Firewall Insights overview

Firewall Insights enables you to better understand and safely optimize your firewall configurations. Firewall Insights provides reports that contain information about firewall usage and the impact of various firewall rules on your Virtual Private Cloud (VPC) network.

For more information about Insights concepts, see Insights in the Recommender documentation.

Benefits

Firewall Insights metric reports and insight reports enable you to manage your firewall configurations in the following ways.

With metrics reports, you can perform the following tasks:

  • Verify that firewall rules are being used in the intended way.
  • Over specified time periods, verify that firewall rules allow or block their intended connections.
  • Perform live debugging of connections that are inadvertently dropped due to firewall rules.
  • Use Cloud Monitoring to discover malicious attempts to access your network, including getting alerts when there are significant changes in the hit counts of firewall rules.

With insight reports, you can review the results of an intelligent analysis that results in one or more insights. These insights enable you to perform the following tasks:

Metrics reports

The metrics that track firewall utilization help you to analyze the usage of firewall rules in your VPC network. Metrics are available through the Cloud Monitoring API.

For more information, see Viewing Firewall Insights metrics.

Firewall hit count metrics

Firewall Insights tracks the firewall hit count for all traffic logged by Firewall Rules Logging. For each firewall rule with logging enabled, you can see how many times the firewall rule has blocked or allowed connections. You can also see these metrics for the interface of specific virtual machine (VM) instances.

The data for a hit count can lag several minutes behind the actual event. Firewall Insights only generates firewall hit count metrics for traffic that fits the specifications for Firewall Rules Logging. For example, only TCP and UDP traffic can be logged.

Firewall last used metrics

You can see the last time a particular firewall rule was applied to allow or deny traffic by viewing the Firewall last used metrics. Viewing these metrics enables you to find out which firewall rules haven't been used recently.

This metric captures the total hit count for the last 24 months or for however long logging has been enabled, whichever is less. This time period is determined by the retention period for Cloud Logging. If the last hit occurred before the last 24 months, the last hit time is shown as N/A (not applicable).

Firewall rule usage metrics are accurate only for the period of time during which Firewall Rules Logging is enabled.

Insight reports

Insight reports give you an intelligent analysis of the configuration of your firewalls. A report contains one or more insights.

Insight types and states

The insight type for Firewall Insights is called google.compute.firewall.Insight.

Each insight can have one of the following states, which you can change as described in the following table.

State      Description
ACTIVE     The insight is active. Google continues to update content for ACTIVE insights based on the latest information.
DISMISSED  The insight is dismissed and is no longer shown on any active insight list to any user. You can restore the DISMISSED state back to ACTIVE on the Dismissed History page.

For more information, see Marking an insight as DISMISSED.

Shadowed firewall rules

Firewall Insights analyzes your firewall rules to detect firewall rules that are shadowed by other rules. A shadowed rule is a firewall rule that has all of its relevant attributes, such as IP address range and ports, overlapped by attributes from one or more other firewall rules with higher or equal priority, called shadowing rules.

Enabling the Firewall Insights API is required for generating shadowed-firewall-rule insights. Shadowed rules are calculated within 24 hours after you enable Firewall Rules Logging, and shadowed rules information is refreshed daily.

Examples of shadowed rules

In the following examples, some shadowed rules and shadowing rules differ only in their source IP range filters, and others differ in rule priority.

The following table shows firewall rules A through E. See the sections that follow the table for different shadowed rule scenarios.

Rule             Type     Targets       Filters       Protocols or ports  Action  Priority
Firewall rule A  Ingress  Apply to all  10.10.0.0/16  tcp:80              Allow   1000
Firewall rule B  Ingress  Apply to all  10.10.0.0/24  tcp:80              Allow   1000
Firewall rule C  Ingress  web           10.10.2.0/24  tcp:80, tcp:443     Allow   1000
Firewall rule D  Ingress  web           10.10.2.0/24  tcp:80              Deny    900
Firewall rule E  Ingress  web           10.10.2.0/24  tcp:443             Deny    900

Example 1: Firewall rule B is shadowed by firewall rule A

In this example, there are two firewall rules, A and B. These rules are almost the same, except for their source IP range filters. Firewall rule A's IP range is 10.10.0.0/16, while firewall rule B's address range is 10.10.0.0/24. Thus, firewall rule B is shadowed by firewall rule A.

The shadowed firewall rules insight usually indicates firewall misconfiguration. For example, firewall rule A's IP filters setting is unnecessarily broad, or firewall rule B's filters setting is too restrictive and not needed.

Example 2: Firewall rule C is shadowed by firewall rules D and E

In this example, there are three firewall rules: C, D, and E. Firewall rule C allows the ingress of HTTP (port 80) and HTTPS (port 443) web traffic, and has a priority of 1000 (the default priority). Firewall rules D and E deny the ingress of HTTP and HTTPS web traffic, respectively, and both have a priority of 900 (a higher priority). Thus, firewall rule C is shadowed by firewall rules D and E combined.
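The shadowing check behind the two examples above, worked through as an added Python model that is not Google's algorithm or code from this page: a rule counts as shadowed when rules of equal or higher priority (a lower number, as with 900 over 1000), in the same direction, with matching targets and a source range that contains its own, together cover every protocol and port it lists. The model assumes two simplifications: port coverage may be combined across several rules, but each shadowing rule must contain the whole source range by itself, and targets must either match the tag exactly or be "Apply to all".

```python
import ipaddress
from collections import namedtuple

# Fields: name, direction, targets ("Apply to all" or one tag), source CIDR, protocol entries
# such as "tcp:80" / "tcp:1-1024" / "udp" (all ports), action, priority (lower = higher).
Rule = namedtuple("Rule", "name direction targets src_range protocols action priority")

def port_map(rule):
    """Expand a rule's protocol entries into {proto: set(ports)}."""
    ports = {}
    for entry in rule.protocols:
        proto, _, spec = entry.partition(":")
        lo, _, hi = spec.partition("-")
        span = range(65536) if not spec else range(int(lo), int(hi or lo) + 1)
        ports.setdefault(proto, set()).update(span)
    return ports

def covers(outer, inner):
    """True if `outer` matches at least the direction, targets and source range of `inner`."""
    return (outer.direction == inner.direction
            and outer.targets in ("Apply to all", inner.targets)
            and ipaddress.ip_network(inner.src_range).subnet_of(
                ipaddress.ip_network(outer.src_range)))

def shadowing_rules(rule, rules):
    """Names of higher-or-equal-priority rules that together cover every protocol/port
    of `rule` (highest priority consulted first); [] if some port stays reachable."""
    candidates = sorted((r for r in rules if r.name != rule.name
                         and r.priority <= rule.priority and covers(r, rule)),
                        key=lambda r: (r.priority, r.name))
    used = []
    for proto, ports in port_map(rule).items():
        remaining = set(ports)
        for cand in candidates:
            hit = remaining & port_map(cand).get(proto, set())
            if hit and cand.name not in used:
                used.append(cand.name)
            remaining -= hit
        if remaining:
            return []
    return used

# Rules A-E from the table above, transcribed as constructed sample input.
RULES = [
    Rule("A", "Ingress", "Apply to all", "10.10.0.0/16", ("tcp:80",), "Allow", 1000),
    Rule("B", "Ingress", "Apply to all", "10.10.0.0/24", ("tcp:80",), "Allow", 1000),
    Rule("C", "Ingress", "web", "10.10.2.0/24", ("tcp:80", "tcp:443"), "Allow", 1000),
    Rule("D", "Ingress", "web", "10.10.2.0/24", ("tcp:80",), "Deny", 900),
    Rule("E", "Ingress", "web", "10.10.2.0/24", ("tcp:443",), "Deny", 900),
]

def shadow_report(rules=RULES):
    """Map each rule name to the rules shadowing it ([] means not shadowed)."""
    return {r.name: shadowing_rules(r, rules) for r in rules}
```

Calling shadow_report() reproduces the page's findings: B is shadowed by A, C by D and E combined, and A, D and E are not shadowed.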

Allow rules with no hit in the observation period

The data provided by the Cloud Console for this metric is based on Firewall Rules Logging. The data is accurate only if Firewall Rules Logging has been continuously enabled for the firewall rule for the relevant time period. Otherwise, the actual count could be higher than indicated. The default observation period is six weeks.

Deny rules with hits in the observation period

When you enable Firewall Rules Logging, Firewall Insights analyzes logs to surface insights for any deny rule used in the specified observation period, which by default is the last 24 hours.

These insights provide you with firewall packet-drop signals, which you can check to verify that the dropped packets are expected due to security protections, or that they are unexpected due to network misconfigurations, for example.

Where you can view metrics and insights

You can view Firewall Insights metrics and insights in the following Cloud Console locations:

What's next