Set up TLS inspection

This page describes how to set up Transport Layer Security (TLS) inspection for Cloud Firewall.

Before you begin

Before you configure TLS inspection, complete the tasks in the following sections.

Enable Certificate Authority Service

Cloud Firewall uses Certificate Authority Service to generate intermediate certificate authorities (CAs). Cloud Firewall uses these intermediate CAs to generate the certificates used for TLS inspection.

To enable CA Service, use the following command:

   gcloud services enable privateca.googleapis.com
  

Enable Certificate Manager

Cloud Firewall uses Certificate Manager to create trust configs. If you don't want to use trust configs, skip this step.

To enable Certificate Manager, use the following command:

   gcloud services enable certificatemanager.googleapis.com
  

Create a trust config

This is an optional step. To create a trust config, follow the steps in this section.

  1. Create a CA pool.

    The CA pool that you create in this step is different from the one you create for configuring the TLS inspection policy.

  2. Create a root CA by using the CA pool you created earlier.

  3. Create a certificate using an auto-generated key. Use the same CA pool name that you created earlier.

  4. Get the public certificate of the root CA and store it in a shell variable (a POSIX variable name cannot contain a hyphen and is not prefixed with `$` when assigned):

    PEM_CERT=$(gcloud privateca roots describe ROOT_CA_NAME \
       --location LOCATION \
       --project PROJECT_ID \
       --pool CA_POOL \
       --format "value(pemCaCertificates)")
    

    Replace the following:

    • ROOT_CA_NAME: the name of the root CA
    • LOCATION: the location of the root CA
    • PROJECT_ID: the project ID of the root CA
    • CA_POOL: the name of the CA pool to create the certificates from
  5. Create and import a trust config by using the PEM certificate obtained in the preceding step. If you use your own CA, use the public certificate obtained from your CA instead.

You use this trust config to create a TLS inspection policy.
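The PEM captured in step 4 is the input to the trust config in step 5. The following POSIX sh helpers are an added example, not code from the Cloud Firewall documentation: they reject an empty or malformed bundle (the usual symptom of a failed capture) before anything is imported, and render one trust anchor per certificate in the layout that `gcloud certificate-manager trust-configs import` consumes. The YAML layout (trustStores, trustAnchors, pemCertificate) is an assumption about the Certificate Manager import format, and the certificate bodies below are constructed, not real certificates.

```shell
#!/bin/sh
# Added example, not from the Cloud Firewall documentation. Checks a PEM bundle
# captured into a variable (PEM_CERT in step 4) and renders the trust config
# file for `gcloud certificate-manager trust-configs import`. The YAML layout
# below (trustStores -> trustAnchors -> pemCertificate) is an assumption about
# the Certificate Manager import format. Pure POSIX sh; no gcloud or openssl.

# Constructed sample bundle: two fake certificate blocks, not real certificates.
SAMPLE_PEM='-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUY29uc3RydWN0ZWQtc2FtcGxlLXJvb3Q=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUY29uc3RydWN0ZWQtc2FtcGxlLXN1Yg==
-----END CERTIFICATE-----'

# count_pem_certs BUNDLE: prints the number of certificate blocks and returns 0,
# or explains on stderr why the bundle is unusable and returns 1. An empty
# bundle usually means the describe call failed (wrong variable name, wrong
# pool, missing permission), so it is rejected before any import is attempted.
count_pem_certs() {
  pem="$1"
  if [ -z "$pem" ]; then
    echo "PEM bundle is empty; check the gcloud privateca roots describe call" >&2
    return 1
  fi
  begins=$(printf '%s\n' "$pem" | grep -c '^-----BEGIN CERTIFICATE-----$' || true)
  ends=$(printf '%s\n' "$pem" | grep -c '^-----END CERTIFICATE-----$' || true)
  if [ "$begins" -eq 0 ]; then
    echo "no CERTIFICATE blocks found in the bundle" >&2
    return 1
  fi
  if [ "$begins" -ne "$ends" ]; then
    echo "unbalanced BEGIN/END CERTIFICATE markers ($begins begin, $ends end)" >&2
    return 1
  fi
  # Everything between the markers must be base64; anything else means the
  # capture was mangled (for example by shell quoting or line wrapping).
  if printf '%s\n' "$pem" \
      | grep -E -v '^-----(BEGIN|END) CERTIFICATE-----$' \
      | grep -E -q -v '^[A-Za-z0-9+/=]*$'; then
    echo "non-base64 content inside the bundle" >&2
    return 1
  fi
  echo "$begins"
}

# render_trust_config BUNDLE: emit the trust config YAML with one trust anchor
# per certificate in the bundle (layout assumed, see the header comment).
render_trust_config() {
  printf 'trustStores:\n- trustAnchors:\n'
  printf '%s\n' "$1" | awk '
    /^-----BEGIN CERTIFICATE-----$/ { print "  - pemCertificate: |" }
    { print "      " $0 }'
}

# Example flow: validate the bundle, write the file, show the import command.
if count=$(count_pem_certs "$SAMPLE_PEM"); then
  trust_file="${TMPDIR:-/tmp}/trust-config.yaml"
  render_trust_config "$SAMPLE_PEM" > "$trust_file"
  echo "$count certificate(s) written to $trust_file"
  echo "gcloud certificate-manager trust-configs import TRUST_CONFIG_NAME --source $trust_file --location LOCATION --project PROJECT_ID"
fi
```

In practice, replace SAMPLE_PEM with "$PEM_CERT" from step 4; the checks are the same whether the bundle comes from CA Service or from your own CA.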

Create a CA pool

You must create a CA pool before you can use CA Service to create a CA. To create a CA pool, follow the instructions in Creating CA pools.

You use this CA pool to create a TLS inspection policy.

Create a root CA

If you don't have an existing root CA, you can create one within CA Service. To create a root CA, follow the instructions in Creating a root CA, and use the same CA pool that you created earlier (see section Create a CA pool).

Create a service account

If you don't have a service account, you must create one and grant the required permissions.

  1. Create a service account:

     gcloud beta services identity create \
         --service networksecurity.googleapis.com \
         --project PROJECT_ID
    

    Replace PROJECT_ID with the project ID of the service account.

    The Google Cloud CLI creates a service account called service-PROJECT_ID@gcp-sa-networksecurity.iam.gserviceaccount.com.

  2. Grant permission to your service account to generate certificates that use your CA pool:

     gcloud privateca pools add-iam-policy-binding CA_POOL \
         --member 'serviceAccount:SERVICE_ACCOUNT' \
         --role 'roles/privateca.certificateRequester' \
         --location 'LOCATION'
    

    Replace the following:

    • CA_POOL: the name of the CA pool to create the certificates from
    • SERVICE_ACCOUNT: the email address of the service account you created in the preceding step, in the form service-PROJECT_ID@gcp-sa-networksecurity.iam.gserviceaccount.com
    • LOCATION: the region of the CA pool

Configure TLS inspection

Before you proceed with the tasks in this section, make sure you have configured your certificates, or you have completed the prerequisite tasks listed in the Before you begin section.

To configure TLS inspection, complete the tasks in the following sections.

Create a TLS inspection policy

  1. Create a YAML file TLS_INSPECTION_FILE.yaml. Replace TLS_INSPECTION_FILE with a filename of your choice.

  2. Add the following code to the YAML file to configure the TLS inspection policy.

    name: projects/PROJECT_ID/locations/REGION/tlsInspectionPolicies/TLS_INSPECTION_NAME
    caPool: projects/PROJECT_ID/locations/REGION/caPools/CA_POOL
    minTlsVersion: TLS_VERSION
    tlsFeatureProfile: PROFILE_TYPE
    customTlsFeatures:
    - CIPHER_NAME
    excludePublicCaSet: true|false
    trustConfig: projects/PROJECT_ID/locations/REGION/trustConfigs/TRUST_CONFIG_NAME
    

    Replace the following:

    • PROJECT_ID: the project ID of the TLS inspection policy
    • REGION: the region where the TLS inspection policy is created
    • TLS_INSPECTION_NAME: the name of the TLS inspection policy
    • CA_POOL: the name of the CA pool to create the certificates from

      The CA pool must exist within the same region.

    • TLS_VERSION: an optional argument that specifies the minimum TLS version supported by Cloud Firewall

      You can select from one of the following values:

      • TLS_1_0
      • TLS_1_1
      • TLS_1_2
    • PROFILE_TYPE: an optional argument that specifies the type of TLS profile

      You can select from one of the following values:

      • PROFILE_COMPATIBLE: allows the broadest set of clients, including clients that support only out-of-date TLS features, to negotiate TLS.
      • PROFILE_MODERN: supports a wide set of TLS features, allowing modern clients to negotiate TLS.
      • PROFILE_RESTRICTED: supports a reduced set of TLS features intended to meet stricter compliance requirements.
      • PROFILE_CUSTOM: lets you select TLS features individually.
    • CIPHER_NAME: an optional argument to specify the name of the cipher suite supported by the custom profile.

      You specify this argument only when the profile type is set to PROFILE_CUSTOM.

    • excludePublicCaSet: an optional flag that controls whether the public CA set is trusted.

      By default, this flag is set to false. When this flag is set to true, Cloud Firewall doesn't trust certificates issued by public CAs; it can then establish TLS connections only to servers whose certificates are signed by CAs in the trust config.

    • TRUST_CONFIG_NAME: the name of the trust config resource

Import TLS inspection policy

Import the TLS inspection policy that you created in the section Create a TLS inspection policy:

   gcloud beta network-security tls-inspection-policies import TLS_INSPECTION_NAME \
       --source TLS_INSPECTION_FILE.yaml \
       --location REGION

Replace the following:

  • TLS_INSPECTION_NAME: the name of the TLS inspection policy
  • TLS_INSPECTION_FILE: the name of the TLS inspection policy YAML file
  • REGION: the region where the TLS inspection policy is created
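Writing the policy YAML and importing it are the two preceding sections. As an added example that is not part of the Cloud Firewall documentation, the following POSIX sh script renders the policy file from the page's placeholder names and checks the constraints the page states (the CA pool must be in the policy's region, a cipher list belongs only with PROFILE_CUSTOM, and excluding public CAs without a trust config leaves nothing to trust) before the import command would run. The field name customTlsFeatures for the custom cipher list is an assumption, the sample values are constructed, and the gcloud import command is echoed rather than executed.

```shell
#!/bin/sh
# Added example, not from the Cloud Firewall documentation. Renders the TLS
# inspection policy YAML from the page's placeholders and validates it before
# `gcloud beta network-security tls-inspection-policies import`. Assumptions:
# the custom cipher list is carried in the API field `customTlsFeatures`, and
# the import command is only printed, never executed. POSIX sh only.

# render_policy: prints the policy YAML built from the placeholder variables
# PROJECT_ID, REGION, TLS_INSPECTION_NAME, CA_POOL_REGION, CA_POOL,
# TLS_VERSION, PROFILE_TYPE, CIPHER_NAME, EXCLUDE_PUBLIC_CA_SET and
# TRUST_CONFIG_NAME. Optional fields are omitted when their variable is empty.
render_policy() {
  printf 'name: projects/%s/locations/%s/tlsInspectionPolicies/%s\n' \
    "$PROJECT_ID" "$REGION" "$TLS_INSPECTION_NAME"
  printf 'caPool: projects/%s/locations/%s/caPools/%s\n' \
    "$PROJECT_ID" "$CA_POOL_REGION" "$CA_POOL"
  [ -z "$TLS_VERSION" ] || printf 'minTlsVersion: %s\n' "$TLS_VERSION"
  [ -z "$PROFILE_TYPE" ] || printf 'tlsFeatureProfile: %s\n' "$PROFILE_TYPE"
  [ -z "$CIPHER_NAME" ] || printf 'customTlsFeatures:\n- %s\n' "$CIPHER_NAME"
  printf 'excludePublicCaSet: %s\n' "${EXCLUDE_PUBLIC_CA_SET:-false}"
  [ -z "$TRUST_CONFIG_NAME" ] || printf 'trustConfig: projects/%s/locations/%s/trustConfigs/%s\n' \
    "$PROJECT_ID" "$REGION" "$TRUST_CONFIG_NAME"
}

# validate_policy FILE: apply the checks the page states. Returns 0 when the
# file passes, otherwise prints every problem on stderr and returns 1.
validate_policy() {
  file="$1"
  status=0
  region=$(sed -n 's#^name: projects/[^/]*/locations/\([^/]*\)/tlsInspectionPolicies/.*#\1#p' "$file")
  pool_region=$(sed -n 's#^caPool: projects/[^/]*/locations/\([^/]*\)/caPools/.*#\1#p' "$file")
  tls_version=$(sed -n 's#^minTlsVersion: ##p' "$file")
  profile=$(sed -n 's#^tlsFeatureProfile: ##p' "$file")
  exclude_public=$(sed -n 's#^excludePublicCaSet: ##p' "$file")
  trust_config=$(sed -n 's#^trustConfig: ##p' "$file")

  if [ -z "$region" ]; then
    echo "name: missing or not of the form projects/.../locations/.../tlsInspectionPolicies/..." >&2
    status=1
  fi
  # The CA pool must exist within the policy's region.
  if [ "$pool_region" != "$region" ]; then
    echo "caPool region '${pool_region:-none}' does not match policy region '$region'" >&2
    status=1
  fi
  case "$tls_version" in
    ""|TLS_1_0|TLS_1_1|TLS_1_2) ;;
    *) echo "minTlsVersion: unsupported value '$tls_version'" >&2; status=1 ;;
  esac
  case "$profile" in
    ""|PROFILE_COMPATIBLE|PROFILE_MODERN|PROFILE_RESTRICTED|PROFILE_CUSTOM) ;;
    *) echo "tlsFeatureProfile: unknown profile '$profile'" >&2; status=1 ;;
  esac
  # A cipher suite list is only meaningful for the custom profile.
  if grep -q '^customTlsFeatures:' "$file" && [ "$profile" != PROFILE_CUSTOM ]; then
    echo "customTlsFeatures is only valid with tlsFeatureProfile: PROFILE_CUSTOM" >&2
    status=1
  fi
  # With public CAs excluded, the trust config is the only source of trust.
  case "$exclude_public" in
    true|TRUE)
      if [ -z "$trust_config" ]; then
        echo "excludePublicCaSet: true requires a trustConfig" >&2
        status=1
      fi ;;
  esac
  return "$status"
}

# Constructed sample values; replace them with your own.
PROJECT_ID=example-project
REGION=us-central1
TLS_INSPECTION_NAME=example-tls-policy
CA_POOL_REGION=us-central1
CA_POOL=example-ca-pool
TLS_VERSION=TLS_1_2
PROFILE_TYPE=PROFILE_MODERN
CIPHER_NAME=
EXCLUDE_PUBLIC_CA_SET=false
TRUST_CONFIG_NAME=example-trust-config

policy_file="${TMPDIR:-/tmp}/${TLS_INSPECTION_NAME}.yaml"
render_policy > "$policy_file"
if validate_policy "$policy_file"; then
  echo "gcloud beta network-security tls-inspection-policies import $TLS_INSPECTION_NAME --source $policy_file --location $REGION"
fi
```

The checks are deliberately limited to what the page specifies; the API rejects other mistakes at import time, but catching a region mismatch or a stray cipher list locally saves a round trip and keeps the YAML under review in version control.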

Add TLS inspection policy to a firewall endpoint association

To add the TLS inspection policy to a firewall endpoint association, follow the steps mentioned in Create and associate firewall endpoints.

Configure firewall policy rules with TLS inspection

To enable TLS inspection for your Virtual Private Cloud (VPC) network, set the --tls-inspect flag in your firewall policy rule. This flag indicates that TLS inspection can be performed on traffic matching the rule when the rule's security profile group is applied.

To learn more about how to enable the --tls-inspect flag in hierarchical firewall policy rules, see Create firewall rules.

To learn more about how to enable the --tls-inspect flag in global network firewall policy rules, see Create global network firewall rules.
