VM-Info Sources GCP dynamic groups not populating correctly
3796
Created On 03/18/20 20:05 PM - Last Modified 04/03/20 23:56 PM
Symptom
- Customer has multiple dynamic groups, only a few are working correctly, for some reason the firewall is not able to process all dynamic groups members.
- Example of non-working registered IP where gce-tag and gce-label are missing:
> show object registered-ip ip 10.213.0.49
registered IP Tags
-----------------------------------------
10.213.0.49
"project_id.sclab-service-project"
"hostname.tagftp032-lax-five9lab-com"
"machinetype.n1-standard-8"
"zone.us-west2-b"
"network.vpc-front-end-bdc"
"subnetwork.network-uswest2-taguslab04-frontend-bdc"
-----------------------------------------
10.213.0.49
"project_id.sclab-service-project"
"hostname.tagftp032-lax-five9lab-com"
"machinetype.n1-standard-8"
"zone.us-west2-b"
"network.vpc-front-end-bdc"
"subnetwork.network-uswest2-taguslab04-frontend-bdc"
- This is an example of working registered IP:
> show object registered-ip ip 10.213.0.19
registered IP Tags
---------------------------------------- -----------------
10.213.0.19
"project_id.sclab-service-project"
"hostname.tagapiew032-lax-five9lab-com"
"machinetype.n1-standard-16"
"zone.us-west2-b"
"gce-tag.sclab-uswest2"<<<<<<<<<<<<<<<
"gce-tag.taguslab01-apiew" <<<<<<<<<<<<<<<
"gce-label.product.vcc" <<<<<<<<<<<<<<<<<
"gce-label.role.apiew" <<<<<<<<<<<<<<<<<
"gce-label.env.taguslab01" <<<<<<<<<<<<<<<<<
"network.vpc-front-end-bdc"
"subnetwork.network-uswest2-taguslab04-frontend-bdc"
registered IP Tags
---------------------------------------- -----------------
10.213.0.19
"project_id.sclab-service-project"
"hostname.tagapiew032-lax-five9lab-com"
"machinetype.n1-standard-16"
"zone.us-west2-b"
"gce-tag.sclab-uswest2"<<<<<<<<<<<<<<<
"gce-tag.taguslab01-apiew" <<<<<<<<<<<<<<<
"gce-label.product.vcc" <<<<<<<<<<<<<<<<<
"gce-label.role.apiew" <<<<<<<<<<<<<<<<<
"gce-label.env.taguslab01" <<<<<<<<<<<<<<<<<
"network.vpc-front-end-bdc"
"subnetwork.network-uswest2-taguslab04-frontend-bdc"
- Enabled userid debugs for vmmonitor and cleared the registered IP's
The userid debugs do not show the tags obtained from GCP - Gain root access to run the script manually and confirmed that the tags are retrieved from GCP
/usr/local/bin/pan_gce_vmmonitor.py sclab-service-project us-west2-b $KEY 0 > objects.txt
Here are the instance details from the script output. Both of them have the tags and labels:
, {
"hostname": "tagftp032-lax",
"machinetype": "n1-standard-8",
"license": ["centos-6"],
"zone": "us-west2-b",
"tags": ["sclab-uswest2", "taguslab01-ftp"], <<<<<<<<<<<<<<<<<tag
"labels": {
"product": "vcc", <<<<<<<<<<<<<<<<<label
"role": "ftp", <<<<<<<<<<<<<<<<<label
"env": "taguslab01" <<<<<<<<<<<<<<<<<label
},
"networks": [{
"subnetwork": "network-uswest2-taguslab04-frontend-bdc",
"natips": [],
"networkip": "10.213.0.49",
"network": "vpc-front-end-bdc",
"name": "nic0"
}],
"id": "1167820765528214442"
}
}, {
"hostname": "tagapiew032-lax",
"machinetype": "n1-standard-16",
"license": ["centos-6"],
"zone": "us-west2-b",
"tags": ["sclab-uswest2", "taguslab01-apiew"],
"labels": {
"product": "vcc",
"role": "apiew",
"env": "taguslab01"
},
"networks": [{
"subnetwork": "network-uswest2-taguslab04-frontend-bdc",
"natips": [],
"networkip": "10.213.0.19",
"network": "vpc-front-end-bdc",
"name": "nic0"
}],
"id": "141226236350644023"
}
"hostname": "tagftp032-lax",
"machinetype": "n1-standard-8",
"license": ["centos-6"],
"zone": "us-west2-b",
"tags": ["sclab-uswest2", "taguslab01-ftp"], <<<<<<<<<<<<<<<<<tag
"labels": {
"product": "vcc", <<<<<<<<<<<<<<<<<label
"role": "ftp", <<<<<<<<<<<<<<<<<label
"env": "taguslab01" <<<<<<<<<<<<<<<<<label
},
"networks": [{
"subnetwork": "network-uswest2-taguslab04-frontend-bdc",
"natips": [],
"networkip": "10.213.0.49",
"network": "vpc-front-end-bdc",
"name": "nic0"
}],
"id": "1167820765528214442"
}
}, {
"hostname": "tagapiew032-lax",
"machinetype": "n1-standard-16",
"license": ["centos-6"],
"zone": "us-west2-b",
"tags": ["sclab-uswest2", "taguslab01-apiew"],
"labels": {
"product": "vcc",
"role": "apiew",
"env": "taguslab01"
},
"networks": [{
"subnetwork": "network-uswest2-taguslab04-frontend-bdc",
"natips": [],
"networkip": "10.213.0.19",
"network": "vpc-front-end-bdc",
"name": "nic0"
}],
"id": "141226236350644023"
}
- The tags do not change after clearing and resetting the vmmonotor for the source:
- debug vm-monitor clear source-name service-project-us-west2-b
- debug vm-monitor reset source-name service-project-us-west2-b
Environment
- Platform: PAN-OS
- PAN-OS / Plugin Version: -8.1.7
- Deployment: VM-Series
Cause
- Max tag counting logic was done for the entire project instead of per instance.
Resolution
- This issue has been addressed in PAN-OS 8.1.7 or later and 9.0.0 or later
- PAN-110262 - Fixed an issue on VM-Series Firewalls Dynamic Address Groups did not display all the tags and labels for registered IPs