Use Dynamic Address Groups to Secure Instances Within the VPC
Learn how to configure the VM-Series firewall to monitor VMs in your project’s VPC.
In a dynamic environment such as the Google® Cloud Platform (GCP™), where you launch new instances on demand, the administrative overhead of managing Security policy by IP address quickly becomes cumbersome. Using dynamic address groups in policy lets the firewall match instances on the labels it learns through VM monitoring rather than on static addresses: a new or replaced instance that carries the right label is covered by the existing rule without a policy change or commit, which keeps the environment agile and prevents service disruption or gaps in protection.
This workflow assumes that you have deployed the VM-Series firewall, configured some applications on instances, and enabled Google Stackdriver monitoring.
- Configure the firewall to monitor the VPC.
- Label instances in the VPC.
  A label is a name-value pair. You can label resources from the Google Cloud Console, from Google API calls, or from the Google Cloud Shell. In this task we label instances; however, labels can be applied to many resources, as described in Labeling Resources. You can also add labels from the Instance browser. The labels you create support your strategy for differentiating your resources in ways that are useful to your Security policy. Because the firewall treats these labels as the basis for group membership, restrict the IAM permission to set labels on instances to the same people who are allowed to change Security policy; anyone who can label an instance can move it into or out of a rule.
- Create a dynamic address group on the firewall.
  - Select Objects > Address Groups.
  - Add a dynamic address group and specify a Name and a Description.
  - Set Type to Dynamic.
  - Define the match criteria.
    - Add Match Criteria and select the And operator. With And, an instance must carry every selected attribute to become a member; use Or when any one of the attributes should qualify it.
    - Select the attributes to filter for or to match against.
  - Click OK.
  - Click Commit.
- Use the dynamic address group in a Security policy rule.
  Create a rule that allows internet access to any web server that belongs to the dynamic address group called my-data.
  - Select Policies > Security.
  - Add a rule, give it a Name, and verify that the Rule Type is universal.
  - In the Source tab, add trust as the Source Zone.
  - In the Source Address section, Add your new my-data group.
  - In the Destination tab, add untrust as the Destination Zone.
  - In the Service/URL Category tab, verify that the service is set to application-default. Scope the Application to the web applications you expect rather than leaving it as any; with application-default, the port restriction follows the applications you list.
  - In the Actions tab, set the Action to Allow.
  - In the Profile Settings, set the Profile Type to Profiles and attach the default profiles for Antivirus, Anti-Spyware, and Vulnerability Protection.
  - Click OK.
  - Click Commit.
- Verify that members of the dynamic address group are populated on the firewall.
  Policy is enforced for every IP address that belongs to this address group and is displayed here.
  - Select Policies > Security and select the rule.
  - Select Inspect from the drop-down on the my-data group. You can also verify that the match criteria are accurate.
  - Click more to verify that the list of registered IP addresses is displayed. If the list is empty, either the match criteria do not correspond to any attribute the firewall has learned or VM monitoring has not yet polled the project; check the monitoring source before changing the rule.
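The same procedure driven from a script, as an added example that is not Palo Alto Networks code: it builds the XML API request that creates the dynamic address group (step 3), parses a response to the registered-IP operational command behind the verification step, and evaluates the group's match criteria against the registered tags so you can predict membership before committing. Assumptions: a standalone firewall with vsys1 (the xpath), an API key placeholder, GCP labels registering as tags of the form google.gce.label.<key>.<value> (the exact attribute naming is assumed here), and a sample registered-IP response that is constructed rather than captured.

```python
"""Added example (not Palo Alto Networks code): the API calls behind the
procedure above, plus a predictor of which registered IPs land in my-data.
Assumed: vsys1 on a standalone firewall; GCP labels register as tags named
google.gce.label.<key>.<value>; the sample response below is constructed."""
import re
import xml.etree.ElementTree as ET

API_KEY = "REPLACE_WITH_API_KEY"   # placeholder; sent as the 'key' parameter
VSYS_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
              "/vsys/entry[@name='vsys1']")
# Match criteria for my-data: both tags must be present (the And operator).
MY_DATA_FILTER = "'google.gce.label.tier.web' and 'google.gce.zone.us-central1-a'"


def dag_set_request(name, description, filter_expr):
    """Query params for GET https://<fw>/api/ that create the dynamic group.
    Committing (type=commit&cmd=<commit></commit>) is a separate call."""
    entry = ET.Element("entry", name=name)
    ET.SubElement(ET.SubElement(entry, "dynamic"), "filter").text = filter_expr
    ET.SubElement(entry, "description").text = description
    return {"type": "config", "action": "set", "key": API_KEY,
            "xpath": VSYS_XPATH + "/address-group",
            "element": ET.tostring(entry, encoding="unicode")}


def parse_registered_ips(xml_text):
    """{ip: set(tags)} from the response to the op command
    <show><object><registered-ip><all/></registered-ip></object></show>."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError(f"firewall returned status {root.get('status')!r}")
    return {e.get("ip"): {m.text for m in e.iterfind("./tag/member")}
            for e in root.iterfind("./result/entry")}


# Match-criteria syntax: quoted tags joined by and/or/not, with parentheses;
# 'not' binds tightest, then 'and', then 'or'. Unquoted text is an error.
_TOKEN = re.compile(r"'([^']*)'|\(|\)|\b(and|or|not)\b", re.I)


class Filter:
    def __init__(self, expr):
        if _TOKEN.sub("", expr).strip():
            raise ValueError(f"unrecognised text in filter {expr!r}")
        self.toks = [("tag", m.group(1)) if m.group(1) is not None
                     else ("op", m.group(0).lower()) for m in _TOKEN.finditer(expr)]

    def matches(self, tags):
        self.i = 0
        val = self._or(tags)
        if self.i != len(self.toks):
            raise ValueError("trailing tokens in filter")
        return val

    def _peek(self, op):
        return self.i < len(self.toks) and self.toks[self.i] == ("op", op)

    def _or(self, tags):
        val = self._and(tags)
        while self._peek("or"):
            self.i += 1
            val = self._and(tags) or val    # evaluate both sides to consume tokens
        return val

    def _and(self, tags):
        val = self._not(tags)
        while self._peek("and"):
            self.i += 1
            val = self._not(tags) and val
        return val

    def _not(self, tags):
        if self.i >= len(self.toks):
            raise ValueError("filter ends unexpectedly")
        kind, text = self.toks[self.i]
        self.i += 1
        if kind == "tag":
            return text in tags
        if text == "not":
            return not self._not(tags)
        if text == "(":
            val = self._or(tags)
            if not self._peek(")"):
                raise ValueError("missing ')' in filter")
            self.i += 1
            return val
        raise ValueError(f"unexpected {text!r} in filter")


def dag_members(filter_expr, registry):
    """IPs the firewall would place in the group, from what it has registered."""
    f = Filter(filter_expr)
    return sorted(ip for ip, tags in registry.items() if f.matches(tags))


# Constructed sample: two web-tier instances in different zones and one db.
SAMPLE_REGISTERED_IPS = """<response status="success"><result>
<entry ip="10.0.1.5" from-agent="0" persistent="1"><tag><member>google.gce.label.tier.web</member><member>google.gce.zone.us-central1-a</member></tag></entry>
<entry ip="10.0.2.7" from-agent="0" persistent="1"><tag><member>google.gce.label.tier.db</member><member>google.gce.zone.us-central1-a</member></tag></entry>
<entry ip="10.0.1.9" from-agent="0" persistent="1"><tag><member>google.gce.label.tier.web</member><member>google.gce.zone.us-central1-b</member></tag></entry>
<count>3</count></result></response>"""
```

Running `dag_members(MY_DATA_FILTER, parse_registered_ips(SAMPLE_REGISTERED_IPS))` against the constructed sample returns only 10.0.1.5, the one instance that carries both tags; the evaluator rejects malformed criteria (a dangling operator or unquoted text) rather than silently matching nothing, which is the failure mode that leaves a rule with an empty group.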