Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable Logging for VPC Firewall Rules

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Enable Virtual Private Cloud firewall rule logging for each firewall rule whose connections you need to log, regardless of the action (allow or deny) or direction (inbound or outbound) of the rule. Once the VPC firewall rule logging is enabled, Google Cloud creates a connection record each time the rule allows or denies traffic. You can use Google Cloud Logging to view these records and export the log files to any destination supported by the service. Each connection record contains the source and destination IP addresses, the protocol and port(s) used, the connection date and time, and a reference to the firewall rule that managed the traffic.

Security

Firewall rule logging allows you to verify, analyze, and audit the effects of your VPC firewall rules on your cloud resources. For example, you can determine if a firewall rule designed to deny network traffic is functioning as intended. This type of logging is also useful if you need to determine how many connections are affected by a given VPC firewall rule.

Audit

To determine if logging is enabled for your VPC network firewall rules, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to VPC Network dashboard at https://console.cloud.google.com/networking.

04 In the navigation panel, select Firewall, click inside the Filter table box, set Disabled to False to list all the ingress and egress rules enabled for the resources within the selected project.

05 Choose the firewall rule that you want to examine and check the rule logging configuration status available in the Logs column. If the configurations status is set to Off, the rule logging is not enabled for the selected Google Cloud VPC network firewall rule.

06 Repeat step no. 5 for each ingress/egress firewall rule created for the selected project.

07 Repeat steps no. 2 – 6 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of the Google Cloud Platform (GCP) projects currently available in your Google Cloud account: 

gcloud projects list
  --format="table(projectId)"

02 The command output should return the requested GCP project identifiers (IDs): 

PROJECT_ID
cc-main-project-123123
cc-data-project-112233

03 Run compute networks list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom query filters to describe the name of each VPC network created within the selected project: 

gcloud compute networks list
  --project cc-main-project-123123
  --format="table(name)"

04 The command output should return the name(s) of the VPC network(s) created for the specified project: 

NAME
cc-web-stack-network

05 Run compute firewall-rules list command (Windows/macOS/Linux) using the name of the VPC network that you want to examine as identifier parameter and custom filtering to list all the firewall rules (ingress and egress) defined for the selected Virtual Private Cloud (VPC): 

gcloud compute firewall-rules list
  --filter network=cc-web-stack-network
  --sort-by priority
  --format=table"(name,disabled,direction,logConfig)"

06 The command output should return the requested information available for the existing VPC firewall rules: 

NAME                    DISABLED  DIRECTION  LOG_CONFIG
cc-allow-egress-access  False     EGRESS     {'enable': False}
cc-allow-mysql-access   False     INGRESS    {'enable': False}
cc-allow-ssh-access     False     INGRESS    {'enable': False}

Check the LOG_CONFIG configuration attribute value for any enabled firewall rules (i.e. DISABLED attribute set to False) returned by the compute firewall-rules list command output. If the LOG_CONFIG attribute value is set to {'enable': False}, as shown in the example above, the rule logging is not enabled for the selected Google Cloud VPC network firewall rule.

07 Repeat step no. 5 and 6 for each VPC network created for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To enable rule logging for your Google Cloud VPC network firewall rules, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to VPC Network dashboard at https://console.cloud.google.com/networking.

04 In the navigation panel, select Firewall to access the list of VPC firewall rules created for the cloud resources running inside the selected project.

05 Click on the name of the firewall rule that you want to reconfigure, then click on the Edit button from the dashboard top menu to access the rule configuration settings.

06 On the selected rule configuration page, under Logs, select On to enable rule logging for the selected VPC network firewall rule.

07 (Optional) Click on the LOGS DETAILS link and choose whether or not to include metadata in the generated log files.

08 Click Save to apply the configuration changes.

09 Repeat steps no. 5 – 8 to enable logging for other VPC network firewall rules created for the selected project.

10 Repeat steps no. 2 – 9 for each GCP project deployed within your Google Cloud account.

Using GCP CLI

01 Run compute firewall-rules update command (Windows/macOS/Linux) using the name of the firewall rule that you want to reconfigure as identifier parameter (see Audit section part II to identify the appropriate rule), to enable rule logging for the selected Google Cloud VPC network firewall rule: 

gcloud beta compute firewall-rules update cc-allow-ssh-access
  --enable-logging

02 The command output should return the ID of the reconfigured VPC firewall rule: 

Updated [https://www.googleapis.com/compute/v1/projects/cc-main-project-123123/global/firewalls/cc-allow-ssh-access].

03 If required, repeat step no. 1 and 2 to enable rule logging for other VPC network firewall rules available in the selected project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.

References

Publication date May 4, 2021

Related CloudVPC rules