Firewall Rules Logging lets you audit, verify, and analyze the effects of your firewall rules. For example, you can determine if a firewall rule designed to deny traffic is functioning as intended. Firewall Rules Logging is also useful if you need to determine how many connections are affected by a given firewall rule.
You enable Firewall Rules Logging individually for each firewall rule
whose connections you need to log. Firewall Rules Logging is an option
for any firewall rule, regardless of the action (allow or deny) or direction
(ingress or egress) of the rule.
Firewall Rules Logging logs traffic to and from Compute Engine virtual machine (VM) instances. This includes Trusted Cloud by S3NS products built on Compute Engine VMs, such as Google Kubernetes Engine (GKE) clusters and App Engine flexible environment instances.
When you enable logging for a firewall rule, Trusted Cloud by S3NS creates an entry called a connection record each time the rule allows or denies traffic. You can view these records in Cloud Logging, and you can export logs to any destination that Cloud Logging export supports.
Each connection record contains the source and destination IP addresses, the protocol and ports, date and time, and a reference to the firewall rule that applied to the traffic.
Firewall Rules Logging is available for both VPC firewall rules and hierarchical firewall policies.
For information about viewing logs, see Use Firewall Rules Logging.
Specifications
Firewall Rules Logging has the following specifications:
- You can only enable Firewall Rules Logging for rules in a Virtual Private Cloud (VPC) network. Legacy networks are not supported.
- Firewall Rules Logging only records TCP and UDP connections. Although you can create a firewall rule applicable to other protocols, you cannot log their connections.
- You cannot enable Firewall Rules Logging for the implied deny ingress and implied allow egress rules.
- Log entries are written from the perspective of VMs. Log entries are only created if a firewall rule has logging enabled and if the rule applies to traffic sent to or from the VM. Entries are created according to the connection logging limits on a best effort basis.
- The number of connections that can be logged in a given interval is based on the machine type.
- Changes to firewall rules can be viewed in VPC audit logs.
Firewall log format
Subject to the specifications, a log entry is created in Cloud Logging for each firewall rule that has logging enabled if that rule applies to traffic to or from a VM instance. Log records are included in the JSON payload field of a Logging LogEntry.
Log records contain base fields, which are the core fields of every log record, and metadata fields that add additional information. You can control whether metadata fields are included. If you omit them, you can save on storage costs.
Some log fields support values that are also fields. These fields can have more
than one piece of data in a given field. For example, the connection field is
of the IpConnection format, which contains the source and destination IP
address and port, plus the protocol, in a single field. These fields are
described in the following tables.
| Field | Description | Field type: Base or optional metadata |
|---|---|---|
| connection | IpConnection 5-Tuple describing the source and destination IP address, source and destination port, and IP protocol of this connection. |
Base |
| disposition | string Indicates whether the connection was ALLOWED or
DENIED. |
Base |
| rule_details | RuleDetails Details of the rule that was applied to this connection. |
|
rule_details.reference field |
Base | |
| Other rule detail fields | Metadata | |
| instance | InstanceDetails VM instance details. In a Shared VPC configuration, project_id corresponds to that of the service project. |
Metadata |
| vpc | VpcDetails VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. |
Metadata |
| remote_instance | InstanceDetails If the remote endpoint of the connection was a VM located in the Compute Engine, this field is populated with VM instance details. |
Metadata |
| remote_vpc | VpcDetails If the remote endpoint of the connection was a VM that is located in a VPC network, this field is populated with the network details. |
Metadata |
| remote_location | GeographicDetails If the remote endpoint of the connection was external to the VPC network, this field is populated with available location metadata. |
Metadata |
IpConnection
| Field | Type | Description |
|---|---|---|
| src_ip | string | Source IP address. If the source is a Compute Engine VM,
src_ip is either the primary internal IP address or an address
in an alias IP range of the VM's network interface. The external IP
address is not shown. Logging shows the IP address of the VM as
the VM sees it on the packet header, the same as if you ran TCP dump on the VM. |
| src_port | integer | Source port |
| dest_ip | string | Destination IP address. If the destination is a Trusted Cloud VM,
dest_ip is either the primary internal IP address or an address
in an alias IP range of the VM's network interface. The external IP
address is not shown even if it was used in making the connection. |
| dest_port | integer | Destination port |
| protocol | integer | IP protocol of the connection |
RuleDetails
| Field | Type | Description |
|---|---|---|
| reference | string | Reference to the firewall rule; format:"network:{network name}/firewall:{firewall_name}" |
| priority | integer | The priority for the firewall rule. |
| action | string | ALLOW or DENY |
| source_range[ ] | string | List of source ranges that the firewall rule applies to. |
| destination_range[ ] | string | List of destination ranges that the firewall rule applies to. |
| ip_port_info[ ] | IpPortDetails | List of IP protocols and applicable port ranges for rules. |
| direction | string | The direction that the firewall rule applies to (ingress or egress). |
| source_tag[ ] | string | List of all the source tags that the firewall rule applies to. |
| target_tag[ ] | string | List of all the target tags that the firewall rule applies to. |
| source_service_account[ ] | string | List of all the source service accounts that the firewall rule applies to. |
| target_service_account[ ] | string | List of all the target service accounts that the firewall rule applies to. |
| source_region_code[ ] | string | List of all the source country codes that the firewall rule applies to. |
| destination_region_code[ ] | string | List of all the destination country codes that the firewall rule applies to. |
| source_fqdn[ ] | string | List of all the source domain names that the firewall rule applies to. |
| destination_fqdn[ ] | string | List of all the destination domain names that the firewall rule applies to. |
| source_address_groups[ ] | string | List of all the source address groups that the firewall rule applies to. |
| destination_address_groups[ ] | string | List of all the destination address groups that the firewall rule applies to. |
IpPortDetails
| Field | Type | Description |
|---|---|---|
| ip_protocol | string | IP protocol that the firewall rule applies to. "ALL" if applies to all protocols. |
| port_range[ ] | string | List of applicable port ranges for rules; for example, 8080-9090. |
InstanceDetails
| Field | Type | Description |
|---|---|---|
| project_id | string | ID of the project containing the VM |
| vm_name | string | Instance name of the VM |
| region | string | Region of the VM |
| zone | string | Zone of the VM |
VpcDetails
| Field | Type | Description |
|---|---|---|
| project_id | string | ID of the project containing the network |
| vpc_name | string | Network on which the VM is operating |
| subnetwork_name | string | Subnet on which the VM is operating |
GeographicDetails
| Field | Type | Description |
|---|---|---|
| continent | string | Continent for external endpoints |
| country | string | Country for external endpoints |
| region | string | Region for external endpoints |
| city | string | City for external endpoints |
What's next
- To set up logging and view logs, see Use Firewall Rules Logging.
- To get insights about how your firewall rules are being used, see Firewall Insights.
- To store, search, analyze, monitor, and alert on log data and events, see Cloud Logging.
- To route log entries, see Configure and manage sinks.