This page describes how to set up Transport Layer Security (TLS) inspection for Cloud Next Generation Firewall.
Before you begin
Before you configure TLS inspection, complete the tasks in the following sections.
Enable Certificate Authority Service
Cloud NGFW uses Certificate Authority Service to generate intermediate certificate authorities (CAs). Cloud NGFW uses these intermediate CAs to generate the certificates used for TLS inspection.
To enable CA Service, use the following command:
gcloud services enable privateca.googleapis.com
Enable Certificate Manager
Cloud NGFW uses Certificate Manager to create trust configs. If you don't want to use trust configs, skip this step.
To enable Certificate Manager, use the following command:
gcloud services enable certificatemanager.googleapis.com
Create a trust config
This is an optional step. To create a trust config , follow the steps in this section.
-
The CA pool that you create in this step is different from the one you create for configuring the TLS inspection policy.
-
Create a root CA by using the CA pool you created earlier.
-
Create a certificate using an auto-generated key . Use the same CA pool name that you created earlier.
-
Get the public certificate of the CA from the created certificate.
$PEM-CERT=$(gcloud privateca roots describe ROOT_CA_NAME \ --location LOCATION \ --project PROJECT_ID \ --pool CA_POOL \ --format "value(pemCaCertificates)")
Replace the following:
-
ROOT_CA_NAME
: the name of the root CA -
LOCATION
: the location of the root CA -
PROJECT_ID
: the project ID of the root CA -
CA_POOL
: the name of the CA pool to create the certificates from
-
-
Create and import a trust config by using the
PEM-CERT
obtained in the preceding step. If you use your own CA, use the public certificate obtained from your CA.
You use this trust config to create a TLS inspection policy .
Create a CA pool
You must create a CA pool before you can use CA Service to create a CA. To create a CA pool, follow the instructions in Creating CA pools .
You use this CA pool to create a TLS inspection policy .
Create a root CA
If you don't have an existing root CA, you can create one within CA Service. To create a root CA, follow the instructions in Creating a root CA , and use the same CA pool that you created earlier (see section Create a CA pool ).
Create a service account
If you don't have a service account, you must create one and grant the required permissions.
-
Create a service account:
gcloud services identity create \ --service networksecurity.googleapis.com \ --project PROJECT_ID
Replace
PROJECT_ID
with the project ID of the service account.The Google Cloud CLI creates a service account called
service- PROJECT_NUMBER @gcp-sa-networksecurity.iam.gserviceaccount.com
. Here,PROJECT_NUMBER
is the unique identifier of thePROJECT_ID
you provided in the preceding command. -
Grant permission to your service account to generate certificates that use your CA pool:
gcloud privateca pools add-iam-policy-binding CA_POOL \ --member 'serviceAccount: SERVICE_ACCOUNT ' \ --role 'roles/privateca.certificateRequester' \ --location REGION
Replace the following:
-
CA_POOL
: the name of the CA pool to create the certificates from -
SERVICE_ACCOUNT
: the name of the service account you created in the preceding step -
LOCATION
: the region of the CA pool
-
Configure TLS inspection
Before you proceed with the tasks in this section, make sure you have configured your certificates, or you have completed the prerequisite tasks listed in the Before you begin section.
To configure TLS inspection, complete the tasks in the following sections.
Create a TLS inspection policy
Console
-
In the Google Cloud console, go to the TLS inspection policiespage.
-
In the project selector menu, select your project.
-
Click Create TLS inspection policy.
-
For Name, enter a name.
-
Optional: In the Descriptionfield, enter a description.
-
In the Regionlist, select the region where you want to create the TLS inspection policy.
-
In the CA poollist, select the CA pool from where you want to create the certificates.
If you don't have a CA pool configured, click New Pooland follow the instructions in Create a CA pool .
-
Optional: In the Minimum TLS versionlist, select the minimum TLS version supported by the policy.
-
For the Trust Configuration, select one of the following options:
- Public CAs only:Select this option if you want to trust servers with publicly signed certificates.
-
Private CAs only:Select this option if you want to trust servers with privately signed certificates.
In the Private trust configurationlist, select the trust config with the configured trust store to use for trusting upstream server certificates. For more information about how to create a trust config, see Create a trust config .
-
Public and private CAs:Select this option if you want to use both public and private CAs.
-
Optional: In the Cipher suite profilelist, select the TLS profile type. You can choose from one of the following values:
- Compatible: allows the broadest set of clients, including clients that support only out-of-date TLS features, to negotiate TLS.
- Modern: supports a wide set of TLS features, allowing modern clients to negotiate TLS.
- Restricted: supports a reduced set of TLS features intended to meet stricter compliance requirements.
-
Custom: lets you select TLS features individually.
In the Cipher suiteslist, select the name of the cipher suites supported by the custom profile.
-
Click Create.
gcloud
-
Create a YAML file
TLS_INSPECTION_FILE .yaml
. ReplaceTLS_INSPECTION_FILE
with a filename of your choice. -
Add the following code to the YAML file to configure the TLS inspection policy.
name: projects/ PROJECT_ID /locations/ REGION /tlsInspectionPolicies/ TLS_INSPECTION_NAME caPool: projects/ PROJECT_ID /locations/ REGION /caPools/ CA_POOL minTlsVersion: TLS_VERSION tlsFeatureProfile: PROFILE_TYPE CIPHER_NAME excludePublicCaSet: `TRUE`|`FALSE` trustConfig: projects/ PROJECT_ID /locations/ REGION /trustConfigs/ TRUST_CONFIG_NAME
Replace the following:
-
PROJECT_ID
: the project ID of the TLS inspection policy -
REGION
: the region where the TLS inspection policy is created -
TLS_INSPECTION_NAME
: the name of the TLS inspection policy -
CA_POOL
: the name of the CA pool to create the certificates fromThe CA pool must exist within the same region.
-
TLS_VERSION
: an optional argument that specifies the minimum TLS version supported by Cloud NGFWYou can select from one of the following values:
-
TLS_1_0
-
TLS_1_1
-
TLS_1_2
-
-
PROFILE_TYPE
: an optional argument that specifies the type of TLS profileYou can select from one of the following values:
-
PROFILE_COMPATIBLE
: allows the broadest set of clients, including clients that support only out-of-date TLS features, to negotiate TLS. -
PROFILE_MODERN
: supports a wide set of TLS features, allowing modern clients to negotiate TLS. -
PROFILE_RESTRICTED
: supports a reduced set of TLS features intended to meet stricter compliance requirements. -
PROFILE_CUSTOM
: lets you select TLS features individually.
-
-
CIPHER_NAME
: an optional argument to specify the name of the cipher suite supported by the custom profileYou specify this argument only when the profile type is set to
PROFILE_CUSTOM
. -
excludePublicCaSet
: an optional flag to include or exclude a public CA set. By default, this flag is set to false. When this flag is set to true, TLS connections don't trust public CA servers. In this case, Cloud NGFW can only make TLS connections to servers with certificates signed by CAs in the trust config. -
TRUST_CONFIG_NAME
: an optional argument to specify the name of the trust config resource
-
-
Import the TLS inspection policy that you created in the section Create a TLS inspection policy
gcloud network-security tls-inspection-policies import TLS_INSPECTION_NAME \ --source TLS_INSPECTION_FILE .yaml \ --location REGION
Replace the following:
-
TLS_INSPECTION_NAME
: the name of the TLS inspection policy -
TLS_INSPECTION_FILE
: the name of the TLS inspection policy YAML file
-
View details for a TLS inspection policy
You can view information about the TLS inspection policy that you created in your project.
Console
-
In the Google Cloud console, go to the TLS inspection policiespage.
-
In the project selector menu, select your project.
-
The TLS inspection policies are listed in the TLS inspectionssection.
-
To view the details, click the name of your TLS inspection policy.
Add TLS inspection policy to a firewall endpoint association
To add the TLS inspection policy to a firewall endpoint association, follow the steps mentioned in Create firewall endpoint associations .
Configure firewall policy rules with TLS inspection
To enable TLS inspection for your Virtual Private Cloud (VPC) network,
set the --tls-inspect
flag in your firewall policy rule. This flag indicates
that the TLS inspection can be performed when the security profile group
is applied.
To learn more about how to enable the --tls-inspect
flag in hierarchical firewall
policy rules, see Create firewall rules
.
To learn more about how to enable the --tls-inspect
flag in global network firewall
policy rules, see Create global network firewall rules
.
Manage TLS inspection policy
You can list, update, and delete TLS inspection policies in your project.
List all TLS inspection policies
You can list all the TLS inspection policies in a project.
Console
-
In the Google Cloud console, go to the TLS inspection policiespage.
-
In the project selector menu, select your project.
-
The TLS inspection policies are listed in the TLS inspectionssection.
gcloud
To list all TLS inspection policies, use the gcloud network-security tls-inspection-policies list
command
:
gcloud network-security tls-inspection-policies list \ --project PROJECT_ID \ --location REGION
Replace the following:
-
PROJECT_ID
: the project ID for the TLS inspection policy -
REGION
: the name of the region for which you want to list the TLS inspection policy
Edit a TLS inspection policy
You can modify an existing TLS inspection policy in your project.
Console
-
In the Google Cloud console, go to the TLS inspection policiespage.
-
In the project selector menu, select your project.
-
The TLS inspection policies are listed in the TLS inspectionssection.
-
To edit a policy, click the name of your TLS inspection policy.
-
Click Edit.
-
Modify the required fields. For more information about each field, see Create a TLS inspection policy .
-
Click Save.
Delete a TLS inspection policy
You can delete a TLS inspection policy from your project. However, if the TLS inspection policy is referenced by a firewall endpoint association, that TLS inspection policy cannot be deleted.
Console
-
In the Google Cloud console, go to the TLS inspection policiespage.
-
In the project selector menu, select your project.
-
The TLS inspection policies are listed in the TLS inspectionssection.
-
To delete a TLS inspection policy, select the checkbox next to its name.
-
Click Delete.
-
Click Deleteagain.
gcloud
To delete a TLS inspection policy, use the gcloud network-security tls-inspection-policies delete
command
:
gcloud network-security tls-inspection-policies delete \ projects/ PROJECT_ID /locations/ REGION /tlsInspectionPolicies/ TLS_INSPECTION_NAME \ --location REGION
Replace the following:
-
PROJECT_ID
: the project ID of the TLS inspection policy -
TLS_INSPECTION_NAME
: the name of the TLS inspection -
REGION
: the region where the TLS inspection policy is created