- Cloud NGFW
Contact Us Start free
- Home
- Cloud NGFW
- Documentation
- Guides
Firewall Rules Logging lets you audit, verify, and analyze theeffects of your firewall rules. For example, you can determine if a firewallrule designed to deny traffic is functioning as intended.Firewall Rules Logging is also useful if you need to determine howmany connections are affected by a given firewall rule.
You enable Firewall Rules Logging individually for each firewall rulewhose connections you need to log. Firewall Rules Logging is an optionfor any firewall rule, regardless of the action (allow or deny) or direction(ingress or egress) of the rule.
Firewall Rules Logging logs traffic to and from Compute Enginevirtual machine (VM) instances. This includesGoogle Cloud products built on Compute EngineVMs, such as Google Kubernetes Engine (GKE)clusters andApp Engine flexible environment instances.
When you enable logging for a firewall rule, Google Cloud creates an entrycalled a connection record each time the rule allows or denies traffic. Youcan view these records in Cloud Logging, and you can export logsto any destination that Cloud Logging export supports.
Each connection record contains the source and destination IP addresses, theprotocol and ports, date and time, and a reference to the firewall rule thatapplied to the traffic.
Firewall Rules Logging is available for both VPCfirewall rules and hierarchical firewall policies.
For information about viewing logs, see UseFirewall Rules Logging.
Specifications
Firewall Rules Logging has the following specifications:
- You can only enable Firewall Rules Logging for rules in aVirtual Private Cloud (VPC) network.Legacy networks are not supported.
- Firewall Rules Logging only records TCP and UDP connections. Although you cancreate a firewall rule applicable to otherprotocols, you cannot log their connections.If you want to also log other protocols, consider usingPacket Mirroring.
- You cannot enable Firewall Rules Logging for theimplied deny ingress and implied allow egress rules.
- Log entries are written from the perspective of VMs. Log entriesare only created if a firewall rule has logging enabled and if the ruleapplies to traffic sent to or from the VM. Entries are created according tothe connection logging limits on a best effort basis.
- The number of connections that can be logged in a giveninterval is based on the machine type.
- Changes to firewall rules can be viewed inVPC audit logs.
Logging examples
A log entry is generated each time that a firewall rule with logging enabled appliesto traffic. A given packet flow can generate more than one log entry in total.However, from the perspective of a given VM, at most only one log entry can begenerated if the firewall rule that applies to it has logging enabled.
The following examples demonstrate how firewall logs work.
Egress deny example
In this example:
- Traffic between VM instances in the
example-netVPC network in theexample-projproject is considered. - The two VM instances are:
- VM1 in zone
us-west1-awith IP address10.10.0.99in thewest-subnet(us-west1region). - VM2 in zone
us-east1-bwith IP address10.20.0.99in theeast-subnet(us-east1region).
- VM1 in zone
- Rule A: An egress deny firewall rule has a target of all instances in thenetwork, a destination of
10.20.0.99(VM2), and applies to TCP port 80.- Logging is enabled for this rule.
- Rule B: An ingress allow firewall rule has a target of all instances in thenetwork, a source of
10.10.0.99(VM1), and applies to TCP port 80.- Logging is also enabled for this rule.
The following gcloud commands can be used to create the firewall rules:
Rule A: egress deny rule for TCP 80, applicable to all instances,destination
10.20.0.99:gcloud compute firewall-rules create rule-a \ --network example-net \ --action deny \ --direction egress \ --rules tcp:80 \ --destination-ranges 10.20.0.99/32 \ --priority 10 \ --enable-logging
Rule B: ingress allow rule for TCP 80, applicable to all instances,source
10.10.0.99:gcloud compute firewall-rules create rule-b \ --network example-net \ --action allow \ --direction ingress \ --rules tcp:80 \ --source-ranges 10.10.0.99/32 \ --priority 10 \ --enable-logging
Suppose VM1 attempts to connect to VM2 on TCP port 80. The following firewallrules are logged:
- A log entry for rule A from the perspective of VM1 is generated as VM1attempts to connect to
10.20.0.99(VM2). - Because rule A actually blocks the traffic, rule B is never considered, sothere is no log entry for rule B from the perspective of VM2.
The firewall log record is generated in the following example.
| Field | Values |
|---|---|
| connection | src_ip=10.10.0.99 src_port=[EPHEMERAL_PORT] dest_ip=10.20.0.99 dest_port=80 protocol=6 |
| disposition | DENIED |
| rule_details | reference = "network:example-net/firewall:rule-a" priority = 10 action = DENY destination_range = 10.20.0.99/32 ip_port_info = tcp:80 direction = egress |
| instance | project_id="example-proj" instance_name=VM1 region=us-west1 zone=us-west1-a |
| vpc | project_id="example-proj" vpc_name=example-net subnetwork_name=west-subnet |
| remote_instance | project_id="example-proj" instance_name=VM2 region=us-east1 zone=us-east1-b |
| remote_vpc | project_id="example-proj" vpc_name=example-net subnetwork_name=east-subnet |
| remote_location | No information. This field is only used if the destination is outside your VPC network. |
Egress allow, ingress allow example
In this example:
- Traffic between VM instances in the
example-netVPC network in theexample-projproject is considered. - The two VM instances are:
- VM1 in zone
us-west1-awith IP address10.10.0.99in thewest-subnet(us-west1region). - VM2 in zone
us-east1-bwith IP address10.20.0.99in theeast-subnet(us-east1region).
- VM1 in zone
- Rule A: An egress allow firewall rule has a target of all instances in thenetwork, a destination of
10.20.0.99(VM2), and applies to TCP port 80.- Logging is enabled for this rule.
- Rule B: An ingress allow firewall rule has a target of all instances in thenetwork, a source of
10.10.0.99(VM1), and applies to TCP port 80.- Logging is also enabled for this rule.
The following gcloud commands can be used to create the two firewall rules:
Rule A: egress allow rule for TCP 80, applicable to all instances,destination
10.20.0.99(VM2):gcloud compute firewall-rules create rule-a \ --network example-net \ --action allow \ --direction egress \ --rules tcp:80 \ --destination-ranges 10.20.0.99/32 \ --priority 10 \ --enable-logging
Rule B: ingress allow rule for TCP 80, applicable to all instances,source
10.10.0.99(VM1):gcloud compute firewall-rules create rule-b \ --network example-net \ --action allow \ --direction ingress \ --rules tcp:80 \ --source-ranges 10.10.0.99/32 \ --priority 10 \ --enable-logging
Suppose VM1 attempts to connect to VM2 on TCP port 80. The following firewallrules are logged:
- A log entry for rule A from the perspective of VM1 is generated as VM1connects to
10.20.0.99(VM2). - A log entry for rule B from the perspective of VM2 is generated as VM2 allowsincoming connections from
10.10.0.99(VM1).
The firewall log record reported by VM1 is generated in the following example.
| Field | Values |
|---|---|
| connection | src_ip=10.10.0.99 src_port=[EPHEMERAL_PORT] dest_ip=10.20.0.99 dest_port=80 protocol=6 |
| disposition | ALLOWED |
| rule_details | reference = "network:example-net/firewall:rule-a" priority = 10 action = ALLOW destination_range = 10.20.0.99/32 ip_port_info = tcp:80 direction = egress |
| instance | project_id="example-proj" instance_name=VM1 region=us-west1 zone=us-west1-a |
| vpc | project_id="example-proj" vpc_name=example-net subnetwork_name=west-subnet |
| remote_instance | project_id="example-proj" instance_name=VM2 region=us-east1 zone=us-east1-b |
| remote_vpc | project_id="example-proj" vpc_name=example-net subnetwork_name=east-subnet |
| remote_location | No information. This field is only used if the destination is outside your VPC network. |
The firewall log record reported by VM2 is generated in the following example.
| Field | Values |
|---|---|
| connection | src_ip=10.10.0.99 src_port=[EPHEMERAL_PORT] dest_ip=10.20.0.99 dest_port=80 protocol=6 |
| disposition | ALLOWED |
| rule_details | reference = "network:example-net/firewall:rule-b" priority = 10 action = ALLOW source_range = 10.10.0.99/32 ip_port_info = tcp:80 direction = ingress |
| instance | project_id="example-proj" instance_name=VM2 region=us-east1 zone=us-east1-b |
| vpc | project_id="example-proj" vpc_name=example-net subnetwork_name=east-subnet |
| remote_instance | project_id="example-proj" instance_name=VM1 region=us-west1 zone=us-west1-a |
| remote_vpc | project_id="example-proj" vpc_name=example-net subnetwork_name=west-subnet |
| remote_location | No information. This field is only used if the destination is outside your VPC network. |
Internet ingress example
In this example:
- Traffic from a system outside the
example-netVPC network to a VMinstance in that network is considered. The network is in theexample-projproject. - The system on the internet has IP address
203.0.113.114. - VM1 in zone
us-west1-ahas IP address10.10.0.99in thewest-subnet(us-west1region). - Rule C: An ingress allow firewall rule has a target of all instances in thenetwork, a source of any IP address (
0.0.0.0/0), and applies to TCP port 80.- Logging is enabled for this rule.
- Rule D: An egress deny firewall rule has a target of all instances in thenetwork, a destination of any IP address (
0.0.0.0/0), and applies to allprotocols.- Logging is also enabled for this rule.
The following gcloud commands can be used to create the firewall rules:
Rule C: ingress allow rule for TCP 80, applicable to all instances,any source:
gcloud compute firewall-rules create rule-c \ --network example-net \ --action allow \ --direction ingress \ --rules tcp:80 \ --source-ranges 0.0.0.0/0 \ --priority 10 \ --enable-logging
Rule D: egress deny rule for all protocols, applicable to all instances,any destination:
gcloud compute firewall-rules create rule-d \ --network example-net \ --action deny \ --direction egress \ --rules all \ --destination-ranges 0.0.0.0/0 \ --priority 10 \ --enable-logging
Suppose the system with IP address 203.0.113.114 attempts to connect to VM1on TCP port 80. The following happens:
- A log entry for rule C from the perspective of VM1 is generated as VM1 acceptstraffic from
203.0.113.114. - Despite rule D, VM1 is allowed to reply to the incoming request becauseGoogle Cloud firewall rules are stateful. If the incoming request isallowed, established responses cannot be blocked by any kind of egress rule.
- Because rule D does not apply, it is never considered, sothere is no log entry for rule D.
The firewall log record is generated in the following example.
| Field | Values |
|---|---|
| connection | src_ip=203.0.113.114 src_port=[EPHEMERAL_PORT] dest_ip=10.10.0.99 dest_port=80 protocol=6 |
| disposition | ALLOWED |
| rule_details | reference = "network:my-vpc/firewall:rule-c" priority = 10 action = ALLOW source_range = 0.0.0.0/0 ip_port_info = tcp:80 direction = ingress |
| instance | project_id="example-proj" instance_name=VM1 region=us-west1 zone=us-west1-a |
| vpc | project_id="example-proj" vpc_name=example-net subnetwork_name=west-subnet |
| remote_location | continent country region city |
Firewall log format
Subject to the specifications,a log entry is created in Cloud Logging for each firewall rule that haslogging enabled if that rule applies to traffic to or from a VM instance. Logrecords are included in the JSON payload field of a LoggingLogEntry.
Log records contain base fields, which are the core fields of every log record,and metadata fields that add additional information. You can control whethermetadata fields are included. If you omit them, you can save on storage costs.
Some log fields support values that are also fields. These fields can have morethan one piece of data in a given field. For example, the connection field isof the IpConnection format, which contains the source and destination IPaddress and port, plus the protocol, in a single field. These fields aredescribed in the following tables.
| Field | Description | Field type: Base or optional metadata |
|---|---|---|
| connection | IpConnection 5-Tuple describing the source and destination IP address, source and destination port, and IP protocol of this connection. | Base |
| disposition | string Indicates whether the connection was ALLOWED or DENIED. | Base |
| rule_details | RuleDetails Details of the rule that was applied to this connection. | |
rule_details.reference field | Base | |
| Other rule detail fields | Metadata | |
| instance | InstanceDetails VM instance details. In a Shared VPC configuration, project_id corresponds to that of the service project. | Metadata |
| vpc | VpcDetails VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. | Metadata |
| remote_instance | InstanceDetails If the remote endpoint of the connection was a VM located in the Compute Engine, this field is populated with VM instance details. | Metadata |
| remote_vpc | VpcDetails If the remote endpoint of the connection was a VM that is located in a VPC network, this field is populated with the network details. | Metadata |
| remote_location | GeographicDetails If the remote endpoint of the connection was external to the VPC network, this field is populated with available location metadata. | Metadata |
IpConnection
| Field | Type | Description |
|---|---|---|
| src_ip | string | Source IP address. If the source is a Compute Engine VM, src_ip is either the primary internal IP address or an address in an alias IP range of the VM's network interface. The external IP address is not shown. Logging shows the IP address of the VM as the VM sees it on the packet header, the same as if you ran TCP dump on the VM. |
| src_port | integer | Source port |
| dest_ip | string | Destination IP address. If the destination is a Google Cloud VM, dest_ip is either the primary internal IP address or an address in an alias IP range of the VM's network interface. The external IP address is not shown even if it was used in making the connection. |
| dest_port | integer | Destination port |
| protocol | integer | IP protocol of the connection |
RuleDetails
| Field | Type | Description |
|---|---|---|
| reference | string | Reference to the firewall rule; format:"network:{network name}/firewall:{firewall_name}" |
| priority | integer | The priority for the firewall rule. |
| action | string | ALLOW or DENY |
| source_range[] | string | List of source ranges that the firewall rule applies to. |
| destination_range[] | string | List of destination ranges that the firewall rule applies to. |
| ip_port_info[] | IpPortDetails | List of IP protocols and applicable port ranges for rules. |
| direction | string | The direction that the firewall rule applies to (ingress or egress). |
| source_tag[] | string | List of all the source tags that the firewall rule applies to. |
| target_tag[] | string | List of all the target tags that the firewall rule applies to. |
| source_service_account[] | string | List of all the source service accounts that the firewall rule applies to. |
| target_service_account[] | string | List of all the target service accounts that the firewall rule applies to. |
| source_region_code[] | string | List of all the source country codes that the firewall rule applies to. |
| destination_region_code[] | string | List of all the destination country codes that the firewall rule applies to. |
| source_fqdn[] | string | List of all the source domain names that the firewall rule applies to. |
| destination_fqdn[] | string | List of all the destination domain names that the firewall rule applies to. |
| source_threat_intelligence[] | string | List of all the source Threat Intelligence list names that the firewall rule applies to. |
| destination_threat_intelligence[] | string | List of all the destination Threat Intelligence list names that the firewall rule applies to. |
| source_address_groups[] | string | List of all the source address groups that the firewall rule applies to. |
| destination_address_groups[] | string | List of all the destination address groups that the firewall rule applies to. |
IpPortDetails
| Field | Type | Description |
|---|---|---|
| ip_protocol | string | IP protocol that the firewall rule applies to. "ALL" if applies to all protocols. |
| port_range[] | string | List of applicable port ranges for rules; for example, 8080-9090. |
InstanceDetails
| Field | Type | Description |
|---|---|---|
| project_id | string | ID of the project containing the VM |
| vm_name | string | Instance name of the VM |
| region | string | Region of the VM |
| zone | string | Zone of the VM |
VpcDetails
| Field | Type | Description |
|---|---|---|
| project_id | string | ID of the project containing the network |
| vpc_name | string | Network on which the VM is operating |
| subnetwork_name | string | Subnet on which the VM is operating |
GeographicDetails
| Field | Type | Description |
|---|---|---|
| continent | string | Continent for external endpoints |
| country | string | Country for external endpoints |
| region | string | Region for external endpoints |
| city | string | City for external endpoints |
What's next
- To set up logging and view logs, see Use Firewall Rules Logging.
- To get insights about how your firewall rules are being used,see Firewall Insights.
- To store, search, analyze, monitor, and alert on log data and events, see Cloud Logging.
- To route log entries, see Configure and manage sinks.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-09-10 UTC.
[{ "type": "thumb-down", "id": "hardToUnderstand", "label":"Hard to understand" },{ "type": "thumb-down", "id": "incorrectInformationOrSampleCode", "label":"Incorrect information or sample code" },{ "type": "thumb-down", "id": "missingTheInformationSamplesINeed", "label":"Missing the information/samples I need" },{ "type": "thumb-down", "id": "otherDown", "label":"Other" }] [{ "type": "thumb-up", "id": "easyToUnderstand", "label":"Easy to understand" },{ "type": "thumb-up", "id": "solvedMyProblem", "label":"Solved my problem" },{ "type": "thumb-up", "id": "otherUp", "label":"Other" }]
