1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Administrator's Guide
    5. Connect Your Cloud Platform to Prisma Cloud
    6. Onboard Your Google Cloud Platform (GCP) Account
    7. Enable Flow Logs for GCP Organization

    Enable Flow Logs for GCP Organization

    Create and configure a sink to export the flow logs for your GCP organization.
    Prisma Cloud uses the traffic data in flow logs for your GCP organization or folder resource hierarchy to detect network threats such as cryptomining, data exfiltration, and host compromises. Before Prisma Cloud can analyze your flow log data, you must create a sink to export the flow logs to a Cloud Storage bucket. To configure a sink for your whole GCP organization or folder, use the gcloud command line tool.
    Enabling flow logs will incur high network egress costs. Palo Alto Networks strongly recommends that you enable Flow Log Compression on GCP to significantly reduce the network egress costs associated with sending uncompressed GCP logs to the Prisma Cloud infrastructure.
    1. Gather the following information from your GCP account:
      • Cloud Storage bucket name
      • Organization ID
    2. Download and install the Google Cloud SDK.
      During the SDK install, you must log in to your GCP account. This account must have these three permissions enabled at the organization level:
      • Billing Account Administrator
      • Logging Administrator
      • Organization Administrator
    3. Run this command to create a service account needed to configure the sink for your Cloud Storage bucket but replace the
      Bucket-name
       with your Cloud Storage bucket name and
      Organization ID
       with your organization ID.
      $ gcloud logging sinks create <sink-name> storage.googleapis.com/<bucket-name> --include-children --organization=<organization-id> --log-filter="resource.type="gce_subnetwork" AND logName:"logs/compute.googleapis.com%2Fvpc_flows""
      If you are onboarding a GCP folder, you must have the Folder Viewer role and can use the command
      $ gcloud logging sinks create <sink-name> storage.googleapis.com/<bucket-name> --include-children --folder=<folder-id> --log-filter="resource.type="gce_subnetwork" AND logName:"logs/compute.googleapis.com%2Fvpc_flows""
       to create a service account needed to configure the sink for your Cloud Storage bucket.
    4. Grant the service account permission to access your Cloud Storage bucket.
      1. Select
        Navigation menu
        Storage
         and select your Cloud Storage bucket.
      2. Select
        Permissions
        Add members
        .
      3. Add the service account email address for
        Members
        , select
        Storage
        Storage Admin
         and select
        Add
        .
    5. Add the name of Cloud Storage bucket you created above in
      Flow Logs Storage Bucket
       when you Add Your GCP Organization to Prisma Cloud.
    6. (
      Optional
      ) Enable Flow Log Compression on GCP.
      Enable flow log compression on Prisma Cloud to automate the compression of flow logs using the Google Cloud Dataflow service. When enabled, the compressed logs are stored to the same Storage bucket as your flow logs and mitigates the network egress costs associated with sending uncompressed GCP logs to the Prisma Cloud infrastructure.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo