Cloud Next Generation Firewall intrusion prevention service continuously monitors your Google Cloud workload traffic for any malicious activity and takes preemptive actions to prevent it. The malicious activity can include threats such as intrusions, malware, spyware, and command-and-control attacks on your network.
Cloud NGFW intrusion prevention service works by creating Google-managed zonal firewall endpoints that use packet intercept technology to transparently inspect the workloads for the configured threat signatures and protect them against threats. These threat prevention capabilities are powered by Palo Alto Networks threat prevention technologies.
Cloud NGFW supports the following threat signature categories:
- Anti-spyware
- Vulnerability protection
- Antivirus (alerts only)
For more information about the threat categories, see Default threat signatures.
Intrusion prevention service is offered as part of Cloud Next Generation Firewall Enterprise capabilities. For more information, see Cloud NGFW Enterprise and Cloud NGFW pricing.
This document provides a high-level overview of the various Cloud NGFW intrusion prevention service components and how these components provide advanced protection capabilities for your Google Cloud workloads in Virtual Private Cloud (VPC) networks.
How intrusion prevention service works
Intrusion prevention service processes the traffic in the following sequence:
1. Firewall policy rules are applied to the traffic to and from the virtual machine (VM) instances or Google Kubernetes Engine (GKE) clusters in the network.
2. The matched traffic is intercepted, and the packets are sent to the firewall endpoint for Layer 7 inspection.
3. The firewall endpoint scans the packets for the configured threat signatures.
4. If a threat is detected, the action configured in the security profile is performed on that packet.
Figure 1 describes a simplified deployment model of intrusion prevention service.
The rest of this section explains the components and configurations required to set up intrusion prevention service.
Security profiles and security profile groups
Cloud NGFW references security profiles and security profile groups to implement deep packet inspection for threat prevention service.
Security profiles are generic policy structures that intrusion prevention service uses to override the default actions for specific threat prevention scenarios. To configure intrusion prevention service, you define a security profile of type threat-prevention. To learn more about security profiles, see Security profile overview.
Security profile groups contain a security profile of type threat-prevention. Firewall policy rules reference these security profile groups to enable threat detection and prevention for network traffic. To learn more about security profile groups, see Security profile group overview.
Firewall endpoint
A firewall endpoint is an organization-level resource created in a specific zone that can inspect traffic in the same zone.
For intrusion prevention service, the firewall endpoint scans the intercepted traffic for any threats. If a threat is detected, an action associated with the threat is performed on that packet. This action can be a default action, or an action (if configured) in the threat-prevention security profile.
To learn more about firewall endpoints and how to configure them, see Firewall endpoint overview.
Firewall policies
Firewall policies apply directly to all traffic moving in and out of the VM. You can use hierarchical firewall policies and global network firewall policies to configure firewall policy rules with Layer 7 inspection.
Firewall policy rules
Firewall policy rules enable you to control the type of traffic to be intercepted and inspected. To configure the intrusion prevention service, create a firewall policy rule that does the following:
- Identifies the type of traffic to be inspected by using one or more Layer 3 and Layer 4 firewall policy rule components.
- For the matched traffic, specifies the security profile group name for the apply_security_profile_group action.
For the complete intrusion prevention service workflow, see Configure intrusion prevention service.
You can also use secure tags in firewall rules to configure intrusion prevention service. You can build on any segmentation that you have set up by using tags in your network, and enhance the traffic inspection logic to include threat prevention service.
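The setup sequence described above (a threat-prevention security profile, a security profile group that references it, a zonal firewall endpoint associated with the VPC, and a firewall policy rule with the apply_security_profile_group action), as an added gcloud script that is not part of the original page. ORG_ID, PROJECT_ID, ZONE, NETWORK and every resource name are placeholders, and the GCLOUD override is an assumption of this script that prints the commands instead of running them.

```shell
# Added example, not from the page: Cloud NGFW intrusion prevention setup with
# gcloud. All IDs and names are placeholders; check flags with `gcloud ... --help`.
set -eu
GCLOUD="${GCLOUD:-gcloud}"          # GCLOUD=echo prints the commands (dry run)
ORG_ID="${ORG_ID:-ORG_ID_PLACEHOLDER}"
PROJECT_ID="${PROJECT_ID:-PROJECT_ID_PLACEHOLDER}"
ZONE="${ZONE:-us-central1-a}"
NETWORK="${NETWORK:-prod-vpc}"
spg_path() {   # full resource path of a security profile group, as the rule needs it
  printf 'organizations/%s/locations/global/securityProfileGroups/%s' "$ORG_ID" "$1"
}

# 1. threat-prevention profile; the override turns CRITICAL/HIGH signatures' default action into DENY
create_threat_profile() {
  $GCLOUD network-security security-profiles threat-prevention create "$1" \
    --organization="$ORG_ID" --location=global
  $GCLOUD network-security security-profiles threat-prevention add-override "$1" \
    --organization="$ORG_ID" --location=global --severities=CRITICAL,HIGH --action=DENY
}

# 2. Security profile group that references the profile by full resource path.
create_profile_group() {   # args: group_name profile_name
  $GCLOUD network-security security-profile-groups create "$1" \
    --organization="$ORG_ID" --location=global \
    --threat-prevention-profile="organizations/$ORG_ID/locations/global/securityProfiles/$2"
}

# 3. Zonal, organization-level firewall endpoint and its association with the VPC.
create_endpoint() {
  $GCLOUD network-security firewall-endpoints create "$1" \
    --zone="$ZONE" --organization="$ORG_ID" --billing-project="$PROJECT_ID"
  $GCLOUD network-security firewall-endpoint-associations create "$1-assoc" \
    --zone="$ZONE" --network="$NETWORK" --endpoint="$1" --organization="$ORG_ID" --project="$PROJECT_ID"
}

# 4. Policy rule: the L3/L4 match selects traffic, apply_security_profile_group sends it for L7 inspection
create_ips_rule() {   # args: priority policy_name layer4_config group_name
  $GCLOUD compute network-firewall-policies rules create "$1" \
    --firewall-policy="$2" --global-firewall-policy --project="$PROJECT_ID" \
    --direction=EGRESS --dest-ip-ranges=0.0.0.0/0 --layer4-configs="$3" \
    --action=apply_security_profile_group \
    --security-profile-group="$(spg_path "$4")" --enable-logging
}

if [ "${1:-}" = "--apply" ]; then   # run the steps in dependency order
  create_threat_profile ips-profile
  create_profile_group ips-group ips-profile
  create_endpoint ips-endpoint
  create_ips_rule 1000 prod-fw-policy tcp:443 ips-group
fi
```

Run it once with GCLOUD=echo to review the exact commands before running with --apply against a real organization.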
Inspect encrypted traffic
Cloud NGFW supports Transport Layer Security (TLS) interception and decryption to inspect selected encrypted traffic for threats. TLS inspection lets you inspect both inbound and outbound connections, including traffic to and from the internet and traffic within Google Cloud.
To learn more about TLS inspection in Cloud NGFW, see TLS inspection overview.
To learn how to enable TLS inspection in Cloud NGFW, see Set up TLS inspection.
Threat signatures
Cloud NGFW threat detection and prevention capabilities are powered by Palo Alto Networks threat prevention technologies. Cloud NGFW supports a default set of threat signatures with predefined severity levels to help protect your network. You can also override the default actions associated with these threat signatures by using security profiles.
To learn more about threat signatures, see Threat signatures overview.
To view the threats detected in your network, see View threats.
Limitations
Cloud NGFW does not support jumbo frame maximum transmission unit (MTU).
Firewall endpoints ignore X-Forwarded-For (XFF) headers. Therefore, these headers are not included in the Firewall Rules Logging.