Enable Google Stackdriver Monitoring on the VM Series Firewall

Table of Contents

Use the VM-Series Firewall CLI to Swap the Management Interface

Enable VM Monitoring to Track VM Changes on Google Cloud Platform (GCP)

Enable Google Stackdriver Monitoring on the VM Series Firewall

Monitor PAN-OS metrics from Google® Stackdriver. Understand what you can accomplish with your project’s default service account, compared to a user’s service account.

Where Can I Use This?	What Do I Need?
Google Cloud Platform (GCP)	VM-Series License (PAYG or BYOL) VM-Series plugin Panorama Panorama plugin for GCP

A VM-Series firewall on a Google® Compute Engine instance can publish custom PAN-OS metrics to Google Stackdriver. These metrics allow you to assess performance and usage patterns so that you can manage your firewall resources accordingly.

Google Stackdriver Permissions

Authentication requirements vary based on whether you can use the default service account to authenticate or need to use Google APIs to authenticate.

You can authenticate in two ways:

Use the default service account for the VM-Series firewall instance—If you are using the Google Cloud Platform (GCP™) Console, then you logged in with your email address and can access the instance based on whatever permissions or roles the project administrator assigned to your account.
Use IAM permissions and the Google APIs—If you use the Google SDK APIs and gcloud, then you must call the APIs to authenticate. You typically use the Google SDK when you want to manage the firewall from a command line or you want to run a script to configure the firewall.

Every Google Compute Engine instance created with the Google Cloud Console or the gcloud command line tool has a default service account with the name in email address format:

<project-number>-compute@developer.gserviceaccount.com

To see the service account name for the firewall instance, view the instance details and scroll to the bottom (refer to the Compute Engine default service account).

The default service account can manage authentication for monitoring VMs in the same project as a VM-Series firewall.

Access scopes allow the firewall to initiate API calls to monitor VMs in a Google Cloud project.
You don’t need to access the Google APIs unless one of the monitored virtual machines has a custom image with applications that require Google APIs.

If you want to set up monitoring from a physical firewall or from a VM-Series firewall in a different project, you must use the Google APIs to authenticate. There are two prerequisites:

Google APIs must be installed.
Your account must have the roles Monitoring Metric Writer and Stackdriver Account Viewer.

Enable Google Stackdriver

For a description of the PAN-OS metrics that you can publish to Google Stackdriver, see Custom PAN-OS Metrics Published for Monitoring.

Push PAN-OS metrics from a VM-Series firewall on a Google Compute Engine instance to Stackdriver.
1. Log in to the web interface on the VM-Series firewall.
2. Select DeviceVM-Series. Under Google Cloud Stackdriver Monitoring Setup, click Edit (
  
  ).
  Check Publish PAN-OS metrics to Stackdriver.
  
  Set the Update Interval (range is 1 - 60 minutes; default is 5). This is the frequency at which the firewall publishes the metrics to Stackdriver.
  Click OK.
3. Commit your changes.
  Wait until the firewall starts to publish metrics to Stackdriver before you configure alarms for PAN-OS metrics.
Verify that you can see the metrics on Stackdriver.
1. In the Google Cloud Console, select Products and ServicesMonitoring.
2. In Stackdriver, choose ResourcesMetrics Explorer.
3. In the Find resource type and metric section, enter custom in the search field to filter the PAN-OS metrics.
Configure alerts and actions for PAN-OS metrics on Stackdriver. See Monitoring Quickstart for Google Compute Engine and Stackdriver Introduction to Alerting.