VM monitoring sources attributes/annotations

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

VM monitoring sources attributes/annotations

L4 Transporter

Does anyone know more on the use of the "annotation" field for use in a dynamic address group from a vm information source?

Can the notes or tags field in the summary tab in vCenter be used to apply custom annotations? Any assistance on the syntax would be great since PAN dosn't seem to provide much on this that I could find.

The goal is to be able to apply multiple custom annotations in order to apply the proper dynamic address group to the VM and a VM could belong to multiple dynamic address groups.
vc.jpgdag.jpg

1 accepted solution

Accepted Solutions

I ran across the same issue today and found another/better way to use tagging if you have vCenter and the VMware vCenter plug-in for panorama.  Details for configuring the plug-in can be found at Panorama Plugin for VMware vCenter .

 

Instead of using the 'Notes' field, you can use the vCenter 'Tag and Categories' feature.  It is located under 'Menu > Tags & Custom Attributes'.  In my example, I use vCenter Tags to create Dynamic groups in Panorama using the following categories; security-zone, site-or-location and domain-member.

 

FYI: If you don't see the Tags widget in vCenter, you may need to scroll down.

Screen Shot 2020-11-22 at 3.07.16 PM.png

 

There are two pieces to the vCenter Tag configuration; Categories and Tags.  Categories are groups of tags and also control if a VMware entity, in our case the 'VirtualMachine', can have more than one Tag from the Category.

Screen Shot 2020-11-22 at 3.14.01 PM.png

 

For example, the Tags for the "domain-member" category are domain-client, domain-server and domain-controller.  Multiple Cardinality is set to false (see above) and Associable Entities is set to VirtualMachines, so you can only select one Tag and the Tags are only available for Virtual Machines.

Screen Shot 2020-11-22 at 3.13.00 PM.png

 

Once you have your categories and tags defined, apply them to your virtual machines by clicking Assign in the Tags widget for the Virtual Machine.  To manually synchronize the Tags use the VMware vCenter plug-in.

Screen Shot 2020-11-22 at 3.29.07 PM.png

 

Now when you create dynamic address group, you should see your tags available.

Screen Shot 2020-11-22 at 3.34.42 PM.png

 

TIPS:

-You can use (parenthesis) to group multiple ANDs & ORs

-You can add Panorama Tags to dynamic address groups for use in other static or dynamic groups.

Screen Shot 2020-11-22 at 3.36.34 PM.png

 

Hope you find this useful,

Sully

 

View solution in original post

11 REPLIES 11

L4 Transporter

Update on this:

So the annotation field leverages the "Notes" field of the guest in vsphere. So if you add a notation in the notes field (example a_host), the PAN will pick it up on the next refresh and add that as an actual filter to choose from for the dynamic address group.

 

The piece I am still missing is can a guest have multiple annotations in the notes field and the PAN pick it up as seperate filters or annotations?

 

If "Yes", what is the syntax?

I have tried, seperate lines, ";", ",", and spaces with no success.

 

sanp.jpg

did you ever get an answer on this one?

 

Nope never got anything back on this.

L1 Bithead

I needed to do this today.

In my case I am using vCenter integration.

When creating a dynamic object (objects -> add -> select type -> dynamic) there is an option at the bottom to "Add Match Criteria". When selected, this provides a "picklist" of all the annotations Palo has picked up from vCenter. In my case I already had 'annotation.access.to.3.pool.ntp.org' as a note I made on one of my VMs. for a logical "and" select a second annotation from the picklist so the result is:

'annotation.access to 3.pool.ntp.org' and 'annotation.VMware vCenter Server Appliance' in the Match field of the Dynamic Address Group 

 

 

Sorry, it doesn't seem to have the idea of multiple annotations within one VM note.

E.g. if you make a note:

 

Access to DMZ Server1

Access to DMZ Server2

 

The annotation becomes 'annotation.Access to Server1Access to Server2' rather than two seperate annotations

 

 

I ran across the same issue today and found another/better way to use tagging if you have vCenter and the VMware vCenter plug-in for panorama.  Details for configuring the plug-in can be found at Panorama Plugin for VMware vCenter .

 

Instead of using the 'Notes' field, you can use the vCenter 'Tag and Categories' feature.  It is located under 'Menu > Tags & Custom Attributes'.  In my example, I use vCenter Tags to create Dynamic groups in Panorama using the following categories; security-zone, site-or-location and domain-member.

 

FYI: If you don't see the Tags widget in vCenter, you may need to scroll down.

Screen Shot 2020-11-22 at 3.07.16 PM.png

 

There are two pieces to the vCenter Tag configuration; Categories and Tags.  Categories are groups of tags and also control if a VMware entity, in our case the 'VirtualMachine', can have more than one Tag from the Category.

Screen Shot 2020-11-22 at 3.14.01 PM.png

 

For example, the Tags for the "domain-member" category are domain-client, domain-server and domain-controller.  Multiple Cardinality is set to false (see above) and Associable Entities is set to VirtualMachines, so you can only select one Tag and the Tags are only available for Virtual Machines.

Screen Shot 2020-11-22 at 3.13.00 PM.png

 

Once you have your categories and tags defined, apply them to your virtual machines by clicking Assign in the Tags widget for the Virtual Machine.  To manually synchronize the Tags use the VMware vCenter plug-in.

Screen Shot 2020-11-22 at 3.29.07 PM.png

 

Now when you create dynamic address group, you should see your tags available.

Screen Shot 2020-11-22 at 3.34.42 PM.png

 

TIPS:

-You can use (parenthesis) to group multiple ANDs & ORs

-You can add Panorama Tags to dynamic address groups for use in other static or dynamic groups.

Screen Shot 2020-11-22 at 3.36.34 PM.png

 

Hope you find this useful,

Sully

 

Hi, SSullivan3, 

But Your solution require Panorama, how to use vcenter/ESXI tags without buying Panorama ? 

 

I have PA220 and vcenter 7.0 u2 and I can't see tags in Adres Groups. 

Tags are most important here, I am little bit disappointed, I hope I am doing something wrong and there is quick fix for that.

 

Regards,

Jerzy Kołysz 

Jerzy,

If you have configured the vSphere source under 'Device > VM Information Sources' and configured and assigned vSphere categories to the Guest, you should see those selections categories/tags when you add an Address Group and select type=Dynamic.

 

Device > VM Infirmation SourcesDevice > VM Infirmation SourcesvSphere  > Categories & TagsvSphere > Categories & TagsObjects > Address Groups (*set type=Dynamic)Objects > Address Groups (*set type=Dynamic)

Sully

 

I did all above,

 but my PA220 running 9.1.8, and You are running 10.x

I have to check it once again, or maybe update to 10, but it is quite slow on PA220

I'm using VM Information Sources without Panorama too and having the same issue.

Did you manage to see the vm tags besides annotations in matching criteria?

L2 Linker

Not at all, 

still having issues, 

  • 1 accepted solution
  • 8797 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!