GCP VM Information Source fails with error 'GCE-ERROR: gce-unauthorised : Insufficient Permission'
Created On 07/12/20 18:31 PM - Last Modified 07/21/20 02:40 AM
Symptom
- A VM Information Source of type Google Compute Engine is configured on a VM-Series firewall in GCP.
- After system maintenance (snapshot / restore) that was required to swap the management and Untrust interfaces of the firewall on Google Cloud, the VM Information Source fails with the error:
vm-info-source v7-panfw-gcp(vsys1): failed to connected to GCE, status GCE-ERROR: gce-unauthorised : Insufficient Permission
Connection status drops:
> show vm-monitor source all
Source: v7-panfw-gcp (vsys: vsys1, Host: www.googleapis.com/443)
Status : not-conn:idle
mp\useridd.log
Error: pan_vm_gce_source_proc(pan_vm_info_src_gce.c:1542): pan_vm_info_source_parse_n_proc_updates failed for vm-info-source v7-panfwp
Error: pan_vm_gce_source_parse_updates(pan_vm_info_src_gce.c:1358): GCE-ERROR: gce-unauthorised : Insufficient Permission
pan_vm_gce_source_parse_n_proc_updates(pan_vm_info_src_gce.c:831): pan_vm_gce_source_parse_updates failed
System log:
vm-info-source GCP Engine(vsys1): failed to connected to GCE, status GCE-ERROR: gce-communication-error no connection is available to Google Cloud.
Environment
- Platform: VM-Series on GCP
- PAN-OS / Plugin Version: Any
- Deployment: New/Existing
Cause
- PAN-OS configuration issue under 'Device > VM Information Sources > Project ID': the field may contain the GCP Project Name (which can include uppercase letters) instead of the Project ID.
- Or, the Service Account associated with the PA-VM instance does not have sufficient IAM permissions.
- Although the Service Account was configured with sufficient permissions initially, snapshotting the PA-VM instance on Google Cloud and restoring it may cause the associated IAM permissions to be removed.
- To confirm this issue, run the VM monitor debug script from the PAN-OS root shell:
Syntax:
# /usr/local/bin/pan_gce_vmmonitor.py '<vm-info-source name>' '<gcp-zone-name>' '' 0
Example:
# /usr/local/bin/pan_gce_vmmonitor.py 'v7i-sub-project' 'northamerica-northeast1-a' '' 0
GCE-ERROR: gce-unauthorised : Insufficient Permission
For the following running configuration:
<vm-info-source>
  <entry name="v7-panfw-vm">
    <Google-Compute-Engine>
      <service-auth-type>
        <service-in-gce/>
      </service-auth-type>
      <project-id>V7I-Sub-Project</project-id>
      <zone-name>northamerica-northeast1-a</zone-name>
      <disabled>no</disabled>
    </Google-Compute-Engine>
  </entry>
</vm-info-source>
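As an added example (not part of this article and not PAN-OS code), a small Python helper that applies the two checks above offline: it parses the vm-info-source running configuration and flags a project-id that does not match GCP's documented project ID format (6 to 30 lowercase letters, digits and hyphens, starting with a letter), and it maps the GCE-ERROR codes found in useridd.log or system log lines to the cause to investigate first. The project ID regex and the hint texts are assumptions; the sample configuration and log lines are the ones quoted in this article.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: GCP's documented project ID format (6-30 chars, lowercase
# letters, digits and hyphens, starts with a letter, no trailing hyphen).
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
GCE_ERROR_RE = re.compile(r"GCE-ERROR:\s*([a-z-]+)")
# Assumed hints: which cause from the article to check first per error code.
GCE_ERROR_HINTS = {
    "gce-unauthorised": "check Project ID case and the service account's Compute Engine read-only role",
    "gce-communication-error": "check reachability of www.googleapis.com:443 from the firewall",
}

def check_project_ids(config_xml):
    """Return {source name: (configured project-id, lowercase fix or None)}
    for each vm-info-source entry whose project-id is not a valid GCP ID."""
    problems = {}
    for entry in ET.fromstring(config_xml).iter("entry"):
        pid_elem = entry.find("Google-Compute-Engine/project-id")
        if pid_elem is None:
            continue
        pid = (pid_elem.text or "").strip()
        if not PROJECT_ID_RE.match(pid):
            # Mixed-case Project Name instead of Project ID is the article's
            # first cause; suggest the lowercase form only if it is valid.
            fix = pid.lower() if PROJECT_ID_RE.match(pid.lower()) else None
            problems[entry.get("name")] = (pid, fix)
    return problems

def classify_gce_errors(log_lines):
    """Return [(error code, hint)] for each distinct GCE-ERROR code, in order seen."""
    found = []
    for line in log_lines:
        m = GCE_ERROR_RE.search(line)
        if m and all(code != m.group(1) for code, _ in found):
            found.append((m.group(1), GCE_ERROR_HINTS.get(m.group(1), "unknown code")))
    return found

# Sample input: the running configuration and log lines quoted in the article.
SAMPLE_CONFIG = """<vm-info-source><entry name="v7-panfw-vm"><Google-Compute-Engine>
<service-auth-type><service-in-gce/></service-auth-type><project-id>V7I-Sub-Project</project-id>
<zone-name>northamerica-northeast1-a</zone-name><disabled>no</disabled></Google-Compute-Engine></entry></vm-info-source>"""
SAMPLE_LOGS = [
    "Error: pan_vm_gce_source_parse_updates(pan_vm_info_src_gce.c:1358): GCE-ERROR: gce-unauthorised : Insufficient Permission",
    "vm-info-source GCP Engine(vsys1): failed to connected to GCE, status GCE-ERROR: gce-communication-error no connection is available to Google Cloud.",
]

if __name__ == "__main__":  # run over the article's samples
    print(check_project_ids(SAMPLE_CONFIG), classify_gce_errors(SAMPLE_LOGS))
```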
Resolution
- Replace the 'Device > VM Information Sources > Project ID' configuration on the firewall with the expected project ID (lowercase). You can find your Google Project ID in the Google API console: choose your project from the drop-down selector, and the project ID is shown on the “Home” screen.
- Add the Compute Engine Read-Only IAM role to the Service Account associated with the instance.
- An instance can have only one service account, and the service account must have been created in the same project as the instance.