How To

GCP firewall rule logging

Automatically enable GCP Firewall Logging for one or more firewall rules.

Bob Tordella
5 min. read - May 03, 2021
Automatically enable GCP Firewall Logging for one or more firewall rules.

Firewall Rule Logging in Google Cloud (GCP) allows for audit, verification, and analysis of the configuration of firewall rules. With logging enabled it’s possible to determine if a firewall rule is functioning as intended, and how many connections are affected by any given rule.

Each log record contains the source and destination IP addresses, the protocol and ports used, the date and time, and a reference to the firewall rule that applied to the traffic. This information can assist in identifying potential operational and security risks in your environment.

This post looks at how Turbot Guardrails can automate the task of enabling GCP Firewall Rule logging on a single rule or across all rules in many GCP projects.

Traditional Workflow

The GCP console or APIs can be used to enable and disable firewall rule logging. When you enable this feature, the GCP Firewall service makes the logs available in Logs Explorer and in Firewall Insights. While it is simple to configure for a few firewall rules, ensuring that this logging is always enabled for all rules across dozens (or hundreds) of GCP projects would require development of automation scripts.

Get it done with Turbot Guardrails

In Turbot Guardrails, GCP Firewall Logging guardrails are readily available to control your cloud resource configurations. We can enable this automation by setting the GCP > Network > Firewall > Logging policy with just a few clicks in the Turbot Guardrails GUI:

Set a policy to take corrective action for enabling firewall rule logging.

Setting the configuration via the Turbot Guardrails Terraform Provider is just as easy:

Terraform template to set the GCP > Network > Firewall > Logging policy.

After setting this policy, Turbot Guardrails will identify all firewall rules that are not enabled for firewall rule logging, and then handle their remediation (i.e. enable the logging configuration).

If you are not yet ready to enforce remediation, you can still assess what rules do not have logging enabled by setting the value to Check: Enabled at the Turbot level.

Turning on firewall logging can generate a large number of logs which can increase GCP Stackdriver costs. To prevent costs from running out of control, use Turbot Guardrails time-based policy expiration feature to automatically reset the configuration after a given time period has elapsed, or when you no longer need logging enabled.

Make it happen!

See for yourself how easy it is to manage your logging configuration across your GCP firewalls. A ready-to-run Terraform template is available to enable this configuration from the Turbot Development Kit (TDK). If you need any assistance, let us know in our Slack community #guardrails channel. If you are new to Turbot, connect with us to learn more!