| Where Can I Use This? | What Do I Need? |
| --- | --- |
| NGFW (PAN-OS & Panorama Managed); Prisma Access (Managed by Panorama) | Check for any license or role requirements for the products you're using. |
VM Information Sources provides an automated way to gather information on the Virtual Machine (VM) inventory on each monitored source (host); the firewall can monitor VMware ESXi, vCenter Server, AWS-VPC, Microsoft Azure VNet, and Google Cloud. As virtual machines (guests) are deployed or moved, the firewall collects a predefined set of attributes (or metadata elements) as tags; you can then use these tags to define Dynamic Address Groups (see Use Dynamic Address Groups in Policy) and match against them in policy.
You can directly configure the firewall or use Panorama templates to monitor up to 10 VM information sources.
VM Information Sources offers easy configuration and enables you to monitor a predefined set of 16 metadata elements or attributes. See Attributes Monitored on Virtual Machines in Cloud Platforms for the list. By default, the traffic between the firewall and the monitored sources uses the management (MGT) port on the firewall.
When monitoring ESXi hosts that are part of the VM-Series NSX edition solution, use Dynamic Address Groups instead of using VM Information Sources to learn about changes in the virtual environment. For the VM-Series NSX edition solution, the NSX Manager provides Panorama with information on the NSX security group to which an IP address belongs. The information from the NSX Manager provides the full context for defining the match criteria in a Dynamic Address Group because it uses the service profile ID as a distinguishing attribute and allows you to properly enforce policy when you have overlapping IP addresses across different NSX security groups. A maximum of 32 tags (from vCenter server and NSX Manager) can be registered to an IP address.
For monitoring the virtual machines within your Azure deployment, instead of VM Monitoring Sources, you need to deploy the VM Monitoring script that runs on a virtual machine within the Azure public cloud. This script collects the IP address-to-tag mapping information for your Azure assets and publishes it to the firewalls and corresponding virtual systems you specify in the script.
- For Panorama version 8.1.3 and later, you can also use the Panorama plugin for AWS or Azure to retrieve VM Information and register it to the managed firewalls. See Attributes Monitored on Virtual Machines in Cloud Platforms for details.