Configure intrusion prevention service

To enable intrusion prevention service in your network, you must set up multiple Cloud Next Generation Firewall components. This document provides a high-level workflow that describes how to configure these components and enable threat detection and prevention.

Configure intrusion prevention service without TLS inspection

To configure intrusion prevention service in your network, perform the following tasks.

  1. Create a security profile of type Threat prevention. Set up threat or severity overrides as required by your network. You can create one or more profiles. To learn how to create security profiles, see Create a security profile.

  2. Create a security profile group with the security profile created in the preceding step. To learn how to create a security profile group, see Create a security profile group.

  3. Create a firewall endpoint in the same zone as your workloads where you want to enable threat prevention. To learn how to create a firewall endpoint, see Create a firewall endpoint.

  4. Associate the firewall endpoint with one or more VPC networks where you want to enable threat detection and prevention. Make sure that you're running your workloads in the same zone as the firewall endpoint. To learn how to associate a firewall endpoint with a VPC network, see Create firewall endpoint associations.

  5. You can use global network firewall policies or hierarchical firewall policies to configure intrusion prevention service.

    • In a new or existing global firewall policy, add a firewall policy rule with Layer 7 inspection enabled (apply_security_profile_group action) and specify the name of the security profile group that you created in the preceding step. Make sure that the firewall policy is associated with the same VPC network as the workloads that require inspection. To learn more about the parameters required to create a firewall policy rule with threat prevention enabled, see Create global network firewall policy rules.

    • You can also use a hierarchical firewall policy to add a firewall policy rule with a security profile group configured. To learn more about the parameters required to create hierarchical firewall policy rules with threat prevention enabled, see Create firewall rules.

Configure intrusion prevention service with TLS inspection

To configure intrusion prevention service with Transport Layer Security (TLS) inspection in your network, perform the following tasks.

  1. Create a security profile of type Threat prevention. Set up threat or severity overrides as required by your network. You can create one or more profiles. To learn how to create security profiles, see Create a security profile.

  2. Create a security profile group with the security profile created in the preceding step. To learn how to create a security profile group, see Create a security profile group.

  3. Create a CA pool and a trust config, and add them to your TLS inspection policy. To learn how to enable TLS inspection in Cloud NGFW, see Set up TLS inspection.

  4. Create a firewall endpoint in the same zone as your workloads where you want to enable threat prevention. To learn how to create a firewall endpoint, see Create a firewall endpoint.

  5. Associate the firewall endpoint with one or more VPC networks where you want to enable threat detection and prevention. Add the TLS inspection policy you created in the preceding step to the firewall endpoint association. Make sure that you're running your workloads in the same zone as the firewall endpoint.

    To learn how to associate a firewall endpoint with a VPC network and enable TLS inspection, see Create firewall endpoint associations.

  6. You can use global network firewall policies or hierarchical firewall policies to configure an intrusion prevention service.

    • In a new or existing global firewall policy, add a firewall policy rule with Layer 7 inspection enabled (apply_security_profile_group action) and specify the name of the security profile group that you created in the preceding step. To enable TLS inspection, specify the --tls-inspect flag. Make sure that the firewall policy is associated with the same VPC network as the workloads that require inspection. To learn more about the parameters required to create a firewall policy rule with threat prevention enabled, see Create global network firewall policy rules.

    • You can also use a hierarchical firewall policy to add a firewall policy rule with a security profile group configured. To learn more about the parameters required to create hierarchical firewall policy rules with threat prevention enabled, see Create firewall rules.

Example deployment model

Figure 1 shows an example deployment with intrusion prevention service configured for two VPC networks in the same region but two different zones.

Deploy intrusion prevention service in a region.
Figure 1. Deploy intrusion prevention service in a region (click to enlarge).

The example deployment has the following threat prevention configuration:

  1. Two security profile groups:

    1. Security profile group 1 with security profile Security profile 1.

    2. Security profile group 2 with security profile Security profile 2.

  2. Customer VPC 1 (VPC 1) has firewall policy with security profile group set to Security profile group 1.

  3. Customer VPC 2 (VPC 2) has firewall policy with security profile group set to Security profile group 2.

  4. Firewall endpoint Firewall endpoint 1 performs threat detection and prevention for workloads running on VPC 1andVPC 2 in zone us-west1-a.

  5. Firewall endpoint Firewall endpoint 2 performs threat detection and prevention with TLS inspection enabled for workloads running on VPC 1 and VPC 2 in zone us-west1-b.

What's next