Cloud Next Generation Firewall application layer inspection provides advanced protection for your Google Cloud resources. Application layer inspection (also known as deep packet inspection or Layer 7 inspection) is a security process that examines the content of network packets as they pass through the firewall.
This document describes the services and components used for application layer inspection in Cloud NGFW.
Application layer inspection services
Cloud NGFW offers the following application layer inspection services: URL filtering service and Intrusion detection and prevention service. Application layer inspection features are available in the Cloud NGFW Enterprise tier. For more information, see Cloud NGFW Enterprise.
URL filtering service
URL filtering service lets you control access to websites by blocking or allowing specific URLs. This service can use Server Name Indication (SNI) to filter by domain. Because the SNI is sent in the clear during the TLS handshake, domain-level filtering works without decrypting the connection; matching on the full URL of HTTPS traffic requires TLS inspection. For more information, see URL filtering service overview.
Intrusion detection and prevention service
Intrusion detection and prevention service continuously monitors your Google Cloud workload traffic for malicious activity and takes preemptive actions to prevent it. The malicious activity can include threats such as intrusions, malware, spyware, and command-and-control attacks on your network. For more information, see Intrusion detection and prevention service overview.
Core components
Application layer inspection services use the following components:
Firewall endpoints and firewall endpoint associations: a firewall endpoint is a Google-managed zonal resource that performs deep packet inspection in your network. A firewall endpoint association links a firewall endpoint to a VPC network in the same zone. You create one endpoint in each zone where you want traffic inspected. For more information, see Firewall endpoint overview.
To inspect the contents of encrypted traffic, create a TLS inspection policy and add the policy to the firewall endpoint association. For more information, see TLS inspection overview.
Security profile: an object that contains the configuration for a specific security service. Firewall endpoints use security profiles to scan intercepted traffic. For more information, see Security profiles overview.
Cloud NGFW supports the following types of security profiles:
url-filtering: defines rules for the URL filtering service.
threat-prevention: configures the intrusion detection and prevention service.
Security profile group: a container for security profiles. A security profile group can only contain one security profile of each type. For more information, see Security profile group overview.
apply_security_profile_group action: a firewall policy rule action that redirects matching traffic to the firewall endpoint for inspection against the security profile group named in the rule. Traffic reaches the endpoint only through such a rule; an association alone inspects nothing. For more information, see Action on match.
To understand how the core components work together, see How the URL filtering service works and How intrusion detection and prevention service works.
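The procedure the components above describe, as an added example that is not part of the Cloud NGFW documentation: a shell script that creates a threat-prevention security profile, a security profile group, a zonal firewall endpoint and its association, and a global network firewall policy rule whose action is apply_security_profile_group. The organization ID, project, zone, network and policy names are placeholders, the firewall policy is assumed to already exist, and the gcloud subcommands and flags are the ones I know from the CLI; check them against `--help` before running with DRY_RUN=0. URL filtering follows the same pattern with a url-filtering profile added to the same group and is left out here.

```shell
#!/bin/sh
# Added example, not from the Cloud NGFW documentation: wires the core
# components together for the intrusion detection and prevention service.
# All IDs and names below are placeholders (assumed values); substitute yours.
# DRY_RUN=1 (default) prints the gcloud commands instead of executing them.
set -eu

ORG_ID="${ORG_ID:-123456789012}"       # placeholder organization ID
PROJECT_ID="${PROJECT_ID:-my-project}" # placeholder project billed for the endpoint
ZONE="${ZONE:-us-central1-a}"          # firewall endpoints are zonal
NETWORK="${NETWORK:-prod-vpc}"         # VPC network whose traffic is inspected
POLICY="${POLICY:-inspect-policy}"     # existing global network firewall policy
DRY_RUN="${DRY_RUN:-1}"

# run: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Full resource names that later steps reference.
profile_path()  { printf 'organizations/%s/locations/global/securityProfiles/%s' "$ORG_ID" "$1"; }
group_path()    { printf 'organizations/%s/locations/global/securityProfileGroups/%s' "$ORG_ID" "$1"; }
endpoint_path() { printf 'organizations/%s/locations/%s/firewallEndpoints/%s' "$ORG_ID" "$ZONE" "$1"; }

# 1. Security profile of type threat-prevention, with explicit severity
#    overrides so the outcome does not depend on the built-in defaults:
#    LOW/MEDIUM signatures alert, HIGH/CRITICAL signatures deny.
create_threat_profile() {
  run gcloud network-security security-profiles threat-prevention create "$1" \
    --organization="$ORG_ID" --location=global \
    --description="IDPS profile for $NETWORK"
  run gcloud network-security security-profiles threat-prevention add-override "$1" \
    --organization="$ORG_ID" --location=global --severities=LOW,MEDIUM --action=ALERT
  run gcloud network-security security-profiles threat-prevention add-override "$1" \
    --organization="$ORG_ID" --location=global --severities=HIGH,CRITICAL --action=DENY
}

# 2. Security profile group: at most one profile per type; only the
#    threat-prevention profile is attached here.
create_profile_group() {
  run gcloud network-security security-profile-groups create "$1" \
    --organization="$ORG_ID" --location=global \
    --threat-prevention-profile="$(profile_path "$2")"
}

# 3. Firewall endpoint: Google-managed, zonal, billed to PROJECT_ID.
create_endpoint() {
  run gcloud network-security firewall-endpoints create "$1" \
    --organization="$ORG_ID" --zone="$ZONE" --billing-project="$PROJECT_ID"
}

# 4. Firewall endpoint association: binds the endpoint to NETWORK in ZONE.
#    Pass a TLS inspection policy resource name as $3 to decrypt inspected
#    traffic; omit it to inspect cleartext (and SNI) only.
create_association() {
  if [ -n "${3:-}" ]; then
    run gcloud network-security firewall-endpoint-associations create "$1" \
      --zone="$ZONE" --network="$NETWORK" --project="$PROJECT_ID" \
      --endpoint="$(endpoint_path "$2")" --tls-inspection-policy="$3"
  else
    run gcloud network-security firewall-endpoint-associations create "$1" \
      --zone="$ZONE" --network="$NETWORK" --project="$PROJECT_ID" \
      --endpoint="$(endpoint_path "$2")"
  fi
}

# 5. Firewall policy rule whose action hands matching traffic to the endpoint.
#    Without a rule carrying apply_security_profile_group the endpoint receives
#    nothing, even though it is associated with the network.
create_inspection_rule() {
  run gcloud compute network-firewall-policies rules create "$1" \
    --firewall-policy="$POLICY" --global-firewall-policy \
    --direction=EGRESS --action=apply_security_profile_group \
    --security-profile-group="//networksecurity.googleapis.com/$(group_path "$2")" \
    --dest-ip-ranges=0.0.0.0/0 --layer4-configs=tcp:80,tcp:443 \
    --enable-logging
}

main() {
  create_threat_profile  idps-profile
  create_profile_group   idps-group idps-profile
  create_endpoint        fw-ep-a
  create_association     fw-ep-a-prod fw-ep-a "${TLS_POLICY:-}"
  create_inspection_rule 1000 idps-group
}
main "$@"
```

Run it once with the default DRY_RUN=1 and read the printed commands before executing them; set TLS_POLICY to a tlsInspectionPolicies resource name if encrypted traffic should be decrypted. The order matters: the group references the profile, the association references the endpoint, and the rule references the group, so each step needs the previous one to exist.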
What's next
- URL filtering service overview
- Intrusion detection and prevention service overview
- TLS inspection overview