FR: Add Cloud NGFW Essential capability with optional Standard or Enterprise based IPS in the TEF 3-networks-hub-and-spoke folder and associated terraform-google-modules

[fmichaelobrien]

20240515 See ngfw terraform support

• https://github.com/hashicorp/terraform-provider-google/issues/15779
• https://github.com/hashicorp/terraform-provider-google/pull/18139
• https://github.com/hashicorp/terraform-provider-google/issues/17491

shadow https://github.com/terraform-google-modules/terraform-example-foundation/issues/1183 see https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/616

• https://github.com/hashicorp/terraform-provider-google/issues/17865
• https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/wiki/Design-Issues#di3-20240506-ngfw--firewall-teraform-module can be a direct copy/overlay on 3-networks-hub-and-spoke or a pluggable architecture where we can use any of the 3 - transitive VMs, Fortigates ( https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/389) or GCP NFGW

TL;DR

A request by a large federal client for IDS or NGFW (formerly Firewall+) capabilities in the TEF that includes GPS(Standard) IPS(Enterprise) and micro segmentation

Pull out the default transitivity NVA VMs in 3-n-h-a-s and overlay NGFW

Optional: modularize around 3rd party NGFW like https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/389

Add GCP Cloud NGFW (Firewall plus) NGFW https://cloud.google.com/security/products/firewall?hl=en#cloud-ngfw-tiers NGFW https://cloud.google.com/firewall/docs/about-firewalls NGFW enterprise with IPS https://cloud.google.com/firewall/docs/about-intrusion-prevention https://www.paloaltonetworks.com/blog/network-security/netsec-google-cloud-firewall-plus/ likely location next to https://github.com/terraform-google-modules/terraform-example-foundation/tree/master/3-networks-hub-and-spoke/modules/hierarchical_firewall_policy

Links

GCP Firewall plus - https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-firewall-plus-with-intrusion-prevention config connector IDS version https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/ids Palo Alto VM Series NGFW https://cloud.google.com/architecture/partners/palo-alto-networks-ngfw PA VM Series NGFW example https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/google/latest/examples/standalone_vmseries_with_metadata_bootstrap IDS https://cloud.google.com/security/products/intrusion-detection-system?hl=en https://github.com/GoogleCloudPlatform/terraform-google-network-forensics standard firewall https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall Fortinet based Fortigate NGFW https://github.com/fortinet/fortigate-tutorial-gcp

Terraform Resources

No response

Detailed design

No response

Additional information

No response

[fmichaelobrien]

see https://github.com/terraform-google-modules/terraform-google-network/tree/master/modules/network-firewall-policy see https://github.com/hashicorp/terraform-provider-google/issues/17030 b/321386368

[fmichaelobrien]

Video on Google NGFW from Ryan https://www.youtube.com/watch?v=OCqnf2E6zn0

[fmichaelobrien]

See ngfw terraform support

• https://github.com/hashicorp/terraform-provider-google/issues/15779
• https://github.com/hashicorp/terraform-provider-google/pull/18139