Cloud Armor logs aren't very clear when rule is set as "Preview only"
I'm deploying WAF with Cloud Armor and I realized that the rules can be created in a "Preview only" mode and that there are Cloud Armor entries in Cloud Logging.
The problem is that when I create a "Preview only" rule and that rule is matched by some request, I cannot differentiate, in the logs, the requests that matched some specific rule and/or the normal, ordinary requests. They look all pretty much the same.
Are there any logging attributes that only exist (or have specific values) when the request match a specific rule in these cases? Because the only way I found to explicitly check the rules matched by some request is unchecking the "Preview only" flag, and it is not nice for production when testing.
When you have rules configured in Cloud Armor set to "Preview", Cloud Logging will record what the rule would have done if enabled.
This Cloud Logging filter will show you entries that were denied by Cloud Armor:
resource.type="http_load_balancer"
jsonPayload.statusDetails="denied_by_security_policy"
This Cloud Logging filter will show you entries that would have been denied by Cloud Armor:
resource.type="http_load_balancer"
jsonPayload.previewSecurityPolicy.outcome="DENY"
In Cloud Logging, set the resource.type to "http_load_balancer" and delete the second filter line to see all entries.
Expand one of the entries:
Look for "jsonPayload.enforcedSecurityPolicy". This is the Cloud Armor Policy.
Look for "jsonPayload.previewSecurityPolicy". This provides details on the rule priority which tells you the rule and the outcome if the rule was not in preview.
Example screenshot:
- Generate GCP auth identity-token in JAVA
- Are GCP default firewall-rules a security-concern?
- Permissions error fetching application - Gcloud app deploy
- google cloud pub sub multiple subscriber for the same message with the same subscription
- CloudFlare 400 Error When Calling OpenAI Completions API on CloudRun
- Deploy a container to Cloud Run after pushing to Artifact Registry automaticlly
- Creating a cloudsql instance in the VPC network of my Project
- Google Cloud platform performance: how many users
- Bash Indirect expansion doesn't seem to work in cloud build bash scripts?
- Some scopres missing from Google Gmail API oAuth Consent Flow
- How do I list all the top-level folders in given GCS bucket?
- Trigger Google Cloud Build with Google Cloud Scheduler periodically
- How can I prevent certain HTML tags from being stored to Firestore with firestore.rules?
- Google Cloud Functions - ImportError: cannot import name 'InvalidKeyError' from 'jwt.exceptions'
- GCP - User ... does not have permission to access projects instance
- curl failing in Google Cloud Build when using a secret
- Google Cloud Compute Engine refusing connections despite firewall rule
- How to I return JSON from a Google Cloud Function
- Making Exact Copy of Server Google Cloud
- How to drop multiple tables in Big query using Wildcards TABLE_DATE_RANGE()?
- firebase, linkWithCredential to add new auth provider to an Account
- .NET Core Blazor Server cannot access to Cloud SQL in Cloud Run
- Google Compute Engine and ADC Application Default Credentials
- Is there a way to connect cloud firestore to realtime database using Cloud functions?
- Pyspark on GCP Dataproc - Partial reading of data for gzip encoded Cloud Storage files
- How to use GitHub immutable values (IDs) in Attribute Conditions?
- Cannot find the id using Firebase Firestore Database - Android kotlin
- _CHANGE_TYPE not working when streaming Google Big Query rows from Pub/Sub
- Realtime database `onValueWritten` event does not trigger in emulator
- Error 400: invalid_scope with Postman and Google OAuth2