Evaluation order for firewall policies and rules

Each regular Virtual Private Cloud (VPC) network has a network firewall policy enforcement order that determines the order in which Cloud NGFW evaluates firewall policy rules.

Network firewall policy enforcement order

A VPC network can use one of these network firewall policy enforcement orders:

  • AFTER_CLASSIC_FIREWALL (default): Cloud NGFW evaluates firewall policies and rules in the following order:

    1. Hierarchical firewall policies
    2. Regional system firewall policies
    3. VPC firewall rules
    4. Global network firewall policies
    5. Regional network firewall policies
    6. Implied firewall rules

  • BEFORE_CLASSIC_FIREWALL: Cloud NGFW evaluates firewall policies and rules in the following order:

    1. Hierarchical firewall policies
    2. Regional system firewall policies
    3. Global network firewall policies
    4. Regional network firewall policies
    5. VPC firewall rules
    6. Implied firewall rules

To change the network firewall policy enforcement order, do any one of the following:

  • Use the networks.patch method and set the networkFirewallPolicyEnforcementOrder attribute of the VPC network.

  • Use the gcloud compute networks update command with the --network-firewall-policy-enforcement-order flag.

    For example:

    gcloud compute networks update VPC_NETWORK_NAME \
    --network-firewall-policy-enforcement-order=ENFORCEMENT_ORDER

Firewall rule evaluation process

This section describes the order in which Cloud NGFW evaluates rules that apply to target resources in regular VPC networks.

Each firewall rule is either an ingress rule or an egress rule, based on the direction of traffic:

  • Ingress rules apply to packets for a new connection that a target resource receives. Supported target resources for ingress rules are as follows:

    • Network interfaces of virtual machine (VM) instances.

    • Managed Envoy proxies used by internal Application Load Balancers and internal proxy Network Load Balancers (Preview).

  • Egress rules apply to packets for a new connection that a target VM network interface sends.

Cloud NGFW always evaluates rules in hierarchical firewall policies and regional system firewall policies before it evaluates any other firewall rules. You control the order in which Cloud NGFW evaluates other firewall rules by choosing a network firewall policy enforcement order. The network firewall policy enforcement order can be either AFTER_CLASSIC_FIREWALL or BEFORE_CLASSIC_FIREWALL.

AFTER_CLASSIC_FIREWALL network firewall policy enforcement order

When the network firewall policy enforcement order is AFTER_CLASSIC_FIREWALL, Cloud NGFW evaluates rules in global and regional network firewall policies after evaluating VPC firewall rules. This is the default evaluation order.

In a regular VPC network that uses the AFTER_CLASSIC_FIREWALL enforcement order, the complete firewall rule evaluation order is the following:

  1. Hierarchical firewall policies.

    Cloud NGFW evaluates hierarchical firewall policies in the following order:

    1. The hierarchical firewall policy associated with the organization that contains the target resource.
    2. Hierarchical firewall policies associated with folder ancestors, from the top-level folder down to the folder that contains the target resource's project.

    When evaluating rules in each hierarchical firewall policy, Cloud NGFW performs the following steps:

    1. Disregard all rules whose targets don't match the target resource.
    2. Disregard all rules that don't match the packet's direction.
    3. Evaluate the remaining rules from the highest to the lowest priority.

      Evaluation stops when either one of the following conditions is met:

      • A rule that applies to the target resource matches the traffic.
      • No rules that apply to the target resource match the traffic.

    In a hierarchical firewall policy, at most, one rule can match traffic. The firewall rule's action on match can be one of the following:

    • allow: the rule allows the traffic, and all rule evaluation stops.
    • deny: the rule denies the traffic, and all rule evaluation stops.
    • apply_security_profile_group: the rule forwards the traffic to a configured firewall endpoint, and all rule evaluation stops. The decision to allow or drop the packet depends on the configured security profile of the security profile group.
    • goto_next: the rule evaluation continues to one of the following:
      • A hierarchical firewall policy associated with a folder ancestor closer to the target resource, if it exists.
      • The next step in the evaluation order, if all hierarchical firewall policies have been evaluated.

    If no rule in a hierarchical firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to one of the following:

    • A hierarchical firewall policy associated with a folder ancestor closer to the target resource, if it exists.
    • The next step in the evaluation order, if all hierarchical firewall policies have been evaluated.

  2. Regional system firewall policies.

    When evaluating regional system firewall policy rules, Cloud NGFW performs the following steps:

    1. Disregard all rules whose targets don't match the target resource.
    2. Disregard all rules that don't match the packet's direction.
    3. Evaluate the remaining rules from the highest to the lowest priority.

      Evaluation stops when either one of the following conditions is met:

      • A rule that applies to the target resource matches the traffic.
      • No rules that apply to the target resource match the traffic.

    In a regional system firewall policy, at most, one rule can match traffic. The firewall rule's action on match can be one of the following:

    • allow: the rule allows the traffic, and all rule evaluation stops.
    • deny: the rule denies the traffic, and all rule evaluation stops.
    • goto_next: the rule evaluation continues to
      • A regional system firewall policy with the next highest association priority, if it exists.
      • The next step in the evaluation order, if all regional system firewall policies have been evaluated.

    If no rule in a regional system firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to one of the following:

    • A regional system firewall policy with the next highest association priority, if it exists.
    • The next step in the evaluation order, if all regional system firewall policies have been evaluated.

  3. VPC firewall rules.

    When evaluating VPC firewall rules, Cloud NGFW performs the following steps:

    1. Disregard all rules whose targets don't match the target resource.
    2. Disregard all rules that don't match the packet's direction.
    3. Evaluate the remaining rules from the highest to the lowest priority.

      Evaluation stops when either one of the following conditions is met:

      • A rule that applies to the target resource matches the traffic.
      • No rules that apply to the target resource match the traffic.

    When one or two VPC firewall rules match traffic, the firewall rule's action on match can be one of the following:

    • allow: the rule allows the traffic, and all rule evaluation stops.
    • deny: the rule denies the traffic, and all rule evaluation stops.

    If two rules match, they must have the same priority but different actions. In this case, Cloud NGFW enforces the deny VPC firewall rule, and ignores the allow VPC firewall rule.

    If no VPC firewall rules match the traffic, Cloud NGFW uses an implied goto_next action to continue to the next step in the evaluation order.

  4. Global network firewall policy.

    When evaluating rules in a global network firewall policy, Cloud NGFW performs the following steps:

    1. Disregard all rules whose targets don't match the target resource.
    2. Disregard all rules that don't match the packet's direction.
    3. Evaluate the remaining rules from the highest to the lowest priority.

      Evaluation stops when either one of the following conditions is met:

      • A rule that applies to the target resource matches the traffic.
      • No rules that apply to the target resource match the traffic.

    In a global network firewall policy, at most, one rule can match traffic. The firewall rule's action on match can be one of the following:

    • allow: the rule allows the traffic, and all rule evaluation stops.
    • deny: the rule denies the traffic, and all rule evaluation stops.
    • apply_security_profile_group: the rule forwards the traffic to a configured firewall endpoint, and all rule evaluation stops. The decision to allow or drop the packet depends on the configured security profile of the security profile group.
    • goto_next: the rule evaluation continues to the regional network firewall policy step in the evaluation order.

    If no rule in a global network firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to the regional network firewall policy step in the evaluation order.

  5. Regional network firewall policies.

    Cloud NGFW evaluates rules in regional network firewall policies that are associated with the region and VPC network of the target resource.

    When evaluating rules in a regional network firewall policy, Cloud NGFW performs the following steps:

    1. Disregard all rules whose targets don't match the target resource.
    2. Disregard all rules that don't match the packet's direction.
    3. Evaluate the remaining rules from the highest to the lowest priority.

      Evaluation stops when either one of the following conditions is met:

      • A rule that applies to the target resource matches the traffic.
      • No rules that apply to the target resource match the traffic.

    In a regional network firewall policy, at most, one rule can match traffic. The firewall rule's action on match can be one of the following:

    • allow: the rule allows the traffic, and all rule evaluation stops.
    • deny: the rule denies the traffic, and all rule evaluation stops.
    • goto_next: the rule evaluation continues to the next step in the evaluation order.

    If no rule in a regional network firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to the next step in the evaluation order.

  6. Last step— implied action.

    Cloud NGFW applies an implied action if firewall rule evaluation has continued through every previous step by following explicit or implicit goto_next actions. The implied action depends on the direction of the traffic:

    • For the ingress traffic, the implied action also depends on the target resource:

      • If the target resource is a network interface of a VM instance, the implied ingress action is deny.

      • If the target resource is a forwarding rule of an internal Application Load Balancer or internal proxy Network Load Balancer, the implied ingress is allow.

    • For the egress traffic, the implied action is allow.

AFTER_CLASSIC_FIREWALL diagram

The following diagram illustrates the AFTER_CLASSIC_FIREWALL network firewall policy enforcement order:

Firewall rule resolution flow.
Figure 1. Firewall rule resolution flow if the network firewall policy enforcement order is AFTER_CLASSIC_FIREWALL (click to enlarge).

BEFORE_CLASSIC_FIREWALL network firewall policy enforcement order

When the network firewall policy enforcement order is BEFORE_CLASSIC_FIREWALL, Cloud NGFW evaluates rules in global and regional network firewall policies before evaluating VPC firewall rules.

In a regular VPC network that uses the BEFORE_CLASSIC_FIREWALL enforcement order, the complete firewall rule evaluation order is the following:

  1. Hierarchical firewall policies.

    Cloud NGFW evaluates hierarchical firewall policies in the following order:

    1. The hierarchical firewall policy associated with the organization that contains the target resource.
    2. Hierarchical firewall policies associated with folder ancestors, from the top-level folder down to the folder that contains the target resource's project.

    When evaluating rules in each hierarchical firewall policy, Cloud NGFW performs the following steps:

    1. Disregard all rules whose targets don't match the target resource.
    2. Disregard all rules that don't match the packet's direction.
    3. Evaluate the remaining rules from the highest to the lowest priority.

      Evaluation stops when either one of the following conditions is met:

      • A rule that applies to the target resource matches the traffic.
      • No rules that apply to the target resource match the traffic.

    In a hierarchical firewall policy, at most, one rule can match traffic. The firewall rule's action on match can be one of the following:

    • allow: the rule allows the traffic, and all rule evaluation stops.
    • deny: the rule denies the traffic, and all rule evaluation stops.
    • apply_security_profile_group: the rule forwards the traffic to a configured firewall endpoint, and all rule evaluation stops. The decision to allow or drop the packet depends on the configured security profile of the security profile group.
    • goto_next: the rule evaluation continues to one of the following:
      • A hierarchical firewall policy associated with a folder ancestor closer to the target resource, if it exists.
      • The next step in the evaluation order, if all hierarchical firewall policies have been evaluated.

    If no rule in a hierarchical firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to one of the following:

    • A hierarchical firewall policy associated with a folder ancestor closer to the target resource, if it exists.
    • The next step in the evaluation order, if all hierarchical firewall policies have been evaluated.

  2. Regional system firewall policies.

    When evaluating regional system firewall policy rules, Cloud NGFW performs the following steps:

    1. Disregard all rules whose targets don't match the target resource.
    2. Disregard all rules that don't match the packet's direction.
    3. Evaluate the remaining rules from the highest to the lowest priority.

      Evaluation stops when either one of the following conditions is met:

      • A rule that applies to the target resource matches the traffic.
      • No rules that apply to the target resource match the traffic.

    In a regional system firewall policy, at most, one rule can match traffic. The firewall rule's action on match can be one of the following:

    • allow: the rule allows the traffic, and all rule evaluation stops.
    • deny: the rule denies the traffic, and all rule evaluation stops.
    • goto_next: the rule evaluation continues to
      • A regional system firewall policy with the next highest association priority, if it exists.
      • The next step in the evaluation order, if all regional system firewall policies have been evaluated.

    If no rule in a regional system firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to one of the following:

    • A regional system firewall policy with the next highest association priority, if it exists.
    • The next step in the evaluation order, if all regional system firewall policies have been evaluated.

  3. Global network firewall policy.

    When evaluating rules in a global network firewall policy, Cloud NGFW performs the following steps:

    1. Disregard all rules whose targets don't match the target resource.
    2. Disregard all rules that don't match the packet's direction.
    3. Evaluate the remaining rules from the highest to the lowest priority.

      Evaluation stops when either one of the following conditions is met:

      • A rule that applies to the target resource matches the traffic.
      • No rules that apply to the target resource match the traffic.

    In a global network firewall policy, at most, one rule can match traffic. The firewall rule's action on match can be one of the following:

    • allow: the rule allows the traffic, and all rule evaluation stops.
    • deny: the rule denies the traffic, and all rule evaluation stops.
    • apply_security_profile_group: the rule forwards the traffic to a configured firewall endpoint, and all rule evaluation stops. The decision to allow or drop the packet depends on the configured security profile of the security profile group.
    • goto_next: the rule evaluation continues to the regional network firewall policy step in the evaluation order.

    If no rule in a global network firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to the regional network firewall policy step in the evaluation order.

  4. Regional network firewall policies.

    Cloud NGFW evaluates rules in regional network firewall policies that are associated with the region and VPC network of the target resource.

    When evaluating rules in a regional network firewall policy, Cloud NGFW performs the following steps:

    1. Disregard all rules whose targets don't match the target resource.
    2. Disregard all rules that don't match the packet's direction.
    3. Evaluate the remaining rules from the highest to the lowest priority.

      Evaluation stops when either one of the following conditions is met:

      • A rule that applies to the target resource matches the traffic.
      • No rules that apply to the target resource match the traffic.

    In a regional network firewall policy, at most, one rule can match traffic. The firewall rule's action on match can be one of the following:

    • allow: the rule allows the traffic, and all rule evaluation stops.
    • deny: the rule denies the traffic, and all rule evaluation stops.
    • goto_next: the rule evaluation continues to the next step in the evaluation order.

    If no rule in a regional network firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to the next step in the evaluation order.

  5. VPC firewall rules.

    When evaluating VPC firewall rules, Cloud NGFW performs the following steps:

    1. Disregard all rules whose targets don't match the target resource.
    2. Disregard all rules that don't match the packet's direction.
    3. Evaluate the remaining rules from the highest to the lowest priority.

      Evaluation stops when either one of the following conditions is met:

      • A rule that applies to the target resource matches the traffic.
      • No rules that apply to the target resource match the traffic.

    When one or two VPC firewall rules match traffic, the firewall rule's action on match can be one of the following:

    • allow: the rule allows the traffic, and all rule evaluation stops.
    • deny: the rule denies the traffic, and all rule evaluation stops.

    If two rules match, they must have the same priority but different actions. In this case, Cloud NGFW enforces the deny VPC firewall rule, and ignores the allow VPC firewall rule.

    If no VPC firewall rules match the traffic, Cloud NGFW uses an implied goto_next action to continue to the next step in the evaluation order.

  6. Last step— implied action.

    Cloud NGFW applies an implied action if firewall rule evaluation has continued through every previous step by following explicit or implicit goto_next actions. The implied action depends on the direction of the traffic:

    • For the ingress traffic, the implied action also depends on the target resource:

      • If the target resource is a network interface of a VM instance, the implied ingress action is deny.

      • If the target resource is a forwarding rule of an internal Application Load Balancer or internal proxy Network Load Balancer, the implied ingress is allow.

    • For the egress traffic, the implied action is allow.

BEFORE_CLASSIC_FIREWALL diagram

The following diagram illustrates the BEFORE_CLASSIC_FIREWALL network firewall policy enforcement order:

Firewall rule resolution flow.
Figure 2. Firewall rule resolution flow if the network firewall policy enforcement order is BEFORE_CLASSIC_FIREWALL (click to enlarge).

Effective firewall rules

Hierarchical firewall policy rules, VPC firewall rules, and global and regional network firewall policy rules control connections. You might find it helpful to see all the firewall rules that affect an individual network or VM interface.

Network effective firewall rules

You can view all firewall rules applied to a VPC network. The list includes all of the following kinds of rules:

  • Rules inherited from hierarchical firewall policies
  • VPC firewall rules
  • Rules applied from the global and regional network firewall policies

Instance effective firewall rules

You can view all firewall rules applied to a VM's network interface. The list includes all of the following kinds of rules:

  • Rules inherited from hierarchical firewall policies
  • Rules applied from the interface's VPC firewall
  • Rules applied from the global and regional network firewall policies

The rules are ordered from the organization level down to the VPC network. Only rules that apply to the VM interface are shown. Rules in other policies aren't shown.

To view the effective firewall policy rules within a region, see Get effective regional firewall policies for a network.

What's next