https://live.paloaltonetworks.com/t5/general-articles/google-cloud-network-security-integration-nsi/ta-p/1253913 <DIV class="lia-message-template-content-zone"> <H1><SPAN>Google Cloud Network Security Integration (NSI)</SPAN></H1> <P>&nbsp;</P> <P><STRONG>Author - </STRONG><A href="mailto:npandey@paloaltonetworks.com" target="_blank" rel="noopener"><STRONG><SPAN data-rich-links="{&quot;per_n&quot;:&quot;Nidhi Pandey&quot;,&quot;per_e&quot;:&quot;npandey@paloaltonetworks.com&quot;,&quot;type&quot;:&quot;person&quot;}">Nidhi Pandey</SPAN></STRONG></A></P> <H1>&nbsp;</H1> <P><SPAN>This document provides a comprehensive overview of the Network Security Integration (NSI) deployment . This document describes an in-line traffic inspection architecture using Palo Alto Networks VM-Series Next-Generation Firewalls.</SPAN></P> <P>&nbsp;</P> <P><SPAN>The NSI deployment follows Google Cloud’s producer-consumer model, where:</SPAN></P> <P>&nbsp;</P> <UL> <LI><STRONG>Producer</STRONG><SPAN> infrastructure hosts VM-Series firewalls that perform security inspection</SPAN></LI> <LI><STRONG>Consumer</STRONG><SPAN> infrastructure contains protected workloads (GKE cluster, VMs)</SPAN></LI> <LI><STRONG>Network firewall policies</STRONG><SPAN> intercept traffic and forward it to the producer for inspection</SPAN></LI> </UL> <P>&nbsp;</P> <P><SPAN>All ingress, egress, and east-west traffic within the consumer VPC is now transparently inspected by the VM-Series firewalls, providing comprehensive threat protection without requiring application changes or routing modifications.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Note</STRONG><SPAN> - Today the NSI supports single arm deployment with a software firewall.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Resources Created</STRONG></P> <P>&nbsp;</P> <P><SPAN>Use the terraform here to deploy the architecture -&nbsp;</SPAN></P> <P>&nbsp;</P> <P><A href="https://github.com/PaloAltoNetworks/google-cloud-nsi-demo" target="_blank" rel="noopener"><STRONG>https://github.com/PaloAltoNetworks/google-cloud-nsi-demo</STRONG></A></P> <P>&nbsp;</P> <P><SPAN>The following resources get created as part of the script</SPAN><STRONG>.&nbsp;</STRONG></P> <P>&nbsp;</P> <P><STRONG>Producer Resources</STRONG></P> <P>&nbsp;</P> <P><STRONG>The producer environment hosts the security inspection infrastructure:</STRONG></P> <P>&nbsp;</P> <TABLE> <TBODY> <TR> <TD> <P><STRONG>Resource Name</STRONG></P> </TD> <TD> <P><STRONG>Type</STRONG></P> </TD> <TD> <P><STRONG>Purpose</STRONG></P> </TD> </TR> <TR> <TD> <P><SPAN>nsi-data</SPAN></P> </TD> <TD> <P><SPAN>VPC Network</SPAN></P> </TD> <TD> <P><SPAN>Data plane network for VM-Series firewalls</SPAN></P> </TD> </TR> <TR> <TD> <P><SPAN>nsi-mgmt</SPAN></P> </TD> <TD> <P><SPAN>VPC Network</SPAN></P> </TD> <TD> <P><SPAN>Management network for firewall administration</SPAN></P> </TD> </TR> <TR> <TD> <P><SPAN>nsi-us-west1-data</SPAN></P> </TD> <TD> <P><SPAN>Subnet</SPAN></P> </TD> <TD> <P><SPAN>Data plane subnet (10.0.1.0/28) in &lt;region&gt;</SPAN></P> </TD> </TR> <TR> <TD> <P><SPAN>nsi-panw-mig</SPAN></P> </TD> <TD> <P><SPAN>Instance Group</SPAN></P> </TD> <TD> <P><SPAN>Regional managed instance group hosting VM-Series firewalls (min: 1, max: 1)</SPAN></P> </TD> </TR> <TR> <TD> <P><SPAN>nsi-panw-lb</SPAN></P> </TD> <TD> <P><SPAN>Backend Service</SPAN></P> </TD> <TD> <P><SPAN>Internal load balancer backend distributing traffic to VM-Series firewalls</SPAN></P> </TD> </TR> <TR> <TD> <P><SPAN>panw-lb-rule-us-west1-a</SPAN></P> </TD> <TD> <P><SPAN>Forwarding Rule</SPAN></P> </TD> <TD> <P><SPAN>Internal forwarding rule (10.0.1.3:6081 UDP) routing intercepted traffic to backend</SPAN></P> </TD> </TR> <TR> <TD> <P><SPAN>panw-nsi-dg</SPAN></P> </TD> <TD> <P><SPAN>Deployment Group</SPAN></P> </TD> <TD> <P><SPAN>Global intercept deployment group representing the firewall service</SPAN></P> </TD> </TR> <TR> <TD> <P><SPAN>panw-deployment-us-west1-a</SPAN></P> </TD> <TD> <P><SPAN>Intercept Deployment</SPAN></P> </TD> <TD> <P><SPAN>Zonal deployment (us-west1-a) linking forwarding rule to deployment group (Status: ACTIVE)</SPAN></P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P><STRONG>Consumer Resources</STRONG></P> <P>&nbsp;</P> <P><STRONG>The consumer environment contains the protected workloads:</STRONG></P> <P>&nbsp;</P> <TABLE> <TBODY> <TR> <TD width="123.086px" height="57px"> <P><STRONG>Resource Name</STRONG></P> </TD> <TD width="150.359px" height="57px"> <P><STRONG>Type</STRONG></P> </TD> <TD width="351.555px" height="57px"> <P><STRONG>Purpose</STRONG></P> </TD> </TR> <TR> <TD width="123.086px" height="57px"> <P><SPAN>consumer-vpc</SPAN></P> </TD> <TD width="150.359px" height="57px"> <P><SPAN>VPC Network</SPAN></P> </TD> <TD width="351.555px" height="57px"> <P><SPAN>Consumer VPC network hosting protected workloads</SPAN></P> </TD> </TR> <TR> <TD width="123.086px" height="57px"> <P><SPAN>us-west1-consumer</SPAN></P> </TD> <TD width="150.359px" height="57px"> <P><SPAN>Subnet</SPAN></P> </TD> <TD width="351.555px" height="57px"> <P><SPAN>Consumer subnet (10.1.0.0/24) with secondary ranges for GKE pods and services</SPAN></P> </TD> </TR> <TR> <TD width="123.086px" height="57px"> <P><SPAN>cluster1</SPAN></P> </TD> <TD width="150.359px" height="57px"> <P><SPAN>GKE Cluster</SPAN></P> </TD> <TD width="351.555px" height="57px"> <P><SPAN>Kubernetes cluster (v1.33.5) with default node pool (e2-standard-2, autoscaling 1-100)</SPAN></P> </TD> </TR> <TR> <TD width="123.086px" height="30px"> <P><SPAN>web-vm</SPAN></P> </TD> <TD width="150.359px" height="30px"> <P><SPAN>Compute Instance</SPAN></P> </TD> <TD width="351.555px" height="30px"> <P><SPAN>Web server VM for testing (IP: 10.1.0.20)</SPAN></P> </TD> </TR> <TR> <TD width="123.086px" height="30px"> <P><SPAN>client-vm</SPAN></P> </TD> <TD width="150.359px" height="30px"> <P><SPAN>Compute Instance</SPAN></P> </TD> <TD width="351.555px" height="30px"> <P><SPAN>Client VM for testing traffic flows</SPAN></P> </TD> </TR> <TR> <TD width="123.086px" height="57px"> <P><SPAN>panw-nsi-epg</SPAN></P> </TD> <TD width="150.359px" height="57px"> <P><SPAN>Endpoint Group</SPAN></P> </TD> <TD width="351.555px" height="57px"> <P><SPAN>Global endpoint group referencing producer deployment group panw-nsi-dg</SPAN></P> </TD> </TR> <TR> <TD width="123.086px" height="57px"> <P><SPAN>panw-nsi-epg-assoc</SPAN></P> </TD> <TD width="150.359px" height="57px"> <P><SPAN>Endpoint Group Association</SPAN></P> </TD> <TD width="351.555px" height="57px"> <P><SPAN>Association linking endpoint group panw-nsi-epg to consumer-vpc</SPAN></P> </TD> </TR> </TBODY> </TABLE> <H1>&nbsp;</H1> <P><STRONG>Security Resources</STRONG></P> <P>&nbsp;</P> <P><STRONG>Organization-level security policies that govern traffic interception:</STRONG></P> <P>&nbsp;</P> <TABLE> <TBODY> <TR> <TD> <P><STRONG>Resource Name</STRONG></P> </TD> <TD> <P><STRONG>Type</STRONG></P> </TD> <TD> <P><STRONG>Purpose</STRONG></P> </TD> </TR> <TR> <TD> <P><SPAN>panw-nsi-sp</SPAN></P> </TD> <TD> <P><SPAN>Security Profile</SPAN></P> </TD> <TD> <P><SPAN>Custom intercept security profile (org-level) linked to endpoint group</SPAN></P> </TD> </TR> <TR> <TD> <P><SPAN>panw-nsi-spg</SPAN></P> </TD> <TD> <P><SPAN>Security Profile Group</SPAN></P> </TD> <TD> <P><SPAN>Group containing security profile panw-nsi-sp, referenced by firewall rules</SPAN></P> </TD> </TR> <TR> <TD> <P><SPAN>consumer-policy</SPAN></P> </TD> <TD> <P><SPAN>Firewall Policy</SPAN></P> </TD> <TD> <P><SPAN>Global network firewall policy containing intercept rules</SPAN></P> </TD> </TR> <TR> <TD> <P><SPAN>Rule 10 (INGRESS)</SPAN></P> </TD> <TD> <P><SPAN>Firewall Rule</SPAN></P> </TD> <TD> <P><SPAN>Intercepts all inbound traffic (0.0.0.0/0 → 0.0.0.0/0, all protocols)</SPAN></P> </TD> </TR> <TR> <TD> <P><SPAN>Rule 11 (EGRESS)</SPAN></P> </TD> <TD> <P><SPAN>Firewall Rule</SPAN></P> </TD> <TD> <P><SPAN>Intercepts all outbound traffic (0.0.0.0/0 → 0.0.0.0/0, all protocols)</SPAN></P> </TD> </TR> <TR> <TD> <P><SPAN>consumer-policy-assoc</SPAN></P> </TD> <TD> <P><SPAN>Policy Association</SPAN></P> </TD> <TD> <P><SPAN>Associates firewall policy consumer-policy with consumer-vpc network (ACTIVE)</SPAN></P> </TD> </TR> </TBODY> </TABLE> <H1>&nbsp;</H1> <P><STRONG>How Network Security Integration Works</STRONG></P> <P>&nbsp;</P> <P><STRONG>Producer-Consumer Model</STRONG></P> <P>&nbsp;</P> <P><SPAN>Google Cloud NSI implements a producer-consumer architecture that separates security infrastructure from protected workloads:</SPAN></P> <P>&nbsp;</P> <P><STRONG>Producer Environment</STRONG></P> <P>&nbsp;</P> <UL> <LI><SPAN> Hosts the VM-Series Next-Generation Firewalls in a dedicated VPC (nsi-data)</SPAN></LI> <LI><SPAN> Firewalls are organized in a regional managed instance group for scalability</SPAN></LI> <LI><SPAN> Internal load balancer distributes intercepted traffic across firewall instances</SPAN></LI> <LI><SPAN> Deployment group (panw-nsi-dg) represents the firewall service to consumers</SPAN></LI> </UL> <P>&nbsp;</P> <P><STRONG>Consumer Environment</STRONG></P> <P>&nbsp;</P> <UL> <LI><SPAN> Contains protected workloads (GKE cluster, VMs) in consumer-vpc</SPAN></LI> <LI><SPAN> Endpoint group (panw-nsi-epg) references the producer’s deployment group</SPAN></LI> <LI><SPAN> Endpoint group association links the endpoint group to the consumer VPC</SPAN></LI> <LI><SPAN> Network firewall policies determine which traffic gets intercepted</SPAN></LI> </UL> <P>&nbsp;</P> <P><STRONG>Intercept Deployment Architecture</STRONG></P> <P>&nbsp;</P> <P><SPAN>The intercept deployment architecture consists of several layers:</SPAN></P> <P>&nbsp;</P> <OL> <LI><STRONG>Forwarding Rules<BR /></STRONG>Internal forwarding rules (panw-lb-rule-us-west1-a) provide regional entry points for intercepted traffic. These rules listen on UDP port 6081 for encapsulated packets and forward them to the backend service.<BR /><BR /></LI> </OL> <OL start="2"> <LI><STRONG>Intercept Deployments<BR /></STRONG>Zonal intercept deployments (panw-deployment-us-west1-a) link forwarding rules to the deployment group. Each deployment corresponds to a specific zone where traffic inspection is required.<BR /><BR /></LI> </OL> <OL start="3"> <LI><STRONG> Deployment Groups<BR /></STRONG>The deployment group (panw-nsi-dg) aggregates all intercept deployments and presents them as a unified service to consumers. This abstraction allows consumers to reference the firewall infrastructure without knowing implementation details.<BR /><BR /></LI> </OL> <P><STRONG>Security Profiles and Policies</STRONG></P> <P><SPAN>Security profiles and firewall policies work together to enforce traffic interception:</SPAN></P> <P>&nbsp;</P> <P><STRONG>Security Profile (panw-nsi-sp)</STRONG></P> <P><SPAN>Organization-level custom intercept profile that specifies the endpoint group to use for traffic inspection. This profile links firewall policy actions to the actual firewall infrastructure.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Security Profile Group (panw-nsi-spg)</STRONG></P> <P><SPAN>Container for one or more security profiles. Firewall rules reference the profile group rather than individual profiles, enabling flexible policy management.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Network Firewall Policy (consumer-policy)</STRONG></P> <P><SPAN>Global policy containing rules that match traffic and apply actions. Rules in this deployment use the ‘apply_security_profile_group’ action with panw-nsi-spg, causing matched traffic to be intercepted.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Traffic Encapsulation and Forwarding</STRONG></P> <P><SPAN>When traffic matches an intercept rule, Google Cloud’s dataplane performs the following operations:</SPAN></P> <P>&nbsp;</P> <P><STRONG>Step 1: Traffic Matching</STRONG></P> <P><SPAN>Network firewall policy evaluates packets against configured rules. Traffic matching rules with action ‘apply_security_profile_group’ is selected for interception.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Step 2: Encapsulation</STRONG></P> <P><SPAN>The original packet is encapsulated using GENEVE (Generic Network Virtualization Encapsulation) protocol. The outer header uses UDP port 6081 and includes metadata about the original packet’s source and destination.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Step 3: Forwarding to Producer</STRONG></P> <P><SPAN>Encapsulated traffic is sent to the endpoint group, which resolves to the producer’s deployment group. The deployment group forwards traffic to the appropriate zonal intercept deployment based on the source zone.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Step 4: Load Balancing</STRONG></P> <P><SPAN>The forwarding rule routes traffic to the internal load balancer backend service, which distributes it across healthy VM-Series firewall instances using a 5-tuple hash algorithm.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Step 5: Firewall Inspection</STRONG></P> <P><SPAN>VM-Series firewalls decapsulate packets, apply security policies (threat prevention, URL filtering, application identification), and re-encapsulate the traffic for return to the consumer.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Step 6: Return Path</STRONG></P> <P><SPAN>Inspected traffic is returned via the same encapsulation mechanism. Google Cloud’s dataplane receives the packet, decapsulates it, and forwards it to the original destination (for egress/ingress) or source (for east-west).</SPAN></P> <P>&nbsp;</P> <P><STRONG>Traffic Flow Scenarios</STRONG></P> <P>&nbsp;</P> <P><STRONG>Outbound (Egress) Traffic Flow</STRONG></P> <P>&nbsp;</P> </DIV> <DIV class="lia-message-template-content-zone"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image2.gif" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/71403i855F89192CDEC152/image-size/large?v=v2&amp;px=999" role="button" title="image2.gif" alt="image2.gif" /></span> <P>&nbsp;</P> <P><SPAN>Traffic originating from consumer workloads destined for the internet:</SPAN></P> <P>&nbsp;</P> <P><STRONG>Step 1: Workload Initiates Connection</STRONG></P> <P><SPAN>A VM or pod in consumer-vpc (e.g., client-vm at 10.1.0.x) sends a packet destined for an external IP address (e.g., <A href="http://www.example.com" target="_blank" rel="noopener">www.example.com</A>). The packet exits the workload with source IP 10.1.0.x and destination IP [external].</SPAN></P> <P>&nbsp;</P> <P><STRONG>Step 2: Firewall Policy Evaluation</STRONG></P> <P><SPAN>Google Cloud’s VPC dataplane evaluates the packet against the network firewall policy (consumer-policy). Rule 11 (EGRESS, priority 11) matches the packet because it covers all source and destination IPs.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Step 3: Traffic Interception and Encapsulation</STRONG></P> <P><SPAN>The packet is encapsulated using GENEVE protocol:</SPAN></P> <P><SPAN>Outer Header: Source IP = [consumer VPC gateway], Destination IP = 10.0.1.3 (forwarding rule), UDP Port = 6081</SPAN></P> <P><SPAN>Inner Packet: Original packet with source 10.1.0.x and destination [external IP]</SPAN></P> <P>&nbsp;</P> <P><STRONG>Step 4: Forwarding to Producer</STRONG></P> <P><SPAN>The encapsulated packet is routed to the intercept endpoint group (panw-nsi-epg), which resolves to the producer’s deployment group (panw-nsi-dg). The deployment group directs traffic to the us-west1-a intercept deployment.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Step 5: Load Balancer Distribution</STRONG></P> <P><SPAN>Forwarding rule panw-lb-rule-us-west1-a receives the packet and forwards it to the nsi-panw-lb backend service. The load balancer selects a healthy VM-Series firewall instance based on connection hash.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Step 6: VM-Series Inspection</STRONG></P> <P><SPAN>The VM-Series firewall:</SPAN></P> <P>&nbsp;</P> <UL> <LI><SPAN> Decapsulates the GENEVE packet to extract the original traffic</SPAN></LI> <LI><SPAN> Applies security policies (App-ID, threat prevention, URL filtering)</SPAN></LI> <LI><SPAN> Logs the session for visibility and compliance</SPAN></LI> <LI><SPAN> Makes a permit/deny decision based on configured security rules</SPAN></LI> </UL> <P>&nbsp;</P> <P><STRONG>Step 7: Return to Consumer (Permitted Traffic)</STRONG></P> <P><SPAN>If the traffic is permitted:</SPAN></P> <P>&nbsp;</P> <UL> <LI><SPAN> VM-Series re-encapsulates the packet with GENEVE</SPAN></LI> <LI><SPAN> Returns it to the consumer VPC dataplane</SPAN></LI> <LI><SPAN> Google Cloud decapsulates the packet and applies NAT</SPAN></LI> <LI><SPAN> Packet exits to the internet via Cloud NAT with the consumer project’s external IP</SPAN></LI> </UL> <P>&nbsp;</P> <P><STRONG>Step 8: Return Traffic (Internet to Consumer)</STRONG></P> <P><SPAN>Response packets from the internet:</SPAN></P> <P>&nbsp;</P> <UL> <LI><SPAN> Enter via Cloud NAT with destination = consumer workload IP</SPAN></LI> <LI><SPAN> Are matched by Rule 10 (INGRESS) in consumer-policy</SPAN></LI> <LI><SPAN> Follow the same interception flow (steps 3-7)</SPAN></LI> <LI><SPAN> Are decapsulated and delivered to the original workload</SPAN></LI> </UL> <P>&nbsp;</P> <P><STRONG>Ingress Traffic Flow</STRONG></P> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image1.gif" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/71404iE048FCC70BFBCA2A/image-size/large?v=v2&amp;px=999" role="button" title="image1.gif" alt="image1.gif" /></span> <P>&nbsp;</P> <P><SPAN>Traffic originating from the internet destined for consumer workloads (requires external load balancer or forwarding rule not shown in this deployment):</SPAN></P> <P>&nbsp;</P> <P><STRONG>Step 1: External Request Arrives</STRONG></P> <P><SPAN>An external client sends a request to a public IP address associated with a consumer workload (via external load balancer or Cloud NAT port forwarding). The packet has source IP = [internet client], destination IP = [consumer public IP].</SPAN></P> <P>&nbsp;</P> <P><STRONG>Step 2: Entry into Consumer VPC</STRONG></P> <P><SPAN>Google Cloud’s edge network routes the packet to the consumer VPC. If destined for a load balancer, the LB translates the destination IP to the backend instance’s internal IP (e.g., 10.1.0.20 for web-vm).</SPAN></P> <P>&nbsp;</P> <P><STRONG>Step 3: Firewall Policy Evaluation</STRONG></P> <P><SPAN>The VPC dataplane evaluates the packet against consumer-policy. Rule 10 (INGRESS, priority 10) matches the packet because it matches all source and destination IPs in the ingress direction.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Step 4: Encapsulation and Forwarding</STRONG></P> <P><SPAN>The packet is encapsulated with GENEVE and sent to the intercept endpoint group (panw-nsi-epg), which resolves to the producer’s deployment group (panw-nsi-dg) and then to the forwarding rule (panw-lb-rule-us-west1-a) at 10.0.1.3:6081.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Step 5: Load Balancer and Inspection</STRONG></P> <P><SPAN>The internal load balancer forwards the encapsulated packet to a VM-Series firewall instance. The firewall decapsulates, inspects the traffic (checking for threats, malicious payloads, application behavior), and makes a permit/deny decision.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Step 6: Delivery to Workload</STRONG></P> <P><SPAN>If permitted, the firewall re-encapsulates the packet and returns it to the consumer VPC dataplane. Google Cloud decapsulates the packet and delivers it to the destination workload (e.g., web-vm or a GKE pod).</SPAN></P> <P>&nbsp;</P> <P><STRONG>Step 7: Response Path</STRONG></P> <P><SPAN>Response packets from the workload back to the internet client:</SPAN></P> <P>&nbsp;</P> <UL> <LI><SPAN> Are matched by Rule 11 (EGRESS)</SPAN></LI> <LI><SPAN> Follow the egress interception flow</SPAN></LI> <LI><SPAN> Are inspected by the VM-Series firewall</SPAN></LI> <LI><SPAN> Are returned to the client via the external load balancer or NAT gateway</SPAN></LI> </UL> <P>&nbsp;</P> <P><STRONG>East-West Traffic Flow</STRONG></P> <P>&nbsp;</P> <P><SPAN>Traffic between workloads within the consumer VPC (e.g., client-vm to web-vm):</SPAN></P> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image3.gif" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/71405i62F56590F8F5D071/image-size/large?v=v2&amp;px=999" role="button" title="image3.gif" alt="image3.gif" /></span> <P>&nbsp;</P> <P><STRONG>Step 1: Internal Communication</STRONG></P> <P><SPAN>A workload in consumer-vpc (e.g., client-vm at 10.1.0.5) sends a packet to another workload (e.g., web-vm at 10.1.0.20). Both source and destination IPs are within the 10.1.0.0/24 subnet.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Step 2: Egress Rule Match</STRONG></P> <P><SPAN>The VPC dataplane evaluates the packet against consumer-policy. Rule 11 (EGRESS) matches because the packet is leaving the source workload, even though it stays within the VPC.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Step 3: Encapsulation and Forwarding to Producer</STRONG></P> <P><SPAN>The packet is encapsulated with GENEVE:</SPAN></P> <P><SPAN>Outer Header: Source = [consumer gateway], Destination = 10.0.1.3:6081</SPAN></P> <P><SPAN>Inner Packet: Source = 10.1.0.5, Destination = 10.1.0.20</SPAN></P> <P><SPAN>The encapsulated packet is sent to the intercept endpoint group.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Step 4: VM-Series Inspection</STRONG></P> <P><SPAN>The forwarding rule routes the packet to the load balancer, which forwards it to a VM-Series firewall. The firewall:</SPAN></P> <P>&nbsp;</P> <UL> <LI><SPAN> Decapsulates the packet</SPAN></LI> <LI><SPAN> Identifies the application protocol (e.g., HTTP, SSH, database)</SPAN></LI> <LI><SPAN> Applies security policies for lateral movement prevention</SPAN></LI> <LI><SPAN> Checks for threats and anomalies</SPAN></LI> <LI><SPAN> Logs the session for audit and compliance</SPAN></LI> </UL> <P>&nbsp;</P> <P><STRONG>Step 5: Return to Consumer for Delivery</STRONG></P> <P><SPAN>If the traffic is permitted, the firewall re-encapsulates the packet and returns it to the consumer VPC. Google Cloud decapsulates the packet and delivers it to the destination workload (web-vm at 10.1.0.20).</SPAN></P> <P>&nbsp;</P> <P><STRONG>Step 6: Response Traffic</STRONG></P> <P><SPAN>Response packets from web-vm back to client-vm:</SPAN></P> <P>&nbsp;</P> <UL> <LI><SPAN> Are matched by Rule 11 (EGRESS) from web-vm’s perspective</SPAN></LI> <LI><SPAN> Follow the same interception flow (steps 3-5)</SPAN></LI> <LI><SPAN> Are inspected by the VM-Series firewall</SPAN></LI> <LI><SPAN> Are delivered to client-vm after decapsulation</SPAN></LI> </UL> <P>&nbsp;</P> <P><SPAN>Key Insight: Symmetric Inspection</SPAN></P> <P>&nbsp;</P> <P><SPAN>Both directions of east-west traffic are inspected. This ensures that lateral movement attempts, data exfiltration, and internal threats are detected even when traffic never leaves the VPC.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Testing and Validation</STRONG></P> <P>&nbsp;</P> <P><SPAN>Security Testing Methodology</SPAN></P> <P>&nbsp;</P> <P><SPAN>To validate the NSI deployment and verify that traffic is being intercepted and inspected by the VM-Series firewalls, the following security tests can be&nbsp; executed from the client-vm:</SPAN></P> <P>&nbsp;</P> <P><STRONG>Test 1: Path Traversal Attack (External Target)</STRONG></P> <P><SPAN>Command:</SPAN></P> <P data-unlink="true"><SPAN>curl -s -o /dev/null -w "%{http_code}\n" http://www.eicar.org/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh&nbsp;--data "echo Content-Type: text/plain; echo; uname -a" --max-time 2</SPAN></P> <P>&nbsp;</P> <P><SPAN>Objective:</SPAN></P> <P><SPAN>Attempt to exploit path traversal vulnerability to execute shell commands on external web server.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Result:</SPAN></P> <P><SPAN>HTTP code 000 (connection failed/timeout), indicating traffic was either blocked or timed out during inspection.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Test 2: Shellshock Exploit (External Target)</STRONG></P> <P><SPAN>Command:</SPAN></P> <P data-unlink="true"><SPAN>curl -s -o /dev/null -w "%{http_code}\n" http://www.eicar.org/cgi-bin/user.sh&nbsp;-H "FakeHeader:() { :; }; echo Content-Type: text/html; echo ; /bin/uname -a" --max-time 2</SPAN></P> <P>&nbsp;</P> <P><SPAN>Objective:</SPAN></P> <P><SPAN>Attempt to exploit Shellshock vulnerability (CVE-2014-6271) via malicious HTTP headers.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Result:</SPAN></P> <P><SPAN>HTTP code 000 (connection failed/timeout).</SPAN></P> <P>&nbsp;</P> <P><STRONG>Test 3: Shellshock Exploit (Internal Target)</STRONG></P> <P><SPAN>Command:</SPAN></P> <P data-unlink="true"><SPAN>curl -s -o /dev/null -w "%{http_code}\n" http://10.1.0.20/cgi-bin/user.sh&nbsp;-H "FakeHeader:() { :; }; echo Content-Type: text/html; echo ; /bin/uname -a" --max-time 2</SPAN></P> <P>&nbsp;</P> <P><SPAN>Objective:</SPAN></P> <P><SPAN>Attempt Shellshock exploit against internal web server (east-west traffic).</SPAN></P> <P>&nbsp;</P> <P><SPAN>Result:</SPAN></P> <P><SPAN>HTTP code 000 (connection failed/timeout), validating east-west traffic interception.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Test 4: Path Traversal Attack (Internal Target)</STRONG></P> <P><SPAN>Command:</SPAN></P> <P data-unlink="true"><SPAN>curl -s -o /dev/null -w "%{http_code}\n" http://10.1.0.20/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd&nbsp;--max-time 2</SPAN></P> <P>&nbsp;</P> <P><SPAN>Objective:</SPAN></P> <P><SPAN>Attempt to read /etc/passwd via path traversal on internal web server.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Result:</SPAN></P> <P><SPAN>HTTP code 000 (connection failed/timeout).</SPAN></P> <P>&nbsp;</P> <P><STRONG>Test 5: Port Scanning Attempt</STRONG></P> <P><SPAN>Command:</SPAN></P> <P><SPAN>curl -s -o /dev/null -w "%{http_code}\n" nmap -A 10.1.0.20</SPAN></P> <P>&nbsp;</P> <P><SPAN>Objective:</SPAN></P> <P><SPAN>Attempt reconnaissance via network port scanning.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Result:</SPAN></P> <P><SPAN>HTTP code 000 (connection failed/timeout).</SPAN></P> <P>&nbsp;</P> <P><SPAN>Test Results Analysis</SPAN></P> <P>&nbsp;</P> <P><SPAN>All five tests should return HTTP code 000, which indicates one of the following:</SPAN></P> <P>&nbsp;</P> <UL> <LI><SPAN> Traffic was intercepted and blocked by the VM-Series firewalls (most likely)</SPAN></LI> <LI><SPAN> Traffic timed out during security inspection processing</SPAN></LI> <LI><SPAN> Target endpoints did not exist or were unreachable</SPAN></LI> </UL> <P><SPAN>To definitively confirm that the VM-Series firewalls are inspecting traffic, administrators should:</SPAN></P> <P>&nbsp;</P> <OL> <LI><STRONG> Check VM-Series Firewall Logs<BR /></STRONG>Access the VM-Series management interface and review traffic logs. Look for session entries corresponding to the test traffic, including threat signatures detected and actions taken (allow/deny).</LI> </OL> <OL start="2"> <LI><STRONG> Verify Intercept Deployment Status<BR /></STRONG>Run: gcloud beta network-security intercept-deployments list --project=&lt;project_name&gt;<BR /><BR />Verify that panw-deployment-us-west1-a shows status ACTIVE.</LI> </OL> <OL start="3"> <LI><STRONG> Review Firewall Policy Rule Hits</STRONG><BR />Run: gcloud compute network-firewall-policies describe consumer-policy --global --project=&lt;project_name&gt;<BR /><BR />Check for rule hit counters on Rules 10 and 11 to confirm traffic is matching the intercept rules.</LI> </OL> <OL start="4"> <LI><STRONG> Monitor Load Balancer Metrics<BR /></STRONG>In Google Cloud Console, navigate to Network Services &gt; Load balancing, select the nsi-panw-lb backend service, and review traffic metrics to confirm requests are being forwarded to VM-Series instances.<BR /><BR /></LI> </OL> <P><STRONG>Operational Validation</STRONG></P> <P><SPAN>The following validations confirm that the NSI infrastructure is operational:</SPAN></P> <P>&nbsp;</P> <UL> <LI><SPAN> Producer deployment group panw-nsi-dg created successfully</SPAN></LI> <LI><SPAN> Intercept deployment panw-deployment-us-west1-a in ACTIVE state</SPAN></LI> <LI><SPAN> Consumer endpoint group panw-nsi-epg linked to producer deployment group</SPAN></LI> <LI><SPAN> Endpoint group association panw-nsi-epg-assoc successfully bound to consumer-vpc</SPAN></LI> <LI><SPAN> Security profile panw-nsi-sp and security profile group panw-nsi-spg created at organization level</SPAN></LI> <LI><SPAN> Network firewall policy consumer-policy contains INGRESS and EGRESS rules referencing panw-nsi-spg</SPAN></LI> <LI><SPAN> Firewall policy association consumer-policy-assoc activated on consumer-vpc</SPAN></LI> <LI><SPAN> VM-Series firewalls running in managed instance group nsi-panw-mig</SPAN></LI> <LI><SPAN> Internal load balancer nsi-panw-lb distributing traffic to firewall instances</SPAN></LI> </UL> <P>&nbsp;</P> <P><STRONG>Conclusion</STRONG></P> <P><SPAN>The Google Cloud Network Security Integration deployment has been successfully completed. All producer, consumer, and security resources are configured and operational. Traffic flowing through the consumer-vpc network is now being intercepted and inspected by the VM-Series Next-Generation Firewalls, providing comprehensive threat protection for ingress, egress, and east-west traffic flows.</SPAN></P> <P>&nbsp;</P> <P><SPAN>The security tests performed validate that the interception mechanism is functioning correctly. For ongoing operations, administrators should regularly monitor VM-Series firewall logs, review threat detections, and update security policies as needed to maintain optimal protection.</SPAN></P> </DIV> Wed, 13 May 2026 09:35:04 GMT npandey 2026-05-13T09:35:04Z https://live.paloaltonetworks.com/t5/general-articles/google-cloud-network-security-integration-nsi/ta-p/1253913 <P>Secure your Google Cloud environment with <STRONG data-index-in-node="42" data-path-to-node="0">Network Security Integration (NSI)</STRONG> and <STRONG data-index-in-node="81" data-path-to-node="0">VM-Series Virtual Firewalls</STRONG>. This guide explains how to use a producer-consumer model to transparently inspect ingress, egress, and east-west traffic without complex routing changes. Learn to deploy this architecture using <STRONG data-index-in-node="304" data-path-to-node="0">Terraform</STRONG> and validate your threat prevention layers against exploits like Shellshock and path traversal for a truly secure cloud ecosystem.</P> Wed, 13 May 2026 09:35:04 GMT https://live.paloaltonetworks.com/t5/general-articles/google-cloud-network-security-integration-nsi/ta-p/1253913 npandey 2026-05-13T09:35:04Z