Configure VM Monitoring with the Panorama Plugin for GCP

Before you configure the Google Cloud Platform plugin for Panorama for VM Monitoring, complete GCP and Panorama preparation tasks.
Where Can I Use This?
  • Google Cloud Platform (GCP)
What Do I Need?
  • VM-Series License (PAYG or BYOL)
  • VM-Series plugin
  • Panorama
  • Panorama plugin for GCP
This topic describes the steps to configure VM Monitoring in the Panorama plugin for Google Cloud Platform (GCP).
After you tag your GCP assets and create service accounts, make your assets available to Panorama so you can set up VM monitoring.

Prepare Panorama to Configure VM Monitoring

Follow these steps to enable Panorama to manage and monitor your GCP assets. Any VM deployed in GCP can be a managed device in Panorama.
  1. In Panorama, add the VM-Series firewalls and other VMs associated with your GCP project as managed devices.
  2. Add a Device Group and assign managed devices to it. A Device Group is a group of firewalls or virtual systems that you want to manage as a group.
    A VM can be a member of only one Device Group. Plan your Device Groups carefully.
  3. Add a template. Name the template and accept the default VPC.
  4. Add a template stack. Add the stack, add the template you created, and select your devices.
  5. Commit the changes.

Set Up VM Monitoring

  1. If you have not done so, Install the Panorama Plugin for GCP.
  2. Log in to the Panorama web interface and select Panorama.
  3. Set up VM monitoring.
    1. Configure general settings.
      1. Select Panorama > Google Cloud Platform > Setup > General. To edit the settings, click the gear icon.
        • Check Enable Monitoring to permit VM monitoring on all projects for which you configure a service account.
        • Enter the Monitoring Interval in seconds. This is the length of time between tag retrieval events.
    2. Add a notify group. A notify group is a list of Device Groups to which Panorama pushes IP address-to-tag mappings and updates.
      A project can have only one notify group.
      1. Select Panorama > Google Cloud Platform > Setup > Notify Groups and click Add.
      2. Enter a Name to identify the group of firewalls to which Panorama pushes the VM information (IP address-to-tag mappings) it retrieves.
      3. Select the Device Groups to which Panorama will push the VM information (IP address-to-tag mappings) retrieved from your project. The VM-Series firewalls use the update to determine the current member list for Dynamic Address Groups referenced in Security policy.
        Plan your Device Groups carefully.
      4. Select predefined or custom tags.
        • Select All 8 Predefined Tags—Choose this option to select all predefined attributes (tags).
        • Custom Tags—Choose this option to create tag lists for predefined attributes, user-defined labels, and user-defined network tags.
        • Make sure to include all relevant Device Groups in a single notify group.
        • If you want to deregister the tags that Panorama has pushed to a firewall included in a notify group, you must delete the monitoring definition.
        • To register tags to all virtual systems on a firewall enabled for multiple virtual systems, you must add each virtual system to a separate Device Group on Panorama and assign those Device Groups to the notify group. If you assign all the virtual systems to one Device Group, Panorama registers tags to only one virtual system.
    3. Add GCP Service Account Credential.
      • Name the service account credential.
      • (Optional) Enter a description of the service account.
      • Browse to upload the JSON file generated when you created service accounts.
      In a Shared VPC setup, you must create service accounts for the host projects and grant them permissions on the service projects. You can use these service accounts in the GCP plugin, which lets you retrieve tags that belong to service projects attached to the host project.
      Use the Panorama web interface; you can't add a service account from the CLI.
      You can use a service account for only one credential. Don't create multiple credentials from a single JSON file.
    After you add the service account credential, you can validate the credential from your Panorama command line:
    request plugins gcp validate-service-account <svc-acct-credential-name>
  4. Create a Monitoring Definition.
    A monitoring definition consists of the service account credential for your project and a notify group. All the networking assets in your project are monitored, and the tags retrieved are pushed to the Device Groups you list in your monitoring definition. When you add a new monitoring definition, it is enabled by default.
    A project can have only one monitoring definition, and a monitoring definition can include only one notify group.
    1. Select Panorama > Google Cloud Platform > Monitoring Definition and click Add.
    2. Name the monitoring definition.
    3. Enter an optional Description for the project and assets you are monitoring.
    4. Select the Service Account credential you created in the previous step.
    5. Select a Notify Group.
    6. Enable monitoring for the elements associated with this service account.
  5. Commit the changes on Panorama.
    Verify that the status for the Monitoring Definition displays as Success. If it fails, verify that you entered the project ID accurately and provided the correct keys and IDs for the service.
  6. Verify that you can view the VM information on Panorama, and define the match criteria for Dynamic Address Groups.
    On HA failover, the secondary Panorama attempts to reconnect to Google Cloud Platform and retrieve tags for all monitoring definitions. If there is an error with reconnecting even one monitoring definition, Panorama generates a system log message:
    Unable to process subscriptions after HA switch-over; user-intervention required.
    If you see this error, fix the issue in Panorama. For example, remove an invalid subscription or provide valid credentials, and commit your changes to enable Panorama to reconnect and retrieve the tags for all monitoring definitions.
    Even when Panorama is disconnected from Google Cloud Platform, the firewalls have the list of all tags that had been retrieved before failover, and can continue to enforce policy on that list of IP addresses. When you delete a monitoring definition, Panorama removes all tags associated with registered VMs. As a best practice, configure action-oriented log forwarding to an HTTPS destination from Panorama so that you can take immediate action.
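The two checks a practitioner wants before committing are covered above: that the uploaded service-account JSON is a valid key for the project in the monitoring definition (the common cause of a failed Monitoring Definition status), and what IP address-to-tag mappings the firewalls will receive for their Dynamic Address Groups. The following is an added example that is not part of this page or the Panorama plugin; the key file and the instance list are constructed samples shaped like GCP's service-account key and compute.instances.list output, and the tag naming (zone=, label., networktag.) is an assumption for illustration, not the plugin's real tag format.

```python
import json

# Constructed sample: a service-account key file as GCP generates it (placeholder values).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "panorama-monitor@example-project.iam.gserviceaccount.com",
})

# Constructed sample shaped like a compute.instances.list response (not real assets).
SAMPLE_INSTANCES = {"items": [
    {"name": "web-1",
     "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a",
     "labels": {"env": "prod", "tier": "web"},
     "tags": {"items": ["http-server"]},
     "networkInterfaces": [{"networkIP": "10.0.1.5",
                            "accessConfigs": [{"natIP": "203.0.113.7"}]}]},
    {"name": "db-1",
     "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-b",
     "labels": {"env": "prod", "tier": "db"},
     "tags": {},
     "networkInterfaces": [{"networkIP": "10.0.2.9"}]},
]}

def check_service_account_key(raw, expected_project):
    """Return a list of problems with a key file; an empty list means it is safe to upload."""
    key = json.loads(raw)
    problems = [f"missing {f}" for f in ("type", "project_id", "private_key", "client_email")
                if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append("type is not service_account")
    if key.get("project_id") != expected_project:  # mismatch shows up as a failed definition
        problems.append(f"project_id {key.get('project_id')!r} != {expected_project!r}")
    return problems

def ip_to_tags(instances):
    """Map every instance IP (internal and NAT) to its tag set; tag names are assumed."""
    mapping = {}
    for inst in instances.get("items", []):
        tags = {"zone=" + inst["zone"].rsplit("/", 1)[-1]}
        tags |= {f"label.{k}={v}" for k, v in inst.get("labels", {}).items()}
        tags |= {f"networktag.{t}" for t in inst.get("tags", {}).get("items", [])}
        for nic in inst.get("networkInterfaces", []):
            mapping.setdefault(nic["networkIP"], set()).update(tags)
            for ac in nic.get("accessConfigs", []):
                if "natIP" in ac:
                    mapping.setdefault(ac["natIP"], set()).update(tags)
    return mapping

def dag_members(mapping, *required):
    """IPs carrying every required tag: a preview of Dynamic Address Group membership."""
    return sorted(ip for ip, tags in mapping.items() if set(required) <= tags)
```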