Firewall Insights enables you to better understand and safely optimize your firewall configurations. Firewall Insights provides reports that contain information about firewall usage and the impact of various firewall rules on your Virtual Private Cloud (VPC) network.
For more information about Insights concepts, see Insights in the Recommender documentation.
Benefits
Firewall Insights metric reports and insight reports enable you to manage your firewall configurations in the following ways.
With metrics reports, you can perform the following tasks:
- Verify that firewall rules are being used in the intended way.
- Over specified time periods, verify that firewall rules allow or block their intended connections.
- Perform live debugging of connections that are inadvertently dropped due to firewall rules.
- Use Cloud Monitoring to discover malicious attempts to access your network, including getting alerts when there are significant changes in the hit counts of firewall rules.
With insight reports, you can review the results of an intelligent analysis that results in one or more insights. These insights enable you to perform the following tasks:
- Identify firewall misconfigurations.
- Identify security attacks.
- Optimize firewall rules and tighten security boundaries by detecting and
removing
allowrules that have not been used during an observation period (the time period leading up to the insight), which defaults to 6 weeks but is customizable from one day to 24 months.
Metrics reports
The metrics that track firewall utilization help you to analyze the usage of firewall rules in your VPC network. Metrics are available through the API for Cloud Monitoring.
For more information, see Viewing Firewall Insights metrics.
Firewall hit count metrics
Firewall Insights tracks the firewall hit count for all traffic logged by Firewall Rules Logging. For each firewall rule with logging enabled, you can see how many times the firewall rule has blocked or allowed connections. You can also see these metrics for the interface of specific virtual machine (VM) instances.
The data for a hit count can lag several minutes behind the actual event. Firewall Insights only generates firewall hit count metrics for traffic that fits the specifications for Firewall Rules Logging. For example, only TCP and UDP traffic can be logged.
Firewall last used metrics
You can see the last time a particular firewall rule was applied to allow or
deny traffic by viewing the Firewall last used metrics. Viewing these metrics
enables you to find out which firewall rules haven't been used recently.
This metric captures the total hit count for the last 24 months or for
however long logging has been enabled, whichever is less. This time
period is determined by the retention period for Cloud Logging.
If the last hit occurred before the last 24 months, the last hit time is
shown as N/A (not applicable).
Firewall rule usage metrics are accurate only for the period of time during which Firewall Rules Logging is enabled.
Insight reports
Insight reports give you an intelligent analysis of the configuration of your firewalls. A report contains one or more insights.
Insight types and states
The insight type for Firewall Insights is called
google.compute.firewall.Insight.
Each insight can have one of the following states, which you can change as described in the following table.
| State | Description |
|---|---|
ACTIVE |
The insight is active. Google continues to update content for
ACTIVE insights based on the latest information. |
DISMISSED |
The insight is dismissed and is no longer shown on any active
insight list to any user. You can restore the For more information, see
Marking
an insight as |
Shadowed firewall rules
Firewall Insights analyzes your firewall rules to detect firewall rules that are shadowed by other rules. A shadowed rule is a firewall rule that has all of its relevant attributes, such as IP address range and ports, overlapped by attributes from one or more other firewall rules with higher or equal priority, called shadowing rules.
Enabling the Firewall Insights API
is required for generating shadowed-firewall-rule insights.
Shadowed rules are calculated within 24 hours after you
enable Firewall Rules Logging, and shadowed rules information
is refreshed daily.
Examples of shadowed rules
In this example, some shadowed rules and shadowing rules have overlapping source IP range filters, and others have differing rule priorities.
The following table shows firewall rules A through E. See the sections
that follow the table for different shadowed rule scenarios.
| Type | Targets | Filters | Protocols or ports | Action | Priority | |
|---|---|---|---|---|---|---|
| Firewall rule A | Ingress | Apply to all | 10.10.0.0/16 | tcp:80 | Allow | 1000 |
| Firewall rule B | Ingress | Apply to all | 10.10.0.0/24 | tcp:80 | Allow | 1000 |
| Firewall rule C | Ingress | web | 10.10.2.0/24 | tcp:80 tcp:443 | Allow | 1000 |
| Firewall rule D | Ingress | web | 10.10.2.0/24 | tcp:80 | Deny | 900 |
| Firewall rule E | Ingress | web | 10.10.2.0/24 | tcp:443 | Deny | 900 |
Example 1: Firewall rule B is shadowed by firewall rule A
In this example, there are two firewall rules, A and B. These rules are almost
the same, except for their source IP range filters. Firewall rule A's IP range
is 10.10.0.0/16, while firewall rule B's address range is 10.10.0.0/24.
Thus, firewall rule B is shadowed by firewall rule A.
The shadowed firewall rules insight usually indicates firewall
misconfiguration. For example, firewall rule A's IP filters setting is
unnecessarily broad, or firewall rule B's filters setting is too restrictive
and not needed.
Example 2: Firewall rule C is shadowed by firewall rules D and E
In this example, there are three firewall rules: C, D, and E. Firewall rule
C allows the ingress of HTTP port 80and HTTPS port 443 web traffic, and has
a priority of 1000 (default priority). Firewall rules D and E
deny the ingress of HTTP and HTTPS web traffic, respectively, and both have a
priority of 900 (high priority). Thus, firewall C is shadowed by firewall
rules D and E combined.
Allow rules with no hit in the observation period
The data provided by the Cloud Console for this metric is based on Firewall Rules Logging. The data is accurate only if Firewall Rules Logging has been continuously enabled for the firewall rule for the relevant time period. Otherwise, the actual count could be higher than indicated. The default observation period is six weeks.
Deny rules with hits in the observation period
When you enable Firewall Rules Logging, Firewall Insights
analyzes logs to surface insights for any deny rule used in the specified
observation period, which by default is the last 24 hours.
These insights provide you firewall packet-drop signals, which you can check to verify that the dropped packets are expected due to security protections, or that they are unexpected due to network misconfigurations, for example.
Where you can view metrics and insights
You can view Firewall Insights metrics and insights in the following Cloud Console locations:
- On the details screen for a VPC firewall rule
- On the details screen for a VPC network interface
- On the landing page for Network Intelligence Center
- On the landing page for Recommendation Hub
What's next
- To view all metrics and insights, see Using Firewall Insights.