Deploy Prisma AIRS AI Runtime Firewall in GCP

Where Can I Use This?	What Do I Need?
Prisma AIRS Firewall deployment in GCP	Onboard Cloud Account in GCP

This section guides you through deploying a Terraform template to add Prisma AIRS AI Runtime Firewall protection for GCP cloud resources.

On this page, you will configure Prisma AIRS AI Runtime Firewall in Strata Cloud Manager, download the corresponding Terraform template, and deploy it in your cloud environment. This setup will integrate the firewall in your cloud network architecture, enabling comprehensive monitoring and protection of your assets.

After onboarding the cloud account, the Strata Cloud Manager command center dashboard will show asset discovery with no firewall protection deployed. Unprotected traffic paths to and from applications, AI models, and the internet are marked in red until you add firewall protection. For more details, see Discover Your Cloud Resources.

1. Log in to Strata Cloud Manager.
2. Navigate to AI Security AI Runtime Firewall.
3. Select Add Protections ("+" icon).
4. Select Cloud Service Provider as Google Cloud and select Next.

5. In Firewall Placement, select one or more traffic flows to inspect.

   The following table shows the network traffic type that the Prisma AIRS AI Runtime Firewall or the VM-Series firewall can support:

   Traffic Type	AI Runtime Security Firewall	VM-Series
   AI Traffic - Traffic between your applications and AI Models	✅
   Non-AI Traffic and namespaces (example, kube-system)	✅
   Cluster Traffic	✅
   Non-AI and non-cluster traffic	✅	✅

   When you select any namespace, the VM-Series firewall option becomes unavailable because only Prisma AIRS AI Runtime Firewall can secure these namespaces.
6. Select Next.
7. In Region & Applications:

   1. Select your cloud account to secure from the onboarded cloud accounts list.
   2. Select a region in which you want to protect the applications.
   3. In Selected applications:

   4. Select the applications to secure from the available list. This list includes application workloads such as namespaces or VPCs.

      The available applications are determined by the application definition criteria you configured during cloud account onboarding in the “Application Definition” step.
   5. Set the Public IP address on the External Load Balancer (ELB) for each application by selecting:

      • Auto generate: Automatically assigns an ephemeral (temporary) IP address to your application.
      • Input manually: Create and assign a static IP address to your application.
        For more details, refer to the Google Cloud documentation for configuring static external IP addresses.

      Each application is mapped to one public ELB IP address.
   6. Configure Traffic Inspection to protect your clusters at namespace-level only:

      Traffic steering inspection is available only when you select namespaces from the applications list. Select the namespace and configure how to handle traffic from specific network segments (Limit to 10 CIDRs per cluster that can be inspected or bypassed at any time):

      • Inspect certain CIDRs: Only inspect traffic from specified subnet ranges.
      • Bypass certain CIDRs: Exclude traffic from specified subnet ranges from inspection.
        For container applications, all traffic to and from the applications is protected by default. Use traffic inspection options only when you need granular control over which network segments are inspected or bypassed.

        When protecting traffic from namespaces using traffic inspection, select only the namespace and not its parent VPC to avoid deployment failures. The same GWLB endpoint can't be used for both VPC and namespace-level protection in the same zone.

      When configuring traffic steering using SCM, you annotate the pod in the following order:

      • kubectl annotate <namespace-to-be-annotated> paloaltonetworks.com/firewall=pan-fw (for VPC level security)
      • kubectl annotate pods --all paloaltonetworks.com/subnetfirewall=ns-secure/bypassfirewall (for namespace-level security)

      To configure Traffic Steering with Panorama, you need to:

      • Modify the Container Network Interface (CNI) to read a Palo Alto Networks customer resource. After reading the annotation, the CNI programs the routing on the app pods based on the option of FIREWALL INSPECT/BYPASS.
      • Update the custom resource file (Helm folder > Templates > Create CustomerResource.YAML). In the custom resource file, you can use FIREWALL to inspect limited CIDRs and BYPASS to avoid certain CIDRs. The appname/bypassfirewall keyword is used for both inspect and bypass traffic operations.
   7. Select the Undiscovered VPC(s) tab to discover or add a new VPC.
   8. Select Add VPC.

      Configure the following:

      • VPC Name to secure.
      • VPC CIDRs IP range values.
      • Optional K8s pod CIDRs IP range values.
      • Optional K8s service CIDRs IP range values.
      • Cluster Id.
      • CIDR ranges to be inspected in the Inspect certain CIDRs field.
      • CIDR ranges to be bypassed in the Bypass certain CIDRs field.
      • Select Submit.
   9. Select Next.
8. In Protection Settings:

   1. In the Deployment parameters, select AI Runtime Security or VM-Series firewall type based on the type of traffic you decided to protect in the Firewall Placement step.
   2. Enter the Service account attached to security VM.
   3. Enable Auto-Deploy Security; by default, this option is disabled.
   4. Enter Number of firewalls to deploy.
   5. Select zones to deploy firewalls from the available zones.
   6. Choose the instance type for the security VM. (See Machine families resource and comparison guide for details).
   7. In Firewall Scaling, select Static or Dynamic to configure autoscaling.

      With autoscaling, you can choose between static or dynamic scaling models during deployment. Dynamic scaling allows you to select from several metrics to base your autoscaling decisions on, giving you fine-grained control over how your security infrastructure adapts to changing conditions. This approach ensures that your security posture remains robust during traffic surges while optimizing license consumption during periods of lower demand. After traffic decreases and firewalls are deactivated, the system automatically removes the firewalls from inventory and returns licenses to your pool for future scaling events.

      Selecting Dynamic firewall scaling allows you to configure additional metrics:

      • Specify the Number of Firewalls to Deploy by entering a range (minimum to maximum).
      • Enter the Cloudwatch Namespace.
      • Set the Update Interval; 1-60 minutes.
      • Use the drop-down menu to select Auto-Scaling Metrics; specify the input percentage.
      • Click Apply.

      After completing the Firewall Information section you can configure IP Addressing, Licensing and Management Parameters.
9. Configure the following:

   IP addressing scheme	Licensing	Management parameters
   CIDR value for untrust VPC. CIDR value for trust VPC. CIDR value for management VPC.	Enter the following values: PAN OS version for your image from the available list. Flex authentication code (Copy AUTH CODE for the deployment profile you created for Prisma AIRS AI Runtime Firewall in Customer Support Portal). Device Certificate PIN ID. Device Certificate PIN value.	In Management parameters, enter the following: List CIDR ranges to be allowed access to the management interface. The SSH key to be used for login (see how to Create SSH keys). Manage by SCM and then select the SCM folder to group the Prisma AIRS AI Runtime Firewall. Refer to Workflows: Folders - Strata Cloud Manager. Manage by Panorama: For firewall management through Panorama, refer to the section on configuring your firewall to be managed by Panorama.

10. Select Next.
11. In the Review Architecture screen:

    • Enter a unique Terraform template name. (Use only lowercase letters, numbers, and hyphens. (Don't use a hyphen at the beginning or end, and limit the name to under 19 characters).
    • Create terraform template.
    • Save and Download Terraform Template.
    • Close the deployment workflow to exit.
12. Unzip the downloaded file. Navigate to <unzipped-folder> with 2 directories: `architecture` and `modules`. Deploy the Terraform templates in your cloud environment following the `README.md` file in the `architecture` folder.
13. Initialize and apply the Terraform for the security_project.

    The `security_project` contains the Terraform plan to deploy a Prisma AIRS AI Runtime Firewall in your architecture. The Terraform plan creates the required resources to deploy Prisma AIRS: AI Runtime Firewall with inline prevention mode, including the managed instance groups, load balancers, and health checks.

    cd architecture //Change directory to architecture/security_project
    
    cd security_project
    terraform init
    terraform plan
    terraform apply
    

    The security Terraform generates the following output. Ensure to record the IP addresses within the lbs_external_ips & lbs_internal_ips outputs.

      Apply complete! Resources: 36 added, 0 changed, 0 destroyed.
    
      Outputs:
    
      lbs_external_ips = {
        "external-lb" = {
          "airs001-all-ports" = "34.xx.xxx.xx"
        }
      }
      lbs_internal_ips = {
        "internal-lb" = "10.0.2.xxx"
      }
      pubsub_subscription_id = {
        "fw-autoscale-common" = "projects/$PROJECT_ID/subscriptions/airs001-fw-autoscale-common-mig"
      }
      pubsub_topic_id = {
        "fw-autoscale-common" = "projects/$PROJECT_ID/topics/airs001-fw-autoscale-common-mig"
      }
     

    The `security_project` Terraform also creates an IP-tag collector service, enabling you to retrieve IP-tag information from clusters. These tags populate dynamic address groups (DAGs) for automated security enforcement. Refer to the section on Harvest IP-Tags from Public and Hybrid Kubernetes Clusters to Enforce Security Policy Rules for details.
14. Run the application Terraform to peer the application VPCs.

    cd ../application_project
    terraform init
    terraform plan
    terraform apply

    The application_security Terraform generates the following output:

    Apply complete! Resources: 12 added, 0 changed, 0 destroyed.

15. Configure Strata Cloud Manager or Panorama to secure VM workloads and Kubernetes clusters and deploy pods. Configure interfaces, zones, NAT policy, routers, and security policy rules.
16. Navigate to Workflows→ NGFW Setup → Device Management. The Prisma AIRS AI Runtime Firewall appears under Cloud Managed Devices.
17. Switch to the Cloud Managed Devices tab to view and manage the connected state, the configuration sync state, and the deployed Prisma AIRS licenses.

    It takes a while before the Device Status shows as connected.

    Next, view the threat logs and AI security logs for traffic inspection details.