
Unused Network Firewall Rules

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)

To adhere to cloud security best practices, identify unused network firewall rules in your Google Cloud account. A firewall rule is considered unused when it's not associated with any cloud resources, such as when the firewall rule tag is not found on any existing resources. Consider disabling or deleting unused rules to optimize your resource usage.

Security, Operational excellence

Disabling unused network firewall rules can significantly reduce the risk of unauthorized access, because an unused rule can be reassociated at any time with the wrong resources. Removing unused components from your Google Cloud account is considered a best practice and translates to better resource management.


Audit

To identify any unused network firewall rules available in your Google Cloud account, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to VPC network console available at https://console.cloud.google.com/networking.

04 In the navigation panel, choose Firewall and select Firewall policies.

05 Click inside the Filter box, choose Disabled, and select False to list the active network firewall rules created for the selected project.

06 Click on the name (link) of the firewall rule that you want to examine, listed in the VPC firewall rules section.

07 On the Firewall rule details page, check the Applicable to instances section to identify the cloud resources associated with the selected firewall rule. If the Applicable to instances list is empty and the message No rows to display is shown, the selected network firewall rule is no longer associated with any cloud resource, so the rule is considered unused and can be disabled or removed from your Google Cloud account.

08 Repeat steps no. 6 and 7 for each firewall rule created for the selected GCP project.

09 Repeat steps no. 2 – 8 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the IDs of the Google Cloud Platform (GCP) projects currently available in your Google Cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

PROJECT_ID
cc-main-project-123123
cc-data-project-112233

03 Run compute networks list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the name of each VPC network created within the selected project:

gcloud compute networks list \
  --project cc-main-project-123123 \
  --format="table(name)"

04 The command output should return the name(s) of the VPC network(s) created for the specified project:

NAME
cc-web-stack-network
cc-project5-vpc-network

05 Run compute firewall-rules list command (Windows/macOS/Linux) with the name of the VPC network that you want to examine as the identifier parameter and custom filtering to list all the network firewall rules (and their status) created for the selected VPC:

gcloud compute firewall-rules list \
  --filter="network=cc-web-stack-network" \
  --sort-by priority \
  --format="table(name,disabled)"

06 The command output should return the name and the state of each firewall rule available for the selected VPC. The firewall rules with DISABLED set to False are active rules:

NAME: web-stack-allow-ssh
DISABLED: False

NAME: web-stack-allow-http
DISABLED: False

NAME: web-stack-allow-https
DISABLED: False

07 Run compute firewall-rules describe command (Windows/macOS/Linux) with the name of the active firewall rule that you want to examine as the identifier parameter, to describe the target tags defined for the selected rule:

gcloud compute firewall-rules describe web-stack-allow-ssh \
  --format="table(targetTags)"

08 The command output should return the requested tagging information:

TARGET_TAGS: ['ssh-access']

09 Run compute instances list command (Windows/macOS/Linux) with custom query filters to list the name and the network (target) tag available for each Compute Engine instance provisioned for the selected GCP project:

gcloud compute instances list \
  --project cc-main-project-123123 \
  --format="table(name,tags.items)"

10 The command output should return the name and the network tag(s) available for each provisioned instance:

NAME: cc-prod-vm-instance
ITEMS: ['http-server', 'https-server']

NAME: cc-backend-instance
ITEMS: ['backend-server']

NAME: cc-windows-instance
ITEMS: ['win-server', 'backend-server']

If none of the Compute Engine instances listed by the compute instances list command carry the network (target) tag identified in step 8, the selected network firewall rule is not associated with any compute resource, so the rule is considered unused and can be disabled or removed from your Google Cloud account.

11 Repeat steps no. 7 – 10 for each firewall rule defined for the selected GCP project.

12 Repeat steps no. 3 – 11 for each GCP project deployed in your Google Cloud account.
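The CLI audit above compares each active rule's target tags against the tags of every instance in the project by hand. The following script is an added example, not part of the Conformity knowledge base or of the gcloud tooling, that automates that comparison over the JSON output of the same two commands (gcloud compute firewall-rules list --format=json and gcloud compute instances list --format=json). It goes beyond the tag-only check in the text in two ways that matter when deciding whether a rule is really unused: a rule with neither targetTags nor targetServiceAccounts applies to every instance in its VPC, so it is only unused if that VPC has no instances, and a rule that targets a service account is matched against the instances' attached service accounts. The JSON field names (network, disabled, targetTags, targetServiceAccounts, tags.items, networkInterfaces, serviceAccounts) are those returned by gcloud; the function names and the sample rules and instances are constructed for the example.

```python
"""Identify unused VPC firewall rules from gcloud JSON output (added example)."""
import json
import sys

# Constructed sample data in the shape of:
#   gcloud compute firewall-rules list --project P --format=json
#   gcloud compute instances list --project P --format=json
NET = ("https://www.googleapis.com/compute/v1/projects/cc-main-project-123123"
       "/global/networks/cc-web-stack-network")

SAMPLE_RULES = [
    {"name": "web-stack-allow-ssh", "network": NET, "disabled": False,
     "targetTags": ["ssh-access"]},
    {"name": "web-stack-allow-http", "network": NET, "disabled": False,
     "targetTags": ["http-server"]},
    {"name": "web-stack-allow-https", "network": NET, "disabled": False,
     "targetTags": ["https-server"]},
    # No target tags and no target service accounts: applies to every
    # instance in the VPC, so it is only unused if the VPC is empty.
    {"name": "web-stack-allow-internal", "network": NET, "disabled": False},
    # Already disabled: not enforced, so it is not reported as unused.
    {"name": "web-stack-old-rdp", "network": NET, "disabled": True,
     "targetTags": ["rdp-access"]},
    # Targets a service account instead of a network tag.
    {"name": "web-stack-allow-backend-sa", "network": NET, "disabled": False,
     "targetServiceAccounts": [
         "backend@cc-main-project-123123.iam.gserviceaccount.com"]},
]

SAMPLE_INSTANCES = [
    {"name": "cc-prod-vm-instance",
     "tags": {"items": ["http-server", "https-server"]},
     "networkInterfaces": [{"network": NET}],
     "serviceAccounts": [{"email": "default@example.iam.gserviceaccount.com"}]},
    {"name": "cc-backend-instance",
     "tags": {"items": ["backend-server"]},
     "networkInterfaces": [{"network": NET}],
     "serviceAccounts": [{"email":
         "backend@cc-main-project-123123.iam.gserviceaccount.com"}]},
    {"name": "cc-windows-instance",
     "tags": {"items": ["win-server", "backend-server"]},
     "networkInterfaces": [{"network": NET}]},
]


def _last_component(url):
    """gcloud returns networks as full URLs; compare on the trailing name."""
    return url.rsplit("/", 1)[-1]


def instances_on_network(instances, network_url):
    """Instances that have at least one interface in the rule's VPC."""
    wanted = _last_component(network_url)
    return [inst for inst in instances
            if any(_last_component(nic.get("network", "")) == wanted
                   for nic in inst.get("networkInterfaces", []))]


def rule_is_unused(rule, instances):
    """True when an enforced rule can never apply to any existing instance."""
    if rule.get("disabled"):
        return False  # not enforced, nothing to assess (it may be deleted later)
    target_tags = set(rule.get("targetTags", []))
    target_sas = set(rule.get("targetServiceAccounts", []))
    members = instances_on_network(instances, rule["network"])
    if not target_tags and not target_sas:
        return not members  # applies to all instances in the VPC
    for inst in members:
        if target_tags & set(inst.get("tags", {}).get("items", [])):
            return False
        if target_sas & {sa.get("email") for sa in inst.get("serviceAccounts", [])}:
            return False
    return True


def find_unused_rules(rules, instances):
    """Sorted names of enforced rules that match no instance in their VPC."""
    return sorted(r["name"] for r in rules if rule_is_unused(r, instances))


if __name__ == "__main__":
    # Usage: python3 this.py rules.json instances.json (files saved from the
    # two gcloud commands above); with no arguments the sample data is used.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            rules = json.load(f)
        with open(sys.argv[2]) as f:
            instances = json.load(f)
    else:
        rules, instances = SAMPLE_RULES, SAMPLE_INSTANCES
    for name in find_unused_rules(rules, instances):
        print(name)
```

On the sample data only web-stack-allow-ssh is reported: its ssh-access tag is on no instance, exactly the situation step 10 describes. The rule with no targets is kept because the VPC has instances, the service-account rule is kept because cc-backend-instance runs under that account, and the disabled rule is skipped. The script covers Compute Engine instances only; before deleting a rule, also confirm it is not relied on by other resources that carry network tags or service accounts in that VPC (for example managed instance group templates or GKE nodes).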

Remediation / Resolution

To disable or remove any unused network firewall rules available in your Google Cloud account, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to VPC network console available at https://console.cloud.google.com/networking.

04 In the navigation panel, choose Firewall and select Firewall policies.

05 To disable the unused network firewall rule, perform the following actions:

  1. Click on the name (link) of the firewall rule that you want to disable and choose EDIT from the top menu.
  2. Choose DISABLE RULE and set the Enforcement to Disabled.
  3. Choose SAVE to apply the changes.

06 To remove the unused firewall rule, select the rule that you want to delete and choose DELETE. In the confirmation box, choose DELETE to remove the selected network firewall rule from your Google Cloud account.

07 Repeat steps no. 5 and 6 for each unused firewall rule created for the selected GCP project.

08 Repeat steps no. 2 – 7 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run compute firewall-rules update command (Windows/macOS/Linux) to disable the unused network firewall rule specified in the command request. When the firewall rule is disabled, the associated network behaves as if the rule did not exist:

gcloud compute firewall-rules update web-stack-allow-ssh --disabled

02 The command output should return the full ID of the disabled firewall rule:

Updated [https://www.googleapis.com/compute/v1/projects/cc-main-project-123123/global/firewalls/web-stack-allow-ssh].

03 Run compute firewall-rules delete command (Windows/macOS/Linux) to remove the selected network firewall rule from your Google Cloud account:

gcloud compute firewall-rules delete web-stack-allow-ssh

04 Type Y and press Enter at the command prompt to confirm the resource removal:

The following firewalls will be deleted:
- [web-stack-allow-ssh]

Do you want to continue (Y/n)? Y

05 The command output should return the URL of the firewall rule:

Deleted [https://www.googleapis.com/compute/v1/projects/cc-main-project-123123/global/firewalls/web-stack-allow-ssh].

06 Repeat steps no. 1 – 5 for each unused firewall rule defined for the selected GCP project.

07 Repeat steps no. 1 – 6 for each GCP project deployed in your Google Cloud account.

Publication date May 6, 2024