Troubleshooting

Verifying that an IDS endpoint is functional

To confirm that an IDS endpoint is functional, do the following:

  1. Verify that the IDS endpoint appears in the Cloud IDS Google Cloud Console, and that there is a packet mirroring policy in the Attached Policies column.
  2. Ensure that the attached policy is enabled by clicking the policy name, and make sure that Policy Enforcement is set to Enabled.
  3. To verify that traffic is being mirrored, choose a VM Instance in the monitored VPC, go to the Observability tab, and make sure that the Mirrored Bytes dashboard shows traffic being mirrored to the IDS endpoint.
  4. Ensure that the same traffic (or VM) is not affected by more than one packet mirroring policy, as each packet can be mirrored to only one destination. Check the Attached Policies column, and ensure that there is only one policy per VM.
  5. Generate a test alert by using SSH to connect to a VM in the monitored network, then run the following command:

    curl http://example.com/cgi-bin/../../../..//bin/cat%%20/etc/passwd
    

    If curl is unavailable on the platform, you can use a similar tool for performing HTTP requests.

    After a few seconds, an alert should show up in both the Cloud IDS UI and in Cloud Logging (Threat Log).

Decrypting traffic for inspection

Cloud IDS needs to see decrypted traffic. You can decrypt traffic at the L7 load balancer, or deploy a third party appliance. If you want to decrypt traffic at the load balancing level, read the following section.

Because external HTTP(S) load balancer require SSL certificates, SSL traffic between the load balancer and the client is encrypted. Traffic from the GFE to the backends is standard HTTP traffic, which Cloud IDS can inspect. See the following resources for setting up decryption: