Configure intrusion detection and prevention service
To enable intrusion detection and prevention service in your network, you must set up
multiple Cloud Next Generation Firewall components. This document provides a high-level
workflow that describes how to configure these components and enable threat
detection and prevention.
Configure intrusion detection and prevention service without TLS inspection
To configure intrusion detection and prevention service in your network, perform the
following tasks. This workflow is a high-level sequence of steps; it assumes that you
have already set up your Virtual Private Cloud (VPC) network, subnets, VM instances,
and the other required Google Cloud resources and components.
1. Create a security profile of type Threat prevention. Set up threat or
   severity overrides as required by your network. You can create one
   or more profiles. To learn how to create security profiles,
   see Create a security profile.
2. Create a security profile group with the security profile created in the
   preceding step. To learn how to create a security profile group,
   see Create a security profile group.
3. Create a firewall endpoint in the same zone as your workloads where you want
   to enable threat prevention. To learn how to create
   a firewall endpoint, see Create a firewall endpoint.
4. Associate the firewall endpoint with one or more VPC networks
   where you want to enable threat detection and prevention. Make sure that you're
   running your workloads in the same zone as the firewall endpoint. To learn
   how to associate a firewall endpoint with a VPC network,
   see Create firewall endpoint associations.
5. Use a global network firewall policy or a hierarchical firewall policy to
   apply the security profile group to traffic:
   - In a new or existing global firewall policy, add a firewall policy rule with
     Layer 7 inspection enabled (apply_security_profile_group action) and
     specify the name of the security profile group that you created
     in the preceding step. Make sure that the firewall policy is associated
     with the same VPC network as the workloads that require
     inspection. To learn more about global network firewall policy and the
     parameters required to create a firewall policy rule with threat
     prevention enabled, see Create global network firewall policy and
     Create global network firewall policy rules.
   - You can also use a hierarchical firewall policy to add a firewall policy
     rule with a security profile group configured. To learn more about the
     parameters required to create hierarchical firewall policy rules with
     threat prevention enabled, see Create firewall rules.
Configure intrusion detection and prevention service with TLS inspection
To configure intrusion detection and prevention service with Transport Layer
Security (TLS) inspection in your network, perform the following tasks. As in the
preceding workflow, this assumes that your VPC network, subnets, VM instances, and
other required Google Cloud resources are already set up.
1. Create a security profile of type Threat prevention. Set up threat or
   severity overrides as required by your network. You can create one
   or more profiles. To learn how to create security profiles,
   see Create a security profile.
2. Create a security profile group with the security profile created in the
   preceding step. To learn how to create a security profile group,
   see Create a security profile group.
3. Create a CA pool and a trust config, and add them to your TLS inspection
   policy. To learn how to enable TLS inspection in Cloud NGFW, see
   Set up TLS inspection.
4. Create a firewall endpoint in the same zone as your workloads where you want
   to enable threat prevention. To learn how to create
   a firewall endpoint, see Create a firewall endpoint.
5. Associate the firewall endpoint with one or more VPC networks
   where you want to enable threat detection and prevention. Add the TLS
   inspection policy you created in the preceding step to the firewall endpoint
   association. Make sure that you're running your workloads in the same zone
   as the firewall endpoint. To learn how to associate a firewall endpoint with
   a VPC network and enable TLS inspection, see Create firewall endpoint
   associations.
6. Use a global network firewall policy or a hierarchical firewall policy to
   apply the security profile group to traffic:
   - In a new or existing global firewall policy, add a firewall policy rule with
     Layer 7 inspection enabled (apply_security_profile_group action) and
     specify the name of the security profile group that you created
     in the preceding step. To enable TLS inspection, specify the
     --tls-inspect flag. Make sure that the firewall policy is associated
     with the same VPC network as the workloads that require
     inspection. To learn more about global network firewall policy and the
     parameters required to create a firewall policy rule with threat
     prevention enabled, see Create global network firewall policy and
     Create global network firewall policy rules.
   - You can also use a hierarchical firewall policy to add a firewall policy
     rule with a security profile group configured. To learn more about the
     parameters required to create hierarchical firewall policy rules with
     threat prevention enabled, see Create firewall rules.
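Both workflows above, expressed as a gcloud script (an added example, not the documentation's own code). ORG_ID, PROJECT_ID, the resource names, the rule match (TCP 443 from any source) and the CRITICAL/HIGH deny override are placeholders or assumptions; a non-empty TLS_POLICY selects the TLS inspection variant.

```shell
# Added example, not from the Cloud NGFW documentation: the workflows above as gcloud
# commands. ORG_ID, PROJECT_ID and the resource names are placeholders. GCLOUD=echo prints
# the commands instead of running them; a non-empty TLS_POLICY selects the TLS variant.
GCLOUD="${GCLOUD:-gcloud}"
ORG_ID="${ORG_ID:-ORG_ID_PLACEHOLDER}"
PROJECT_ID="${PROJECT_ID:-PROJECT_ID_PLACEHOLDER}"
ZONE="${ZONE:-us-west1-a}"     # the endpoint zone must be the workloads' zone
NETWORK="${NETWORK:-vpc-1}"
TLS_POLICY="${TLS_POLICY:-}"   # e.g. projects/PROJECT/locations/us-west1/tlsInspectionPolicies/NAME
# Step 1: threat prevention profile plus a severity override (assumed: deny CRITICAL and HIGH).
create_profile() {
  "$GCLOUD" network-security security-profiles threat-prevention create "$1" \
    --organization="$ORG_ID" --location=global
  "$GCLOUD" network-security security-profiles threat-prevention add-override "$1" \
    --organization="$ORG_ID" --location=global --severities=CRITICAL,HIGH --action=DENY
}
# Step 2: security profile group that references the profile.
create_group() {
  "$GCLOUD" network-security security-profile-groups create "$1" \
    --organization="$ORG_ID" --location=global \
    --threat-prevention-profile="organizations/$ORG_ID/locations/global/securityProfiles/$2"
}
# Step 3: firewall endpoint in the same zone as the workloads.
create_endpoint() {
  "$GCLOUD" network-security firewall-endpoints create "$1" \
    --organization="$ORG_ID" --zone="$ZONE" --billing-project="$PROJECT_ID"
}
# Step 4: associate the endpoint with the VPC; the TLS inspection policy rides on the association.
create_association() {
  tls=""; [ -n "$TLS_POLICY" ] && tls="--tls-inspection-policy=$TLS_POLICY"
  "$GCLOUD" network-security firewall-endpoint-associations create "$1" \
    --zone="$ZONE" --project="$PROJECT_ID" \
    --network="projects/$PROJECT_ID/global/networks/$NETWORK" \
    --endpoint="organizations/$ORG_ID/locations/$ZONE/firewallEndpoints/$2" $tls
}
# Step 5: attach the existing global policy to the same VPC and add the Layer 7 rule; --tls-inspect only with a TLS policy.
create_rule() {
  tls=""; [ -n "$TLS_POLICY" ] && tls="--tls-inspect"
  "$GCLOUD" compute network-firewall-policies associations create --firewall-policy="$1" \
    --global-firewall-policy --network="$NETWORK" --project="$PROJECT_ID"
  "$GCLOUD" compute network-firewall-policies rules create 1000 --firewall-policy="$1" \
    --global-firewall-policy --project="$PROJECT_ID" --direction=INGRESS \
    --src-ip-ranges=0.0.0.0/0 --layer4-configs=tcp:443 --action=apply_security_profile_group \
    --security-profile-group="organizations/$ORG_ID/locations/global/securityProfileGroups/$2" $tls
}
deploy_ips() {  # whole sequence; IPS_APPLY=1 runs it, GCLOUD=echo makes it a dry run
  create_profile sp-1 && create_group spg-1 sp-1 && create_endpoint fwe-1 &&
    create_association fwe-assoc-1 fwe-1 && create_rule fw-policy-1 spg-1
}
if [ "${IPS_APPLY:-0}" = "1" ]; then deploy_ips; fi
```

Run it once per VPC network and zone that needs coverage; the zone and network variables are what keep the endpoint, the association and the policy aligned with the workloads, which is the consistency the steps above insist on.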
Example deployment model
Figure 1 shows an example deployment with intrusion detection and prevention service configured for
two VPC networks in the same region but two different
zones.
Figure 1. Deploy intrusion detection and prevention service in a region (click to enlarge).
The example deployment has the following threat prevention configuration:
1. Two security profile groups:
   - Security profile group 1 with security profile Security profile 1.
   - Security profile group 2 with security profile Security profile 2.
2. Customer VPC 1 (VPC 1) has a firewall policy with security profile group
   set to Security profile group 1.
3. Customer VPC 2 (VPC 2) has a firewall policy with security profile group
   set to Security profile group 2.
4. Firewall endpoint Firewall endpoint 1 performs threat detection and
   prevention for workloads running on VPC 1 and VPC 2 in zone us-west1-a.
5. Firewall endpoint Firewall endpoint 2 performs threat detection and
   prevention with TLS inspection enabled for workloads running on VPC 1 and
   VPC 2 in zone us-west1-b.