is pending or disconnected, verify that the source is operational and that the firewall can reach it. If you use a port other than the Management (MGT) port to communicate with the monitored source, you must change the service route: select Device > Setup > Services > Service Route Configuration and modify the Source Interface for the VM Monitor service.
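The following is an added illustration, not PAN-OS or Palo Alto Networks code, of what the firewall does with the attributes it collects from a source like the one configured above: it flattens Compute Engine instance records into match criteria, evaluates a Dynamic Address Group filter against them, and classifies the adds, moves and deletes seen between two polls. The instance records are constructed inline and mirror real Compute Engine instance resource fields (name, zone, networkInterfaces[].networkIP, labels, tags.items); the attribute names of the form google.label.<key>.<value>, google.tag.<tag>, google.zone.<zone> and google.network.<network> are assumed for the example and are not the firewall's documented attribute names.

```python
"""Added example (not PAN-OS code): Dynamic Address Group matching over
Compute Engine instance attributes and change detection between two polls.

Assumptions: attribute names google.label.<k>.<v>, google.tag.<t>,
google.zone.<z>, google.network.<n> are hypothetical. Instance records
below are constructed test data shaped like GCE instance resources.
"""
from __future__ import annotations

import re

# One token per call: '(' , ')' , a single-quoted attribute, or and/or/not.
_TOKEN = re.compile(r"\s*(?:\(|\)|'[^']*'|(?:and|or|not)\b)")


def instance_attributes(inst: dict) -> set[str]:
    """Flatten one instance resource into the attribute strings a VM
    information source would expose for policy matching (names assumed)."""
    zone = inst["zone"].rsplit("/", 1)[-1]
    nic = inst["networkInterfaces"][0]
    network = nic["network"].rsplit("/", 1)[-1]
    attrs = {f"google.zone.{zone}", f"google.network.{network}"}
    attrs |= {f"google.label.{k}.{v}" for k, v in inst.get("labels", {}).items()}
    attrs |= {f"google.tag.{t}" for t in inst.get("tags", {}).get("items", [])}
    return attrs


def primary_ip(inst: dict) -> str:
    """Internal IP of the first network interface."""
    return inst["networkInterfaces"][0]["networkIP"]


def _tokenize(expr: str) -> list[str]:
    pos, tokens = 0, []
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad filter near {expr[pos:]!r}")
        tokens.append(m.group(0).strip())
        pos = m.end()
    return tokens


def evaluate_filter(expr: str, attrs: set[str]) -> bool:
    """Evaluate a match-criteria string such as
    'google.label.env.prod' and ('google.tag.web' or not 'google.zone.x')
    against one instance's attribute set. Recursive descent, no eval()."""
    tokens, pos = _tokenize(expr.strip()), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = peek()
        pos += 1
        return tok

    def parse_or():
        value = parse_and()
        while peek() == "or":
            take()
            rhs = parse_and()          # always parse, never short-circuit
            value = value or rhs
        return value

    def parse_and():
        value = parse_not()
        while peek() == "and":
            take()
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        if peek() == "not":
            take()
            return not parse_not()
        return parse_atom()

    def parse_atom():
        tok = take()
        if tok is None:
            raise ValueError("unexpected end of filter")
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok.startswith("'"):
            return tok[1:-1] in attrs
        raise ValueError(f"unexpected token {tok!r}")

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in filter")
    return result


def dag_members(filter_expr: str, instances: list[dict]) -> dict[str, str]:
    """{instance name: IP} for every instance matching the DAG criteria."""
    return {i["name"]: primary_ip(i) for i in instances
            if evaluate_filter(filter_expr, instance_attributes(i))}


def poll_diff(previous: list[dict], current: list[dict]) -> dict[str, list[str]]:
    """Classify changes between two polls. 'moved' means the same instance
    name now has a different IP or a different attribute set."""
    prev = {i["name"]: i for i in previous}
    cur = {i["name"]: i for i in current}
    moved = [n for n in sorted(prev.keys() & cur.keys())
             if primary_ip(prev[n]) != primary_ip(cur[n])
             or instance_attributes(prev[n]) != instance_attributes(cur[n])]
    return {"added": sorted(cur.keys() - prev.keys()),
            "deleted": sorted(prev.keys() - cur.keys()),
            "moved": moved}


def _inst(name, zone, ip, network="default", labels=None, tags=()):
    """Build a constructed instance record shaped like a GCE instance resource."""
    return {"name": name,
            "zone": f"projects/example-proj/zones/{zone}",
            "networkInterfaces": [{"network": f"projects/example-proj/global/networks/{network}",
                                   "networkIP": ip}],
            "labels": labels or {},
            "tags": {"items": list(tags)}}


# Constructed snapshots of two successive polls (sample data, not real).
POLL_T0 = [
    _inst("web-1", "us-central1-a", "10.0.1.10", labels={"env": "prod", "tier": "web"}, tags=("http-server",)),
    _inst("web-2", "us-central1-b", "10.0.1.11", labels={"env": "prod", "tier": "web"}, tags=("http-server",)),
    _inst("db-1", "us-central1-a", "10.0.2.10", labels={"env": "prod", "tier": "db"}),
    _inst("web-stage", "us-central1-a", "10.0.3.10", labels={"env": "stage", "tier": "web"}, tags=("http-server",)),
]
POLL_T1 = [
    _inst("web-1", "us-central1-a", "10.0.1.10", labels={"env": "prod", "tier": "web"}, tags=("http-server",)),
    _inst("web-2", "us-central1-b", "10.0.1.12", labels={"env": "prod", "tier": "web"}, tags=("http-server",)),  # recreated, new IP
    _inst("db-1", "us-central1-a", "10.0.2.10", labels={"env": "prod", "tier": "db"}),
    _inst("web-3", "us-central1-c", "10.0.1.13", labels={"env": "prod", "tier": "web"}, tags=("http-server",)),  # new
]

PROD_WEB = "'google.label.env.prod' and ('google.label.tier.web' or 'google.tag.http-server')"

if __name__ == "__main__":
    print(dag_members(PROD_WEB, POLL_T0))
    print(dag_members(PROD_WEB, POLL_T1))
    print(poll_diff(POLL_T0, POLL_T1))
```

The point of the diff step is the latency caveat from the procedure: a member that appears in the second poll but not the first is unknown to policy until the queued API result arrives, so plan for up to 60 seconds plus the polling interval before a new instance is covered by a rule that references the Dynamic Address Group.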