Stay organized with collections
Save and categorize content based on your preferences.
Verify that an IDS endpoint is functional
To confirm that an IDS endpoint is functional, do the following:
Verify that the IDS endpoint appears in the Cloud IDS Google Cloud console,
and that there is a packet mirroring policy in the Attached Policies column.
Ensure that the attached policy is enabled by clicking the policy name, and
make sure that Policy Enforcement is set to Enabled.
To verify that traffic is being mirrored, choose a VM Instance in the
monitored VPC, go to the Observability tab, and make sure that the Mirrored
Bytes dashboard shows traffic being mirrored to the IDS endpoint.
Ensure that the same traffic (or VM) is not affected by more than one
packet mirroring policy, as each packet can be mirrored to only one
destination. Check the Attached Policies column, and ensure that there is
only one policy per VM.
Generate a test alert by using SSH to connect to a VM in the monitored
network, then run the following command:
If curl is unavailable on the platform, you can use a similar tool for
performing HTTP requests.
After a few seconds, an alert should show up in both the Cloud IDS UI and
in Cloud Logging (Threat Log).
Decrypting traffic for inspection
To inspect traffic, Cloud IDS uses Packet Mirroring to send
packet-level copies of configured traffic to the IDS VM. Even though the
collector destination receives all mirrored packets, any packets that carry data that was
encrypted using a secure protocol like TLS, HTTPS, or HTTP2 can't be decrypted
by Cloud IDS.
For example, if you use HTTPS or HTTP2 as the backend service protocol for an
external application load balancer, packets sent to the load balancer's backends
can be mirrored to Cloud IDS; however, the requests cannot be inspected by
Cloud IDS because the packets carry encrypted data. To enable Cloud IDS
inspection, you must change the backend service protocol to HTTP. Alternatively,
you can use Google Cloud Armor for intrusion
prevention, and enable application load balancer logs for request inspection. For
more information about application load balancer request logging, see
Global external Application Load Balancer logging and
monitoring and
Regional external Application Load Balancer logging and
monitoring.
Only a small volume of traffic is inspected
Cloud IDS inspects traffic sent to or received by resources in mirrored
subnets, including Google Cloud VMs and GKE nodes and
Pods.
If a mirrored subnet contains no VMs, Cloud IDS has no traffic to inspect.
Endpoint policies are ignored when using Cloud NGFW L7 inspection policies
When you use Cloud Next Generation Firewall L7 inspection policies (rules with the
apply_security_profile_group action) and Cloud IDS together, firewall
policy rules are evaluated and traffic is not mirrored for Cloud IDS
inspection. You can avoid this situation by ensuring that
Cloud NGFW L7 inspection policies don't apply to packets that you
need to inspect with Cloud IDS.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[[["\u003cp\u003eTo confirm an IDS endpoint is functional, verify its presence in the Cloud IDS console, ensure the attached packet mirroring policy is enabled, and confirm traffic mirroring via the \u003ccode\u003eMirrored Bytes\u003c/code\u003e dashboard.\u003c/p\u003e\n"],["\u003cp\u003eEach packet can only be mirrored to one destination, so ensure that a VM is not affected by more than one packet mirroring policy, which can be confirmed in the \u003ccode\u003eAttached Policies\u003c/code\u003e column.\u003c/p\u003e\n"],["\u003cp\u003eGenerate a test alert by using SSH to connect to a VM and run a specific \u003ccode\u003ecurl\u003c/code\u003e command (or similar HTTP request tool) to trigger an alert, which should then be visible in the Cloud IDS UI and Cloud Logging (Threat Log).\u003c/p\u003e\n"],["\u003cp\u003eCloud IDS cannot decrypt traffic encrypted with secure protocols like TLS, HTTPS, or HTTP2, so for inspection, backend service protocols should be changed to HTTP, or use Google Cloud Armor for intrusion prevention.\u003c/p\u003e\n"],["\u003cp\u003eTraffic is only inspected if sent to or received by resources within mirrored subnets, and Cloud NGFW L7 inspection policies will prevent mirroring for Cloud IDS if they apply to the same packets.\u003c/p\u003e\n"]]],[],null,["# Troubleshoot endpoints and inspection\n\nVerify that an IDS endpoint is functional\n-----------------------------------------\n\n| **Note:** If your endpoint generates any alerts, it is considered to be functional.\n\nTo confirm that an IDS endpoint is functional, do the following:\n\n1. Verify that the IDS endpoint appears in the Cloud IDS Google Cloud console, and that there is a packet mirroring policy in the `Attached Policies` column.\n2. Ensure that the attached policy is enabled by clicking the policy name, and make sure that `Policy Enforcement` is set to **Enabled**.\n3. To verify that traffic is being mirrored, choose a VM Instance in the monitored VPC, go to the **Observability** tab, and make sure that the `Mirrored\n Bytes` dashboard shows traffic being mirrored to the IDS endpoint.\n4. Ensure that the same traffic (or VM) is not affected by more than one packet mirroring policy, as each packet can be mirrored to only one destination. Check the `Attached Policies` column, and ensure that there is only one policy per VM.\n5. Generate a test alert by using SSH to connect to a VM in the monitored\n network, then run the following command:\n\n ```\n curl http://example.com/cgi-bin/../../../..//bin/cat%%20/etc/passwd\n ```\n\n If curl is unavailable on the platform, you can use a similar tool for\n performing HTTP requests.\n\n After a few seconds, an alert should show up in both the Cloud IDS UI and\n in Cloud Logging (Threat Log).\n\nDecrypting traffic for inspection\n---------------------------------\n\nTo inspect traffic, Cloud IDS uses Packet Mirroring to send\npacket-level copies of configured traffic to the IDS VM. Even though the\ncollector destination receives all mirrored packets, any packets that carry data that was\nencrypted using a secure protocol like TLS, HTTPS, or HTTP2 can't be decrypted\nby Cloud IDS.\n\nFor example, if you use HTTPS or HTTP2 as the backend service protocol for an\nexternal application load balancer, packets sent to the load balancer's backends\ncan be mirrored to Cloud IDS; however, the requests cannot be inspected by\nCloud IDS because the packets carry encrypted data. To enable Cloud IDS\ninspection, you must change the backend service protocol to HTTP. Alternatively,\nyou can use [Google Cloud Armor](/armor/docs/cloud-armor-overview) for intrusion\nprevention, and enable application load balancer logs for request inspection. For\nmore information about application load balancer request logging, see\n[Global external Application Load Balancer logging and\nmonitoring](/load-balancing/docs/https/https-logging-monitoring#logging) and\n[Regional external Application Load Balancer logging and\nmonitoring](/load-balancing/docs/https/https-reg-logging-monitoring#logging).\n\nOnly a small volume of traffic is inspected\n-------------------------------------------\n\nCloud IDS inspects traffic sent to or received by resources in mirrored\nsubnets, including Google Cloud VMs and GKE nodes and\nPods.\n\nIf a mirrored subnet contains no VMs, Cloud IDS has no traffic to inspect.\n\nEndpoint policies are ignored when using Cloud NGFW L7 inspection policies\n--------------------------------------------------------------------------\n\nWhen you use Cloud Next Generation Firewall L7 inspection policies (rules with the\n`apply_security_profile_group` action) and Cloud IDS together, firewall\npolicy rules are evaluated and traffic is not mirrored for Cloud IDS\ninspection. You can avoid this situation by ensuring that\nCloud NGFW L7 inspection policies don't apply to packets that you\nneed to inspect with Cloud IDS."]]
