Use firewall policy rules logging

Firewall policy rules logging lets you audit, verify, and analyze the effects of your firewall rules. For example, you can determine if a firewall rule designed to deny traffic is functioning as intended. Logging is also useful if you need to determine how many connections are affected by a given firewall rule.

Learn how to enable and disable firewall policy rules logging for Virtual Private Cloud (VPC) firewall rules. For instructions about logging for firewall policy rules, see Use hierarchical firewall policies and rules.

You can also learn how to view generated logs. For more information about what is logged, examples of logging, and log formats, see firewall policy rules logging overview.

If you enable logging on a firewall rule, you can view insights and recommendations for it from Firewall Insights. For more information, see Firewall Insights in the Network Intelligence Center documentation.

Permissions

To modify firewall rules or access logs, IAM principals need one of the following roles.

Task | Required role
---- | -------------
Create, delete, or update firewall rules | Project owner, editor, or Security Admin role (roles/compute.securityAdmin)
View logs | Project owner, editor, or viewer, or Logs Viewer role (roles/logging.viewer)
For details about Logging IAM roles and permissions, see Logging Access Control Guide.

Enable and disable firewall policy rules logging

When you create a firewall rule, you can enable logging for that firewall rule. For more information, see Create firewall rules.

To enable or disable firewall policy rules logging for an existing firewall rule, follow these directions. When you enable logging, you can control whether metadata fields are included. If you omit them, you can save on storage costs.

Enable firewall policy rules logging

Console

  1. In the Cloud de Confiance console, go to the Firewall policies page.

    Go to Firewall policies

  2. In the Logs column, determine if firewall logging is on or off for each firewall rule.

  3. To enable logging for one or more firewall rules, select the checkbox next to each rule that you want to update.

  4. In the VPC firewall rules action bar, click Configure logs.

  5. In the Configure logs dialog, select On.

  6. To omit the metadata fields, expand Show logs details, and then clear the Include metadata checkbox.

  7. Click Save configuration.

gcloud

gcloud compute firewall-rules update RULE_NAME \
    --enable-logging \
    --logging-metadata=LOGGING_METADATA

Replace the following:

  • RULE_NAME: the name of the firewall rule.
  • LOGGING_METADATA: whether firewall policy rules logging includes metadata fields in firewall rule logs. You can configure this field only if logging is enabled. The value must be exclude-all or include-all. By default, metadata fields are included.

For more information, see the SDK reference documentation.

Terraform

You can use the Terraform resource to create a firewall rule with logging enabled.

resource "google_compute_firewall" "rules" {
  project     = var.project_id # Replace this with your project ID in quotes
  name        = "my-firewall-rule"
  network     = "default"
  description = "Creates firewall rule targeting tagged instances"

  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }

  allow {
    protocol = "tcp"
    ports    = ["80", "8080", "1000-2000"]
  }
  target_tags = ["web"]
}

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

API

Enable firewall policy rules logging for an existing firewall rule.

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/firewalls/RULE_NAME
{
  "name": "RULE_NAME",
  "logConfig": {
    "enable": true,
    "metadata": "LOGGING_METADATA"
  }
}

Replace the placeholders with valid values:

  • PROJECT_ID: the ID of the project where the firewall rule is located.
  • RULE_NAME: the name of the firewall rule.
  • LOGGING_METADATA: whether firewall policy rules logging includes metadata fields in firewall rule logs. You can configure this field only if logging is enabled. The value must be exclude-all or include-all. By default, metadata fields are included.

For more information, refer to the firewalls.patch method.
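A check worth running after enabling logging, as an added example that is not code from this page or from any Google client library: an audit over firewall rules in the shape the firewalls API returns them, which flags rules whose logConfig is missing or disabled and builds the PATCH body from the API example above for each. It assumes the API enum values INCLUDE_ALL_METADATA (as in the Terraform example) and EXCLUDE_ALL_METADATA as the counterparts of include-all and exclude-all; the sample rules are constructed.

```python
"""Audit firewall rules (API resource dicts) for logging configuration and
build the firewalls.patch body to fix them. Added example, not page code;
sample rules are constructed."""
import json

INCLUDE = "INCLUDE_ALL_METADATA"  # API enum, as used in the Terraform example
EXCLUDE = "EXCLUDE_ALL_METADATA"  # assumed API counterpart of --logging-metadata=exclude-all


def logging_enabled(rule):
    """True when the rule carries a logConfig with enable set."""
    return bool(rule.get("logConfig", {}).get("enable", False))


def audit_logging(rules, require_metadata=False):
    """Return {rule_name: reason} for every rule that fails the audit."""
    findings = {}
    for rule in rules:
        if rule.get("disabled"):
            continue  # a disabled rule never matches traffic, so it produces no logs
        if not logging_enabled(rule):
            findings[rule["name"]] = "logging disabled"
        elif require_metadata and rule["logConfig"].get("metadata") != INCLUDE:
            findings[rule["name"]] = "metadata fields excluded"
    return findings


def patch_body(rule_name, enable=True, include_metadata=True):
    """Body for PATCH .../global/firewalls/RULE_NAME, same shape as the page's example."""
    body = {"name": rule_name, "logConfig": {"enable": enable}}
    if enable:  # metadata can only be configured while logging is enabled
        body["logConfig"]["metadata"] = INCLUDE if include_metadata else EXCLUDE
    return body


# Constructed sample of what firewalls.list might return (not real rules).
SAMPLE_RULES = [
    {"name": "allow-web", "logConfig": {"enable": True, "metadata": INCLUDE}},
    {"name": "allow-health", "logConfig": {"enable": True, "metadata": EXCLUDE}},
    {"name": "deny-ssh", "logConfig": {"enable": False}},
    {"name": "legacy-rule"},  # no logConfig at all
    {"name": "old-rule", "disabled": True},
]

if __name__ == "__main__":
    for name, reason in audit_logging(SAMPLE_RULES, require_metadata=True).items():
        print(f"{name}: {reason} -> {json.dumps(patch_body(name))}")
```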

Disable firewall policy rules logging

Console

  1. In the Cloud de Confiance console, go to the Firewall policies page.

    Go to Firewall policies

  2. In the Logs column, determine if firewall logging is on or off for each firewall rule.

  3. To disable logging for one or more firewall rules, select the checkbox next to each rule that you want to update.

  4. In the VPC firewall rules action bar, click Configure logs.

  5. In the Configure logs dialog, select Off, and then click Save configuration.

gcloud

gcloud compute firewall-rules update RULE_NAME \
    --no-enable-logging

Replace RULE_NAME with the name of the firewall rule.

API

Disable firewall policy rules logging for an existing firewall rule.

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/firewalls/RULE_NAME
{
  "name": "RULE_NAME",
  "logConfig": {
    "enable": false
  }
}

Replace the following:

  • PROJECT_ID: the ID of the project where the firewall rule is located.
  • RULE_NAME: the name of the firewall rule.

For more information, refer to the firewalls.patch method.

View logs

Firewall rule logs are created in the project that hosts the network containing the VM instances and firewall rules. With Shared VPC, VM instances are created in service projects, but they use a Shared VPC network located in the host project, so firewall rule logs are stored in that host project.

To view firewall rule logs, use the Logs Explorer section of the Cloud de Confiance console.

The following queries demonstrate how you can search for specific firewall events.

View all firewall logs

To view the firewall logs, do either option 1 or option 2.

Option 1

  1. In the Cloud de Confiance console, go to the Logs Explorer page.

    Go to Logs Explorer

  2. Click Resource.

  3. In the Select resource list, click Subnetwork, and then click Apply.

  4. Click Log name, and then in the list, select firewall.

  5. Click Apply.

Option 2

  1. In the Cloud de Confiance console, go to the Logs Explorer page.

    Go to Logs Explorer

  2. Click Query.

  3. If you don't see the query editor field in the Query pane, click the Show query toggle.

  4. Paste the following into the query editor field on the Query pane. Replace PROJECT_ID with your project ID.

    resource.type="gce_subnetwork"
    logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Ffirewall"
    
  5. Click Run query.

View logs for specific subnets

To view the firewall logs for specific subnets, do either option 1 or option 2.

Option 1

  1. In the Cloud de Confiance console, go to the Logs Explorer page.

    Go to Logs Explorer

  2. Click Resource.

  3. In the Select resource list, click Subnetwork.

  4. Select the subnetwork that you want to view logs for, and then click Apply.

  5. Click Log name, and then in the list, select firewall.

  6. Click Apply.

Option 2

  1. In the Cloud de Confiance console, go to the Logs Explorer page.

    Go to Logs Explorer

  2. Click Query.

  3. If you don't see the query editor field in the Query pane, click the Show query toggle.

  4. Paste the following into the query editor field on the Query pane. Replace PROJECT_ID with your project ID and SUBNET_NAME with your subnetwork.

    resource.type="gce_subnetwork"
    logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Ffirewall"
    resource.labels.subnetwork_name="SUBNET_NAME"
    
  5. Click Run query.

View logs for specific VMs

To view the firewall logs for specific VMs, do either option 1 or option 2.

Option 1

  1. In the Cloud de Confiance console, go to the Logs Explorer page.

    Go to Logs Explorer

  2. Click Resource.

  3. In the Select resource list, click VM instance.

  4. Select the instance that you want to view logs for, and then click Apply.

  5. Click Log name, and then in the list, select firewall.

  6. Click Apply.

Option 2

  1. In the Cloud de Confiance console, go to the Logs Explorer page.

    Go to Logs Explorer

  2. Click Query.

  3. If you don't see the query editor field in the Query pane, click the Show query toggle.

  4. Paste the following into the query editor field on the Query pane. Replace PROJECT_ID with your project ID and INSTANCE_ID with the ID of the VM that you want to view logs for.

    resource.type="gce_subnetwork"
    logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Ffirewall"
    jsonPayload.instance.vm_name="INSTANCE_ID"
    
  5. Click Run query.

View logs for connections from a specific country

To view the firewall logs for a specific country, do the following:

  1. In the Cloud de Confiance console, go to the Logs Explorer page.

    Go to Logs Explorer

  2. Click Query.

  3. If you don't see the query editor field in the Query pane, click the Show query toggle.

  4. Paste the following into the query editor field on the Query pane. Replace PROJECT_ID with your project ID and COUNTRY with the ISO 3166-1 alpha-3 country code.

    resource.type="gce_subnetwork"
    logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Ffirewall"
    jsonPayload.remote_location.country=COUNTRY
    

Export logs

To export firewall rule logs, see Configure and manage sinks.

You can use the example queries to narrow the logs that you export.

Table of interactions

  • In the case of VM-to-VM communication, log records might be generated by both VMs, depending on their respective firewall rules.
  • The logged connection includes packets flowing both ways if the initial packet was allowed by the firewall.
  • For a given VM, incoming connections are matched against the ingress firewall rules configured on that VM, and outgoing connections are matched against the egress firewall rules configured on that VM.
  • An allowed connection that matches a firewall rule with "allow and logging" is logged only once. The log entry is not repeated every 5 seconds even if the connection endures.
  • A denied connection matching a firewall rule with "denied and logging" does repeat the log entry every 5 seconds for as long as there are packets observed in that denied connection.
  • If you enable logging on a firewall rule that matches an already active TCP or UDP connection, a new log entry isn't generated. A log entry is created only if the connection remains idle for at least 10 minutes and a new packet is sent on the same connection. For continuous traffic with idle periods shorter than 10 minutes, only one log entry is generated for the connection.

This table shows the firewall logging behavior from the perspective of a single VM.

In a scenario in which a VM1 has an ingress rule R1 that matches packets and egress rule R2 that also matches packets, the behavior of firewall logging is as follows:

VM1 has Ingress Rule R1 (matching packets) | VM1 has Egress Rule R2 (matching packets) | Connection Direction | Action | Log
------------------------------------------ | ----------------------------------------- | -------------------- | ------ | ---
Allow + Log | Allow, Deny, Allow + Log, or Deny + Log | Ingress | Allow | One log entry: disposition=allow, rule=R1
Allow | Allow, Deny, Allow + Log, or Deny + Log | Ingress | Allow | No logging
Deny + Log | N/A | Ingress | Deny | One log entry every 5 seconds: disposition=deny, rule=R1
Deny | N/A | Ingress | Deny | No logging
Allow, Deny, Allow + Log, or Deny + Log | Allow + Log | Egress | Allow | One log entry: disposition=allow, rule=R2
Allow, Deny, Allow + Log, or Deny + Log | Allow | Egress | Allow | No logging
N/A | Deny + Log | Egress | Deny | One log entry every 5 seconds: disposition=deny, rule=R2
N/A | Deny | Egress | Deny | No logging

Note that ingress and egress are symmetric.

The following is a detailed description of the firewall log semantics:

  • Allow + Log (logging is supported for TCP and UDP)

    • A connection initiated in the direction to which the rule applies causes a single log record to be created.
    • Reply traffic is allowed due to connection tracking. Reply traffic does not cause any logging to occur, regardless of firewall rules in that direction.
    • If the connection expires from the firewall (inactive for 10 minutes or TCP RST received), then another packet in either direction may trigger logging.
    • Logging is based on 5-tuples. TCP flags don't affect logging behavior.
  • Deny + Log (logging is supported for TCP and UDP)

    • Packets are dropped (no connection is initiated).
    • Each packet that corresponds to a unique 5-tuple is logged as a failed connection attempt.
    • The same 5-tuple is logged again every 5 seconds if it continues to receive packets.
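The table and the semantics above can be hard to reason about when estimating log volume or deciding why a connection did or did not appear in the logs. The following model, an added example that is not code from this page or from any Google library, encodes exactly those rules: allowed connections log once per 5-tuple and expire after 10 minutes idle or on TCP RST, reply traffic of a tracked connection is never logged regardless of the rule in that direction, only TCP and UDP are logged, and a denied 5-tuple logs again every 5 seconds while packets keep arriving. The `FiveTuple`, `FirewallLogModel` and `packet` names are this example's own; all packets are constructed.

```python
"""Model of the firewall log semantics described on this page. Added example,
not page code; FiveTuple/FirewallLogModel are this example's own names and
every packet fed to it is constructed."""
from collections import namedtuple

IDLE_EXPIRY_S = 600   # a tracked connection expires after 10 minutes of inactivity
DENY_REPEAT_S = 5     # a denied 5-tuple is logged again every 5 seconds

FiveTuple = namedtuple("FiveTuple", "src_ip src_port dst_ip dst_port proto")


def reverse(ft):
    return FiveTuple(ft.dst_ip, ft.dst_port, ft.src_ip, ft.src_port, ft.proto)


class FirewallLogModel:
    def __init__(self):
        self.active = {}     # tracked (allowed) 5-tuple -> time of its last packet
        self.last_deny = {}  # denied 5-tuple -> time it was last logged
        self.entries = []    # (time, disposition, rule, 5-tuple) log records

    def packet(self, t, ft, rule, action, log=True, rst=False):
        """Feed one packet at time t; return True when a log entry is emitted."""
        if ft.proto not in ("tcp", "udp"):
            return False  # logging is supported for TCP and UDP only
        rev = reverse(ft)
        if rev in self.active and t - self.active[rev] < IDLE_EXPIRY_S:
            # Reply traffic of a tracked connection: allowed by connection
            # tracking and never logged, whatever rule applies in this direction.
            self.active[rev] = t
            if rst:
                del self.active[rev]  # TCP RST expires the connection
            return False
        if action == "allow":
            new = ft not in self.active or t - self.active[ft] >= IDLE_EXPIRY_S
            self.active[ft] = t
            if rst:
                del self.active[ft]  # TCP RST expires the connection immediately
            if new and log:
                self.entries.append((t, "allow", rule, ft))
            return new and log
        # Deny: the packet is dropped and no connection is tracked; each unique
        # 5-tuple is logged, and logged again every 5 seconds while packets arrive.
        last = self.last_deny.get(ft)
        if log and (last is None or t - last >= DENY_REPEAT_S):
            self.last_deny[ft] = t
            self.entries.append((t, "deny", rule, ft))
            return True
        return False
```

Feeding the same denied 5-tuple once per second for 12 seconds yields three entries (at 0, 5 and 10 seconds), while an allowed connection yields one entry however long it lasts, which is the difference between the two table rows above.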

What's next