Enable Flow Logs for GCP Projects
Enable flow logs for your GCP project
With VPC flow logs, Prisma Cloud helps you visualize flow information for resources deployed in your GCP projects. VPC flow logs on GCP provide flow-level network information about packets going to and from network interfaces that are part of a VPC, including a record of packets flowing between a source port and a destination port and the number of distinct peers connecting to an endpoint IP address and port, so that you can monitor your applications from the perspective of your network. On the Investigate page, you can view the traffic flow between virtual machines in different service projects and/or host projects that use a shared VPC network and firewall rules.
To analyze these logs on Prisma Cloud you must enable VPC flow logs for each VPC subnet and export the logs to a sink that holds a copy of each log entry. Prisma Cloud requires you to export the flow logs to a single Cloud Storage bucket, which functions as the sink destination that holds all VPC flow logs in your environment. When you then configure Prisma Cloud to ingest these logs, the service can analyze this data, provide visibility into your network traffic, and detect potential network threats such as crypto mining, data exfiltration, and host compromises.
Prisma Cloud automates VPC flow log compression using the Google Cloud Dataflow service and saves the compressed logs to your Storage bucket for ingestion. Consider enabling the Google Cloud Dataflow service and log compression, because transferring raw GCP flow logs from your storage bucket to Prisma Cloud can add to your data cost. See Flow Log Compression on GCP to make sure that you have the permissions to create and run pipelines for a Cloud Dataflow job.
Enabling flow logs will incur high network egress costs. Palo Alto Networks strongly recommends that you enable Flow Log Compression on GCP to significantly reduce the network egress costs associated with sending uncompressed GCP logs to the Prisma Cloud infrastructure.
- Enable flow logs for your VPC networks on GCP. To analyze your network traffic, you must enable flow logs for each project you want Prisma Cloud to monitor.
  - Log in to the GCP console and select your project.
  - Select Navigation menu > VPC network > VPC networks.
  - Select the VPC network and click EDIT.
  - Select Flow logs > On to enable flow logs.
  - Set the Aggregation Interval to 15 min.
  - Set the Sample rate to 100%. As a best practice, setting the aggregation interval and the sample rate as recommended above generates alerts faster on Prisma Cloud and reduces the network costs you incur.
  - Save your changes.
- (Required if you are not using the Terraform template for adding your cloud account) Add additional permissions to the bucket that is collecting VPC flow logs. You must grant the Prisma Cloud service principal permissions to list objects in the storage bucket and to read object data and metadata stored within the bucket. The permissions required are storage.objects.list and storage.objects.get. The Terraform template that Prisma Cloud provides for onboarding includes these permissions in the role named Prisma Cloud Flow Logs Viewer, and this role is assigned to the service account on the bucket whose name you provide in Flow Log Storage Bucket in the onboarding flow. If you want to add these permissions manually, refer to the Google Cloud Storage documentation for instructions: https://cloud.google.com/storage/docs/access-control/using-iam-permissions#bucket-add.
- Create a sink to export flow logs. You must create a sink and specify a Cloud Storage bucket as the export destination for VPC flow logs. You must configure a sink for every project that you want Prisma Cloud to monitor, and configure a single Cloud Storage bucket as the sink destination for all projects. When you Add Your GCP Project to Prisma Cloud, you must provide the Cloud Storage bucket from which the service can ingest VPC flow logs. As a cost reduction best practice, set a lifecycle rule to delete logs from your Cloud Storage bucket.
  - Select Navigation menu > Logging > Logs Explorer > Options > Go back to the legacy logs viewer > Go back > Create sink. The GCP UI includes two options for creating a sink: using the legacy logs viewer, or upgrading to the new Logs Explorer. Prisma Cloud currently only supports creating a sink through the legacy logs viewer.
  - Select GCE Subnetwork.
  - Change All logs to compute.googleapis.com/vpc_flows and click OK.
  - Enter a name and select Cloud Storage as the Sink Service.
  - Select an existing Cloud Storage bucket or create a new Cloud Storage bucket as the Sink Destination, and click Create Sink.
- Add a lifecycle rule to limit the number of days you store flow logs in the Cloud Storage bucket. By default, logs are never deleted. To manage cost, specify the threshold (in number of days) for which you want to store logs.
  - Select Navigation menu > Storage > Browser.
  - Select the Lifecycle link for the storage bucket you want to modify.
  - Click Add rule, select object conditions to set Age to 30 days, and select Delete as the Action. Logs that are stored in your Cloud Storage bucket will be deleted after 30 days.
  - Select Continue and Save your changes.
- Add the name of the Cloud Storage bucket you referenced above in Flow Logs Storage Bucket when you Add Your GCP Project to Prisma Cloud.
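The console procedure above expressed as Terraform, added here as an illustration and not Prisma Cloud's own onboarding template: subnet flow logs at a 15 min aggregation interval and 100% sampling, a sink restricted to compute.googleapis.com/vpc_flows writing to one bucket, a 30-day delete lifecycle rule, and a custom role carrying only storage.objects.list and storage.objects.get for the Prisma Cloud service account. The subnet, bucket, region and service account values are placeholders; the provider's default project is assumed.

```hcl
# Step 1: flow logs on each subnet, 15 min aggregation interval, 100% sampling
resource "google_compute_subnetwork" "monitored" {
  name          = "monitored-subnet"   # placeholder
  region        = "us-central1"        # placeholder
  network       = "default"            # placeholder
  ip_cidr_range = "10.10.0.0/24"       # constructed
  log_config {
    aggregation_interval = "INTERVAL_15_MIN"
    flow_sampling        = 1.0
  }
}

# Step 3 destination: a single bucket; step 4: delete objects after 30 days
resource "google_storage_bucket" "flow_logs" {
  name                        = "my-project-vpc-flow-logs"   # placeholder
  location                    = "US"
  uniform_bucket_level_access = true
  lifecycle_rule {
    condition { age = 30 }
    action { type = "Delete" }
  }
}

# Step 3: sink that exports only compute.googleapis.com/vpc_flows to the bucket;
# the sink's own writer identity is granted object creation on the bucket
resource "google_logging_project_sink" "vpc_flows" {
  name                   = "prisma-vpc-flow-logs"
  destination            = "storage.googleapis.com/${google_storage_bucket.flow_logs.name}"
  filter                 = "resource.type=\"gce_subnetwork\" AND log_id(\"compute.googleapis.com/vpc_flows\")"
  unique_writer_identity = true
}
resource "google_storage_bucket_iam_member" "sink_writer" {
  bucket = google_storage_bucket.flow_logs.name
  role   = "roles/storage.objectCreator"
  member = google_logging_project_sink.vpc_flows.writer_identity
}

# Step 2: Prisma Cloud's service account gets only storage.objects.list/get
resource "google_project_iam_custom_role" "flow_logs_viewer" {
  role_id     = "prismaCloudFlowLogsViewer"
  title       = "Prisma Cloud Flow Logs Viewer"
  permissions = ["storage.objects.list", "storage.objects.get"]
}
resource "google_storage_bucket_iam_member" "prisma_reader" {
  bucket = google_storage_bucket.flow_logs.name
  role   = google_project_iam_custom_role.flow_logs_viewer.name
  member = "serviceAccount:prisma-cloud@example.iam.gserviceaccount.com"   # placeholder
}
```

Apply it once per project you want monitored, pointing every project's sink at the same bucket, and check with `terraform plan` that the only bucket grant to the Prisma Cloud account is the custom viewer role.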