[Turbot On] GCP Firewall Rule Logging

Automatically enable GCP Firewall Logging for one or more firewall rules.

Firewall Rule Logging in Google Cloud (GCP) allows for audit, verification, and analysis of the configuration of firewall rules. With logging enabled it’s possible to determine if a firewall rule is functioning as intended, and how many connections are affected by any given rule.

Each log record contains the source and destination IP addresses, the protocol and ports used, the date and time, and a reference to the firewall rule that applied to the traffic. This information can assist in identifying potential operational and security risks in your environment.

This week we will look at how Turbot can automate the task of enabling GCP Firewall Rule logging on a single rule or across all rules in many GCP projects.

Traditional Workflow

The GCP console or APIs can be used to enable and disable firewall rule logging. When you enable this feature, the GCP Firewall service makes the logs available in Logs Explorer and in Firewall Insights. While it is simple to configure for a few firewall rules, ensuring that this logging is always enabled for all rules across dozens (or hundreds) of GCP projects would require development of automation scripts.

Get it done with Turbot

In Turbot, GCP Firewall Logging guardrails are readily available to control your cloud resource configurations. We can enable this automation by setting the `GCP > Network > Firewall > Logging` policy with just a few clicks in the Turbot GUI.

Setting the configuration via Turbot's Terraform provider is just as easy.

After setting this policy, Turbot will identify all firewall rules that are not enabled for firewall rule logging, and then handle their remediation (i.e. enable the logging configuration).

If you are not yet ready to enforce remediation, you can still assess which rules do not have logging enabled by setting the policy value to `Check: Enabled` at the Turbot level.
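As an added example (not Turbot's code or the TDK template), this is what the "assess only" and "remediate" halves of the automation script mentioned under Traditional Workflow look like when written by hand, mirroring the `Check` and `Enforce` modes above. It operates on the JSON shape the Compute Engine API returns for firewall rules; the sample rules are constructed, and the real `firewalls.patch` call is only sketched in a comment so the script runs offline.

```python
"""Check or enforce GCP firewall rule logging over Compute Engine API firewall JSON.

Added example, not Turbot code. Input rules follow the shape of
compute.firewalls().list(project=...).execute()["items"]: each rule may carry
an optional "logConfig" block {"enable": bool, "metadata": str}.
"""
from typing import Callable, Dict, Iterable, List

# Constructed sample rules (not from a real project).
SAMPLE_FIREWALLS = [
    {"name": "allow-ssh-bastion",
     "logConfig": {"enable": True, "metadata": "INCLUDE_ALL_METADATA"}},
    {"name": "allow-internal", "logConfig": {"enable": False}},
    # Rules created before logging was ever configured have no logConfig key at all.
    {"name": "default-allow-icmp"},
    {"name": "deny-all-egress",
     "logConfig": {"enable": True, "metadata": "EXCLUDE_ALL_METADATA"}},
]


def logging_enabled(rule: Dict) -> bool:
    """A rule is logging only if logConfig.enable is True; a missing block means off."""
    return bool(rule.get("logConfig", {}).get("enable", False))


def check(firewalls: Iterable[Dict]) -> List[str]:
    """Check mode: report the names of rules that are not logging; change nothing."""
    return sorted(r["name"] for r in firewalls if not logging_enabled(r))


def logging_patch(metadata: str = "INCLUDE_ALL_METADATA") -> Dict:
    """Request body for firewalls.patch that turns logging on and leaves other fields alone."""
    return {"logConfig": {"enable": True, "metadata": metadata}}


def enforce(firewalls: Iterable[Dict], patch: Callable[[str, Dict], None]) -> List[str]:
    """Enforce mode: send the patch body to every non-compliant rule and return the names fixed.

    Against the real API, patch would be roughly (assumed call shape, not run here):
      lambda name, body: compute.firewalls().patch(
          project=PROJECT, firewall=name, body=body).execute()
    """
    fixed = []
    for name in check(firewalls):
        patch(name, logging_patch())
        fixed.append(name)
    return fixed


if __name__ == "__main__":
    applied: Dict[str, Dict] = {}
    print("not logging:", check(SAMPLE_FIREWALLS))
    print("enforced:", enforce(SAMPLE_FIREWALLS, lambda n, b: applied.__setitem__(n, b)))
    print("patch bodies sent:", applied)
```

Running it across many projects is just a loop over project ids around `check` or `enforce`; note that `metadata="INCLUDE_ALL_METADATA"` produces the largest log volume, which is the cost concern discussed below.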

Turning on firewall logging can generate a large number of logs, which can increase GCP Stackdriver costs. To prevent costs from running out of control, use Turbot's time-based policy expiration feature to automatically reset the configuration after a given time period has elapsed, or when you no longer need logging enabled.

Make it happen

See for yourself how easy it is to manage your logging configuration across your GCP firewalls. A ready-to-run Terraform template is available to enable this configuration from the Turbot Development Kit (TDK). If you need any assistance please reach out to Turbot Support, and keep an eye on your inbox for another Turbot tip next week!