Configure the URL filtering service

The URL filtering service lets you control access to specific web domains by blocking or allowing them. To enable the URL filtering service in your network, you must set up multiple Cloud Next Generation Firewall components, including firewall endpoints, security profiles, and security profile groups. This document provides a high-level workflow that describes how to configure these components and enable the URL filtering service.

To learn more about the URL filtering service, see URL filtering service overview.

Configure the URL filtering service without TLS inspection

To configure the URL filtering service in your network, perform the following tasks.

  1. Create a security profile for URL filtering.

    To allow or deny access to specific domains, create a security profile of type url-filtering and use URL lists to specify your matcher strings.

    For more information, see Create a URL filtering security profile.

  2. Optionally, you can create a security profile to scan traffic for threats.

    To scan the traffic for security threats, create another security profile of type threat-prevention. Review the list of threat signatures, evaluate the default responses, and customize actions for the selected signatures according to your requirements.

    For more information, see Create a threat prevention security profile. To learn more about the intrusion detection and prevention service, see Intrusion detection and prevention service overview.

  3. Create a security profile group.

    A security profile group acts as a container for security profiles. Create a security profile group to include the security profiles you created in the previous steps.

    For more information, see Create a security profile group.

  4. Create a firewall endpoint.

    A firewall endpoint is a zonal resource that you must create in the same zone as the workload you want to protect with the URL filtering service.

    For more information, see Create a firewall endpoint.

  5. Associate the firewall endpoint with your VPC networks.

    To enable the URL filtering service, associate the firewall endpoint with your VPC networks. Make sure that you're running your workloads in the same zone as the firewall endpoint.

    For more information, see Create firewall endpoint associations.

  6. Configure and apply the URL filtering service to your network traffic.

    To configure the URL filtering service, create a global network firewall policy or a hierarchical firewall policy with Layer 7 inspection.

    • If you create a new global firewall policy or use an existing one, add a firewall policy rule with the apply_security_profile_group action and specify the name of the security profile group that you created previously. Make sure that the firewall policy is associated with the same VPC network as the workloads that require inspection.

      For more information, see Create a global network firewall policy and Create global network firewall rules.

    • If you create a new hierarchical firewall policy or use an existing one, add a firewall policy rule with the apply_security_profile_group action. Make sure that the firewall policy is associated with the same VPC network as the workloads that require inspection.

      For more information, see Create firewall rules.

Configure the URL filtering service with TLS inspection

To configure the URL filtering service with Transport Layer Security (TLS) inspection in your network, perform the following tasks.

  1. Create a security profile for URL filtering.

    To allow or deny access to specific domains, create a security profile of type url-filtering and use URL lists to specify your matcher strings.

    For more information, see Create a URL filtering security profile.

  2. Optionally, you can create a security profile to scan traffic for threats.

    To scan traffic for security threats, create another security profile of type threat-prevention. Review the list of threat signatures, evaluate the default responses, and customize actions for the selected signatures according to your requirements.

      For more information, see Create a threat prevention security profile. To learn more about the intrusion detection and prevention service, see Intrusion detection and prevention service overview.

  3. Create a security profile group.

    A security profile group acts as a container for security profiles. Create a security profile group to include the security profiles you created in the previous steps.

    For more information, see Create a security profile group.

  4. Create a firewall endpoint.

    A firewall endpoint is a zonal resource that you must create in the same zone as the workload you want to protect with the URL filtering service.

    For more information, see Create a firewall endpoint.

  5. Create and configure resources to inspect encrypted traffic.

    1. Create a certificate authority (CA) pool.

      A CA pool is a collection of CAs with a common certificate issuance policy and Identity and Access Management (IAM) policy. A regional CA pool must exist before you can configure TLS inspection.

      For more information, see Create a CA pool.

    2. Create a root CA.

      To use TLS inspection, you must have at least one root CA. The root CA signs an intermediate CA, which then signs all leaf certificates for the clients. For more information, see the reference documentation for the gcloud privateca roots create command.

    3. Grant the necessary permissions to the Network Security Service Agent (P4SA).

      Cloud NGFW requires a P4SA to generate intermediate CAs for TLS inspection. The service agent needs the required permissions to request certificates for the CA pool.

      For more information, see Create a service account.

  6. Create a regional TLS inspection policy.

    A TLS inspection policy specifies how to intercept encrypted traffic. A regional TLS inspection policy holds the TLS inspection configuration for that region.

    For more information, see Create a TLS inspection policy.

  7. Associate the firewall endpoint with your VPC networks.

    To enable the URL filtering service, associate the firewall endpoint with your VPC networks. Make sure that you're running your workloads in the same zone as the firewall endpoint.

    In addition, associate the firewall endpoint with a TLS inspection policy.

    For more information, see Create firewall endpoint associations.

  8. Configure and apply the URL filtering service to your network traffic.

    To configure the URL filtering service, create a global network firewall policy or a hierarchical firewall policy with Layer 7 inspection.

    • If you create a new global firewall policy or use an existing one, add a firewall policy rule with the apply_security_profile_group action and specify the name of the security profile group that you created previously. Make sure that the firewall policy is associated with the same VPC network as the workloads that require inspection.

      For more information, see Create a global network firewall policy and Create global network firewall policy rules.

    • If you create a new hierarchical firewall policy or use an existing one, add a firewall policy rule with the apply_security_profile_group action. Make sure that the firewall policy is associated with the same VPC network as the workloads that require inspection.

      For more information, see Create firewall rules.
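Both procedures above, assembled into one gcloud sequence as an added example (this script is not part of the original page and is not Google's own documentation script). The steps the two procedures share (security profiles, profile group, firewall endpoint, endpoint association, global network firewall policy and rule) run once; setting `TLS_INSPECT=true` adds the resources from the TLS inspection procedure (CA pool, root CA, service agent binding, regional TLS inspection policy, the `--tls-inspection-policy` on the association and `--tls-inspect` on the rule). The organization ID, project, region, zone and every resource name are constructed placeholders. The `add-url-filter` subcommand with `--urls`, the `--url-filtering-profile` flag on the profile group, the `--ca-pool` flag and the service agent email format are written from memory and are assumptions to verify with `gcloud ... --help` before use. With `DRY_RUN=true` (the default) the script only prints the commands, so it runs offline; `zone_in_region` enforces the page's requirement that the endpoint zone (which must also be the workload zone) lies inside the region of the TLS inspection policy.

```shell
#!/bin/sh
# Added example: gcloud sequence for the URL filtering service, with and
# without TLS inspection. All IDs and names are constructed placeholders;
# several flags are assumed from memory (see comments) and must be verified.
set -eu

ORG_ID="${ORG_ID:-123456789012}"      # placeholder organization ID
PROJECT="${PROJECT:-example-project}"  # placeholder billing and workload project
REGION="${REGION:-us-west1}"           # region of the TLS inspection policy
ZONE="${ZONE:-us-west1-a}"             # endpoint zone; workloads must run here too
NETWORK="${NETWORK:-vpc-1}"            # VPC network that carries the workloads
TLS_INSPECT="${TLS_INSPECT:-false}"    # true selects the TLS inspection procedure
DRY_RUN="${DRY_RUN:-true}"             # true prints commands instead of running them

# run: execute the command, or print it verbatim when DRY_RUN=true.
run() {
  if [ "$DRY_RUN" = "true" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# zone_in_region ZONE REGION: succeeds when ZONE is a zone of REGION
# (for example us-west1-a belongs to us-west1). Guards the page's rule that
# the zonal endpoint and the regional TLS inspection policy line up.
zone_in_region() {
  case "$1" in "$2"-?) return 0 ;; *) return 1 ;; esac
}

# Steps 1-3: URL filtering profile, optional threat prevention profile, group.
create_profiles() {
  run gcloud network-security security-profiles url-filtering create url-profile-1 \
      --organization="$ORG_ID" --location=global
  # Assumed subcommand and flags: one DENY matcher for a placeholder domain.
  run gcloud network-security security-profiles url-filtering add-url-filter url-profile-1 \
      --organization="$ORG_ID" --location=global \
      --priority=100 --filtering-action=DENY --urls="example.invalid"
  run gcloud network-security security-profiles threat-prevention create tp-profile-1 \
      --organization="$ORG_ID" --location=global
  # --url-filtering-profile is assumed; --threat-prevention-profile is documented.
  run gcloud network-security security-profile-groups create spg-1 \
      --organization="$ORG_ID" --location=global \
      --url-filtering-profile="organizations/$ORG_ID/locations/global/securityProfiles/url-profile-1" \
      --threat-prevention-profile="organizations/$ORG_ID/locations/global/securityProfiles/tp-profile-1"
}

# Steps 5-6 of the TLS procedure: CA pool, root CA, P4SA permission, TLS policy.
create_tls_resources() {
  run gcloud privateca pools create ngfw-ca-pool --location="$REGION" --tier=devops --project="$PROJECT"
  run gcloud privateca roots create ngfw-root-ca --pool=ngfw-ca-pool --location="$REGION" \
      --subject="CN=NGFW TLS Inspection Root,O=Example" --project="$PROJECT"
  # Create the Network Security service agent, then let it request certificates
  # from the pool. PROJECT_NUMBER is a placeholder; the email format is assumed.
  run gcloud beta services identity create --service=networksecurity.googleapis.com --project="$PROJECT"
  run gcloud privateca pools add-iam-policy-binding ngfw-ca-pool --location="$REGION" --project="$PROJECT" \
      --member="serviceAccount:service-PROJECT_NUMBER@gcp-sa-networksecurity.iam.gserviceaccount.com" \
      --role=roles/privateca.certificateRequester
  run gcloud network-security tls-inspection-policies create tls-policy-1 --location="$REGION" \
      --project="$PROJECT" --ca-pool="projects/$PROJECT/locations/$REGION/caPools/ngfw-ca-pool"
}

# Step 4 and the association step: zonal endpoint, attached to the VPC network
# (and to the TLS inspection policy when TLS_INSPECT=true).
create_endpoint() {
  zone_in_region "$ZONE" "$REGION" || { echo "zone $ZONE is not in region $REGION" >&2; return 1; }
  run gcloud network-security firewall-endpoints create fwe-1 \
      --organization="$ORG_ID" --zone="$ZONE" --billing-project="$PROJECT"
  tls_flag=""
  if [ "$TLS_INSPECT" = "true" ]; then
    tls_flag="--tls-inspection-policy=projects/$PROJECT/locations/$REGION/tlsInspectionPolicies/tls-policy-1"
  fi
  run gcloud network-security firewall-endpoint-associations create fwe-1-assoc --zone="$ZONE" \
      --project="$PROJECT" --network="projects/$PROJECT/global/networks/$NETWORK" \
      --endpoint="organizations/$ORG_ID/locations/$ZONE/firewallEndpoints/fwe-1" $tls_flag
}

# Final step: global network firewall policy associated with the same VPC,
# plus an egress rule that applies the security profile group.
create_rule() {
  run gcloud compute network-firewall-policies create fp-1 --global --project="$PROJECT"
  run gcloud compute network-firewall-policies associations create --name=fp-1-assoc \
      --firewall-policy=fp-1 --global-firewall-policy --network="$NETWORK" --project="$PROJECT"
  tls_flag=""
  if [ "$TLS_INSPECT" = "true" ]; then tls_flag="--tls-inspect"; fi
  run gcloud compute network-firewall-policies rules create 1000 --firewall-policy=fp-1 \
      --global-firewall-policy --project="$PROJECT" --direction=EGRESS --dest-ip-ranges=0.0.0.0/0 \
      --layer4-configs=tcp:80,tcp:443 --action=apply_security_profile_group \
      --security-profile-group="organizations/$ORG_ID/locations/global/securityProfileGroups/spg-1" \
      --enable-logging $tls_flag
}

main() {
  create_profiles
  if [ "$TLS_INSPECT" = "true" ]; then create_tls_resources; fi
  create_endpoint
  create_rule
}

main
```

Run it once with the default `DRY_RUN=true` to review the full command list for your environment, then with `DRY_RUN=false` (and `TLS_INSPECT=true` for the encrypted-traffic path) once the assumed flags have been checked. The zone guard is deliberate: an endpoint created in a different zone from the workloads, or outside the region of its TLS inspection policy, silently protects nothing.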

Example deployment model

The following diagram shows an example of the URL filtering service deployment with multiple firewall endpoints, configured for two VPC networks in the same region but two different zones.

Deploy the URL filtering service in a region.

The example deployment has the following configuration:

  1. Two security profile groups:

    1. Security profile group 1, which contains Security profile 1.

    2. Security profile group 2, which contains Security profile 2.

  2. Customer VPC 1 (VPC 1) has a firewall policy with its security profile group set to Security profile group 1.

  3. Customer VPC 2 (VPC 2) has a firewall policy with its security profile group set to Security profile group 2.

  4. Firewall endpoint Firewall endpoint 1 performs URL filtering for workloads running on VPC 1 and VPC 2 in zone us-west1-a.

  5. Firewall endpoint Firewall endpoint 2 performs URL filtering with TLS inspection enabled for workloads running on VPC 1 and VPC 2 in zone us-west1-b.

What's next