: Enable Azure Application Insights on the VM-Series Firewall
Focus
Focus

Enable Azure Application Insights on the VM-Series Firewall

Table of Contents

Enable Azure Application Insights on the VM-Series Firewall

Publish firewall performance metrics to Application Insights.
The VM-Series firewall on Azure can publish custom PAN-OS metrics natively to Azure Application Insights that you can use to monitor the firewalls directly from the Azure portal. These metrics allow you to assess performance and usage patterns that you can use to set alarms and take action to automate events such as launching or terminating instances of the VM-Series firewalls. See Custom PAN-OS Metrics Published for Monitoring for a description on the metrics that are available.
  1. On the Azure portal, create your Application Insights instance to monitor the firewall and copy the Instrumentation Key from ConfigureProperties.
    The firewall needs this key to authenticate to the Application Insights instance and publish metrics to it. See VM-Series on Azure Service Principal Permissions for the permissions required.
  2. Enable the firewall to publish metrics to your Application Insights instance.
    1. Log in to the VM-Series firewall on Azure.
    2. Select DeviceVM-SeriesAzure.
    3. Edit Azure Application Insights and enter the Instrumentation Key you copied earlier.
      The default interval for publishing metrics is five minutes. You can change this to vary from 1-60 minutes.
    4. Commit your changes.
      The firewall generates a system log to it record the success or failure to authenticate to Azure Application Insights.
  3. Verify that you can view the metrics on the Azure Application Insights dashboard.
    1. On the Azure portal, select the Application Insights instance, and select MonitoringMetrics to view the PAN-OS custom metrics.
    2. Select the metric(s) that you want to monitor for trends and trigger alerts. Refer to the Microsoft Azure documentation for details on exploring metrics on Application Insights.

Deploying Application Insights Using Workspace

Beginning with Azure plugin 4.2.0, Azure recommends deploying Application Insights using Workspaces and plans to end support for Classic Application Insights from February 2024. It is not mandatory to migrate Application Insights to workspace while upgrading to Azure plugin 4.2.0. However, it is recommended, as you will have to migrate Application Insights before Feb 2024.
Considerations before upgrading to Azure plugin 4.2.0:
  • It is recommended that you migrate Application Insights before upgrading to Azure plugin 4.2.0.
  • If you do not wish to migrate now, but want to upgrade the Azure plugin, then:
    • You may retain the existing deployment and create a new deployment to bring up workspace Application Insights. You can also leverage the new deployment for auto-scaling solutions.
    • You may undeploy the existing deployment and deploy it again which would then create the workspace Application Insights.
    • You may redeploy an existing deployment, which will bring up the workspace Application Insights.
Deploying Application Insights using workspaces requires you to create a Resource group and associate the workspace with it. It is advised to name your workspace as <resource_group_name>-workspaces. If you deploy both hub and inbound stack, then you will need to create two Application Insights, and both of them need to be associated with the same workspace.

Migrate Application Insights Manually

To manually migrate your existing Application Insights, you will need to check if your current Application Insights is classic or workspace. To verify the deployment method of Application Insights:
Navigate to Azure Portal → Resource Group → Application Insights → Properties. If the Application Insight is classic, the workspace field value will appear empty, and the Migrate to Workspace-based link will be available.
To migrate the Application Insights, search log analytics workspace on Azure Portal and click Create to create a log analytics workspace.
Select the subscription and resource group associated with current deployment. While naming the workspace, use the convention 'resource_group_name-workspaces'. The workspace can be associated with hub stack Application Insights and/or inbound stack Application Insights. Ensure that the region is consistent with the deployment region and click Review + Create.
After the workspace is created successfully, it appears in the resource group.
Click Migrate to Workspace-based link in Application Insights Property tab. The newly created workspace appears.
Select the workspace and click Apply.
Note: Migration is irreversible and the resource cannot be reverted to classic application insights once migrated.

Application Insights Deletion

Delete the Application Insights instance first, and then delete the workspace along with other resources in the resource group that the deployment is associated with.

Downgrade

Downgrade is not allowed as you will need to deploy Application Insights using the classic method, which is not recommended.