Working with common use cases for Firewall Insights

The following sections describe ways that you can use Firewall Insights to review your Virtual Private Cloud (VPC) firewall runtime usage, clean up and optimize your firewall rule configurations, and tighten up security boundaries.

Review the following metrics for Firewall Insights to enable you to diagnose possible security attacks against your Google Cloud resources:

  • Firewall rules that have been applied to your virtual machine (VM) instances in the last 30 days
  • Ingress deny firewall rules with sudden increases in their hit count

To learn more about the insights and usage metrics described on this page, see the Firewall Insights overview.

Viewing rules applied to a VM in the last 30 days

Console

Review these rules to help you to avoid misconfigurations and unnecessary shadowed rules:

  1. In the Google Cloud Console, go to the Compute Engine virtual machine (VM) instances page.

    Go to the Compute Engine VMs page

  2. In the Filter VM Instances field, filter instances by entering one of the following key/value pairs to find relevant VMs. You can also click values that appear after entering a key such as Network tags:. For more information, see the documentation for tags and IP addresses.

    Network tags:TAG_NAME

    Replace TAG_NAME with a tag assigned to a VPC network.

    Internal IP:INTERNAL_IP_ADDRESS

    Replace INTERNAL_IP_ADDRESS with an internal IP address for a VM interface.

    External IP:EXTERNAL_IP_ADDRESS

    Replace EXTERNAL_IP_ADDRESS with an external IP address for a VM interface.

  3. In the search results for a VM interface, find a VM and click its more actions menu .

  4. On the menu, select View network details.

  5. On the Network interface details page, complete the following steps:

    1. Under Firewall rules and routes details, enter last hit after:YYYY-MM-DD to filter the firewall rules. This finds firewall rules with recent hits.

    2. For a firewall rule, click the number in the Hit count column to open the firewall log and review traffic details, as in the following example query. To enter a query, click Submit filter.

      jsonPayload.rule_details.reference:("network:network1/firewall:allow-tcp") AND
jsonPayload.instance.project_id:("p6ntest-firewall-intelligence") AND
jsonPayload.instance.zone:("us-central1-c") AND
jsonPayload.instance.vm_name:("instance2")

    3. Add one or more additional Cloud Logging filters to further filter the firewall log detail. For example, the following example query adds an additional filter that filters by source IP address (src_ip). To enter a query, click Submit filter.

      jsonPayload.rule_details.reference:("network:network1/firewall:allow-tcp") AND
jsonPayload.instance.project_id:("p6ntest-firewall-intelligence") AND
jsonPayload.instance.zone:("us-central1-c") AND
jsonPayload.instance.vm_name:("instance2") AND
jsonPayload.connection.src_ip:("10.0.1.2")

Detecting sudden increases in the hit count for ingress deny firewall rules

You can configure Cloud Monitoring alerts to detect certain behavior changes in the hit count for one or more VPC firewall rules. For example, you can set an alert when the hit count on the ingress deny rule increases by 100%. Setting this alert is helpful for detecting possible security attacks against your Google Cloud resources.

Console

To set an alert, complete the following steps:

  1. In the Cloud Console, select your Google Cloud project and then use the navigation pane to select Monitoring.

    Go to the Cloud Console

    If you have never used Cloud Monitoring, then on your first access of Monitoring in the Google Cloud Console, a Workspace is automatically created and your project is associated with that Workspace. Otherwise, if your project isn't associated with a Workspace, then a dialog appears and you can either create a Workspace or add your project to an existing Workspace. We recommend that you create a Workspace. After you make your selection, click Add.

  2. In the navigation pane, select Alerting.

  3. At the top of the page, click Create policy.

  4. On the Create alerting policy page, perform the following steps:

    1. Name the policy.

    2. Click Add condition, and then enter the metric for VM Firewall Hit Counts (firewallinsights.googleapis.com/vm/firewall_hit_count).

    3. Enter the necessary filters and alert conditions. For steps, see Specifying conditions for alerting policies.

    4. Click Add.

    5. Click Add Notification Channel, and then add, for example, an email address.

    6. Click Save.

Cleaning up shadowed firewall rules

For more information about shadowed rules, see the shadowed rules example in the Firewall Insights overview.

Console

To clean up firewall rules that are shadowed by other rules, perform the following steps:

  1. In the Cloud Console, go to the VPC firewall rules page.

    Go to the VPC firewall rules page

  2. In the Filter table field, enter the following query:

    Insight type: Shadowed by

  3. For each rule in the search results, click the Name of the rule and view its details page. Review and clean up each rule as needed.

Cleaning up unused ingress allow rules

Console

To find ingress rules that have not been hit for the requested number of days, perform the following steps:

  1. In the Cloud Console, go to the VPC firewall rules page.

    Go to the VPC firewall rules page

  2. In the Filter table field, enter the following query:

    Type:Ingress Last hit before:YYYY-MM-DD

    Replace YYYY-MM-DD with the date that you want to use. For example, 2020-03-30.

  3. For each rule in the search results, click the Name of the rule and view its details page. Review and clean up each rule as needed.

What's next