This page describes how to enable the APIs and features required to use Firewall Insights.
Before using Firewall Insights, select a project, ensure that you have the required roles and permissions, and then complete the required setup tasks. For more information about the first two steps, see Roles and permissions.
The setup tasks vary based on the metrics and insights that you want to use. For details, see the following table.
Task | All metrics | Shadowed rule insights | Overly permissive rule insights | Deny rules with hits |
---|---|---|---|---|
Enable the Firewall Insights API | ✔ | ✔ | ✔ | ✔ |
Enable Firewall Rules Logging | ✔ | | ✔ | ✔ |
Enable the Recommender API | | ✔ | ✔ | |
Enable this type of insight | | ✔ | ✔ | |
Configure an observation period | | | ✔ | ✔ |
Schedule a custom refresh cycle | | ✔ | | |
The following sections describe how to enable the APIs and features.
Enable the Firewall Insights API
Before performing any tasks using Firewall Insights, you must enable the Firewall Insights API.
To enable the API, you can use the following steps or the Google Cloud console API Library, described in Enabling APIs in the Cloud APIs documentation.
Console
In the Google Cloud console, go to the Firewall Insights page.
On the Firewall Insights API page, click Enable.
gcloud
Use the following command:
gcloud services enable firewallinsights.googleapis.com
Enable Firewall Rules Logging
If you want to view any of the following, you must enable Firewall Rules Logging:
- Metrics about firewall rules
- Insights about overly permissive rules or deny rules; these insights are known collectively as log-based insights
Firewall Insights produces metrics and log-based insights only for those rules that have logging enabled. For more information, see the Firewall Rules Logging overview.
Enable the Recommender API
Enable the Recommender API to do the following:
- Use shadowed rule insights
- Use overly permissive rule insights
- Retrieve any data by making API calls or by using the Google Cloud CLI
Console
In the Google Cloud console, go to the Enable access to API page.
Make sure that the correct project is selected, and then click Next.
Click Enable.
gcloud
Use the following command:
gcloud services enable recommender.googleapis.com
Enable shadowed rule or overly permissive rule insights
Firewall Insights does not generate shadowed or overly permissive rule insights unless you actively enable these features on the Firewall Insights page.
After you enable either feature, you might have to wait up to 48 hours to see the generated insights.
When you create or update a firewall rule, you might have to wait up to ten days to see machine learning predictions for overly permissive rule insights. In the meantime, you can view insights based on data gathered from Firewall Rules Logging.
Console
In the Google Cloud console, go to the Firewall Insights page.
Click Configuration.
Click Enablement.
As appropriate, move the slider to Enabled or Disabled for one or both of the following:
Shadowed rule insights
Overly permissive rule insights
API
You can use the Recommender API to enable or disable shadowed rule insights and overly permissive rule insights. You can also use the API to set the observation period for overly permissive rule insights and retrieve configuration details.
To enable shadowed rule insights and overly permissive rule insights, use the updateConfig method.
To use the updateConfig method, you must set values for all of its parameters. When you enable or disable insights, you must also configure the observation period for overly permissive insights.
To make this type of update, use the following request.
PATCH https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/global/insightTypes/google.compute.firewall.Insight/config
{
  "name": "projects/PROJECT_ID/locations/global/insightTypes/google.compute.firewall.Insight/config",
  "insightTypeGenerationConfig": {
    "params": {
      "observation_period": "OBSERVATION_PERIOD_OVERLY_PERMISSIVE",
      "enable_shadowed_rule_insights": ENABLEMENT_SHADOWED,
      "enable_overly_permissive_rule_insights": ENABLEMENT_OVERLY_PERMISSIVE
    }
  },
  "etag": "\"ETAG\""
}
Replace the following values:
- PROJECT_ID: the ID of your project
- OBSERVATION_PERIOD_OVERLY_PERMISSIVE: the time, in seconds, of the observation period for overly permissive rules insights
- ENABLEMENT_SHADOWED: a boolean value that represents whether shadowed rule insights are enabled
- ENABLEMENT_OVERLY_PERMISSIVE: a boolean value that represents whether overly permissive rule insights are enabled
- ETAG: the IAM policy etag value; to retrieve the etag value, use the getConfig method, as described in the following section
Example
PATCH https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/global/insightTypes/google.compute.firewall.Insight/config
{
  "name": "projects/PROJECT_ID/locations/global/insightTypes/google.compute.firewall.Insight/config",
  "insightTypeGenerationConfig": {
    "params": {
      "observation_period": "604800s",
      "enable_shadowed_rule_insights": true,
      "enable_overly_permissive_rule_insights": true
    }
  },
  "etag": "\"ETAG\""
}
Retrieve configuration details
To retrieve details about how Firewall Insights is configured, use the getConfig method as shown in the following example.
GET https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/global/insightTypes/google.compute.firewall.Insight/config
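The getConfig and updateConfig calls above form a read-modify-write: the etag from a fresh getConfig response must be passed through verbatim (including its embedded quotes), and every parameter, including the observation period, must be supplied on each update. The following Python helper, added here as an example and not taken from the Google Cloud documentation or Firewall Insights itself, builds that request from a constructed sample getConfig response; the project ID, etag and response contents are invented sample values.

```python
import json
import re

BASE_URL = "https://recommender.googleapis.com/v1beta1"
INSIGHT_TYPE = "google.compute.firewall.Insight"

# Constructed sample of a getConfig response (not captured from a real project).
SAMPLE_GET_CONFIG = json.dumps({
    "name": f"projects/my-project/locations/global/insightTypes/{INSIGHT_TYPE}/config",
    "insightTypeGenerationConfig": {"params": {
        "observation_period": "3628800s",
        "enable_shadowed_rule_insights": False,
        "enable_overly_permissive_rule_insights": False}},
    "etag": "\"abc123\"",
})

def config_name(project_id):
    return f"projects/{project_id}/locations/global/insightTypes/{INSIGHT_TYPE}/config"

def extract_etag(get_config_json):
    # The etag string carries its own embedded quotes; pass it through unchanged.
    etag = json.loads(get_config_json).get("etag")
    if not etag:
        raise ValueError("getConfig response has no etag; fetch the config again")
    return etag

def current_observation_period_seconds(get_config_json):
    # Keep the existing period when you only want to flip the enablement flags.
    params = json.loads(get_config_json)["insightTypeGenerationConfig"]["params"]
    match = re.fullmatch(r"(\d+)s", params["observation_period"])
    if not match:
        raise ValueError(f"unexpected observation_period: {params['observation_period']}")
    return int(match.group(1))

def build_update_request(project_id, etag, observation_period_seconds,
                         enable_shadowed, enable_overly_permissive):
    # updateConfig requires every param, so all three are mandatory here as well.
    if observation_period_seconds <= 0:
        raise ValueError("observation period must be a positive number of seconds")
    body = {
        "name": config_name(project_id),
        "insightTypeGenerationConfig": {"params": {
            "observation_period": f"{observation_period_seconds}s",
            "enable_shadowed_rule_insights": bool(enable_shadowed),
            "enable_overly_permissive_rule_insights": bool(enable_overly_permissive)}},
        "etag": etag,
    }
    return "PATCH", f"{BASE_URL}/{config_name(project_id)}", body

def plan_enable_both(project_id, get_config_json):
    # Read-modify-write: fresh etag plus the current observation period, both insights on.
    return build_update_request(project_id, extract_etag(get_config_json),
                                current_observation_period_seconds(get_config_json), True, True)
```

A real run sends the GET with a bearer token first and, if the PATCH is rejected because the config changed in between, repeats the GET to pick up the current etag.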
Configure an observation period
For some insights, you can configure an observation period, or the time interval that the insight covers. For more information, see Configure observation period in Set up observation period and refresh cycle.
Schedule a custom refresh cycle
You can set up a refresh cycle to generate shadowed rule insights for your project. For more information, see Schedule a custom refresh cycle in Set up observation period and refresh cycle.