Firewall Rules Logging allows you to audit, verify, and analyze the effects of your firewall rules. For example, you can determine if a firewall rule designed to deny traffic is functioning as intended. Logging is also useful if you need to determine how many connections are affected by a given firewall rule.
This page shows you how to enable and disable logging for Virtual Private Cloud firewall rules. For instructions about logging for firewall policy rules, see Use hierarchical firewall policies and rules.
This page also shows you how to view generated logs. For more information about what is logged, examples of logging, and log formats, see Firewall Rules Logging.
If you enable logging on a firewall rule, you can view insights and recommendations for it from Firewall Insights. For more information, see Firewall Insights in the Network Intelligence Center documentation.
Permissions
To modify firewall rules or access logs, IAM principals need an appropriate role: Project Owner, Editor, or Security Admin to modify firewall rules, and at least Logs Viewer to read the logs.
Enable and disable Firewall Rules Logging
When you create a firewall rule, you can choose to turn on firewall rules logging. For more information, see Create firewall rules.
To enable or disable Firewall Rules Logging for an existing firewall rule, follow these directions. When you enable logging, you can control whether metadata fields are included. If you omit them, you can save on storage costs.
Enable Firewall Rules Logging
Console
In the Google Cloud console, go to the Firewall policies page.
In the Logs column, determine if firewall logging is on or off for each firewall rule.
To enable logging for one or more firewall rules, select the checkbox next to each rule that you want to update.
In the VPC firewall rules action bar, click Configure logs.
In the Configure logs dialog, select On.
To omit the metadata fields, expand Show logs details, and then clear the Include metadata checkbox.
Click Save configuration.
gcloud
gcloud compute firewall-rules update RULE_NAME \
    --enable-logging \
    --logging-metadata=LOGGING_METADATA
Replace the following:
RULE_NAME: the name of the firewall rule.
LOGGING_METADATA: whether Firewall Rules Logging includes metadata fields in firewall rule logs. You can configure this field only if logging is enabled. The value must be exclude-all or include-all. By default, metadata fields are included.
For more information, see the SDK reference documentation.
Terraform
You can use the Terraform resource to create a firewall rule with logging enabled.
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.
API
Enable Firewall Rules Logging for an existing firewall rule.
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/firewalls/RULE_NAME
{
  "name": "RULE_NAME",
  "logConfig": {
    "enable": true,
    "metadata": "LOGGING_METADATA"
  }
}
Replace the placeholders with valid values:
PROJECT_ID: the ID of the project where the firewall rule is located.
RULE_NAME: the name of the firewall rule.
LOGGING_METADATA: whether Firewall Rules Logging includes metadata fields in firewall rule logs. You can configure this field only if logging is enabled. In the API the value is the enum string INCLUDE_ALL_METADATA or EXCLUDE_ALL_METADATA (the gcloud CLI spells these include-all and exclude-all). By default, metadata fields are included.
For more information, refer to the firewalls.patch method.
Disable Firewall Rules Logging
Console
In the Google Cloud console, go to the Firewall policies page.
In the Logs column, determine if firewall logging is on or off for each firewall rule.
To disable logging for one or more firewall rules, select the checkbox next to each rule that you want to update.
In the VPC firewall rules action bar, click Configure logs.
In the Configure logs dialog, select Off, and then click Save configuration.
gcloud
gcloud compute firewall-rules update RULE_NAME \
    --no-enable-logging
Replace RULE_NAME with the name of the firewall rule.
API
Disable Firewall Rules Logging for an existing firewall rule.
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/firewalls/RULE_NAME
{
  "name": "RULE_NAME",
  "logConfig": {
    "enable": false
  }
}
Replace the following:
PROJECT_ID: the ID of the project where the firewall rule is located.
RULE_NAME: the name of the firewall rule.
For more information, refer to the firewalls.patch method.
Firewall rule logs are created in the project that hosts the network containing the VM instances and firewall rules. With Shared VPC, VM instances are created in service projects, but they use a Shared VPC Network located in the host project. Firewall rules logs are stored in that host project.
To view firewall rule logs, use the Logs Explorer section of the Google Cloud console.
The following queries demonstrate how you can search for specific firewall events.
View all firewall logs
In the Google Cloud console, go to the Logs Explorer page.
Click Resource.
In the Select resource list, click Subnetwork, and then click Apply.
Click Log name, and then in the list, select firewall.
Click Apply.
Alternatively:
In the Google Cloud console, go to the Logs Explorer page.
Click Query.
If you don't see the query editor field in the Query pane, click the Show query toggle.
Paste the following into the query editor field on the Query pane. Replace PROJECT_ID with your project ID.
resource.type="gce_subnetwork"
logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Ffirewall"
Click Run query.
View logs for a specific subnet
In the Google Cloud console, go to the Logs Explorer page.
Click Resource.
In the Select resource list, click Subnetwork.
Select the subnetwork that you want to view logs for, and then click Apply.
Click Log name, and then in the list, select firewall.
Click Apply.
Alternatively:
In the Google Cloud console, go to the Logs Explorer page.
Click Query.
If you don't see the query editor field in the Query pane, click the Show query toggle.
Paste the following into the query editor field on the Query pane. Replace PROJECT_ID with your project ID and SUBNET_NAME with the name of your subnetwork.
resource.type="gce_subnetwork"
logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Ffirewall"
resource.labels.subnetwork_name="SUBNET_NAME"
Click Run query.
View logs for a specific VM instance
In the Google Cloud console, go to the Logs Explorer page.
Click Resource.
In the Select resource list, click VM instance.
Select the instance that you want to view logs for, and then click Apply.
Click Log name, and then in the list, select firewall.
Click Apply.
Alternatively:
In the Google Cloud console, go to the Logs Explorer page.
Click Query.
If you don't see the query editor field in the Query pane, click the Show query toggle.
Paste the following into the query editor field on the Query pane. Replace PROJECT_ID with your project ID and VM_NAME with the name of the VM that you want to view logs for. The filter matches on the instance name, not on its numeric instance ID.
resource.type="gce_subnetwork"
logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Ffirewall"
jsonPayload.instance.vm_name="VM_NAME"
Click Run query.
View logs for connections from a specific country
In the Google Cloud console, go to the Logs Explorer page.
Click Query.
If you don't see the query editor field in the Query pane, click the Show query toggle.
Paste the following into the query editor field on the Query pane. Replace PROJECT_ID with your project ID and COUNTRY with the ISO 3166-1 alpha-3 country code.
resource.type="gce_subnetwork"
logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Ffirewall"
jsonPayload.remote_location.country="COUNTRY"
Click Run query.
To export firewall rule logs, see Configure and manage sinks.
You can use the example queries to narrow the logs that you export.
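The Logs Explorer filters above can be reproduced offline against exported log entries, which is useful when you want to answer the two questions from the introduction (is my deny rule firing, and how many connections does a given rule touch?) over a saved export rather than in the console. The following is an added Python example; it is not code from this page or from Google Cloud. The sample entries are constructed. The resource.type, logName, resource.labels.subnetwork_name, jsonPayload.instance.vm_name and jsonPayload.remote_location.country fields are the ones the queries above filter on; the jsonPayload.connection, jsonPayload.disposition and jsonPayload.rule_details fields follow the Firewall Rules Logging log format and are assumed here rather than shown on this page.

```python
"""Offline triage of VPC Firewall Rules Logging entries.

Added example (not code from the page or from Google Cloud). The sample
entries below are constructed. The jsonPayload.connection, disposition and
rule_details fields follow the Firewall Rules Logging log format and are
assumed here; the remaining fields are the ones the Logs Explorer queries
on this page filter on.
"""
from collections import Counter

PROJECT_ID = "example-host-project"      # assumed Shared VPC host project
LOG_NAME = f"projects/{PROJECT_ID}/logs/compute.googleapis.com%2Ffirewall"
ACTION = {"ALLOWED": "ALLOW", "DENIED": "DENY"}


def make_entry(subnet, vm, rule, disposition, src_ip, dest_port, country):
    """Build one constructed log entry in the shape Logs Explorer shows."""
    return {
        "logName": LOG_NAME,
        "resource": {"type": "gce_subnetwork",
                     "labels": {"project_id": PROJECT_ID, "subnetwork_name": subnet}},
        "jsonPayload": {
            "connection": {"src_ip": src_ip, "src_port": 51234,
                           "dest_ip": "10.128.0.5", "dest_port": dest_port,
                           "protocol": 6},  # 6 = TCP
            "disposition": disposition,
            "rule_details": {"reference": f"network:prod-vpc/firewall:{rule}",
                             "direction": "INGRESS",
                             "action": ACTION[disposition]},
            "instance": {"vm_name": vm, "zone": "us-central1-a"},
            "remote_location": {"country": country},
        },
    }


# Constructed sample: a web tier that allows 443 and logs a deny-all rule.
SAMPLE_LOG = [
    make_entry("web-subnet", "web-1", "allow-https", "ALLOWED", "203.0.113.10", 443, "USA"),
    make_entry("web-subnet", "web-1", "deny-ingress-all", "DENIED", "198.51.100.7", 22, "DEU"),
    make_entry("web-subnet", "web-2", "deny-ingress-all", "DENIED", "198.51.100.7", 3389, "DEU"),
    make_entry("db-subnet", "db-1", "allow-internal-5432", "ALLOWED", "10.128.0.5", 5432, "USA"),
    # Same resource type but a different log (VPC Flow Logs): must be skipped.
    {"logName": f"projects/{PROJECT_ID}/logs/compute.googleapis.com%2Fvpc_flows",
     "resource": {"type": "gce_subnetwork", "labels": {"subnetwork_name": "web-subnet"}},
     "jsonPayload": {}},
]


def firewall_logs(entries, project_id=PROJECT_ID):
    """resource.type="gce_subnetwork" logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Ffirewall"."""
    want = f"projects/{project_id}/logs/compute.googleapis.com%2Ffirewall"
    return [e for e in entries
            if e.get("resource", {}).get("type") == "gce_subnetwork"
            and e.get("logName") == want]


def for_subnet(entries, subnet):
    """Adds resource.labels.subnetwork_name="SUBNET_NAME"."""
    return [e for e in firewall_logs(entries)
            if e["resource"]["labels"].get("subnetwork_name") == subnet]


def for_vm(entries, vm_name):
    """Adds jsonPayload.instance.vm_name="VM_NAME" (a name, not a numeric ID)."""
    return [e for e in firewall_logs(entries)
            if e["jsonPayload"].get("instance", {}).get("vm_name") == vm_name]


def from_country(entries, iso3):
    """Adds jsonPayload.remote_location.country="COUNTRY" (ISO 3166-1 alpha-3)."""
    return [e for e in firewall_logs(entries)
            if e["jsonPayload"].get("remote_location", {}).get("country") == iso3]


def rule_name(entry):
    """Extract RULE_NAME from rule_details.reference 'network:NET/firewall:RULE_NAME'."""
    ref = entry["jsonPayload"]["rule_details"]["reference"]
    return ref.rsplit("firewall:", 1)[1]


def connections_per_rule(entries):
    """Count logged connections per (rule, disposition): shows whether a deny
    rule is firing at all and how much traffic each rule touches."""
    return Counter((rule_name(e), e["jsonPayload"]["disposition"])
                   for e in firewall_logs(entries))


if __name__ == "__main__":
    for (rule, disposition), n in sorted(connections_per_rule(SAMPLE_LOG).items()):
        print(f"{rule:24} {disposition:8} {n}")
```

Each filter function is the in-code equivalent of one Logs Explorer query above; the first filter on logName is what keeps VPC Flow Logs, which share the gce_subnetwork resource type, out of the count.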
Table of interactions
This table shows the firewall logging behavior from the perspective of a single VM. In a scenario in which VM1 has an ingress rule R1 that matches packets and an egress rule R2 that also matches packets, the behavior of firewall logging is as follows:

VM1 ingress rule R1 (matching packets) | VM1 egress rule R2 (matching packets) | Connection direction | Action | Log
Allow + Log | Allow | Ingress | Allow | One log entry

Note that ingress and egress are symmetric.
This is the detailed description of the firewall log semantics:
- Allow + Log (logging is supported for TCP and UDP)
- Deny + Log (logging is supported for TCP and UDP)
Log entries missing
If you cannot view firewall rule logs in the Logs Explorer section of the Google Cloud console, check the following:
Possible cause: Insufficient permissions
Ask the project owner to make sure your IAM principal has at least the Logs Viewer role for the project. Refer to Permissions for more information.
Possible cause: Legacy networks not supported
You cannot use Firewall Rules Logging in a legacy network. Only VPC networks are supported.
Possible cause: Looking in the wrong project
Firewall rule logs are stored in the project that contains the network, so make sure you're looking for logs in the correct project. With Shared VPC, VM instances are created in service projects, but they use a Shared VPC network located in the host project, and the firewall rule logs for those instances are stored in the host project. You therefore need appropriate permissions on the host project to view them, even though the VM instances themselves are in service projects.
Possible cause: Connections might not match the firewall rule you expect
Verify that the firewall rule you expect is in the list of applicable firewall rules for an instance. Use the Google Cloud console to view details for the relevant instance, then click the View details button in the Network interfaces section on its VM instance details page. Inspect applicable firewall rules in the Firewall and routes details section of the VM's Network interface details page. To make sure that you create your firewall rules correctly, review VPC firewall rules.
You can use tcpdump on the VM to determine if connections it sends or receives have addresses, ports, and protocols that would match the firewall you expect.
Possible cause: A higher priority rule with Firewall Rules Logging disabled might apply
Firewall rules are evaluated according to their priorities. From the perspective of a VM instance, only one firewall rule applies to a given connection. A rule that you think is the highest priority applicable rule might not actually be the highest priority applicable rule: a higher priority rule that does not have logging enabled might apply instead, in which case no log entry is produced for that connection.
To troubleshoot, you can temporarily enable logging for all possible firewall rules applicable to a VM. Use the Google Cloud console to view details for the relevant VM, then click the View details button in the Network interfaces section on its VM instance details page. Inspect applicable firewall rules in the Firewall and routes details section of the VM's Network interface details page, and identify your custom rules in that list. Temporarily enable logging for all of those custom firewall rules.
With logging enabled, you can identify the applicable rule. Once identified, be sure to disable logging for all rules that don't actually need it.
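The shadowing case described above, and the "logging is supported for TCP and UDP" caveat from the semantics list, can be reasoned through without touching a live project. The following added Python example (not code from this page or from Google Cloud) models the evaluation order: every rule that matches a connection is a candidate, the lowest priority number wins, only that one rule applies, and a log entry is produced only if the winning rule has logging enabled and the protocol is TCP or UDP. The rule set and connections are constructed; the implied deny-ingress and allow-egress rules at priority 65535, which cannot have logging enabled, and the rule that a deny wins over an allow at equal priority, are taken from the VPC firewall rules documentation rather than from this page.

```python
"""Which VPC firewall rule applied to a connection, and did it log?

Added example (not code from the page or from Google Cloud). The rule set
and connections are constructed. Models the evaluation order described in
the troubleshooting text above: lowest priority number wins, exactly one
rule applies, and a log entry exists only if that rule has logging enabled
and the protocol is TCP or UDP. Implied rules and the deny-over-allow tie
break come from the VPC firewall rules documentation (assumed here).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                          # "INGRESS" or "EGRESS"
    priority: int                           # 0..65535, lower number wins
    action: str                             # "ALLOW" or "DENY"
    protocol: str                           # "tcp", "udp", "icmp" or "all"
    ports: frozenset = frozenset()          # empty: all ports
    remote_ranges: tuple = ("0.0.0.0/0",)   # source (ingress) / destination (egress)
    logging: bool = False


# Implied rules exist in every VPC network and cannot have logging enabled.
IMPLIED = (
    Rule("implied-deny-ingress", "INGRESS", 65535, "DENY", "all"),
    Rule("implied-allow-egress", "EGRESS", 65535, "ALLOW", "all"),
)


def matches(rule, direction, protocol, port, remote_ip):
    """True if the connection's direction, protocol, port and remote address fit the rule."""
    if rule.direction != direction:
        return False
    if rule.protocol not in ("all", protocol):
        return False
    if rule.ports and port not in rule.ports:
        return False
    addr = ip_address(remote_ip)
    return any(addr in ip_network(cidr) for cidr in rule.remote_ranges)


def applicable_rule(rules, direction, protocol, port, remote_ip):
    """The single rule that applies: lowest priority number wins; at equal
    priority a DENY rule takes precedence over an ALLOW rule."""
    candidates = [r for r in (*rules, *IMPLIED)
                  if matches(r, direction, protocol, port, remote_ip)]
    return min(candidates, key=lambda r: (r.priority, r.action != "DENY"))


def explain(rules, direction, protocol, port, remote_ip):
    """Report which rule applied, whether it logged, and which logging-enabled
    rules matched but were shadowed by a higher-priority rule."""
    winner = applicable_rule(rules, direction, protocol, port, remote_ip)
    shadowed = [r.name for r in rules
                if r.logging and r is not winner
                and matches(r, direction, protocol, port, remote_ip)]
    return {
        "rule": winner.name,
        "action": winner.action,
        "logged": winner.logging and protocol in ("tcp", "udp"),
        "shadowed_logging_rules": shadowed,
    }


# Constructed rule set: the operator expects deny-ssh-log to log every SSH attempt,
# but a higher-priority allow from the ops range has logging disabled.
RULES = (
    Rule("allow-ops-ssh", "INGRESS", 900, "ALLOW", "tcp", frozenset({22}),
         ("10.0.0.0/8",), logging=False),
    Rule("deny-ssh-log", "INGRESS", 1000, "DENY", "tcp", frozenset({22}),
         logging=True),
    Rule("allow-icmp-log", "INGRESS", 1000, "ALLOW", "icmp", logging=True),
)


if __name__ == "__main__":
    for remote in ("10.1.2.3", "203.0.113.9"):
        print(remote, explain(RULES, "INGRESS", "tcp", 22, remote))
    print("icmp", explain(RULES, "INGRESS", "icmp", 0, "203.0.113.9"))
    print("egress", explain(RULES, "EGRESS", "tcp", 443, "203.0.113.9"))
```

The SSH connection from 10.1.2.3 is the missing-log case: allow-ops-ssh (priority 900, no logging) wins, so deny-ssh-log never fires and nothing is written, which is exactly what temporarily enabling logging on every applicable custom rule would reveal. The ICMP case shows a logging-enabled rule that still produces no entry because only TCP and UDP are logged.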
Possible cause: Configuration propagation delay
If you update a firewall rule that has firewall logging enabled, it might take a few minutes before Google Cloud finishes propagating the changes necessary to log traffic that matches the rule's updated components.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-07 UTC.