Firewall Rules Logging lets you audit, verify, and analyze the effects of your firewall rules. For example, you can determine if a firewall rule designed to deny traffic is functioning as intended. Firewall Rules Logging is also useful if you need to determine how many connections are affected by a given firewall rule.
You enable Firewall Rules Logging individually for each firewall rule whose connections you need to log. Firewall Rules Logging is an option for any firewall rule, regardless of the action (allow or deny) or direction (ingress or egress) of the rule.
Firewall Rules Logging logs traffic to and from Compute Engine virtual machine (VM) instances. This includes Google Cloud products built on Compute Engine VMs, such as Google Kubernetes Engine (GKE) clusters and App Engine flexible environment instances.
When you enable logging for a firewall rule, Google Cloud creates an entry called a connection record each time the rule allows or denies traffic. You can view these records in Cloud Logging, and you can export logs to any destination that Cloud Logging export supports.
Each connection record contains the source and destination IP addresses, the protocol and ports, date and time, and a reference to the firewall rule that applied to the traffic.
Firewall Rules Logging is available for both VPC firewall rules and hierarchical firewall policies.
For information about viewing logs, see Use Firewall Rules Logging.
Specifications
Firewall Rules Logging has the following specifications:
- Firewall Rules Logging only records TCP and UDP connections. You can create a firewall rule that applies to other protocols, but their connections are not logged.
- Firewall Rules Logging is supported for VPC networks only, not for legacy networks.
- You cannot enable logging for the implied deny ingress rule or the implied allow egress rule. Traffic handled only by those rules generates no log entries.
- A log entry is generated each time that a firewall rule with logging enabled applies to traffic. A given packet flow can generate more than one log entry in total, because each VM involved in the flow evaluates its own rules. However, from the perspective of a given VM, at most one log entry is generated for a flow, and only if the firewall rule that applies to it has logging enabled.
- The number of connections that can be logged in a given time interval depends on the VM's machine type. Log entries are generated on a best-effort basis from the perspective of the VMs, so connections can be missed under load; do not treat the absence of a log entry as proof that no connection occurred.
Examples
The following examples demonstrate how firewall logs work.

Egress deny example
In this example:
- Traffic in the example-net VPC network in the example-proj project is considered.
- VM1 is in zone us-west1-a with IP address 10.10.0.99 in the west-subnet (us-west1 region).
- VM2 is in zone us-east1-b with IP address 10.20.0.99 in the east-subnet (us-east1 region).
- Rule A is an egress deny rule, applicable to all instances, whose destination is 10.20.0.99 (VM2), and applies to TCP port 80.
- Rule B is an ingress allow rule, applicable to all instances, whose source is 10.10.0.99 (VM1), and applies to TCP port 80.
The following gcloud commands can be used to create the firewall rules:
Rule A: egress deny rule for TCP 80, applicable to all instances, destination 10.20.0.99:
    gcloud compute firewall-rules create rule-a \
        --network example-net \
        --action deny \
        --direction EGRESS \
        --rules tcp:80 \
        --destination-ranges 10.20.0.99/32 \
        --priority 10 \
        --enable-logging
Rule B: ingress allow rule for TCP 80, applicable to all instances, source 10.10.0.99:
    gcloud compute firewall-rules create rule-b \
        --network example-net \
        --action allow \
        --direction INGRESS \
        --rules tcp:80 \
        --source-ranges 10.10.0.99/32 \
        --priority 10 \
        --enable-logging
Suppose VM1 attempts to connect to VM2 on TCP port 80. The following firewall rule is logged:
- Rule A is logged by VM1 because it denies egress traffic to 10.20.0.99 (VM2).
Rule B is not logged: the packet is dropped at VM1 and never reaches VM2, so VM2 evaluates no ingress rule for it.
The firewall log record is generated in the following example. src_port is the ephemeral port chosen by VM1; vm_name values are not defined by the example and are omitted.
Field | Values
--- | ---
connection | src_ip=10.10.0.99, src_port=(ephemeral port), dest_ip=10.20.0.99, dest_port=80, protocol=6
disposition | DENIED
rule_details | reference=network:example-net/firewall:rule-a, priority=10, action=DENY, direction=egress, destination_range=[10.20.0.99/32], ip_port_info=[ip_protocol=tcp, port_range=[80]]
instance | project_id=example-proj, region=us-west1, zone=us-west1-a
vpc | project_id=example-proj, vpc_name=example-net, subnetwork_name=west-subnet
remote_instance | project_id=example-proj, region=us-east1, zone=us-east1-b
remote_vpc | project_id=example-proj, vpc_name=example-net, subnetwork_name=east-subnet

Egress allow example
In this example:
- Traffic in the example-net VPC network in the example-proj project is considered.
- VM1 is in zone us-west1-a with IP address 10.10.0.99 in the west-subnet (us-west1 region).
- VM2 is in zone us-east1-b with IP address 10.20.0.99 in the east-subnet (us-east1 region).
- Rule A is an egress allow rule, applicable to all instances, whose destination is 10.20.0.99 (VM2), and applies to TCP port 80.
- Rule B is an ingress allow rule, applicable to all instances, whose source is 10.10.0.99 (VM1), and applies to TCP port 80.
The following gcloud commands can be used to create the two firewall rules:
Rule A: egress allow rule for TCP 80, applicable to all instances, destination 10.20.0.99 (VM2):
    gcloud compute firewall-rules create rule-a \
        --network example-net \
        --action allow \
        --direction EGRESS \
        --rules tcp:80 \
        --destination-ranges 10.20.0.99/32 \
        --priority 10 \
        --enable-logging
Rule B: ingress allow rule for TCP 80, applicable to all instances, source 10.10.0.99 (VM1):
    gcloud compute firewall-rules create rule-b \
        --network example-net \
        --action allow \
        --direction INGRESS \
        --rules tcp:80 \
        --source-ranges 10.10.0.99/32 \
        --priority 10 \
        --enable-logging
Suppose VM1 attempts to connect to VM2 on TCP port 80. The following firewall rules are logged:
- Rule A is logged by VM1 because it allows egress traffic to 10.20.0.99 (VM2).
- Rule B is logged by VM2 because it allows ingress traffic from 10.10.0.99 (VM1).
The same connection therefore produces two records, one per VM, each referencing the rule that applied on that VM. The firewall log record reported by VM1 is generated in the following example (src_port is the ephemeral port chosen by VM1; vm_name values are omitted).
Field | Values
--- | ---
connection | src_ip=10.10.0.99, src_port=(ephemeral port), dest_ip=10.20.0.99, dest_port=80, protocol=6
disposition | ALLOWED
rule_details | reference=network:example-net/firewall:rule-a, priority=10, action=ALLOW, direction=egress, destination_range=[10.20.0.99/32], ip_port_info=[ip_protocol=tcp, port_range=[80]]
instance | project_id=example-proj, region=us-west1, zone=us-west1-a
vpc | project_id=example-proj, vpc_name=example-net, subnetwork_name=west-subnet
remote_instance | project_id=example-proj, region=us-east1, zone=us-east1-b
remote_vpc | project_id=example-proj, vpc_name=example-net, subnetwork_name=east-subnet
The firewall log record reported by VM2 is generated in the following example.
Field | Values
--- | ---
connection | src_ip=10.10.0.99, src_port=(ephemeral port), dest_ip=10.20.0.99, dest_port=80, protocol=6
disposition | ALLOWED
rule_details | reference=network:example-net/firewall:rule-b, priority=10, action=ALLOW, direction=ingress, source_range=[10.10.0.99/32], ip_port_info=[ip_protocol=tcp, port_range=[80]]
instance | project_id=example-proj, region=us-east1, zone=us-east1-b
vpc | project_id=example-proj, vpc_name=example-net, subnetwork_name=east-subnet
remote_instance | project_id=example-proj, region=us-west1, zone=us-west1-a
remote_vpc | project_id=example-proj, vpc_name=example-net, subnetwork_name=west-subnet

Ingress allow from internet example
In this example:
- Traffic from the internet (a system outside the example-net VPC network) to a VM instance in that network is considered. The network is in the example-proj project.
- The external system has IP address 203.0.113.114.
- VM1 is in zone us-west1-a and has IP address 10.10.0.99 in the west-subnet (us-west1 region).
- Rule C is an ingress allow rule, applicable to all instances, from any source (0.0.0.0/0), and applies to TCP port 80.
- Rule D is an egress deny rule, applicable to all instances, to any destination (0.0.0.0/0), and applies to all protocols.
The following gcloud commands can be used to create the firewall rules:
Rule C: ingress allow rule for TCP 80, applicable to all instances, any source:
    gcloud compute firewall-rules create rule-c \
        --network example-net \
        --action allow \
        --direction INGRESS \
        --rules tcp:80 \
        --source-ranges 0.0.0.0/0 \
        --priority 10 \
        --enable-logging
Rule D: egress deny rule for all protocols, applicable to all instances, any destination:
    gcloud compute firewall-rules create rule-d \
        --network example-net \
        --action deny \
        --direction EGRESS \
        --rules all \
        --destination-ranges 0.0.0.0/0 \
        --priority 10 \
        --enable-logging
Suppose the system with IP address 203.0.113.114 attempts to connect to VM1 on TCP port 80. The following happens:
- Rule C is logged by VM1 because it allows ingress traffic from 203.0.113.114.
- Rule D is not logged. VM1's reply packets belong to the connection that rule C allowed, and Google Cloud firewall rules are stateful: return traffic of an established connection is permitted without being evaluated against egress rules, so the egress deny never applies and only one record is generated for the connection.
The firewall log record is generated in the following example (src_port is the ephemeral port chosen by the external system; vm_name is omitted).
Field | Values
--- | ---
connection | src_ip=203.0.113.114, src_port=(ephemeral port), dest_ip=10.10.0.99, dest_port=80, protocol=6
disposition | ALLOWED
rule_details | reference=network:example-net/firewall:rule-c, priority=10, action=ALLOW, direction=ingress, source_range=[0.0.0.0/0], ip_port_info=[ip_protocol=tcp, port_range=[80]]
instance | project_id=example-proj, region=us-west1, zone=us-west1-a
vpc | project_id=example-proj, vpc_name=example-net, subnetwork_name=west-subnet
remote_location | Geographic details of the external endpoint (continent, country, region, city), when available; no remote_instance or remote_vpc is reported because the peer is not a VM.
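The three examples above all follow from one rule: each VM evaluates only the rules for its own direction and reports at most one record per flow. The following Python is an added illustration of that evaluation, not code from this page or from Google Cloud; it reproduces which VM logs which rule in the egress deny, egress allow and internet ingress scenarios, and can be extended with other rule sets. The types Rule, Vm and Flow, the VM names vm1 and vm2, and every function name are this example's own inventions.

```python
"""Which VMs emit a Firewall Rules Logging record for one connection attempt.

Added illustration, not Google Cloud code. It models what the three examples
above show: the sender evaluates egress rules, the receiver evaluates ingress
rules, the matching rule with the lowest priority number wins (deny beats allow
at equal priority), a VM emits at most one record per flow and only when the
winning rule has logging enabled, a packet denied on egress never reaches the
receiver, and the reply of an accepted connection is not re-evaluated because
the firewall is stateful. Implied rules apply when nothing matches and are
never logged. Rule, Vm, Flow, the VM names and all functions are this
example's own, not product API.
"""
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

NETWORK = "example-net"                   # VPC network used by the examples
PROTOCOL_NUMBERS = {"tcp": 6, "udp": 17}  # IANA numbers, as in connection.protocol
Vm = namedtuple("Vm", "name ip zone")
Flow = namedtuple("Flow", "src_ip dest_ip protocol dest_port")

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                  # "INGRESS" or "EGRESS"
    action: str                     # "allow" or "deny"
    priority: int
    protocol: str                   # "tcp", "udp" or "all"
    ports: tuple = ()               # empty means any port
    source_ranges: tuple = ()       # ingress rules match src_ip against these
    destination_ranges: tuple = ()  # egress rules match dest_ip against these
    enable_logging: bool = False

def _in_ranges(ip, ranges):
    return any(ip_address(ip) in ip_network(r) for r in ranges)

def _matches(rule, flow):
    if rule.protocol != "all" and (rule.protocol != flow.protocol or
                                   (rule.ports and flow.dest_port not in rule.ports)):
        return False
    if rule.direction == "EGRESS":
        return _in_ranges(flow.dest_ip, rule.destination_ranges)
    return _in_ranges(flow.src_ip, rule.source_ranges)

def winning_rule(rules, direction, flow):
    """Best-priority matching rule for one direction; None means only the
    implied rule applies, and implied rules are never logged."""
    hits = [r for r in rules if r.direction == direction and _matches(r, flow)]
    return min(hits, key=lambda r: (r.priority, r.action != "deny")) if hits else None

def _record(vm, rule, flow):
    """Subset of the base and metadata fields described under Log format."""
    return {"connection": {"src_ip": flow.src_ip, "dest_ip": flow.dest_ip,
                           "dest_port": flow.dest_port,
                           "protocol": PROTOCOL_NUMBERS[flow.protocol]},
            "disposition": "ALLOWED" if rule.action == "allow" else "DENIED",
            "rule_details": {"reference": f"network:{NETWORK}/firewall:{rule.name}",
                             "priority": rule.priority, "direction": rule.direction.lower()},
            "instance": {"vm_name": vm.name, "zone": vm.zone}}

def connection_records(rules, vms, flow):
    """Records generated for one connection attempt, sender's record first."""
    by_ip = {vm.ip: vm for vm in vms}
    records = []
    sender = by_ip.get(flow.src_ip)            # None when the source is external
    if sender is not None:
        rule = winning_rule(rules, "EGRESS", flow)
        if rule is not None:
            if rule.enable_logging:
                records.append(_record(sender, rule, flow))
            if rule.action == "deny":
                return records                 # dropped at the sender; the receiver sees nothing
    receiver = by_ip.get(flow.dest_ip)
    if receiver is not None:
        rule = winning_rule(rules, "INGRESS", flow)
        if rule is not None and rule.enable_logging:
            records.append(_record(receiver, rule, flow))
    # The receiver's reply belongs to the established connection and is not
    # evaluated against its egress rules, so an egress deny such as rule-d in
    # the third example produces no record.
    return records

VM1 = Vm("vm1", "10.10.0.99", "us-west1-a")
VM2 = Vm("vm2", "10.20.0.99", "us-east1-b")

def vm_to_vm_example(rule_a_action):
    """Egress deny example ("deny") and egress allow example ("allow")."""
    rules = (Rule("rule-a", "EGRESS", rule_a_action, 10, "tcp", (80,),
                  destination_ranges=("10.20.0.99/32",), enable_logging=True),
             Rule("rule-b", "INGRESS", "allow", 10, "tcp", (80,),
                  source_ranges=("10.10.0.99/32",), enable_logging=True))
    return connection_records(rules, (VM1, VM2), Flow("10.10.0.99", "10.20.0.99", "tcp", 80))

def internet_ingress_example():
    """Ingress allow from internet example: rule C logs, rule D does not."""
    rules = (Rule("rule-c", "INGRESS", "allow", 10, "tcp", (80,),
                  source_ranges=("0.0.0.0/0",), enable_logging=True),
             Rule("rule-d", "EGRESS", "deny", 10, "all",
                  destination_ranges=("0.0.0.0/0",), enable_logging=True))
    return connection_records(rules, (VM1, VM2), Flow("203.0.113.114", "10.10.0.99", "tcp", 80))
```

vm_to_vm_example("deny") returns a single DENIED record from vm1 for rule-a, vm_to_vm_example("allow") returns an ALLOWED record from vm1 (rule-a) followed by one from vm2 (rule-b), and internet_ingress_example() returns one ALLOWED record from vm1 for rule-c with no record for rule-d. Adding a lower-numbered egress allow to the first rule set shows the common failure mode in practice: the deny rule stops producing records because it no longer wins.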
Log format
Subject to the specifications, a log entry is created in Cloud Logging for each firewall rule that has logging enabled if that rule applies to traffic to or from a VM instance. Log records are included in the JSON payload (jsonPayload) field of a Cloud Logging LogEntry.
Log records contain base fields, which are the core fields of every log record, and metadata fields that add additional information. You can control whether metadata fields are included. Omitting them reduces log volume and storage costs, at the price of losing the instance, network and remote-endpoint context they carry; the base fields are still enough to tell which rule applied and whether the connection was allowed or denied.
Some log fields are themselves structured, so that a single field carries more than one piece of data. For example, the connection field is of the IpConnection format, which contains the source and destination IP addresses and ports, plus the protocol, in a single field. These fields are described in the following tables.
Field | Type | Description | Base or metadata
--- | --- | --- | ---
connection | IpConnection | 5-tuple describing the source and destination IP addresses and ports, plus the IP protocol. | Base
disposition | string | Whether the connection was ALLOWED or DENIED. | Base
rule_details | RuleDetails | Details about the rule that applied to the connection. | rule_details.reference field: Base. Other rule detail fields: Metadata
instance | InstanceDetails | VM instance details. In a Shared VPC configuration, project_id corresponds to that of the service project. | Metadata
vpc | VpcDetails | VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. | Metadata
remote_instance | InstanceDetails | If the remote endpoint of the connection was a Compute Engine VM, its instance details. | Metadata
remote_vpc | VpcDetails | If the remote endpoint of the connection was a VM in a VPC network, its VPC network details. | Metadata
remote_location | GeographicDetails | If the remote endpoint of the connection was external to the VPC network, the available location metadata. | Metadata

IpConnection
Field | Type | Description
--- | --- | ---
src_ip | string | Source IP address. If the source is a Google Cloud VM, src_ip is either the primary internal IP address or an address in an alias IP range of the VM's network interface. The external IP address is not shown. Logging shows the IP address of the VM as the VM sees it on the packet header, the same as if you ran tcpdump on the VM.
src_port | integer | Source port.
dest_ip | string | Destination IP address. If the destination is a Google Cloud VM, dest_ip is either the primary internal IP address or an address in an alias IP range of the VM's network interface. The external IP address is not shown even if it was used in making the connection.
dest_port | integer | Destination port.
protocol | integer | IP protocol of the connection, as the IANA protocol number (for example, 6 for TCP and 17 for UDP).

RuleDetails
Field | Type | Description
--- | --- | ---
reference | string | Reference to the firewall rule; format: "network:{network name}/firewall:{firewall_name}"
priority | integer | The priority for the firewall rule.
action | string | ALLOW or DENY
source_range[ ] | string | List of source ranges that the firewall rule applies to.
destination_range[ ] | string | List of destination ranges that the firewall rule applies to.
ip_port_info[ ] | IpPortDetails | List of IP protocols and applicable port ranges for rules.
direction | string | The direction that the firewall rule applies to (ingress or egress).
source_tag[ ] | string | List of all the source tags that the firewall rule applies to.
target_tag[ ] | string | List of all the target tags that the firewall rule applies to.
source_service_account[ ] | string | List of all the source service accounts that the firewall rule applies to.
target_service_account[ ] | string | List of all the target service accounts that the firewall rule applies to.
source_region_code[ ] | string | List of all the source country codes that the firewall rule applies to.
destination_region_code[ ] | string | List of all the destination country codes that the firewall rule applies to.
source_fqdn[ ] | string | List of all the source domain names that the firewall rule applies to.
destination_fqdn[ ] | string | List of all the destination domain names that the firewall rule applies to.
source_threat_intelligence[ ] | string | List of all the source Google Threat Intelligence list names that the firewall rule applies to.
destination_threat_intelligence[ ] | string | List of all the destination Google Threat Intelligence list names that the firewall rule applies to.
source_address_groups[ ] | string | List of all the source address groups that the firewall rule applies to.
destination_address_groups[ ] | string | List of all the destination address groups that the firewall rule applies to.

IpPortDetails
Field | Type | Description
--- | --- | ---
ip_protocol | string | IP protocol that the firewall rule applies to. "ALL" if it applies to all protocols.
port_range[ ] | string | List of applicable port ranges for rules; for example, 8080-9090.

InstanceDetails
Field | Type | Description
--- | --- | ---
project_id | string | ID of the project containing the VM.
vm_name | string | Instance name of the VM.
region | string | Region of the VM.
zone | string | Zone of the VM.

VpcDetails
Field | Type | Description
--- | --- | ---
project_id | string | ID of the project containing the network.
vpc_name | string | Network on which the VM is operating.
subnetwork_name | string | Subnet on which the VM is operating.

GeographicDetails
Field | Type | Description
--- | --- | ---
continent | string | Continent for external endpoints.
country | string | Country for external endpoints.
region | string | Region for external endpoints.
city | string | City for external endpoints.
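The field tables above describe what lands in jsonPayload; what a practitioner then does with it is answer the two questions the page opens with, how many connections a rule affected and whether a deny rule is functioning as intended. The following Python is an added example, not code from this page or from Google Cloud. It parses a JSON array of LogEntry objects (for instance the output of gcloud logging read with --format=json) and, besides counting by rule, uses the RuleDetails metadata of a deny rule's own records to find ALLOWED records inside that rule's scope, which is how a higher-priority allow that shadows the deny shows up in the logs. The sample entries are constructed for this example; the project name, the VM names, the rule named rule-allow-web, the logName suffix and all function names are assumptions.

```python
"""Analyse Firewall Rules Logging entries exported from Cloud Logging.

Added example, not Google Cloud code. It reads LogEntry objects whose jsonPayload
uses the base and metadata fields described above and answers the two questions
the page opens with: how many connections each rule affected, and whether a deny
rule is taking effect or is shadowed by a lower-numbered allow rule. The entries
below are constructed for this example; the project, VM names, rule-allow-web and
the logName suffix are assumptions, as are all function names.
"""
import json
from collections import Counter
from ipaddress import ip_address, ip_network

FIREWALL_LOG_ID = "compute.googleapis.com%2Ffirewall"  # assumed log ID suffix of logName
PROTOCOL_NUMBERS = {"tcp": 6, "udp": 17}
RULE_A = "network:example-net/firewall:rule-a"
RULE_B = "network:example-net/firewall:rule-b"
RULE_C = "network:example-net/firewall:rule-c"
RULE_WEB = "network:example-net/firewall:rule-allow-web"  # hypothetical broader allow

RULE_A_DETAILS = {"reference": RULE_A, "priority": 10, "action": "DENY", "direction": "egress",
                  "destination_range": ["10.20.0.99/32"],
                  "ip_port_info": [{"ip_protocol": "tcp", "port_range": ["80"]}]}

def _entry(ts, src, sport, dst, dport, disposition, rule_details, vm=None):
    # One constructed LogEntry; metadata (instance) is present only when vm is given.
    payload = {"connection": {"src_ip": src, "src_port": sport, "dest_ip": dst,
                              "dest_port": dport, "protocol": 6},
               "disposition": disposition, "rule_details": rule_details}
    if vm:
        payload["instance"] = {"project_id": "example-proj", "vm_name": vm}
    return {"logName": "projects/example-proj/logs/" + FIREWALL_LOG_ID,
            "timestamp": ts, "jsonPayload": payload}

# Constructed export: rule-a denies two attempts, then a broader egress allow at
# priority 5 lets the same traffic through and rule-b logs it on the receiver.
SAMPLE_EXPORT = json.dumps([
    _entry("2025-07-01T10:00:00Z", "10.10.0.99", 40000, "10.20.0.99", 80, "DENIED", RULE_A_DETAILS, "vm1"),
    _entry("2025-07-01T10:00:05Z", "10.10.0.99", 40001, "10.20.0.99", 80, "DENIED", {"reference": RULE_A}),
    _entry("2025-07-01T11:00:00Z", "10.10.0.99", 40002, "10.20.0.99", 80, "ALLOWED",
           {"reference": RULE_WEB, "priority": 5, "action": "ALLOW", "direction": "egress"}, "vm1"),
    _entry("2025-07-01T11:00:00Z", "10.10.0.99", 40002, "10.20.0.99", 80, "ALLOWED",
           {"reference": RULE_B, "priority": 10, "action": "ALLOW", "direction": "ingress"}, "vm2"),
    _entry("2025-07-01T12:00:00Z", "203.0.113.114", 51515, "10.10.0.99", 80, "ALLOWED",
           {"reference": RULE_C, "direction": "ingress"}, "vm1"),
    _entry("2025-07-01T12:00:03Z", "203.0.113.114", 51516, "10.10.0.99", 80, "ALLOWED",
           {"reference": RULE_C, "direction": "ingress"}, "vm1"),
    _entry("2025-07-01T12:00:09Z", "198.51.100.7", 6000, "10.10.0.99", 80, "ALLOWED",
           {"reference": RULE_C, "direction": "ingress"}, "vm1"),
])

def load_records(text):
    """jsonPayload of every firewall entry in a JSON array of LogEntry objects."""
    return [e["jsonPayload"] for e in json.loads(text)
            if e.get("logName", "").endswith(FIREWALL_LOG_ID)]

def count_by_rule(records):
    """{rule reference: Counter of dispositions}; needs base fields only."""
    counts = {}
    for r in records:
        counts.setdefault(r["rule_details"]["reference"], Counter())[r["disposition"]] += 1
    return counts

def rule_scope(records, reference):
    """Direction, destination ranges and (protocol, low, high) port triples of a
    rule, recovered from any of its records that still carries metadata."""
    for r in records:
        d = r["rule_details"]
        if d["reference"] == reference and "ip_port_info" in d:
            ports = []
            for info in d["ip_port_info"]:
                proto = PROTOCOL_NUMBERS.get(info["ip_protocol"].lower())  # None: all
                for pr in info.get("port_range") or ["0-65535"]:
                    lo, _, hi = pr.partition("-")
                    ports.append((proto, int(lo), int(hi or lo)))
            return {"direction": d["direction"],
                    "dest": d.get("destination_range", []), "ports": ports}
    return None

def _in_scope(conn, scope):
    if scope["dest"] and not any(ip_address(conn["dest_ip"]) in ip_network(n)
                                 for n in scope["dest"]):
        return False
    return any(p in (None, conn["protocol"]) and lo <= conn["dest_port"] <= hi
               for p, lo, hi in scope["ports"])

def shadowing_allows(records, deny_reference):
    """Rules that ALLOWED traffic inside a deny rule's scope and direction; a
    lower-numbered allow is the usual reason a deny rule stops taking effect."""
    scope = rule_scope(records, deny_reference)
    if scope is None:
        raise ValueError("no record with metadata fields for " + deny_reference)
    hits = Counter()
    for r in records:
        d = r["rule_details"]
        if (r["disposition"] == "ALLOWED" and d.get("direction") == scope["direction"]
                and _in_scope(r["connection"], scope)):
            hits[d["reference"]] += 1
    return hits

def top_sources(records, reference, n=3):
    """Most frequent src_ip values among a rule's records."""
    return Counter(r["connection"]["src_ip"] for r in records
                   if r["rule_details"]["reference"] == reference).most_common(n)
```

On the sample export, count_by_rule reports two DENIED records for rule-a and three ALLOWED for rule-c, and shadowing_allows(records, RULE_A) names rule-allow-web as the rule that let traffic through inside rule-a's scope on the egress side (the ingress-side rule-b record is excluded because it is a different direction). rule_scope depends on metadata fields: if logging metadata was excluded for every record of the deny rule, it returns None and shadowing_allows raises instead of silently reporting nothing, which is the right failure for a control check.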
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-07-02 UTC.