Using Firewall Insights

This page describes how to view insights or usage metrics for Firewall Insights, which supports access to this information from the following consoles, pages, or tools:

  • The Network Intelligence Center console
  • The Recommendation Hub
  • The Firewall rules details page for Virtual Private Cloud (VPC)
  • The Network interface details page for a Compute Engine virtual machine (VM) instance
  • The gcloud Recommender commands or the API

For an overview of Firewall Insights and their states, see the Firewall Insights overview.

For a list of firewall usage metrics, see Viewing metrics.

Before you begin

Set up the following items in Google Cloud before you use Firewall Insights:

  1. In the Google Cloud Console, go to the Project selector page.

  2. Select or create a Google Cloud project.

  3. Make sure that billing is enabled for your Cloud project.

  4. Enable the Firewall Insights API as described in the next section.

Enabling the Firewall Insights API

To use Firewall Insights, you must enable the Firewall Insights API.

When you use Firewall Insights in the Cloud Console, the Cloud Console reminds you to enable the API if it detects no insights. Alternatively, you can enable the API from the API Library by performing the following steps.

Console

  1. In the Google Cloud Console, go to the API Library.

  2. In the Search bar, enter Firewall Insights and then click the API name.

  3. On the Firewall Insights API page, click Enable.

For more information about the API, see Insights in the Recommender documentation.

Enabling Firewall Rules Logging

To see insights and usage metrics for firewall rules, you must enable Firewall Rules Logging for one or more firewall rules. For more information, see the Firewall Rules Logging overview.

Managing permissions

For a list of roles and permissions needed to view and manage insights and usage data, see Access control.

Using the Network Intelligence Center

The Network Intelligence Center landing page in the Cloud Console for Firewall Insights shows three types of insights cards:

  • Shadowed firewall rules
  • Allow firewall rules with no hits in the last six weeks
  • Deny firewall rules with hit counts in the last 24 hours

Each card includes a summary snapshot example. A filter search bar above the cards enables you to filter insights for a specific VPC network.

The following sections describe how to view these insights.

Viewing shadowed firewall rules

To learn about shadowed firewall rules, see the Firewall Insights overview.

Console

  1. In the Cloud Console, go to the Firewall Insights page.

  2. On the card named Shadowed rules, click View full list.

  3. A details page opens that includes all shadowed rules.

  4. In the Insight column for each rule, click each shadowed rule to view insight details. This detail shows the shadowed rule and one or more shadowing rules so that you can understand why the shadowed rule is redundant. For more information, see the shadowed rule example in the Firewall Insights overview. To mark insights, see the following sections.

Marking an insight as DISMISSED

Console

  1. In the Cloud Console, go to the Firewall Insights page.

  2. On the card named Shadowed rules, click View full list.

  3. A details page opens that includes all shadowed rules.

  4. If a shadowed rule isn't meaningful, you can dismiss it by clicking Dismiss at the top of the page.

  5. After you dismiss an insight, the Cloud Console no longer displays the insight to you or to any user unless you restore it. To restore an insight, see the next section.

Restoring a dismissed insight

If you dismissed an insight that you later think is relevant, you or a user can restore it and make it visible in the Cloud Console by following these steps.

Console

  1. In the Cloud Console, go to the Firewall Insights page.

  2. On the card named Shadowed rules, click View full list.

  3. A details page opens that includes all shadowed rules.

  4. To restore dismissed insights, click Dismiss History at the top of the page. This action takes you to the Dismissed insights page.

  5. On the Dismissed insights page, to restore an insight, select the checkbox for one or more insights, and then click Restore at the top of the page.

Viewing allow rules with no hit in the last six weeks

To learn how to accurately gather data for the last six weeks, see the Firewall Insights overview.

Console

  1. In the Cloud Console, go to the Firewall Insights page.

  2. On the card named Allow rules with no hit, click View full list.

  3. A details page opens that includes all allow rules that haven't been used in the last six weeks.

  4. For each firewall rule, to the right of the Logs column, click View audit logs to see when firewall logging was enabled or disabled for each firewall rule.

  5. To view its configuration and usage details, click the name of a firewall rule.

Viewing deny rules with hits in the last 24 hours

To learn how to accurately gather data for the last 24 hours, see the Firewall Insights overview.

Console

  1. In the Cloud Console, go to the Firewall Insights page.

  2. On the card named Deny rules with hits, click View full list.

  3. A details page opens that includes all firewall deny rules with hits in the last 24 hours.

  4. To review the packets dropped by a firewall, click Hit count to go to a Cloud Logging page for details.

Using the Recommendation Hub

The Recommendation Hub is a feature of the Recommender product that provides usage recommendations for Google Cloud products and services. For more information, see the Recommendation Hub documentation.

The Cloud Console for the Recommendation Hub shows the following insights for firewall rules:

  • Shadowed firewall rules
  • Unused firewall rules in the last six weeks

The Recommendation Hub shows these recommendations along with recommendations for other products, such as Identity and Access Management (IAM) and VM Rightsizing.

Viewing shadowed firewall rules

To learn about shadowed firewall rules, see the Firewall Insights overview.

Console

  1. In the Cloud Console, go to the Recommendation Hub.

  2. On the card named Firewall rules configuration issues, click View all.

  3. A page listing all shadowed rules appears.

  4. Click an insight to understand why it was generated. The insight detail shows the shadowed firewall rule and one or more shadowing firewall rules so that you can understand why the shadowed rule is redundant. For more information, see the shadowed rule example in the Firewall Insights overview.

Viewing allow rules with no hit in the last six weeks

Console

  1. In the Cloud Console, go to the Recommendation Hub.

  2. On the card named Overly permissive firewall rules, click View all.

  3. A details page opens that includes all allow rules that haven't been used in the last six weeks.

  4. For each firewall rule, to the right of the Logs column, you can click View audit logs. This enables you to see when firewall logging was enabled or disabled for each firewall rule.

  5. Click the Name of a firewall rule.

  6. A details page opens for the firewall rule where you can inspect the firewall configuration and usage details. To mark insights, see the following sections.

Marking an insight as DISMISSED

Console

  1. In the Cloud Console, go to the Recommendation Hub.

  2. On the card named Shadowed rules, click View full list.

  3. A details page opens that includes all shadowed rules.

  4. If one or more shadowed rules aren't meaningful, you can dismiss them by selecting the checkbox to the left of a rule. When you have selected all of the rules that you want to dismiss, click Dismiss in the center of the page.

  5. After you dismiss insights, the Cloud Console no longer displays the insight to you or to any user unless you restore it. To restore an insight, see the next section.

Restoring a dismissed insight

If you have dismissed an insight that you later think is relevant, you or a user can restore it and make it visible in the Cloud Console by following these steps.

Console

  1. In the Cloud Console, go to the Recommendation Hub.

  2. On the card named Shadowed rules, click View full list.

  3. A details page opens that includes all shadowed rules.

  4. To restore dismissed insights, click History at the top of the page. This action takes you to the Dismissed insights page.

  5. On the Dismissed insights page, to restore an insight, select the checkbox for one or more insights, and then click Restore at the top of the page.

Using the Firewall rules details page

For more information about this page, see Listing firewall rules for a VPC network.

Listing insights for a project

Console

  1. In the Cloud Console, go to the Firewall rules page.

  2. For each firewall rule, view the name of available insights in the Insights column.

  3. You can click the name of an insight to view its detail. The following sections describe how to view and interpret the detail for each type of insight.

Viewing allow rules with no hit in the last six weeks

Console

  1. In the Cloud Console, go to the Firewall rules page.

  2. In the Last hit column, review the last time that a given firewall rule was used in the last six weeks.

Viewing the usage history chart for a rule

Console

  1. In the Cloud Console, go to the Firewall rules page.

  2. Select the checkbox for a firewall name.

  3. View the resulting chart that shows the firewall hit count for a given time period. You can select tabs for different time periods above the chart.

Viewing deny rules with hits in the last six weeks

Console

  1. In the Cloud Console, go to the Firewall rules page.

  2. In the Hit count column, observe the number of unique connections used for a given firewall rule in the last six weeks (default).

Using the VM network interface details page

View firewall usage on the Network interface details page for a VM.

For more information about this page, see Listing firewall rules for a network interface of a VM instance.

Viewing rules with hits in the last six weeks

Console

  1. In the Cloud Console, go to the Compute Engine VM instances page.

  2. Choose a VM, and on the far right of the page, click its more actions menu.

  3. On the menu, select View network details.

  4. On the Network interface details page, observe the hit counts for allow and deny traffic in the last six weeks for all firewall rules associated with a specific network interface.

Working with insights using gcloud commands or the API

Firewall Insights uses Recommender commands. Recommender is a Google Cloud service that provides usage recommendations for Google Cloud products and services.

Listing insights

gcloud

  • To list insights for a project, enter the following command:

    gcloud beta recommender insights list --project=PROJECT_ID \
        --location=global --insight-type=google.compute.firewall.Insight \
        --filter=EXPRESSION --limit=LIMIT \
        --page-size=PAGE_SIZE --sort-by=SORT_BY \
        --format=json

    Replace PROJECT_ID with the project ID that you want to list insights for.

    --location always uses the location named global, and --insight-type always uses the insight type named google.compute.firewall.Insight. Unless you format the output as JSON with --format=json, the command output is tabular.

    The following fields are optional:

    • EXPRESSION. Apply this Boolean filter to each resource that you want to list. If the expression evaluates as True, that item is listed. For more details and examples of filter expressions, run $ gcloud topic filters or see the gcloud topic documentation.
    • LIMIT. Use to specify the maximum number of resources to list. The default number of resources listed is unlimited.
    • PAGE_SIZE. Use to specify the maximum number of resources to list per page. The default page size is determined by the service; otherwise, there is no paging. Paging might be applied before or after FILTER and LIMIT.
    • SORT_BY. Use to specify a list of comma-separated field key names to sort by for a resource. The default order is ascending. To specify a descending order, prefix a field with ~ (a tilde).

API

To get all of the insights for a Google Cloud project, make a GET request to the projects.locations.insightTypes.insights method.

GET https://recommender.googleapis.com/beta/{parent=projects/*/locations/global/insightTypes/*}/insights

The following example shows a sample response for this command.

{
  "insights": [
    {
      "name": "projects/{project_number}/locations/global/insightTypes/google.compute.firewall.Insight/insights/{insight-id}",
      "description": "Firewall projects/{project_id}/global/firewalls/{shadowed_firewall_name} is shadowed by projects/{project_id}/global/firewalls/{shadowing_firewall_name}.",
      "content": {
        "shadowingFirewalls": [
          "//compute.googleapis.com/projects/{project_id}/global/firewalls/{shadowing_firewall_name1}"
        ]
      },
      "lastRefreshTime": "2020-04-01T19:16:43Z",
      "observationPeriod": "0s",
      "stateInfo": {
        "state": "ACTIVE"
      },
      "category": "SECURITY",
      "targetResources": [
        "//compute.googleapis.com/projects/{project_id}/global/firewalls/{shadowed_firewall_name}"
      ],
      "insightSubtype": "SHADOWED_RULE"
    }
  ]
}
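As an added example (not from the Google Cloud documentation or the Recommender client libraries), the following Python script parses a response in the shape shown above, whether saved from the REST call or from the gcloud command with --format=json, and turns the SHADOWED_RULE insights into a per-rule cleanup list. It skips DISMISSED insights the way the Cloud Console does unless asked to include them, and it counts insights by subtype and state so that the progress of a cleanup can be tracked. The embedded sample response, the project number, the project ID and the firewall rule names are constructed; the handling of a bare JSON array is an assumption about what the gcloud list command prints with --format=json.

```python
import json
from collections import Counter

# Constructed sample in the shape of the API response shown above; the project
# number, project ID and firewall rule names are made-up placeholders.
SAMPLE_RESPONSE = json.dumps({
    "insights": [
        {
            "name": "projects/000000000000/locations/global/insightTypes/"
                    "google.compute.firewall.Insight/insights/insight-1",
            "description": "Firewall projects/example-project/global/firewalls/allow-ssh-legacy "
                           "is shadowed by projects/example-project/global/firewalls/allow-internal-all.",
            "content": {"shadowingFirewalls": [
                "//compute.googleapis.com/projects/example-project/global/firewalls/allow-internal-all"
            ]},
            "lastRefreshTime": "2020-04-01T19:16:43Z",
            "observationPeriod": "0s",
            "stateInfo": {"state": "ACTIVE"},
            "category": "SECURITY",
            "targetResources": [
                "//compute.googleapis.com/projects/example-project/global/firewalls/allow-ssh-legacy"
            ],
            "insightSubtype": "SHADOWED_RULE",
        },
        {
            "name": "projects/000000000000/locations/global/insightTypes/"
                    "google.compute.firewall.Insight/insights/insight-2",
            "description": "Firewall projects/example-project/global/firewalls/allow-rdp-test "
                           "is shadowed by projects/example-project/global/firewalls/allow-internal-all.",
            "content": {"shadowingFirewalls": [
                "//compute.googleapis.com/projects/example-project/global/firewalls/allow-internal-all"
            ]},
            "lastRefreshTime": "2020-04-01T19:16:43Z",
            "observationPeriod": "0s",
            "stateInfo": {"state": "DISMISSED"},
            "category": "SECURITY",
            "targetResources": [
                "//compute.googleapis.com/projects/example-project/global/firewalls/allow-rdp-test"
            ],
            "insightSubtype": "SHADOWED_RULE",
        },
    ]
})

FIREWALL_INSIGHT_TYPE = "google.compute.firewall.Insight"


def load_insights(text):
    """Accept either the REST response ({"insights": [...]}) or a bare JSON
    array (assumed shape of `gcloud ... insights list --format=json`), and keep
    only insights whose resource name carries the firewall insight type."""
    data = json.loads(text)
    items = data if isinstance(data, list) else data.get("insights", [])
    return [i for i in items
            if f"/insightTypes/{FIREWALL_INSIGHT_TYPE}/" in i.get("name", "")]


def firewall_name(resource_uri):
    """'//compute.googleapis.com/projects/P/global/firewalls/NAME' -> 'NAME'."""
    return resource_uri.rstrip("/").rsplit("/", 1)[-1]


def shadowed_rule_report(insights, include_dismissed=False):
    """Map each shadowed rule name to the sorted names of the rules that shadow
    it. DISMISSED insights are skipped unless include_dismissed is set, which
    mirrors what the Cloud Console displays."""
    report = {}
    for ins in insights:
        if ins.get("insightSubtype") != "SHADOWED_RULE":
            continue
        state = ins.get("stateInfo", {}).get("state", "ACTIVE")
        if state == "DISMISSED" and not include_dismissed:
            continue
        shadowing = [firewall_name(u)
                     for u in ins.get("content", {}).get("shadowingFirewalls", [])]
        for target in ins.get("targetResources", []):
            bucket = report.setdefault(firewall_name(target), [])
            bucket.extend(s for s in shadowing if s not in bucket)
            bucket.sort()
    return report


def state_counts(insights):
    """Count insights by (subtype, state), e.g. how many shadowed rules are
    still ACTIVE versus already DISMISSED."""
    return dict(Counter(
        (i.get("insightSubtype", "UNKNOWN"),
         i.get("stateInfo", {}).get("state", "UNKNOWN"))
        for i in insights))


if __name__ == "__main__":
    found = load_insights(SAMPLE_RESPONSE)
    for shadowed, shadowing in shadowed_rule_report(found).items():
        print(f"{shadowed} is redundant: shadowed by {', '.join(shadowing)}")
    print(state_counts(found))
```

Run it against a saved response by replacing SAMPLE_RESPONSE with the file contents; a rule that appears in the report is a candidate for deletion only after the shadowing rules have been checked to cover the same traffic intentionally, which is why the script keeps the shadowing rule names beside each shadowed one.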

Describing insights

Use this command to list details for an insight.

gcloud

gcloud beta recommender insights describe INSIGHT_NAME \
  --project=PROJECT_NAME --location=global \
  --insight-type=google.compute.firewall.Insight

Replace the following with values for your network:

  • INSIGHT_NAME: the name of the insight to describe
  • PROJECT_NAME: the name of the project that you want to list insights for

--location always uses the location named global, and --insight-type always uses the insight type named google.compute.firewall.Insight.

API

To get details for an insight, make a GET request to the projects.locations.insightTypes.insights method.

GET https://recommender.googleapis.com/v1beta1/{name=projects/*/locations/global/insightTypes/*/insights/*}

{
  "name": "projects/PROJECT_ID/locations/LOCATION/insightTypes/INSIGHT_TYPE_ID/insights/INSIGHT_ID"
}

Replace the following with values for your network:

  • PROJECT_ID: the project ID
  • LOCATION: always use the location named global
  • INSIGHT_TYPE_ID: always use a value of google.compute.firewall.Insight
  • INSIGHT_ID: the insight ID for the insight

What's next

  • To review your VPC firewall runtime usage, clean up and optimize your firewall rule configurations, and tighten up security boundaries, see Working with common use cases.