Enable Flow Logs for GCP Organization

Create and configure a sink to export the flow logs for your GCP organization to.
Prisma Cloud uses the traffic data in flow logs for your GCP organization or folder resource hierarchy to detect network threats such as cryptomining, data exfiltration, and host compromises. Before Prisma Cloud can analyze your flow log data, you must create a sink to export the flow logs to a Cloud Storage bucket. To configure a sink for your whole GCP organization or folder, use the gcloud command line tool.
Enabling flow logs will incur high network egress costs. Palo Alto Networks strongly recommends that you enable Flow Log Compression on GCP to significantly reduce the network egress costs associated with sending uncompressed GCP logs to the Prisma Cloud infrastructure.
  1. Gather the following information from your GCP account:
    • Cloud Storage bucket name
    • Organization ID
  2. Download and install the Google Cloud SDK.
    During the SDK install, you must log in to your GCP account. This account must have these three permissions enabled at the organization level:
    • Billing Account Administrator
    • Logging Admin
    • Organization Administrator
  3. Run this command to create a service account needed to configure the sink for your Cloud Storage bucket but replace the
    Bucket-name
    with your Cloud Storage bucket name and
    Organization ID
    with your organization ID.
    $ gcloud logging sinks create <sink-name> storage.googleapis.com/<bucket-name> --include-children --organization=<organisation-id> --log-filter="resource.type="gce_subnetwork" AND logName:"logs/compute.googleapis.com%2Fvpc_flows"
    gcp-gcloud-cli-organization-sink.png
    If you are onboarding a GCP folder, you must have the Folder Viewer role and can use the command
    $ gcloud logging sinks create <sink-name> storage.googleapis.com/<bucket-name> --include-children --folder=<folder-id> --log-filter="resource.type="gce_subnetwork" AND logName:"logs/compute.googleapis.com%2Fvpc_flows"
    to create a service account needed to configure the sink for your Cloud Storage bucket.
  4. Grant the service account permission to access your Cloud Storage bucket.
    1. Select
      Navigation menu
      Storage
      and select your Cloud Storage bucket.
    2. Select
      Permissions
      Add members
      .
    3. Add the service account email address for
      Members
      , select
      Storage
      Storage Admin
      and select
      Add
      .
      gcp-organization-storage-account-access.png
  5. Add the name of Cloud Storage bucket you created above in
    Flow Logs Storage Bucket
    when you Add Your GCP Organization to Prisma Cloud.
  6. (
    Optional
    ) Enable Flow Log Compression on GCP.
    Enable flow log compression on Prisma Cloud to automate the compression of flow logs using the Google Cloud Dataflow service. When enabled the compressed logs are stored to the same Storage bucket as your flow logs and mitigates the network egress costs associated with sending uncompressed GCP logs to the Prisma Cloud infrastructure.

Recommended For You