More Info:

IP forwarding should be disabled on all instances. This ensures that the instance sends and receives packets with matching destination or source IPs.

Risk Level

Medium

Address

Security, Reliability

Compliance Standards

SOC2, CISGCP, CBP, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the IP forwarding misconfiguration in GCP using the GCP console, follow these steps:
  1. Open the GCP console and select the project where the misconfiguration needs to be remediated.
  2. In the left navigation pane, select “Compute Engine” and then select “VM instances”.
  3. Select the VM instance where IP forwarding needs to be disabled.
  4. Click on the “Edit” button at the top of the page.
  5. Scroll down to the “Network interfaces” section and select the network interface where IP forwarding needs to be disabled.
  6. In the “Network interface details” section, uncheck the “Enable IP forwarding” checkbox.
  7. Click on the “Save” button at the bottom of the page to save the changes.
  8. Repeat steps 3-7 for any other VM instances where IP forwarding needs to be disabled.
Once you have completed these steps, IP forwarding will be disabled for the selected VM instances, and the misconfiguration will be remediated.

To remediate the IP forwarding misconfiguration for GCP using GCP CLI, follow these steps:
  1. Open the Google Cloud Console and select the project where the misconfiguration exists.
  2. Open the Cloud Shell by clicking on the icon in the top right corner of the console.
  3. In the Cloud Shell, run the following command to disable IP forwarding for all instances in the default network: 
gcloud compute networks subnets update default --no-enable-alias-ip-range --no-enable-ip-forwarding
  1. If you have custom networks or subnets, run the following command to disable IP forwarding for those:
gcloud compute networks subnets update [SUBNET_NAME] --no-enable-alias-ip-range --no-enable-ip-forwarding
Replace [SUBNET_NAME] with the name of the subnet where you want to disable IP forwarding.
  1. Verify that IP forwarding is disabled by running the following command:
gcloud compute networks subnets describe [SUBNET_NAME] --format="value(enableIpForwarding)"
This command should return “False” if IP forwarding is disabled.
  1. Repeat steps 4 and 5 for all other custom subnets in your project.
By following these steps, you can remediate the IP forwarding misconfiguration in GCP using GCP CLI.
To remediate the IP Forwarding misconfiguration in GCP using Python, you can use the following steps:
  1. Import the necessary libraries:
from googleapiclient import discovery
from oauth2client.client import GoogleCredentials
  1. Set up the credentials:
credentials = GoogleCredentials.get_application_default()
service = discovery.build('compute', 'v1', credentials=credentials)
  1. Get the current status of IP Forwarding:
project = 'your-project-id'
zone = 'your-zone'
instance = 'your-instance-name'

response = service.instances().get(project=project, zone=zone, instance=instance).execute()
ip_forwarding = response['canIpForward']
  1. If IP Forwarding is enabled, disable it:
if ip_forwarding:
    response = service.instances().setIamPolicy(
        project=project,
        zone=zone,
        resource=instance,
        body={
            "canIpForward": False
        }
    ).execute()
    print(f"IP Forwarding has been disabled for {instance}.")
else:
    print(f"IP Forwarding is already disabled for {instance}.")
  1. Verify that IP Forwarding has been disabled by checking the current status again:
response = service.instances().get(project=project, zone=zone, instance=instance).execute()
ip_forwarding = response['canIpForward']

if not ip_forwarding:
    print(f"IP Forwarding has been successfully disabled for {instance}.")
else:
    print(f"Failed to disable IP Forwarding for {instance}.")
Note: Make sure to replace the project, zone, and instance variables with your own values.

Additional Reading: