Manage firewall policy rules logging (original) (raw)
This page shows you how to enable and disable logging for hierarchical and network firewall policy rules. For instructions about logging for firewall policy rules, seeEnable and disable firewall policy rules logging. You can also learn how to view generated logs for firewall policy rules. To understand firewall policy rules logging, see Firewall policy rules logging overview.
If you enable logging on a firewall policy rule, you can view insights and recommendations for it from Firewall Insights. For more information, seeFirewall Insightsin the Network Intelligence Center documentation.
Permissions
To modify firewall policy rules or access logs, Identity and Access Management (IAM) principals need one of the following roles.
| Task | Required role |
|---|---|
| Create, delete, or update firewall rules | Projectowner or editor orSecurity Admin role (roles/compute.securityAdmin) |
| View logs | Projectowner, editor or viewer orLogs Viewer role (roles/logging.viewer) For details about Logging IAM roles and permissions, see Predefined roles. |
Enable and disable firewall policy rules logging
When you create a firewall policy rule, you can enable firewall policy rules logging. For more information, see the following:
- Use hierarchical firewall policies and rules
- Use global network firewall policies and rules
- Use regional network firewall policies and rules
When you enable logging, you can specify whether to include metadata fields. If you omit them, you can save on storage costs. To enable or disable firewall policy rules logging for an existing firewall policy rule, see the following sections.
Enable firewall policy rules logging for a hierarchical firewall policy
Console
- In the Google Cloud console, go to the Firewall policies page.
Go to Firewall policies - In the project selector menu, select the name of the organization where you have created your hierarchical firewall policy.
- In the Firewall policies located in this organization section, click the name of your hierarchical firewall policy.
- In the Logs column, determine if firewall policy rules logging isDisabled or Enabled for each firewall policy rule.
- To enable logging for a firewall policy rule, click the rule priority, and then click Edit.
- In the Logs section, select Enabled.
- Click Save.
gcloud
To update organization firewall policy rules, use thegcloud compute firewall-policies rules update command:
gcloud compute firewall-policies rules update PRIORITY
--firewall-policy= FIREWALL_POLICY
--enable-logging
Replace the following:
PRIORITY: the priority of the firewall policy rule to update.FIREWALL_POLICY: the name of the firewall policy into which the rule is updated.
For more information, seeSDK reference documentation.
Terraform
You can use the Terraform resourceto create a firewall policy rule with logging enabled.
resource "google_compute_firewall_policy_rule" "primary" { firewall_policy = google_compute_firewall_policy.POLICY_ID description = "Creates an ingress firewall policy rule with logging enabled" priority = PRIORITY enable_logging = true action = "allow" direction = "INGRESS" disabled = false match { layer4_configs { ip_protocol = "tcp" ports = [8080] } layer4_configs { ip_protocol = "udp" ports = [22] } src_ip_ranges = ["SOURCE_IP_ADDRESS"] } }
To learn how to apply or remove a Terraform configuration, seeBasic Terraform commands.
API
Enable firewall policy rules logging for an existing hierarchical firewall policy rule.
{ "enableLogging": true, }
Replace the following:
POLICY_ID: the ID of the hierarchical firewall policy where the firewall policy rule is located.PRIORITY: the priority of the firewall policy rule.
For more information, refer to thefirewallPolicies.patchRule method.
Disable firewall policy rules logging for a hierarchical firewall policy
Console
- In the Google Cloud console, go to the Firewall policies page.
Go to Firewall policies - In the project selector menu, select the name of the organization where you have created your hierarchical firewall policy.
- In the Firewall policies located in this organization section, click the name of your hierarchical firewall policy.
- In the Logs column, determine if firewall policy rules logging isDisabled or Enabled for each firewall policy rule.
- To disable logging for a firewall policy rule, click the rule priority, and then click Edit.
- In the Logs section, select Disabled.
- Click Save.
gcloud
To update organization firewall policy rules, use thegcloud compute firewall-policies rules update command:
gcloud compute firewall-policies rules update PRIORITY
--firewall-policy= FIREWALL_POLICY
--no-enable-logging
Replace the following:
PRIORITY: the priority of the firewall policy rule to update.FIREWALL_POLICY: the name of the firewall policy into which the rule is updated.
For more information, seeSDK reference documentation.
API
Disable firewall policy rules logging for an existing hierarchical firewall policy rule
{ "enableLogging": false, }
Replace the following:
POLICY_ID: the ID of the hierarchical firewall policy where the firewall policy rule is located.PRIORITY: the priority of the firewall policy rule.
For more information, refer to thefirewallPolicies.patchRule method.
Enable firewall policy rules logging for a network firewall policy
Console
- In the Google Cloud console, go to the Firewall policies page.
Go to Firewall policies - In the project selector menu, select the name of your project where you have created your network firewall policy.
- In the Network firewall policies section, click the name of the network firewall policy for which you want to enable logging.
- In the Logs column, determine if firewall policy rules logging isDisabled or Enabled for each firewall policy rule.
- To enable logging for a network firewall policy rule, click the rule priority, and then click Edit.
- In the Logs section, select Enabled.
- Click Save.
gcloud
To update network firewall policy rules, use thegcloud compute network-firewall-policies rules update command:
gcloud compute network-firewall-policies rules update PRIORITY
--firewall-policy= FIREWALL_POLICY
--enable-logging
Replace the following:
PRIORITY: the priority of the firewall policy rule to update.FIREWALL_POLICY: the name of the network firewall policy where the firewall policy rule is located.
For more information, see theSDK reference documentation.
Terraform
You can use the Terraform resourceto create a firewall policy rule with logging enabled.
resource "google_compute_firewall_policy_rule" "primary" { firewall_policy = google_compute_firewall_policy.POLICY_ID description = "Creates an ingress firewall policy rule with logging enabled" priority = PRIORITY enable_logging = true action = "allow" direction = "INGRESS" disabled = false match { layer4_configs { ip_protocol = "tcp" ports = [8080] } layer4_configs { ip_protocol = "udp" ports = [22] } src_ip_ranges = ["SOURCE_IP_ADDRESS"] } }
To learn how to apply or remove a Terraform configuration, seeBasic Terraform commands.
API
Enable firewall policy rules logging for an existing network firewall policy rule.
{ "enableLogging": true, }
Replace the following:
PROJECT_ID: the ID of the project where your network policy is located.POLICY_ID: the ID of the hierarchical firewall policy where the firewall policy rule is located.PRIORITY: the priority of the firewall policy rule.
For more information, refer to thenetworkFirewallPolicies.patchRule method.
Disable firewall policy rules logging for a network firewall policy
Console
- In the Google Cloud console, go to the Firewall policies page.
Go to Firewall policies - In the project selector menu, select the name of your project where you have created your network firewall policy.
- In the Network firewall policies section, click the name of the network firewall policy for which you want to enable logging.
- In the Logs column, determine if firewall policy rules logging isDisabled or Enabled for each firewall policy rule.
- To disable logging for a network firewall policy rule, click the rule priority, and then click Edit.
- In the Logs section, select Disabled.
- Click Save.
gcloud
To update network firewall policy rules, use thegcloud compute network-firewall-policies rules update command:
gcloud compute network-firewall-policies rules update PRIORITY
--firewall-policy= FIREWALL_POLICY
--no-enable-logging
Replace the following:
PRIORITY: the priority of the firewall policy rule to update.FIREWALL_POLICY: the name of the network firewall policy where the firewall policy rule is located.
For more information, see theSDK reference documentation.
API
Disable firewall policy rules logging for an existing hierarchical firewall policy rule
{ "enableLogging": false, }
Replace the following:
POLICY_ID: the ID of the hierarchical firewall policy where the firewall policy rule is located.PRIORITY: the priority of the firewall policy rule.
For more information, refer to thenetworkFirewallPolicies.patchRule method.
View logs
Firewall policy rule logs are created in the project that hosts the network containing the VM instances and firewall rules. WithShared VPC, you create VM instances in service projects, but these instances use a Shared VPC network located in the host project. In such scenarios, the host project stores the firewall policy rule logs.
To view firewall policy rule logs, use the Logs Explorer section of the Google Cloud console. For more information, see View and analyze logs.
The following queries demonstrate how you can search for specific firewall events.
View all firewall logs
To view the firewall policy rule logs, use one of the following options.
Option 1
- In the Google Cloud console, go to the Logs Explorer page.
Go to Logs Explorer - Click All resource.
- In the Select resource list, click Subnetwork, and then click Apply.
- Click All log names, and then in the list, select firewall.
- Click Apply.
Option 2
- In the Google Cloud console, go to the Logs Explorer page.
Go to Logs Explorer - Paste the following into the query editor field.
resource.type="gce_subnetwork"
logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Ffirewall"
ReplacePROJECT_IDwith your project ID. - If you don't see the query editor field, click the Show query toggle.
- Click Run query.
View logs for specific subnets
To view the firewall policy rule logs for specific subnets, use one of the following options.
Option 1
- In the Google Cloud console, go to the Logs Explorer page.
Go to Logs Explorer - Click All resource.
- In the Select resource list, click Subnetwork.
- Select the subnetwork that you want to view logs for, and then click Apply.
- Click All log names, and then in the list, select firewall.
- Click Apply.
Option 2
- In the Google Cloud console, go to the Logs Explorer page.
Go to Logs Explorer - Paste the following into the query editor field.
resource.type="gce_subnetwork"
logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Ffirewall"
resource.labels.subnetwork_name="SUBNET_NAME"
Replace the following:PROJECT_ID: the ID of your projectSUBNET_NAME: the name of your subnetwork
- If you don't see the query editor field, click the Show query toggle.
- Click Run query.
View logs in specific VMs
To view the firewall policy rule logs for specific VMs, use one of the following options.
Option 1
- In the Google Cloud console, go to the Logs Explorer page.
Go to Logs Explorer - Click All resource.
- In the Select resource list, click VM instance.
- Select the instance that you want to view logs for, and then click Apply.
- Click All log names, and then in the list, select firewall.
- Click Apply.
Option 2
- In the Google Cloud console, go to the Logs Explorer page.
Go to Logs Explorer - Paste the following into the query editor field.
resource.type="gce_subnetwork"
logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Ffirewall"
jsonPayload.instance.vm_name="INSTANCE_ID"
Replace the following:PROJECT_ID: the ID of your projectINSTANCE_ID: the ID of the VM that you want to view logs for
- If you don't see the query editor field, click the Show query toggle.
- Click Run query.
View logs for connections from a specific country
To view the firewall policy rule logs for a specific country, do the following:
- In the Google Cloud console, go to the Logs Explorer page.
Go to Logs Explorer - Paste the following into the query editor field.
resource.type="gce_subnetwork"
logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Ffirewall"
jsonPayload.remote_location.country=COUNTRY
Replace the following:PROJECT_ID: the ID of your projectCOUNTRY: the ISO 3166-1alpha-3code of the country that you want to view logs for
- If you don't see the query editor field, click the Show query toggle.
- Click Run query.
Export logs
To export firewall policy rule logs, seeRoute logs to supported destinations. You can use the example queriesto narrow the logs that you export.
Table of interactions
- In the case of VM-to-VM communication, log records might be generated by both VMs, depending on their respective firewall rules.
- The logged connection includes packets flowing both ways if the initial packet was allowed by the firewall.
- For a given VM, incoming connections are matched against firewall rules configured on that VM's and outgoing connections are matched against egress firewall rule configured on that VM.
- An allowed connection that matches a firewall rule with "allow and logging" is logged only once. The log entry is not repeated every 5 seconds even if the connection endures.
- A denied connection matching a firewall rule with "denied and logging" does repeat the log entry every 5 seconds for as long as there are packets observed in that denied connection.
- If you enable logging on a firewall rule that matches an already active TCP or UDP connection, a new log entry isn't generated. A log entry is created only if the connection remains idle for at least 10 minutes and a new packet is sent on the same connection. For continuous traffic with idle periods shorter than 10 minutes, only one log entry is generated for the connection.
This table shows the firewall logging behavior from the perspective of a single VM.
In a scenario in which a VM1 has an ingress rule R1 that matches packets and egress rule R2 that also matches packets, the behavior of firewall logging is as follows:
| VM1 has Ingress Rule R1 (matching packets) | VM1 has Egress Rule R2 (matching packets) | Connection Direction | Action | Log |
|---|---|---|---|---|
| Allow + Log | Allow | Ingress | Allow | One log entry: disposition=allow, rule=R1 |
| Deny | ||||
| Allow + Log | ||||
| Deny + Log | ||||
| Allow | Allow | Ingress | Allow | No logging |
| Deny | ||||
| Allow + Log | ||||
| Deny + Log | ||||
| Deny + Log | N/A | Ingress | Deny | One log entry every 5 seconds: disposition=deny, rule=R1 |
| Deny | N/A | Ingress | Deny | No logging |
| Allow | Allow + Log | Egress | Allow | One log entry: disposition=allow, rule=R2 |
| Deny | ||||
| Allow + Log | ||||
| Deny + Log | ||||
| Allow | Allow | Egress | Allow | No Logging |
| Deny | ||||
| Allow + Log | ||||
| Deny + Log | ||||
| N/A | Deny + Log | Egress | Deny | One log entry every 5 seconds: disposition=deny, rule=R2 |
| N/A | Deny | Egress | Deny | No logging |
Note that ingress and egress are symmetric.
This is the detailed description of the firewall logs semantics:
- Allow + Log (logging is supported for TCP and UDP only)
- Connection initiated in the direction to which the rule applies causes a single log record to be created.
- Reply traffic is allowed due to connection tracking. Reply traffic does not cause any logging to occur, regardless of VPC firewall rules in that direction.
- If the connection expires from the firewall (inactive for 10 minutes or TCP RST received), then another packet in either direction may trigger logging.
- Logging is based on 5-tuples. TCP flags don't affect logging behavior.
- Deny + Log (logging is supported for TCP and UDP only)
- Packets are dropped (no connection is initiated).
- Each packet that corresponds to a unique 5-tuple is logged as a failed connection attempt.
- The same 5-tuple is logged again every 5 seconds if it continues to receive packets.