Files
wehub-resource-sync bb5c75ce05
Component Security Validation / Security Audit (push) Has been cancelled
Deploy to Cloudflare Pages / deploy (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:38:58 +08:00

3.0 KiB

Firewall Rule Logging Analysis Reference

Use firewall logs (compute.googleapis.com/firewall) to verify if traffic is allowed or denied.

🤖 Agent / Gemini CLI Instructions (MCP)

You should use Cloud Logging MCP for exploratory analysis or BigQuery MCP for high-volume trends. Fallback to the CLI if the MCP tools are not available.

  • Exploratory Analysis: Typically involves looking at individual log entries or a small set of logs to understand specific events, debug issues, or investigate anomalies. This often requires filtering and examining the full details of log records.
  • High-Volume Trends: Focuses on aggregating large datasets of logs over time to identify patterns, measure traffic volumes, analyze latency distributions, or find "top talkers." This usually involves SQL queries to summarize data rather than inspecting individual logs.

1. View Logs (Cloud Logging MCP)

Tool: list_log_entries

Filter:

resource.type="gce_subnetwork"
logName="projects/{project_id}/logs/compute.googleapis.com%2Ffirewall"

Filter for denied packets:

text jsonPayload.rule_details.action="DENY"

Tool: execute_sql

SQL Pattern:

SELECT JSON_VALUE(json_payload.rule_details.reference) AS
rule_name, COUNT(*) AS block_count FROM `{project_id}.{dataset_id}._AllLogs`
WHERE log_name LIKE '%firewall%' AND
JSON_VALUE(json_payload.rule_details.action) = 'DENY' GROUP BY 1 ORDER BY
block_count DESC LIMIT 10

3. CLI Fallback

If MCP tools are unavailable, use the following gcloud and bq commands:

View Logs (gcloud)

gcloud logging read 'resource.type="gce_subnetwork" AND logName="projects/{project_id}/logs/compute.googleapis.com%2Ffirewall"' --project {project_id} --limit 10 --format json --quiet

To filter for denied packets:

gcloud logging read 'resource.type="gce_subnetwork" AND logName="projects/{project_id}/logs/compute.googleapis.com%2Ffirewall" AND jsonPayload.rule_details.action="DENY"' --project {project_id} --limit 10 --format json --quiet

Aggregate Trends (bq)

bq query --use_legacy_sql=false --project_id {project_id} '
SELECT
  JSON_VALUE(json_payload.rule_details.reference) AS rule_name,
  COUNT(*) AS block_count
FROM `{project_id}.{dataset_id}._AllLogs`
WHERE
  log_name LIKE "%firewall%"
  AND JSON_VALUE(json_payload.rule_details.action) = "DENY"
GROUP BY 1
ORDER BY block_count DESC
LIMIT 10
'

Key Fields

  • jsonPayload.rule_details.action: ALLOW or DENY.
  • jsonPayload.rule_details.reference: The firewall rule name (for example, default-deny-all).
  • jsonPayload.connection.src_ip / dest_ip: The source and destination of the connection.

Common Use Cases

  • Identify Blocks: Find which DENY rule is causing connection failures.
  • Security Audit: Detect unexpected traffic patterns.