Secure Google Cloud VPC Networks with Palo Alto Networks Next Generation Firewall

Prasanna Bhaskaran Surendran
Google Cloud - Community
Jul 18, 2023


What is Next Generation Firewall

With the growth in cloud adoption and the increase in cloud-based threats, it is important to put the right network security controls in place to protect the workloads deployed in the cloud. One of the key technologies organizations use to protect against network-based threats is the Next Generation Firewall (NGFW). An NGFW inspects traffic at layers 3, 4 and 7 and has built-in capabilities such as intrusion prevention, anti-bot and anti-malware protection, application identification and inspection, and URL filtering, which together protect cloud workloads against network-based threats.

Palo Alto Networks Next Generation Firewall

Palo Alto Networks NGFW (Next-Generation Firewall) is a modular security solution that can help protect your applications, users, and data in Google Cloud. The VM-Series NGFW on Google Cloud delivers the same security capabilities as the PA-Series hardware NGFWs used on-premises, with the agility and scalability of the cloud. It is deployed as a Compute Engine VM, so Google Cloud manages the underlying physical infrastructure; PAN-OS itself, its content updates and the firewall policy remain the operator's responsibility.

Furthermore, the VM-Series NGFW improves the security posture of the cloud environment and helps meet compliance requirements that call for network segmentation and traffic inspection, such as PCI DSS.

Palo Alto Networks NGFW in Google Cloud provides comprehensive protection against a wide range of threats, including malware (viruses, worms, Trojans, spyware and adware) and phishing attacks. It also provides advanced threat protection capabilities such as intrusion prevention, application control and URL filtering.

Palo Alto Networks NGFW Active/Passive Deployment Architecture

The architecture is very similar to the load balancer (LB) sandwich recommended for GCP, in which an external LB handles the untrust (internet-facing) traffic and an internal LB handles the trust side: egress from the workloads and east-west traffic between workload networks.

NGFW Active/Passive Architecture

In the above architecture diagram, the VM-Series firewalls are deployed as an Active-Passive pair. Each firewall belongs to its own Unmanaged Instance Group, and the two groups are placed in different zones of the same region. Each firewall has four interfaces: MGMT/HA1, untrust, trust, and HA2, and each interface is attached to a dedicated VPC network.

Components

The following sections explain the network components in more detail.

Unmanaged Instance Groups

Each firewall is associated with its own Unmanaged Instance Group, and the groups are deployed in different zones for redundancy and fault tolerance. The instance groups are what allow the VM-Series firewalls to be used as backends of Google Cloud's pass-through network load balancers. In the load balancer configuration, both instance groups are added as backends of the same backend service. The load balancer's health check against the passive firewall fails because its dataplane is inactive, so the load balancer only ever forwards traffic to the active firewall; this health check is the mechanism that steers traffic after a failover. For the health checks to succeed on the active firewall, the VPC firewall rules and the interface management profile on the untrust and trust interfaces must allow the Google health-check probe ranges (35.191.0.0/16 and 130.211.0.0/22 for the internal load balancer; 35.191.0.0/16, 209.85.152.0/22 and 209.85.204.0/22 for the backend-service-based external load balancer).

Backend Service

The Backend Service carries the piece of configuration that makes existing flows survive a failover. The "Connection Tracking Policy" on the Backend Service should have the following values:

  1. Tracking Mode — Per Session
  2. Connection Persistence on Unhealthy Backends — Never Persist
  3. Idle Timeout Seconds — 600 seconds

Session Affinity on the Backend Service should be set to "None" for best results. With affinity None and per-session tracking, the load balancer tracks each flow by its 5-tuple. "Never Persist" matters most: with the default persistence setting, established TCP connections can keep being sent to a backend that has just failed its health check until they time out. With "Never Persist", the load balancer re-steers those connections to the healthy backend, the newly active firewall, which already holds their session state through HA2 synchronization, so the flows continue without a reset.
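The following script is an added example for this post, not code from Palo Alto Networks or Google. It audits a backend service description for exactly the four settings above and prints the gcloud command that would correct any deviation. It reads the JSON that `gcloud compute backend-services describe NAME --region REGION --format=json` prints; the document below is constructed, the field names are the REST BackendService field names (sessionAffinity, connectionTrackingPolicy.*), and the gcloud flag names are assumed from the `gcloud compute backend-services update` reference and should be checked against `--help` locally.

```python
"""Audit a Compute Engine backend service for the connection-tracking
settings the active/passive VM-Series design needs.

Added example for this post; not code from Palo Alto Networks or Google.
Input: JSON from `gcloud compute backend-services describe ... --format=json`.
"""
import json

# Recommended values: 5-tuple per-session tracking, no affinity, and no
# persistence to an unhealthy backend so existing flows re-hash to the
# newly active firewall (which already holds their state via HA2 sync).
REQUIRED = {
    "sessionAffinity": "NONE",
    "connectionTrackingPolicy.trackingMode": "PER_SESSION",
    "connectionTrackingPolicy.connectionPersistenceOnUnhealthyBackends": "NEVER_PERSIST",
    "connectionTrackingPolicy.idleTimeoutSec": 600,
}

# gcloud flags that set each field (assumed from the `backend-services update`
# reference; verify with --help before use).
FLAGS = {
    "sessionAffinity": "--session-affinity",
    "connectionTrackingPolicy.trackingMode": "--tracking-mode",
    "connectionTrackingPolicy.connectionPersistenceOnUnhealthyBackends":
        "--connection-persistence-on-unhealthy-backends",
    "connectionTrackingPolicy.idleTimeoutSec": "--idle-timeout-sec",
}


def _lookup(doc, dotted):
    """Walk a dotted path through nested dicts; None if any part is missing."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def audit_backend_service(doc):
    """Return [(field, actual, expected)] for every setting that deviates."""
    return [
        (field, _lookup(doc, field), expected)
        for field, expected in REQUIRED.items()
        if _lookup(doc, field) != expected
    ]


def remediation_command(doc, region):
    """One gcloud update command fixing every deviation; None if compliant."""
    findings = audit_backend_service(doc)
    if not findings:
        return None
    parts = ["gcloud compute backend-services update", doc["name"],
             f"--region={region}"]
    for field, _actual, expected in findings:
        parts.append(f"{FLAGS[field]}={expected}")
    return " ".join(parts)


# Constructed sample: affinity and persistence left at values that would
# pin flows to a firewall that has just failed; idle timeout never set.
SAMPLE_BAD = json.loads("""
{
  "name": "fw-trust-backend",
  "loadBalancingScheme": "INTERNAL",
  "sessionAffinity": "CLIENT_IP",
  "connectionTrackingPolicy": {
    "trackingMode": "PER_SESSION",
    "connectionPersistenceOnUnhealthyBackends": "DEFAULT_FOR_PROTOCOL"
  },
  "backends": [
    {"group": "zones/us-central1-a/instanceGroups/fw-a-ig"},
    {"group": "zones/us-central1-b/instanceGroups/fw-b-ig"}
  ]
}
""")

if __name__ == "__main__":
    for field, actual, expected in audit_backend_service(SAMPLE_BAD):
        print(f"{field}: {actual!r} (expected {expected!r})")
    print(remediation_command(SAMPLE_BAD, "us-central1"))
```

Run it against both the trust-side (internal) and untrust-side (external) backend services; the same four settings apply to each.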

External Load Balancer

The external TCP/UDP load balancer forwards inbound traffic from the internet to the untrust interface of the active VM-Series firewall. Because it is a pass-through load balancer, its forwarding-rule IP address also acts as the internet gateway for egress traffic from the Google Cloud resources protected by the VM-Series: the firewall source-NATs outbound flows to that address and the return traffic arrives through the same load balancer. For the VM-Series to receive traffic from any external load balancer, a management interface swap must be performed, which makes the untrust interface the primary interface (nic0) of the compute instance and moves management to nic1; on Google Cloud this is typically set through the bootstrap init-cfg.txt (mgmt-interface-swap=enable) before the firewall boots.

Internal Load Balancer

The internal TCP/UDP load balancer forwards outbound traffic from Google Cloud resources to the trust interface of the active VM-Series firewall. Custom static routes are defined in the workload networks with the internal TCP/UDP load balancer's forwarding rule as the next hop. Give these routes a priority value lower (that is, more preferred) than the default route Google creates, or delete that default route, so that nothing reaches the internet without passing the firewall.
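Routes are the control that keeps egress inspected, and a single more-specific or tag-scoped route is enough to bypass the firewall silently. The script below is an added example for this post, not code from Google or Palo Alto Networks: it takes the JSON from `gcloud compute routes list --filter="network:NAME" --format=json` (the list below is constructed), emulates VPC route selection (longest destination prefix, then lowest priority number, with tag-scoped routes applying only to instances that carry the tag), and reports any probe destination whose selected next hop is not the ILB forwarding rule. The project, forwarding-rule and route names are placeholders.

```python
"""Check that egress from a workload VPC is steered through the internal
passthrough load balancer in front of the VM-Series pair, and that no
other route shadows that path.

Added example for this post, not code from Google or Palo Alto Networks.
Input: JSON list from `gcloud compute routes list --format=json`.
"""
import ipaddress

NEXT_HOP_KEYS = ("nextHopIlb", "nextHopGateway", "nextHopInstance",
                 "nextHopIp", "nextHopVpnTunnel", "nextHopPeering",
                 "nextHopNetwork")


def _applies(route, instance_tags):
    """A route with network tags only applies to instances that carry one."""
    tags = route.get("tags") or []
    return not tags or bool(set(tags) & set(instance_tags))


def select_route(routes, dest_ip, instance_tags=()):
    """Return the route a VM with instance_tags would use for dest_ip:
    longest prefix wins, then the lowest priority number."""
    ip = ipaddress.ip_address(dest_ip)
    best_key, best = None, None
    for route in routes:
        if not _applies(route, instance_tags):
            continue
        net = ipaddress.ip_network(route["destRange"], strict=False)
        if ip not in net:
            continue
        key = (net.prefixlen, -int(route.get("priority", 1000)))
        if best_key is None or key > best_key:
            best_key, best = key, route
    return best


def next_hop(route):
    """Return (kind, target) for whichever nextHop* field the route has."""
    for key in NEXT_HOP_KEYS:
        if key in route:
            return key, route[key]
    return None, None


def audit_egress(routes, ilb_forwarding_rule, probes, instance_tags=()):
    """Report each probe destination whose selected route does not point at
    the ILB forwarding rule. Returns [(dest, route_name, hop_kind, target)]."""
    findings = []
    for dest in probes:
        route = select_route(routes, dest, instance_tags)
        kind, target = next_hop(route) if route else (None, None)
        ok = kind == "nextHopIlb" and target.rsplit("/", 1)[-1] == ilb_forwarding_rule
        if not ok:
            findings.append((dest, route["name"] if route else None, kind, target))
    return findings


PROJECT = "https://www.googleapis.com/compute/v1/projects/example-proj"
ILB = PROJECT + "/regions/us-central1/forwardingRules/ilb-trust-fwd"
IGW = PROJECT + "/global/gateways/default-internet-gateway"

# Constructed sample: the intended firewall route, Google's default route
# (left in place), a /24 someone routed straight to the internet, and a
# tag-scoped bypass that only affects instances tagged "no-fw".
SAMPLE_ROUTES = [
    {"name": "egress-via-fw", "destRange": "0.0.0.0/0", "priority": 900,
     "nextHopIlb": ILB},
    {"name": "default-route-1a2b", "destRange": "0.0.0.0/0", "priority": 1000,
     "nextHopGateway": IGW},
    {"name": "partner-direct", "destRange": "203.0.113.0/24", "priority": 1000,
     "nextHopGateway": IGW},
    {"name": "debug-direct", "destRange": "0.0.0.0/0", "priority": 100,
     "nextHopGateway": IGW, "tags": ["no-fw"]},
]
PROBES = ["8.8.8.8", "203.0.113.10"]

if __name__ == "__main__":
    for tags in ((), ("no-fw",)):
        print(f"instance tags {tags or '(none)'}:")
        for dest, name, kind, _target in audit_egress(
                SAMPLE_ROUTES, "ilb-trust-fwd", PROBES, tags):
            print(f"  {dest} bypasses the firewall via {name} ({kind})")
```

Use a probe list that covers the internet, peered VPC ranges and any on-premises prefixes, and run the audit once per distinct set of network tags in use; the tag-scoped case is the one that is easiest to miss in a console review.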

HA2 Network

In addition to the three VPC networks required for the Management, Untrust and Trust traffic of the VM-Series firewalls, a fourth VPC network, HA2, is dedicated to session synchronization between the active and passive firewalls. Configuration synchronization (HA1) uses the Management network.

VM-Series Configuration

The VM-Series firewalls are configured as an Active-Passive pair, and configuration changes made on one firewall are automatically synchronized to the other. The two firewalls must have identical licenses and run the same PAN-OS version; this keeps them compatible, so that configuration and policy stay in sync and failover is seamless.
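A quick way to verify the parity requirement before forming the pair is to pull `show system info` and `request license info` from both firewalls through the PAN-OS XML API and compare them. The script below is an added example for this post, not Palo Alto Networks code. The two responses it parses are constructed in the shape of the API's output; the element names it relies on (sw-version, app-version, threat-version, licenses/entry/feature, expired) and the operational command XML are written from memory of the API and should be verified against a real response before this is relied on.

```python
"""Pre-deployment parity check for a VM-Series HA pair: same PAN-OS
version, same licensed features, no expired licenses, matching content.

Added example for this post, not Palo Alto Networks code. Element names
and op-command XML are assumed from the PAN-OS XML API; verify locally.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SHOW_SYSTEM_INFO = "<show><system><info></info></system></show>"
REQUEST_LICENSE_INFO = "<request><license><info></info></license></request>"


def op_request_url(host, api_key, cmd_xml):
    """URL for a PAN-OS XML API operational command (type=op)."""
    return f"https://{host}/api/?" + urlencode(
        {"type": "op", "cmd": cmd_xml, "key": api_key})


def parse_system_info(xml_text):
    """Flatten <result><system> children into {tag: text}."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API call failed")
    return {c.tag: (c.text or "").strip() for c in root.find("./result/system")}


def parse_licenses(xml_text):
    """Return {feature: expired?} for each licensed feature."""
    root = ET.fromstring(xml_text)
    return {e.findtext("feature").strip(): e.findtext("expired", "no").strip() == "yes"
            for e in root.findall("./result/licenses/entry")}


def ha_parity(peer_a, peer_b):
    """peer_* = {"system": dict, "licenses": dict}. Returns (severity, message)
    tuples; any 'error' means the pair should not be formed yet."""
    findings = []
    sa, sb = peer_a["system"], peer_b["system"]
    if sa.get("sw-version") != sb.get("sw-version"):
        findings.append(("error", f"PAN-OS mismatch: {sa.get('sw-version')} vs {sb.get('sw-version')}"))
    for field in ("app-version", "threat-version"):  # content versions: warn only
        if sa.get(field) != sb.get(field):
            findings.append(("warning", f"{field} mismatch: {sa.get(field)} vs {sb.get(field)}"))
    la, lb = peer_a["licenses"], peer_b["licenses"]
    for feature in sorted(set(la) ^ set(lb)):
        findings.append(("error", f"license {feature!r} present on only one peer"))
    for name, lic in (("A", la), ("B", lb)):
        for feature, expired in sorted(lic.items()):
            if expired:
                findings.append(("error", f"license {feature!r} expired on peer {name}"))
    return findings


# Constructed responses: peer B is one PAN-OS release behind, has older
# threat content, and lacks the URL filtering license.
PEER_A_SYS = """<response status="success"><result><system>
<hostname>vmfw-a</hostname><sw-version>10.2.4</sw-version>
<app-version>8720-7702</app-version><threat-version>8720-7702</threat-version>
<model>PA-VM</model></system></result></response>"""
PEER_B_SYS = """<response status="success"><result><system>
<hostname>vmfw-b</hostname><sw-version>10.2.3</sw-version>
<app-version>8720-7702</app-version><threat-version>8715-7690</threat-version>
<model>PA-VM</model></system></result></response>"""
PEER_A_LIC = """<response status="success"><result><licenses>
<entry><feature>Threat Prevention</feature><expired>no</expired></entry>
<entry><feature>PAN-DB URL Filtering</feature><expired>no</expired></entry>
</licenses></result></response>"""
PEER_B_LIC = """<response status="success"><result><licenses>
<entry><feature>Threat Prevention</feature><expired>no</expired></entry>
</licenses></result></response>"""

if __name__ == "__main__":
    a = {"system": parse_system_info(PEER_A_SYS), "licenses": parse_licenses(PEER_A_LIC)}
    b = {"system": parse_system_info(PEER_B_SYS), "licenses": parse_licenses(PEER_B_LIC)}
    for severity, message in ha_parity(a, b):
        print(f"[{severity}] {message}")
```

In a live run, fetch the two documents with `op_request_url(host, key, SHOW_SYSTEM_INFO)` and `op_request_url(host, key, REQUEST_LICENSE_INFO)` over the management interfaces; the check belongs in the same pipeline that upgrades PAN-OS, since an upgrade applied to only one peer is the most common way the pair drifts.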

Traffic Flows

Incoming traffic flows

The diagram below illustrates how incoming traffic flows are processed in the Active-Passive architecture. The External Load Balancer, being a pass-through service, hands the flows to the active VM-Series firewall with the original client source address intact. After inspection, the firewall applies destination NAT to forward the flow to the intended workload. Because the workload network's default route points back to the internal load balancer, and therefore to the same active firewall, the return path is symmetric and no source NAT is required, so the workload sees the real client IP.

Incoming traffic flow

Outgoing traffic flows

The diagram below illustrates how outgoing traffic flows are processed in this architecture. All flows originating in the internal networks are forwarded to the Internal Load Balancer by the custom routes, and from there to the active VM-Series firewall. The firewall applies source NAT, translating the traffic to the external load balancer's forwarding-rule IP address, so that return traffic from the internet comes back through the external load balancer to the same firewall.

Outgoing traffic flow

Active-Passive Architecture with VM-Series NGFW

The Active-Passive design for VM-Series Next-Generation Firewalls meets several requirements that the Active-Active design with autoscaling cannot, such as:

Session synchronization and Stateful failover

With this design, sessions are synchronized over HA2 and failover is stateful if the active firewall goes down: established flows continue on the new active firewall instead of being reset. Failover can complete in as little as 3 seconds, with the load balancer health-check interval and the HA timers determining how quickly traffic is steered to the new active firewall.

IPSec termination of Site-to-Site VPN Tunnels

By using the public IP address of the External Load Balancer as the VPN gateway address, IPSec tunnels can be terminated directly on the VM-Series firewalls, giving highly available and resilient site-to-site VPN connections: after a failover the remote peer keeps talking to the same address and the tunnel comes up on the new active firewall. The external forwarding rule must pass the IKE (UDP 500 and 4500) and ESP traffic to the untrust interface.

No SNAT Solution

Some legacy applications need visibility into the original source client IP address. With this design there is no need to apply source NAT to incoming traffic flows: only one firewall is active at a time, and the workload's return traffic follows the default route back to the internal load balancer and the same firewall, so traffic symmetry is always maintained.

Conclusion

The Palo Alto Networks VM-Series NGFW is one of the best network security solutions to secure your Google Cloud infrastructure. It has flexible deployment options to secure the VPC traffic and protect the networks against advanced attacks.

To know more about Palo Alto Networks VM-Series NGFWs, see VM-Series Virtual Next-Generation Firewalls. For more information on licensing, see VM-Series Firewall Licensing and to generate a cost estimate based on your projected usage, use the pricing calculator. New Google Cloud users might be eligible for a free trial. Check VM-Series on Google Cloud Performance and Capacity for firewall sizing guidance on Google Cloud.

To learn more about deploying the VM-Series in Google Cloud, please visit here

To learn more about Google Cloud Security, please visit here

This is a joint blog co authored by Prasanna Bhaskaran Surendran Partner Customer Engineer, Security Specialist Tech ISV Google Cloud & Shiva V Senior Technical Marketing Engineer at Palo Alto Networks
