This predefined role contains the
recommender.computeFirewallInsightTypeConfigs.update
permission,
which is required to
configure observation period and refresh cycle.
For some insights, you can configure an observation period—the time interval
the insight covers. For example, you can configure the observation period for
overly permissive and deny rule insights. The default observation window is
six weeks, and you can configure the observation period between seven
days to one year.
For example, if you set the observation period for deny rule insights
to two months, when you review the list of deny rules with
hits after the observation period, Firewall Insights shows you
only those that had hits during the past two months. Suppose
you later change the observation period to one month; Firewall Insights
might identify a different number of rules because it would analyze a
shorter time interval.
When reviewing insights and configuring observation periods, be aware of the
following:
When you configure the observation period for deny rules with hits,
Firewall Insights updates the insight results immediately.
When you update the observation period for overly permissive rule insights,
Firewall Insights can take up to 48 hours to update
existing results. In the interim, the observation period for existing
results matches the previously configured observation period.
For overly permissive insights, if the insight identified no firewall rules,
Firewall Insights does not display the observation period
to identify the insights used.
Shadowed rule insights do not have an observation period because they do not
evaluate historical data. Shadowed rule analysis evaluates your existing
firewall rule configuration every 24 hours.
Traffic log data from the last 24 hours might not be included when
generating insights.
Console
Configure an observation period:
In the Google Cloud console, go to the Firewall Insights page.
As appropriate, set the Observation period drop-down list to the
appropriate time for each of the following:
Overly permissive rule insights
Deny rule insights
API
To set the observation period for deny rules with hits, you must use the
Google Cloud console. However, you can use the Recommender API to set
the observation period for overly permissive rule insights. You can also use
the API to enable insights and to retrieve configuration details.
To set the observation period for overly permissive rules insights, use the
updateConfig method.
To use the updateConfig method, set values for all of its
parameters. Also specify whether shadowed rule insights
and overly permissive rule insights are enabled or disabled.
To make this type of update, use the following request.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[],[],null,["# Set up observation period and refresh cycle\n\nThis page describes how to configure an observation period and a refresh cycle in\nFirewall Insights.\n\nFor an overview of the available insights, see\n[Firewall Insights categories and states](/network-intelligence-center/docs/firewall-insights/concepts/insights-categories-states).\n\nFor a list of firewall usage metrics, see\n[View Firewall Insights metrics](/network-intelligence-center/docs/firewall-insights/how-to/view-metrics).\n\nRequired roles and permissions\n------------------------------\n\n\nTo get the permission that\nyou need to configure observation period and refresh cycle,\n\nask your administrator to grant you the\n\n\n[Firewall Recommender Admin](/iam/docs/roles-permissions/recommender#recommender.firewallAdmin) (`roles/recommender.firewallAdmin`)\nIAM role on your project.\n\n\nFor more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).\n\n\nThis predefined role contains the\n` recommender.computeFirewallInsightTypeConfigs.update`\npermission,\nwhich is required to\nconfigure observation period and refresh cycle.\n\n\nYou might also be able to get\nthis permission\nwith [custom roles](/iam/docs/creating-custom-roles) or\nother [predefined roles](/iam/docs/roles-overview#predefined).\n\nConfigure observation period\n----------------------------\n\nFor some insights, you can configure an *observation period* ---the time interval\nthe insight covers. For example, you can configure the observation period for\noverly permissive and `deny` rule insights. The default observation window is\nsix weeks, and you can configure the observation period between seven\ndays to one year.\n\nFor example, if you set the observation period for `deny` rule insights\nto two months, when you review the list of `deny` rules with\nhits after the observation period, Firewall Insights shows you\nonly those that had hits during the past two months. Suppose\nyou later change the observation period to one month; Firewall Insights\nmight identify a different number of rules because it would analyze a\nshorter time interval.\n\nWhen reviewing insights and configuring observation periods, be aware of the\nfollowing:\n\n- When you configure the observation period for `deny` rules with hits,\n Firewall Insights updates the insight results immediately.\n\n- When you update the observation period for overly permissive rule insights,\n Firewall Insights can take up to 48 hours to update\n existing results. In the interim, the observation period for existing\n results matches the previously configured observation period.\n\n- For overly permissive insights, if the insight identified no firewall rules,\n Firewall Insights does not display the observation period\n to identify the insights used.\n\n- Shadowed rule insights do not have an observation period because they do not\n evaluate historical data. Shadowed rule analysis evaluates your existing\n firewall rule configuration every 24 hours.\n\n- Traffic log data from the last 24 hours might not be included when\n generating insights.\n\n### Console\n\nConfigure an observation period:\n\n1. In the Google Cloud console, go to the **Firewall Insights** page.\n\n [Go to Firewall Insights](https://console.cloud.google.com/net-intelligence/firewalls)\n2. Click **Configuration**.\n\n3. Click **Observation period**.\n\n4. As appropriate, set the **Observation period** drop-down list to the\n appropriate time for each of the following:\n\n - **Overly permissive rule insights**\n\n - **Deny rule insights**\n\n### API\n\nTo set the observation period for `deny` rules with hits, you must use the\nGoogle Cloud console. However, you can use the Recommender API to set\nthe observation period for overly permissive rule insights. You can also use\nthe API to enable insights and to retrieve configuration details.\n\nTo set the observation period for overly permissive rules insights, use the\n[`updateConfig` method](/recommender/docs/reference/rest/v1beta1/projects.locations.insightTypes/updateConfig).\n\nTo use the `updateConfig` method, set values for all of its\nparameters. Also specify whether shadowed rule insights\nand overly permissive rule insights are enabled or disabled.\n\nTo make this type of update, use the following request. \n\n```\n PATCH https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/global/insightTypes/google.compute.firewall.Insight/config\n {\n \"name\": \"projects/PROJECT_ID/locations/global/insightTypes/google.compute.firewall.Insight/config\",\n \"insightTypeGenerationConfig\": {\n \"params\": {\n \"observation_period\": \"OBSERVATION_PERIOD_OVERLY_PERMISSIVE\",\n \"enable_shadowed_rule_insights\": ENABLEMENT_SHADOWED,\n \"enable_overly_permissive_rule_insights\": ENABLEMENT_OVERLY_PERMISSIVE\n }\n },\n \"etag\": \"\\\"ETAG\\\"\",\n }\n```\n\nReplace the following values:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: the ID of your project\n- \u003cvar translate=\"no\"\u003eOBSERVATION_PERIOD_OVERLY_PERMISSIVE\u003c/var\u003e: the time, in seconds, of the observation period for overly permissive rules insights\n- \u003cvar translate=\"no\"\u003eENABLEMENT_SHADOWED\u003c/var\u003e: a boolean value that represents whether shadowed rule insights are enabled\n- \u003cvar translate=\"no\"\u003eENABLEMENT_OVERLY_PERMISSIVE\u003c/var\u003e: a boolean value that represents whether overly permissive rule insights are enabled\n- \u003cvar translate=\"no\"\u003eETAG\u003c/var\u003e: the [IAM policy etag](/iam/docs/policies) value; to retrieve the etag value, use the `getConfig` method, as described in the following section\n\n#### Example\n\n```\n PATCH https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/global/insightTypes/google.compute.firewall.Insight/config\n {\n \"name\": \"projects/PROJECT_ID/locations/global/insightTypes/google.compute.firewall.Insight/config\",\n \"insightTypeGenerationConfig\": {\n \"params\": {\n \"observation_period\": \"604800s\",\n \"enable_shadowed_rule_insights\": true,\n \"enable_overly_permissive_rule_insights\": true\n }\n },\n \"etag\": \"\\\"ETAG\\\"\",\n }\n```\n\n#### Retrieve configuration details\n\n\nTo retrieve details about how Firewall Insights is configured, use the\n[`getConfig` method](/recommender/docs/reference/rest/v1beta1/projects.locations.insightTypes/getConfig)\nas shown in the following example. \n\n```\n GET https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/global/insightTypes/google.compute.firewall.Insight/config\n```\n\nSchedule a custom refresh cycle\n-------------------------------\n\nSet up a refresh cycle to generate shadowed rule insights for your project.\n\nYou can schedule the refresh cycle to begin on a specified date and customize\nthe cycle frequency. The default cycle frequency is one day (24 hours). \n\n### Console\n\nConfigure a custom refresh cycle for insights:\n\n1. In the Google Cloud console, go to the **Firewall Insights** page.\n\n [Go to Firewall Insights](https://console.cloud.google.com/net-intelligence/firewalls)\n2. Click **Configuration**.\n\n3. Click **Enablement**.\n\n4. To enable shadowed rule insights, click the toggle.\n\n5. In the **Start on** field, enter a date from which the custom refresh\n cycle starts.\n\n6. In the **Repeat every** field, select the frequency for the refresh\n cycle starting from the cycle start date:\n\n - **day**: every 24 hours\n - **week**: every week on the days you select\n - **month**: every month\n - **quarter**: every quarter\n\n The new insight generation schedule takes effect 24 hours after saving\n changes to the schedule.\n\nWhat's next\n-----------\n\n- [View and understand Firewall Insights](/network-intelligence-center/docs/firewall-insights/how-to/view-understand-insights)\n- [Review and optimize firewall rules](/network-intelligence-center/docs/firewall-insights/how-to/review-optimize)"]]
