Palo Alto Networks is proud to partner with Google Cloud to offer Google Cloud Intrusion Detection System (Cloud IDS), a network threat detection system delivered as a cloud-native service built with the industry-leading security technologies of Palo Alto Networks. Now in preview, Cloud IDS will allow organizations to deploy best-in-class network threat detection capability powered by Palo Alto Networks with the simplicity and scale of a Google Cloud native service.
Discover unprecedented application visibility and threat detection
Cloud IDS can analyze the raw traffic data from Google Cloud workloads and provide contextually rich application and threat information. More importantly, organizations can monitor even the traffic traversing within the VPC boundary using Cloud IDS. This capability complements the visibility and protection VM-Series virtual firewalls provide with traffic crossing the VPC boundary.
Based on this more in-depth inspection, customers can choose to enable alerts for a wide range of security issues, for example:
High priority security alerts: Attacks using known exploits (for example, an attempt to exploit CVE-2017-5638 against Apache Struts-based web servers running in GCP).
Traffic to inappropriate, malicious destinations and command-and-control systems: Detect whether the source/destination is inappropriate or malicious, whether there are geoblocking restrictions to be met, or whether there is bitcoin traffic or an SSH session to a known command-and-control (C2) domain.
Figure 1: Comprehensive visibility and protection of workload traffic
Combining Cloud IDS with VM-Series allows Google Cloud customers to implement a critical principle of Zero Trust: Trust but verify. While the VM-Series protects the trust boundaries (VPCs), with Cloud IDS customers can now verify the application traffic and detect any lateral threat movement within the trust boundary.
Advanced security analysis with minimal investment
With the constantly evolving nature of the threat landscape, customers find it difficult, especially with limited resources, to address every incident and alert that occurs in their cloud environments. Cloud IDS, powered by the Palo Alto Networks Threat Prevention security service, helps cut through the clutter of false positives to prioritize threat alerts effectively and take rapid remediation actions.
Customers can also export the logs to their own Security Information and Event Management systems (SIEMs) such as Splunk Cloud Platform, Splunk Enterprise Platform, Exabeam Advanced Analytics, and the Devo Platform. Additionally, Palo Alto Networks customers who already use SIEMs to correlate logs from other Palo Alto Networks security platform products can adapt their existing custom configurations to Cloud IDS logs with minimal or no additional investment.
All of this enables a holistic view of infrastructure and security posture, enabling faster investigation, analysis, and response to the threats detected on Google Cloud with minimal additional investment. Furthermore, integrations with SOAR tools such as Cortex XSOAR allow customers to automate responses to the alerts and events detected.
Achieving compliance in the cloud gets far easier
The compliance mandates of PCI-DSS, HIPAA, and other regulatory standards require customers to use an IDS/IPS to monitor and detect network-based threats. Using Cloud IDS, customers can now quickly and easily support their compliance objectives in a matter of a few clicks. In addition, Cloud IDS policy options such as monitoring all or select subnets within a VPC or monitoring based on network tags ensure that the customers stay compliant even in a dynamically changing environment.
Learn more about Google Cloud IDS.
There are a couple of options around XFF in PAN-OS:
If the requirement is to enforce security on the XFF IP, the option you are currently using is the right one. However, with this PAN-OS feature, the policy enforcement and the corresponding logs will apply only to the last IP in the XFF list. In GCP, the ALB inserts the source IP of the packet it received, followed by the ALB's own IP. So the last IP in this case always happens to be the ALB IP. So, unfortunately, in GCP's ALB case, this feature is limited in its application.
If the requirement is only to log the original client IP (and not policy enforcement), then another option is to use the attached PAN-OS feature. With this feature, though, the 'first' IP address in the XFF list is logged in the URL filtering logs. If the packet traverses multiple proxies on the path, there could be multiple IP addresses (comma separated) in the XFF header, and this feature will use the first IP address in the list to add to the URL filtering log.
Hope this helps.
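The two selection rules the reply describes (last entry for XFF policy enforcement, first entry for URL-filtering logging), as an added example that is not part of the original post and not PAN-OS code. The sample header values are constructed from documentation address ranges; the third function is a generalisation the reply does not mention, a rightmost-untrusted walk over a list of proxy CIDRs you control, which recovers the client even when several proxies sit in the path.

```python
import ipaddress
from typing import List, Optional

# Constructed sample values (RFC 5737 documentation ranges), not real addresses: the
# client, a hypothetical upstream proxy, and the GCP ALB address appended last.
CLIENT_IP = "203.0.113.5"
UPSTREAM_PROXY_IP = "192.0.2.44"
ALB_IP = "198.51.100.10"
XFF_SINGLE_HOP = f"{CLIENT_IP}, {ALB_IP}"
XFF_MULTI_HOP = f"{CLIENT_IP}, {UPSTREAM_PROXY_IP}, {ALB_IP}"

def parse_xff(header: str) -> List[str]:
    """Split an X-Forwarded-For value into its entries, dropping blanks and
    anything that is not a valid IPv4/IPv6 literal rather than trusting it."""
    entries = []
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        try:
            ipaddress.ip_address(part)
        except ValueError:
            continue
        entries.append(part)
    return entries

def last_xff_ip(header: str) -> Optional[str]:
    """Rightmost entry: what the XFF policy-enforcement option acts on. Behind a
    GCP ALB this is always the ALB itself, so policy keyed on it is moot."""
    entries = parse_xff(header)
    return entries[-1] if entries else None

def first_xff_ip(header: str) -> Optional[str]:
    """Leftmost entry: what the URL-filtering log option records. It was written
    by whatever first forwarded the request, so it is only as reliable as that hop."""
    entries = parse_xff(header)
    return entries[0] if entries else None

def client_ip_behind_trusted_proxies(header: str, trusted_cidrs: List[str]) -> Optional[str]:
    """Generalisation, not a PAN-OS feature: walk the list from the right, skipping
    every address inside a CIDR you operate or trust; the first remaining entry is
    the best client estimate however many proxies were on the path."""
    nets = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    for entry in reversed(parse_xff(header)):
        addr = ipaddress.ip_address(entry)
        if not any(addr in net for net in nets):
            return entry
    return None
```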