Monitoring on Azure
Monitor the resources within your Microsoft® Azure® subscription.
Where Can I Use This?
  • Microsoft Azure
  • Microsoft Azure Stack
  • Azure® Marketplace
  • Azure China Marketplace
  • Azure Government Marketplace
What Do I Need?
  • VM-Series License (PAYG or BYOL)
  • VM-Series plugin
  • Panorama
  • Panorama plugin for Azure
Monitoring on Microsoft® Azure® enables you to update Security policy rules dynamically so that policy is enforced consistently across all assets deployed within your Azure subscription. To enable this capability, install the Panorama plugin for Azure and enable API communication between Panorama and your Azure subscriptions. Panorama then collects the IP address-to-tag mapping for your Azure assets and distributes that resource information to your Palo Alto Networks firewalls.
As you deploy or terminate virtual machines in the Azure public cloud, the Panorama plugin for Azure lets you enforce Security policy rules on those workloads consistently, without editing rules by hand each time an IP address changes.
The Panorama plugin for Azure is built for scale and allows you to monitor up to 100 Azure subscriptions on the Azure public cloud. With this plugin, Panorama is the single point that polls your subscriptions for tags and then distributes the metadata (IP address-to-tag mapping) to the firewalls in a device group. Because only Panorama communicates with your Azure subscriptions to retrieve resource information, the firewalls themselves do not need to query Azure, which reduces the number of API calls made to the cloud environment. Although you can define Security policy locally on each firewall, using Panorama and the plugin centralizes Security policy management and keeps policies consistent across hybrid and cloud-native architectures.
See the Panorama plugin version information in the Compatibility Matrix.

Attributes Monitored Using the Panorama Plugin on Azure

When you use the Panorama plugin for Azure, Panorama gathers the following metadata elements (attributes) for the virtual machines in your Microsoft® Azure® deployment. Panorama can retrieve up to 32 tags for each VM: 11 predefined tags and up to 21 user-defined tags.
A tag can be at most 127 characters long. If a tag is longer than 127 characters, Panorama does not retrieve it and does not register it on the firewalls. Tags must also not contain special characters such as { or ".
Up to 21 user-defined tags are supported. The user-defined tags are sorted alphabetically, and only the first 21 are available for use on Panorama and the firewalls; any user-defined tags beyond the first 21 are silently not registered, so check which tags survive the cutoff before writing policy that depends on them.
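The three limits above (127-character maximum, disallowed characters, and the alphabetical cutoff at 21 user-defined tags) decide which of a VM's tags a firewall will ever see. The following is an added example, not code from the Panorama plugin, that models those rules so you can audit a VM's tag set before relying on it in policy. It assumes the registered tag string has the form azure.tag.<key>.<value>, that the 127-character limit applies to that full string, that the sort is by tag key, and that invalid tags are dropped before the 21-tag cutoff is counted; none of those details are stated on the page, and the character list FORBIDDEN_CHARS is only the examples the page gives.

```python
"""Model of the user-defined tag limits applied by the Panorama plugin for Azure.

Added example; the rules are taken from the documentation, the exact
ordering of the checks (validity before cutoff) is an assumption.
"""
from typing import Dict, List, Tuple

MAX_TAG_LEN = 127        # per the documentation
MAX_USER_TAGS = 21       # per the documentation
FORBIDDEN_CHARS = set('{"')  # only the examples the page lists; assumed not exhaustive


def build_user_tags(azure_tags: Dict[str, str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (registered_tags, decisions).

    registered_tags: azure.tag.<key>.<value> strings that would reach the firewalls.
    decisions:       every candidate tag with the reason it was kept or dropped,
                     so an operator can see which tags a policy can rely on.
    """
    registered: List[str] = []
    decisions: List[Tuple[str, str]] = []
    # Assumption: alphabetical order means sorting by the tag key.
    for key, value in sorted(azure_tags.items()):
        tag = f"azure.tag.{key}.{value}"
        if len(tag) > MAX_TAG_LEN:
            decisions.append((tag, "dropped: longer than 127 characters"))
        elif FORBIDDEN_CHARS & set(tag):
            decisions.append((tag, "dropped: contains a disallowed character"))
        elif len(registered) >= MAX_USER_TAGS:
            decisions.append((tag, "dropped: beyond the first 21 user-defined tags"))
        else:
            registered.append(tag)
            decisions.append((tag, "registered"))
    return registered, decisions


# Constructed sample: 22 valid "team" tags plus three that exercise each rule.
SAMPLE_VM_TAGS: Dict[str, str] = {f"team{i:02d}": "blue" for i in range(22)}
SAMPLE_VM_TAGS["app"] = "web"            # sorts first, is registered
SAMPLE_VM_TAGS["bad"] = 'has"quote'      # dropped: contains "
SAMPLE_VM_TAGS["long"] = "x" * 130       # dropped: over 127 characters


def dropped_tags(azure_tags: Dict[str, str]) -> List[str]:
    """Convenience view: only the candidate tags that would not be registered."""
    _, decisions = build_user_tags(azure_tags)
    return [tag for tag, status in decisions if status != "registered"]


if __name__ == "__main__":
    kept, why = build_user_tags(SAMPLE_VM_TAGS)
    for tag, status in why:
        print(f"{status:50s} {tag[:60]}")
    print(f"{len(kept)} of {len(SAMPLE_VM_TAGS)} user-defined tags registered")
```

Run it against a real VM's tag dictionary (as returned by the Azure SDK or `az vm show --query tags`) to see which tags fall past the cutoff; a tag that matters for policy should sort early enough to survive it.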
The Panorama plugin on Azure version 3.0 or later supports the following tags:
  • Load Balancer
    Load balancer tags for each application gateway and standard load balancer (both public and private IP addresses). Each load balancer has predefined tags for resource group, load balancer name and region, and supports up to 21 user-defined tags specific to load balancing.
  • Subnet/VNET
    Subnet/VNET tags for each subnet and VNET in your subscription. Each subnet and VNET tag is associated with the full IP CIDR range so you can create policies based on a CIDR range rather than individual IP addresses. The plugin queries every subnet and VNET in your subscription and creates tags for them.
The following attributes are monitored in all Panorama plugin for Azure versions:
Attribute Monitored on Azure        Example Tag
VM Name                             azure.vm-name
OS Type                             azure.os-type
OS Publisher                        azure.os-publisher
OS Offer                            azure.os-offer
OS SKU                              azure.os-sku
Azure Region                        azure.region
Resource Group Name                 azure.resource-group
Network Security Group Name         azure.nsg-name
Subscription ID                     azure.sub-id
Load Balancer                       azure.slb
App Gateway                         azure.appgw
Virtual Network Name                azure.vnet-name
Subnet Name                         azure.subnet-name
Service Tag                         azure.svc-tag
User Defined Tags                   azure.tag.<key>.<value>
Service Tag Monitoring
The Panorama plugin for Azure version 3.0 and later supports service tags, which are registered with the prefix azure.svc-tag.
Azure service tags simplify security for Azure virtual machines and virtual networks because you can restrict network access to just the Azure services you want to use. A service tag represents a group of IP address prefixes for a particular Azure service. For example, one tag can represent all Azure Storage IP addresses.
The plugin makes a daily API call (at 5:00 am UTC) to retrieve the current service tags from Azure, parses the payload into IP-Service mappings, and stores the mappings in the plugin database. The mappings are passed to configd and then on to Panorama. If the API call fails to return service information, the plugin builds the IP-Service mappings from the contents of the local service_tags_public.json file instead. The plugin logs report the origin of the mappings, either the daily retrieval or the JSON file; check them after an API failure, because mappings built from the file can lag behind the prefixes Azure currently publishes.
The plugin also refreshes service tags on a new installation of the plugin, on commit events, and when a monitoring definition is added or deleted.
A sample IP-Service mapping is shown below:
Service Name:
    AppServiceManagement
Tag format:
    azure.svc-tag.<service-name>
Example:
    azure.svc-tag.AppServiceManagement.WestUS2
Public IP CIDRs:
    13.166.40.0/26
    54.179.89.0/18
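To make the retrieval-and-fallback flow concrete, here is an added example, not the plugin's own code, that turns an Azure service tag payload into azure.svc-tag.<service-name> mappings and records whether they came from the live fetch or the local JSON file. It assumes the payload has the layout of Azure's published service tag JSON (a "values" array whose entries carry "name" and "properties.addressPrefixes"); the embedded SAMPLE_PAYLOAD is constructed for the example, with the 13.166.40.0/26 prefix taken from the page and the others made up, including one prefix with host bits set and one malformed string so the parser's handling of bad input is visible. The function names (payload_to_mappings, load_service_tags, demo) are the example's own.

```python
"""Service tag payload -> azure.svc-tag.<name> mappings, with file fallback.

Added example modelled on the behaviour described in the documentation;
not the Panorama plugin's implementation.
"""
import ipaddress
import json
import logging
import os
import tempfile
from typing import Callable, Dict, List, Tuple

log = logging.getLogger("svc-tag-example")

# Constructed excerpt in the layout of Azure's service tag JSON. Only
# 13.166.40.0/26 comes from the page; the rest is illustrative.
SAMPLE_PAYLOAD = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {"name": "AppServiceManagement.WestUS2",
         "properties": {"systemService": "AppServiceManagement",
                        "region": "westus2",
                        "addressPrefixes": ["13.166.40.0/26",
                                            "10.1.2.3/24",          # host bits set
                                            "2603:1030:c06::/48"]}},
        {"name": "Storage",
         "properties": {"systemService": "Storage",
                        "region": "",
                        "addressPrefixes": ["20.38.96.0/23",
                                            "not-a-prefix"]}},     # malformed
    ],
})


def payload_to_mappings(payload: str) -> Dict[str, List[str]]:
    """Parse a service tag payload into {azure.svc-tag.<name>: [normalised CIDRs]}.

    Malformed prefixes are logged and skipped rather than aborting the whole
    refresh; prefixes with host bits set are normalised to their network address.
    """
    data = json.loads(payload)
    mappings: Dict[str, List[str]] = {}
    for entry in data.get("values", []):
        tag = f"azure.svc-tag.{entry['name']}"
        cidrs: List[str] = []
        for prefix in entry.get("properties", {}).get("addressPrefixes", []):
            try:
                net = ipaddress.ip_network(prefix, strict=False)
            except ValueError:
                log.warning("%s: skipping unparsable prefix %r", tag, prefix)
                continue
            cidrs.append(str(net))
        mappings[tag] = cidrs
    return mappings


def load_service_tags(fetch: Callable[[], str], fallback_path: str
                      ) -> Tuple[Dict[str, List[str]], str]:
    """Try the live fetch first; on failure read the local JSON file.

    Returns (mappings, origin) where origin is "api" or "file:<path>", mirroring
    the origin that the plugin writes to its logs.
    """
    try:
        payload = fetch()
        origin = "api"
    except Exception as exc:  # any transport or HTTP failure
        log.warning("service tag retrieval failed (%s); using %s", exc, fallback_path)
        with open(fallback_path, encoding="utf-8") as fh:
            payload = fh.read()
        origin = f"file:{fallback_path}"
    return payload_to_mappings(payload), origin


def demo() -> Tuple[str, str]:
    """Exercise both paths: a healthy fetch and a failed fetch that falls back."""
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False,
                                     encoding="utf-8") as fh:
        fh.write(SAMPLE_PAYLOAD)          # stands in for service_tags_public.json
        fallback = fh.name
    try:
        _, origin_ok = load_service_tags(lambda: SAMPLE_PAYLOAD, fallback)

        def failing_fetch() -> str:
            raise ConnectionError("simulated API outage")

        _, origin_fb = load_service_tags(failing_fetch, fallback)
    finally:
        os.unlink(fallback)
    return origin_ok, origin_fb


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for tag, cidrs in payload_to_mappings(SAMPLE_PAYLOAD).items():
        print(tag, cidrs)
    print(demo())
```

In an operational check, compare the origin value against the plugin logs after 5:00 am UTC: a mapping that keeps coming from the file rather than the API means the firewalls are enforcing on prefixes that may no longer match what Azure publishes.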