VM monitoring sources attributes/annotations

Gun-Slinger
L3 Networker

Does anyone know more on the use of the "annotation" field for use in a dynamic address group from a vm information source?

Can the notes or tags field in the summary tab in vCenter be used to apply custom annotations? Any assistance on the syntax would be great since PAN doesn't seem to provide much on this that I could find.

The goal is to be able to apply multiple custom annotations in order to apply the proper dynamic address group to the VM and a VM could belong to multiple dynamic address groups.


Accepted Solutions
SSullivan3
L0 Member

I ran across the same issue today and found another/better way to use tagging if you have vCenter and the VMware vCenter plug-in for Panorama. Details for configuring the plug-in can be found at Panorama Plugin for VMware vCenter.

Instead of using the 'Notes' field, you can use the vCenter 'Tag and Categories' feature. It is located under 'Menu > Tags & Custom Attributes'. In my example, I use vCenter Tags to create Dynamic groups in Panorama using the following categories: security-zone, site-or-location and domain-member.

FYI: If you don't see the Tags widget in vCenter, you may need to scroll down.


There are two pieces to the vCenter Tag configuration: Categories and Tags. Categories are groups of tags and also control if a VMware entity, in our case the 'VirtualMachine', can have more than one Tag from the Category.

For example, the Tags for the "domain-member" category are domain-client, domain-server and domain-controller.  Multiple Cardinality is set to false (see above) and Associable Entities is set to VirtualMachines, so you can only select one Tag and the Tags are only available for Virtual Machines.


Once you have your categories and tags defined, apply them to your virtual machines by clicking Assign in the Tags widget for the Virtual Machine.  To manually synchronize the Tags use the VMware vCenter plug-in.


Now when you create a dynamic address group, you should see your tags available.

TIPS:

- You can use (parentheses) to group multiple ANDs & ORs

- You can add Panorama Tags to dynamic address groups for use in other static or dynamic groups.

Hope you find this useful,

Sully


All Replies
Gun-Slinger
L3 Networker

Update on this:

So the annotation field leverages the "Notes" field of the guest in vSphere. So if you add a notation in the notes field (example a_host), the PAN will pick it up on the next refresh and add that as an actual filter to choose from for the dynamic address group.

The piece I am still missing is: can a guest have multiple annotations in the notes field and the PAN pick them up as separate filters or annotations?

If "Yes", what is the syntax?

I have tried separate lines, ";", ",", and spaces with no success.

Sec101
L4 Transporter

Did you ever get an answer on this one?

Gun-Slinger
L3 Networker

Nope, never got anything back on this.

AndrewKemmyNTT
L1 Bithead

I needed to do this today.

In my case I am using vCenter integration.

When creating a dynamic object (objects -> add -> select type -> dynamic) there is an option at the bottom to "Add Match Criteria". When selected, this provides a "picklist" of all the annotations Palo has picked up from vCenter. In my case I already had 'annotation.access.to.3.pool.ntp.org' as a note I made on one of my VMs. For a logical "and", select a second annotation from the picklist so the result is:

'annotation.access to 3.pool.ntp.org' and 'annotation.VMware vCenter Server Appliance' in the Match field of the Dynamic Address Group

AndrewKemmyNTT
L1 Bithead

Sorry, it doesn't seem to have the idea of multiple annotations within one VM note.

E.g. if you make a note:

Access to DMZ Server1

Access to DMZ Server2

The annotation becomes 'annotation.Access to Server1Access to Server2' rather than two separate annotations.
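
Added example, not part of any post in this thread and not Palo Alto Networks code: a small evaluator for the quoted-tag `and`/`or`/parentheses match criteria described in the accepted solution, run over a constructed inventory to preview dynamic address group membership, including the merged annotation reported above. VM names and the zone tags are constructed (copy the real strings from the Match Criteria picklist), and mixing `and` with `or` without parentheses is rejected here by choice rather than assuming a precedence.

```python
import re
# One token: a single-quoted tag, a parenthesis, or the keyword and/or.
TOKEN = re.compile(r"\s*(?:'([^']*)'|(\(|\)|and\b|or\b))", re.IGNORECASE)

def tokenize(expr):
    pos, out, expr = 0, [], expr.rstrip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad match criteria at offset {pos}")
        tag, op = m.groups()
        out.append(("tag", tag) if tag is not None else ("op", op.lower()))
        pos = m.end()
    return out

def parse(tokens):  # returns a predicate over one VM's set of tags
    def term():
        kind, val = tokens.pop(0) if tokens else ("end", None)
        if kind == "tag":
            return lambda tags: val in tags
        if (kind, val) == ("op", "("):
            node = group()
            if not tokens or tokens.pop(0) != ("op", ")"):
                raise ValueError("missing ')'")
            return node
        raise ValueError("expected a quoted tag or '('")
    def group():
        nodes, ops = [term()], set()
        while tokens and tokens[0] in (("op", "and"), ("op", "or")):
            ops.add(tokens.pop(0)[1])
            nodes.append(term())
        if len(ops) > 1:  # no precedence is assumed between and/or
            raise ValueError("mixed and/or in one group: add parentheses")
        combine = any if ops == {"or"} else all
        return lambda tags: combine(n(tags) for n in nodes)
    node = group()
    if tokens:
        raise ValueError("unexpected token after expression")
    return node

def members(expr, inventory):
    match = parse(tokenize(expr))
    return sorted(vm for vm, tags in inventory.items() if match(tags))

INVENTORY = {  # constructed sample: VM names and zone tags are made up
    "dc01": {"domain-controller", "internal"},
    "app01": {"domain-server", "internal"},
    "web01": {"domain-server", "dmz"},
    "note01": {"annotation.Access to Server1Access to Server2"},  # merged note
}
```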
