Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Exclude Metadata from Firewall Logging

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Virtual Private Cloud (VPC) firewall logging is not configured to include logging metadata in order to reduce the size of the log files and optimize cloud storage costs.

Cost
optimisation

VPC firewall logging allows you to verify, analyze, and audit the effects of your firewall rules on your cloud resources. By default, metadata is added within the firewall rule log files. You can significantly reduce the log files size and cut down on storage costs by not including this additional data.

Audit

To determine if logging metadata is included within your VPC firewall log files, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to VPC Network dashboard at https://console.cloud.google.com/networking.

04 In the navigation panel, select Firewall, click inside the Filter table box and perform the following actions:

  1. Set Disabled to False to list all the ingress and egress rules enabled for the resources within the selected project.
  2. Set Logs to On to list the ingress and egress firewall rules with logging enabled.

05 Click on the firewall rule that you want to examine to access the rule logging configuration.

06 On the selected firewall rule page, in the Logs section, click on LOGS DETAILS and check the Include metadata configuration setting, available under Additional fields. If Include metadata configuration setting is enabled, the logging metadata is included in the log files created for the selected Google Cloud VPC network firewall rule.

07 Repeat step no. 5 and 6 for each ingress/egress firewall rule created for the selected project.

08 Repeat steps no. 2 – 7 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of the Google Cloud Platform (GCP) projects currently available in your Google Cloud account:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
PROJECT_ID
cc-main-project-123123
cc-prod-project-112233

03 Run compute networks list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom query filters to describe the name of each VPC network created within the selected project:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
gcloud compute networks list
	--project cc-main-project-123123
	--format="table(name)"

04 The command output should return the name(s) of the VPC network(s) created for the specified project:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
NAME
cc-web-stack-network
cc-internal-vpc-network

05 Run compute firewall-rules list command (Windows/macOS/Linux) using the name of the VPC network that you want to examine as identifier parameter and custom filtering to list all the firewall rules (ingress and egress) defined for the selected Virtual Private Cloud (VPC):

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
gcloud compute firewall-rules list
	--filter network=cc-web-stack-network
	--sort-by priority
	--format=table"(name,disabled,logConfig)"

06 The command output should return the requested information available for the existing VPC firewall rules:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
NAME                   DISABLED  LOG_CONFIG
cc-allow-http-access   False     {'enable': True, 'metadata': 'INCLUDE_ALL_METADATA'}
cc-allow-https-access  False     {'enable': True, 'metadata': 'INCLUDE_ALL_METADATA'}

Check the LOG_CONFIG configuration attribute value for any enabled firewall rules (i.e. DISABLED attribute set to False) returned by the compute firewall-rules list command output. If the LOG_CONFIG attribute value is set to {'enable': True, 'metadata': 'INCLUDE_ALL_METADATA'}, as shown in the example above, the firewall logging is enabled and the logging metadata is included within the VPC network firewall rule log files.

07 Repeat step no. 5 and 6 for each VPC network created for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To disable adding logging metadata to your Google Cloud VPC network firewall rule logs, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to VPC Network dashboard at https://console.cloud.google.com/networking.

04 In the navigation panel, select Firewall to access the list of VPC firewall rules created for the cloud resources running inside the selected project.

05 Click on the name of the firewall rule that you want to reconfigure, then click on the Edit button from the dashboard top menu to access the rule configuration settings.

06 On the selected rule configuration page, in the Logs section, click on LOGS DETAILS and deselect the Include metadata checkbox available under Additional fields. This will significantly reduce the size of the log files generated for the selected firewall rule.

07 Click Save to apply the configuration changes.

08 Repeat steps no. 5 – 7 to disable logging metadata for other VPC network firewall rules created for the selected project.

09 Repeat steps no. 2 – 8 for each GCP project deployed within your Google Cloud account.

Using GCP CLI

01 Run compute firewall-rules update command (Windows/macOS/Linux) using the name of the firewall rule that you want to reconfigure as identifier parameter (see Audit section part II to identify the appropriate rule), to disable adding logging metadata to the log files created for the selected Google Cloud VPC network firewall rule:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
gcloud compute firewall-rules update cc-allow-http-access
	--logging-metadata=exclude-all

02 The command output should return the ID of the reconfigured VPC firewall rule:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
Updated [https://www.googleapis.com/compute/v1/projects/cc-main-project-123123/global/firewalls/cc-allow-http-access].

03 Repeat step no. 1 and 2 to disable logging metadata for other VPC network firewall rules available in the selected project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.

References

Publication date May 10, 2021

Related CloudVPC rules