Troubleshoot firewall policy rules log issues

This page describes how to troubleshoot common issues that you might encounter when using firewall policy rules logging.

Firewall policy rules logging helps you audit, verify, and analyze the effects of your firewall rules. When you enable logging for firewall policy rules, you can view logs to verify that your rules work as intended and to understand how they affect connections. For more information, see Firewall policy rules logging overview.

Can't view logs

If you can't view firewall rule logs in Logs Explorer in the Google Cloud console, one of the following is usually the cause.

  • Insufficient permissions
  • Legacy networks not supported
  • Incorrect project context

Insufficient permissions

To view firewall rule logs, ask the project owner to grant your Identity and Access Management principal the Logs Viewer role (roles/logging.viewer) on the project that stores the logs. Logs Viewer is sufficient for firewall rule logs; you do not need the broader Private Logs Viewer role, which is only required for Data Access audit logs. For more information, see Permissions.

Legacy networks not supported

You cannot use firewall policy rules logging in a legacy network. Only Virtual Private Cloud (VPC) networks are supported.

Incorrect project context

Google Cloud stores firewall rule logs in the project that contains the VPC network, not necessarily in the project that contains the VM. In Logs Explorer, the entries appear under the log name compute.googleapis.com/firewall with the resource type gce_subnetwork. Make sure that you are looking for logs in the correct project.

In Shared VPC, you create virtual machine (VM) instances in service projects, but the VMs use a Shared VPC network in the host project. For Shared VPC, Google Cloud therefore stores the firewall rule logs in the host project, and a Logs Viewer role granted only on the service project does not let you see them. If you use Shared VPC, make sure that you have the appropriate permissions to view the firewall logs in the host project.

Log entries missing

If you can't find log entries for your firewall rules in Logs Explorer, check for the following common issues:

Connections don't match the expected firewall rule

Verify that the firewall rule you expect is in the list of applicable firewall rules for an instance.

  1. In the Google Cloud console, go to the VM instances page.

  2. In the VM instances section, click the name of the VM instance.

  3. In the Network interfaces section, click View details under the Network details column.

  4. In the Network configuration analysis section, check the applicable firewall rules. For more information, see View logs.

  5. If you are unsure about the IP addresses, ports, and protocols being used for the connection, you can use VPC Flow Logs to identify the traffic.

To make sure that you create your firewall rules correctly, see VPC firewall rules.

A higher priority rule without logging applies

Firewall rules are evaluated in priority order, where a lower numeric value means a higher priority, and only the highest-priority rule that matches a connection is applied. If that rule does not have logging enabled, no log entry is generated, even if a lower-priority rule with logging enabled also matches the traffic. The same applies when no custom rule matches at all: the implied rules then decide the connection, and the implied rules cannot be logged.

To troubleshoot this issue, run a Connectivity Test from the source to the destination. The test result identifies the firewall rule that was applied to the connection. For more information, see Create and run Connectivity Tests. Alternatively, identify the matching rule by enabling logging on the candidate rules:

  1. In the Google Cloud console, go to the VM instances page.

  2. In the VM instances section, click the name of the VM instance.

  3. In the Network interfaces section, click View details under the Network details column.

  4. In the Network configuration analysis section, check the applicable firewall rules and identify your custom rules in that list.

  5. Temporarily enable logging for all of those custom firewall rules. With logging enabled, the log entries show which rule matches the traffic. Logging on broad rules can produce a large volume of entries, so treat this as a short-lived diagnostic step.

  6. After you identify the rule, disable logging for rules that don't require it. To disable firewall rules logging, see Disable firewall policy rules logging.
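The first-match-by-priority behaviour described above, as an added worked example that is not part of this page or of Google Cloud's own tooling: a small Python model that takes the effective firewall rules for a VM, finds the rule that wins for a given connection, reports whether that rule logs, and lists the logging-enabled rules it shadows (the rules whose log entries you are looking for in vain). The rule dictionaries and the sample rule set are constructed for the example; their fields (priority, direction, sourceRanges, allowed/denied, logConfig.enable) follow the VPC firewall rule resource, and the assumption is that the `firewalls` list from `gcloud compute instances network-interfaces get-effective-firewalls INSTANCE --zone=ZONE --format=json` can be fed in with little adaptation.

```python
"""Model of VPC firewall rule evaluation: which rule wins, and does it log?

Constructed example, not Google Cloud code. Rule dicts follow the shape of the
VPC firewall rule resource (priority, direction, sourceRanges/destinationRanges,
allowed/denied, logConfig). Firewall policy rules use a different schema and
are not modelled here.
"""
import ipaddress

# Constructed sample of the effective rules for one VM (not real output).
# Rule 900 shadows rule 1000 for SSH from the bastion subnet and does not log.
SAMPLE_RULES = [
    {"name": "allow-ssh-from-bastion", "priority": 900, "direction": "INGRESS",
     "sourceRanges": ["10.0.1.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
     "logConfig": {"enable": False}},
    {"name": "allow-ssh-logged", "priority": 1000, "direction": "INGRESS",
     "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
     "logConfig": {"enable": True}},
    {"name": "deny-all-ingress-logged", "priority": 65000, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "denied": [{"IPProtocol": "all"}],
     "logConfig": {"enable": True}},
]


def _port_matches(port, port_specs):
    """An empty port list means all ports; specs look like "22" or "8000-9000"."""
    if not port_specs:
        return True
    for spec in port_specs:
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _l4_matches(protocol, port, configs):
    """Match protocol/port against an allowed[] or denied[] list."""
    protocol = protocol.lower()
    for cfg in configs:
        proto = cfg["IPProtocol"].lower()
        if proto == "all":
            return True
        if proto != protocol:
            continue
        # Port lists only apply to tcp/udp/sctp; other protocols match on protocol alone.
        if proto in ("tcp", "udp", "sctp"):
            if _port_matches(port, cfg.get("ports")):
                return True
        else:
            return True
    return False


def rule_matches(rule, direction, remote_ip, protocol, port):
    """True if the rule applies to this connection (target tags are ignored)."""
    if rule["direction"] != direction:
        return False
    range_key = "sourceRanges" if direction == "INGRESS" else "destinationRanges"
    ranges = rule.get(range_key)
    if ranges:  # an absent range list is treated as 0.0.0.0/0 in this model
        addr = ipaddress.ip_address(remote_ip)
        if not any(addr in ipaddress.ip_network(r, strict=False) for r in ranges):
            return False
    configs = rule.get("allowed") or rule.get("denied") or []
    return _l4_matches(protocol, port, configs)


def action_of(rule):
    return "deny" if "denied" in rule else "allow"


def evaluate(rules, direction, remote_ip, protocol, port):
    """Return the winning rule, its action, whether it logs, and shadowed logging rules."""
    matching = [r for r in rules if rule_matches(r, direction, remote_ip, protocol, port)]
    # Lower number = higher priority; on an exact tie, deny beats allow.
    matching.sort(key=lambda r: (r["priority"], 0 if action_of(r) == "deny" else 1))
    if not matching:
        # Implied rules: deny ingress, allow egress. They can never be logged.
        implied = "deny" if direction == "INGRESS" else "allow"
        return {"winner": None, "action": implied, "logged": False,
                "shadowed_logged_rules": []}
    winner, rest = matching[0], matching[1:]
    return {
        "winner": winner["name"],
        "action": action_of(winner),
        "logged": bool(winner.get("logConfig", {}).get("enable")),
        "shadowed_logged_rules": [r["name"] for r in rest
                                  if r.get("logConfig", {}).get("enable")],
    }


if __name__ == "__main__":
    # SSH from the bastion subnet: rule 900 wins and does not log, so the
    # logging-enabled rules 1000 and 65000 never produce an entry.
    print(evaluate(SAMPLE_RULES, "INGRESS", "10.0.1.5", "tcp", 22))
```

If `logged` is `False` and `shadowed_logged_rules` is non-empty, you have exactly the situation this section describes: enable logging on the winning rule (or on the implied-rule case, add an explicit lowest-priority rule with logging) rather than searching for entries from the shadowed rules. Hierarchical and network firewall policy rules are evaluated before VPC firewall rules in the default enforcement order and use a different schema, so a complete check of a VM's effective rules needs to include them too.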

Missing metadata for some log entries

If some log entries in Logs Explorer lack metadata fields that other entries for the same rule have, the usual cause is a delay in configuration propagation rather than a logging failure.

When you update a firewall rule that has logging enabled, it can take a few minutes before Google Cloud finishes propagating the changes needed to log traffic that matches the rule's updated components. Entries written during that window can reflect the previous configuration. If the gap persists for longer than a few minutes after the change, re-check the rule's logging configuration.
