Verify that an IDS endpoint is functional
To confirm that an IDS endpoint is functional, do the following:
- Verify that the IDS endpoint appears in the Cloud IDS Google Cloud console,
and that there is a packet mirroring policy in the
Attached Policiescolumn. - Ensure that the attached policy is enabled by clicking the policy name, and
make sure that
Policy Enforcementis set to Enabled. - To verify that traffic is being mirrored, choose a VM Instance in the
monitored VPC, go to the Observability tab, and make sure that the
Mirrored Bytesdashboard shows traffic being mirrored to the IDS endpoint. - Ensure that the same traffic (or VM) is not affected by more than one
packet mirroring policy, as each packet can be mirrored to only one
destination. Check the
Attached Policiescolumn, and ensure that there is only one policy per VM. Generate a test alert by using SSH to connect to a VM in the monitored network, then run the following command:
curl http://example.com/cgi-bin/../../../..//bin/cat%%20/etc/passwd
If curl is unavailable on the platform, you can use a similar tool for performing HTTP requests.
After a few seconds, an alert should show up in both the Cloud IDS UI and in Cloud Logging (Threat Log).
Decrypting traffic for inspection
Cloud IDS needs to see decrypted traffic. You can decrypt traffic at the L7 load balancer, or deploy a third party appliance. If you want to decrypt traffic at the load balancing level, read the following section.
Because external Application Load Balancers require SSL certificates, SSL traffic between the load balancer and the client is encrypted. Traffic from the GFE to the backends is standard HTTP traffic, which Cloud IDS can inspect. See the following resources for setting up decryption:
Only a small volume of traffic is inspected
Cloud IDS can only inspect traffic to VMs or GKE Pods. If your subnet or VPC does not contain any VMs or GKE Pods, Cloud IDS cannot inspect the traffic directed toward your other resources.