View and understand Firewall Insights

Firewall Insights helps you understand the usage patterns of your firewall rules. You can use these insights to support decisions about removing or modifying firewall rules to simplify and secure your firewall configuration.

You can view the following insights on the Google Cloud console Firewall Insights page and in several other places in the Google Cloud console:

  • Shadowed firewall rules: help you identify firewall rules that overlap with existing rules.
  • Overly permissive rules: help you identify allow rules with no hits, unused attributes, or overly permissive IP address or port ranges.
  • Deny rules: give you details about deny rules that had hits during the configured observation period.

Insights for overly permissive rules and deny rules are generated based on data collected for the duration when Firewall Rules Logging is enabled.

On the Firewall Insights page in the Google Cloud console, each card that displays the insights includes a list of all the rules in your project that meet the insight criteria.

If you want to limit the results to one VPC network, use the filter bar at the top of the page to select a network.

For more information, see Where you can view metrics and insights.

The following sections describe how to view each insight.

Required roles and permissions

To get the permission that you need to view insights, ask your administrator to grant you the following IAM roles on your project:

For more information about granting roles, see Manage access.

This predefined role contains the recommender.computeFirewallInsights.list permission, which is required to view insights.

You might also be able to get this permission with custom roles or other predefined roles.

View shadowed firewall rules

To learn about this insight, see Shadowed rules.

Console

  1. In the Google Cloud console, go to the Firewall Insights page.

  2. On the card named Shadowed rules, click View full list. In response, the Google Cloud console displays the Shadowed rules page, which lists all the VPC networks.

    For each VPC network in your project, you can see the insights for hierarchical firewall policies, global network firewall policies, and VPC firewall rules, along with the priority of the rule. The Insight column for each rule provides a summary of why the rule was identified as a shadowed rule.

  3. Optional: Use filtering to narrow the results in the list based on rule name, priority, and policy name.

  4. To view more details about the shadowed rule and the rules that shadow it, click the insight.

gcloud and API

Firewall Insights uses Recommender commands. Recommender is a Google Cloud service that provides usage recommendations for Google Cloud products and services.

View allow rules with no hits

To learn about this insight, see Allow rules with no hits.

Console

  1. In the Google Cloud console, go to the Firewall Insights page.

  2. On the card named Allow rules with no hit, click View full list. In response, the Google Cloud console displays the Allow rules with no hits page. This page lists all the VPC networks that had rules with no hits during the observation period.

    The Insight column for each rule shows whether the firewall rule had no hits during the observation period. The Future hit prediction column shows a prediction of future usage based on firewall rules in the same organization.

  3. Optional: Use filtering to narrow the results in the list based on rule name, priority, and policy name.

  4. For any rule in the list, do any of the following as appropriate:

    • To view the Firewall rule details page for the rule, click the name of the rule.
    • To view logging for the rule, click View audit log.
    • To see details about the prediction, click the link in the Insight column. In response, the Insight details panel is displayed. This panel describes the main attributes of the rule. It also describes other rules in the project that have similar attributes.

gcloud and API

Firewall Insights uses Recommender commands. Recommender is a Google Cloud service that provides usage recommendations for Google Cloud products and services.

View allow rules that are unused based on trend analysis

You can view allow rules that are unused based on trend analysis by using the Google Cloud CLI and the Recommender API.

To learn about this insight, see Allow rules that are unused based on trend analysis.

gcloud

To list allow rules that are unused based on trend analysis, use the following command:

gcloud recommender insights list \
    --project=PROJECT_ID \
    --location=global \
    --insight-type=google.compute.firewall.Insight \
    --filter="insightSubtype:DEACTIVATED_RULE"

Replace PROJECT_ID with the ID of the Google Cloud project that you want to retrieve the insights from.

API

  • To list all insights for a project, use the recommender.insightTypes.insights method:

    GET https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/global/insightTypes/google.compute.firewall.Insight/insights

  • To get information about a specific INSIGHT_ID based on trend analysis, use the recommender.insightTypes.insights method:

    GET https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/global/insightTypes/google.compute.firewall.Insight/insights/INSIGHT_ID

    Replace the following:

    • PROJECT_ID: the ID of the Google Cloud project that you want to retrieve the insights from
    • INSIGHT_ID: the insight ID for which you want to see the insights based on trend analysis
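As an added example (not part of the Google Cloud documentation), the following Python triages the JSON that the gcloud command above emits when run with --format=json: it keeps only active DEACTIVATED_RULE insights and sets aside rules whose source ranges sit entirely inside the Google Cloud health-check probe ranges, because such rules may show no hits yet should not be removed. The sample records are constructed; the content.sourceRanges layout and the HEALTH_CHECK_RANGES values are assumptions to verify against the Compute Engine documentation.

```python
import ipaddress
import json

# Google Cloud health-check probe ranges. Assumption: confirm against the Compute
# Engine documentation this page references before treating them as exempt.
HEALTH_CHECK_RANGES = [ipaddress.ip_network("35.191.0.0/16"),
                       ipaddress.ip_network("130.211.0.0/22")]

# Constructed sample in the shape of `gcloud recommender insights list --format=json`
# for google.compute.firewall.Insight. The `content.sourceRanges` layout is assumed.
SAMPLE_INSIGHTS = json.loads("""[
  {"insightSubtype": "DEACTIVATED_RULE",
   "targetResources": ["//compute.googleapis.com/projects/example-project/global/firewalls/allow-legacy-app"],
   "content": {"sourceRanges": ["0.0.0.0/0"]},
   "stateInfo": {"state": "ACTIVE"}},
  {"insightSubtype": "DEACTIVATED_RULE",
   "targetResources": ["//compute.googleapis.com/projects/example-project/global/firewalls/allow-health-checks"],
   "content": {"sourceRanges": ["35.191.0.0/16", "130.211.0.0/22"]},
   "stateInfo": {"state": "ACTIVE"}},
  {"insightSubtype": "DEACTIVATED_RULE",
   "targetResources": ["//compute.googleapis.com/projects/example-project/global/firewalls/allow-old-dismissed"],
   "content": {"sourceRanges": ["10.0.0.0/8"]},
   "stateInfo": {"state": "DISMISSED"}}
]""")

def rule_name(insight):
    """The firewall rule name is the last segment of the target resource URI."""
    return insight["targetResources"][0].rsplit("/", 1)[-1]

def only_health_check_sources(source_ranges):
    """True when every source range sits inside a health-check probe range,
    i.e. the rule exists for Google Cloud probes and may legitimately see no hits."""
    nets = [ipaddress.ip_network(r, strict=False) for r in source_ranges]
    return bool(nets) and all(
        any(n.version == h.version and n.subnet_of(h) for h in HEALTH_CHECK_RANGES)
        for n in nets)

def triage(insights, subtype="DEACTIVATED_RULE"):
    """Split active insights of one subtype into rules to review for removal
    and rules exempted because they only admit health-check probes."""
    result = {"review": [], "exempt": []}
    for ins in insights:
        if ins.get("insightSubtype") != subtype:
            continue
        if ins.get("stateInfo", {}).get("state") != "ACTIVE":
            continue  # dismissed or already-applied insights are not actionable
        bucket = "exempt" if only_health_check_sources(
            ins.get("content", {}).get("sourceRanges", [])) else "review"
        result[bucket].append(rule_name(ins))
    return result
```

Pipe real output into `triage(json.load(sys.stdin))` to get the same two lists for your project; anything in "review" still needs a human check before the rule is deleted.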

View allow rules with unused attributes

To learn about this insight, see Allow rules with unused attributes.

Console

  1. In the Google Cloud console, go to the Firewall Insights page.

  2. On the card named Allow rules with unused attributes, click View full list. In response, the Google Cloud console displays the Allow rules with unused attributes page. This page lists all the VPC networks that have rules that had unused attributes during the observation period.

    The Insight column for each rule shows the number of unused attributes during the observation period.

  3. Optional: Use filtering to narrow the results in the list based on rule name, priority, and policy name.

  4. For any VPC network in the list, do any of the following as appropriate:

    • To view the Firewall rule details page for the rule, click the name of the rule.
    • To view logging for the rule, click View audit log.
    • To see details about the prediction, click the prediction link. In response, the Insight details panel is displayed. This panel describes the main attributes of the rule. It also describes other rules in the project that have similar attributes.

gcloud and API

Firewall Insights uses Recommender commands. Recommender is a Google Cloud service that provides usage recommendations for Google Cloud products and services.

View allow rules with overly permissive IP address or port ranges

To learn about this insight, see Allow rules with overly permissive IP address or port ranges.

Be aware that your project might have firewall rules that allow access from certain IP address blocks for load balancer health checks or for other Google Cloud functionality. These IP addresses might not be hit, but they should not be removed from your firewall rules. For more information about these ranges, see the Compute Engine documentation.

Console

  1. In the Google Cloud console, go to the Firewall Insights page.

  2. On the card named Allow rules with overly permissive IP address or port ranges, click View full list. In response, the Google Cloud console displays a list of all the rules that had overly permissive ranges during the observation period.

  3. For any rule in the list, do any of the following as appropriate:

    • To view the Firewall rule details page for any rule, click the name of the rule.
    • To view logging for the rule, click View audit log.
    • To see suggestions about how to narrow the range, click the link in the Insight column. In response, the Insight details panel is displayed. This panel describes the main attributes of the rule. It suggests more narrowly defined IP address or port ranges that you could use.

gcloud and API

Firewall Insights uses Recommender commands. Recommender is a Google Cloud service that provides usage recommendations for Google Cloud products and services.

View deny rules with hits

To learn about this insight, see Deny rules with hits.

Console

  1. In the Google Cloud console, go to the Firewall Insights page.

  2. On the card named Deny rules with hits, click View full list. In response, the Google Cloud console displays the Deny rules with hits page. This page lists all the VPC networks that have deny rules that had hits during the observation period.

  3. To review the packets dropped by a firewall, click Hit count.

gcloud and API

Firewall Insights uses Recommender commands. Recommender is a Google Cloud service that provides usage recommendations for Google Cloud products and services.

View insights on the VM network interface details page

View firewall usage on the Network interface details page for a VM.

For more information about this page, see List firewall rules for a network interface of a VM instance.

View rules with hits in the last 24 months

Console

  1. In the Google Cloud console, go to the Compute Engine VM instances page.

  2. Choose a VM, and on the far right of the page, click its more actions menu.

  3. On the menu, select View network details.

  4. In the Firewall and routes details section, click the Firewall Rules tab.

  5. In the Hit count column, view the hit counts for allow and deny traffic in the last 24 months for all firewall rules associated with a specific network interface.

gcloud and API

Firewall Insights uses Recommender commands. Recommender is a Google Cloud service that provides usage recommendations for Google Cloud products and services.

View insights on the Firewall page

For more information about the Firewall page, see List firewall rules for a VPC network.

List insights for a project

Console

  1. In the Google Cloud console, go to the Firewall page.

  2. For each firewall rule, view the name of available insights in the Insights column.

  3. You can click the name of an insight to view its details.

The following sections describe how to view and interpret the details for each type of insight.

View allow rules with no hits in the last 24 months

Console

  1. In the Google Cloud console, go to the Firewall page.

  2. In the Last hit column, review the last time that a given firewall rule was used in the last 24 months.

gcloud and API

Firewall Insights uses Recommender commands. Recommender is a Google Cloud service that provides usage recommendations for Google Cloud products and services.

View the usage history chart for a rule

Console

  1. In the Google Cloud console, go to the Firewall page.

  2. Click a firewall rule name.

  3. In the Hit count monitoring section of the page, view the resulting chart that shows the firewall hit count for a given time period. You can select a time interval for the hit count monitoring chart.

gcloud and API

Firewall Insights uses Recommender commands. Recommender is a Google Cloud service that provides usage recommendations for Google Cloud products and services.

View deny rules with hits for an observation period

Console

  1. In the Google Cloud console, go to the Firewall page.

  2. In the Hit count column, view the number of unique connections used for a given firewall rule in the last 24 months (default).

gcloud and API

Firewall Insights uses Recommender commands. Recommender is a Google Cloud service that provides usage recommendations for Google Cloud products and services.

What's next