Firewall Insights overview

Firewall Insights helps you understand and optimize your firewall rules. It provides insights, recommendations, and metrics about how your firewall rules are being used. Firewall Insights also uses machine learning to predict future firewall rule usage.

Firewall Insights lets you make better decisions during firewall rule optimization. For example, Firewall Insights identifies rules that it classifies as overly permissive. You can use this information to make your firewall configuration stricter.

For firewall policies, you can get insights into firewall rules that are associated with a firewall policy.

Insights

You can use insights to analyze your firewall rule configuration and help simplify your firewall rules. Insights help you identify firewall rules that overlap existing rules, rules with no hits, and unused firewall rule attributes such as IP address and port ranges. You can get the following insights:

  • Shadowed firewall rule insights, which are derived from data about how you have configured your firewall rules. A shadowed rule shares attributes—such as IP address ranges—with other rules of higher or equal priority.
  • Overly permissive rule insights, including each of the following:
    • Allow rules with no hits
    • Allow rules that are obsolete based on adaptive analysis
    • Allow rules with unused attributes
    • Allow rules with overly permissive IP addresses or port ranges
  • Deny rule insights with no hits during the observation period.
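As an added illustration (not part of the Firewall Insights documentation and not the product's own algorithm), the following Python sketch applies the shadowed-rule definition above to a constructed rule set: a rule is flagged when a single rule of higher or equal priority matches everything it matches, so it can never take effect. The rule model, the priority convention and the sample rules are assumptions.

```python
# Added example: simplified shadowed-rule check over a constructed rule set.
# Assumptions: one source CIDR, one protocol and one inclusive port range per
# rule; a lower priority number is evaluated first. Shadowing by a union of
# several partially overlapping rules is not detected (single-rule cover only).
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class Rule:
    name: str
    priority: int   # lower number = higher priority
    action: str     # "allow" or "deny"
    src: str        # source CIDR, IPv4 or IPv6
    protocol: str   # "tcp" or "udp"
    ports: tuple    # (low, high), inclusive


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by inner is also matched by outer."""
    o_net, i_net = ip_network(outer.src), ip_network(inner.src)
    return (outer.protocol == inner.protocol
            and o_net.version == i_net.version      # never mix IPv4 and IPv6
            and i_net.subnet_of(o_net)
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


def shadowed_rules(rules):
    """Map each shadowed rule name to the names of the rules that shadow it.
    Equal priority counts as shadowing, as the overview states; same-priority
    action tie-breaking is not modelled here."""
    result = {}
    for r in rules:
        blockers = [o.name for o in rules
                    if o is not r and o.priority <= r.priority and covers(o, r)]
        if blockers:
            result[r.name] = blockers
    return result


SAMPLE_RULES = [  # constructed sample data, not a real configuration
    Rule("allow-all-ssh", 1000, "allow", "0.0.0.0/0", "tcp", (22, 22)),
    Rule("allow-office-ssh", 2000, "allow", "203.0.113.0/24", "tcp", (22, 22)),
    Rule("allow-web", 1000, "allow", "0.0.0.0/0", "tcp", (80, 443)),
    Rule("allow-https", 1000, "allow", "0.0.0.0/0", "tcp", (443, 443)),
    Rule("deny-udp-dns", 500, "deny", "10.0.0.0/8", "udp", (53, 53)),
    Rule("allow-udp-dns-v6", 900, "allow", "2001:db8::/32", "udp", (53, 53)),
]

if __name__ == "__main__":
    for name, by in shadowed_rules(SAMPLE_RULES).items():
        print(f"{name} is shadowed by {', '.join(by)}")
```

Running it on the sample set reports `allow-office-ssh` (covered by the wider `allow-all-ssh`) and `allow-https` (covered by `allow-web` at equal priority); the IPv6 DNS rule is not flagged because its address family differs from the IPv4 deny rule.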

With these insights, you can perform the following tasks:

  • Identify firewall misconfigurations for firewall rules containing IPv4 or IPv6 address ranges.
  • Optimize firewall rules and tighten security boundaries by identifying overly permissive allow rules and reviewing predictions about their future usage.

Firewall Insights uses Recommender. For more information, see Insights.

Metrics

Firewall Insights provides metrics that let you analyze how your firewall rules are used. These metrics are available in both Cloud Monitoring and the Google Cloud console.

Metrics are derived from Firewall Rules Logging. They are available only for firewall rules with Firewall Rules Logging enabled. Also, firewall metrics are generated only for traffic that fits the specifications for Firewall Rules Logging. For example, data is logged and metrics are generated only for TCP and UDP traffic. For a complete list of criteria, see Specifications in the Firewall Rules Logging overview.

With Firewall Insights metrics, you can perform the following tasks:

  • Verify that firewall rules are used in an intended way.
  • Over specified periods, verify that firewall rules allow or block their intended connections.
  • Perform live debugging of connections that are inadvertently dropped because of firewall rules.
  • Discover malicious attempts to access your network, in part by getting alerts about significant changes in the hit counts of firewall rules.

Metrics are produced by Cloud Monitoring. For more information, see Metrics, time series, and resources.

Where you can view metrics and insights

You can view Firewall Insights metrics and insights in the following Google Cloud console locations:

The Firewall Insights landing page in the Google Cloud console provides cards for all the insights. You can also view the insights by using the Recommender API or the Google Cloud CLI. You can view Firewall Insights metrics by using Cloud Monitoring and the Google Cloud console.
