
Firewall rules logging: a closer look at our new network compliance and security tool

October 19, 2018
Ines Envid

Group Product Manager

As you migrate your workloads to the cloud, you need full visibility into accesses into your cloud workloads, to ensure that every established connection is authorized, and that every unwanted connection attempt is successfully blocked. As we announced last week, we are boosting Google Cloud Platform’s (GCP) network security audit and forensic capabilities with the introduction of firewall rule logging, allowing you to track every connection that has been allowed or denied in your VM instances, in near-real-time.

Part of our Network Telemetry offerings, firewall rules logging lets you audit, verify, and analyze the effects of your firewall rules. In other words, you can validate that every connection established in your workload matches the conditions in your allow-access firewall rules, and similarly that every connection matching a deny-access firewall rule is blocked.

Additionally, firewall logs show allowed or denied connection records every five seconds, providing you with near real-time visibility into potential security risks.

[Image: firewall logs overview, https://storage.googleapis.com/gweb-cloudblog-publish/images/firewall_logs.max-600x600.png]

Firewall logs cover all firewall rules applied to every workload, including:

  • Allow and deny firewall rules

  • Ingress and egress connections

  • Connections from within a VPC and from the internet

The records generated by this process include a variety of data points, including the connection's 5-tuple, whether the disposition was ALLOWED or DENIED, and which rule was applied at the time of the log. You can also natively export this data to Stackdriver Logging or BigQuery. Or, using Cloud Pub/Sub, you can export these logs to any number of real-time analytics or SIEM platforms.

Debug, audit and analyze your network security

The availability of firewall rules logging is useful for a wide variety of network security operations tasks:

  • Network security debugging - Firewall logs allow you to troubleshoot network connections, telling you in near real-time whether your 5-tuple connections were allowed or denied, by which firewall rule name, and under which exact conditions.

  • Network security forensics - Firewall logs allow you to investigate suspicious and unwanted network behavior, for example, large numbers of unauthorized connections from specific sources that are being blocked from access.

  • Network security auditing and compliance - Firewall logs also help you ensure compliance, by logging every allowed connection and blocked unauthorized attempt at any given time. They also flag and log VM instances trying to initiate unauthorized egress connections.

  • Real-time security analysis - With the Cloud Pub/Sub API, you can easily export your logs into any SIEM ecosystem that you may already be using.
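The audit and forensic use cases above, worked through as an added example that is not code from the original post or from Google Cloud. It takes a batch of firewall log records (constructed sample lines in a simplified layout modelled on the fields the post names: the 5-tuple, the ALLOWED/DENIED disposition, and the rule applied; the field names are an assumption made here, not the exact export schema), checks that every logged disposition is explained by an approved rule inventory, and counts denied attempts per source so that a source generating many blocked connections stands out. The rule names and the threshold are also assumptions for the example.

```python
"""Audit and forensic checks over firewall-rule log records (added example).

Assumptions: records are JSON lines with a simplified field layout
(src_ip, src_port, dest_ip, dest_port, protocol, disposition, rule).
Real exports may use a different schema; adapt the field names accordingly.
"""
import json
from collections import Counter, defaultdict

# Constructed sample records, not real log data. One line is deliberately malformed.
SAMPLE_LOG_LINES = [
    '{"src_ip": "203.0.113.7", "src_port": 51001, "dest_ip": "10.128.0.5", "dest_port": 22, "protocol": "tcp", "disposition": "DENIED", "rule": "deny-ssh-from-internet"}',
    '{"src_ip": "203.0.113.7", "src_port": 51002, "dest_ip": "10.128.0.5", "dest_port": 3389, "protocol": "tcp", "disposition": "DENIED", "rule": "default-deny-ingress"}',
    '{"src_ip": "203.0.113.7", "src_port": 51003, "dest_ip": "10.128.0.6", "dest_port": 22, "protocol": "tcp", "disposition": "DENIED", "rule": "deny-ssh-from-internet"}',
    '{"src_ip": "10.128.0.9", "src_port": 40211, "dest_ip": "10.128.0.5", "dest_port": 443, "protocol": "tcp", "disposition": "ALLOWED", "rule": "allow-internal-https"}',
    '{"src_ip": "198.51.100.4", "src_port": 60500, "dest_ip": "10.128.0.5", "dest_port": 443, "protocol": "tcp", "disposition": "ALLOWED", "rule": "allow-https-from-internet"}',
    '{"src_ip": "10.128.0.5", "src_port": 33120, "dest_ip": "192.0.2.10", "dest_port": 9001, "protocol": "tcp", "disposition": "DENIED", "rule": "deny-egress-unapproved"}',
    '{"src_ip": "198.51.100.4", "src_port": 60501, "dest_ip": "10.128.0.5", "dest_port": 8080, "protocol": "tcp", "disposition": "ALLOWED", "rule": "allow-debug-temp"}',
    'this line is not valid JSON',
]

# Assumed rule inventory: the rules the security team has approved for this VPC.
APPROVED_ALLOW_RULES = {"allow-internal-https", "allow-https-from-internet"}
APPROVED_DENY_RULES = {"deny-ssh-from-internet", "default-deny-ingress", "deny-egress-unapproved"}

REQUIRED_FIELDS = {"src_ip", "src_port", "dest_ip", "dest_port", "protocol", "disposition", "rule"}


def parse_records(lines):
    """Parse JSON-lines records into dicts.

    Returns (records, malformed_count). Malformed or incomplete lines are
    counted and skipped rather than raised, so one bad line does not stop
    a whole export batch from being analysed (but the count is surfaced).
    """
    records, malformed = [], 0
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        if not isinstance(rec, dict) or not REQUIRED_FIELDS.issubset(rec):
            malformed += 1
            continue
        records.append(rec)
    return records, malformed


def five_tuple(rec):
    """The connection's 5-tuple as a hashable tuple."""
    return (rec["src_ip"], rec["src_port"], rec["dest_ip"], rec["dest_port"], rec["protocol"])


def audit_dispositions(records, allow_rules, deny_rules):
    """Compliance check: every ALLOWED record must cite an approved allow rule and
    every DENIED record an approved deny rule. Returns a list of
    (rule, reason, five_tuple) findings; an empty list means the log is consistent
    with the approved rule inventory.
    """
    findings = []
    for rec in records:
        disp, rule = rec["disposition"], rec["rule"]
        if disp == "ALLOWED" and rule not in allow_rules:
            findings.append((rule, "ALLOWED by a rule outside the approved allow set", five_tuple(rec)))
        elif disp == "DENIED" and rule not in deny_rules:
            findings.append((rule, "DENIED by a rule outside the approved deny set", five_tuple(rec)))
        elif disp not in ("ALLOWED", "DENIED"):
            findings.append((rule, f"unexpected disposition {disp!r}", five_tuple(rec)))
    return findings


def denied_sources(records, threshold):
    """Forensic check: count DENIED records per source IP and return
    {src_ip: (count, sorted destination ports)} for sources at or above
    the threshold. Egress denials show up here too, with the VM as the source.
    """
    counts = Counter()
    ports = defaultdict(set)
    for rec in records:
        if rec["disposition"] == "DENIED":
            counts[rec["src_ip"]] += 1
            ports[rec["src_ip"]].add(rec["dest_port"])
    return {ip: (n, sorted(ports[ip])) for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs, bad = parse_records(SAMPLE_LOG_LINES)
    print(f"parsed {len(recs)} records, skipped {bad} malformed line(s)")
    for rule, reason, conn in audit_dispositions(recs, APPROVED_ALLOW_RULES, APPROVED_DENY_RULES):
        print(f"audit finding: {reason}: rule={rule} connection={conn}")
    for ip, (n, dports) in denied_sources(recs, threshold=3).items():
        print(f"source {ip}: {n} denied attempts against ports {dports}")
```

On the sample data the audit reports one finding (an ALLOWED connection to port 8080 citing a rule that is not in the approved allow set, the kind of temporary rule that compliance reviews exist to catch), and the denied-source check surfaces 203.0.113.7 with three blocked attempts against ports 22 and 3389 while the single blocked egress attempt from 10.128.0.5 stays below the threshold. With a Pub/Sub export the same functions can be run over each delivered batch instead of a static list.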

To learn more about firewall rules logging, including how to get started and pricing, please visit the documentation and product page.