This page describes how to set up Transport Layer Security (TLS) inspection for Cloud Next Generation Firewall.
Before you begin
Before you configure TLS inspection, complete the tasks in the following sections.
Enable Certificate Authority Service
Cloud NGFW uses Certificate Authority Service to generate intermediate certificate authorities (CAs). Cloud NGFW uses these intermediate CAs to issue the server certificates that it presents to clients during TLS inspection, so clients on the network must trust the root CA of the pool you configure; otherwise inspected connections fail certificate validation on the client side.
You can enable the CA Service API in the Google Cloud console or with the Google Cloud CLI. To enable it with the gcloud CLI, run:
gcloud services enable privateca.googleapis.com
Enable Certificate Manager
Cloud NGFW uses Certificate Manager to create trust configs. If you don't want to use trust configs, skip this step.
You can enable the Certificate Manager API in the Google Cloud console or with the Google Cloud CLI. To enable it with the gcloud CLI, run:
gcloud services enable certificatemanager.googleapis.com
Create a trust config
This is an optional step. A trust config is required only if Cloud NGFW must trust upstream servers whose certificates are signed by your own (private) CA. To create a trust config, follow the steps in this section.
- Create a CA pool. The CA pool that you create in this step is different from the one you create for configuring the TLS inspection policy.
- Create a root CA by using the CA pool you created in the preceding step.
- Create a certificate using an auto-generated key. Use the same CA pool name that you created in the preceding step.
- Get the public certificate of the root CA:
PEM_CERT=$(gcloud privateca roots describe ROOT_CA_NAME \
    --location LOCATION \
    --project PROJECT_ID \
    --pool CA_POOL \
    --format "value(pemCaCertificates)")
Replace the following:
- ROOT_CA_NAME: the name of the root CA
- LOCATION: the location of the root CA
- PROJECT_ID: the project ID of the root CA
- CA_POOL: the name of the CA pool to create the certificates from
- Create and import a trust config by using the certificate stored in PEM_CERT in the preceding step. If you use your own CA, use the public certificate obtained from your CA instead.
You use this trust config to create a TLS inspection policy.
Create a CA pool
You must create a CA pool before you can use CA Service to create a CA. To create a CA pool, follow the instructions in Creating CA pools.
You use this CA pool to create a TLS inspection policy.
Create a root CA
If you don't have an existing root CA, you can create one within CA Service. To create a root CA, follow the instructions in Creating a root CA, and use the same CA pool that you created earlier (see section Create a CA pool).
Create a service account
If you don't have a service account, you must create one and grant the required permissions.
Create the service account:
gcloud beta services identity create \
    --service networksecurity.googleapis.com \
    --project PROJECT_ID
Replace PROJECT_ID with the project ID of the service account. The Google Cloud CLI creates a service account called service-PROJECT_NUMBER@gcp-sa-networksecurity.iam.gserviceaccount.com, where PROJECT_NUMBER is the unique numeric identifier of the PROJECT_ID you provided in the preceding command.
Grant the service account permission to request certificates from your CA pool:
gcloud privateca pools add-iam-policy-binding CA_POOL \
    --member 'serviceAccount:SERVICE_ACCOUNT' \
    --role 'roles/privateca.certificateRequester' \
    --location REGION
Replace the following:
- CA_POOL: the name of the CA pool to create the certificates from
- SERVICE_ACCOUNT: the email address of the service account you created in the preceding step
- REGION: the region of the CA pool
The binding is made on the CA pool rather than on the project, so the service account can request certificates only from this pool and not from any other CA pool in the project.
Configure TLS inspection
Before you proceed with the tasks in this section, make sure you have configured your certificates, or you have completed the prerequisite tasks listed in the Before you begin section.
To configure TLS inspection, complete the tasks in the following sections.
Create a TLS inspection policy
Console
In the Google Cloud console, go to the TLS inspection policies page.
In the project selector menu, select your project.
Click Create TLS inspection policy.
For Name, enter a name.
Optional: In the Description field, enter a description.
In the Region list, select the region where you want to create the TLS inspection policy.
In the CA pool list, select the CA pool from where you want to create the certificates.
If you don't have a CA pool configured, click New Pool and follow the instructions in Create a CA pool.
Optional: In the Minimum TLS version list, select the minimum TLS version supported by the policy.
For the Trust Configuration, select one of the following options:
- Public CAs only: Select this option if you want to trust servers with publicly signed certificates.
- Private CAs only: Select this option if you want to trust servers with privately signed certificates. In the Private trust configuration list, select the trust config with the configured trust store to use for trusting upstream server certificates. For more information about how to create a trust config, see Create a trust config.
- Public and private CAs: Select this option if you want to use both public and private CAs.
Optional: In the Cipher suite profile list, select the TLS profile type. You can choose from one of the following values:
- Compatible: allows the broadest set of clients, including clients that support only out-of-date TLS features, to negotiate TLS.
- Modern: supports a wide set of TLS features, allowing modern clients to negotiate TLS.
- Restricted: supports a reduced set of TLS features intended to meet stricter compliance requirements.
- Custom: lets you select TLS features individually. In the Cipher suites list, select the names of the cipher suites supported by the custom profile.
Click Create.
gcloud
Create a YAML file TLS_INSPECTION_FILE.yaml. Replace TLS_INSPECTION_FILE with a filename of your choice. Add the following to the YAML file to configure the TLS inspection policy:
name: projects/PROJECT_ID/locations/REGION/tlsInspectionPolicies/TLS_INSPECTION_NAME
caPool: projects/PROJECT_ID/locations/REGION/caPools/CA_POOL
minTlsVersion: TLS_VERSION
tlsFeatureProfile: PROFILE_TYPE
customTlsFeatures:
- CIPHER_NAME
excludePublicCaSet: true|false
trustConfig: projects/PROJECT_ID/locations/REGION/trustConfigs/TRUST_CONFIG_NAME
Replace the following:
- PROJECT_ID: the project ID of the TLS inspection policy
- REGION: the region where the TLS inspection policy is created
- TLS_INSPECTION_NAME: the name of the TLS inspection policy
- CA_POOL: the name of the CA pool to create the certificates from. The CA pool must exist within the same region as the policy.
- TLS_VERSION: an optional argument that specifies the minimum TLS version supported by Cloud NGFW. You can select from one of the following values: TLS_1_0, TLS_1_1, TLS_1_2. TLS 1.0 and TLS 1.1 are deprecated (RFC 8996); choose TLS_1_2 unless you must inspect traffic from clients that cannot negotiate it.
- PROFILE_TYPE: an optional argument that specifies the type of TLS profile. You can select from one of the following values:
  - PROFILE_COMPATIBLE: allows the broadest set of clients, including clients that support only out-of-date TLS features, to negotiate TLS.
  - PROFILE_MODERN: supports a wide set of TLS features, allowing modern clients to negotiate TLS.
  - PROFILE_RESTRICTED: supports a reduced set of TLS features intended to meet stricter compliance requirements.
  - PROFILE_CUSTOM: lets you select TLS features individually.
- CIPHER_NAME: an optional argument that specifies a cipher suite supported by the custom profile. customTlsFeatures is a list, so add one entry per suite. Specify this argument only when the profile type is set to PROFILE_CUSTOM; omit the customTlsFeatures key otherwise.
- excludePublicCaSet: an optional flag that includes or excludes the public CA set. By default, this flag is set to false. When it is set to true, server certificates signed by public CAs are not trusted, and Cloud NGFW can only complete TLS connections to servers whose certificates chain to a CA in the trust config. Set it to true only together with a trustConfig; without one there is no CA left that an upstream server certificate can be validated against.
- TRUST_CONFIG_NAME: an optional argument that specifies the name of the trust config resource
Import the TLS inspection policy from the YAML file:
gcloud network-security tls-inspection-policies import TLS_INSPECTION_NAME \
    --source TLS_INSPECTION_FILE.yaml \
    --location REGION
Replace the following:
- TLS_INSPECTION_NAME: the name of the TLS inspection policy
- TLS_INSPECTION_FILE: the name of the TLS inspection policy YAML file
- REGION: the region where the TLS inspection policy is created
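The import command rejects some inconsistent files outright and silently accepts others that weaken inspection (a legacy minimum TLS version, the public CA set excluded with no trust config to fall back on). The following Python script is an added example, not Google's tooling or any code from this page: it renders the YAML in the shape shown above and lints it against the constraints listed in the field descriptions before you hand it to gcloud. The project, region, pool, trust config and cipher suite values in SAMPLE are constructed placeholders, and the check that custom cipher suite names follow the IANA TLS_..._WITH_... form is an assumption.

```python
"""Build and lint a Cloud NGFW TLS inspection policy YAML before running
`gcloud network-security tls-inspection-policies import`.

Added example, not Google's tooling. Field names follow the policy YAML on
this page; the values in SAMPLE are constructed placeholders.
"""
import re

TLS_VERSIONS = ("TLS_1_0", "TLS_1_1", "TLS_1_2")
PROFILES = ("PROFILE_COMPATIBLE", "PROFILE_MODERN",
            "PROFILE_RESTRICTED", "PROFILE_CUSTOM")
# Full resource names referenced by the policy; capture the location segment
# so we can enforce "CA pool and trust config live in the policy's region".
_RESOURCE = re.compile(
    r"^projects/[^/]+/locations/([^/]+)/(caPools|trustConfigs)/[^/]+$")
# Assumption: custom cipher suite names use the IANA TLS_..._WITH_... form.
_CIPHER = re.compile(r"^TLS_[A-Z0-9_]+$")


def region_of(resource):
    """Location segment of a caPools/trustConfigs resource name, else None."""
    m = _RESOURCE.match(resource)
    return m.group(1) if m else None


def lint(spec):
    """Return (errors, warnings) for a policy spec dict.

    errors:   settings the import rejects, or that leave no CA to trust
    warnings: settings the import accepts but that weaken inspection
    """
    errors, warnings = [], []
    region = spec["region"]

    min_tls = spec.get("min_tls", "TLS_1_2")
    if min_tls not in TLS_VERSIONS:
        errors.append(f"minTlsVersion {min_tls!r} not in {TLS_VERSIONS}")
    elif min_tls != "TLS_1_2":
        warnings.append(f"{min_tls} is deprecated (RFC 8996); prefer TLS_1_2")

    profile = spec.get("profile", "PROFILE_MODERN")
    ciphers = tuple(spec.get("ciphers", ()))
    if profile not in PROFILES:
        errors.append(f"tlsFeatureProfile {profile!r} not in {PROFILES}")
    if profile == "PROFILE_CUSTOM" and not ciphers:
        errors.append("PROFILE_CUSTOM needs at least one customTlsFeatures entry")
    if profile != "PROFILE_CUSTOM" and ciphers:
        errors.append("customTlsFeatures is only used with PROFILE_CUSTOM")
    if profile == "PROFILE_COMPATIBLE":
        warnings.append("PROFILE_COMPATIBLE admits out-of-date TLS features")
    for c in ciphers:
        if not _CIPHER.match(c):
            errors.append(f"cipher suite {c!r} is not an IANA-style name")

    pool_region = region_of(spec["ca_pool"])
    if pool_region is None:
        errors.append("caPool must be a full projects/.../caPools/... name")
    elif pool_region != region:
        errors.append(f"caPool is in {pool_region}, policy is in {region}")

    trust = spec.get("trust_config")
    if trust is not None:
        tc_region = region_of(trust)
        if tc_region is None:
            errors.append("trustConfig must be a full .../trustConfigs/... name")
        elif tc_region != region:
            errors.append(f"trustConfig is in {tc_region}, policy is in {region}")
    if spec.get("exclude_public_cas") and trust is None:
        # Public CAs excluded and no private CAs supplied: nothing is trusted.
        errors.append("excludePublicCaSet: true without a trustConfig trusts no server")
    return errors, warnings


def render(spec):
    """Render the spec as the YAML accepted by the gcloud import command."""
    lines = [
        f"name: projects/{spec['project']}/locations/{spec['region']}"
        f"/tlsInspectionPolicies/{spec['name']}",
        f"caPool: {spec['ca_pool']}",
        f"minTlsVersion: {spec.get('min_tls', 'TLS_1_2')}",
        f"tlsFeatureProfile: {spec.get('profile', 'PROFILE_MODERN')}",
    ]
    if spec.get("ciphers"):  # list field; only emitted for PROFILE_CUSTOM
        lines.append("customTlsFeatures:")
        lines.extend(f"- {c}" for c in spec["ciphers"])
    lines.append("excludePublicCaSet: "
                 + ("true" if spec.get("exclude_public_cas") else "false"))
    if spec.get("trust_config"):
        lines.append(f"trustConfig: {spec['trust_config']}")
    return "\n".join(lines) + "\n"


def build_policy(spec):
    """Lint, then render; refuse to emit a file the import would reject."""
    errors, _ = lint(spec)
    if errors:
        raise ValueError("; ".join(errors))
    return render(spec)


# Constructed sample: private CAs only, pool and trust config in the policy region.
SAMPLE = {
    "project": "example-project", "region": "us-central1", "name": "ngfw-tls",
    "ca_pool": "projects/example-project/locations/us-central1/caPools/ngfw-pool",
    "min_tls": "TLS_1_2", "profile": "PROFILE_MODERN",
    "trust_config": "projects/example-project/locations/us-central1/trustConfigs/internal-cas",
    "exclude_public_cas": True,
}

if __name__ == "__main__":
    print(build_policy(SAMPLE), end="")
    # then: gcloud network-security tls-inspection-policies import ngfw-tls \
    #           --source tls-inspection.yaml --location us-central1
```

Write the output of build_policy to the file you pass as --source. The region check matters because the CA pool is referenced by full resource name: a pool in another region is a valid name that the import still rejects, and the lint catches it before the round trip.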
View details for a TLS inspection policy
You can view information about the TLS inspection policy that you created in your project.
Console
In the Google Cloud console, go to the TLS inspection policies page.
In the project selector menu, select your project.
The TLS inspection policies are listed in the TLS inspections section.
To view the details, click the name of your TLS inspection policy.
Add TLS inspection policy to a firewall endpoint association
To add the TLS inspection policy to a firewall endpoint association, follow the steps mentioned in Create firewall endpoint associations.
Configure firewall policy rules with TLS inspection
To enable TLS inspection for your Virtual Private Cloud (VPC) network, set the --tls-inspect flag in your firewall policy rule. This flag indicates that TLS inspection can be performed when the security profile group is applied.
To learn more about how to enable the --tls-inspect flag in hierarchical firewall policy rules, see Create firewall rules.
To learn more about how to enable the --tls-inspect flag in global network firewall policy rules, see Create global network firewall rules.
Manage TLS inspection policy
You can list, update, and delete TLS inspection policies in your project.
List all TLS inspection policies
You can list all the TLS inspection policies in a project.
Console
In the Google Cloud console, go to the TLS inspection policies page.
In the project selector menu, select your project.
The TLS inspection policies are listed in the TLS inspections section.
gcloud
To list all TLS inspection policies, use the
gcloud network-security tls-inspection-policies list
command:
gcloud network-security tls-inspection-policies list \
    --project PROJECT_ID \
    --location REGION
Replace the following:
- PROJECT_ID: the project ID of the TLS inspection policies
- REGION: the region whose TLS inspection policies you want to list
Edit a TLS inspection policy
You can modify an existing TLS inspection policy in your project.
Console
In the Google Cloud console, go to the TLS inspection policies page.
In the project selector menu, select your project.
The TLS inspection policies are listed in the TLS inspections section.
To edit a policy, click the name of your TLS inspection policy.
Click Edit.
Modify the required fields. For more information about each field, see Create a TLS inspection policy.
Click Save.
Delete a TLS inspection policy
You can delete a TLS inspection policy from your project. However, if the TLS inspection policy is referenced by a firewall endpoint association, that TLS inspection policy cannot be deleted.
Console
In the Google Cloud console, go to the TLS inspection policies page.
In the project selector menu, select your project.
The TLS inspection policies are listed in the TLS inspections section.
To delete a TLS inspection policy, select the checkbox next to its name.
Click Delete.
Click Delete again.
gcloud
To delete a TLS inspection policy, use the
gcloud network-security tls-inspection-policies delete
command:
gcloud network-security tls-inspection-policies delete \
    projects/PROJECT_ID/locations/REGION/tlsInspectionPolicies/TLS_INSPECTION_NAME \
    --location REGION
Replace the following:
- PROJECT_ID: the project ID of the TLS inspection policy
- TLS_INSPECTION_NAME: the name of the TLS inspection policy
- REGION: the region where the TLS inspection policy is created