Focus

AI Runtime Security

GCP

Table of Contents

GCP

AI Runtime Security post deployment configurations in Strata Cloud Manager (SCM) to protect VM workloads and K8s clusters.

Where Can I Use This?	What Do I Need?
Secure VMs and K8s in Strata Cloud Manager (SCM)	Deploy AI Runtime Security instance in GCP

Configure AI Runtime Security instance (firewall) Interfaces:

Select

Manage

→ Configuration

→ NGFW and Prisma Access

Select

Device Settings

→ Interfaces

Set the Configuration Scope
to your AI Runtime Security folder.

In Ethernet
tab:

Configure a Layer 3 Interface

for eth1/1 and eth1/2:

Interfaces: eth1/1 and eth1/2

Location: Specify location if applicable

Interface Type: Layer3

IP Address: Dynamic (DHCP Client)

Select the Loopback tab
, to configure the

Loopback interface

In IPv4s,
enter the ILB (Internal Load Balancer) private IP address

Set Security Zone to trust for eth1/2 and untrust for eth1/1

Ensure VR (Virtual Router) is set to default or the same as eth1/2

Create Zones. Select

Manage

→ Configuration

→ NGFW and Prisma Access

→ Device Settings

→ Zones

Configure a Logical Router:

Create a Logical Router and add the Layer 3 interfaces (eth1/1 and eth1/2).

Configure a Static Route with the ILB static IP addresses for routing. Use the trust interface gateway IP address.

Add a security policy (

Manage

→ Configuration

→ NGFW and Prisma Access

→ Security Services

→ Security Policy

→ Add Rule

Ensure the policy allows health checks from the GCP Load Balancer (LB) pool to the internal LB IP from SCM. Check session IDs to ensure the firewall responds correctly on the designated interfaces.

Configurations to Secure VM Workloads

Configure Static Routes for VPC Endpoints.

Select

Manage

→ Configuration

→ NGFW and Prisma Access

→ Device Settings

→ Routing

→ Logical Routers

For VPC Subnet:

Edit
the IPv4 Static Routes
and add the route for the VPC IPv4 range CIDR subnets.

Set the Next Hop
as eth1/2.

Set the Destination
as the trust subnet gateway IP from SCM.

Update
the static route.

Save
the logical router.

Select

Manage

→ Operations

→ Push Config

and push the policy configurations to the AI Runtime Security instance.

Configurations to Secure the Kubernetes Clusters

Add pod and service IP Subnets to AI Runtime Security trust firewall rules:

Get the IP addresses for pod and service subnets:

Go to Kubernetes Engine -> Clusters
.

Select a Cluster and copy the Cluster Pod IPv4 and IPv4 Service range IP addresses.

Follow the AI Runtime Security Instance deployment in GCP to save and download the Terraform template.

Edit the Terraform template to whitelist the following IP addresses in your VPC network firewall rules:

Navigate to the `<unzipped-folder>/architecture/security_project` directory.

Edit the `terraform.tfvars` file to add the copied IP addresses list to your `source_ranges`.


firewall_rules = {
      allow-trust-ingress = {
        name             = "allow-trust-vpc"
        source_ranges    = ["35.xxx.0.0/16", "130.xxx.0.0/22", "192.xxx.0.0/16", "10.xxx.0.0/14", "10.xx.208.0/20"] # 1st 2 IPs are for health check packets. Add APP VPC/Pod/Service CIDRs
        priority         = "1000"
     
       allowed_protocol = "all"
        allowed_ports    = []
      }
}

Apply the Terraform:

terraform init
terraform plan
terraform apply

Add static routes on the Logical Router for Kubernetes workloads:

Select

Manage

→ Configuration

→ NGFW and Prisma Access

→ Device Settings

→ Routing

→ Logical Routers

Configure Static Routes for the pod and service subnets for the Kubernetes workloads:

Pod Subnet
:

Edit
the IPv4 Static Routes
and add a route with the Pod IPv4 range CIDR.

Set the Next Hop
as eth1/2 (trust interface).

Set the Destination
as the trust subnet gateway IP from SCM.

Service Subnet
:

Edit
the IPv4 Static Routes
add a route with the IPv4 Service range CIDR.

Set the Next Hop
as eth1/2 (trust interface).

Set the Destination
as the trust subnet gateway IP from SCM.

Add Source NAT Policy for Outbound Traffic:

Select

Manage

→ Configuration

→ NGFW and Prisma Access

→ Network Policies

→ NAT

Create or modify a Source NAT Policy:

Source Zone: Trust

Destination Zone: Untrust (eth1/1)

Policy Name: trust2untrust or similar.

Configure NAT settings:

Interface Address Section:

Set the Interface to eth1/1. (The translation happens at eth1/1).

If needed, create a complementary rule for the reverse direction (for example, untrust2trust).

Select

Manage

→ Operations

→ Push Config

and push the policy configurations to the AI Runtime Security instance.

Note: If you have a Kubernetes cluster running, follow the section to install a kubernetes application with Helm.

Install a Kubernetes Application with Helm

Follow the below steps to install a Kubernetes application on a K8s cluster.

Change the directory to the Helm folder:

cd <unzipped-folder>/architecture/helm

Create the `ai-runtime-security` directory and move the below files to this directory:

mkdir ai-runtime-security

mv Chart.yaml ai-runtime-security
mv values.yaml ai-runtime-security
mv templates ai-runtime-security

Install the Helm chart:

helm install ai-runtime-security ai-runtime-security --namespace kube-system --values ai-runtime-security/values.yaml

Verify the Helm installation:

#List all Helm releases
helm list -A

#Ensure the output shows your installation with details such as:
NAME                    NAMESPACE      REVISION  UPDATED                   STATUS      CHART                         APP VERSION
ai-runtime-security     kube-system    1         2024-08-13 07:00 PDT      deployed   ai-runtime-security-0.1.0    11.2.2

Check the pod status:

kubectl get pods -A
#Verify that the pods with names similar to `pan-cni-*****` are present.

Check the endpoint slices:

kubectl get endpointslice -n kube-system

#Confirm that the output shows an ILB IP address:
NAME             ADDRESSTYPE PORTS   ENDPOINTS            AGE
my-endpointslice IPv4      80/TCP  10.2xx.0.1,10.2xx.0.2 12h

Check the services running in the `kube-system` namespace:

kubectl get svc -n kube-system

#Ensure that services `pan-cni-sa` and `pan-plugin-user-secret` are listed:
NAME                    TYPE           CLUSTER-IP       EXTERNAL-IP    PORT(S)        AGE
pan-cni-sa              ClusterIP      10.xx.0.1        <none>         443/TCP        24h
pan-plugin-user-secret  ClusterIP      10.xx.0.2        <none>         443/TCP        24h

Annotate the application `yaml` or `namespace` so that the traffic from the new pods is redirected to the AI Runtime Security instance (firewall) for inspection.

annotations:       	   	 paloaltonetworks.com/firewall: pan-fw

For example, for all new pods in the "default" namespace:

kubectl annotate namespace default paloaltonetworks.com/firewall=pan-fw

AI Runtime Security Docs

GCP

AI Runtime Security Docs

GCP

Configurations to Secure VM Workloads

Configurations to Secure the Kubernetes Clusters

Install a Kubernetes Application with Helm

Recommended For You

Activation & Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Visibility & Monitoring