Scaling VM-Series to Secure Google Cloud Networks
This lab was developed with our partner, Palo Alto Networks. Your personal information may be shared with Palo Alto Networks, the lab sponsor, if you have opted in to receive product updates, announcements, and offers in your Account Profile.
GSP1115
Overview
In this lab, you will deploy and scale VM-Series ML-NGFW to secure a hub and spoke architecture in Google Cloud. VM-Series enables enterprises to secure their applications, users, and data deployed across Google Cloud and other virtualization environments.
What you'll learn
In this lab, you will perform the following tasks:
- Understand the lab topology.
- Secure VPC network traffic with VM-Series.
- Autoscale the VM-Series with cloud workloads.
Setup and requirements
Before you click the Start Lab button
Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.
This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.
To complete this lab, you need:
- Access to a standard internet browser (Chrome browser recommended).
- Time to complete the lab. Remember, once you start, you cannot pause a lab.
How to start your lab and sign in to the Google Cloud console
1. Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is the Lab Details panel with the following:
   - The Open Google Cloud console button
   - Time remaining
   - The temporary credentials that you must use for this lab
   - Other information, if needed, to step through this lab
2. Click Open Google Cloud console (or right-click and select Open Link in Incognito Window if you are running the Chrome browser).
   The lab spins up resources, and then opens another tab that shows the Sign in page.
   Tip: Arrange the tabs in separate windows, side-by-side.
   Note: If you see the Choose an account dialog, click Use Another Account.
3. If necessary, copy the Username below and paste it into the Sign in dialog.
   {{{user_0.username | "Username"}}}
   You can also find the Username in the Lab Details panel.
4. Click Next.
5. Copy the Password below and paste it into the Welcome dialog.
   {{{user_0.password | "Password"}}}
   You can also find the Password in the Lab Details panel.
6. Click Next.
   Important: You must use the credentials the lab provides you. Do not use your Google Cloud account credentials.
   Note: Using your own Google Cloud account for this lab may incur extra charges.
7. Click through the subsequent pages:
   - Accept the terms and conditions.
   - Do not add recovery options or two-factor authentication (because this is a temporary account).
   - Do not sign up for free trials.
After a few moments, the Google Cloud console opens in this tab.
Task 1. Review the lab topology
In this task, take a moment to review the diagram of the lab environment. VM-Series firewalls are deployed within a regional managed instance group to secure north/south and east/west traffic for two spoke VPC networks.
| Flow | Description |
|---|---|
| Internet to workload | Traffic from the internet to applications in the spoke networks is distributed by the External TCP/UDP Load Balancer to the VM-Series untrust interfaces (NIC0). The VM-Series inspects the traffic and forwards permissible traffic through its trust interface (NIC2) to the application in the spoke network. |
| Workload to internet | Traffic from the spoke networks destined to the internet is routed to the Internal TCP/UDP Load Balancer in the hub VPC. The VM-Series inspects the traffic and forwards permissible traffic through its untrust interface (NIC0) to the internet. |
| Workload to workload | Traffic between spoke networks is routed to the Internal TCP/UDP Load Balancer in the hub VPC. The VM-Series inspects and forwards the traffic through the trust interface (NIC2) into the hub network, which routes permissible traffic to the destination spoke network. |
Task 2. Secure traffic with VM-Series
In this task, protect a VPC network from internet bound threats by using App-ID™ and Threat Prevention™ on the VM-Series firewall.
Step 1. Secure internet inbound traffic
Internet inbound traffic is distributed by an external TCP/UDP load balancer to the VM-Series untrust interfaces. The VM-Series inspects and translates the traffic to VM A in the spoke 1 VPC.
1. Access the web service on VM A through the external load balancer and VM-Series firewall:
   http://{{{project_0.startup_script.ext_lb_ip|pending}}}
   The request to the web service is successful because the VM-Series is pre-configured to allow web-browsing traffic from the internet to VM A.
2. Access the Jenkins service on VM A by appending :8080 to the external load balancer URL:
   http://{{{project_0.startup_script.ext_lb_ip|pending}}}:8080
   The request to the Jenkins server fails because the Jenkins application has not been enabled in the VM-Series security policies. Palo Alto Networks firewalls leverage App-ID™ to identify and enable applications with layer-7 controls.
Step 2. Access the VM-Series
Access the VM-Series UI through the external address attached to its MGT interface.
1. Click Activate Cloud Shell at the top of the Google Cloud console.
2. In Cloud Shell, retrieve the EXTERNAL_IP attached to the VM-Series MGT interface:
   ```shell
   gcloud compute instances list \
     --filter='tags.items=(vmseries-tutorial)' \
     --format='value(EXTERNAL_IP)'
   ```
   Example output:
   ```text
   1.2.3.4
   ```
3. In a separate browser tab, log into the VM-Series at the EXTERNAL_IP (use https).
   | Key | Value |
   |---|---|
   | Username | |
   | Password | |
Step 3. Safely enable applications
Palo Alto Networks App-ID™ enables you to see applications on your network and learn their behavioral characteristics with their relative risk. You can use App-ID™ to enable Jenkins traffic through the VM-Series security policies.
1. On the VM-Series, go to Policies → Security. Click the allowed applications column within the inbound-web security policy.
2. Click ADD and search for jenkins. Click OK.
3. Click Commit → Commit to apply the changes to the VM-Series configuration.
4. Once the commit completes, access the Jenkins service again:
   http://{{{project_0.startup_script.ext_lb_ip|pending}}}:8080
   The Jenkins page resolves because you enabled the jenkins application within the VM-Series security policies.
5. On the VM-Series, go to Monitor → Traffic. Enter the query below to filter for jenkins traffic:
   ```text
   ( app eq jenkins )
   ```
   Notice that the jenkins application was denied before it was added to the inbound-web security policy.
   This is because the VM-Series uses multiple identification techniques to determine the exact identity of applications traversing your network, including those that try to evade detection by masquerading as legitimate traffic.
Step 4. Secure egress VPC traffic
The VM-Series secures outbound internet traffic from the spoke networks and east-west traffic traversing between spoke networks. All egress traffic from the spoke networks is routed to an internal TCP/UDP load balancer that distributes traffic to the VM-Series trust interfaces for inspection.
1. In Cloud Shell, SSH to VM B in the spoke2 network, entering the password Pal0Alt0@123 when prompted:
   ```shell
   ssh paloalto@{{{project_0.startup_script.ext_lb_ip|pending}}}
   ```
   Just like the jenkins example in the previous step, the SSH session is distributed by the external load balancer. The VM-Series inspects and translates the traffic to VM B.
2. From VM B, attempt to download a pseudo-malicious file from the internet:
   ```shell
   wget www.eicar.org/download/eicar.com.txt
   ```
   The download fails with output similar to:
   ```text
   Resolving www.eicar.org (www.eicar.org)... 89.238.73.97, 2a00:1828:1000:2497::2
   Connecting to www.eicar.org (www.eicar.org)|89.238.73.97|:80... connected.
   HTTP request sent, awaiting response... 503 Service Unavailable
   2023-04-14 20:16:57 ERROR 503: Service Unavailable.
   ```
   The eicar file is considered safe and is used to test threat prevention capabilities.
3. Generate pseudo-malicious traffic from VM B to VM A:
   ```shell
   curl http://10.1.0.10/cgi-bin/../../../..//bin/cat%20/etc/passwd
   curl -H 'User-Agent: () { :; }; 123.123.123.123:9999' http://10.1.0.10/cgi-bin/test-critical
   ```
4. On the VM-Series, go to Monitor → Threat to view the threat logs.
   Security profiles include:
   - Antivirus
   - Anti-Spyware
   - Vulnerability Protection
   - URL Filtering
   - File Blocking
   - WildFire Analysis
Click Check my progress to verify the objective.
Task 3. Autoscale the VM-Series
Autoscaling enables you to scale the VM-Series protecting your cloud assets while providing high availability through cross-zone redundancy.
The VM-Series firewall publishes native PAN-OS™ metrics to Google Cloud Monitoring. Each metric can be set as an autoscaling parameter within the managed instance group.
- Dataplane CPU utilization
- Dataplane packet buffer utilization
- New connections per second
- Throughput (Kbps)
- Throughput (packets per second)
- Total number of active sessions
- Session utilization
- SSL forward proxy utilization
Step 1. Review PAN-OS metrics in Cloud Monitoring
The lab creates a custom Cloud Monitoring dashboard that displays several of the VM-Series metrics.
1. In Google Cloud, select Monitoring → Dashboards. Select the dashboard VM-Series Metrics.
2. The dashboard displays various PAN-OS metrics from the VM-Series instance group.
   These metrics can be used within the regional managed instance group to scale the VM-Series firewalls. For example, you can scale the VM-Series if Dataplane CPU utilization exceeds 90% for more than 5 minutes.
Step 2. Scaling the VM-Series
The managed instance group created within the lab sets the minimum and the maximum number of VM-Series replicas to 1. Here, modify the minimum and the maximum number of replicas to manually increase the number of running firewalls.
1. In Google Cloud, go to Compute Engine → Instance Groups → vmseries. Click EDIT.
2. In the Autoscaling section, modify the min and max number of instances:
   | Key | Value |
   |---|---|
   | Minimum number of instances | 2 |
   | Maximum number of instances | 3 |
3. Click Save.
4. Go to Compute Engine → VM instances. A new firewall should now be deployed.
5. Copy the public IP attached to NIC1 on the new firewall and paste it into a browser tab (use https).
   | Key | Value |
   |---|---|
   | Username | |
   | Password | |
   In production environments, it is recommended to use Panorama. Panorama enables you to scale firewalls horizontally while managing the firewalls as a single entity.
6. On the scaled VM-Series, navigate to Monitor → Traffic. The traffic logs should be populated, demonstrating that the scaled VM-Series is now processing traffic.
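As an added example, which is not part of the lab and not Palo Alto Networks' or Google's own tooling, the same change made from Cloud Shell with gcloud, additionally attaching a PAN-OS metric as the autoscaling signal so the group grows on dataplane load rather than only by hand. The region, the metric name under custom.googleapis.com/VMSeries/ and the 5-minute cool-down are assumptions; with DRY_RUN=1 (the default) the script only prints the command it would run.

```shell
#!/usr/bin/env bash
# Added example (not lab code): scale the lab's regional MIG from gcloud and
# drive it from a PAN-OS metric instead of fixed min/max values only.
set -euo pipefail

MIG_NAME="${MIG_NAME:-vmseries}"   # instance group name used by the lab
REGION="${REGION:-us-central1}"    # assumption: the region the lab deployed to
# Assumption: dataplane CPU metric name as published by the VM-Series
METRIC="${METRIC:-custom.googleapis.com/VMSeries/DataPlaneCPUUtilizationPct}"
DRY_RUN="${DRY_RUN:-1}"            # 1 = print the command only, 0 = run it

# Reject bounds that would break inspection: at least one firewall must stay
# up, and the maximum can never be lower than the minimum.
validate_bounds() {
  local min="$1" max="$2"
  [ "$min" -ge 1 ] && [ "$max" -ge "$min" ]
}

# Compose the gcloud call. A GAUGE custom metric with utilization-target=90
# makes the autoscaler add replicas while the group's average dataplane CPU
# stays above 90%, within min/max. The cool-down keeps a freshly booted
# firewall's metrics out of the decision until it has had time to initialise.
build_autoscale_cmd() {
  local min="$1" max="$2" target="$3" cooldown="$4"
  validate_bounds "$min" "$max" || return 1
  printf '%s' \
    "gcloud compute instance-groups managed set-autoscaling ${MIG_NAME}" \
    " --region=${REGION}" \
    " --min-num-replicas=${min} --max-num-replicas=${max}" \
    " --cool-down-period=${cooldown}" \
    " --custom-metric-utilization=metric=${METRIC},utilization-target=${target},utilization-target-type=GAUGE"
}

# Print or execute the composed command.
apply_autoscaling() {
  local cmd
  cmd="$(build_autoscale_cmd "$@")"
  if [ "$DRY_RUN" = "1" ]; then
    echo "DRY RUN: $cmd"
  else
    eval "$cmd"
  fi
}

# Lab values from Step 2: min 2, max 3; scale out above 90% dataplane CPU
# with a 5-minute cool-down.
apply_autoscaling 2 3 90 300s
```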
Click Check my progress to verify the objective.
Congratulations!
Congratulations! You have completed the lab. You have learned about the fundamental networking concepts that enable you to deploy and scale Palo Alto Networks VM-Series next-generation firewalls in Google Cloud.
Next steps / Learn more
Please click the following links for additional information:
- To learn more, please visit us at https://paloaltonetworks.com.
- For issues with this lab, please email us at google-tech@paloaltonetworks.com.
Google Cloud training and certification
...helps you make the most of Google Cloud technologies. Our classes include technical skills and best practices to help you get up to speed quickly and continue your learning journey. We offer fundamental to advanced level training, with on-demand, live, and virtual options to suit your busy schedule. Certifications help you validate and prove your skill and expertise in Google Cloud technologies.
Manual Last Updated: November 5, 2024
Lab Last Tested: November 5, 2024
Copyright 2024 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.