Using Firewall Insights

This page describes how to view insights or usage metrics for Firewall Insights, which supports access to this information from the following consoles, pages, or tools:

  • The Network Intelligence Center console
  • The Recommendation Hub
  • The Firewall rules details page for Virtual Private Cloud (VPC)
  • The Network interface details page for a Compute Engine virtual machine (VM) instance
  • The gcloud Recommender commands or the API

For an overview of Firewall Insights, including the states an insight can be in, see the Firewall Insights overview.

For a list of firewall usage metrics, see Viewing metrics.

Before you begin

Set up the following items in Google Cloud before you use Firewall Insights:

  1. In the Google Cloud Console, go to the Project selector page.

  2. Select or create a Google Cloud project.

  3. Make sure that billing is enabled for your Cloud project.

  4. Enable the Firewall Insights API as described in the next section.

Enabling shadowed rule detection

To use shadowed rule detection, you must enable the Firewall Insights API.

When you use Firewall Insights in the Cloud Console, the Cloud Console reminds you to enable the API if it detects no insights.

Shadowed rule analysis happens once per day, so you might have to wait up to 24 hours to see results.

Console

  1. In the Google Cloud Console, go to Firewall Insights.

  2. Click Configuration.

  3. Click Enablement.

  4. Click the selector so that it says Enabled.

  5. Click Done.

Enabling Firewall Rules Logging

To see insights and usage metrics for firewall rules, you must enable Firewall Rules Logging for one or more firewall rules. For more information, see the Firewall Rules Logging overview.

Managing permissions

For a list of roles and permissions needed to view and manage insights and usage data, see Access control.

Using the Network Intelligence Center

The Network Intelligence Center landing page in the Cloud Console for Firewall Insights shows three types of insights cards:

  • Shadowed firewall rules
  • Allow firewall rules with no hits in the specified observation period, which by default is the last six weeks
  • Deny firewall rules with hit counts in the specified observation period, which by default is the last 24 hours

Each card includes a summary snapshot example. A filter search bar above the cards enables you to filter insights for a specific VPC network.

The following sections describe how to view these insights.

Viewing shadowed firewall rules

To learn about shadowed firewall rules, see the Firewall Insights overview.

Console

  1. In the Cloud Console, go to the Firewall Insights page.

  2. On the card named Shadowed rules, click View full list.

  3. A details page opens that includes all shadowed rules.

  4. In the Insight column for each rule, click each shadowed rule to view insight details. This detail shows the shadowed rule and one or more shadowing rules so that you can understand why the shadowed rule is redundant. For more information, see the shadowed rule example in the Firewall Insights overview. To mark insights, see the following sections.

Marking an insight as dismissed

Console

  1. In the Cloud Console, go to the Firewall Insights page.

  2. On the card named Shadowed rules, click View full list.

  3. A details page opens that includes all shadowed rules.

  4. If a shadowed rule isn't meaningful, you can dismiss it by clicking Dismiss at the top of the page.

  5. After you dismiss an insight, the Cloud Console no longer displays the insight to you or to any user unless you restore it. To restore an insight, see the next section.

Restoring a dismissed insight

If you dismissed an insight that you later think is relevant, you or a user can restore it and make it visible in the Cloud Console by following these steps.

Console

  1. In the Cloud Console, go to the Firewall Insights page.

  2. On the card named Shadowed rules, click View full list.

  3. A details page opens that includes all shadowed rules.

  4. To restore dismissed insights, click Dismiss History at the top of the page. This action takes you to the Dismissed insights page.

  5. On the Dismissed insights page, to restore an insight, select the checkbox for one or more insights, and then click Restore at the top of the page.

Viewing allow rules with no hit in the observation period

To learn how to accurately gather data for the whole observation period, see the Firewall Insights overview.

Console

  1. In the Cloud Console, go to the Firewall Insights page.

  2. On the card named Allow rules with no hit, click View full list.

  3. A details page opens that includes all allow rules that haven't been used in the last six weeks.

  4. For each firewall rule, to the right of the Logs column, click View audit logs to see when firewall logging was enabled or disabled for each firewall rule.

  5. To view its configuration and usage details, click the name of a firewall rule.

Viewing deny rules with hits in the observation period

To learn how to accurately gather data for the whole observation period, see the Firewall Insights overview.

Console

  1. In the Cloud Console, go to the Firewall Insights page.

  2. On the card named Deny rules with hits, click View full list.

  3. A details page opens that includes all firewall deny rules with hits in the specified observation period, which is the last 24 hours by default.

  4. To review the traffic that a deny rule dropped, click its Hit count to open the matching firewall log entries in Cloud Logging.
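The two cards above (allow rules with no hits, deny rules with hits) are summaries of Firewall Rules Logging data over an observation period. The following added example, which is not code from this page or from Google Cloud, performs the same computation offline over exported log entries: per-rule hit counts for a window, the allow rules that logged nothing in the six-week default window, and the dropped connections per deny rule broken out by source address in the 24-hour default window. The entries, the rule set and the network name are constructed for the example; the field names follow the Firewall Rules Logging record format (jsonPayload.disposition, jsonPayload.rule_details.reference, jsonPayload.connection, timestamp), which you should verify against your own exported entries.

```python
"""Recompute Firewall Insights hit-count cards from exported firewall log entries.

Added example, not code from the Firewall Insights page or from Google Cloud.
Entries and rules below are constructed; field names follow the Firewall Rules
Logging record format (verify against your own export).
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Default observation periods named on the page.
ALLOW_CARD_WINDOW = timedelta(weeks=6)   # "Allow rules with no hit"
DENY_CARD_WINDOW = timedelta(hours=24)   # "Deny rules with hits"

# Rules in the project that have Firewall Rules Logging enabled (constructed).
RULES = {
    "allow-ssh-from-bastion": "ALLOW",
    "allow-internal": "ALLOW",
    "allow-legacy-rdp": "ALLOW",
    "deny-all-ingress": "DENY",
}


def _entry(ts, disposition, network, rule, src_ip, dest_port):
    """Build a constructed log entry shaped like a Firewall Rules Logging record."""
    return {
        "timestamp": ts,
        "jsonPayload": {
            "disposition": disposition,
            "rule_details": {"reference": f"network:{network}/firewall:{rule}"},
            "connection": {"src_ip": src_ip, "dest_ip": "10.0.2.9",
                           "dest_port": dest_port, "protocol": 6},
        },
    }


SAMPLE_ENTRIES = [
    _entry("2020-04-01T10:00:00Z", "ALLOWED", "prod-vpc", "allow-ssh-from-bastion", "10.0.1.5", 22),
    _entry("2020-03-15T08:30:00Z", "ALLOWED", "prod-vpc", "allow-internal", "10.0.3.20", 8080),
    _entry("2020-04-01T11:12:00Z", "DENIED", "prod-vpc", "deny-all-ingress", "198.51.100.7", 3389),
    _entry("2020-04-01T11:13:00Z", "DENIED", "prod-vpc", "deny-all-ingress", "198.51.100.7", 3389),
    _entry("2020-04-01T12:00:00Z", "DENIED", "prod-vpc", "deny-all-ingress", "203.0.113.4", 22),
    _entry("2020-03-30T01:00:00Z", "DENIED", "prod-vpc", "deny-all-ingress", "203.0.113.4", 22),
    # The legacy rule's last use predates the six-week window.
    _entry("2019-12-01T09:00:00Z", "ALLOWED", "prod-vpc", "allow-legacy-rdp", "10.0.5.1", 3389),
]

# End of the observation period; fixed so the example is reproducible.
PERIOD_END = datetime(2020, 4, 2, tzinfo=timezone.utc)


def rule_name(entry):
    """Return the rule name from rule_details.reference, or None if it is absent."""
    ref = entry.get("jsonPayload", {}).get("rule_details", {}).get("reference", "")
    return ref.partition("/firewall:")[2] or None


def _in_window(entry, start, end):
    ts = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
    return start <= ts < end


def hit_counts(entries, window, end=PERIOD_END):
    """Per-rule hit count within [end - window, end), like the Hit count column."""
    start = end - window
    counts = Counter()
    for e in entries:
        name = rule_name(e)
        if name and _in_window(e, start, end):
            counts[name] += 1
    return counts


def allow_rules_without_hits(rules, entries, window=ALLOW_CARD_WINDOW, end=PERIOD_END):
    """Allow rules that logged nothing in the window: candidates for removal."""
    counts = hit_counts(entries, window, end)
    return sorted(n for n, action in rules.items() if action == "ALLOW" and counts[n] == 0)


def deny_hits_by_source(entries, window=DENY_CARD_WINDOW, end=PERIOD_END):
    """Dropped connections per deny rule, keyed by source IP, in the window."""
    start = end - window
    by_rule = defaultdict(Counter)
    for e in entries:
        payload = e.get("jsonPayload", {})
        name = rule_name(e)
        if name and payload.get("disposition") == "DENIED" and _in_window(e, start, end):
            by_rule[name][payload.get("connection", {}).get("src_ip", "?")] += 1
    return {rule: dict(c) for rule, c in by_rule.items()}


if __name__ == "__main__":
    print("unused allow rules (6 weeks):", allow_rules_without_hits(RULES, SAMPLE_ENTRIES))
    print("deny hits by source (24 h):", deny_hits_by_source(SAMPLE_ENTRIES))
```

Real entries can be exported with gcloud logging read and a filter on the firewall log name, loaded with json.load, and passed in place of SAMPLE_ENTRIES. A rule produces entries only while logging is enabled for it, so a zero count means "unused" only if logging covered the whole window; that is what the View audit logs link in step 4 of the previous procedure lets you confirm.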

Using the Recommendation Hub

The Recommendation Hub is a feature of the Recommender product that provides usage recommendations for Google Cloud products and services. For more information, see the Recommendation Hub documentation.

The Cloud Console for the Recommendation Hub shows the following insights for firewall rules:

  • Shadowed firewall rules

The Recommendation Hub shows these recommendations along with recommendations for other products, such as Identity and Access Management (IAM) and VM Rightsizing.

Viewing shadowed firewall rules

To learn about shadowed firewall rules, see the Firewall Insights overview.

Console

  1. In the Cloud Console, go to the Recommendation Hub.

  2. On the card named Simplify firewall configuration, click View all.

  3. A page listing all shadowed rules appears.

  4. You can click the insight to understand why it has been generated. The insight detail shows the shadowed firewall and one or more shadowing firewall rules so that you can understand why the shadowed rule is redundant. For more information, see the shadowed rule example in the Firewall Insights overview.

Marking an insight as dismissed

Console

  1. In the Cloud Console, go to the Recommendation Hub.

  2. On the card named Simplify firewall configuration, click View all.

  3. A details page opens that includes all shadowed rules.

  4. If a shadowed rule insight isn't meaningful, you can dismiss it: click the insight, then click Dismiss insight in the panel.

  5. After you dismiss an insight, the Cloud Console no longer displays it to you or to any other user unless it is restored. To restore an insight, see the next section.

Restoring a dismissed insight

If you have dismissed an insight that you later think is relevant, you or a user can restore it and make it visible in the Cloud Console by following these steps.

Console

  1. In the Cloud Console, go to the Recommendation Hub.

  2. At the top of the page, click History.

  3. Click the Dismissed tab, which shows dismissed recommendations and insights for the project.

  4. Select the checkbox next to the insight that you want to restore.

  5. Click Restore.

Using the Firewall rules details page

For more information about this page, see Listing firewall rules for a VPC network.

Listing insights for a project

Console

  1. In the Cloud Console, go to the Firewall rules page.

  2. For each firewall rule, view the name of available insights in the Insights column.

  3. You can click the name of an insight to view its detail. The following sections describe how to view and interpret the detail for each type of insight.

Viewing allow rules with no hit in the last 24 months

Console

  1. In the Cloud Console, go to the Firewall rules page.

  2. In the Last hit column, review the last time that a given firewall rule was used in the last 24 months.

Viewing the usage history chart for a rule

Console

  1. In the Cloud Console, go to the Firewall rules page.

  2. Click on a firewall rule name.

  3. In the Hit count monitoring section of the page, view the resulting chart that shows the firewall hit count for a given time period. You can select tabs for different time periods above the chart.

Viewing deny rules with hits for an observation period

Console

  1. In the Cloud Console, go to the Firewall rules page.

  2. In the Hit count column, view the number of unique connections that matched a given firewall rule in the last 24 months (the default period).

Using the VM network interface details page

View firewall usage on the Network interface details page for a VM.

For more information about this page, see Listing firewall rules for a network interface of a VM instance.

Viewing rules with hits in the last 24 months

Console

  1. In the Cloud Console, go to the Compute Engine VM instances page.

  2. Choose a VM, and at the far right of its row, click the more actions menu (the three-dot icon).

  3. On the menu, select View network details.

  4. In the Firewall and routes details section, click the Firewall Rules tab.

  5. In the Hit count column, view the hit counts for allow and deny traffic in the last 24 months for all firewall rules associated with a specific network interface.

Working with insights using gcloud commands or the API

Firewall Insights uses Recommender commands. Recommender is a Google Cloud service that provides usage recommendations for Google Cloud products and services.

Listing insights

gcloud

  • To list insights for a project, enter the following command:

    gcloud beta recommender insights list --project=PROJECT_ID \
        --location=global --insight-type=google.compute.firewall.Insight \
        --filter=EXPRESSION --limit=LIMIT \
        --page-size=PAGE_SIZE --sort-by=SORT_BY \
        --format=json

    Replace PROJECT_ID with the ID of the project whose insights you want to list.

    The --location flag is always global, and the --insight-type flag is always google.compute.firewall.Insight. Without --format=json, the command output is tabular.

    The following flags are optional:

    • EXPRESSION. A Boolean filter applied to each insight; an insight is listed only if the expression evaluates to true for it. For details and examples of filter expressions, run gcloud topic filters or see the gcloud topic documentation.
    • LIMIT. The maximum number of insights to list. By default there is no limit.
    • PAGE_SIZE. The maximum number of insights to list per page. If you don't set it, the service chooses the page size, or there is no paging. Paging might be applied before or after the filter and limit.
    • SORT_BY. A comma-separated list of field key names to sort by. The default order is ascending; to sort a field in descending order, prefix it with ~ (a tilde).

API

To get all of the insights for a Google Cloud project, make a GET request to the projects.locations.insightTypes.insights.list method.

GET https://recommender.googleapis.com/v1/{parent=projects/*/locations/global/insightTypes/*}/insights

The following example shows a sample response for this request. The name field uses the project number, while the description, content and targetResources fields use the project ID.

{
  "insights": [
    {
      "name": "projects/{project_number}/locations/global/insightTypes/google.compute.firewall.Insight/insights/{insight_id}",
      "description": "Firewall projects/{project_id}/global/firewalls/{shadowed_firewall_name} is shadowed by projects/{project_id}/global/firewalls/{shadowing_firewall_name}.",
      "content": {
        "shadowingFirewalls": [
          "//compute.googleapis.com/projects/{project_id}/global/firewalls/{shadowing_firewall_name}"
        ]
      },
      "lastRefreshTime": "2020-04-01T19:16:43Z",
      "observationPeriod": "0s",
      "stateInfo": {
        "state": "ACTIVE"
      },
      "category": "SECURITY",
      "targetResources": [
        "//compute.googleapis.com/projects/{project_id}/global/firewalls/{shadowed_firewall_name}"
      ],
      "insightSubtype": "SHADOWED_RULE"
    }
  ]
}
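The list output above is what you would feed into a triage script. The following added example, which is not code from Google Cloud or from the Firewall Insights product, parses either the JSON array that gcloud prints with --format=json or the {"insights": [...]} envelope of the REST response, keeps only SHADOWED_RULE insights that are still ACTIVE (dismissed ones are skipped unless asked for), maps each shadowed rule to the rules that shadow it, and builds the describe command from the insight's ID. SAMPLE_OUTPUT, the project ID my-project, the project number and the rule names are constructed; the field layout copies the sample response above.

```python
"""Triage Firewall Insights exported with gcloud or the Recommender API.

Added example for this page, not code from Google Cloud. SAMPLE_OUTPUT is a
constructed JSON array in the shape of
  gcloud beta recommender insights list ... --format=json
The REST list response wraps the same objects in {"insights": [...]}; both are accepted.
"""
import json

SAMPLE_OUTPUT = """[
  {"name": "projects/123456789012/locations/global/insightTypes/google.compute.firewall.Insight/insights/1f2e3d4c",
   "description": "Firewall projects/my-project/global/firewalls/allow-ssh-dev is shadowed by projects/my-project/global/firewalls/allow-all-internal.",
   "content": {"shadowingFirewalls": [
       "//compute.googleapis.com/projects/my-project/global/firewalls/allow-all-internal"]},
   "lastRefreshTime": "2020-04-01T19:16:43Z",
   "observationPeriod": "0s",
   "stateInfo": {"state": "ACTIVE"},
   "category": "SECURITY",
   "targetResources": ["//compute.googleapis.com/projects/my-project/global/firewalls/allow-ssh-dev"],
   "insightSubtype": "SHADOWED_RULE"},
  {"name": "projects/123456789012/locations/global/insightTypes/google.compute.firewall.Insight/insights/9a8b7c6d",
   "description": "Firewall projects/my-project/global/firewalls/allow-http is shadowed by projects/my-project/global/firewalls/allow-web and projects/my-project/global/firewalls/allow-all-internal.",
   "content": {"shadowingFirewalls": [
       "//compute.googleapis.com/projects/my-project/global/firewalls/allow-web",
       "//compute.googleapis.com/projects/my-project/global/firewalls/allow-all-internal"]},
   "lastRefreshTime": "2020-04-01T19:16:43Z",
   "observationPeriod": "0s",
   "stateInfo": {"state": "DISMISSED"},
   "category": "SECURITY",
   "targetResources": ["//compute.googleapis.com/projects/my-project/global/firewalls/allow-http"],
   "insightSubtype": "SHADOWED_RULE"}
]"""


def load_insights(text):
    """Accept gcloud's JSON array or the REST {"insights": [...]} envelope."""
    data = json.loads(text)
    return data.get("insights", []) if isinstance(data, dict) else data


def resource_name(uri):
    """'//compute.googleapis.com/projects/p/global/firewalls/NAME' -> 'NAME'."""
    return uri.rstrip("/").rsplit("/", 1)[-1]


def insight_id(insight):
    """Last segment of the name field: the ID that `insights describe` takes."""
    return insight["name"].rsplit("/", 1)[-1]


def shadowed_rules(insights, include_dismissed=False):
    """Map shadowed rule name -> {id, state, shadowed_by: [rule names]}.

    Only SHADOWED_RULE insights are considered. DISMISSED insights are hidden in
    the console, so they are skipped here too unless include_dismissed is set.
    """
    out = {}
    for ins in insights:
        if ins.get("insightSubtype") != "SHADOWED_RULE":
            continue
        state = ins.get("stateInfo", {}).get("state", "ACTIVE")
        if state == "DISMISSED" and not include_dismissed:
            continue
        shadowing = [resource_name(u) for u in ins.get("content", {}).get("shadowingFirewalls", [])]
        for target in ins.get("targetResources", []):
            out[resource_name(target)] = {"id": insight_id(ins), "state": state,
                                          "shadowed_by": shadowing}
    return out


def describe_command(project_id, insight):
    """The gcloud describe invocation from this page, filled in for one insight."""
    return ("gcloud beta recommender insights describe %s --project=%s "
            "--location=global --insight-type=google.compute.firewall.Insight"
            % (insight_id(insight), project_id))


if __name__ == "__main__":
    insights = load_insights(SAMPLE_OUTPUT)
    for rule, info in shadowed_rules(insights).items():
        print(f"{rule} is shadowed by {', '.join(info['shadowed_by'])} (insight {info['id']})")
    print(describe_command("my-project", insights[0]))
```

Pipe the real command's --format=json output into load_insights() to run this against a project. Before acting on a shadowed rule, check the action of the shadowing rules on the Firewall rules page: an allow rule shadowed by an earlier deny never takes effect, whereas a rule shadowed by one with the same action is merely redundant. The insight JSON carries rule names but not actions, which is why the script reports the pair rather than deciding for you.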

Describing insights

Use this command to list details for an insight.

gcloud

gcloud beta recommender insights describe INSIGHT_NAME \
  --project=PROJECT_NAME --location=global \
  --insight-type=google.compute.firewall.Insight

Replace the following with values for your project:

  • INSIGHT_NAME: the ID of the insight to describe, which is the last path segment of the insight's name field in the list output
  • PROJECT_NAME: the ID of the project that the insight belongs to

The --location flag is always global, and the --insight-type flag is always google.compute.firewall.Insight.

API

To get details for an insight, make a GET request to the projects.locations.insightTypes.insights.get method.

GET https://recommender.googleapis.com/v1/{name=projects/*/locations/global/insightTypes/*/insights/*}

where name is:

projects/PROJECT_ID/locations/LOCATION/insightTypes/INSIGHT_TYPE_ID/insights/INSIGHT_ID

Replace the following with values for your project:

  • PROJECT_ID: the project ID
  • LOCATION: always use the location named global
  • INSIGHT_TYPE_ID: always use a value of google.compute.firewall.Insight
  • INSIGHT_ID: the insight ID for the insight

What's next

  • To review your VPC firewall runtime usage, clean up and optimize your firewall rule configurations, and tighten up security boundaries, see Working with common use cases.