Attributes Monitored Using the Panorama Plugin on Azure

Proactively monitor the Virtual Machines (VMs) deployed on the Microsoft® Azure® public cloud.
When you use the Panorama plugin for Azure, Panorama gathers the following set of metadata elements, or attributes, on the virtual machines in your Microsoft® Azure® deployment. Panorama can retrieve a total of 32 tags for each VM: 11 predefined tags and up to 21 user-defined tags.
A tag can be at most 127 characters long. If a tag is longer than 127 characters, Panorama does not retrieve the tag or register it on the firewalls. Tags also should not include non-ASCII special characters such as { or ".
A maximum of 21 user-defined tags is supported. The user-defined tags are sorted alphabetically, and the first 21 tags are available for use on Panorama and the firewalls.
Panorama plugin on Azure version 3.0 or later supports the following tags:
  • Load Balancer
    Load balancer tags for each application gateway and standard load balancer (both public and private IP addresses). Each load balancer has predefined tags for resource group, load balancer name and region, and supports up to 21 user-defined tags specific to load balancing.
  • Subnet/VNET
    Subnet/VNET tags for each Subnet and VNET in your subscription. Each subnet and VNET tag is associated with the full IP CIDR range so you can create policies based on a CIDR range rather than individual IP addresses. The plugin queries every subnet and VNET in your subscription and creates tags for them.
The following attributes are monitored in all Panorama plugin for Azure versions:
| Attributes Monitored on the Azure VPC | Example |
|---|---|
| VM Name | azure.vm-name |
| OS Type | azure.os-type |
| OS Publisher | azure.os-publisher |
| OS Offer | azure.os-offer |
| OS SKU | azure.os-sku |
| Azure Region | azure.region |
| Resource Group Name | azure.resource-group |
| Network Security Group Name | azure.nsg-name |
| Subscription ID | azure.sub-id |
| Load Balancer | azure.slb |
| App Gateway | azure.appgw |
| Virtual Network Name | azure.vnet-name |
| Subnet Name | azure.subnet-name |
| Service Tag | azure.svg-tag |
| User Defined Tags | azure.tag.key.value |
Service Tag Monitoring
Panorama plugin on Azure version 3.0 supports service tags. For example, azure.svg-tag.
Azure Service tags simplify security for Azure virtual machines and Azure virtual networks because you can restrict network access to just the Azure services you want to use. A service tag represents a group of IP address prefixes for a particular Azure service. For example, a tag can represent all storage IP addresses.
The plugin makes a daily API call (at 5:00 am UTC) to retrieve all service tags from the Azure Portal, parses the payload to form IP-Service mappings, and stores the mappings in the plugin database. The mappings are passed to configd, then on to Panorama. If the API call fails to return service information, the plugin forms the IP-Service mappings from the contents of service_tags_public.json. Plugin logs report the origin of the IP-Service mappings: either the daily retrieval or the JSON file.
The plugin also updates service tags for a new installation of the plugin, commit events, and monitoring definition addition or deletion.
A sample IP-Service mapping is shown below:
Service Name: AppServiceManagement
azure.svc-tag.<service-name>
Example:
    azure.svc-tag.AppServiceManagement.WestUS2
Public IP CIDRs:
    13.166.40.0/26
    54.179.89.0/18
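
To see which CIDRs a service tag covers before referencing it in policy, the following added example (not the plugin's own code) builds IP-Service mappings from a payload and falls back to a bundled file when retrieval fails, as described above. It assumes the payload follows the layout of Microsoft's public Service Tags JSON (`values[].name`, `properties.addressPrefixes`) and that the 127-character tag limit also applies to service tags; the `fetch` callable and the sample prefixes are constructed for illustration.

```python
import ipaddress
import json

TAG_PREFIX = "azure.svc-tag."  # prefix shown in the page's sample mapping
MAX_TAG_LEN = 127              # tag length limit stated on the page

# Constructed sample; layout assumed to match Microsoft's Service Tags JSON.
SAMPLE_PAYLOAD = json.dumps({"values": [
    {"name": "AppServiceManagement.WestUS2",
     "properties": {"addressPrefixes": ["203.0.113.0/26", "2001:db8:1::/48"]}},
    {"name": "Storage.WestUS2",
     "properties": {"addressPrefixes": ["198.51.100.0/24", "not-a-cidr"]}},
    {"name": "X" * 200,
     "properties": {"addressPrefixes": ["192.0.2.0/24"]}},
]})


def build_mappings(payload):
    """Parse a service-tag payload into ({tag: [networks]}, [(tag, reason)])."""
    mappings, skipped = {}, []
    for entry in json.loads(payload).get("values", []):
        tag = TAG_PREFIX + entry.get("name", "")
        if len(tag) > MAX_TAG_LEN or not tag.isascii():
            skipped.append((tag, "tag too long or non-ASCII"))
            continue
        nets = []
        for prefix in entry.get("properties", {}).get("addressPrefixes", []):
            try:
                # strict=False accepts host bits and normalizes the network
                nets.append(ipaddress.ip_network(prefix, strict=False))
            except ValueError:
                skipped.append((tag, f"bad prefix: {prefix}"))
        if nets:
            mappings[tag] = nets
    return mappings, skipped


def load_mappings(fetch, bundled_payload):
    """Try the retrieval callable (hypothetical); fall back to the bundled file."""
    try:
        return build_mappings(fetch()), "daily retrieval"
    except Exception:
        return build_mappings(bundled_payload), "service_tags_public.json"


def tags_for_ip(mappings, ip):
    """List the tags whose CIDRs contain ip, e.g. to audit a policy match."""
    addr = ipaddress.ip_address(ip)
    return sorted(t for t, nets in mappings.items()
                  if any(addr in n for n in nets))
```

The second element returned by `load_mappings` mirrors the origin that the plugin logs report, so a stale fallback is visible when auditing which prefixes a policy actually matches.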