Enable Google Stackdriver Monitoring on the VM Series Firewall
Monitor PAN-OS metrics from Google® Stackdriver. Understand what you can accomplish with your project’s default service account, compared to a user’s service account.
Google Stackdriver Permissions
Authentication requirements vary based on whether you can use the default service account to authenticate or need to use Google APIs to authenticate.
You can authenticate in two ways:
- Use the default service account for the VM-Series firewall instance—If you are using the Google Cloud Platform (GCP™) Console, then you logged in with your email address and can access the instance based on whatever permissions or roles the project administrator assigned to your account.
- Use IAM permissions and the Google APIs—If you use the Google SDK APIs and gcloud, then you must call the APIs to authenticate. You typically use the Google SDK when you want to manage the firewall from a command line or you want to run a script to configure the firewall.
Every Google Compute Engine instance created with the Google Cloud Console or the gcloud command line tool has a default service account with the name in email address format:
To see the service account name for the firewall instance, view the instance details and scroll to the bottom (refer to the Compute Engine default service account).
The default service account can manage authentication for monitoring VMs in the same project as a VM-Series firewall.
- You don’t need to access the Google APIs unless one of the monitored virtual machines has a custom image with applications that require Google APIs.
If you want to set up monitoring from a physical firewall or from a VM-Series firewall in a different project, you must use the Google APIs to authenticate. There are two prerequisites:
- Your account must have the roles Monitoring Metric Writer and Stackdriver Account Viewer.
Enable Google Stackdriver
For a description of the PAN-OS metrics that you can publish to Google Stackdriver, see Custom PAN-OS Metrics Published for Monitoring.
- Push PAN-OS metrics from a VM-Series firewall on a Google Compute Engine instance to Stackdriver.
  - Log in to the web interface on the VM-Series firewall.
  - Select Device > VM-Series. Under Google Cloud Stackdriver Monitoring Setup, click the Edit cog.
  - Check Publish PAN-OS metrics to Stackdriver.
  - Set the Update Interval (range is 1 - 60 minutes; default is 5). This is the frequency at which the firewall publishes the metrics to Stackdriver.
  - Commit your changes. Wait until the firewall starts to publish metrics to Stackdriver before you configure alarms for PAN-OS metrics.
- Verify that you can see the metrics on Stackdriver.
  - In the Google Cloud Console, select Products and Services > Monitoring.
  - In Stackdriver, choose Resources > Metrics Explorer.
  - In the Find resource type and metric section, enter custom in the search field to filter the PAN-OS metrics.