Secure Firewalls Deployed in GCP with Dynamic Address Groups

Learn how to configure the VM-Series firewall to monitor VMs in your project’s VPC.
In a dynamic environment such as the Google® Cloud Platform (GCP™), where you launch new instances on demand, the administrative overhead of managing Security policy can become cumbersome. Using dynamic address groups in policy enables agility and prevents disruption in services or gaps in protection.
This workflow assumes that you have deployed the VM-Series firewall, configured some applications on instances, and enabled Google Stackdriver Monitoring.
  1. Configure the deployed firewall to monitor the VPC as described in Enable VM Monitoring to Track VM Changes on GCP.
  2. Label instances in the VPC.
    A label is a name-value pair. You can label resources from the Google Cloud Console, from Google API calls, or from the Google Cloud Shell. In this task we are labeling instances; however, labels can be applied to many resources, as described in Labeling Resources.
    You can also add labels from the Instance browser.
    The labels you create support your strategy for differentiating your resources in ways that are useful to your Security policy.
  3. Create a dynamic address group on the firewall.
    1. Select Objects > Address Groups.
    2. Add a dynamic address group and specify a Name and a Description.
    3. Set Type to Dynamic.
    4. Define the match criteria.
      1. Add Match Criteria and select the And operator.
      2. Select the attributes to filter for or to match against.
    5. Click OK.
    6. Click Commit.
  4. Use the dynamic address group in a Security policy rule.
    Create a rule to allow internet access to any web server that belongs to the dynamic address group called my-data.
    1. Select Policies > Security.
    2. Add a rule, give it a Name, and verify that the Rule Type is universal.
    3. In the Source tab, add trust as the Source Zone.
    4. In the Source Address section, Add your new my-data group.
    5. In the Destination tab, add untrust as the Destination Zone.
    6. In the Service/URL Category tab, verify that the service is set to application-default.
    7. In the Actions tab, set the Action to Allow.
    8. In the Profile Settings, set the Profile Type to Profiles and then attach the default profiles for Antivirus, Anti-Spyware, and Vulnerability Protection.
    9. Click OK.
    10. Click Commit.
  5. Verify that members of the dynamic address group are populated on the firewall.
    Policy will be enforced for all IP addresses that belong to this address group and that are displayed here.
    1. Select Policies > Security and select the rule.
    2. Select Inspect from the drop-down. You can also verify that the match criteria are accurate.
    3. Click more to verify that the list of registered IP addresses is displayed.
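The following added example (not code from the original page or from Palo Alto Networks) models what the workflow above relies on: the firewall learns registered IP addresses and their label-derived attributes from VM monitoring, a dynamic address group resolves its members at evaluation time with AND semantics across the match criteria, and a Security rule referencing the group by name therefore covers a newly labeled instance without a policy change. The registered IPs and the `label.<key>.<value>` tag strings are constructed placeholders, not the exact attribute names PAN-OS derives from GCP labels.

```python
from dataclasses import dataclass

# Constructed sample of what VM monitoring has registered on the firewall:
# IP address -> set of attribute tags derived from the instance's labels.
# Tag strings are illustrative placeholders, not real PAN-OS attribute names.
REGISTERED_IPS = {
    "10.0.1.10": {"label.role.web", "label.env.prod"},
    "10.0.1.11": {"label.role.web", "label.env.dev"},
    "10.0.1.12": {"label.role.db", "label.env.prod"},
}


@dataclass(frozen=True)
class DynamicAddressGroup:
    name: str
    match_all: frozenset  # match criteria joined with the And operator

    def members(self, registered):
        """IPs whose tag set satisfies every criterion (AND semantics)."""
        return {ip for ip, tags in registered.items() if self.match_all <= tags}


@dataclass(frozen=True)
class SecurityRule:
    name: str
    source_zone: str
    source_group: str  # references the dynamic address group by name
    destination_zone: str
    action: str


def rule_matches(rule, groups, registered, src_zone, src_ip, dst_zone):
    """Resolve the source group when traffic is evaluated, so instances
    registered after the commit match without any policy change."""
    group = groups[rule.source_group]
    return (
        src_zone == rule.source_zone
        and dst_zone == rule.destination_zone
        and src_ip in group.members(registered)
    )


def register(registered, ip, tags):
    """Simulate VM monitoring registering a newly launched, labeled instance."""
    return {**registered, ip: set(tags)}


MY_DATA = DynamicAddressGroup("my-data", frozenset({"label.role.web", "label.env.prod"}))
GROUPS = {"my-data": MY_DATA}
ALLOW_WEB_OUT = SecurityRule("allow-web-out", "trust", "my-data", "untrust", "allow")
```

Only 10.0.1.10 satisfies both criteria initially; registering a new instance with the same labels makes it a member, and the trust-to-untrust rule admits it, while the dev web server and the database instance stay excluded.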
