View Firewall Insights metrics

Firewall Insights metrics let you analyze how your firewall rules are used. You can view the metrics by using Cloud Monitoring and the Google Cloud console.

The following metrics help you track your firewall usage:

  • Firewall hit count metrics show you the number of times that a firewall rule was used to allow or deny traffic.
  • Firewall last used metrics show you the last time that a particular firewall rule was used to allow or deny traffic.

Note the following aspects about Firewall Insights metrics:

  • The metrics are derived from Firewall Rules Logging.
  • The metrics are available only for rules that have Firewall Rules Logging enabled and are accurate only for the time during which Firewall Rules Logging is enabled.
  • Firewall metrics are generated only for traffic that fits the specifications for Firewall Rules Logging. For example, data is logged and metrics are generated only for TCP and UDP traffic. For a complete list of criteria, see Specifications in the Firewall Rules Logging overview.

You can construct arbitrary queries over Firewall Insights metrics by using the projects.timeSeries.list request method in the Cloud Monitoring version 3 API documentation.

Firewall Insights gathers metrics data for the last time that a firewall rule was applied to allow or deny traffic (timestamp) and for the number of hits on a firewall rule for the retention period.

  • firewallinsights.googleapis.com/subnet/firewall_hit_count
  • firewallinsights.googleapis.com/subnet/firewall_last_used_timestamp
  • firewallinsights.googleapis.com/vm/firewall_hit_count
  • firewallinsights.googleapis.com/vm/firewall_last_used_timestamp

The metric for tracking firewall hit counts is defined per virtual machine (VM) instance and per Virtual Private Cloud (VPC) subnet.

Per-instance (VM) metrics provide hit count and last used timestamp information for the network interface of a VM. Per-subnet metrics provide hit count information for individual firewall rules.

Use the following resources to access Firewall Insights metrics data:

  • View metrics for Firewall Insights on the Google Cloud metrics page.
  • For an overview of metrics, time series, and resources, see the metric model in the Cloud Monitoring version 3 API documentation.
  • For information about how to read these metrics, see Reading metric data.

Required roles and permissions

To get the permission that you need to manage and export insights, ask your administrator to grant you the following IAM roles on your project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

This predefined role contains the recommender.computeFirewallInsights.list permission, which is required to manage and export insights.

You might also be able to get this permission with custom roles or other predefined roles.

View firewall hit count metrics

The firewall_hit_count metric tracks the number of times that a firewall rule is used to allow or deny traffic.

For each firewall rule, Cloud Monitoring stores data for the firewall_hit_count metric only if the rule had hits because of TCP or UDP traffic. That is, Cloud Monitoring does not store data about rules that had no hits.

You can view the data derived from this metric on the Firewall policies page in the Google Cloud console.

The data on the Firewall page might not be identical to the firewall_hit_count metric data stored in Cloud Monitoring. Cloud Monitoring doesn't explicitly identify rules with no hits. For example, the Google Cloud console shows a zero hit count even if Cloud Monitoring does not record any hits. You can see this difference for firewall rules that are configured to allow or deny TCP, UDP, ICMP, or any other type of traffic.

This behavior differs from the allow rules with no hits insight. When this insight identifies firewall rules with no hits, it omits firewall rules that are configured to allow traffic other than TCP or UDP, even if those rules also allow TCP or UDP traffic.

View firewall last used metrics

By using the Metrics Explorer in Cloud Monitoring, you can see the last time a particular firewall rule was used to allow or deny traffic by viewing the firewall_last_used_timestamp metric. This metric helps you identify which firewall rules haven't been used recently.

On the Firewall policies page in the Google Cloud console, you can see when you last used a firewall rule in the past six weeks or for whatever duration Firewall Rules Logging has been enabled, whichever is less. If the last hit occurred before the past six weeks or before Firewall Rules Logging was enabled, the last hit time is shown as .

Reporting frequency and retention

The firewall rule hit count metric is exported to Monitoring every minute. Monitoring data retention is six weeks. You can analyze any time interval within the prior six weeks in one-minute intervals.

Filtering and aggregation

For each firewall rule, by aggregating the hit counts for VM instances, you can observe the overall hit counts that accumulate for all the traffic flowing in your VPC network.

For example, see Detect sudden increases in the hit count for deny firewall rules.

Use Monitoring dashboards and alerts

You can use Monitoring dashboards and their associated charts to visualize the data for the Firewall Insights metrics described in the preceding sections.

To monitor these metrics in Monitoring, you can create custom dashboards. You can also add alerts based on these metrics.