
I'm deploying WAF with Cloud Armor and I realized that the rules can be created in a "Preview only" mode and that there are Cloud Armor entries in Cloud Logging.

The problem is that when I create a "Preview only" rule and that rule is matched by some request, I cannot differentiate, in the logs, the requests that matched some specific rule from the normal, ordinary requests. They all look pretty much the same.

Are there any logging attributes that only exist (or have specific values) when the request matches a specific rule in these cases? Because the only way I found to explicitly check the rules matched by some request is unchecking the "Preview only" flag, and that is not nice for production when testing.

neuro

1 Answer


When you have rules configured in Cloud Armor set to "Preview", Cloud Logging will record what the rule would have done if enabled.

This Cloud Logging filter will show you entries that were denied by Cloud Armor:

resource.type="http_load_balancer"
jsonPayload.statusDetails="denied_by_security_policy"

This Cloud Logging filter will show you entries that would have been denied by Cloud Armor:

resource.type="http_load_balancer"
jsonPayload.previewSecurityPolicy.outcome="DENY"

In Cloud Logging, set the resource.type to "http_load_balancer" and delete the second filter line to see all entries.

Expand one of the entries:

Look for "jsonPayload.enforcedSecurityPolicy". This is the Cloud Armor Policy.

Look for "jsonPayload.previewSecurityPolicy". This provides details on the rule priority which tells you the rule and the outcome if the rule was not in preview.

Example screenshot:


John Hanley
  • Thanks, now I see. You helped me very much, thanks again. – deniable_encryption May 21 '21 at 02:21
  • @deniable_encryption - Cloud Armor is a powerful service that is easy to deploy and configure. – John Hanley May 21 '21 at 02:24
  • Is there any place to see the request bodies? Cloud Logging only shows me path, user-agent, IP, referer and things like that, I would like to see the body. – deniable_encryption May 21 '21 at 02:41
  • @deniable_encryption - Cloud Logging does not record request bodies. That would require that you add logging code to your application. – John Hanley May 21 '21 at 03:04
  • Thank you very much. So that's it? I have no other way to see the bodies of the requests that Cloud Armor is blocking unless I change my backend's code to explicitly log every request? – deniable_encryption May 23 '21 at 07:07
  • Google Cloud does not log request bodies. If a rule is enabled and `denies`, you will never see request bodies as the request will not make it to the backend. If a rule is in preview, your backend application will need to log request bodies. – John Hanley May 23 '21 at 13:37
  • what a life saver answer! Thank you. – Mamun Sep 03 '22 at 18:45
  • **Update 2023-06-28** - Cloud Armor now supports Verbose Logging [link](https://cloud.google.com/armor/docs/request-logging#verbose-logging) – John Hanley Jun 28 '23 at 07:40
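The answer above gives two Cloud Logging filters and names the `jsonPayload.enforcedSecurityPolicy` and `jsonPayload.previewSecurityPolicy` fields that distinguish a preview-only match from an ordinary request. The script below is an added example, not code from the question, the answer, or Google: it evaluates those same filter strings offline against constructed log entries shaped like the fields the answer describes, and tallies which preview rule priorities would have denied traffic, which is the signal the question was after. The `name` key inside the policy objects and the `_lb_entry` helper are assumptions of this example, and only the `field="value"` subset of the Logging query language is implemented.

```python
"""Triage Cloud Armor entries from http_load_balancer logs.

Added example (not code from the question, the answer, or Google): it applies
the two Cloud Logging filters from the answer to log entries offline and
tallies which preview rules would have fired. The entries below are
constructed samples shaped like the jsonPayload fields the answer names;
the `name` field inside the policy objects is an assumption.
"""
import re
from collections import Counter

# Filters exactly as given in the answer (one clause per line, AND-ed).
FILTER_ENFORCED_DENY = """
resource.type="http_load_balancer"
jsonPayload.statusDetails="denied_by_security_policy"
"""
FILTER_PREVIEW_DENY = """
resource.type="http_load_balancer"
jsonPayload.previewSecurityPolicy.outcome="DENY"
"""


def _lb_entry(status, enforced, preview=None):
    """Build a constructed log entry; only the fields used here are filled in."""
    payload = {"statusDetails": status, "enforcedSecurityPolicy": enforced}
    if preview is not None:
        payload["previewSecurityPolicy"] = preview
    return {"resource": {"type": "http_load_balancer"}, "jsonPayload": payload}


# Constructed sample entries (not real logs).
DEFAULT_ALLOW = {"name": "example-policy", "priority": 2147483647, "outcome": "ACCEPT"}
SAMPLE_ENTRIES = [
    # Ordinary request: only the default rule matched, nothing in preview fired.
    _lb_entry("response_sent_by_backend", DEFAULT_ALLOW),
    # Enforced deny: the request never reached the backend.
    _lb_entry("denied_by_security_policy",
              {"name": "example-policy", "priority": 1000, "outcome": "DENY"}),
    # Preview rule 500 would have denied; the request was still served.
    _lb_entry("response_sent_by_backend", DEFAULT_ALLOW,
              {"name": "example-policy", "priority": 500, "outcome": "DENY"}),
    _lb_entry("response_sent_by_backend", DEFAULT_ALLOW,
              {"name": "example-policy", "priority": 500, "outcome": "DENY"}),
    # Preview rule 100 matched with an allow action: looks like a normal request.
    _lb_entry("response_sent_by_backend", DEFAULT_ALLOW,
              {"name": "example-policy", "priority": 100, "outcome": "ACCEPT"}),
    # Entry from another resource type; the first filter clause excludes it.
    {"resource": {"type": "gce_instance"},
     "jsonPayload": {"statusDetails": "denied_by_security_policy"}},
]

_CLAUSE = re.compile(r'^\s*([\w.]+)\s*=\s*"([^"]*)"\s*$')


def lookup(entry, dotted_path):
    """Walk a dotted field path such as jsonPayload.previewSecurityPolicy.outcome."""
    node = entry
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def matches(entry, filter_text):
    """Evaluate the subset of the Logging query language the answer uses:
    one field="value" clause per line, all clauses AND-ed (assumption: no
    operators beyond string equality are handled)."""
    for line in filter_text.strip().splitlines():
        clause = _CLAUSE.match(line)
        if clause is None:
            raise ValueError(f"unsupported filter clause: {line!r}")
        if lookup(entry, clause.group(1)) != clause.group(2):
            return False
    return True


def select(entries, filter_text):
    """Return the entries the filter would show in Logs Explorer."""
    return [e for e in entries if matches(e, filter_text)]


def preview_deny_counts(entries):
    """Would-be denies per preview rule priority: the signal the question asks for."""
    counts = Counter(
        e["jsonPayload"]["previewSecurityPolicy"]["priority"]
        for e in select(entries, FILTER_PREVIEW_DENY)
    )
    return dict(counts)


if __name__ == "__main__":
    print("enforced denies:", len(select(SAMPLE_ENTRIES, FILTER_ENFORCED_DENY)))
    print("preview denies by rule priority:", preview_deny_counts(SAMPLE_ENTRIES))
```

Run it as-is to see the two categories separated; to use it on real data, export matching entries from Cloud Logging as JSON and feed the list to `select` and `preview_deny_counts` in place of `SAMPLE_ENTRIES`. Note that the entry whose preview rule matched with an `ACCEPT` outcome is indistinguishable from an ordinary request by status alone; only the presence of `previewSecurityPolicy` reveals that a preview rule was evaluated.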