
GCP Firewall Endpoint for IPS & URL Filtering

A Firewall Endpoint is a managed, zonal resource within Cloud NGFW Enterprise that performs Layer 7 deep packet inspection using Palo Alto Networks threat prevention technology. Firewall policy rules (in a hierarchical or global network firewall policy) whose action applies a security profile group "intercept" matching flows and redirect them to this endpoint, which gives us inline Intrusion Prevention (IPS) and URL Filtering that block advanced threats and enforce policy directly within the VPC fabric.


Security Profiles

First we need to create the Security Profiles. The first one is the Threat Prevention (IPS) profile; here we set the override action to Deny for every severity except Informational, which keeps its default action.



Next we create a URL Filtering profile. Here we allow two URLs and deny everything else.



Now we have both Security Profiles configured.



After that we need to create a Security Profile Group that contains those two profiles; a firewall policy rule references the group, not the individual profiles.




Firewall Endpoint

Next we set up the Firewall Endpoint: select the zone (firewall endpoints are zonal resources, not regional), give it a name and select the billing project.



For jumbo frames we'll leave the default.



For association, we associate this Firewall Endpoint with ext-vpc, the internet-facing VPC, and then hit Create.



After about 20 minutes the Firewall Endpoint is up and running (state ACTIVE).



Firewall Policy

Next we create a Firewall Policy.



Then we create the rules whose action applies the Security Profile Group.



For packet mirroring we'll leave it as is.



For network association we select ext-vpc, and then hit Create.



Here's the configured Firewall Policy



with two rules, one egress and one ingress, each applying the Security Profile Group for IPS & URL Filtering.
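The whole procedure above, from the two Security Profiles through the endpoint, its association and the policy rules, as an added gcloud script. This is not the author's code (the post does everything in the console); ORG_ID, PROJECT_ID, ZONE, the resource names and the two allowed URLs are placeholders I assumed, and the flag names follow the gcloud reference for these commands, so confirm them with `gcloud <command> --help` before applying. The script prints each command by default and only executes when run with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not the author's script): the gcloud equivalent of the
# console steps in this post, in the same order. ORG_ID, PROJECT_ID, ZONE,
# the resource names and the two allowed URLs are placeholders (assumptions).
# Flag names follow the gcloud reference for these commands; confirm them
# with `gcloud <command> --help` before applying.
# DRY_RUN=1 (default) only prints each command; DRY_RUN=0 executes it.
set -eu

ORG_ID="${ORG_ID:-123456789012}"            # assumed placeholder
PROJECT_ID="${PROJECT_ID:-my-ngfw-project}" # assumed placeholder
ZONE="${ZONE:-us-central1-a}"               # endpoints are zonal, not regional
NETWORK="${NETWORK:-ext-vpc}"               # the internet-facing VPC in the post
ALLOWED_URLS="${ALLOWED_URLS:-example.com,*.example.com}"  # assumed allow-list
DRY_RUN="${DRY_RUN:-1}"

SP="organizations/$ORG_ID/locations/global/securityProfiles"
SPG="organizations/$ORG_ID/locations/global/securityProfileGroups/ips-url-group"

run() {  # print the command line, then execute it unless DRY_RUN=1
  printf '%s\n' "$*"
  [ "$DRY_RUN" = "1" ] || "$@"
}

create_ips_profile() {
  run gcloud network-security security-profiles threat-prevention create ips-profile \
    --organization="$ORG_ID" --location=global
  # Deny every severity except INFORMATIONAL, which keeps its default action.
  run gcloud network-security security-profiles threat-prevention add-override ips-profile \
    --organization="$ORG_ID" --location=global \
    --severities=CRITICAL,HIGH,MEDIUM,LOW --action=DENY
}

create_url_profile() {
  run gcloud network-security security-profiles url-filtering create url-profile \
    --organization="$ORG_ID" --location=global
  # Lower priority number is evaluated first: allow the list, then deny the rest.
  run gcloud network-security security-profiles url-filtering add-url-filter url-profile \
    --organization="$ORG_ID" --location=global \
    --priority=100 --filtering-action=ALLOW --urls="$ALLOWED_URLS"
  run gcloud network-security security-profiles url-filtering add-url-filter url-profile \
    --organization="$ORG_ID" --location=global \
    --priority=200 --filtering-action=DENY --urls='*'   # catch-all (assumed wildcard)
}

create_profile_group() {  # policy rules reference the group, not the profiles
  run gcloud network-security security-profile-groups create ips-url-group \
    --organization="$ORG_ID" --location=global \
    --threat-prevention-profile="$SP/ips-profile" \
    --url-filtering-profile="$SP/url-profile"
}

create_endpoint() {
  run gcloud network-security firewall-endpoints create fw-endpoint \
    --organization="$ORG_ID" --zone="$ZONE" --billing-project="$PROJECT_ID"
}

wait_for_endpoint() {  # creation is slow (about 20 minutes in the post)
  [ "$DRY_RUN" = "1" ] && return 0
  until [ "$(gcloud network-security firewall-endpoints describe fw-endpoint \
      --organization="$ORG_ID" --zone="$ZONE" --format='value(state)')" = "ACTIVE" ]; do
    sleep 30
  done
}

associate_endpoint() {  # attach the endpoint to the internet-facing VPC
  run gcloud network-security firewall-endpoint-associations create fw-endpoint-assoc \
    --project="$PROJECT_ID" --zone="$ZONE" \
    --network="projects/$PROJECT_ID/global/networks/$NETWORK" \
    --endpoint="organizations/$ORG_ID/locations/$ZONE/firewallEndpoints/fw-endpoint"
}

create_policy() {
  run gcloud compute network-firewall-policies create l7-inspect-policy \
    --project="$PROJECT_ID" --global
  # Egress: web traffic leaving the VPC is redirected to the endpoint (URL filtering + IPS).
  run gcloud compute network-firewall-policies rules create 1000 \
    --project="$PROJECT_ID" --firewall-policy=l7-inspect-policy --global-firewall-policy \
    --direction=EGRESS --dest-ip-ranges=0.0.0.0/0 --layer4-configs=tcp:80,tcp:443 \
    --action=apply_security_profile_group --security-profile-group="$SPG" --enable-logging
  # Ingress: inbound connections to the VM are inspected (what the DoS test exercises).
  run gcloud compute network-firewall-policies rules create 1001 \
    --project="$PROJECT_ID" --firewall-policy=l7-inspect-policy --global-firewall-policy \
    --direction=INGRESS --src-ip-ranges=0.0.0.0/0 --layer4-configs=tcp:80,tcp:443 \
    --action=apply_security_profile_group --security-profile-group="$SPG" --enable-logging
  run gcloud compute network-firewall-policies associations create \
    --project="$PROJECT_ID" --firewall-policy=l7-inspect-policy --global-firewall-policy \
    --network="$NETWORK" --name="$NETWORK-l7-assoc"
}

main() {
  create_ips_profile; create_url_profile; create_profile_group
  create_endpoint; wait_for_endpoint; associate_endpoint
  create_policy
}
main
```

Two details worth keeping in mind when adapting it: the endpoint and the profiles live at the organization level while the association and the policy live in the project, so the account running this needs roles in both; and the ingress rule only sends the listed TCP ports to the endpoint, so widen `--layer4-configs` if the service you want the IPS to cover listens elsewhere.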



Testing

First, from a VM inside GCP, we can now only reach the allowed URLs; requests to anything else fail.



We can see the logs for this event in the firewall policy's logs.



To test the IPS, we attack the VM inside GCP from an outside network. Here we use a Kali Linux machine to run a simple Denial of Service (DoS) attack that tries to exhaust the VM's connection pool by holding sockets open.



In the GCP Threat events view, we can see that the Firewall Endpoint identified and prevented this attack.



This post is licensed under CC BY 4.0 by the author.