This page describes how to enable Transport Layer Security (TLS) inspection for your Secure Web Proxy instance. Secure Web Proxy offers a TLS inspection service that lets you intercept the TLS traffic, inspect the encrypted request, and enforce security policies. For more information about TLS inspection, see TLS inspection overview.
Before you begin
Before you configure your Secure Web Proxy instance for TLS inspection, complete the tasks in the following sections.
Enable Certificate Authority Service
Secure Web Proxy uses Certificate Authority Service to generate the certificates used for TLS inspection.
To enable CA Service, use the following command:
gcloud services enable privateca.googleapis.com
Create a CA pool
A certificate authority (CA) pool is a collection of multiple CAs with a common certificate issuance policy and Identity and Access Management (IAM) policy. CA pools provide the ability to rotate trust chains without any outage or downtime for their payloads.
You must create a CA pool before you can use CA Service to create a CA. This section walks you through the permissions that you need to complete this task and then describes how to create a CA pool.
To generate certificates, TLS inspection uses a separate service account for each project called service-[PROJECT_NUMBER]@gcp-sa-networksecurity.iam.gserviceaccount.com.
Make sure that you have granted permissions to this service account to use
your CA pool. If this access is revoked, then TLS inspection stops working.
To retrieve the PROJECT_NUMBER by using the PROJECT_ID of the CA pool project, use the following command:
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
To create the pool, use the gcloud privateca pools create command and specify the subordinate pool ID, tier, project ID, and location.
gcloud privateca pools create SUBORDINATE_POOL_ID \
    --tier=TIER \
    --project=PROJECT_ID \
    --location=REGION
Replace the following:
- SUBORDINATE_POOL_ID: name of the CA pool
- TIER: CA tier, either devops or enterprise. We recommend that you create the CA pool in the devops tier because tracking individually issued certificates is unnecessary.
- PROJECT_ID: ID of the CA pool project
- REGION: location of the CA pool
Create a subordinate CA pool
If you have multiple certificate issuance scenarios, then you can create a subordinate CA for each of those scenarios. You can create a subordinate CA in a CA pool, and the root CA signs all the CAs in that CA pool. These certificates are used to sign server certificates that are generated for TLS inspection.
To create a subordinate CA pool, use one of the following methods.
Create a subordinate CA pool by using an existing root CA stored within Certificate Authority Service
To generate a subordinate CA, do the following:
Create a subordinate CA pool by using an existing root CA held externally
To generate a subordinate CA, do the following:
Create a root CA
If a root CA doesn't exist, then you can create one within CA Service.
To create a root CA, do the following:
Create a service account
A service account helps provide the necessary permissions for TLS inspection without compromising either the security of your user accounts or your Secure Web Proxy instance itself.
If you don't have a service account, you must create one and then grant the required permissions to that service account.
- Create a service account.
  gcloud beta services identity create \
      --service=networksecurity.googleapis.com \
      --project=PROJECT_ID
  In response, the Google Cloud CLI creates a service account called service-[PROJECT_NUMBER]@gcp-sa-networksecurity.iam.gserviceaccount.com. To retrieve the PROJECT_NUMBER by using the PROJECT_ID of the CA pool project, use the following command:
  gcloud projects describe PROJECT_ID --format="value(projectNumber)"
- For the service account that you created, grant permissions to generate certificates with your CA pool.
  gcloud privateca pools add-iam-policy-binding CA_POOL \
      --member='serviceAccount:SERVICE_ACCOUNT' \
      --role='roles/privateca.certificateManager' \
      --location='REGION'
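Because TLS inspection stops working as soon as the service account loses access to the CA pool, it is worth having a scripted check that the binding is still in place. The following POSIX shell script is an added example, not code from the Google Cloud documentation: it derives the per-project service account name from the project number, then parses the YAML that `gcloud privateca pools get-iam-policy` prints (its layout, with each binding's `members` listed before its `role`, is assumed here) to confirm that the account holds roles/privateca.certificateManager. The policy text embedded at the bottom is a constructed sample so the parsing can be exercised offline; `check_pool_access` is the live variant that needs gcloud and an existing pool.

```shell
#!/bin/sh
# Added example (not from the Google Cloud documentation): derive the TLS
# inspection service account for a project and verify that a CA pool's IAM
# policy grants it roles/privateca.certificateManager.

# Print the per-project service account that Secure Web Proxy uses to
# request certificates from the CA pool. Fails on a non-numeric argument.
swp_service_account() {
  case "$1" in
    ''|*[!0-9]*) echo "project number must be numeric: '$1'" >&2; return 1 ;;
  esac
  printf 'service-%s@gcp-sa-networksecurity.iam.gserviceaccount.com\n' "$1"
}

# Read an IAM policy in the YAML layout printed by `gcloud ... get-iam-policy`
# (assumed layout) from stdin and return 0 if some binding for ROLE lists
# serviceAccount:SA among its members. Members appear before the role line,
# so a match is remembered until the role of that binding is seen.
policy_grants_role() {
  sa="$1"; role="$2"
  awk -v want="serviceAccount:$sa" -v role="$role" '
    /^- members:/ { found = 0 }            # start of a new binding
    /^  - /        { if ($2 == want) found = 1 }
    /^  role: /    { if ($2 == role && found) hit = 1 }
    END            { exit hit ? 0 : 1 }
  '
}

# Live check against a real pool; requires gcloud and is not run by the test.
check_pool_access() {
  pool="$1"; region="$2"; project_number="$3"
  sa=$(swp_service_account "$project_number") || return 1
  gcloud privateca pools get-iam-policy "$pool" --location="$region" \
    | policy_grants_role "$sa" roles/privateca.certificateManager
}

# Constructed sample of get-iam-policy output: one unrelated binding and
# the binding that TLS inspection depends on.
SAMPLE_POLICY='bindings:
- members:
  - user:alice@example.com
  role: roles/privateca.caManager
- members:
  - serviceAccount:service-123456789012@gcp-sa-networksecurity.iam.gserviceaccount.com
  role: roles/privateca.certificateManager
etag: BwX0000000=
version: 1'
```

Run `check_pool_access CA_POOL REGION PROJECT_NUMBER` from a shell that has gcloud authenticated; a non-zero exit means the binding is missing and TLS inspection will fail to obtain certificates.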
Configure Secure Web Proxy for TLS inspection
You can proceed with the tasks in this section only after you have completed the prerequisite tasks listed in the Before you begin section.
To configure TLS inspection, complete the tasks in the following sections.
Create a TLS inspection policy
Console
- In the Google Cloud console, go to the TLS inspection policies page.
- In the project selector menu, select your project.
- Click Create TLS Inspection Policy.
- For Name, enter a name.
- Optional: In the Description field, enter a description.
- In the Region list, select the region for which you want to create the TLS inspection policy.
- In the CA pool list, select the CA pool from where you want to create the certificates. If you haven't configured a CA pool, then click New Pool and follow the instructions in Create a CA pool.
- Optional: In the Minimum TLS version list, select the minimum TLS version supported by the policy.
- For the Trust Configuration, select any one of the following options:
  - Public CAs only: select this option if you want to trust servers with publicly signed certificates.
  - Private CAs only: select this option if you want to trust servers with privately signed certificates. In the Private trust configuration list, select the trust config with the configured trust store to use for trusting upstream server certificates. For more information about how to create a trust config, see Create a trust config.
  - Public and private CAs: select this option if you want to use both public and private CAs.
- Optional: In the Cipher suite profile list, select the TLS profile type. You can choose from any one of the following values:
  - Compatible: allows the broadest set of clients, including clients that support only out-of-date TLS features, to negotiate TLS.
  - Modern: supports a wide set of TLS features, allowing modern clients to negotiate TLS.
  - Restricted: supports a reduced set of TLS features intended to meet stricter compliance requirements.
  - Custom: lets you select TLS features individually. In the Cipher suites list, select the cipher suites supported by the custom profile.
- Click Create.
gcloud
- Create the TLS_INSPECTION_FILE.yaml file. Replace TLS_INSPECTION_FILE with the required filename.
- Add the following code to the YAML file to configure the required TlsInspectionPolicy:
  name: projects/PROJECT_ID/locations/REGION/tlsInspectionPolicies/TLS_INSPECTION_NAME
  caPool: projects/PROJECT_ID/locations/REGION/caPools/CA_POOL
  Replace the following:
  - PROJECT_ID: ID of the project
  - REGION: region in which the policy is to be created
  - TLS_INSPECTION_NAME: name of the Secure Web Proxy TLS inspection policy
  - CA_POOL: name of the CA pool from which the certificates are to be created. The CA pool must exist within the same region.
- Import the TLS inspection policy that you created in the previous step:
  gcloud network-security tls-inspection-policies import TLS_INSPECTION_NAME \
      --source=TLS_INSPECTION_FILE.yaml \
      --location=REGION
Add the TLS inspection policy to the security policy
Console
Create the web proxy policy
- In the Google Cloud console, go to the SWP Policies page.
- Click Create a policy.
- Enter a name for the policy that you want to create, such as myswppolicy.
- Enter a description of the policy, such as My new swp policy.
- In the Regions list, select the region where you want to create the Secure Web Proxy policy.
- To configure TLS inspection, select Configure TLS inspection.
- In the TLS inspection policy list, select the TLS inspection policy that you created.
- If you want to create rules for your policy, click Continue, and then click Add rule. For details, see Create Secure Web Proxy rules.
- Click Create.
Create Secure Web Proxy rules
- In the Google Cloud console, go to the SWP Policies page.
- In the project selector menu, select your organization ID or the folder that contains your policy.
- Click the name of your policy.
- Click Add rule.
- Populate the rule fields:
  - Name
  - Description
  - Status
  - Priority: the numeric evaluation order of the rule. The rules are evaluated from highest to lowest priority, where 0 is the highest priority.
  - In the Action section, specify whether connections that match the rule are allowed (Allow) or denied (Deny).
  - In the Session Match section, specify the criteria for matching the session. For more information about the syntax for SessionMatcher, see the CEL matcher language reference.
  - To enable TLS inspection, select Enable TLS inspection.
  - In the Application Match section, specify the criteria for matching the request. If you don't enable the rule for TLS inspection, then the request can only match HTTP traffic.
  - Click Create.
- Click Add rule to add another rule.
- Click Create to create the policy.
Set up a web proxy
- In the Google Cloud console, go to the Web Proxies page.
- Click Create a secure web proxy.
- Enter a name for the web proxy that you want to create, such as myswp.
- Enter a description of the web proxy, such as My new swp.
- In the Regions list, select the region where you want to create the web proxy.
- In the Network list, select the network where you want to create the web proxy.
- In the Subnetwork list, select the subnetwork where you want to create the web proxy.
- Optional: Enter the Secure Web Proxy IP address. You can enter an IP address from the range of Secure Web Proxy IP addresses that reside in the subnetwork you created in the previous step. If you don't enter the IP address, then your Secure Web Proxy instance automatically chooses an IP address from the selected subnetwork.
- In the Certificate list, select the certificate that you want to use to create the web proxy.
- In the Policy list, select the policy that you created to associate the web proxy with.
- Click Create.
Cloud Shell
- Create the file policy.yaml:
  description: basic Secure Web Proxy policy
  name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1
  tlsInspectionPolicy: projects/PROJECT_ID/locations/REGION/tlsInspectionPolicies/TLS_INSPECTION_NAME
- Create the Secure Web Proxy policy:
  gcloud network-security gateway-security-policies import policy1 \
      --source=policy.yaml \
      --location=REGION
- Create the file rule.yaml:
  name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1/rules/allow-example-com
  description: Allow example.com
  enabled: true
  priority: 1
  basicProfile: ALLOW
  sessionMatcher: host() == 'example.com'
  applicationMatcher: request.path.contains('index.html')
  tlsInspectionEnabled: true
- Create the security policy rule:
  gcloud network-security gateway-security-policies rules import allow-example-com \
      --source=rule.yaml \
      --location=REGION \
      --gateway-security-policy=policy1
- To attach a TLS inspection policy to an existing security policy, create the file POLICY_FILE.yaml. Replace POLICY_FILE with your filename.
  description: My Secure Web Proxy policy
  name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/POLICY_NAME
  tlsInspectionPolicy: projects/PROJECT_ID/locations/REGION/tlsInspectionPolicies/TLS_INSPECTION_NAME
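The gcloud steps for the TLS inspection policy and the Cloud Shell steps above hand-edit three small YAML files whose resource names must agree with each other: the caPool of the TLS inspection policy must be in the policy's own region, and a rule that sets an applicationMatcher only sees decrypted requests when tlsInspectionEnabled is true. The following POSIX shell script is an added example, not code from the Google Cloud documentation: it renders the three files from variables in the same shape the page shows and runs those two checks before the gcloud import commands. The project, region and resource names used in the sample calls (my-project, us-central1, swp-pool, tls-policy1) are constructed values; `import_all` is the live path and needs gcloud.

```shell
#!/bin/sh
# Added example (not from the Google Cloud documentation): render the TLS
# inspection policy, gateway security policy and rule YAML from this page
# and check them for consistency before importing.

# Extract the location segment of a resource name such as
# projects/p/locations/us-central1/caPools/pool (prints nothing if absent).
location_of() {
  printf '%s\n' "$1" | sed -n 's#^projects/[^/]*/locations/\([^/]*\)/.*#\1#p'
}

# TlsInspectionPolicy YAML. The optional fifth argument lets a caller put the
# CA pool in a different region, which the check below must reject.
render_tls_inspection_policy() {
  project="$1"; region="$2"; name="$3"; ca_pool="$4"; pool_region="${5:-$2}"
  cat <<EOF
name: projects/$project/locations/$region/tlsInspectionPolicies/$name
caPool: projects/$project/locations/$pool_region/caPools/$ca_pool
EOF
}

# Return 0 if the caPool named in the rendered policy (passed as a string)
# is in the same location as the policy itself; the page requires this.
tls_policy_regions_match() {
  yaml="$1"
  policy=$(printf '%s\n' "$yaml" | awk '$1 == "name:" { print $2 }')
  pool=$(printf '%s\n' "$yaml" | awk '$1 == "caPool:" { print $2 }')
  [ -n "$policy" ] && [ "$(location_of "$policy")" = "$(location_of "$pool")" ]
}

# GatewaySecurityPolicy YAML that references the TLS inspection policy.
render_gateway_policy() {
  project="$1"; region="$2"; policy="$3"; tls_name="$4"
  cat <<EOF
description: basic Secure Web Proxy policy
name: projects/$project/locations/$region/gatewaySecurityPolicies/$policy
tlsInspectionPolicy: projects/$project/locations/$region/tlsInspectionPolicies/$tls_name
EOF
}

# Rule YAML in the page's shape; $8 is "true" or "false" for tlsInspectionEnabled.
render_rule() {
  project="$1"; region="$2"; policy="$3"; rule="$4"; priority="$5"
  host="$6"; path="$7"; tls="$8"
  cat <<EOF
name: projects/$project/locations/$region/gatewaySecurityPolicies/$policy/rules/$rule
description: Allow $host
enabled: true
priority: $priority
basicProfile: ALLOW
sessionMatcher: host() == '$host'
applicationMatcher: request.path.contains('$path')
tlsInspectionEnabled: $tls
EOF
}

# Lint: an applicationMatcher without TLS inspection can only match plain
# HTTP, so a rule that has one must also set tlsInspectionEnabled: true.
rule_matcher_needs_tls() {
  yaml="$1"
  has_app=$(printf '%s\n' "$yaml" | grep -c '^applicationMatcher:' || true)
  tls_on=$(printf '%s\n' "$yaml" | grep -c '^tlsInspectionEnabled: true$' || true)
  [ "$has_app" -eq 0 ] || [ "$tls_on" -eq 1 ]
}

# Live path: render, check, then import with gcloud. Not run by the test.
import_all() {
  project="$1"; region="$2"
  render_tls_inspection_policy "$project" "$region" tls-policy1 swp-pool > tls.yaml
  tls_policy_regions_match "$(cat tls.yaml)" || { echo "caPool region mismatch" >&2; return 1; }
  gcloud network-security tls-inspection-policies import tls-policy1 \
      --source=tls.yaml --location="$region"
  render_gateway_policy "$project" "$region" policy1 tls-policy1 > policy.yaml
  gcloud network-security gateway-security-policies import policy1 \
      --source=policy.yaml --location="$region"
  render_rule "$project" "$region" policy1 allow-example-com 1 example.com index.html true > rule.yaml
  rule_matcher_needs_tls "$(cat rule.yaml)" || { echo "rule needs TLS inspection" >&2; return 1; }
  gcloud network-security gateway-security-policies rules import allow-example-com \
      --source=rule.yaml --location="$region" --gateway-security-policy=policy1
}
```

Run `import_all my-project us-central1` (with your own project and region) from an authenticated Cloud Shell; both checks abort the script before any import if the files disagree.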