This document describes how you can use Firewall Insights to review your Virtual Private Cloud (VPC) firewall runtime usage, optimize your firewall rule configurations, and tighten security boundaries.
To learn more about the insights and usage metrics described on this page, see the Firewall Insights overview.
View rules applied to a VM in the last 30 days
Console
Review these rules to help you to avoid misconfigurations and unnecessary shadowed rules:
In the Google Cloud console, go to the Compute Engine VM instances page.
In the Filter VM Instances field, filter instances by entering one of the following key/value pairs to find relevant VMs. You can also click values that appear after entering a key such as Network tags:. For more information, see the documentation for tags and IP addresses.
- Network tags:TAG_NAME. Replace TAG_NAME with a tag assigned to a VPC network.
- Internal IP:INTERNAL_IP_ADDRESS. Replace INTERNAL_IP_ADDRESS with an internal IP address for a VM interface.
- External IP:EXTERNAL_IP_ADDRESS. Replace EXTERNAL_IP_ADDRESS with an external IP address for a VM interface.
In the search results for a VM interface, find a VM and click its more actions menu.
On the menu, select View network details.
On the Network interface details page, complete the following steps:
Under Firewall rules and routes details, enter last hit after:YYYY-MM-DD to filter the firewall rules. This finds firewall rules with recent hits.
For a firewall rule, click the number in the Hit count column to open the firewall log and review traffic details, as in the following example query. To enter a query, click Submit filter.
jsonPayload.rule_details.reference:("network:network1/firewall:allow-tcp") AND jsonPayload.instance.project_id:("p6ntest-firewall-intelligence") AND jsonPayload.instance.zone:("us-central1-c") AND jsonPayload.instance.vm_name:("instance2")
Add one or more additional Cloud Logging filters to further filter the firewall log detail. For example, the following query adds a filter on the source IP address (src_ip). To enter a query, click Submit filter.
jsonPayload.rule_details.reference:("network:network1/firewall:allow-tcp") AND jsonPayload.instance.project_id:("p6ntest-firewall-intelligence") AND jsonPayload.instance.zone:("us-central1-c") AND jsonPayload.instance.vm_name:("instance2") AND jsonPayload.connection.src_ip:("10.0.1.2")
Detect sudden increases in the hit count for deny firewall rules
You can configure Cloud Monitoring to detect changes in the hit count of your deny VPC firewall rules. For example, you can choose to be alerted when the hit count of a particular rule increases by a certain percentage. Setting this alert helps you detect possible attacks on your Google Cloud resources.
Console
To set the alert, complete the following steps:
In the console, go to the Monitoring page.
In the navigation pane, select Alerting.
At the top of the page, click Create policy.
On the Create alerting policy page, click Add condition, and then complete the following steps:
Enter a name for the condition.
In the Find resource type and metric field, enter firewallinsights.googleapis.com/vm/firewall_hit_count (VM Firewall Hit Counts). This metric shows the hit count of firewall rules that are triggered for traffic addressed to a particular VM.
Enter filters. For example:
- Use instance_id to specify the ID of a VM.
- Use firewall_name to identify a firewall rule that has Firewall Rules Logging enabled.
Configure the alert conditions. For example, use the following values to trigger an alert when the hit count for the rule that you identified increases by 10% for six hours:
- Condition triggers if: set to Any time series violates
- Condition: set to increases by
- Threshold: set to 10
- For: set to 6 hours
Click Add.
Click Add Notification Channel, and then add, for example, an email address.
Click Save.
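As an added illustration (not part of the original page or Google's own code), the following Python applies the same fields as the Cloud Logging query in the previous section to constructed Firewall Rules Logging entries, and then flags the kind of percentage rise in deny-rule hit count that the alert configured above is meant to catch. The disposition field, the hourly bucketing and all sample entries are assumptions; Cloud Monitoring evaluates the real condition over its own alignment period.

```python
from collections import Counter

def entry(ts, disposition, rule, vm, src_ip):
    # Build one constructed entry shaped like a Firewall Rules Logging record
    # (field names taken from the page's query; disposition is assumed).
    return {"timestamp": ts, "jsonPayload": {
        "disposition": disposition,
        "rule_details": {"reference": f"network:network1/firewall:{rule}"},
        "instance": {"project_id": "p6ntest-firewall-intelligence",
                     "zone": "us-central1-c", "vm_name": vm},
        "connection": {"src_ip": src_ip}}}

# Constructed sample log: a deny rule on instance2 goes from 2 hits to 3 hits
# between consecutive hours (a 50% rise); instance1 traffic must be ignored.
SAMPLE_LOG = [entry(*row) for row in [
    ("2021-08-31T10:05:00Z", "ALLOWED", "allow-tcp", "instance2", "10.0.1.2"),
    ("2021-08-31T10:10:00Z", "DENIED", "deny-all", "instance2", "203.0.113.7"),
    ("2021-08-31T10:20:00Z", "DENIED", "deny-all", "instance2", "203.0.113.7"),
    ("2021-08-31T11:05:00Z", "DENIED", "deny-all", "instance2", "203.0.113.9"),
    ("2021-08-31T11:06:00Z", "DENIED", "deny-all", "instance2", "203.0.113.9"),
    ("2021-08-31T11:07:00Z", "DENIED", "deny-all", "instance2", "203.0.113.9"),
    ("2021-08-31T11:30:00Z", "DENIED", "deny-all", "instance1", "203.0.113.9"),
]]

def matches(e, rule_ref, vm_name, src_ip=None):
    # Same fields as the page's Cloud Logging query, with exact matching:
    # rule_details.reference AND instance.vm_name AND (optionally) connection.src_ip.
    p = e["jsonPayload"]
    return (p["rule_details"]["reference"] == rule_ref
            and p["instance"]["vm_name"] == vm_name
            and (src_ip is None or p["connection"]["src_ip"] == src_ip))

def hits_per_hour(entries, rule_ref, vm_name, src_ip=None):
    # Hit count per UTC hour bucket, the per-VM view the Hit count column gives.
    counts = Counter()
    for e in entries:
        if matches(e, rule_ref, vm_name, src_ip):
            counts[e["timestamp"][:13]] += 1  # "YYYY-MM-DDTHH"
    return dict(sorted(counts.items()))

def increases(counts, threshold_pct):
    # Flag each bucket whose count rose by at least threshold_pct versus the
    # previous bucket; buckets with zero hits never appear, so no division by zero.
    hours = list(counts)
    flagged = []
    for prev, cur in zip(hours, hours[1:]):
        pct = (counts[cur] - counts[prev]) / counts[prev] * 100
        if pct >= threshold_pct:
            flagged.append((cur, round(pct, 1)))
    return flagged
```

Calling increases(hits_per_hour(SAMPLE_LOG, "network:network1/firewall:deny-all", "instance2"), 10) returns the 11:00 bucket with its 50.0% rise; adding src_ip="203.0.113.7" narrows the view to one source, as the page's second query does.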
Clean up shadowed firewall rules
For more information about shadowed rules, see the shadowed rules example in the Firewall Insights overview.
Console
To clean up firewall rules that are shadowed by other rules, perform the following steps:
In the console, go to the Firewall page.
In the Filter table field, enter the following query: Insight type: Shadowed by.
For each rule in the search results, click the Name of the rule and view its details page. Review and clean up each rule as needed.
Remove an unused allow rule
Console
To evaluate and remove an unused allow rule, complete the following steps:
In the console, go to the Firewall page.
In the Filter table field, enter the following query: Type:Ingress Last hit before:MM/DD/YYYY. Replace MM/DD/YYYY with the date that you want to use. For example, 08/31/2021.
For each rule in the search results, review the information in the Insight column. This column provides a percentage that indicates the likelihood that this rule will be hit in the future. If the percentage is high, you might want to keep this rule. However, if it is low, continue reviewing the information generated by the insight.
Click the insight link to display the Insight Detail panel.
On the Insight Detail panel, review the attributes of this rule and the attributes of any similar rules that are listed.
If the rule has a low probability of being hit in the future, and if that prediction is supported by the hit pattern of similar rules, consider removing the rule. To remove the rule, click its name, which appears at the top of the Insight Detail panel. The Firewall rule details page opens.
Click Delete.
In the confirmation dialog, click Delete.
Remove an unused attribute from an allow rule
Console
To evaluate and remove an unused attribute, complete the following steps:
In the console, go to the Firewall Insights page.
On the card named Allow rules with unused attributes, click View full list. In response, the console displays the Allow rules with unused attributes page. This page lists all the rules that had unused attributes during the observation period.
Click the text that's displayed in the Insight column. The Insight Details page opens.
Review the details at the top of the page. The summary includes the following details:
- The name of the insight.
- The number of unused attributes that this rule has.
- The time that the insight was last updated.
- The names of other rules in the project that use similar attributes.
- The length of the observation period.
Assess whether you could remove the attribute:
- Review the Firewall rule with unhit attributes card. Look at the field labeled Attribute with no hit (with future hit prediction). This field provides a percentage that describes the likelihood that the attribute will be hit in the future.
- Review the Similar firewall rule in the same project card. Review the data displayed about whether this rule's attribute was used.
If the attribute has a low probability of being hit in the future, and if that prediction is supported by the hit pattern of similar rules, consider removing the attribute from the rule. To remove the attribute, click the name of the rule, which appears at the top of the Insight Detail page. The Firewall rule details page opens.
Click Edit, make the needed changes, and then click Save.
Narrow an allow rule's IP address range
Be aware that your project might have firewall rules that allow access from certain IP address blocks for load balancer health checks or for other Google Cloud functionality. These IP addresses might not be hit, but they should not be removed from your firewall rules. For more information about these ranges, see the Compute Engine documentation.
Console
To evaluate and tighten an overly permissive IP address range, complete the following steps:
In the console, go to the Firewall Insights page.
On the card named Allow rules with overly permissive IP address or port ranges, click View full list. In response, the console displays a list of all the rules that had overly permissive ranges during the observation period.
Find any rule in the list, and click the text that's displayed in the Insight column. The Insight Details page opens.
Review the details at the top of the page. The summary includes the following details:
- The name of the rule.
- The number of IP address ranges that could be narrowed.
- The time that the insight was last updated.
- The length of the observation period.
Assess whether you could narrow the IP address range: Review the Firewall rule with overly permissive IP address or port ranges card. Review the proposed list of new IP address ranges.
If appropriate, consider using the recommendations in the insight to narrow the IP address range. Click the name of the rule, which appears at the top of the Insight Detail page. The Firewall rule details page opens.
Click Edit, make the needed changes, and then click Save.
What's next
- To view metrics and insights, see Use Firewall Insights.