Firewall Insights overview

Firewall Insights helps you better understand and safely optimize your firewall rules. It provides data about how your firewall rules are being used, exposes misconfigurations, and identifies rules that could be made more strict. It also uses machine learning to predict future usage of your firewall rules so that you can make informed decisions about whether to remove or tighten rules that appear to be overly permissive. Features designed to identify overly permissive rules are currently in preview.

Firewall Insights uses Cloud Monitoring metrics and Recommender insights. For background on these products, see the following documentation:

Benefits

Firewall Insights produces metrics and insights that let you make better decisions about your firewall rules.

With Firewall Insights metrics, you can perform the following tasks:

  • Verify that firewall rules are being used in the intended way.
  • Over specified time periods, verify that firewall rules allow or block their intended connections.
  • Perform live debugging of connections that are inadvertently dropped because of firewall rules.
  • Discover malicious attempts to access your network, in part by getting alerts about significant changes in the hit counts of firewall rules.

With insights, you can perform the following tasks:

  • Identify firewall misconfigurations.
  • Identify security attacks.
  • Optimize firewall rules and tighten security boundaries by identifying overly permissive allow rules and reviewing predictions about their future usage. These capabilities are in preview.

Metrics

Firewall Insights metrics let you analyze the way that your firewall rules are being used. Firewall Insights metrics are available through Cloud Monitoring and the Google Cloud Console. Metrics are derived through Firewall Rules Logging.

For more information, see Viewing Firewall Insights metrics.

Firewall hit count metrics

The firewall_hit_count metric tracks the hit count for firewall rules. To do this, it evaluates all traffic logged by Firewall Rules Logging. For each firewall rule with logging enabled, you can see how many times the firewall rule has blocked or allowed connections. You can also see these metrics for the interface of specific virtual machine (VM) instances.

The data for a hit count can lag several minutes behind the actual event. Firewall Insights generates firewall hit count metrics only for traffic that fits the specifications for Firewall Rules Logging. For example, only TCP and UDP traffic can be logged.

Firewall last used metrics

You can see the last time a particular firewall rule was applied to allow or deny traffic by viewing the firewall_last_used_timestamp metric. Viewing these metrics lets you see which firewall rules haven't been used recently.

This metric captures the total hit count for the last 24 months or for however long logging has been enabled, whichever is less. This time period is determined by the retention period for Cloud Logging. If the last hit occurred before the last 24 months, the last hit time is shown as N/A (not applicable).

Firewall rule usage metrics are accurate only for the period of time during which Firewall Rules Logging is enabled.

Insights

Insights provide analysis about your firewall rule configuration and usage of your firewall rules. They use the google.compute.firewall.Insight insight type.

Insight categories and states

This section describes the categories of Firewall Insights, as well as the states that an insight can have.

Insight categories

Within Firewall Insights, insights fall into two general categories. These categories are described in the following table.

Category: Configuration-based
Description: These insights are generated based on data about how your firewall rules are configured.
Insights:
  • Shadowed rules

Category: Log-based
Description: These insights are generated based on logging about the usage of your firewall rules, plus information about how the rules are configured.
Insights:
  • Overly permissive rules (preview):
    • Allow rules with no hits
    • Allow rules with unused attributes
    • Allow rules with overly permissive IP address or port ranges
  • Deny rules with hits

Insight states

Each insight can have one of the following states, which you can change as described in the following table.

State      Description
ACTIVE     The insight is active. Google continues to update content for ACTIVE insights based on the latest information.
DISMISSED  The insight is dismissed and is no longer shown on any active insight list to any user. You can restore a DISMISSED insight to the ACTIVE state on the Dismissed History page.

For more information, see Marking an insight as dismissed.

Shadowed rules

Firewall Insights analyzes your firewall rules to detect firewall rules that are shadowed by other rules. A shadowed rule is a firewall rule that has all of its relevant attributes, such as its IP address and port ranges, overlapped by attributes from one or more rules with higher or equal priority, called shadowing rules.

Enabling the Firewall Insights API is required for generating shadowed-firewall-rule insights. Shadowed rules are calculated within 24 hours after you enable Firewall Rules Logging, and shadowed rules information is refreshed daily.

Firewall Insights does not identify all possible shadowing rules. Specifically, it does not identify that the tags of a firewall rule have been shadowed by multiple tags from other firewall rules.

Examples of shadowed rules

In this example, some shadowed rules and shadowing rules have overlapping source IP range filters, and others have differing rule priorities.

The following table shows firewall rules A through E. For different shadowed rule scenarios, see the sections that follow the table.

Rule             Type     Targets       Filters       Protocols or ports  Action  Priority
Firewall rule A  Ingress  Apply to all  10.10.0.0/16  tcp:80              Allow   1000
Firewall rule B  Ingress  Apply to all  10.10.0.0/24  tcp:80              Allow   1000
Firewall rule C  Ingress  web           10.10.2.0/24  tcp:80, tcp:443     Allow   1000
Firewall rule D  Ingress  web           10.10.2.0/24  tcp:80              Deny    900
Firewall rule E  Ingress  web           10.10.2.0/24  tcp:443             Deny    900

Example 1: Firewall rule B is shadowed by firewall rule A

In this example, there are two firewall rules, A and B. These rules are almost the same, except for their source IP range filters. Firewall rule A's IP range is 10.10.0.0/16, while firewall rule B's address range is 10.10.0.0/24. Because 10.10.0.0/24 lies entirely within 10.10.0.0/16 and the two rules have equal priority, every connection that firewall rule B could match is already matched by firewall rule A. Thus, firewall rule B is shadowed by firewall rule A.

The shadowed firewall rules insight usually indicates firewall misconfiguration. For example, firewall rule A's IP filters setting is unnecessarily broad, or firewall rule B's filters setting is too restrictive and not needed.

Example 2: Firewall rule C is shadowed by firewall rules D and E

In this example, there are three firewall rules: C, D, and E. Firewall rule C allows the ingress of HTTP port 80 and HTTPS port 443 web traffic, and has a priority of 1000 (default priority). Firewall rules D and E deny the ingress of HTTP and HTTPS web traffic, respectively, and both have a priority of 900 (high priority). Because D and E have the same targets and source range as C and together cover both of its ports at a higher priority, firewall rule C is shadowed by firewall rules D and E combined.
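The shadowing check behind both examples, as an added illustration that is not Firewall Insights code: it models the five ingress rules from the table above and reports, for each rule, which higher-or-equal-priority rules together cover every source range and protocol/port combination it matches. Assumptions: only ingress rules, "Apply to all" modelled as an empty tag set, and the simplification that the highest-priority covering rule is reported for each combination (the real product's matching is more detailed and, as noted above, does not detect tags shadowed by multiple tags).

```python
from collections import namedtuple
from ipaddress import ip_network
# targets: frozenset of target tags, empty = "Apply to all"; sources: CIDR strings;
# ports: "tcp:80" or "udp:1000-2000"; priority: lower number = higher priority.
# The action is not modelled: a deny rule can shadow an allow rule (example 2).
Rule = namedtuple("Rule", "name targets sources ports priority")

def expand_ports(specs):
    """Turn 'tcp:80' / 'udp:1000-2000' into a set of (proto, port) pairs."""
    out = set()
    for spec in specs:
        proto, rng = spec.split(":")
        lo, _, hi = rng.partition("-")
        out.update((proto, p) for p in range(int(lo), int(hi or lo) + 1))
    return out

def covers_targets(shadower, shadowed):
    """True if every instance matched by `shadowed` is also matched by `shadower`."""
    if not shadower.targets:      # "Apply to all" covers everything
        return True
    return bool(shadowed.targets) and shadowed.targets <= shadower.targets

def shadowing_rules(rule, rules):
    """Names of rules that together cover every (source range, proto/port) pair of
    `rule` at higher or equal priority; the highest-priority covering rule is chosen
    per pair. An empty set means the rule is not shadowed."""
    candidates = sorted((r for r in rules if r is not rule and r.priority <= rule.priority
                         and covers_targets(r, rule)), key=lambda r: r.priority)
    cand_ports = {r.name: expand_ports(r.ports) for r in candidates}
    found = set()
    for src in map(ip_network, rule.sources):
        for pp in expand_ports(rule.ports):
            hit = next((r for r in candidates if pp in cand_ports[r.name]
                        and any(src.subnet_of(ip_network(s)) for s in r.sources)), None)
            if hit is None:
                return set()      # some traffic still reaches `rule`
            found.add(hit.name)
    return found

# The five ingress rules from the table above.
RULES = [
    Rule("A", frozenset(), ("10.10.0.0/16",), ("tcp:80",), 1000),
    Rule("B", frozenset(), ("10.10.0.0/24",), ("tcp:80",), 1000),
    Rule("C", frozenset({"web"}), ("10.10.2.0/24",), ("tcp:80", "tcp:443"), 1000),
    Rule("D", frozenset({"web"}), ("10.10.2.0/24",), ("tcp:80",), 900),
    Rule("E", frozenset({"web"}), ("10.10.2.0/24",), ("tcp:443",), 900),
]

def shadow_report(rules=RULES):
    return {r.name: sorted(shadowing_rules(r, rules)) for r in rules}
```

Running shadow_report() reports B shadowed by A and C shadowed by D and E, while A, D and E are not shadowed because some of their traffic is matched by no other rule at equal or higher priority.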

Overly permissive rules

Firewall Insights provides comprehensive analysis of whether your firewall rules are overly permissive. This analysis includes the following insights:

  • Allow rules with no hits
  • Allow rules with unused attributes
  • Allow rules with overly permissive IP address or port ranges

As described in Machine learning predictions, some of these insights include predictions about whether a rule or attribute is likely to be hit in the future.

Overly permissive rule insights evaluate firewall rules that are enforced for TCP and UDP traffic. If a firewall rule allows or denies any other type of traffic, it is not included in overly permissive rules insight analysis.

The data provided by these insights is based on Firewall Rules Logging. This data is accurate only if Firewall Rules Logging has been continuously enabled for the entire observation period. Otherwise, the actual number of rules in each insight category could be higher than indicated.

Allow rules with no hits

This insight identifies allow rules that had no hits during the observation period.

For each rule identified, this insight also reports the probability of whether the rule is likely to be hit in the future. This prediction is produced by a machine learning (ML) analysis that takes into account the historical traffic pattern of this rule and similar rules in the same organization.

To help you understand the prediction, this insight identifies similar rules in the same project to the rule that the insight identified. The insight lists the hit count of these rules and summarizes their configuration details. These details include each rule's priority and attributes, such as its IP address and port ranges.

For information about the predictions that Firewall Insights uses, see Machine learning predictions.

Allow rules with unused attributes

For allow rules that were hit during the observation period, this insight reports any attributes of this rule—such as IP address and port ranges—that were not hit during the same period.

For these unused attributes, this insight reports the probability of whether they will be hit in the future. This prediction is based on an ML analysis that takes into account the historical traffic patterns of this rule and similar rules in the same organization.

To help you understand the prediction, the insight summarizes other firewall rules in the same project that have similar attributes. This summary includes data about whether those rules' attributes were hit.

For information about the predictions that Firewall Insights uses, see Machine learning predictions.

Allow rules with overly permissive IP address or port ranges

For allow rules that were hit during the observation period, this insight identifies rules that might have overly broad IP address or port ranges.

This insight is useful because firewall rules are often created with a broader scope than is necessary. An overly broad scope can lead to security risks.

This insight helps mitigate this problem by analyzing the actual usage of your rules' IP address and port ranges. For rules with overly broad ranges, it also suggests an alternate combination of IP address and port ranges. With this knowledge, you can remove the ranges that appear to be unneeded based on traffic patterns during the observation period.

Be aware that your project might have firewall rules that allow access from certain IP address blocks for load balancer health checks or for other Google Cloud functionality. These IP addresses might not be hit, but they should not be removed from your firewall rules. For more information about these ranges, see the Compute Engine documentation.
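The unused-attribute and overly-broad-range analysis described in the two preceding sections, as an added example that is not Firewall Insights code: it credits constructed Firewall Rules Logging hits to the source ranges and ports of one constructed allow rule, lists the attributes that were never hit, and proposes the narrowed rule, with a keep list for ranges such as health-check addresses that must stay even when unhit. The rule name, hits and the 192.0.2.0/24 stand-in range are all constructed; port specs are assumed to be single ports.

```python
from ipaddress import ip_address, ip_network

# Constructed allow rule (hypothetical values); 192.0.2.0/24 stands in for a range such
# as a load balancer health-check range that sees no hits but must not be removed.
RULE = {
    "name": "allow-web-and-ssh",
    "sources": ["10.0.1.0/24", "10.0.2.0/24", "0.0.0.0/0", "192.0.2.0/24"],
    "ports": ["tcp:80", "tcp:443", "tcp:22"],   # single-port specs only
}

# Constructed Firewall Rules Logging hits for RULE during the observation period:
# (source IP, "proto:port").
HITS = [
    ("10.0.1.15", "tcp:80"), ("10.0.1.16", "tcp:443"),
    ("10.0.1.15", "tcp:80"), ("10.0.2.7", "tcp:443"),
]

def unused_attributes(rule, hits):
    """Source ranges and port specs of `rule` that no logged hit matched.
    A hit is credited to the most specific listed range containing it, so
    0.0.0.0/0 stays unused when every hit falls inside one of the /24s."""
    nets = sorted((ip_network(s) for s in rule["sources"]),
                  key=lambda n: n.prefixlen, reverse=True)
    used_sources, used_ports = set(), set()
    for ip, pp in hits:
        addr = ip_address(ip)
        net = next((n for n in nets if addr in n), None)
        if net is not None:
            used_sources.add(str(net))
        if pp in rule["ports"]:
            used_ports.add(pp)
    return {
        "unused_sources": [s for s in rule["sources"] if s not in used_sources],
        "unused_ports": [p for p in rule["ports"] if p not in used_ports],
    }

def narrowed_rule(rule, hits, keep=()):
    """Suggested tighter rule: drop unused attributes, except sources listed in `keep`."""
    unused = unused_attributes(rule, hits)
    return {
        "name": rule["name"],
        "sources": [s for s in rule["sources"]
                    if s in keep or s not in unused["unused_sources"]],
        "ports": [p for p in rule["ports"] if p not in unused["unused_ports"]],
    }
```

As the page notes, the result is only trustworthy if logging was enabled for the whole observation period; with a gap in logging, an attribute can appear unused simply because its hits were never recorded.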

Machine learning predictions

As described in the preceding sections, two insights—allow rules with no hits and allow rules with unused attributes—use ML predictions.

To generate predictions, Firewall Insights trains an ML model across all of the firewall rules in the same organization. In this way, Firewall Insights learns common patterns. For example, Firewall Insights learns about combinations of attributes that tend to be hit. These attributes can include IP address ranges, port ranges, and IP protocols. If the firewall rule that is being analyzed contains some of the common patterns that historically have been likely to be hit, Firewall Insights has higher confidence that the rule might be hit in the future. The reverse is also true.

For each insight that uses predictions, Firewall Insights shows details about rules that were considered similar to the rule identified by the insight. Specifically, in the Insight details panel, Firewall Insights shows details about the three rules that are most similar to the rule that is the subject of the prediction. The more overlap exists between two rules' attributes, the more similar they are considered.

For allow rules with no hits, consider the following example:

Suppose Rule A has the following attributes:

Source IP ranges: 10.0.1.0/24
Target tags: http-server
Protocol and ports: TCP:80

And suppose Rule B has the following attributes:

Source IP ranges: 10.0.2.0/24
Target tags: http-server
Protocol and ports: TCP:80

These two rules share the same target tags, protocol attributes, and port attributes. They differ only in source attribute. For this reason, they are considered similar.

For allow rules with unused attributes, similarity is determined in the same way. For this insight, Firewall Insights considers rules similar when their configuration includes the same attributes.

Deny rules with hits

This insight provides details about deny rules that had hits during the observation period.

These insights provide you with firewall packet-drop signals. You can then check to see whether the dropped packets are expected due to security protections or whether they are the result of network misconfiguration.

Where you can view metrics and insights

You can view Firewall Insights metrics and insights in the following Cloud Console locations:

What's next