Evaluation order for firewall policies and rules
Each regular Virtual Private Cloud (VPC) network has a network firewall policy enforcement order that determines the order in which Cloud NGFW evaluates firewall policy rules.
Network firewall policy enforcement order
A VPC network can use one of these network firewall policy enforcement orders:
- AFTER_CLASSIC_FIREWALL (default): Cloud NGFW evaluates firewall policies and rules in the following order:
  - Hierarchical firewall policies
  - Regional system firewall policies
  - VPC firewall rules
  - Global network firewall policies
  - Regional network firewall policies
  - Implied actions
- BEFORE_CLASSIC_FIREWALL: Cloud NGFW evaluates firewall policies and rules in the following order:
  - Hierarchical firewall policies
  - Regional system firewall policies
  - Global network firewall policies
  - Regional network firewall policies
  - VPC firewall rules
  - Implied actions
To change the network firewall policy enforcement order, do any one of the following:
- Use the networks.patch method and set the networkFirewallPolicyEnforcementOrder attribute of the VPC network.
- Use the gcloud compute networks update command with the --network-firewall-policy-enforcement-order flag.
For example:
gcloud compute networks update VPC_NETWORK_NAME \
--network-firewall-policy-enforcement-order=ENFORCEMENT_ORDER
Firewall rule evaluation process
This section describes the order in which Cloud NGFW evaluates rules that apply to target resources in regular VPC networks.
Each firewall rule is either an ingress rule or an egress rule, based on the direction of traffic:
- Ingress rules apply to packets for a new connection that a target resource receives. Supported target resources for ingress rules are as follows:
  - Network interfaces of virtual machine (VM) instances.
  - Managed Envoy proxies used by internal Application Load Balancers and internal proxy Network Load Balancers (Preview).
- Egress rules apply to packets for a new connection that a target VM network interface sends.
Cloud NGFW always evaluates rules in hierarchical firewall policies and regional system firewall policies before it evaluates any other firewall rules. You control the order in which Cloud NGFW evaluates other firewall rules by choosing a network firewall policy enforcement order. The network firewall policy enforcement order can be either AFTER_CLASSIC_FIREWALL or BEFORE_CLASSIC_FIREWALL.
AFTER_CLASSIC_FIREWALL network firewall policy enforcement order
When the network firewall policy enforcement order is AFTER_CLASSIC_FIREWALL, Cloud NGFW evaluates rules in global and regional network firewall policies after evaluating VPC firewall rules. This is the default evaluation order.
In a regular VPC network that uses the AFTER_CLASSIC_FIREWALL enforcement order, the complete firewall rule evaluation order is the following:
- Hierarchical firewall policies.
  Cloud NGFW evaluates hierarchical firewall policies in the following order:
  - The hierarchical firewall policy associated with the organization that contains the target resource.
  - Hierarchical firewall policies associated with folder ancestors, from the top-level folder down to the folder that contains the target resource's project.
  When evaluating rules in each hierarchical firewall policy, Cloud NGFW performs the following steps:
  - Disregard all rules whose targets don't match the target resource.
  - Disregard all rules that don't match the packet's direction.
  - Evaluate the remaining rules from the highest to the lowest priority.
  Evaluation stops when either one of the following conditions is met:
  - A rule that applies to the target resource matches the traffic.
  - No rules that apply to the target resource match the traffic.
  In a hierarchical firewall policy, at most one rule can match traffic. The firewall rule's action on match can be one of the following:
  - allow: the rule allows the traffic, and all rule evaluation stops.
  - deny: the rule denies the traffic, and all rule evaluation stops.
  - apply_security_profile_group: the rule forwards the traffic to a configured firewall endpoint, and all rule evaluation stops. The decision to allow or drop the packet depends on the configured security profile of the security profile group.
  - goto_next: the rule evaluation continues to one of the following:
    * A hierarchical firewall policy associated with a folder ancestor closer to the target resource, if it exists.
    * The next step in the evaluation order, if all hierarchical firewall policies have been evaluated.
  If no rule in a hierarchical firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to one of the following:
  - A hierarchical firewall policy associated with a folder ancestor closer to the target resource, if it exists.
  - The next step in the evaluation order, if all hierarchical firewall policies have been evaluated.
- Regional system firewall policies.
  When evaluating regional system firewall policy rules, Cloud NGFW performs the following steps:
  - Disregard all rules whose targets don't match the target resource.
  - Disregard all rules that don't match the packet's direction.
  - Evaluate the remaining rules from the highest to the lowest priority.
  Evaluation stops when either one of the following conditions is met:
  - A rule that applies to the target resource matches the traffic.
  - No rules that apply to the target resource match the traffic.
  In a regional system firewall policy, at most one rule can match traffic. The firewall rule's action on match can be one of the following:
  - allow: the rule allows the traffic, and all rule evaluation stops.
  - deny: the rule denies the traffic, and all rule evaluation stops.
  - goto_next: the rule evaluation continues to one of the following:
    * A regional system firewall policy with the next highest association priority, if it exists.
    * The next step in the evaluation order, if all regional system firewall policies have been evaluated.
  If no rule in a regional system firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to one of the following:
  - A regional system firewall policy with the next highest association priority, if it exists.
  - The next step in the evaluation order, if all regional system firewall policies have been evaluated.
- VPC firewall rules.
  When evaluating VPC firewall rules, Cloud NGFW performs the following steps:
  - Disregard all rules whose targets don't match the target resource.
  - Disregard all rules that don't match the packet's direction.
  - Evaluate the remaining rules from the highest to the lowest priority.
  Evaluation stops when either one of the following conditions is met:
  - A rule that applies to the target resource matches the traffic.
  - No rules that apply to the target resource match the traffic.
  When one or two VPC firewall rules match traffic, the firewall rule's action on match can be one of the following:
  - allow: the rule allows the traffic, and all rule evaluation stops.
  - deny: the rule denies the traffic, and all rule evaluation stops.
  If two rules match, they must have the same priority but different actions. In this case, Cloud NGFW enforces the deny VPC firewall rule and ignores the allow VPC firewall rule.
  If no VPC firewall rules match the traffic, Cloud NGFW uses an implied goto_next action to continue to the next step in the evaluation order.
- Global network firewall policy.
  When evaluating rules in a global network firewall policy, Cloud NGFW performs the following steps:
  - Disregard all rules whose targets don't match the target resource.
  - Disregard all rules that don't match the packet's direction.
  - Evaluate the remaining rules from the highest to the lowest priority.
  Evaluation stops when either one of the following conditions is met:
  - A rule that applies to the target resource matches the traffic.
  - No rules that apply to the target resource match the traffic.
  In a global network firewall policy, at most one rule can match traffic. The firewall rule's action on match can be one of the following:
  - allow: the rule allows the traffic, and all rule evaluation stops.
  - deny: the rule denies the traffic, and all rule evaluation stops.
  - apply_security_profile_group: the rule forwards the traffic to a configured firewall endpoint, and all rule evaluation stops. The decision to allow or drop the packet depends on the configured security profile of the security profile group.
  - goto_next: the rule evaluation continues to the regional network firewall policy step in the evaluation order.
  If no rule in a global network firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to the regional network firewall policy step in the evaluation order.
- Regional network firewall policies.
  Cloud NGFW evaluates rules in regional network firewall policies that are associated with the region and VPC network of the target resource.
  When evaluating rules in a regional network firewall policy, Cloud NGFW performs the following steps:
  - Disregard all rules whose targets don't match the target resource.
  - Disregard all rules that don't match the packet's direction.
  - Evaluate the remaining rules from the highest to the lowest priority.
  Evaluation stops when either one of the following conditions is met:
  - A rule that applies to the target resource matches the traffic.
  - No rules that apply to the target resource match the traffic.
  In a regional network firewall policy, at most one rule can match traffic. The firewall rule's action on match can be one of the following:
  - allow: the rule allows the traffic, and all rule evaluation stops.
  - deny: the rule denies the traffic, and all rule evaluation stops.
  - goto_next: the rule evaluation continues to the next step in the evaluation order.
  If no rule in a regional network firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to the next step in the evaluation order.
- Last step: implied action.
  Cloud NGFW applies an implied action if firewall rule evaluation has continued through every previous step by following explicit or implicit goto_next actions. The implied action depends on the direction of the traffic:
  - For ingress traffic, the implied action also depends on the target resource:
    * If the target resource is a network interface of a VM instance, the implied ingress action is deny.
    * If the target resource is a forwarding rule of an internal Application Load Balancer or internal proxy Network Load Balancer, the implied ingress action is allow.
  - For egress traffic, the implied action is allow.
AFTER_CLASSIC_FIREWALL diagram
The following diagram illustrates the AFTER_CLASSIC_FIREWALL network firewall policy enforcement order:
Figure 1. Firewall rule resolution flow if the network firewall policy enforcement order is AFTER_CLASSIC_FIREWALL.
BEFORE_CLASSIC_FIREWALL network firewall policy enforcement order
When the network firewall policy enforcement order is BEFORE_CLASSIC_FIREWALL, Cloud NGFW evaluates rules in global and regional network firewall policies before evaluating VPC firewall rules.
In a regular VPC network that uses the BEFORE_CLASSIC_FIREWALL enforcement order, the complete firewall rule evaluation order is the following:
- Hierarchical firewall policies.
  Cloud NGFW evaluates hierarchical firewall policies in the following order:
  - The hierarchical firewall policy associated with the organization that contains the target resource.
  - Hierarchical firewall policies associated with folder ancestors, from the top-level folder down to the folder that contains the target resource's project.
  When evaluating rules in each hierarchical firewall policy, Cloud NGFW performs the following steps:
  - Disregard all rules whose targets don't match the target resource.
  - Disregard all rules that don't match the packet's direction.
  - Evaluate the remaining rules from the highest to the lowest priority.
  Evaluation stops when either one of the following conditions is met:
  - A rule that applies to the target resource matches the traffic.
  - No rules that apply to the target resource match the traffic.
  In a hierarchical firewall policy, at most one rule can match traffic. The firewall rule's action on match can be one of the following:
  - allow: the rule allows the traffic, and all rule evaluation stops.
  - deny: the rule denies the traffic, and all rule evaluation stops.
  - apply_security_profile_group: the rule forwards the traffic to a configured firewall endpoint, and all rule evaluation stops. The decision to allow or drop the packet depends on the configured security profile of the security profile group.
  - goto_next: the rule evaluation continues to one of the following:
    * A hierarchical firewall policy associated with a folder ancestor closer to the target resource, if it exists.
    * The next step in the evaluation order, if all hierarchical firewall policies have been evaluated.
  If no rule in a hierarchical firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to one of the following:
  - A hierarchical firewall policy associated with a folder ancestor closer to the target resource, if it exists.
  - The next step in the evaluation order, if all hierarchical firewall policies have been evaluated.
- Regional system firewall policies.
  When evaluating regional system firewall policy rules, Cloud NGFW performs the following steps:
  - Disregard all rules whose targets don't match the target resource.
  - Disregard all rules that don't match the packet's direction.
  - Evaluate the remaining rules from the highest to the lowest priority.
  Evaluation stops when either one of the following conditions is met:
  - A rule that applies to the target resource matches the traffic.
  - No rules that apply to the target resource match the traffic.
  In a regional system firewall policy, at most one rule can match traffic. The firewall rule's action on match can be one of the following:
  - allow: the rule allows the traffic, and all rule evaluation stops.
  - deny: the rule denies the traffic, and all rule evaluation stops.
  - goto_next: the rule evaluation continues to one of the following:
    * A regional system firewall policy with the next highest association priority, if it exists.
    * The next step in the evaluation order, if all regional system firewall policies have been evaluated.
  If no rule in a regional system firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to one of the following:
  - A regional system firewall policy with the next highest association priority, if it exists.
  - The next step in the evaluation order, if all regional system firewall policies have been evaluated.
- Global network firewall policy.
  When evaluating rules in a global network firewall policy, Cloud NGFW performs the following steps:
  - Disregard all rules whose targets don't match the target resource.
  - Disregard all rules that don't match the packet's direction.
  - Evaluate the remaining rules from the highest to the lowest priority.
  Evaluation stops when either one of the following conditions is met:
  - A rule that applies to the target resource matches the traffic.
  - No rules that apply to the target resource match the traffic.
  In a global network firewall policy, at most one rule can match traffic. The firewall rule's action on match can be one of the following:
  - allow: the rule allows the traffic, and all rule evaluation stops.
  - deny: the rule denies the traffic, and all rule evaluation stops.
  - apply_security_profile_group: the rule forwards the traffic to a configured firewall endpoint, and all rule evaluation stops. The decision to allow or drop the packet depends on the configured security profile of the security profile group.
  - goto_next: the rule evaluation continues to the regional network firewall policy step in the evaluation order.
  If no rule in a global network firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to the regional network firewall policy step in the evaluation order.
- Regional network firewall policies.
  Cloud NGFW evaluates rules in regional network firewall policies that are associated with the region and VPC network of the target resource.
  When evaluating rules in a regional network firewall policy, Cloud NGFW performs the following steps:
  - Disregard all rules whose targets don't match the target resource.
  - Disregard all rules that don't match the packet's direction.
  - Evaluate the remaining rules from the highest to the lowest priority.
  Evaluation stops when either one of the following conditions is met:
  - A rule that applies to the target resource matches the traffic.
  - No rules that apply to the target resource match the traffic.
  In a regional network firewall policy, at most one rule can match traffic. The firewall rule's action on match can be one of the following:
  - allow: the rule allows the traffic, and all rule evaluation stops.
  - deny: the rule denies the traffic, and all rule evaluation stops.
  - goto_next: the rule evaluation continues to the next step in the evaluation order.
  If no rule in a regional network firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to the next step in the evaluation order.
- VPC firewall rules.
  When evaluating VPC firewall rules, Cloud NGFW performs the following steps:
  - Disregard all rules whose targets don't match the target resource.
  - Disregard all rules that don't match the packet's direction.
  - Evaluate the remaining rules from the highest to the lowest priority.
  Evaluation stops when either one of the following conditions is met:
  - A rule that applies to the target resource matches the traffic.
  - No rules that apply to the target resource match the traffic.
  When one or two VPC firewall rules match traffic, the firewall rule's action on match can be one of the following:
  - allow: the rule allows the traffic, and all rule evaluation stops.
  - deny: the rule denies the traffic, and all rule evaluation stops.
  If two rules match, they must have the same priority but different actions. In this case, Cloud NGFW enforces the deny VPC firewall rule and ignores the allow VPC firewall rule.
  If no VPC firewall rules match the traffic, Cloud NGFW uses an implied goto_next action to continue to the next step in the evaluation order.
- Last step: implied action.
  Cloud NGFW applies an implied action if firewall rule evaluation has continued through every previous step by following explicit or implicit goto_next actions. The implied action depends on the direction of the traffic:
  - For ingress traffic, the implied action also depends on the target resource:
    * If the target resource is a network interface of a VM instance, the implied ingress action is deny.
    * If the target resource is a forwarding rule of an internal Application Load Balancer or internal proxy Network Load Balancer, the implied ingress action is allow.
  - For egress traffic, the implied action is allow.
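The following Python model is an added example, not Google's code and not part of this page's original content. It implements the evaluation order of both sections above (AFTER_CLASSIC_FIREWALL and BEFORE_CLASSIC_FIREWALL) over a constructed configuration so that the effect of the enforcement order, the deny-over-allow tie rule for VPC firewall rules, explicit and implied goto_next, and the implied last-step action can be traced step by step. The data model (FirewallConfig, Policy, Rule, Packet), the name-based target matching, the predicate-based L3/L4 match, and the sample rules are all assumptions made for this illustration; Cloud NGFW's real resource model is richer than this.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List

ALLOW, DENY = "allow", "deny"
GOTO_NEXT, APPLY_SPG = "goto_next", "apply_security_profile_group"
TERMINAL = {ALLOW, DENY, APPLY_SPG}      # actions that stop all further evaluation
AFTER_CLASSIC = "AFTER_CLASSIC_FIREWALL"
BEFORE_CLASSIC = "BEFORE_CLASSIC_FIREWALL"


@dataclass
class Packet:
    direction: str      # "INGRESS" or "EGRESS"
    target: str         # target resource name (assumption: targets match by name)
    target_kind: str    # "vm_nic" or "forwarding_rule"
    src: str
    dst_port: int


@dataclass
class Rule:
    priority: int                        # lower number = higher priority
    direction: str
    action: str
    match: Callable[[Packet], bool]      # constructed L3/L4 predicate
    targets: frozenset = frozenset()     # empty = applies to every target


@dataclass
class Policy:
    name: str
    rules: List[Rule] = field(default_factory=list)


@dataclass
class FirewallConfig:
    hierarchical: List[Policy]       # org policy first, then folders top-down
    regional_system: List[Policy]    # ordered by association priority
    vpc_rules: List[Rule]
    global_policies: List[Policy]
    regional_policies: List[Policy]


def applicable(rules, pkt):
    """Steps shared by every policy type: drop rules whose targets or direction
    don't match the packet, then order the rest from highest to lowest priority."""
    keep = [r for r in rules
            if r.direction == pkt.direction and (not r.targets or pkt.target in r.targets)]
    return sorted(keep, key=lambda r: r.priority)


def evaluate_policy(policy, pkt):
    """Hierarchical, system and network policies: at most one rule matches, the
    highest-priority one. Returns its action, or None for an implied goto_next."""
    for rule in applicable(policy.rules, pkt):
        if rule.match(pkt):
            return rule.action
    return None


def evaluate_vpc_rules(rules, pkt):
    """VPC firewall rules: one or two rules may match at the highest matching
    priority; when an allow and a deny tie, the deny is enforced."""
    matching = [r for r in applicable(rules, pkt) if r.match(pkt)]
    if not matching:
        return None
    top = matching[0].priority
    return DENY if DENY in {r.action for r in matching if r.priority == top} else ALLOW


def implied_action(pkt):
    """Last step: applied when every earlier step ended in goto_next."""
    if pkt.direction == "EGRESS":
        return ALLOW
    return ALLOW if pkt.target_kind == "forwarding_rule" else DENY


def evaluate(pkt, cfg, order=AFTER_CLASSIC):
    """Run the full evaluation order; return (final_action, trace of steps visited)."""
    trace = []

    def chain(label, policies):
        for policy in policies:               # goto_next moves to the next policy in the chain
            action = evaluate_policy(policy, pkt)
            trace.append((label, policy.name, action or "implied goto_next"))
            if action in TERMINAL:
                return action
        return None

    def vpc_step():
        action = evaluate_vpc_rules(cfg.vpc_rules, pkt)
        trace.append(("vpc", "vpc-firewall-rules", action or "implied goto_next"))
        return action

    network_steps = [lambda: chain("global-network", cfg.global_policies),
                     lambda: chain("regional-network", cfg.regional_policies)]
    steps = [lambda: chain("hierarchical", cfg.hierarchical),
             lambda: chain("regional-system", cfg.regional_system)]
    if order == AFTER_CLASSIC:
        steps += [vpc_step] + network_steps
    elif order == BEFORE_CLASSIC:
        steps += network_steps + [vpc_step]
    else:
        raise ValueError(f"unknown enforcement order: {order}")

    for step in steps:
        action = step()
        if action in TERMINAL:
            return action, trace
    action = implied_action(pkt)
    trace.append(("implied", "-", action))
    return action, trace


def port(n, cidr="0.0.0.0/0"):
    """Constructed match predicate: destination port n from a source in cidr."""
    net = ipaddress.ip_network(cidr)
    return lambda p: p.dst_port == n and ipaddress.ip_address(p.src) in net


# Constructed sample configuration; no real project, names are illustrative.
SAMPLE = FirewallConfig(
    hierarchical=[Policy("org-policy", [Rule(100, "INGRESS", GOTO_NEXT, port(22, "10.0.0.0/8"))])],
    regional_system=[],
    vpc_rules=[Rule(1000, "INGRESS", ALLOW, port(22)),
               Rule(1000, "INGRESS", DENY, port(22))],       # same priority: deny wins
    global_policies=[Policy("global-net", [Rule(500, "INGRESS", ALLOW, port(22, "10.0.0.0/8"))])],
    regional_policies=[],
)
SSH = Packet("INGRESS", "web-vm", "vm_nic", "10.1.2.3", 22)
HTTPS = Packet("INGRESS", "web-vm", "vm_nic", "203.0.113.9", 443)
ILB = Packet("INGRESS", "ilb-fr", "forwarding_rule", "203.0.113.9", 443)

if __name__ == "__main__":
    for order in (AFTER_CLASSIC, BEFORE_CLASSIC):
        print(order, evaluate(SSH, SAMPLE, order))
```

Running it shows the point of the enforcement order: the same SSH packet is denied under AFTER_CLASSIC_FIREWALL (the org policy's explicit goto_next hands off, and the tied VPC rules resolve to deny) but allowed under BEFORE_CLASSIC_FIREWALL (the global network policy's allow is reached first and stops evaluation). A packet that no rule matches ends in the implied action, which is deny for a VM interface, allow for a load balancer forwarding rule, and allow for egress.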
BEFORE_CLASSIC_FIREWALL diagram
The following diagram illustrates the BEFORE_CLASSIC_FIREWALL network firewall policy enforcement order:
Figure 2. Firewall rule resolution flow if the network firewall policy enforcement order is BEFORE_CLASSIC_FIREWALL.
Effective firewall rules
Hierarchical firewall policy rules, VPC firewall rules, and global and regional network firewall policy rules control connections. You might find it helpful to see all the firewall rules that affect an individual network or VM interface.
Network effective firewall rules
You can view all firewall rules applied to a VPC network. The list includes all of the following kinds of rules:
- Rules inherited from hierarchical firewall policies
- VPC firewall rules
- Rules applied from the global and regional network firewall policies
Instance effective firewall rules
You can view all firewall rules applied to a VM's network interface. The list includes all of the following kinds of rules:
- Rules inherited from hierarchical firewall policies
- Rules applied from the interface's VPC firewall
- Rules applied from the global and regional network firewall policies
The rules are ordered from the organization level down to the VPC network. Only rules that apply to the VM interface are shown. Rules in other policies aren't shown.
To view the effective firewall policy rules within a region, see Get effective regional firewall policies for a network.
What's next
- To create and modify hierarchical firewall policies and rules, see Use hierarchical firewall policies and rules.
- To see examples of hierarchical firewall policy implementations, see Hierarchical firewall policy examples.
- To create and modify global network firewall policies and rules, see Use global network firewall policies and rules.
- To create and modify regional network firewall policies and rules, see Use regional network firewall policies and rules.
- To create and modify VPC firewall rules, see Use VPC firewall rules.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-06-15 UTC.