Google Cloud NGFW Tutorial

Last Reviewed: 06-17-2025 07:50 AM
Audited By: banand
General Articles

This tutorial shows how to deploy Google Cloud NGFW Enterprise and use it to prevent threats. Cloud NGFW Enterprise is a native Google Cloud service powered by Palo Alto Networks Threat Prevention technologies.

 

ℹ️ Note

For the most recent version of this guide, please see the Google Cloud NGFW Enterprise Tutorial GitHub repository.

 

Cloud NGFW Enterprise is a fully distributed firewall service with advanced protection capabilities that protect your Google Cloud workloads from internal and external threats, including intrusion, malware, spyware, and command-and-control traffic. The service works by creating Google-managed zonal firewall endpoints that use packet intercept technology to transparently intercept workload traffic for deep packet inspection.

 

[Diagram: Architecture]

 

Requirements

The following outlines the required tools and IAM roles needed to complete this tutorial.

 

Tools

  • Access to Google Cloud Shell, or a local machine with a Terraform or gcloud installation.
  • A Google Cloud project to host the deployment.
  • A Google Cloud billing project.
IAM roles (Ability / Level / Roles)

Ability: Create/modify/view firewall endpoints, endpoint associations, security profiles, and security profile groups.
Level: Organization
Roles: compute.networkAdmin, compute.networkUser, compute.networkViewer

Ability: Create/modify/view global network firewall policies and view effective rules for VPC networks and virtual machines.
Level: Project
Roles: compute.securityAdmin, compute.networkAdmin, compute.networkViewer, compute.viewer, compute.instanceAdmin

 

For more information, please see:

Topology

In this tutorial, a VPC network contains two virtual machines, client-vm and web-vm. The client-vm simulates threats for both north/south internet traffic and east/west traffic to a web application on the web-vm.

 

To prevent the malicious traffic, a Cloud NGFW endpoint is created and associated to the network, where network firewall policies define how the traffic should be inspected by Cloud NGFW.

 

[Diagram: Topology]

 

 

Prepare for deployment

Enable the required APIs, retrieve the deployment files, and configure the environment variables.

 

ℹ️ Important

This tutorial assumes you are using Cloud Shell to provision all resources.


1. Open Google Cloud Shell and enable the required APIs.

gcloud services enable compute.googleapis.com
gcloud services enable networksecurity.googleapis.com
gcloud services enable firewallinsights.googleapis.com

 

2. Set environment variables for your deployment project and billing project.

export PROJECT_ID=YOUR_PROJECT_ID
export BILLING_ID=YOUR_BILLING_PROJECT_ID

 

3. Set environment variables for your organization ID, deployment region, zone, and naming prefix.

export ORG_ID=$(gcloud projects describe $PROJECT_ID --format=json | jq -r '.parent.id')
export REGION=us-central1
export ZONE=us-central1-a
export PREFIX=panw
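The three steps above can be wrapped in a small checked script. The following is an added example, not code from the tutorial or from the Palo Alto Networks repository. It assumes the same variable names as the tutorial (PROJECT_ID, BILLING_ID, ORG_ID, REGION, ZONE, PREFIX) and adds two checks a practitioner would want before provisioning: that the required variables are actually set, and that the value derived for ORG_ID really is an organization ID. The tutorial's `jq -r '.parent.id'` returns whatever the project's direct parent is, so for a project that sits under a folder it yields a folder ID, which cannot be used for the organization-scoped firewall endpoint, security profile and security profile group resources listed in the IAM table. The JSON samples in the block are constructed to mimic the shape of `gcloud projects describe --format=json` output; the parsing uses only `sed` so it does not depend on `jq` being installed.

```shell
#!/bin/sh
# Added example (not from the original tutorial): validation helpers for the
# "Prepare for deployment" steps. Assumes the tutorial's variable names
# (PROJECT_ID, BILLING_ID, ORG_ID, REGION, ZONE, PREFIX). The sample JSON
# below is constructed to mimic `gcloud projects describe --format=json`.

# Fail early if any of the named environment variables is unset or empty.
require_vars() {
  missing=0
  for name in "$@"; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "required variable $name is not set" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Pull one field ("id" or "type") out of the "parent" object of a project
# description, using only sed so the check works even where jq is absent.
parent_field() {
  printf '%s' "$1" | tr -d '\n ' \
    | sed -n 's/.*"parent":{[^}]*"'"$2"'":"\([^"]*\)".*/\1/p'
}

# Print the organization ID only when the project's direct parent is an
# organization. Firewall endpoints, security profiles and profile groups are
# organization-scoped, so a folder ID in ORG_ID would make the later create
# calls fail; in that case return 1 and let the operator set ORG_ID by hand.
resolve_org_id() {
  json="$1"
  ptype=$(parent_field "$json" type)
  pid=$(parent_field "$json" id)
  if [ "$ptype" != "organization" ] || [ -z "$pid" ]; then
    echo "project parent is '${ptype:-unknown}' (${pid:-none}), not an organization; set ORG_ID manually" >&2
    return 1
  fi
  printf '%s\n' "$pid"
}

# Constructed samples matching the shape of `gcloud projects describe` JSON.
SAMPLE_ORG_JSON='{"name": "demo", "parent": {"id": "123456789012", "type": "organization"}, "projectId": "demo-project"}'
SAMPLE_FOLDER_JSON='{"name": "demo", "parent": {"id": "987654321098", "type": "folder"}, "projectId": "demo-project"}'

# Live path: opt in with RUN_PREPARE=1 in Cloud Shell after exporting
# PROJECT_ID and BILLING_ID as in step 2 of the tutorial. Without the opt-in
# the script only defines the helpers and never calls gcloud.
if [ "${RUN_PREPARE:-0}" = "1" ]; then
  require_vars PROJECT_ID BILLING_ID || exit 1
  for api in compute.googleapis.com networksecurity.googleapis.com firewallinsights.googleapis.com; do
    gcloud services enable "$api" --project="$PROJECT_ID" || exit 1
  done
  ORG_ID=$(resolve_org_id "$(gcloud projects describe "$PROJECT_ID" --format=json)") || exit 1
  export ORG_ID REGION=us-central1 ZONE=us-central1-a PREFIX=panw
  echo "ORG_ID=$ORG_ID REGION=$REGION ZONE=$ZONE PREFIX=$PREFIX"
fi
```

Run it as `RUN_PREPARE=1 sh prepare.sh` from Cloud Shell once PROJECT_ID and BILLING_ID are exported; sourced or run without the opt-in it is side-effect free, which is what the checks below rely on. When `resolve_org_id` reports a folder parent, look up the organization in the Cloud Console resource hierarchy and export ORG_ID explicitly before continuing with the deployment option.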

 

Select Deployment Option

Select a deployment option. Both options deploy identical environments.

 

After deploying the resources, continue with the guide in the GitHub repository to complete the tutorial. For any issues related to the tutorial, kindly submit a pull request.

 

More Information

Please see the materials below for more information about the topics discussed in this tutorial.

Last Updated: 03-06-2025 02:00 PM