monitoring platform-admin security-tips

Monitor WAF rules

Platform Admin Platform Admin Duration: 5 min | Persona: Platform Admin

In this section, you will monitor Cloud Armor security policies logs (WAF rules).

Initialize variables:

WORK_DIR=~/
source ${WORK_DIR}acm-workshop-variables.sh

In the Google Cloud console, navigate to Network Security > Cloud Armor service. Click on the link displayed by the command below:

echo -e "https://console.cloud.google.com/net-security/securitypolicies/details/${SECURITY_POLICY_NAME}?project=${TENANT_PROJECT_ID}"

Cloud Armor rules Cloud Armor rules

Using Cloud Logging, you can view every request evaluated by a Google Cloud Armor security policy and the outcome or action taken.

Select the Logs tab and click on View policy logs. From here, change Last 1 hour by Last 7 days (top left) and enable the Show query toggle (top right):

Cloud Armor logging Cloud Armor logging

In the Query field you could add a new line with jsonPayload.enforcedSecurityPolicy.outcome="DENY" for example to see all the denied requests by the WAF rules you set up earlier in this workshop.

You could also leverage the gcloud command below to get such insights.

Run this command in Cloud Shell:

filter="resource.type=\"http_load_balancer\" "\
"jsonPayload.enforcedSecurityPolicy.name=\"${SECURITY_POLICY_NAME}\" "\
"jsonPayload.enforcedSecurityPolicy.outcome=\"DENY\""

gcloud logging read --project $TENANT_PROJECT_ID "$filter"

You can also view the number of allowed and denied requests by Cloud Armor in Monitoring > Metrics Explorer. Click on the link displayed by the command below:

echo -e "https://console.cloud.google.com/monitoring/metrics-explorer?pageState=%7B%22xyChart%22:%7B%22dataSets%22:%5B%7B%22timeSeriesFilter%22:%7B%22filter%22:%22metric.type%3D%5C%22networksecurity.googleapis.com%2Fhttps%2Frequest_count%5C%22%20resource.type%3D%5C%22network_security_policy%5C%22%22,%22minAlignmentPeriod%22:%2260s%22,%22aggregations%22:%5B%7B%22perSeriesAligner%22:%22ALIGN_SUM%22,%22crossSeriesReducer%22:%22REDUCE_NONE%22,%22alignmentPeriod%22:%2260s%22,%22groupByFields%22:%5B%5D%7D,%7B%22crossSeriesReducer%22:%22REDUCE_NONE%22,%22alignmentPeriod%22:%2260s%22,%22groupByFields%22:%5B%5D%7D%5D%7D,%22targetAxis%22:%22Y1%22,%22plotType%22:%22LINE%22%7D%5D,%22options%22:%7B%22mode%22:%22COLOR%22%7D,%22constantLines%22:%5B%5D,%22timeshiftDuration%22:%220s%22,%22y1Axis%22:%7B%22label%22:%22y1Axis%22,%22scale%22:%22LINEAR%22%7D%7D,%22isAutoRefresh%22:true,%22timeSelection%22:%7B%22timeRange%22:%221h%22%7D%7D&project=${TENANT_PROJECT_ID}"

Cloud Armor requests count metric Cloud Armor requests count metric