Cloud Monitoring Should Monitor Dropped Bytes Count For Firewall
More Info:
Ensure Cloud Monitoring monitors dropped bytes count for firewall.
Risk Level
Medium
Address
Security, Performance Efficiency, Reliability
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the “Cloud Monitoring Should Monitor Dropped Bytes Count For Firewall” misconfiguration for GCP using the GCP console, follow these steps:

- Open the GCP Console and navigate to the Firewall rules page by selecting “Firewall” under the “VPC Network” section in the left-hand menu.
- Find the firewall rule that you want to monitor and click on its name to open its details page.
- Click on the “Logs” tab to view the firewall logs.
- In the logs, look for entries for dropped (denied) traffic. If you see any, your firewall is dropping traffic and you need to investigate further to determine whether this is expected behavior.
- To monitor the dropped bytes count, you need to create a log-based metric. Click on the “Create Metric” button to create a new metric.
- Give your metric a name and a description. For example, you can name it “Dropped Bytes Count” and give it a description like “Number of bytes dropped by the firewall”.
- Under the “Filter” section, enter the following filter expression, replacing [PROJECT_ID] with your actual GCP project ID (firewall rule log entries carry their fields under jsonPayload):

```
resource.type="gce_subnetwork" log_name="projects/[PROJECT_ID]/logs/compute.googleapis.com%2Ffirewall" jsonPayload.rule_details.action="DENY"
```

- Set the metric aggregation to “Sum” and the metric unit to “By”.
- Click on the “Create Metric” button to create the new metric.
- Now that you have created the metric, you can create a Cloud Monitoring alert based on it. Click on the “Create Alerting Policy” button to create a new alerting policy.
- Give your alerting policy a name and a description.
- Under the “Condition” section, select your newly created “Dropped Bytes Count” metric.
- Set the threshold and duration for the alert. For example, you can set the threshold to “10” and the duration to “5 minutes”.
- Under the “Notification” section, select the notification channels where you want to receive alerts.
- Click on the “Save” button to create the new alerting policy.

That’s it! You have now remediated the “Cloud Monitoring Should Monitor Dropped Bytes Count For Firewall” misconfiguration for GCP using the GCP console.
To remediate the misconfiguration of monitoring dropped bytes count for firewall in GCP using the GCP CLI, follow these steps:

- Open the Cloud Shell in the GCP console.
- Run the following command to list all the firewall rules in your GCP project:

```
gcloud compute firewall-rules list
```

- Identify the firewall rule that needs to be remediated.
- Run the following command to update the firewall rule and enable logging (with full metadata) so that dropped traffic is recorded. Replace [FIREWALL_RULE_NAME] with the name of the firewall rule that needs to be updated:

```
gcloud compute firewall-rules update [FIREWALL_RULE_NAME] --enable-logging --logging-metadata=include-all
```

- Verify that logging is enabled for the firewall rule by running the following command:

```
gcloud compute firewall-rules describe [FIREWALL_RULE_NAME] --format="value(logConfig.enable)"
```

This command should return `True`, indicating that logging is enabled for the firewall rule.

By following these steps, you can remediate the misconfiguration of monitoring dropped bytes count for firewall in GCP using the GCP CLI.
To remediate the misconfiguration of dropped bytes count for firewall in GCP using Python, follow these steps:

- First, enable the Cloud Monitoring API (formerly Stackdriver Monitoring) in your GCP project.
- Then, install the google-cloud-monitoring library using the following command:

```
pip install google-cloud-monitoring
```

- Next, create a Python script to read the dropped bytes count for firewall. Here is an example script; replace <your-project-id> with your actual GCP project ID:

```python
import time

from google.cloud import monitoring_v3

client = monitoring_v3.MetricServiceClient()
# Project resource name; replace <your-project-id> with your actual GCP project ID.
project_name = "projects/<your-project-id>"

# Per-instance count of incoming bytes dropped by the firewall.
filter_str = 'metric.type="compute.googleapis.com/firewall/dropped_bytes_count"'

# Query the last hour.
now = int(time.time())
interval = monitoring_v3.TimeInterval(
    {"end_time": {"seconds": now}, "start_time": {"seconds": now - 3600}}
)

results = client.list_time_series(
    request={
        "name": project_name,
        "filter": filter_str,
        "interval": interval,
        "view": monitoring_v3.ListTimeSeriesRequest.TimeSeriesView.FULL,
    }
)
for result in results:
    print(result)
```

- Run the script; it prints the dropped bytes count for firewall in the last hour.
- You can then set up alerts in Cloud Monitoring based on this metric to get notified when the dropped bytes count exceeds a certain threshold.

By following these steps, you can remediate the misconfiguration of dropped bytes count for firewall in GCP using Python.
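The alerting policy in the console steps (aggregation “Sum”, threshold 10, duration 5 minutes) and the time-series query in the Python section both come down to one evaluation: sum the dropped_bytes_count samples per instance over the window and flag the instances above the threshold. The following Python is an added example, not code from the original page or from Google's client library; it performs that evaluation offline over constructed sample points so it runs without GCP access. The `Point` class, its flattened field layout, the instance names and the sample values are assumptions for illustration. It also builds the log-based metric filter from a project ID, matching the console expression above.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List


def firewall_deny_filter(project_id: str) -> str:
    """Build the Cloud Logging filter for firewall DENY entries in a project.

    Same expression as the log-based metric in the console steps; firewall
    rule log entries carry their fields under jsonPayload.
    """
    return (
        'resource.type="gce_subnetwork" '
        f'log_name="projects/{project_id}/logs/compute.googleapis.com%2Ffirewall" '
        'jsonPayload.rule_details.action="DENY"'
    )


@dataclass(frozen=True)
class Point:
    """One sample of compute.googleapis.com/firewall/dropped_bytes_count.

    Hypothetical flattened shape used for this example: the instance label of
    the time series, the sample's Unix timestamp in seconds, and the count of
    dropped bytes in that sample.
    """
    instance: str
    ts: int
    value: int


def breaching_instances(points: Iterable[Point], threshold: int,
                        window_seconds: int, now: int) -> List[str]:
    """Return instances whose dropped bytes, summed over the window, exceed threshold.

    Mirrors the alerting policy: aggregation "Sum" over the duration window,
    then compare against the threshold. Samples outside (now - window, now]
    are ignored, so an old spike cannot keep an alert firing.
    """
    totals: Dict[str, int] = {}
    for p in points:
        if now - window_seconds < p.ts <= now:
            totals[p.instance] = totals.get(p.instance, 0) + p.value
    return sorted(name for name, total in totals.items() if total > threshold)


# Constructed sample data (not real telemetry): two instances, a 5-minute window.
NOW = 1_700_000_000
SAMPLE_POINTS = [
    Point("web-1", NOW - 240, 4),
    Point("web-1", NOW - 120, 3),
    Point("web-1", NOW - 30, 5),     # web-1 totals 12 bytes within the window
    Point("db-1", NOW - 200, 2),
    Point("db-1", NOW - 60, 3),      # db-1 totals 5 bytes within the window
    Point("db-1", NOW - 900, 100),   # too old: outside the 5-minute window
]


def evaluate_sample() -> List[str]:
    """Apply the page's example policy (threshold 10, duration 5 minutes)."""
    return breaching_instances(SAMPLE_POINTS, threshold=10,
                               window_seconds=300, now=NOW)


if __name__ == "__main__":
    print(firewall_deny_filter("my-project"))
    print("instances over threshold:", evaluate_sample())
```

With the sample data only `web-1` breaches the policy: its three in-window samples sum to 12, while `db-1` sums to 5 because the 100-byte sample is older than the window. The same `breaching_instances` function can be fed points flattened from the `list_time_series` results in the Python section to reproduce the alert locally.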