Scaling VM-Series to Secure Google Cloud Networks

Lab: 1 hour, 7 Credits, Advanced
This lab was developed with our partner, Palo Alto Networks. Your personal information may be shared with Palo Alto Networks, the lab sponsor, if you have opted in to receive product updates, announcements, and offers in your Account Profile.

GSP1115


Overview

In this lab, you will deploy and scale VM-Series ML-NGFW to secure a hub and spoke architecture in Google Cloud. VM-Series enables enterprises to secure their applications, users, and data deployed across Google Cloud and other virtualization environments.


What you'll learn

In this lab, you will perform the following tasks:

  • Understand the lab topology.
  • Secure VPC network traffic with VM-Series.
  • Autoscale the VM-Series with cloud workloads.

Setup and requirements

Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.

To complete this lab, you need:

  • Access to a standard internet browser (Chrome browser recommended).

    Note: Use an Incognito or private browser window to run this lab. This prevents any conflicts between your personal account and the Student account, which may cause extra charges incurred to your personal account.
  • Time to complete the lab. Remember, once you start, you cannot pause a lab.

    Note: If you already have your own personal Google Cloud account or project, do not use it for this lab to avoid extra charges to your account.

How to start your lab and sign in to the Google Cloud console

  1. Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is the Lab Details panel with the following:

    • The Open Google Cloud console button
    • Time remaining
    • The temporary credentials that you must use for this lab
    • Other information, if needed, to step through this lab
  2. Click Open Google Cloud console (or right-click and select Open Link in Incognito Window if you are running the Chrome browser).

    The lab spins up resources, and then opens another tab that shows the Sign in page.

    Tip: Arrange the tabs in separate windows, side-by-side.

    Note: If you see the Choose an account dialog, click Use Another Account.
  3. If necessary, copy the Username below and paste it into the Sign in dialog.

    {{{user_0.username | "Username"}}}

    You can also find the Username in the Lab Details panel.

  4. Click Next.

  5. Copy the Password below and paste it into the Welcome dialog.

    {{{user_0.password | "Password"}}}

    You can also find the Password in the Lab Details panel.

  6. Click Next.

    Important: You must use the credentials the lab provides you. Do not use your Google Cloud account credentials. Note: Using your own Google Cloud account for this lab may incur extra charges.
  7. Click through the subsequent pages:

    • Accept the terms and conditions.
    • Do not add recovery options or two-factor authentication (because this is a temporary account).
    • Do not sign up for free trials.

After a few moments, the Google Cloud console opens in this tab.

Note: To view a menu with a list of Google Cloud products and services, click the Navigation menu at the top-left.

Note: Keep your labs open in a separate browser tab or window. The outputs generated in the are used throughout the lab.

Task 1. Review the lab topology

In this task, take a moment to review the diagram of the lab environment. VM-Series firewalls are deployed within a regional managed instance group to secure north/south and east/west traffic for two spoke VPC networks.

Flow / Description

Internet to workload: Traffic from the internet to applications in the spoke networks is distributed by the External TCP/UDP Load Balancer to the VM-Series untrust interfaces (NIC0). The VM-Series inspects the traffic and forwards permissible traffic through its trust interface (NIC2) to the application in the spoke network.

Workload to internet: Traffic from the spoke networks destined to the internet is routed to the Internal TCP/UDP Load Balancer in the hub VPC. The VM-Series inspects the traffic and forwards permissible traffic through its untrust interface (NIC0) to the internet.

Workload to workload: Traffic between spoke networks is routed to the Internal TCP/UDP Load Balancer in the hub VPC. The VM-Series inspects and forwards the traffic through the trust interface (NIC2) into the hub network, which routes permissible traffic to the destination spoke network.

Task 2. Secure traffic with VM-Series

In this task, protect a VPC network from internet bound threats by using App-ID™ and Threat Prevention™ on the VM-Series firewall.

Step 1. Secure internet inbound traffic

Internet inbound traffic is distributed by an external TCP/UDP load balancer to the VM-Series untrust interfaces. The VM-Series inspects and translates the traffic to VM A in the spoke 1 VPC.

  1. Access the web service on VM A through the external load balancer and VM-Series firewall.

    http://{{{project_0.startup_script.ext_lb_ip|pending}}}
    The request to the web service is successful because the VM-Series is pre-configured to allow web-browsing traffic from the internet to VM A.
  2. Access the Jenkins service on VM A by appending :8080 to the external load balancer URL.

    http://{{{project_0.startup_script.ext_lb_ip|pending}}}:8080
    The request to the Jenkins server fails because the Jenkins application has not been enabled in the VM-Series security policies. Palo Alto Networks firewalls leverage App-ID™ to identify and enable applications with layer-7 controls.

Step 2. Access the VM-Series

Access the VM-Series UI through the external address attached to its MGT interface.

  1. Click Activate Cloud Shell at the top of the Google Cloud console.

  2. In Cloud Shell, retrieve the EXTERNAL_IP attached to the VM-Series MGT interface.

    gcloud compute instances list \
      --filter='tags.items=(vmseries-tutorial)' \
      --format='value(EXTERNAL_IP)'

    Output (the address in your lab will differ):

    1.2.3.4
  3. In a separate browser tab, log into the VM-Series at the EXTERNAL_IP (use https).

    Key Value
    Username
    Password

Step 3. Safely enable applications

Palo Alto Networks App-ID™ enables you to see applications on your network and learn their behavioral characteristics with their relative risk. You can use App-ID™ to enable Jenkins traffic through the VM-Series security policies.

  1. On the VM-Series, go to Policies → Security. Click the allowed applications column within the inbound-web security policy.

  2. Click ADD and search for jenkins. Click OK.

  3. Click Commit → Commit to apply the changes to the VM-Series configuration.

  4. Once the commit completes, access the Jenkins service again.

    http://{{{project_0.startup_script.ext_lb_ip|pending}}}:8080
    The Jenkins page resolves because you enabled the jenkins application within the VM-Series security policies.
  5. On the VM-Series, go to Monitor → Traffic. Enter the query below to filter for jenkins traffic.

    ( app eq jenkins )

    Notice the jenkins application was denied before it was added to the inbound-web security policy.

    This is because the VM-Series uses multiple identification techniques to determine the exact identity of applications traversing your network, including those that try to evade detection by masquerading as legitimate traffic.

Step 4. Secure egress VPC traffic

The VM-Series secures outbound internet traffic from the spoke networks and east-west traffic traversing between spoke networks. All egress traffic from the spoke networks is routed to an internal TCP/UDP load balancer that distributes traffic to the VM-Series trust interfaces for inspection.


  1. In Cloud Shell, SSH to VM B in the spoke2 network.

    ssh paloalto@{{{project_0.startup_script.ext_lb_ip|pending}}}

    Password: Pal0Alt0@123

    Just like the jenkins example in the previous step, the SSH session is distributed by the external load balancer. The VM-Series inspects and translates the traffic to VM B.
  2. From VM B, attempt to download a pseudo malicious file from the internet.

    wget www.eicar.org/download/eicar.com.txt

    Resolving www.eicar.org (www.eicar.org)... 89.238.73.97, 2a00:1828:1000:2497::2
    Connecting to www.eicar.org (www.eicar.org)|89.238.73.97|:80... connected.
    HTTP request sent, awaiting response... 503 Service Unavailable
    2023-04-14 20:16:57 ERROR 503: Service Unavailable.

    The EICAR file is a harmless test file and is used to test threat prevention capabilities.
  3. Generate pseudo malicious traffic from VM B to VM A.

    curl http://10.1.0.10/cgi-bin/../../../..//bin/cat%20/etc/passwd

    curl -H 'User-Agent: () { :; }; 123.123.123.123:9999' http://10.1.0.10/cgi-bin/test-critical
  4. On the VM-Series, go to Monitor → Threat to view the threat logs.

The firewall’s security policies enable you to allow or block traffic on your network based on the user, application, and device. When traffic matches the allow rule defined in the security policy, the security profiles that are attached to the rule provide further content inspection.

Security profiles include:
  • Antivirus
  • Anti-Spyware
  • Vulnerability Protection
  • URL Filtering
  • File Blocking
  • WildFire Analysis
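As an added illustration that is not part of the lab and not PAN-OS code, the following Python script shows, in software, the kind of content-level check a security profile performs on traffic an allow rule has already admitted. It parses a few constructed web-server access-log lines (the two suspicious request shapes mirror the test requests the lab sends from VM B to VM A; the 10.2.0.x client addresses are assumed) and flags a path-traversal segment in the URL and the Shellshock function-definition pattern in the User-Agent header. The names SAMPLE_LOG, parse_line, is_traversal, classify and scan are this example's own.

```python
import re
from urllib.parse import unquote

# Constructed combined-format access-log lines (assumed sample data, not lab
# output). The first two request shapes match the lab's test requests from
# VM B to VM A; 10.2.0.10 and 10.2.0.11 are assumed client addresses.
SAMPLE_LOG = """\
10.2.0.10 - - [14/Apr/2023:20:18:01 +0000] "GET /cgi-bin/../../../..//bin/cat%20/etc/passwd HTTP/1.1" 404 196 "-" "curl/7.81.0"
10.2.0.10 - - [14/Apr/2023:20:18:02 +0000] "GET /cgi-bin/test-critical HTTP/1.1" 404 196 "-" "() { :; }; 123.123.123.123:9999"
10.2.0.11 - - [14/Apr/2023:20:18:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Combined log format: client ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock probes carry a bash function definition ("() {") in a header value.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_traversal(path):
    """Flag a '..' path segment after one round of percent-decoding, so that
    encoded forms such as %2e%2e are treated the same as a literal '..'."""
    return ".." in unquote(path).split("/")


def classify(entry):
    """Return the list of signature names matched by one parsed log entry."""
    findings = []
    if is_traversal(entry["path"]):
        findings.append("path-traversal")
    if SHELLSHOCK_RE.search(entry["ua"]):
        findings.append("shellshock-header")
    return findings


def scan(log_text):
    """Run the signatures over every parsable line and collect alerts."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # unparsable lines are skipped rather than crashing the scan
        findings = classify(entry)
        if findings:
            alerts.append({"src": entry["src"], "path": entry["path"],
                           "status": entry["status"], "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Both test requests are flagged even though the web server answered them with a 404: the firewall's profiles, like this script, judge the request content rather than the server's response, which is why the lab's Threat log shows entries for requests that never reached a real CGI script.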

Click Check my progress to verify the objective. Safely enable the jenkins application with App-ID

Task 3. Autoscale the VM-Series

Autoscaling enables you to scale the VM-Series protecting your cloud assets while providing high availability through cross-zone redundancy.

The VM-Series firewall publishes native PAN-OS™ metrics to Google Cloud Monitoring. Each metric can be set as an autoscaling parameter within the managed instance group.

Custom PAN-OS metrics include:
  • Dataplane CPU utilization
  • Dataplane packet buffer utilization
  • New connections per second
  • Throughput (Kbps)
  • Throughput (packets per second)
  • Total number of active sessions
  • Session utilization
  • SSL forward proxy utilization

Step 1. Review PAN-OS metrics in Cloud Monitoring

The lab creates a custom Cloud Monitoring dashboard that displays several of the VM-Series metrics.

  1. In Google Cloud, select Monitoring → Dashboards. Select the dashboard VM-Series Metrics.

  2. The dashboard displays various PAN-OS metrics from the VM-Series instance group.

    These metrics can be used within the regional managed instance group to scale the VM-Series firewalls.

    For example, you can scale VM-Series if Dataplane CPU utilization exceeds 90% for more than 5 minutes.
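To make a rule such as "scale if Dataplane CPU utilization exceeds 90% for more than 5 minutes" concrete, here is an added Python illustration of the decision logic. It is not the Google Cloud autoscaler's own algorithm and not lab code: it scales out by one replica when the metric has stayed above a threshold for a sustained window, scales in by one when the metric has stayed below a lower threshold, and always clamps the result to the instance group's minimum and maximum. The Policy class, the sample metric series, and the 30% scale-in threshold are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

Sample = Tuple[int, float]  # (seconds since start, metric value)


@dataclass
class Policy:
    """Scaling parameters; thresholds are percent dataplane CPU (assumed units)."""
    scale_out_threshold: float  # scale out when the metric stays above this
    scale_in_threshold: float   # scale in when the metric stays below this
    sustain_seconds: int        # how long the condition must hold
    min_replicas: int
    max_replicas: int


# Constructed 60-second samples (assumed values, not lab metrics).
HIGH_CPU: List[Sample] = [(0, 40.0), (60, 95.0), (120, 96.0), (180, 93.0),
                          (240, 97.0), (300, 94.0), (360, 98.0)]
LOW_CPU: List[Sample] = [(0, 85.0), (60, 20.0), (120, 25.0), (180, 18.0),
                         (240, 22.0), (300, 19.0), (360, 21.0)]


def sustained(samples: List[Sample], predicate: Callable[[float], bool],
              sustain_seconds: int) -> bool:
    """True if the predicate held for every sample in an unbroken run that ends
    at the latest sample and spans at least sustain_seconds."""
    run_start = None
    for t, value in samples:
        if predicate(value):
            if run_start is None:
                run_start = t
        else:
            run_start = None  # one sample outside the condition resets the run
    return run_start is not None and samples[-1][0] - run_start >= sustain_seconds


def desired_replicas(current: int, samples: List[Sample], policy: Policy) -> int:
    """Decide the next replica count from the metric history."""
    if sustained(samples, lambda v: v > policy.scale_out_threshold, policy.sustain_seconds):
        target = current + 1
    elif sustained(samples, lambda v: v < policy.scale_in_threshold, policy.sustain_seconds):
        target = current - 1
    else:
        target = current
    # The instance group's bounds always win: raising the minimum (as the lab's
    # manual step does) forces an extra firewall even with no load at all.
    return max(policy.min_replicas, min(policy.max_replicas, target))


if __name__ == "__main__":
    lab_policy = Policy(90.0, 30.0, 300, 1, 3)
    print("high load, 1 running ->", desired_replicas(1, HIGH_CPU, lab_policy))
    print("low load, 2 running  ->", desired_replicas(2, LOW_CPU, lab_policy))
```

Requiring the whole window to stay over the threshold, rather than reacting to a single sample, is what keeps a short burst from launching a firewall that takes minutes to boot and then sits idle; the same sustained check on the way down gives the scale-in the hysteresis it needs.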

Step 2. Scaling the VM-Series

The managed instance group created within the lab sets the minimum and the maximum number of VM-Series replicas to 1. Here, modify the minimum and the maximum number of replicas to manually increase the number of running firewalls.

  1. In Google Cloud, go to Compute Engine → Instance Groups → vmseries. Click EDIT.

  2. In the Autoscaling section, modify the min and max number of instances:

    Key Value
    Minimum number of instances 2
    Maximum number of instances 3
  3. Click Save.

  4. Go to Compute Engine → VM instances. A new firewall should now be deployed.

  5. Copy the public IP attached to NIC1 on the new firewall and paste it into a browser tab (use https).

    Key Value
    Username
    Password
    In production environments, it is recommended to use Panorama. Panorama enables you to scale firewalls horizontally while managing the firewalls as a single entity.
  6. On the scaled VM-Series, navigate to Monitor → Traffic. The traffic logs should be populated demonstrating the scaled VM-Series is now processing traffic.


Click Check my progress to verify the objective. Autoscale the VM-Series

Congratulations!

Congratulations! You have completed the lab. You have learned about the fundamental networking concepts that enable you to deploy and scale Palo Alto Networks VM-Series next generation firewall in Google Cloud.


Manual Last Updated: September 20, 2023

Lab Last Tested: September 20, 2023

Copyright 2024 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.