### Cloud Armor Mitigation Started Log Entry Example
Source: https://docs.cloud.google.com/armor/docs/advanced-network-ddos?hl=zh-TW

This is an example log entry format for a `MITIGATION_STARTED` event in Cloud Armor. It includes the alert ID, mitigation type, target VIP, total volume, and the classified attack details.

```json
@type: "type.googleapis.com/google.cloud.networksecurity.cloudarmor.logging.v1.CloudArmorMitigationAlert"
alertId: "11275630857957031521"
mitigation_type: "MITIGATION_STARTED"
target_vip: "XXX.XXX.XXX.XXX"
total_volume: {
  pps: 1400000
  bps: 140000000
}
started: {
  total_attack_volume: {
    pps: 1100000
    bps: 110000000
  }
  classified_attack: {
    attack_type: "NTP-udp"
    attack_volume: {
      pps: 500000
      bps: 50000000
    }
  }
  classified_attack: {
    attack_type: "CHARGEN-udp"
    attack_volume: {
      pps: 600000
      bps: 60000000
    }
  }
  attack_sources: {
    top_source_asns: {
      asn: "ABCDEF"
      volume: {
        pps: 20000
        bps: 2000000
      }
    }
    top_source_asns: {
      asn: "UVWXYZ"
      volume: {
        pps: 20000
        bps: 2000000
      }
    }
    top_source_geos: {
      region_code: "XX"
      volume: {
        pps: 20000
        bps: 2000000
      }
    }
    top_source_geos: {
      region_code: "XY"
      volume: {
        pps: 20000
        bps: 2000000
      }
    }
    top_source_ips: {
      region_code: "xx.xx.xx.xx"
      volume: {
        pps: 20000
        bps: 2000000
      }
    }
    top_source_ips: {
      region_code: "yy.yy.yy.yy"
      volume: {
        pps: 20000
        bps: 2000000
      }
    }
  }
}
```

--------------------------------

### Example Output of Preconfigured Expression Sets
Source: https://docs.cloud.google.com/armor/docs/configure-security-policies

This example shows the format of the output when listing preconfigured expression sets. It includes expression set names, rule IDs, and sensitivity levels.
```text
EXPRESSION_SET
expression-set-1
    RULE_ID                 SENSITIVITY
    expression-set-1-id-1   sensitivity-value-1
    expression-set-1-id-2   sensitivity-value-2
expression-set-2
    alias-1
    RULE_ID                 SENSITIVITY
    expression-set-2-id-1   sensitivity-value-1
    expression-set-2-id-2   sensitivity-value-2
```

```text
EXPRESSION_SET
sqli-canary
    RULE_ID                           SENSITIVITY
    owasp-crs-v042200-id942120-sqli   2
    …
xss-canary
    RULE_ID                           SENSITIVITY
    owasp-crs-v042200-id941110-xss    1
    owasp-crs-v042200-id941120-xss    2
    …
sourceiplist-fastly
sourceiplist-cloudflare
sourceiplist-imperva
```

--------------------------------

### Example: Describe a Specific Rule
Source: https://docs.cloud.google.com/armor/docs/configure-security-policies?hl=zh-CN

An example of describing the rule with priority 1000 in the security policy `my-policy`.

```bash
gcloud compute security-policies rules describe 1000 \
    --security-policy my-policy
```

--------------------------------

### Example Log Entry for False Positive
Source: https://docs.cloud.google.com/armor/docs/troubleshooting

This log entry shows a request that matched a preconfigured WAF rule, indicated by `preconfiguredExprIds`. Review fields like `requestUrl` and `cookie` to identify what in the request triggered the signature. Here the `document.cookie=` query parameter tripped the XSS signature `owasp-crs-v042200-id941180-xss`, while the enforced rule is still the default rule (priority 2147483647, action `ACCEPT`), so the match was recorded but the request was not blocked.
```yaml
httpRequest:
  remoteIp: 104.133.0.95
  requestMethod: GET
  requestSize: '801'
  requestUrl: http://74.125.67.38/foo?document.cookie=1010"
  responseSize: '246'
  serverIp: 10.132.0.4
  status: 200
  userAgent: curl/7.35.0
insertId: ajvis5ev4i60
internalId:
  projectNumber: '895280006100'
jsonPayload:
  '@type': type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry
  enforcedSecurityPolicy:
    configuredAction: ACCEPT
    name: POLICY_NAME
    outcome: ACCEPT
    priority: 2147483647
    preconfiguredExprIds: [ 'owasp-crs-v042200-id941180-xss' ]
  statusDetails: response_sent_by_backend
logName: projects/mydev-staging/logs/requests
resource:
  labels:
    backend_service_name: BACKEND_SERVICE
    forwarding_rule_name: mydev-forwarding-rule
    project_id: mydev-staging
    target_proxy_name: mydev-target-http-proxy
    url_map_name: mydev-url-map
    zone: global
  type: http_load_balancer
severity: INFO
timestamp: '2017-04-18T18:57:05.845960288Z'
```

--------------------------------

### Cloud Armor Verbose Log Entry Example
Source: https://docs.cloud.google.com/armor/docs/verbose-logging

This is an example of a log entry in Logs Explorer when verbose logging is enabled and a WAF rule is triggered. Beyond the rule that fired, it records where the signature matched: `matchedFieldType`/`matchedFieldName` identify the request part (here the value of the `sql_table` query argument), and `matchedOffset`/`matchedLength` locate the matched substring `pg_catalog` inside the 18-byte field value. Note that `inspectedBodySize` tells you how much of the body was inspected, so a payload placed beyond that limit is not seen by the WAF.

```json
enforcedSecurityPolicy: {
  name: "user-staging-sec-policy"
  priority: 100
  configuredAction: "DENY"
  outcome: "DENY"
  inspectedBodySize: 65536
  preconfiguredExprIds: [
    0: "owasp-crs-v042200-id942140-sqli"
  ]
  matchedFieldType: "ARG_VALUES"
  matchedFieldName: "sql_table"
  matchedFieldValue: "pg_catalog"
  matchedFieldLength: 18
  matchedOffset: 4
  matchedLength: 10
}
```

--------------------------------

### Cloud Armor security policy rule example
Source: https://docs.cloud.google.com/armor/docs/troubleshooting

This is an example of a security policy's rules, showing different actions (allow, deny) and match conditions based on expressions or source IP ranges, along with their priorities. Remember that rules are evaluated from the lowest priority number upwards and the first match wins, so the `deny(404)` rule at priority 50 is checked before the allow at priority 100.
```yaml
---
…
name: POLICY_NAME
rules:
- action: allow
  description: allow fastly ip addresses
  kind: compute#securityPolicyRule
  match:
    expr:
      expression: evaluatePreconfiguredExpr('sourceiplist-fastly')
  preview: false
  priority: 100
- action: deny(403)
  description: Default rule, higher priority overrides it
  kind: compute#securityPolicyRule
  match:
    config:
      srcIpRanges:
      - '*'
    versionedExpr: SRC_IPS_V1
  preview: false
  priority: 2147483647
- action: deny(404)
  description: deny altostrat referer
  kind: compute#securityPolicyRule
  match:
    expr:
      expression: request.headers['Referer'].contains('altostrat')
  preview: false
  priority: 50
…
```

--------------------------------

### Example Request Triggering WAF Rule
Source: https://docs.cloud.google.com/armor/docs/verbose-logging

This is an example of a client request that might trigger a SQL injection WAF rule when verbose logging is enabled.

```bash
curl http://IP_ADDR/?sql_table=abc%20pg_catalog%20xyz
```

--------------------------------

### Example global address group identifier
Source: https://docs.cloud.google.com/armor/docs/address-groups-overview

An example of the unique identifier for a global address group named `example-address-group` in the project `myproject`.

```text
projects/myproject/locations/global/addressGroups/example-address-group
```

--------------------------------

### Create a rule to redirect traffic for reCAPTCHA manual challenge
Source: https://docs.cloud.google.com/armor/docs/configure-bot-management

This example creates a rule that redirects traffic targeting `/login.html` to a reCAPTCHA manual challenge.
```bash
gcloud compute security-policies rules create 1000 \
    --security-policy SECURITY_POLICY \
    --expression "request.path.matches(\"/login.html\")" \
    --action redirect \
    --redirect-type google-recaptcha
```

--------------------------------

### Rule Status and Attack Size Example
Source: https://docs.cloud.google.com/armor/docs/adaptive-protection-overview

This snippet shows the structure for rule status and attack size. Use `ruleStatus` to determine why a rule might not have been generated. `attackSize` is measured in queries per second (QPS).

```yaml
ruleStatus: RULE_GENERATED
attackSize: 5000
```

--------------------------------

### Example Adaptive Protection Auto-Deploy Rule Condition
Source: https://docs.cloud.google.com/armor/docs/adaptive-protection-overview

Use this match condition within an auto-deployed rule to target specific granular traffic units based on host and path.

```cel
evaluateAdaptiveProtectionAutoDeploy() && request.headers['host'] == ... && request.path == ...
```

--------------------------------

### get
Source: https://docs.cloud.google.com/armor/docs/audit-logging

Retrieves information about a backend service. This is not a long-running operation.

```APIDOC
## get
### Description
Retrieves information about a backend service. This is not a long-running operation.
### Method
v1.compute.backendServices.get
### Audit Log Type
Data access
### Permissions
- compute.backendServices.get - ADMIN_READ
### Filter
protoPayload.methodName="v1.compute.backendServices.get"
```

--------------------------------

### Throttle Rule Log Example
Source: https://docs.cloud.google.com/armor/docs/request-logging

This log entry details a request blocked by a throttle rule in a Cloud Armor security policy. It shows the configured action (`THROTTLE`), the outcome (`DENY`), and in `rateLimitAction` the key that was counted and why the request was rejected.
```json
jsonPayload: {
  enforcedSecurityPolicy: {
    priority: 100
    name: "sample-prod-policy"
    configuredAction: "THROTTLE"
    outcome: "DENY"
    rateLimitAction: {
      key: "sample-key"
      outcome: "RATE_LIMIT_THRESHOLD_EXCEED"
    }
  }
  @type: "type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry"
  statusDetails: "denied_by_security_policy"
}
httpRequest: {8}
resource: {2}
timestamp: "2021-03-17T19:16:48.185763Z"
```

--------------------------------

### Example Cloud Armor log entry
Source: https://docs.cloud.google.com/armor/docs/troubleshooting

This log entry shows details of a request, including the source IP, referer, and the Cloud Armor policy that enforced an action, indicating which rule was matched and why. Here the `Referer` of `http://www.altostrat.com/` matched the `deny(404)` rule at priority 50, which is why the response status is 404 and `statusDetails` is `denied_by_security_policy`.

```json
httpRequest: {
  referer: "http://www.altostrat.com/"
  remoteIp: "23.230.32.10"
  requestMethod: "HEAD"
  requestSize: "79"
  requestUrl: "http://www.example.com/"
  responseSize: "258"
  status: 404
  userAgent: "Mozilla/5.0"
}
…
jsonPayload: {
  @type: "type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry"
  enforcedSecurityPolicy: {
    configuredAction: "DENY"
    name: "POLICY_NAME"
    outcome: "DENY"
    priority: 50
  }
  statusDetails: "denied_by_security_policy"
}
…
```

--------------------------------

### Best practice: Validate upstream source and apply user IP logic
Source: https://docs.cloud.google.com/armor/docs/user-ip-overview

This example demonstrates a two-rule security policy. The first rule (higher priority) evaluates the immediate client IP (`origin.ip`) against a provider IP list, so that a decision about the upstream is made before any rule trusts the forwarded user IP. The second rule (lower priority) applies the intended logic to `origin.user_ip`, the end-user address taken from a request header that the upstream proxy sets. That header is only as trustworthy as the party that sets it, so a rule on `origin.user_ip` that is not preceded by a check on `origin.ip` can be bypassed by anyone who sends the header directly.
```cel
evaluateThreatIntelligence('iplist-public-clouds', origin.ip)
```

```cel
inIpRange(origin.user_ip, '9.9.9.0/24')
```

--------------------------------

### Cloud Armor Security Policy Rule Structure
Source: https://docs.cloud.google.com/armor/docs/troubleshooting

This is an example output from describing a security policy, illustrating how rules with different priorities and match conditions are structured. Pay attention to the `priority`, `action`, and `match` fields: rules are evaluated in ascending priority order and the first match wins, so a request from 1.2.3.4 is allowed by the rule at priority 100 even though the rule at priority 200 denies the whole 1.2.3.0/24 range.

```yaml
creationTimestamp: '2017-04-18T14:47:58.045-07:00'
description:
fingerprint: Yu5spBjdoC0=
id: '2560355463394441057'
kind: compute#securityPolicy
name: POLICY_NAME
rules:
- action: allow
  description: allow high priority rule
  kind: compute#securityPolicyRule
  match:
    srcIpRanges:
    - "1.2.3.4/32"
  preview: false
  priority: 100
- action: deny
  description: deny lower priority rule
  kind: compute#securityPolicyRule
  match:
    srcIpRanges:
    - "1.2.3.0/24"
  preview: false
  priority: 200
- action: deny
  description: default rule
  kind: compute#securityPolicyRule
  match:
    srcIpRanges:
    - "*"
  preview: false
  priority: 2147483647
selfLink: http://www.googleapis.com/compute/v1/projects/bigclustertestdev0-devconsole/global/securityPolicies/sp
```

--------------------------------

### Set up a basic preconfigured WAF rule
Source: https://docs.cloud.google.com/armor/docs/configure-waf

Use this rule to enable all signatures with a sensitivity level less than or equal to the specified value. Replace the placeholders with your configuration details.
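The priority semantics above (lowest number first, first match wins) are the usual cause of a deny rule that "does not work". The following is an added example, not code from the Cloud Armor documentation: it simulates Cloud Armor's first-match evaluation of `srcIpRanges` rules over the three rules from the troubleshooting export above, reports which enforced rules were shadowed by an earlier match, and shows how a rule left in preview mode (`PREVIEW_RULE`, an invented rule for this example) is reported but never enforced.

```python
# Added example (not from the Cloud Armor docs): first-match simulator for
# srcIpRanges rules, evaluated in ascending priority order as Cloud Armor does.
# POLICY_RULES is constructed from the troubleshooting export above; PREVIEW_RULE
# is invented to show that preview-mode rules are logged but not enforced.
import ipaddress

POLICY_RULES = [
    {"priority": 200, "action": "deny", "srcIpRanges": ["1.2.3.0/24"],
     "preview": False, "description": "deny lower priority rule"},
    {"priority": 100, "action": "allow", "srcIpRanges": ["1.2.3.4/32"],
     "preview": False, "description": "allow high priority rule"},
    {"priority": 2147483647, "action": "deny", "srcIpRanges": ["*"],
     "preview": False, "description": "default rule"},
]

# Invented: a deny-everything rule at a very high priority, left in preview mode.
PREVIEW_RULE = {"priority": 50, "action": "deny(403)", "srcIpRanges": ["*"],
                "preview": True, "description": "preview-only deny"}


def ip_matches(client_ip, src_ip_ranges):
    """True if client_ip falls in any of the rule's srcIpRanges ('*' matches all)."""
    addr = ipaddress.ip_address(client_ip)
    for cidr in src_ip_ranges:
        if cidr == "*":
            return True
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def evaluate(rules, client_ip):
    """Return (priority, action, previewed) for client_ip.

    previewed lists the priorities of preview-mode rules that matched before the
    enforced rule; they appear in the logs but do not change the action.
    """
    previewed = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if not ip_matches(client_ip, rule["srcIpRanges"]):
            continue
        if rule.get("preview"):
            previewed.append(rule["priority"])
            continue
        return rule["priority"], rule["action"], previewed
    raise ValueError("no rule matched; every policy should end in a default rule")


def shadowed_rules(rules, client_ip):
    """Priorities of enforced rules that match client_ip but are never reached,
    because a lower-numbered rule matched first."""
    winner, _, _ = evaluate(rules, client_ip)
    return sorted(r["priority"] for r in rules
                  if not r.get("preview")
                  and r["priority"] > winner
                  and ip_matches(client_ip, r["srcIpRanges"]))


if __name__ == "__main__":
    for ip in ("1.2.3.4", "1.2.3.5", "8.8.8.8"):
        prio, action, previewed = evaluate(POLICY_RULES + [PREVIEW_RULE], ip)
        print(f"{ip}: {action} by rule {prio}; preview hits {previewed}; "
              f"shadowed {shadowed_rules(POLICY_RULES, ip)}")
```

When a request from 1.2.3.4 is allowed, `shadowed_rules` returns `[200, 2147483647]`: both deny rules match the address but are never consulted. That is the check to run before assuming the deny rule itself is wrong.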
```cel
evaluatePreconfiguredWaf('RULE_NAME', {'sensitivity': SENSITIVITY})
```

```bash
gcloud compute security-policies rules create PRIORITY \
    --security-policy POLICY_NAME \
    --expression "evaluatePreconfiguredWaf('RULE_NAME', {'sensitivity': SENSITIVITY})" \
    --action deny-403
```

--------------------------------

### Example: Delete a specific rule
Source: https://docs.cloud.google.com/armor/docs/configure-security-policies

Example command to delete the rule with priority 1000 from the `my-policy` security policy.

```bash
gcloud compute security-policies rules delete 1000 \
    --security-policy my-policy
```

--------------------------------

### Enable Adaptive Protection for a security policy (with variable)
Source: https://docs.cloud.google.com/armor/docs/configure-adaptive-protection?hl=pt

Enable Adaptive Protection for the specified security policy. Replace POLICY_NAME with your policy.

```bash
gcloud compute security-policies update POLICY_NAME \
    --enable-layer7-ddos-defense
```

--------------------------------

### Initialize Google Cloud CLI
Source: https://docs.cloud.google.com/armor/docs/custom-constraints

Run this command to initialize the Google Cloud CLI. Ensure you have the latest version by running `gcloud components update` if needed.

```bash
gcloud init
```

--------------------------------

### Set up a WAF rule with opted-in signatures
Source: https://docs.cloud.google.com/armor/docs/configure-waf

Create a WAF rule that evaluates only the specified signatures. This requires setting the sensitivity level to 0, which disables every signature not explicitly listed in `opt_in_rule_ids`. Replace the signature names with the IDs you want to opt in.
```cel
evaluatePreconfiguredWaf('RULE_NAME', {'sensitivity': 0, 'opt_in_rule_ids': ['SIGNATURE_1', 'SIGNATURE_2']})
```

```bash
gcloud compute security-policies rules create PRIORITY \
    --security-policy POLICY_NAME \
    --expression "evaluatePreconfiguredWaf('RULE_NAME', {'sensitivity': 0, 'opt_in_rule_ids': ['SIGNATURE_1', 'SIGNATURE_2']})" \
    --action deny-403
```

--------------------------------

### List Available Preconfigured Expression Sets
Source: https://docs.cloud.google.com/armor/docs/configure-security-policies

Run this command to view the predefined application protection rules and signatures available in Cloud Armor, such as the OWASP Core Rule Set.

```bash
gcloud compute security-policies list-preconfigured-expression-sets
```

--------------------------------

### Example Exported Security Policy Structure
Source: https://docs.cloud.google.com/armor/docs/configure-security-policies

This is an example of the structure of an exported Cloud Armor security policy in YAML format. It includes policy details and rules.

```yaml
description: my description
fingerprint: PWfLGDWQDLY=
id: '123'
name: my-policy
rules:
- action: allow
  description: default rule
  match:
    config:
      srcIpRanges:
      - '*'
    versionedExpr: SRC_IPS_V1
  preview: false
  priority: 2147483647
selfLink: https://www.googleapis.com/compute/v1/projects/my-project/global/securityPolicies/my-policy
```

--------------------------------

### Enable Adaptive Protection for a security policy
Source: https://docs.cloud.google.com/armor/docs/configure-adaptive-protection?hl=pt

Use this command to enable Adaptive Protection for an existing security policy. Make sure you replace MY-SECURITY-POLICY with the name of your policy.
```bash
gcloud compute security-policies update MY-SECURITY-POLICY \
    --enable-layer7-ddos-defense
```

--------------------------------

### Cloud Logging: DDoS Mitigation Started Event Log
Source: https://docs.cloud.google.com/armor/docs/ddos-visibility

This log entry details the start of a DDoS mitigation event, including the target VIP, total traffic volume, and the top source IPs and geographies. Note that the `pps` and `bps` counters are serialized as JSON strings, not numbers.

```json
{
  "id": "20220101_1235_mitigiation_1.2.3.4",
  "mitigationType": "MITIGATION_STARTED",
  "targetVip": "1.2.3.4",
  "totalVolume": {
    "pps": "1234000",
    "bps": "9876000000"
  },
  "started": {
    "totalAttackVolume": {
      "pps": "1000000",
      "bps": "9000000000"
    },
    "topSourceIp": [
      {
        "ipAddress": "1.2.3.4",
        "volume": {
          "pps": "10000",
          "bps": "2000000"
        }
      },
      {
        "ipAddress": "2.3.4.5",
        "volume": {
          "pps": "5000",
          "bps": "1000000"
        }
      }
    ],
    "topSourceGeo": [
      {
        "geo": "US",
        "volume": {
          "pps": "100000",
          "bps": "20000000"
        }
      }
    ]
  }
}
```

--------------------------------

### View the effective security policies for a resource
Source: https://docs.cloud.google.com/armor/docs/hierarchical-policies-using?hl=it

Retrieves all Cloud Armor security policy rules that apply to a specific protected resource. This command is useful for debugging and verifying security configurations.

```bash
gcloud compute backend-services get-effective-security-policies PROTECTED_RESOURCE
```

--------------------------------

### Configure a granular traffic unit per host
Source: https://docs.cloud.google.com/armor/docs/configure-adaptive-protection?hl=pt

Configure Adaptive Protection to detect attacks on, and suggest independent mitigations for, each host behind your backend service. This uses the `--traffic-granularity-configs` flag to specify granularity by the HTTP Host header.
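The first questions on call during a mitigation are how much of the traffic at the VIP is attack and whether a few sources dominate it. The following is an added example, not code from the Cloud Armor documentation: it normalises a `MITIGATION_STARTED` or `MITIGATION_ONGOING` entry in the ddos-visibility format above (converting the string-typed `pps`/`bps` counters to integers), computes the attack share and how much of the attack the listed top IPs account for, and builds a Logs Explorer filter for the VIP. `SAMPLE_ALERT` is a constructed entry shaped like the page's example with invented values; the `jsonPayload.targetVip` field name in the filter is assumed from that sample.

```python
# Added example (not from the Cloud Armor docs): summarise a DDoS mitigation
# alert in the ddos-visibility log format. Numeric fields arrive as JSON
# strings, so they are converted with int() before any arithmetic.
import json

# Constructed sample shaped like the page's MITIGATION_STARTED entry; values invented.
SAMPLE_ALERT = json.loads("""
{
  "id": "20220101_1235_mitigation_203.0.113.4",
  "mitigationType": "MITIGATION_STARTED",
  "targetVip": "203.0.113.4",
  "totalVolume": {"pps": "1234000", "bps": "9876000000"},
  "started": {
    "totalAttackVolume": {"pps": "1000000", "bps": "9000000000"},
    "topSourceIp": [
      {"ipAddress": "198.51.100.7", "volume": {"pps": "10000", "bps": "2000000"}},
      {"ipAddress": "192.0.2.9", "volume": {"pps": "5000", "bps": "1000000"}}
    ],
    "topSourceGeo": [
      {"geo": "US", "volume": {"pps": "100000", "bps": "20000000"}}
    ]
  }
}
""")

# The sub-object that carries the detail depends on the mitigation phase.
PHASE_KEYS = {"MITIGATION_STARTED": "started", "MITIGATION_ONGOING": "ongoing"}


def volume(v):
    """Convert a {"pps": "...", "bps": "..."} object with string numbers to ints."""
    return {"pps": int(v["pps"]), "bps": int(v["bps"])}


def summarize(alert):
    """Return the attack share of total traffic and the top sources, highest pps first."""
    phase = alert["mitigationType"]
    detail = alert[PHASE_KEYS[phase]]
    total = volume(alert["totalVolume"])
    attack = volume(detail["totalAttackVolume"])
    ips = sorted(((s["ipAddress"], volume(s["volume"]))
                  for s in detail.get("topSourceIp", [])),
                 key=lambda item: item[1]["pps"], reverse=True)
    geos = sorted(((g["geo"], volume(g["volume"]))
                   for g in detail.get("topSourceGeo", [])),
                  key=lambda item: item[1]["pps"], reverse=True)
    return {
        "phase": phase,
        "target_vip": alert["targetVip"],
        "attack_share_pps": attack["pps"] / total["pps"],
        "attack_share_bps": attack["bps"] / total["bps"],
        # Share of the attack that the listed top IPs account for. A small value
        # means the flood is widely distributed and per-IP blocking will not help.
        "top_ip_coverage": sum(v["pps"] for _, v in ips) / attack["pps"],
        "top_ips": ips,
        "top_geos": geos,
    }


def logging_filter(target_vip):
    """Logs Explorer filter for every mitigation event on one VIP. The
    jsonPayload.targetVip field name is assumed from the sample entry."""
    return (f'resource.type="network_security_policy"\n'
            f'jsonPayload.targetVip="{target_vip}"')


if __name__ == "__main__":
    s = summarize(SAMPLE_ALERT)
    print(f"{s['phase']} on {s['target_vip']}: "
          f"{s['attack_share_pps']:.0%} of packets are attack; "
          f"top {len(s['top_ips'])} IPs cover {s['top_ip_coverage']:.1%} of it")
    print(logging_filter(s["target_vip"]))
```

In the sample the two top IPs cover only 1.5% of the attack packets, which is the signal that a per-IP deny rule in a network edge policy would be pointless and that the mitigation has to stay volumetric.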
```bash
gcloud compute security-policies add-layer7-ddos-defense-threshold-config POLICY_NAME \
    --threshold-config-name=per-host-config \
    --traffic-granularity-configs="type=HTTP_HEADER_HOST;enableEachUniqueValue=true"
```

The value of `--traffic-granularity-configs` contains a `;`, so quote it as shown; unquoted, the shell would treat `enableEachUniqueValue=true` as a separate command.

--------------------------------

### Cloud Logging Filter for Mitigation Started Events
Source: https://docs.cloud.google.com/armor/docs/advanced-network-ddos?hl=zh-TW

Use this log filter in Cloud Logging to view events where DDoS mitigation has started. It targets network security policy resources and the `MITIGATION_STARTED` mitigation type.

```text
resource.type="network_security_policy"
jsonPayload.mitigationType="MITIGATION_STARTED"
```

--------------------------------

### Customize auto-deploy and detection thresholds for granular traffic units
Source: https://docs.cloud.google.com/armor/docs/configure-adaptive-protection?hl=pt

Customize the auto-deploy and detection thresholds for specific granular traffic units, such as a host and URL path. Replace HOST and PATH with your values.

```bash
gcloud compute security-policies add-layer7-ddos-defense-threshold-config POLICY_NAME \
    --threshold-config-name=my-host-config \
    --auto-deploy-impacted-baseline-threshold=0.01 \
    --auto-deploy-expiration-sec=3600 \
    --traffic-granularity-configs="type=HTTP_HEADER_HOST;value=HOST,type=HTTP_PATH;value=PATH"
```

--------------------------------

### String Length Calculation
Source: https://docs.cloud.google.com/armor/docs/rules-language-reference

Get the length of a string.

```cel
size(x)
```

--------------------------------

### Set up a custom constraint
Source: https://docs.cloud.google.com/armor/docs/custom-constraints

Use this command to make a custom constraint available for organization policies. Replace CONSTRAINT_PATH with the path to your custom constraint YAML file.
```bash
gcloud org-policies set-custom-constraint CONSTRAINT_PATH
```

--------------------------------

### Enable Adaptive Protection and Apply to Backend Service
Source: https://docs.cloud.google.com/armor/docs/configure-adaptive-protection

First, enable Adaptive Protection for the policy if it is not already enabled. The policy then has to be attached to a backend service before it protects anything; that step is not shown here.

```bash
gcloud compute security-policies update POLICY_NAME --enable-layer7-ddos-defense
```

--------------------------------

### Cloud Armor Ongoing Mitigation Log Entry Example
Source: https://docs.cloud.google.com/armor/docs/advanced-network-ddos?hl=zh-TW

This example log entry illustrates the format for a `MITIGATION_ONGOING` event in Cloud Armor. It has the same shape as the `MITIGATION_STARTED` entry, with the detail under `ongoing` instead of `started`: alert ID, mitigation type, target VIP, current traffic volumes, and the ongoing attack characteristics.

```json
@type: "type.googleapis.com/google.cloud.networksecurity.cloudarmor.logging.v1.CloudArmorMitigationAlert"
alertId: "11275630857957031521"
mitigation_type: "MITIGATION_ONGOING"
target_vip: "XXX.XXX.XXX.XXX"
total_volume: {
  pps: 1500000
  bps: 150000000
}
ongoing: {
  total_attack_volume: {
    pps: 1100000
    bps: 110000000
  }
  classified_attack: {
    attack_type: "NTP-udp"
    attack_volume: {
      pps: 500000
      bps: 50000000
    }
  }
  classified_attack: {
    attack_type: "CHARGEN-udp"
    attack_volume: {
      pps: 600000
      bps: 60000000
    }
  }
  attack_sources: {
    top_source_asns: {
      asn: "ABCDEF"
      volume: {
        pps: 20000
        bps: 2000000
      }
    }
    top_source_asns: {
      asn: "UVWXYZ"
      volume: {
        pps: 20000
        bps: 2000000
      }
    }
    top_source_geos: {
      region_code: "XX"
      volume: {
        pps: 20000
        bps: 2000000
      }
    }
    top_source_geos: {
      region_code: "XY"
      volume: {
        pps: 20000
        bps: 2000000
      }
    }
    top_source_ips: {
      region_code: "xx.xx.xx.xx"
      volume: {
        pps: 20000
        bps: 2000000
      }
    }
    top_source_ips: {
      region_code: "yy.yy.yy.yy"
      volume: {
        pps: 20000
        bps: 2000000
      }
    }
  }
}
```

--------------------------------

### Disable Adaptive Protection for a security policy
Source: https://docs.cloud.google.com/armor/docs/configure-adaptive-protection?hl=pt

Use this command to disable Adaptive Protection for a security policy. Replace MY-SECURITY-POLICY with the name of your policy.

```bash
gcloud compute security-policies update MY-SECURITY-POLICY \
    --no-enable-layer7-ddos-defense
```

--------------------------------

### getIamPolicy
Source: https://docs.cloud.google.com/armor/docs/audit-logging

Gets the IAM policy for a backend service. This is not a long-running operation.

```APIDOC
## getIamPolicy
### Description
Gets the IAM policy for a backend service. This is not a long-running operation.
### Method
v1.compute.backendServices.getIamPolicy
### Audit Log Type
Data access
### Permissions
- compute.backendServices.getIamPolicy - ADMIN_READ
### Filter
protoPayload.methodName="v1.compute.backendServices.getIamPolicy"
```

--------------------------------

### getHealth
Source: https://docs.cloud.google.com/armor/docs/audit-logging

Gets the health status of a backend service. This is not a long-running operation.

```APIDOC
## getHealth
### Description
Gets the health status of a backend service. This is not a long-running operation.
### Method
v1.compute.backendServices.getHealth
### Audit Log Type
Data access
### Permissions
- compute.backendServices.get - ADMIN_READ
### Filter
protoPayload.methodName="v1.compute.backendServices.getHealth"
```

--------------------------------

### Describe a backend service
Source: https://docs.cloud.google.com/armor/docs/troubleshooting

Use this command to describe a backend service. It helps when troubleshooting traffic issues by letting you verify the service's configuration, including which security policy is attached.

```bash
gcloud compute backend-services describe BACKEND_SERVICE
```

--------------------------------

### String Starts With Substring Operator
Source: https://docs.cloud.google.com/armor/docs/rules-language-reference

Check whether a string begins with a specific substring.
```cel
x.startsWith(y)
```

--------------------------------

### Original security policy structure
Source: https://docs.cloud.google.com/armor/docs/configure-security-policies

Example of an exported security policy structure before modification. This serves as the baseline for updates.

```yaml
description: my description
fingerprint: PWfLGDWQDLY=
id: '123'
name: my-policy
rules:
- action: deny(404)
  description: my-rule-1
  match:
    expr:
      expression: evaluatePreconfiguredWaf('xss-stable')
    versionedExpr: SRC_IPS_V1
  preview: false
  priority: 1
- action: allow
  description: my-rule-2
  match:
    config:
      srcIpRanges:
      - '1.2.3.4'
    versionedExpr: SRC_IPS_V1
  preview: false
  priority: 2
- action: deny
  description: default rule
  kind: compute#securityPolicyRule
  match:
    config:
      srcIpRanges:
      - '*'
    versionedExpr: SRC_IPS_V1
  preview: false
  priority: 2147483647
selfLink: https://www.googleapis.com/compute/v1/projects/my-project/global/securityPolicies/my-policy
```

--------------------------------

### Add Preconfigured WAF Rule in Preview Mode
Source: https://docs.cloud.google.com/armor/docs/troubleshooting

Use this command to add a preconfigured WAF rule in preview mode. This lets you watch in the logs which requests the rule would have matched, without blocking traffic.

```bash
gcloud compute security-policies rules create 1000 \
    --security-policy POLICY_NAME \
    --expression "evaluatePreconfiguredWaf('xss-stable')" \
    --action deny-403 \
    --preview
```

--------------------------------

### Modified security policy structure
Source: https://docs.cloud.google.com/armor/docs/configure-security-policies

Example of a security policy structure after modification. Rules can be reordered, priorities changed, and new rules added.
```yaml
description: my description
fingerprint: PWfLGDWQDLY=
id: '123'
name: my-policy
rules:
- action: deny(404)
  description: my-rule-1
  match:
    expr:
      expression: evaluatePreconfiguredWaf('xss-stable')
    versionedExpr: SRC_IPS_V1
  preview: false
  priority: 1
- action: allow
  description: my-new-rule
  match:
    config:
      srcIpRanges:
      - '1.2.3.1'
    versionedExpr: SRC_IPS_V1
  preview: false
  priority: 10
- action: allow
  description: my-rule-2
  match:
    config:
      srcIpRanges:
      - '1.2.3.4'
    versionedExpr: SRC_IPS_V1
  preview: false
  priority: 11
- action: deny
  description: default rule
  kind: compute#securityPolicyRule
  match:
    config:
      srcIpRanges:
      - '*'
    versionedExpr: SRC_IPS_V1
  preview: false
  priority: 2147483647
selfLink: https://www.googleapis.com/compute/v1/projects/my-project/global/securityPolicies/my-policy
```

--------------------------------

### List custom constraints for an organization
Source: https://docs.cloud.google.com/armor/docs/custom-constraints

Verify that your custom constraint has been set up by listing all custom constraints for your organization. Replace ORGANIZATION_ID with your organization's ID.

```bash
gcloud org-policies list-custom-constraints --organization=ORGANIZATION_ID
```

--------------------------------

### Create Google Cloud Armor Security Policies
Source: https://docs.cloud.google.com/armor/docs/example-policies

Use these commands to create new security policies for managing traffic.

```bash
gcloud compute security-policies create mobile-clients-policy \
    --description "policy for external users"
```

```bash
gcloud compute security-policies create internal-users-policy \
    --description "policy for internal test users"
```

--------------------------------

### Describe a Specific Rule in a Security Policy
Source: https://docs.cloud.google.com/armor/docs/configure-security-policies?hl=zh-CN

Use the `gcloud compute security-policies rules describe` command to get details about a specific rule within a security policy, identified by its priority.
```bash
gcloud compute security-policies rules describe PRIORITY \
    --security-policy POLICY_NAME
```

--------------------------------

### Sample Cloud Armor Log Entry for Allowed Request
Source: https://docs.cloud.google.com/armor/docs/troubleshooting

Analyze the HTTP(S) load balancer logs to understand why traffic was allowed. Check `configuredAction`, `name`, `outcome`, and `priority` under `enforcedSecurityPolicy`: in this entry the request was accepted by the default rule (priority 2147483647), which means no higher-priority deny rule matched it.

```yaml
httpRequest:
  remoteIp: 104.133.0.95
  requestMethod: GET
  requestSize: '801'
  requestUrl: http://74.125.67.38/
  responseSize: '246'
  serverIp: 10.132.0.4
  status: 200
  userAgent: curl/7.35.0
insertId: ajvis5ev4i60
internalId:
  projectNumber: '895280006100'
jsonPayload:
  '@type': type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry
  enforcedSecurityPolicy:
    configuredAction: ACCEPT
    name: mydev-policy-log-test1
    outcome: ACCEPT
    priority: 2147483647
  statusDetails: response_sent_by_backend
logName: projects/mydev-staging/logs/requests
resource:
  labels:
    backend_service_name: BACKEND_SERVICE_NAME
    forwarding_rule_name: FORWARDING_RULE_NAME
    project_id: PROJECT_ID
    target_proxy_name: TARGET_HTTP_PROXY_NAME
    url_map_name: URL_MAP_NAME
    zone: global
  type: http_load_balancer
severity: INFO
timestamp: '2017-04-18T18:57:05.845960288Z'
```

--------------------------------

### Set Sensitivity Level for Preconfigured WAF Rule
Source: https://docs.cloud.google.com/armor/docs/rule-tuning

Tune a preconfigured WAF rule by selecting a sensitivity level. A rule enables every signature whose sensitivity level is less than or equal to the configured value; this example sets the sensitivity to 1, which enables only the level-1 signatures (the highest-confidence ones, least likely to produce false positives). Higher values enable more aggressive signatures and raise the false-positive rate.

```cel
evaluatePreconfiguredWaf(
  'sqli-v422-stable',
  { 'sensitivity': 1 }
)
```

--------------------------------

### Describe All Rules in a Security Policy
Source: https://docs.cloud.google.com/armor/docs/configure-security-policies?hl=zh-CN

Use the `gcloud compute security-policies describe` command to list all rules and the description for a specific security policy.
```bash
gcloud compute security-policies describe NAME
```

--------------------------------

### Update a Cloud Armor security policy
Source: https://docs.cloud.google.com/armor/docs/example-policies

Use the `gcloud compute security-policies update` command to modify an existing policy. This example enables JSON parsing and changes the log level to verbose.

```bash
gcloud compute security-policies update my-policy \
    --json-parsing=STANDARD \
    --log-level=VERBOSE
```

--------------------------------

### Update the default rule to deny
Source: https://docs.cloud.google.com/armor/docs/network-edge-policies?hl=zh-CN

Set the default rule of a network edge security policy to deny all traffic that does not match any other rule. Skip this if the default rule is already deny.

```bash
gcloud compute security-policies rules update 2147483647 \
    --security-policy=POLICY_NAME \
    --action=deny \
    --region=REGION_NAME
```

--------------------------------

### Error message when custom constraint is violated
Source: https://docs.cloud.google.com/armor/docs/custom-constraints

This is an example of the error output received when attempting to create a resource that violates an active custom organization policy. The message names the constraint that blocked the operation.

```text
ERROR: (gcloud.compute.securityPolicies.create) Could not fetch resource:
 - Operation denied by custom org policy: [customConstraints/custom.requireStandardJsonParsing] : Security policies must have standard JSON parsing enabled.
```

--------------------------------

### Create a Cloud Armor network security policy
Source: https://docs.cloud.google.com/armor/docs/advanced-network-ddos

Use this command to create a new security policy of type CLOUD_ARMOR_NETWORK. Replace `SECURITY_POLICY_NAME` and `REGION` with your specific values.
```bash
gcloud compute security-policies create SECURITY_POLICY_NAME \
    --type CLOUD_ARMOR_NETWORK \
    --region REGION
```

--------------------------------

### Allow traffic from a named IP list
Source: https://docs.cloud.google.com/armor/docs/armor-named-ip

This is an example of a preconfigured rule that allows all traffic from a specified named IP address list. It simplifies traffic management by automatically synchronizing with the provider's published data.

```plaintext
evaluatePreconfiguredExpr('provider-a') => allow traffic
```

--------------------------------

### Enroll project in Cloud Armor Enterprise Paygo
Source: https://docs.cloud.google.com/armor/docs/armor-enterprise-using

Use this command to enroll a project in the Cloud Armor Enterprise Paygo tier. Ensure you have the necessary permissions.

```bash
gcloud compute project-info update --cloud-armor-tier CA_ENTERPRISE_PAYGO
```

--------------------------------

### Create Security Policy Rule with Preconfigured WAF
Source: https://docs.cloud.google.com/armor/docs/example-policies

Creates a security policy rule that uses a preconfigured expression set to mitigate SQLi attacks.

```bash
gcloud compute security-policies rules create 1000 \
    --security-policy my-policy \
    --expression "evaluatePreconfiguredWaf('sqli-v422-stable')" \
    --action "deny-403"
```

--------------------------------

### Add an advanced rule to a regional security policy
Source: https://docs.cloud.google.com/armor/docs/example-policies

Add a custom advanced rule to a regional security policy. This example allows requests containing a specific cookie value. Replace POLICY_NAME and REGION.
```bash
gcloud compute security-policies rules create 1000 --action=allow \
    --expression="has(request.headers['cookie']) && request.headers['cookie'].contains('80=EXAMPLE')" \
    --security-policy=POLICY_NAME \
    --region=REGION
```

--------------------------------

### Create a security policy rule referencing a named IP address list
Source: https://docs.cloud.google.com/armor/docs/troubleshooting

Use this command to create a security policy rule that evaluates a named IP address list. Ensure the provider is supported and the list name is accurate.

```bash
gcloud compute security-policies rules create 750 \
    --security-policy my \
    --expression "evaluatePreconfiguredExpr('sourceiplist-example')" \
    --action "allow"
```

--------------------------------

### Create a project-scoped IPv4 address group for Cloud Armor or NGFW
Source: https://docs.cloud.google.com/armor/docs/address-groups-using

Use this command to create an IPv4 address group with a capacity of 1000, suitable for both Cloud Armor and Cloud NGFW. The capacity cannot be changed after creation.

```bash
gcloud network-security address-groups create GROUP_NAME \
    --location global \
    --description "address group description" \
    --capacity 1000 \
    --type IPv4 \
    --purpose DEFAULT,CLOUD_ARMOR
```

--------------------------------

### Rate-Based Ban Rule Log Example
Source: https://docs.cloud.google.com/armor/docs/request-logging

This log entry illustrates a request denied by a rate-based ban rule within a Cloud Armor security policy. It specifies the rule's priority, name, and action, and `rateLimitAction.outcome` distinguishes a ban (`BAN_THRESHOLD_EXCEED`) from an ordinary throttle.
```json
jsonPayload: {
  @type: "type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry"
  enforcedSecurityPolicy: {
    priority: 150
    name: "sample-prod-policy"
    outcome: "DENY"
    configuredAction: "RATE_BASED_BAN"
    rateLimitAction: {
      key: "sample-key"
      outcome: "BAN_THRESHOLD_EXCEED"
    }
  }
  statusDetails: "denied_by_security_policy"
}
httpRequest: {8}
resource: {2}
timestamp: "2021-03-17T19:27:17.393244Z"
```

--------------------------------

### Configure Customized Adaptive Protection Thresholds
Source: https://docs.cloud.google.com/armor/docs/configure-adaptive-protection

Apply custom detection thresholds to Adaptive Protection for a security policy. This command sets the attack volume detection to 1.5 times the baseline QPS and requires backend load to exceed 90% of capacity.

```bash
gcloud compute security-policies add-layer7-ddos-defense-threshold-config POLICY_NAME \
    --threshold-config-name=my-customized-thresholds \
    --detection-load-threshold=0.9 \
    --detection-relative-to-baseline-qps=1.5
```
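The request-log entries on this page (the false-positive entry with `preconfiguredExprIds`, the throttle entry, and the rate-based ban entry above) share one `enforcedSecurityPolicy` structure, so they can be triaged together. The following is an added example, not code from the Cloud Armor documentation: it groups `LoadBalancerLogEntry` records by matched rule and WAF signature, separates rate-limit outcomes, collects the `requestUrl`/`cookie` details the false-positive procedure says to review, and emits a Logs Explorer filter for one signature. `LOG_ENTRIES` are constructed samples with invented values, shaped like the page's entries; the filter relies on Logging's equality on a repeated field matching any element.

```python
# Added example (not from the Cloud Armor docs): triage Cloud Armor request log
# entries by rule, WAF signature and rate-limit outcome. LOG_ENTRIES are
# constructed samples shaped like the page's log entries; all values invented.
import json
from collections import Counter

LOG_ENTRIES = [json.loads(line) for line in """
{"httpRequest": {"remoteIp": "198.51.100.10", "requestUrl": "http://www.example.com/foo?document.cookie=1010", "status": 200}, "jsonPayload": {"enforcedSecurityPolicy": {"name": "my-policy", "priority": 2147483647, "configuredAction": "ACCEPT", "outcome": "ACCEPT", "preconfiguredExprIds": ["owasp-crs-v042200-id941180-xss"]}, "statusDetails": "response_sent_by_backend"}}
{"httpRequest": {"remoteIp": "198.51.100.11", "requestUrl": "http://www.example.com/?sql_table=abc%20pg_catalog%20xyz", "status": 403}, "jsonPayload": {"enforcedSecurityPolicy": {"name": "my-policy", "priority": 1000, "configuredAction": "DENY", "outcome": "DENY", "preconfiguredExprIds": ["owasp-crs-v042200-id942140-sqli"]}, "statusDetails": "denied_by_security_policy"}}
{"httpRequest": {"remoteIp": "198.51.100.12", "requestUrl": "http://www.example.com/search?q=select+name+from+menu", "status": 403}, "jsonPayload": {"enforcedSecurityPolicy": {"name": "my-policy", "priority": 1000, "configuredAction": "DENY", "outcome": "DENY", "preconfiguredExprIds": ["owasp-crs-v042200-id942140-sqli"]}, "statusDetails": "denied_by_security_policy"}}
{"httpRequest": {"remoteIp": "198.51.100.13", "requestUrl": "http://www.example.com/login", "status": 429}, "jsonPayload": {"enforcedSecurityPolicy": {"name": "my-policy", "priority": 100, "configuredAction": "THROTTLE", "outcome": "DENY", "rateLimitAction": {"key": "198.51.100.13", "outcome": "RATE_LIMIT_THRESHOLD_EXCEED"}}, "statusDetails": "denied_by_security_policy"}}
{"httpRequest": {"remoteIp": "198.51.100.14", "requestUrl": "http://www.example.com/", "status": 200}, "jsonPayload": {"enforcedSecurityPolicy": {"name": "my-policy", "priority": 2147483647, "configuredAction": "ACCEPT", "outcome": "ACCEPT"}, "statusDetails": "response_sent_by_backend"}}
""".strip().splitlines()]


def triage(entries):
    """Aggregate what the policy did across a batch of log entries.

    by_rule:       hits per (priority, configuredAction, outcome)
    by_signature:  hits per preconfigured WAF signature
    rate_limited:  hits per (configuredAction, rateLimitAction.outcome)
    review:        every request that matched a signature, with the fields the
                   false-positive procedure says to inspect. A signature hit whose
                   outcome is still ACCEPT was recorded without blocking (the
                   pattern seen while a WAF rule is in preview), so it is the
                   first place to look for false positives before enforcing.
    """
    by_rule, by_signature, rate_limited, review = Counter(), Counter(), Counter(), []
    for entry in entries:
        policy = entry["jsonPayload"].get("enforcedSecurityPolicy")
        if policy is None:
            continue  # no security policy attached to this backend service
        by_rule[(policy["priority"], policy["configuredAction"], policy["outcome"])] += 1
        req = entry["httpRequest"]
        for sig in policy.get("preconfiguredExprIds", []):
            by_signature[sig] += 1
            review.append({"signature": sig, "outcome": policy["outcome"],
                           "remoteIp": req["remoteIp"], "requestUrl": req["requestUrl"],
                           "cookie": req.get("cookie")})
        rl = policy.get("rateLimitAction")
        if rl:
            rate_limited[(policy["configuredAction"], rl["outcome"])] += 1
    return {"by_rule": by_rule, "by_signature": by_signature,
            "rate_limited": rate_limited, "review": review}


def signature_filter(signature, policy_name):
    """Logs Explorer filter for every request that hit one WAF signature under a
    policy. Equality on the repeated preconfiguredExprIds field matches any element."""
    return (f'jsonPayload.enforcedSecurityPolicy.name="{policy_name}"\n'
            f'jsonPayload.enforcedSecurityPolicy.preconfiguredExprIds="{signature}"')


if __name__ == "__main__":
    result = triage(LOG_ENTRIES)
    for sig, n in result["by_signature"].most_common():
        print(f"{n:>4}  {sig}")
    for item in result["review"]:
        print(f"{item['outcome']:<7} {item['signature']}  {item['requestUrl']}")
    print(signature_filter("owasp-crs-v042200-id942140-sqli", "my-policy"))
```

The `review` list is where the judgement happens: the `/search?q=select+name+from+menu` hit on the SQLi signature is the kind of entry that decides whether to lower the rule's sensitivity, exclude the `q` argument, or leave the block in place.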