Set up TLS inspection

This page describes how to set up Transport Layer Security (TLS) inspection for Cloud Next Generation Firewall.

Before you begin

Before you configure TLS inspection, complete the tasks in the following sections.

Enable Certificate Authority Service

Cloud NGFW uses Certificate Authority Service to generate intermediate certificate authorities (CAs). Cloud NGFW uses these intermediate CAs to generate the certificates used for TLS inspection.

You can enable the CA Service API by using Google Cloud console:

Enable the API

To enable CA Service by using the Google Cloud CLI, use the following command:

   gcloud services enable privateca.googleapis.com
  

Enable Certificate Manager

Cloud NGFW uses Certificate Manager to create trust configs. If you don't want to use trust configs, skip this step.

You can enable the Certificate Manager API by using Google Cloud console:

Enable the API

To enable Certificate Manager by using the Google Cloud CLI, use the following command:

   gcloud services enable certificatemanager.googleapis.com
  

Create a trust config

This is an optional step. To create a trust config, follow the steps in this section.

  1. Create a CA pool.

    The CA pool that you create in this step is different from the one you create for configuring the TLS inspection policy.

  2. Create a root CA by using the CA pool you created earlier.

  3. Create a certificate using an auto-generated key. Use the same CA pool name that you created earlier.

  4. Get the public certificate of the CA from the created certificate.

    $PEM-CERT=$(gcloud privateca roots describe ROOT_CA_NAME \
       --location LOCATION \
       --project PROJECT_ID \
       --pool CA_POOL \
       --format "value(pemCaCertificates)")
    

    Replace the following:

    • ROOT_CA_NAME: the name of the root CA
    • LOCATION: the location of the root CA
    • PROJECT_ID: the project ID of the root CA
    • CA_POOL: the name of the CA pool to create the certificates from
  5. Create and import a trust config by using the PEM-CERT obtained in the preceding step. If you use your own CA, use the public certificate obtained from your CA.

You use this trust config to create a TLS inspection policy.

Create a CA pool

You must create a CA pool before you can use CA Service to create a CA. To create a CA pool, follow the instructions in Creating CA pools.

You use this CA pool to create a TLS inspection policy.

Create a root CA

If you don't have an existing root CA, you can create one within CA Service. To create a root CA, follow the instructions in Creating a root CA, and use the same CA pool that you created earlier (see section Create a CA pool).

Create a service account

If you don't have a service account, you must create one and grant the required permissions.

  1. Create a service account:

     gcloud beta services identity create \
         --service networksecurity.googleapis.com \
         --project PROJECT_ID
    

    Replace PROJECT_ID with the project ID of the service account.

    The Google Cloud CLI creates a service account called service-PROJECT_NUMBER@gcp-sa-networksecurity.iam.gserviceaccount.com. Here, PROJECT_NUMBER is the unique identifier of the PROJECT_ID you provided in the preceding command.

  2. Grant permission to your service account to generate certificates that use your CA pool:

     gcloud privateca pools add-iam-policy-binding CA_POOL \
         --member 'serviceAccount:SERVICE_ACCOUNT' \
         --role 'roles/privateca.certificateRequester' \
         --location REGION
    

    Replace the following:

    • CA_POOL: the name of the CA pool to create the certificates from
    • SERVICE_ACCOUNT: the name of the service account you created in the preceding step
    • LOCATION: the region of the CA pool

Configure TLS inspection

Before you proceed with the tasks in this section, make sure you have configured your certificates, or you have completed the prerequisite tasks listed in the Before you begin section.

To configure TLS inspection, complete the tasks in the following sections.

Create a TLS inspection policy

Console

  1. In the Google Cloud console, go to the TLS inspection policies page.

    Go to TLS inspection policies

  2. In the project selector menu, select your project.

  3. Click Create TLS inspection policy.

  4. For Name, enter a name.

  5. Optional: In the Description field, enter a description.

  6. In the Region list, select the region where you want to create the TLS inspection policy.

  7. In the CA pool list, select the CA pool from where you want to create the certificates.

    If you don't have a CA pool configured, click New Pool and follow the instructions in Create a CA pool.

  8. Optional: In the Minimum TLS version list, select the minimum TLS version supported by the policy.

  9. For the Trust Configuration, select one of the following options:

    • Public CAs only: Select this option if you want to trust servers with publicly signed certificates.
    • Private CAs only: Select this option if you want to trust servers with privately signed certificates.

      In the Private trust configuration list, select the trust config with the configured trust store to use for trusting upstream server certificates. For more information about how to create a trust config, see Create a trust config.

    • Public and private CAs: Select this option if you want to use both public and private CAs.

  10. Optional: In the Cipher suite profile list, select the TLS profile type. You can choose from one of the following values:

    • Compatible: allows the broadest set of clients, including clients that support only out-of-date TLS features, to negotiate TLS.
    • Modern: supports a wide set of TLS features, allowing modern clients to negotiate TLS.
    • Restricted: supports a reduced set of TLS features intended to meet stricter compliance requirements.
    • Custom: lets you select TLS features individually.

      In the Cipher suites list, select the name of the cipher suites supported by the custom profile.

  11. Click Create.

gcloud

  1. Create a YAML file TLS_INSPECTION_FILE.yaml. Replace TLS_INSPECTION_FILE with a filename of your choice.

  2. Add the following code to the YAML file to configure the TLS inspection policy.

    name: projects/PROJECT_ID/locations/REGION/tlsInspectionPolicies/TLS_INSPECTION_NAME
    caPool: projects/PROJECT_ID/locations/REGION/caPools/CA_POOL
    minTlsVersion: TLS_VERSION
    tlsFeatureProfile: PROFILE_TYPECIPHER_NAME
    excludePublicCaSet: `TRUE`|`FALSE`
    trustConfig: projects/PROJECT_ID/locations/REGION/trustConfigs/TRUST_CONFIG_NAME
    

    Replace the following:

    • PROJECT_ID: the project ID of the TLS inspection policy
    • REGION: the region where the TLS inspection policy is created
    • TLS_INSPECTION_NAME: the name of the TLS inspection policy
    • CA_POOL: the name of the CA pool to create the certificates from

      The CA pool must exist within the same region.

    • TLS_VERSION: an optional argument that specifies the minimum TLS version supported by Cloud NGFW

      You can select from one of the following values:

      • TLS_1_0
      • TLS_1_1
      • TLS_1_2
    • PROFILE_TYPE: an optional argument that specifies the type of TLS profile

      You can select from one of the following values:

      • PROFILE_COMPATIBLE: allows the broadest set of clients, including clients that support only out-of-date TLS features, to negotiate TLS.
      • PROFILE_MODERN: supports a wide set of TLS features, allowing modern clients to negotiate TLS.
      • PROFILE_RESTRICTED: supports a reduced set of TLS features intended to meet stricter compliance requirements.
      • PROFILE_CUSTOM: lets you select TLS features individually.
    • CIPHER_NAME: an optional argument to specify the name of the cipher suite supported by the custom profile

      You specify this argument only when the profile type is set to PROFILE_CUSTOM.

    • excludePublicCaSet: an optional flag to include or exclude a public CA set. By default, this flag is set to false. When this flag is set to true, TLS connections don't trust public CA servers. In this case, Cloud NGFW can only make TLS connections to servers with certificates signed by CAs in the trust config.

    • TRUST_CONFIG_NAME: an optional argument to specify the name of the trust config resource

  3. Import the TLS inspection policy that you created in the section Create a TLS inspection policy

    gcloud network-security tls-inspection-policies import TLS_INSPECTION_NAME \
        --source TLS_INSPECTION_FILE.yaml \
        --location REGION
    

    Replace the following:

    • TLS_INSPECTION_NAME: the name of the TLS inspection policy
    • TLS_INSPECTION_FILE: the name of the TLS inspection policy YAML file

View details for a TLS inspection policy

You can view information about the TLS inspection policy that you created in your project.

Console

  1. In the Google Cloud console, go to the TLS inspection policies page.

    Go to TLS inspection policies

  2. In the project selector menu, select your project.

  3. The TLS inspection policies are listed in the TLS inspections section.

  4. To view the details, click the name of your TLS inspection policy.

Add TLS inspection policy to a firewall endpoint association

To add the TLS inspection policy to a firewall endpoint association, follow the steps mentioned in Create firewall endpoint associations.

Configure firewall policy rules with TLS inspection

To enable TLS inspection for your Virtual Private Cloud (VPC) network, set the --tls-inspect flag in your firewall policy rule. This flag indicates that the TLS inspection can be performed when the security profile group is applied.

To learn more about how to enable the --tls-inspect flag in hierarchical firewall policy rules, see Create firewall rules.

To learn more about how to enable the --tls-inspect flag in global network firewall policy rules, see Create global network firewall rules.

Manage TLS inspection policy

You can list, update, and delete TLS inspection policies in your project.

List all TLS inspection policies

You can list all the TLS inspection policies in a project.

Console

  1. In the Google Cloud console, go to the TLS inspection policies page.

    Go to TLS inspection policies

  2. In the project selector menu, select your project.

  3. The TLS inspection policies are listed in the TLS inspections section.

gcloud

To list all TLS inspection policies, use the gcloud network-security tls-inspection-policies list command:

gcloud network-security tls-inspection-policies list \
    --project PROJECT_ID \
    --location REGION

Replace the following:

  • PROJECT_ID: the project ID for the TLS inspection policy
  • REGION: the name of the region for which you want to list the TLS inspection policy

Edit a TLS inspection policy

You can modify an existing TLS inspection policy in your project.

Console

  1. In the Google Cloud console, go to the TLS inspection policies page.

    Go to TLS inspection policies

  2. In the project selector menu, select your project.

  3. The TLS inspection policies are listed in the TLS inspections section.

  4. To edit a policy, click the name of your TLS inspection policy.

  5. Click Edit.

  6. Modify the required fields. For more information about each field, see Create a TLS inspection policy.

  7. Click Save.

Delete a TLS inspection policy

You can delete a TLS inspection policy from your project. However, if the TLS inspection policy is referenced by a firewall endpoint association, that TLS inspection policy cannot be deleted.

Console

  1. In the Google Cloud console, go to the TLS inspection policies page.

    Go to TLS inspection policies

  2. In the project selector menu, select your project.

  3. The TLS inspection policies are listed in the TLS inspections section.

  4. To delete a TLS inspection policy, select the checkbox next to its name.

  5. Click Delete.

  6. Click Delete again.

gcloud

To delete a TLS inspection policy, use the gcloud network-security tls-inspection-policies delete command:

gcloud network-security tls-inspection-policies delete \
    projects/PROJECT_ID/locations/REGION/tlsInspectionPolicies/TLS_INSPECTION_NAME \
    --location REGION

Replace the following:

  • PROJECT_ID: the project ID of the TLS inspection policy
  • TLS_INSPECTION_NAME: the name of the TLS inspection
  • REGION: the region where the TLS inspection policy is created

What's next?