Enable Virtual Private Cloud firewall rule logging for each firewall rule whose connections you need to log, regardless of the action (allow or deny) or direction (inbound or outbound) of the rule. Once the VPC firewall rule logging is enabled, Google Cloud creates a connection record each time the rule allows or denies traffic. You can use Google Cloud Logging to view these records and export the log files to any destination supported by the service. Each connection record contains the source and destination IP addresses, the protocol and port(s) used, the connection date and time, and a reference to the firewall rule that managed the traffic.
Firewall rule logging allows you to verify, analyze, and audit the effects of your VPC firewall rules on your cloud resources. For example, you can determine if a firewall rule designed to deny network traffic is functioning as intended. This type of logging is also useful if you need to determine how many connections are affected by a given VPC firewall rule.
Audit
To determine if logging is enabled for your VPC network firewall rules, perform the following operations:
Remediation / Resolution
To enable rule logging for your Google Cloud VPC network firewall rules, perform the following operations:
References
- Google Cloud Platform (GCP) Documentation
- VPC firewall rules overview
- Using firewall rules
- Firewall Rules Logging overview
- Using Firewall Rules Logging
- GCP Command Line Interface (CLI) Documentation
- gcloud projects list
- gcloud compute networks list
- gcloud compute firewall-rules list
- gcloud beta compute firewall-rules update
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
Enable Logging for VPC Firewall Rules
Risk Level: Medium