Enable Flow Logs for GCP Projects

Enable flow logs for your GCP project
With VPC flow logs, Prisma Cloud helps you visualize flow information for resources deployed in your GCP projects. VPC flow logs on GCP provide flow-level network information of packets going to and from network interfaces that are part of a VPC, including a record of packets flowing to a source port and destination port, the number of distinct peers connecting to an endpoint IP address and port, so that you can monitor your applications from the perspective of your network. On the
Investigate
page, you can view the traffic flow between virtual machines in different service-projects and/or host-projects that are using shared VPC network and firewall rules.
VPC flow logs are supported on VPC networks only, and are not available for legacy networks on GCP.
To analyze these logs on Prisma Cloud you must enable VPC flow logs for each VPC subnet and export the logs to a
sink
that holds a copy of each log entry. Prisma Cloud requires you to export the flow logs to a single Cloud Storage bucket, which functions as the sink destination that holds all VPC flow logs in your environment. When you then configure Prisma Cloud to ingest these logs, the service can analyze this data and provide visibility into your network traffic and detect potential network threats such as crypto mining, data exfiltration, and host compromises.
Prisma Cloud automates VPC flow log compression using the Google Cloud Dataflow service, and saves them to your Storage bucket for ingestion. Consider enabling the Google Cloud Dataflow Service and enabling log compression because transferring raw GCP Flow logs from your storage bucket to Prisma Cloud can add to your data cost. See Flow Log Compression on GCP to make sure that you have the permissions to create and run pipelines for a Cloud Dataflow job.
Enabling flow logs will incur high network egress costs. Palo Alto Networks strongly recommends that you enable Flow Log Compression on GCP to significantly reduce the network egress costs associated with sending uncompressed GCP logs to the Prisma Cloud infrastructure.
  1. Enable flow logs for your VPC networks on GCP.
    To analyze your network traffic, you must enable flow logs for each project you want Prisma Cloud to monitor.
    1. Log in to GCP console and select your project.
    2. Select
      Navigation menu
      VPC network
      VPC networks
      .
      gcp-flow-logs-vpc-network.png
    3. Select VPC network and click
      EDIT
      .
    4. Select
      Flow logs
      On
      to enable flow logs.
      gcp-enable-flow-logs.png
    5. Set the
      Aggregation Interval
      to
      15 min
      .
    6. Set the
      Sample rate
      to 100%.
      As a best practice, setting the aggregate interval and the sample rate as recommended above generates alerts faster on Prisma Cloud and reduces network costs you incur.
    7. Save
      your changes.
  2. (
    Required, if you are not using the Terraform template for adding your cloud account
    ) Add additional permissions to the bucket that is collecting VPC flow logs.
    You must grant the Prisma Cloud service principal permissions to list objects in the storage bucket, and to read object data and metadata stored within the bucket. The permissions required are
    storage.objects.list
    and
    storage.objects.get
    . The Terraform template that Prisma Cloud provides to enable onboarding, includes these permissions in the role named
    Prisma Cloud Flow Logs Viewer
    , and this role is assigned to the service account on the bucket name that you provide the
    Flow Log Storage Bucket
    in the onboarding flow. If you want to manually add these permissions, refer to Google Cloud Storage documentation for instructions —https://cloud.google.com/storage/docs/access-control/using-iam-permissions#bucket-add.
  3. Create a Sink to export flow logs.
    You must create a sink and specify a Cloud Storage bucket as the export destination for VPC flow logs. You must configure a sink for every project that you want Prisma Cloud to monitor and configure a single Cloud Storage bucket as the sink destination for all projects. When you Add Your GCP Project to Prisma Cloud, you must provide the Cloud Storage bucket from which the service can ingest VPC flow logs. As a cost reduction best practice, set a lifecycle to delete logs from your Cloud Storage bucket.
    1. Select
      Navigation menu
      Logging
      Logs Viewer
      Create Sink
      gcp-flow-logs-stackdriver-logging.png
    2. Select
      GCE Subnetwork
      .
    3. Change
      All logs
      to c
      ompute.googleapis.com/vpc_flows
      and click
      OK
      .
      gcp-export-flow-logs.png
    4. Enter a name and select
      Cloud Storage
      as the
      Sink Service
      .
    5. Select an existing Cloud Storage bucket or create a new Cloud Storage bucket as the
      Sink Destination
      , and click
      Create Sink
      .
    6. Add a lifecycle rule to limit the number of days you store flow logs on the Cloud Storage bucket.
      By default, logs are never deleted. To manage cost, specify the threshold (in number of days) for which you want to store logs.
      1. Select
        Navigation Menu
        Storage
        Browser
        .
      2. Select the
        Lifecycle
        link for the storage bucket you want to modify.
        gcp-storage-bucket-lifecycle1.png
      3. Add rule
        and Select object conditions to set
        Age
        to 30 days and Select Action as
        Delete
        .
        Logs that are stored on your Cloud Storage bucket will be deleted in 30 days.
      4. Select
        Continue
        and
        Save
        your changes.
  4. Add the name of the Cloud Storage bucket you referenced above in
    Flow Logs Storage Bucket
    when you Add Your GCP Project to Prisma Cloud.

Recommended For You