View Firewall Insights metrics

Firewall Insights metrics let you analyze how your firewall rules are used. You can view the metrics by using Cloud Monitoring and the Google Cloud console.

The following metrics help you track your firewall usage:

  • Firewall hit count metrics show you the number of times that a firewall rule was used to allow or deny traffic.
  • Firewall last used metrics show you the last time that a particular firewall rule was used to allow or deny traffic.

Note the following aspects about Firewall Insights metrics:

  • The metrics are derived from Firewall Rules Logging.
  • The metrics are available only for rules that have Firewall Rules Logging enabled and are accurate only for the time during which Firewall Rules Logging is enabled.
  • Firewall metrics are generated only for traffic that fits the specifications for Firewall Rules Logging. For example, data is logged and metrics are generated only for TCP and UDP traffic. For a complete list of criteria, see Specifications in the Firewall Rules Logging overview.

You can construct arbitrary queries over Firewall Insights metrics by using the projects.timeSeries.list request method in the Cloud Monitoring version 3 API documentation.

Firewall Insights gathers two kinds of metric data: the last time that a firewall rule was applied to allow or deny traffic (a timestamp), and the number of hits on a firewall rule over the retention period. The available metrics are:

  • firewallinsights.googleapis.com/subnet/firewall_hit_count
  • firewallinsights.googleapis.com/subnet/firewall_last_used_timestamp
  • firewallinsights.googleapis.com/vm/firewall_hit_count
  • firewallinsights.googleapis.com/vm/firewall_last_used_timestamp

The metric for tracking firewall hit counts is defined per virtual machine (VM) instance and per Virtual Private Cloud (VPC) subnet.

Per-instance (VM) metrics provide hit count and last used timestamp information for the network interface of a VM. Per-subnet metrics provide hit count information for individual firewall rules.

Use the following resources to access Firewall Insights metrics data:

  • View metrics for Firewall Insights on the Google Cloud metrics page.
  • For an overview of metrics, time series, and resources, see the metric model in the Cloud Monitoring version 3 API documentation.
  • For information about how to read these metrics, see Reading metric data.

Required roles and permissions

To get the permission that you need to manage and export insights, ask your administrator to grant you the following IAM roles on your project:

For more information about granting roles, see Manage access.

This predefined role contains the recommender.computeFirewallInsights.list permission, which is required to manage and export insights.

You might also be able to get this permission with custom roles or other predefined roles.

View firewall hit count metrics

The firewall_hit_count metric tracks the number of times that a firewall rule is used to allow or deny traffic.

For each firewall rule, Cloud Monitoring stores data for the firewall_hit_count metric only if the rule had hits because of TCP or UDP traffic. That is, Cloud Monitoring does not store data about rules that had no hits.

You can view the data derived from this metric on the Firewall policies page in the Google Cloud console.

The data on the Firewall policies page might not be identical to the firewall_hit_count metric data stored in Cloud Monitoring, because Cloud Monitoring doesn't explicitly identify rules with no hits. For example, the Google Cloud console shows a zero hit count for a rule even though Cloud Monitoring records no data for it at all. You can see this difference for firewall rules that are configured to allow or deny TCP, UDP, ICMP, or any other type of traffic.

This behavior differs from the allow rules with no hits insight. When this insight identifies firewall rules with no hits, it omits firewall rules that are configured to allow traffic other than TCP or UDP, even if those rules also allow TCP or UDP traffic.

View firewall last used metrics

By using the Metrics Explorer in Cloud Monitoring, you can see the last time a particular firewall rule was used to allow or deny traffic by viewing the firewall_last_used_timestamp metric. This metric helps you identify which firewall rules haven't been used recently.

On the Firewall policies page in the Google Cloud console, you can see when you last used a firewall rule in the past six weeks or for whatever duration Firewall Rules Logging has been enabled, whichever is less. If the last hit occurred before the past six weeks or before Firewall Rules Logging was enabled, the last hit time is shown as .

Reporting frequency and retention

The firewall rule hit count metric is exported to Monitoring every minute. Monitoring data retention is six weeks. You can analyze any time interval within the prior six weeks in one-minute intervals.

Filtering and aggregation

For each firewall rule, by aggregating the hit counts for VM instances, you can observe the overall hit counts that accumulate for all the traffic flowing in your VPC network.

For example, see Detect sudden increases in the hit count for deny firewall rules.
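The following Python script is an added example and is not part of the Firewall Insights documentation or of any Google client library. It shows the pieces a practitioner usually combines: building a projects.timeSeries.list query for the vm/firewall_hit_count metric with the standard Cloud Monitoring v3 filter and aggregation parameters, summing a response across VM instances so that each series is one firewall rule, treating rules that are absent from the response as rules with no hits (Monitoring stores no data for them, as noted above), and flagging deny rules whose newest one-minute bucket is far above their earlier baseline. The metric label names (firewall_name, firewall_action) and label values (ALLOW, DENY), the project ID, the instance IDs and the sample response are all assumptions constructed for the example; check the label names against the metrics list for your project before using the query.

```python
"""Added example (not Google's code): query, aggregate and inspect
firewallinsights.googleapis.com/vm/firewall_hit_count data.
Label names/values and the sample response are constructed assumptions."""
from statistics import mean
from urllib.parse import urlencode

HIT_COUNT_METRIC = "firewallinsights.googleapis.com/vm/firewall_hit_count"
MONITORING_V3 = "https://monitoring.googleapis.com/v3"


def build_hit_count_query(project_id, start_time, end_time, alignment_period="60s"):
    """Return a timeSeries.list URL giving per-rule hit counts summed across VMs.

    filter, interval.* and aggregation.* are Cloud Monitoring v3 query parameters;
    the label used in groupByFields (firewall_name, firewall_action) is assumed.
    """
    params = {
        "filter": f'metric.type = "{HIT_COUNT_METRIC}" AND resource.type = "gce_instance"',
        "interval.startTime": start_time,
        "interval.endTime": end_time,
        # Hit counts are exported once a minute, so one-minute buckets lose nothing
        "aggregation.alignmentPeriod": alignment_period,
        "aggregation.perSeriesAligner": "ALIGN_SUM",
        # Reduce across VM instances so that each returned series is one rule
        "aggregation.crossSeriesReducer": "REDUCE_SUM",
        "aggregation.groupByFields": ["metric.label.firewall_name",
                                      "metric.label.firewall_action"],
    }
    return f"{MONITORING_V3}/projects/{project_id}/timeSeries?" + urlencode(params, doseq=True)


def hits_per_rule(response):
    """Sum INT64 points per (firewall_name, firewall_action), in time order.

    Also works on an un-aggregated response (one series per VM): series that
    share a rule are merged, which is the cross-VM aggregation described above.
    """
    per_rule = {}
    for series in response.get("timeSeries", []):
        labels = series["metric"]["labels"]
        buckets = per_rule.setdefault((labels["firewall_name"], labels["firewall_action"]), {})
        for point in series["points"]:
            end = point["interval"]["endTime"]
            # INT64 values are serialized as strings in the JSON response
            buckets[end] = buckets.get(end, 0) + int(point["value"]["int64Value"])
    return {key: [b[t] for t in sorted(b)] for key, b in per_rule.items()}


def rules_without_hits(configured_rules, per_rule):
    """Rules you configured but that Monitoring returned no series for (zero hits)."""
    seen = {name for name, _action in per_rule}
    return sorted(set(configured_rules) - seen)


def spiking_deny_rules(per_rule, factor=3.0, min_hits=10):
    """Deny rules whose newest bucket exceeds `factor` times the mean of earlier buckets."""
    spikes = []
    for (name, action), counts in per_rule.items():
        if action != "DENY" or len(counts) < 2:
            continue
        baseline = max(mean(counts[:-1]), 1)  # avoid dividing a quiet rule by zero
        if counts[-1] >= min_hits and counts[-1] > factor * baseline:
            spikes.append(name)
    return sorted(spikes)


# Constructed one-minute DELTA buckets (start and end time per point)
INTERVALS = [("2024-01-01T00:00:00Z", "2024-01-01T00:01:00Z"),
             ("2024-01-01T00:01:00Z", "2024-01-01T00:02:00Z"),
             ("2024-01-01T00:02:00Z", "2024-01-01T00:03:00Z")]


def _series(instance_id, rule, action, counts):
    """Build one constructed gce_instance time series in API response shape."""
    return {
        "metric": {"type": HIT_COUNT_METRIC,
                   "labels": {"firewall_name": rule, "firewall_action": action}},
        "resource": {"type": "gce_instance",
                     "labels": {"project_id": "example-project",
                                "zone": "us-central1-a", "instance_id": instance_id}},
        "metricKind": "DELTA", "valueType": "INT64",
        "points": [{"interval": {"startTime": s, "endTime": e},
                    "value": {"int64Value": str(n)}}
                   for (s, e), n in zip(INTERVALS, counts)],
    }


# Constructed sample: two VMs behind the same deny rule, one steady allow rule
SAMPLE_RESPONSE = {"timeSeries": [
    _series("1111", "deny-ssh-from-internet", "DENY", [5, 4, 40]),
    _series("2222", "deny-ssh-from-internet", "DENY", [3, 6, 50]),
    _series("1111", "allow-internal", "ALLOW", [100, 120, 110]),
    _series("2222", "deny-all-egress", "DENY", [2, 3, 2]),
]}
CONFIGURED_RULES = ["allow-internal", "deny-ssh-from-internet",
                    "deny-all-egress", "allow-health-checks"]

if __name__ == "__main__":
    print(build_hit_count_query("example-project", INTERVALS[0][0], INTERVALS[-1][1]))
    per_rule = hits_per_rule(SAMPLE_RESPONSE)
    print("no hits:", rules_without_hits(CONFIGURED_RULES, per_rule))
    print("deny spikes:", spiking_deny_rules(per_rule))
```

With the constructed sample, the deny-ssh-from-internet rule aggregates to 8, 10, 90 hits across the two VMs and is reported as a spike, while allow-health-checks is reported as having no hits only because no series came back for it; a real run would feed the URL to an authenticated request and pass the decoded JSON to hits_per_rule.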

Use Monitoring dashboards and alerts

You can use Monitoring dashboards and their associated charts to visualize the data for the Firewall Insights metrics described in the preceding sections.

To monitor these metrics in Monitoring, you can create custom dashboards. You can also add alerts based on these metrics.