Monitor WAF rules

Duration: 5 min | Persona: Platform Admin

In this section, you will monitor the logs of your Cloud Armor security policy (WAF rules).

Initialize variables:

WORK_DIR=~/
source ${WORK_DIR}acm-workshop-variables.sh

Using logging, you can view every request evaluated by a Google Cloud Armor security policy and the outcome or action taken.

In the Google Cloud console, navigate to Network Security > Cloud Armor service. Click on the link displayed by the command below:

echo -e "https://pantheon.corp.google.com/net-security/securitypolicies/details/${SECURITY_POLICY_NAME}?project=${TENANT_PROJECT_ID}"

Select the Logs tab and click on View policy logs. From here, change Last 1 hour to Last 7 days (top left) and enable the Show query toggle (top right):


In the Query field, you can add a new line, for example jsonPayload.enforcedSecurityPolicy.outcome="DENY", to see all the requests denied by the WAF rules you set up earlier in this workshop.

You could also leverage the gcloud command below to get such insights.

Run this command in Cloud Shell:

filter="resource.type=\"http_load_balancer\" "\
"jsonPayload.enforcedSecurityPolicy.name=\"${SECURITY_POLICY_NAME}\" "\
"jsonPayload.enforcedSecurityPolicy.outcome=\"DENY\""

gcloud logging read --project $TENANT_PROJECT_ID "$filter"
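
To turn those entries into something you can triage, the script below tallies denied requests per matched rule and per client IP. It is an added example, not part of the original workshop; it assumes you saved the output of the command above with `--format=json`, and the policy name, IP addresses and entries in SAMPLE are constructed.

```python
# Summarize Cloud Armor DENY entries saved with, for example:
#   gcloud logging read --project $TENANT_PROJECT_ID "$filter" \
#       --freshness=7d --format=json > denied.json
# (gcloud logging read only looks back 1 day unless --freshness is set.)
import json
import sys
from collections import Counter

def _entry(ip, outcome, priority, sigs=None):
    """Build a constructed log entry with the fields this script reads."""
    esp = {"name": "sample-policy", "outcome": outcome, "priority": priority}
    if sigs:
        esp["preconfiguredExprIds"] = sigs
    return {"httpRequest": {"remoteIp": ip},
            "jsonPayload": {"enforcedSecurityPolicy": esp}}

# Constructed sample data, shaped like the JSON output of gcloud logging read.
SAMPLE = [
    _entry("203.0.113.7", "DENY", 1000, ["owasp-crs-v030001-id942251-sqli"]),
    _entry("203.0.113.7", "DENY", 1000, ["owasp-crs-v030001-id942251-sqli"]),
    _entry("198.51.100.23", "DENY", 2000, ["owasp-crs-v030001-id941180-xss"]),
    _entry("198.51.100.23", "ACCEPT", 2147483647),
    _entry("192.0.2.44", "DENY", 3000),  # denied by a rule without a signature
]

def summarize_denies(entries):
    """Return (Counter by (rule priority, signature), Counter by client IP)."""
    by_rule, by_ip = Counter(), Counter()
    for entry in entries:
        esp = entry.get("jsonPayload", {}).get("enforcedSecurityPolicy", {})
        if esp.get("outcome") != "DENY":
            continue
        # Preconfigured WAF rules report the signature(s) that fired.
        for sig in esp.get("preconfiguredExprIds") or ["(no signature)"]:
            by_rule[(esp.get("priority"), sig)] += 1
        by_ip[entry.get("httpRequest", {}).get("remoteIp", "unknown")] += 1
    return by_rule, by_ip

if __name__ == "__main__":
    # With a file argument, read the saved logs; otherwise use SAMPLE.
    entries = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    rules, ips = summarize_denies(entries)
    for (priority, sig), count in rules.most_common():
        print(f"{count:5d}  rule priority {priority}  {sig}")
    for ip, count in ips.most_common(10):
        print(f"{count:5d}  {ip}")
```

A signature that dominates the first list while coming from many unrelated IPs is often a false positive worth tuning, whereas one IP tripping several signatures looks more like probing.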