Troubleshoot endpoints and inspection

Verify that an IDS endpoint is functional

To confirm that an IDS endpoint is functional, do the following:

  1. Verify that the IDS endpoint appears in the Cloud IDS Google Cloud console, and that there is a packet mirroring policy in the Attached Policies column.
  2. Ensure that the attached policy is enabled by clicking the policy name, and make sure that Policy Enforcement is set to Enabled.
  3. To verify that traffic is being mirrored, choose a VM Instance in the monitored VPC, go to the Observability tab, and make sure that the Mirrored Bytes dashboard shows traffic being mirrored to the IDS endpoint.
  4. Ensure that the same traffic (or VM) is not affected by more than one packet mirroring policy, as each packet can be mirrored to only one destination. Check the Attached Policies column, and ensure that there is only one policy per VM.
  5. Generate a test alert by using SSH to connect to a VM in the monitored network, then run the following command:

    curl http://example.com/cgi-bin/../../../..//bin/cat%20/etc/passwd

    If curl is unavailable on the platform, you can use a similar tool for performing HTTP requests.

    After a few seconds, an alert should show up in both the Cloud IDS UI and in Cloud Logging (Threat Log).
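Step 4's check, as an added example that is not part of the Cloud IDS documentation: given policies in the shape of `gcloud compute packet-mirrorings list --format=json` (the `enable` and `mirroredResources` field names, and the rule that a VM matches if it is listed explicitly, sits in a mirrored subnet, or carries a mirrored tag, are assumptions based on the Compute Engine packet mirroring resource), it reports VMs covered by more than one enabled policy and VMs covered by none. All URLs, names and tags below are constructed sample values.

```python
"""Flag VMs mirrored by more than one enabled packet mirroring policy."""
from typing import Dict, List

# Constructed sample in the shape of `gcloud compute packet-mirrorings list --format=json`.
# Field names follow the Compute Engine packetMirrorings resource (assumption).
POLICIES = [
    {"name": "ids-policy-web", "enable": "TRUE",
     "mirroredResources": {"subnetworks": [{"url": "regions/us-central1/subnetworks/web-subnet"}]}},
    {"name": "ids-policy-tagged", "enable": "TRUE",
     "mirroredResources": {"tags": ["mirror-to-ids"]}},
    {"name": "ids-policy-db", "enable": "TRUE",
     "mirroredResources": {"instances": [{"url": "zones/us-central1-a/instances/db-1"}]}},
    {"name": "ids-policy-old", "enable": "FALSE",  # disabled: mirrors nothing
     "mirroredResources": {"instances": [{"url": "zones/us-central1-a/instances/db-1"}]}},
]

# Constructed sample of VMs in the monitored VPC (subnet and network tags per VM).
INSTANCES = [
    {"url": "zones/us-central1-a/instances/web-1",
     "subnetwork": "regions/us-central1/subnetworks/web-subnet", "tags": ["mirror-to-ids"]},
    {"url": "zones/us-central1-a/instances/db-1",
     "subnetwork": "regions/us-central1/subnetworks/db-subnet", "tags": []},
    {"url": "zones/us-central1-a/instances/app-1",
     "subnetwork": "regions/us-central1/subnetworks/app-subnet", "tags": []},
]


def policies_for_instance(instance: dict, policies: List[dict],
                          include_disabled: bool = False) -> List[str]:
    """Names of policies whose mirrored sources select this VM (union of selectors, assumed)."""
    matches = []
    for policy in policies:
        if not include_disabled and policy.get("enable") != "TRUE":
            continue  # Policy Enforcement disabled: the policy does not mirror traffic
        sources = policy.get("mirroredResources", {})
        by_instance = any(i["url"] == instance["url"] for i in sources.get("instances", []))
        by_subnet = any(s["url"] == instance["subnetwork"] for s in sources.get("subnetworks", []))
        by_tag = bool(set(sources.get("tags", [])) & set(instance.get("tags", [])))
        if by_instance or by_subnet or by_tag:
            matches.append(policy["name"])
    return matches


def check_coverage(instances: List[dict], policies: List[dict]) -> Dict[str, object]:
    """Report VMs with more than one enabled policy (only one destination is possible) or none."""
    report: Dict[str, object] = {"overlapping": {}, "unmirrored": []}
    for instance in instances:
        names = policies_for_instance(instance, policies)
        if len(names) > 1:
            report["overlapping"][instance["url"]] = names
        elif not names:
            report["unmirrored"].append(instance["url"])
    return report
```

In the sample, `web-1` is selected by both the subnet policy and the tag policy and is therefore flagged, while the disabled `ids-policy-old` is ignored for `db-1`.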

Decrypting traffic for inspection

Cloud IDS needs to see decrypted traffic. You can decrypt traffic at the L7 load balancer, or deploy a third-party appliance that terminates TLS. If you want to decrypt traffic at the load balancing level, read the following section.

Because external Application Load Balancers require SSL certificates, SSL traffic between the client and the load balancer is encrypted there. Traffic from the Google Front End (GFE) to the backends is standard HTTP traffic, which Cloud IDS can inspect. See the following resources for setting up decryption:

Only a small volume of traffic is inspected

Cloud IDS can only inspect traffic to VMs or GKE Pods. If your subnet or VPC does not contain any VMs or GKE Pods, Cloud IDS cannot inspect the traffic directed toward your other resources.

Endpoint policies are ignored when using Cloud Next Generation Firewall

When you use Cloud Next Generation Firewall L7 inspection policies and Cloud IDS endpoint policies, ensure that the policies don't apply to the same traffic. If the policies overlap, the L7 inspection policy takes priority, and the traffic is not mirrored.