Network Security
Enable VM Monitoring to Track Changes on the Virtual Network
Table of Contents
Expand All
|
Collapse All
Network Security Docs
-
- Security Policy
-
- Security Profile Groups
- Security Profile: AI Security
- Security Profile: WildFire® Analysis
- Security Profile: Antivirus
- Security Profile: Vulnerability Protection
- Security Profile: Anti-Spyware
- Security Profile: DNS Security
- Security Profile: DoS Protection Profile
- Security Profile: File Blocking
- Security Profile: URL Filtering
- Security Profile: Data Filtering
- Security Profile: Zone Protection
-
- Policy Object: Address Groups
- Policy Object: Regions
- Policy Object: Traffic Objects
- Policy Object: Applications
- Policy Object: Application Groups
- Policy Object: Application Filter
- Policy Object: Services
- Policy Object: Auto-Tag Actions
- Policy Object: Devices
-
- Uses for External Dynamic Lists in Policy
- Formatting Guidelines for an External Dynamic List
- Built-in External Dynamic Lists
- Configure Your Environment to Access an External Dynamic List
- Configure your Environment to Access an External Dynamic List from the EDL Hosting Service
- Retrieve an External Dynamic List from the Web Server
- View External Dynamic List Entries
- Enforce Policy on an External Dynamic List
- Find External Dynamic Lists That Failed Authentication
- Disable Authentication for an External Dynamic List
- Policy Object: HIP Objects
- Policy Object: Schedules
- Policy Object: Quarantine Device Lists
- Policy Object: Dynamic User Groups
- Policy Object: Custom Objects
- Policy Object: Log Forwarding
- Policy Object: Authentication
- Policy Object: Decryption Profile
- Policy Object: Packet Broker Profile
-
-
-
- The Quantum Computing Threat
- How RFC 8784 Resists Quantum Computing Threats
- How RFC 9242 and RFC 9370 Resist Quantum Computing Threats
- Support for Post-Quantum Features
- Post-Quantum Migration Planning and Preparation
- Best Practices for Resisting Post-Quantum Attacks
- Learn More About Post-Quantum Security
-
-
-
- Investigate Reasons for Decryption Failure
- Identify Weak Protocols and Cipher Suites
- Troubleshoot Version Errors
- Troubleshoot Unsupported Cipher Suites
- Identify Untrusted CA Certificates
- Repair Incomplete Certificate Chains
- Troubleshoot Pinned Certificates
- Troubleshoot Expired Certificates
- Troubleshoot Revoked Certificates
Enable VM Monitoring to Track Changes on the Virtual Network
Where Can I Use This? | What Do I Need? |
---|---|
|
VM information sources provides an automated way to gather information on the Virtual Machine
(VM) inventory on each monitored source (host); the firewall can monitor the VMware
ESXi, vCenter Server, AWS-VPC, Microsoft Azure VNet, and Google Cloud. As virtual
machines (guests) are deployed or moved, the firewall collects a predefined set of
attributes (or metadata elements) as tags; these tags can then be used to define
Dynamic Address Groups (see Use Dynamic Address Groups in
Policy) and matched against in policy.
You can directly configure the firewall or use Panorama
templates to monitor up to 10 VM information sources. VM
Information Sources offers easy configuration and enables
you to monitor a predefined set of 16 metadata elements or attributes.
See Attributes
Monitored on Virtual Machines in Cloud Platforms for the
list. By default, the traffic between the firewall and the monitored
sources uses the management (MGT) port on the firewall.
- When monitoring ESXi hosts that are part of the VM-Series NSX edition solution, use Dynamic Address Groups instead of using VM Information Sources to learn about changes in the virtual environment. For the VM-Series NSX edition solution, the NSX Manager provides Panorama with information on the NSX security group to which an IP address belongs. The information from the NSX Manager provides the full context for defining the match criteria in a Dynamic Address Group because it uses the service profile ID as a distinguishing attribute and allows you to properly enforce policy when you have overlapping IP addresses across different NSX security groups. Up to a maximum of 32 tags (from vCenter server and NSX Manager) that can be registered to an IP address.
- For monitoring the virtual machines within your Azure deployment, instead of VM Monitoring Sources, you need to deploy the VM Monitoring script that runs on a virtual machine within the Azure public cloud. This script collects the IP address-to-tag mapping information for your Azure assets and publishes it to the firewalls and corresponding virtual systems you specify in the script.
- For Panorama version 8.1.3 and later, you can also use the Panorama plugin for AWS or Azure to retrieve VM Information and register it to the managed firewalls. See Attributes Monitored on Virtual Machines in Cloud Platformsfor details.
- Enable VM Monitoring.You can configure up to 10 VM information sources for each firewall, or for each virtual system on a multiple virtual systems capable firewall.If your firewalls are configured in a high availability configuration:
- In an active/passive setup, only the active firewall monitors the VM sources.
- In an active/active setup, only the firewall with the priority value of primary monitors the VM sources.
- Select DeviceVM Information Sources. This example shows you how to add VMware ESX(i) or vCenter Server.
- Click Add and enter the following information:
- A Name to identify the source that you want to monitor.
- Select the Type to indicate whether the source is an AWS VPC, a Google Compute Engine instance, a VMware ESX(i) server, or a VMware vCenter Server.The type chosen determines the fields displayed.
- Enter the Port on which the source is listening.
- To change the default value, select the check box to Enable timeout when the source is disconnected and specify the value. When the specified limit is reached or if the host cannot be accessed or does not respond, the firewall will close the connection to the source.
- Add the credentials (Username and Password) to authenticate to the server specified above.
- Define the Source—hostname or IP address.
- (Optional) Modify the Update interval to a value between 5-600 seconds. By default, the firewall polls every 5 seconds. The API calls are queued and retrieved within every 60 seconds, so updates may take up to 60 seconds plus the configured polling interval.
- Click OK, and Commit the changes.
- Verify that the connection Status displays as connected.
- Verify the connection status.Verify that the connection Status displays as connected.If the connection status is pending or disconnected, verify that the source is operational and that the firewall is able to access the source. If you use a port other than the MGT port for communicating with the monitored source, you must change the service route (DeviceSetupServices, click the Service Route Configuration link and modify the Source Interface for the VM Monitor service).