Review and optimize firewall rules

This page describes some common Firewall Insights tasks for reviewing and optimizing your Virtual Private Cloud (VPC) firewall usage. Perform these tasks to optimize your firewall rule configurations and tighten security boundaries.

For example, you're a network administrator or a network security engineer who supports several large Shared VPC networks with many projects and applications. You want to review and optimize a large volume of firewall rules accumulated over time to ensure that they are consistent with the expected state of your network. You can use the following tasks to review and optimize your firewall rules.

Required roles and permissions

To get the permissions that you need to use Firewall Insights, ask your administrator to grant you the following IAM roles on your project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to use Firewall Insights. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to use Firewall Insights:

  • recommender.computeFirewallInsights.list
  • recommender.computeFirewallInsights.update

You might also be able to get these permissions with custom roles or other predefined roles.

View rules applied to a VM in the last 30 days

To review the rules applied to a VM, so that you can avoid misconfigurations and unnecessary shadowed rules, do the following:

Console

  1. In the Google Cloud console, go to the Compute Engine VM instances page.

    Go to Compute Engine VM instances

  2. In the Filter field, filter the instances by entering one of the following key-value pairs to find relevant VMs.

    Network tags: TAG_NAME 
    

    Replace TAG_NAME with a tag assigned to a VPC network.

    Internal IP: INTERNAL_IP_ADDRESS 
    

    Replace INTERNAL_IP_ADDRESS with an internal IP address for a VM interface.

    External IP: EXTERNAL_IP_ADDRESS 
    

    Replace EXTERNAL_IP_ADDRESS with an external IP address for a VM interface.

  3. In the search results for a VM interface, select a VM and click the more actions menu.

  4. On the menu, select View network details.

  5. On the Network interface details page, complete the following steps:

    1. In the Firewall and routes details section, click Firewalls and then Filter.
    2. Enter last hit after: YYYY-MM-DD to filter the firewall rules. This filter expression finds firewall rules with recent hits.

    3. For a firewall rule, click the number in the Hit count column to open the firewall log and review traffic details, as in the following example query. To enter a query, click Submit filter.

        jsonPayload.rule_details.reference:("network:network1/firewall:allow-tcp")
        AND jsonPayload.instance.project_id:("p6ntest-firewall-intelligence")
        AND jsonPayload.instance.zone:("us-central1-c")
        AND jsonPayload.instance.vm_name:("instance2")

    4. Add one or more additional Cloud Logging filters to further narrow the firewall log detail. For example, the following query adds a filter on the source IP address (src_ip). To enter a query, click Submit filter.

        jsonPayload.rule_details.reference:("network:network1/firewall:allow-tcp")
        AND jsonPayload.instance.project_id:("p6ntest-firewall-intelligence")
        AND jsonPayload.instance.zone:("us-central1-c")
        AND jsonPayload.instance.vm_name:("instance2")
        AND jsonPayload.connection.src_ip:("10.0.1.2")


Detect sudden increases in the hit count for deny firewall rules

You can configure Cloud Monitoring to detect changes in the hit count of your VPC deny firewall rules. For example, you can choose to be alerted when the hit count of a particular rule increases by a certain percentage. Setting this alert helps you detect possible attacks on your Google Cloud resources.

To set an alert, do the following:

Console

  1. In the Google Cloud console, go to the Monitoring page.

    Go to Monitoring

  2. In the navigation pane, click Alerting and then Create policy.

  3. On the Create alerting policy page, click Add alert condition. A new condition is added.

  4. Expand the New condition section and select Configure trigger. The Configure alert trigger page opens.

  5. Configure the alert conditions. For example, use the following values to trigger an alert when the hit count for the rule that you identified increases by 10% for six hours:

    • Condition types: Set to Threshold.
    • Alert trigger: Set to Any time series violates.
    • Threshold position: Set to Above threshold.
    • Threshold value: Set to 10.
  6. In the Advanced options section, enter a name for the condition and click Next.

  7. On the Multi-condition trigger page, specify the condition and click Next.

  8. On the Configure notifications page, select Notification channels and then Manage notification channels.

  9. In the Notification channels window, add a new notification channel (for example, an email address), and click Save.

  10. In the Notification channels list, select the added notifications and then click OK.

  11. In the Name the alert policy section, enter the name and click Next. The alert condition is added.
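The two tasks above, the Logging filter on rule reference, project, zone, VM name and source IP, and the deny-rule hit-count alert, as an added Python example that is not part of this page or of Firewall Insights. It assumes the log entry field names shown in the page's query plus a top-level disposition field, and all log entries are constructed sample data:

```python
"""Added example: per-rule hit counts from VPC firewall log entries and a check
for deny rules whose hits rose more than a threshold between two windows, the
condition the Cloud Monitoring alert above is configured for. Log entries are
constructed; keys follow the page's query (rule_details.reference, instance.*,
connection.src_ip) plus the top-level disposition field (assumed)."""
from collections import Counter

ALLOW = "network:network1/firewall:allow-tcp"
DENY = "network:network1/firewall:deny-ssh"  # constructed rule name

def entry(rule, disposition, src_ip, vm="instance2"):
    """One constructed firewall log jsonPayload (sample data, not a real log)."""
    return {"disposition": disposition, "rule_details": {"reference": rule},
            "instance": {"project_id": "p6ntest-firewall-intelligence",
                         "zone": "us-central1-c", "vm_name": vm},
            "connection": {"src_ip": src_ip}}

# Baseline window: 20 deny hits; current window: 23 deny hits, a 15% increase.
BASELINE = [entry(DENY, "DENIED", f"10.0.2.{i}") for i in range(20)] + \
           [entry(ALLOW, "ALLOWED", "10.0.1.2")] * 5
CURRENT = [entry(DENY, "DENIED", f"10.0.2.{i}") for i in range(23)] + \
          [entry(ALLOW, "ALLOWED", "10.0.1.2")] * 5

def matches(e, rule=None, project=None, zone=None, vm_name=None, src_ip=None):
    """Python equivalent of the page's Logging filter: every given field must match."""
    wanted = [(rule, e["rule_details"]["reference"]),
              (project, e["instance"]["project_id"]),
              (zone, e["instance"]["zone"]),
              (vm_name, e["instance"]["vm_name"]),
              (src_ip, e["connection"]["src_ip"])]
    return all(want is None or want == got for want, got in wanted)

def hits_per_rule(entries, disposition=None):
    """Hit count per rule reference, optionally limited to ALLOWED or DENIED entries."""
    return Counter(e["rule_details"]["reference"] for e in entries
                   if disposition is None or e["disposition"] == disposition)

def deny_rule_spikes(baseline, current, pct=10.0):
    """Deny rules whose hit count grew by more than pct percent, with the growth.
    A rule with no baseline hits is reported with growth float('inf')."""
    before = hits_per_rule(baseline, "DENIED")
    after = hits_per_rule(current, "DENIED")
    spikes = {}
    for rule, n in after.items():
        old = before.get(rule, 0)
        growth = float("inf") if old == 0 else (n - old) * 100.0 / old
        if growth > pct:
            spikes[rule] = growth
    return spikes
```

Run deny_rule_spikes over consecutive export windows of your firewall logs to reproduce the alert condition offline; a rule that appears in the result with growth float('inf') had no hits at all in the baseline window.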

Clean up shadowed firewall rules

To clean up firewall rules that are shadowed by other rules, do the following:

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. In the VPC firewall rules section, click Filter and then select Insight type > Shadowed rules.

  3. For each rule in the search results, click the Name of the rule and view its details page. Review and clean up each rule as needed.

For more information about shadowed rules, see Examples of shadowed rules.

Remove an unused allow rule

To evaluate and remove an unused allow rule, do the following:

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. In the VPC firewall rules section, click Filter, and then select Type > Ingress > last hit before MM/DD/YYYY.

    Replace MM/DD/YYYY with the date that you want to use. For example, 08/31/2021.

  3. For each rule in the search results, review the information in the Insights column. This column provides a percentage that indicates the likelihood that this rule will be hit in the future. If the percentage is high, you might want to keep this rule. However, if it is low, continue reviewing the information generated by the insight.

  4. Click the insight link to display the Insight details pane.

  5. In the Insight details pane, review the attributes of this rule and the attributes of any similar rules that are listed.

  6. If the rule has a low probability of being hit in the future, and if that prediction is supported by the hit pattern of similar rules, consider removing the rule. To remove the rule, click Rule name. The Firewall rule details page opens.

  7. Click Delete.

  8. In the confirmation dialog, click Delete.

Remove an unused attribute from an allow rule

To evaluate and remove an unused attribute, do the following:

Console

  1. In the Google Cloud console, go to the Firewall Insights page.

    Go to Firewall Insights

  2. On the card named Allow rules with unused attributes, click View full list. In response, the Google Cloud console displays the Allow rules with unused attributes page. This page lists all the rules that had unused attributes during the observation period.

  3. Click the text that's displayed in the Insight column. The Insight Details page opens.

  4. Review the details at the top of the page. The summary includes the following details:

    • The name of the insight.
    • The number of unused attributes that this rule has.
    • The time that the insight was last updated.
    • The names of other rules in the project that use similar attributes.
    • The length of the observation period.
  5. Assess whether you could remove the attribute:

    1. Review the Firewall rule with unhit attributes card. Look at the field labeled Attribute with no hit (with future hit prediction). This field provides a percentage that describes the likelihood of whether the attribute will be hit in the future.
    2. Review the Similar firewall rule in the same project card. Review the data displayed about whether this rule's attribute was used.
  6. If the attribute has a low probability of being hit in the future, and if that prediction is supported by the hit pattern of similar rules, consider removing the attribute from the rule. To remove the attribute, click the name of the rule, which appears at the top of the Insight Detail page. The Firewall rule details page opens.

  7. Click Edit, make the needed changes, and then click Save.

Narrow an allow rule's IP address range

Be aware that your project might have firewall rules that allow access from certain IP address blocks for load balancer health checks or for other Google Cloud functionality. These IP addresses might not be hit, but they should not be removed from your firewall rules. For more information about these ranges, see the Compute Engine documentation.

To evaluate and tighten an overly permissive IP address range, do the following:

Console

  1. In the Google Cloud console, go to the Firewall Insights page.

    Go to Firewall Insights

  2. On the card named Allow rules with overly permissive IP address or port ranges, click View full list. In response, the Google Cloud console displays a list of all the rules that had overly permissive ranges during the observation period.

  3. Find any rule in the list, and click the text that's displayed in the Insight column. The Insight Details page opens.

  4. Review the details at the top of the page. The summary includes the following details:

    • The name of the rule.
    • The number of IP address ranges that could be narrowed.
    • The time that the insight was last updated.
    • The length of the observation period.
  5. Assess whether you could narrow the IP address range: Review the Firewall rule with overly permissive IP address or port ranges card. Review the proposed list of new IP address ranges.

  6. If appropriate, consider using the recommendations in the insight to make the IP address range more narrow. Click the name of the rule, which appears at the top of the Insight Detail page. The Firewall rule details page opens.

  7. Click Edit, make the needed changes, and then click Save.
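The narrowing assessment in steps 5 and 6, as an added Python example that is not Firewall Insights' own logic: it derives candidate source ranges from the source IPs observed hitting a rule and keeps the ranges the caution above says must stay open even when unhit. The two health-check ranges in the block and all observed IPs are assumptions; confirm the real ranges in the Compute Engine documentation.

```python
"""Added example, not the Firewall Insights algorithm: propose a narrower source
range for an allow rule from the source IPs observed hitting it during the
observation period, keeping ranges that must stay open even when unhit (such as
load balancer health checks). Observed IPs and the rule's range are constructed."""
import ipaddress

# Ranges kept regardless of hits. Assumed here; confirm the current list in the
# Compute Engine documentation before relying on it.
KEEP_RANGES = [ipaddress.ip_network(n) for n in ("35.191.0.0/16", "130.211.0.0/22")]

def narrowed_source_ranges(current_ranges, observed_src_ips, keep=KEEP_RANGES,
                           max_prefix=24):
    """Return proposed source ranges as strings: one /max_prefix block per observed
    source IP that the rule currently covers, collapsed into the fewest CIDRs,
    plus every keep range that lies inside the rule's current ranges.
    IPv4 only; observed IPs outside current_ranges never matched this rule."""
    current = [ipaddress.ip_network(r) for r in current_ranges]
    blocks = set()
    for ip in map(ipaddress.ip_address, observed_src_ips):
        if any(ip in net for net in current):
            blocks.add(ipaddress.ip_network(f"{ip}/{max_prefix}", strict=False))
    for net in keep:
        if any(net.subnet_of(cur) for cur in current):
            blocks.add(net)
    return [str(n) for n in ipaddress.collapse_addresses(blocks)]

def address_count(ranges):
    """Number of addresses a list of CIDR strings covers; shows how much the rule shrinks."""
    return sum(ipaddress.ip_network(r).num_addresses for r in ranges)

# Constructed sample: the rule allows everything; five sources were observed.
OBSERVED = ["10.0.1.2", "10.0.1.77", "10.0.2.9", "10.0.3.9", "192.168.5.5"]
PROPOSED = narrowed_source_ranges(["0.0.0.0/0"], OBSERVED)
```

Compare address_count of the current and proposed ranges before editing the rule; the proposal is only a starting point, and a source that legitimately connects rarely may be missing from the observation window.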

What's next
