Predefined rules for firewall policies (original) (raw)

When you create a hierarchical firewall policy, a global network firewall policy, or a regional network firewall policy, Cloud NGFW adds predefined rules to the policy. The predefined rules that Cloud NGFW adds to the policy depend on how you create the policy.

Types of predefined rules

If you create a firewall policy using the Google Cloud console, Cloud NGFW adds the following rules to the new policy:

1. Goto-next rules for private IPv4 ranges
2. Predefined Google Threat Intelligence deny rules
3. Predefined geolocation deny rules
4. Lowest possible priority goto-next rules

If you create a firewall policy using the Google Cloud CLI or the API, Cloud NGFW adds only the lowest possible priority goto-next rulesto the policy.

All predefined rules in a new firewall policy purposefully use low priorities (large priority numbers) so you can override them by creating ingress or egress rules with higher priorities. Except for the lowest possible priority goto-next rules, you can also customizethe predefined rules.

Goto-next rules for private IPv4 ranges

• An egress rule with destination IPv4 ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, priority 1000, and goto_next action.
• An ingress rule with source IPv4 ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, priority 1001, and goto_next action.

Predefined Google Threat Intelligence deny rules

• An ingress rule with source Google Threat Intelligence list iplist-tor-exit-nodes, priority 1002, and deny action.
• An ingress rule with source Google Threat Intelligence list iplist-known-malicious-ips, priority 1003, and deny action.
• An egress rule with destination Google Threat Intelligence list iplist-known-malicious-ips, priority 1004, and deny action.

To learn more about Google Threat Intelligence, see Google Threat Intelligence for firewall policy rules.

Predefined geolocation deny rules

• An ingress rule with source matching geolocations CU,IR, KP, SY, XC, and XD, priority 1005, and deny action.

To learn more about geolocations, see Geolocation objects.

Lowest possible priority goto-next rules

You cannot modify or delete the following rules:

• An egress rule with destination IPv6 range ::/0, priority 2147483644, and goto_nextaction.
• An ingress rule with source IPv6 range ::/0, priority 2147483645, and goto_nextaction.
• An egress rule with destination IPv4 range 0.0.0.0/0, priority 2147483646, and goto_nextaction.
• An ingress rule with source IPv4 range 0.0.0.0/0, priority 2147483647, and goto_nextaction.

What's next

• Modify predefined rules. For more information, read about updating a global network firewall policy rule, updating a regional network firewall policy rule, and updating a hierarchical firewall policy rule.
• Add your own rules. For more information, see Create a global network firewall policy, Create a regional network firewall policy, and Create a firewall policy.