Last updated (UTC): 2025-03-04.

# Intrusion detection and prevention service overview

Cloud Next Generation Firewall intrusion detection and prevention service continuously
monitors your Google Cloud workload traffic for malicious activity and
takes preemptive action to prevent it.
The malicious activity can include threats
such as intrusions, malware, spyware, and command-and-control attacks
on your network.

Cloud NGFW intrusion detection and prevention service works by creating Google-managed
zonal firewall endpoints that use packet intercept technology to transparently
inspect workload traffic for the configured threat signatures and protect the
workloads against those threats. These threat prevention capabilities are powered by
Palo Alto Networks threat prevention technologies.

Cloud NGFW supports the following threat signature categories:

- Anti-spyware
- Vulnerability protection
- Antivirus

For more information about the threat categories, see [Default threat
signatures](/firewall/docs/about-threats#default-threat-signatures).

Intrusion detection and prevention service is offered as part of Cloud Next Generation Firewall Enterprise
capabilities. For more information,
see [Cloud NGFW Enterprise](/firewall/docs/about-firewalls#firewall-plus) and
[Cloud NGFW pricing](/firewall/pricing).

This document provides a high-level overview of the Cloud NGFW
intrusion detection and prevention service components and how these components provide
advanced protection for your Google Cloud workloads in
Virtual Private Cloud (VPC) networks.

How intrusion detection and prevention service works
----------------------------------------------------

Intrusion detection and prevention service processes traffic in the following sequence:

1. Firewall policy rules are applied to the traffic to and from the virtual
   machine (VM) instances or Google Kubernetes Engine (GKE) clusters in the
   network.

2. The matched traffic is intercepted, and the packets are sent to the firewall
   endpoint for Layer 7 inspection.

3. The firewall endpoint scans the packets for the configured threat signatures.

4. If a threat is detected, the action configured in the security profile
   is performed on that packet.

Figure 1 describes a simplified deployment model of intrusion detection and prevention service.

![Sample deployment model of intrusion detection and prevention service](/static/firewall/images/firewall-ips/ips-simple-deployment-model.svg)

**Figure 1.** Sample deployment model of intrusion detection and prevention service.

The rest of this section explains the components and configurations required
to set up intrusion detection and prevention service.

### Security profiles and security profile groups

Cloud NGFW references security profiles and security profile groups to
implement deep packet inspection for intrusion detection and prevention service.

- **Security profiles** are generic policy structures. For intrusion detection and
  prevention service, a security profile of type `threat-prevention` holds the
  overrides that change the default action taken for particular threat signatures
  or severity levels. To configure intrusion detection and prevention service, you
  define a security profile of type `threat-prevention`. To learn more about security
  profiles, see [Security profile overview](/firewall/docs/about-security-profiles).

- **Security profile groups** contain a security profile of type `threat-prevention`.
  To configure intrusion detection and prevention service, firewall policy rules reference
  these security profile groups to enable threat detection and prevention
  for network traffic. To learn more about security profile groups,
  see [Security profile group overview](/firewall/docs/about-security-profile-groups).

### Firewall endpoint

A firewall endpoint is an organization-level resource created in a specific zone
that can inspect traffic in the same zone. The endpoint must also be associated
with each VPC network whose traffic it inspects.

For intrusion detection and prevention service, the firewall endpoint scans the
intercepted traffic for threats. If a threat is detected, the action
associated with the threat is performed on that packet. This action can be a
This action can be a\ndefault action, or an action (if configured) in the `threat-prevention` security profile.\n\nTo learn more about firewall endpoints and how to configure them, see\n[Firewall endpoint overview](/firewall/docs/about-firewall-endpoints).\n\n### Firewall policies\n\n[Firewall policies](/firewall/docs/firewall-policies-overview) apply directly\nto all traffic moving in and out of the VM. You can use\n[hierarchical firewall policies](/firewall/docs/firewall-policies) and\n[global network firewall policies](/firewall/docs/network-firewall-policies)\nto configure firewall policy rules with Layer 7 inspection.\n| **Note:** Cloud NGFW Enterprise capabilities are only available through firewall policies. In this document, the term *firewall rules* refers to the firewall policy rules, not the VPC firewall rules.\n\n#### Firewall policy rules\n\nFirewall policy rules enable you to control the type of\ntraffic to be intercepted and inspected. To configure the intrusion detection and prevention service,\ncreate a firewall policy rule to do the following:\n\n- Identify the type of traffic to be inspected by using multiple\n [Layer 3 and Layer 4 firewall policy rule components](/firewall/docs/firewall-policies-rule-details#firewall_policy_rule_components).\n\n- For the matched traffic, specify the security profile group name for\n the `apply_security_profile_group` action.\n\nFor the complete intrusion detection and prevention service workflow,\nsee [Configure intrusion detection and prevention service](/firewall/docs/configure-intrusion-prevention).\n\nYou can also use [secure tags](/firewall/docs/tags-firewalls-overview) in\nfirewall rules to configure intrusion detection and prevention service. 
You can build on any
segmentation that you have already set up with tags in your network, and extend
the traffic inspection logic to include intrusion detection and prevention service.

### Inspect encrypted traffic

Cloud NGFW supports Transport Layer Security (TLS) interception and
decryption to inspect selected encrypted traffic for threats. TLS inspection lets you
inspect both inbound and outbound connections, including traffic to and from
the internet and traffic within Google Cloud. Without TLS inspection, the firewall
endpoint sees only the unencrypted parts of a TLS session, so signatures that
match on application payload cannot fire on encrypted flows.

To learn more about TLS inspection in Cloud NGFW, see
[TLS inspection overview](/firewall/docs/about-tls-inspection).

To learn how to enable TLS inspection in Cloud NGFW, see
[Set up TLS inspection](/firewall/docs/setup-tls-inspection).

### Threat signatures

Cloud NGFW threat detection and prevention capabilities are powered
by Palo Alto Networks threat prevention technologies.
Cloud NGFW supports a default set of threat signatures with
predefined severity levels to help protect your network. You can also override
the default actions associated with these threat signatures by using security
profiles.

To learn more about threat signatures, see [Threat signatures overview](/firewall/docs/about-threats).

To view the threats detected in your network, see [View threats](/firewall/docs/view-threats).

Limitations
-----------

- Cloud NGFW does not support jumbo frame [maximum transmission unit (MTU)](/vpc/docs/mtu) sizes.

- Firewall endpoints ignore X-Forwarded-For (XFF) headers, so these
  headers are not included in Firewall Rules Logging.

What's next
-----------

- [Configure intrusion detection and prevention service](/firewall/docs/configure-intrusion-prevention)