Enable Flow Logs for GCP Organization
Create and configure a sink to export the flow logs for
your GCP organization to.
Prisma Cloud uses the traffic data in flow logs for your GCP
organization or folder resource hierarchy to detect network threats
such as cryptomining, data exfiltration, and host compromises. Before
Prisma Cloud can analyze your flow log data, you must create a sink
that exports the flow logs to a Cloud Storage bucket. To configure a
sink for your whole GCP organization or folder, use the gcloud command
line tool. A sink only exports flow logs that your subnets already
emit: VPC Flow Logs are enabled per subnet in GCP (for example with
gcloud compute networks subnets update <subnet-name> --enable-flow-logs),
so a subnet without flow logging produces nothing for the sink to export.
Enabling flow logs incurs high network egress costs. Palo Alto Networks
strongly recommends that you enable Flow Log Compression on GCP to
significantly reduce the egress costs of sending uncompressed GCP logs
to the Prisma Cloud infrastructure.
- Gather the following information from your GCP account:
- Cloud Storage bucket name
- Organization ID
- Download and install the Google Cloud SDK. During the SDK install, you must log in to your GCP account. This account must have these three roles granted at the organization level:
- Billing Account Administrator
- Logging Admin
- Organization Administrator
- Run this command to create the sink that exports flow logs from your organization to your Cloud Storage bucket. Replace <sink-name> with a name for the sink, <bucket-name> with your Cloud Storage bucket name, and <organization-id> with your organization ID. The log filter itself contains double quotes, so wrap it in single quotes for the shell:
$ gcloud logging sinks create <sink-name> storage.googleapis.com/<bucket-name> --include-children --organization=<organization-id> --log-filter='resource.type="gce_subnetwork" AND logName:"logs/compute.googleapis.com%2Fvpc_flows"'
GCP generates a service account for the sink (its writer identity, shown in the command output and by gcloud logging sinks describe <sink-name> --organization=<organization-id>) that writes the exported logs. You grant that service account access to the bucket in the next step. If you are onboarding a GCP folder, you must have the Folder Viewer role and create the sink with the --folder flag instead:
$ gcloud logging sinks create <sink-name> storage.googleapis.com/<bucket-name> --include-children --folder=<folder-id> --log-filter='resource.type="gce_subnetwork" AND logName:"logs/compute.googleapis.com%2Fvpc_flows"'
- Grant the sink's service account (writer identity) permission to write to your Cloud Storage bucket.
- Select Navigation menu > Storage and select your Cloud Storage bucket.
- Select Permissions > Add members.
- Add the service account email address under Members, select Storage > Storage Admin as the role, and select Add. Storage Admin is broader than the sink needs; if you prefer least privilege, the writer identity only has to create objects in the bucket, which the Storage Object Creator role (roles/storage.objectCreator) grants.
- Enter the name of the Cloud Storage bucket you used above in the Flow Logs Storage Bucket field when you Add Your GCP Organization to Prisma Cloud.
- (Optional) Enable Flow Log Compression on GCP. Enable flow log compression in Prisma Cloud to automate the compression of flow logs using the Google Cloud Dataflow service. When enabled, the compressed logs are stored in the same Storage bucket as your flow logs, which mitigates the network egress costs of sending uncompressed GCP logs to the Prisma Cloud infrastructure.
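The following script is an added example and not part of the Prisma Cloud documentation or of Google's tooling. It drives the sink procedure above end to end for either an organization or a folder: it validates the inputs, builds the gcloud commands with the flow-log filter correctly quoted, reads the sink's writer identity, and binds that identity to the bucket. The bucket name, sink name, IDs and the writer-identity placeholder are assumptions; with DRY_RUN=1 (the default) the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example (not from the Prisma Cloud page): a POSIX shell driver for
# creating the flow-log sink and granting its writer identity bucket access.
# All IDs, bucket and sink names are placeholders. DRY_RUN=1 (default)
# prints the gcloud commands; DRY_RUN=0 executes them with eval.
set -eu

# Filter from the page: VPC flow logs emitted by subnetworks.
FLOW_LOG_FILTER='resource.type="gce_subnetwork" AND logName:"logs/compute.googleapis.com%2Fvpc_flows"'

# Organization and folder IDs are numeric.
validate_scope_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Cloud Storage bucket names: lowercase letters, digits, dashes,
# underscores and dots (length limits are not checked here).
validate_bucket_name() {
  case "$1" in
    ''|*[!a-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print the sink-creation command. $1 is "organization" or "folder",
# $2 the numeric ID, $3 the bucket name, $4 the sink name.
sink_create_cmd() {
  local scope="$1" id="$2" bucket="$3" sink="$4"
  case "$scope" in
    organization|folder) ;;
    *) echo "scope must be organization or folder, got: $scope" >&2; return 1 ;;
  esac
  validate_scope_id "$id" || { echo "invalid $scope ID: $id" >&2; return 1; }
  validate_bucket_name "$bucket" || { echo "invalid bucket name: $bucket" >&2; return 1; }
  # The filter contains double quotes, so it is single-quoted for the shell.
  printf "gcloud logging sinks create %s storage.googleapis.com/%s --include-children --%s=%s --log-filter='%s'\n" \
    "$sink" "$bucket" "$scope" "$id" "$FLOW_LOG_FILTER"
}

# Print the command that reads the writer identity GCP generated for the
# sink, e.g. serviceAccount:p123-456@gcp-sa-logging.iam.gserviceaccount.com.
# $1 scope, $2 ID, $3 sink name.
sink_writer_identity_cmd() {
  printf "gcloud logging sinks describe %s --%s=%s --format='value(writerIdentity)'\n" "$3" "$1" "$2"
}

# Print the command that binds the writer identity to the bucket. The page
# grants Storage Admin; the sink only needs to create objects, so the
# default role here is the narrower roles/storage.objectCreator.
bucket_grant_cmd() {
  printf "gcloud storage buckets add-iam-policy-binding gs://%s --member=%s --role=%s\n" \
    "$1" "$2" "${3:-roles/storage.objectCreator}"
}

run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $1"; else eval "$1"; fi
}

main() {
  local scope="${1:-organization}"
  local id="${2:-123456789012}"          # placeholder organization ID
  local bucket="${3:-example-flow-logs}" # placeholder bucket name
  local sink="${4:-prisma-vpc-flow-logs}"
  local writer
  run "$(sink_create_cmd "$scope" "$id" "$bucket" "$sink")"
  if [ "${DRY_RUN:-1}" = 1 ]; then
    writer='serviceAccount:<writer-identity>'   # placeholder in dry-run mode
  else
    writer=$(eval "$(sink_writer_identity_cmd "$scope" "$id" "$sink")")
  fi
  run "$(bucket_grant_cmd "$bucket" "$writer")"
}

main "$@"
```

Run it as `DRY_RUN=0 sh flow-log-sink.sh organization <organization-id> <bucket-name> <sink-name>` (or with `folder` as the first argument) from an account holding the roles listed above; the lookup of the writer identity is what avoids copying the service account email by hand from the console.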