This page assumes that you are familiar with the concepts described in Hierarchical firewall policies. To see examples of hierarchical firewall policy implementations, see Hierarchical firewall policy examples.
Limitations
- Hierarchical firewall policy rules don't support source tags or source service accounts.
- Hierarchical firewall policy rules don't support using network tags to define targets. You must use a target VPC network or target service account instead.
- Firewall policies can be applied at the folder and the organization level, but not at the VPC network level. Regular VPC firewall rules are supported for VPC networks.
- Only one firewall policy can be associated to a resource (folder or organization), although the virtual machine (VM) instances in a folder can inherit rules from the entire hierarchy of resources above the VM.
- Firewall Rules Logging is
supported for
allow
anddeny
rules but is not supported forgoto_next
rules. - IPv6 Hop-by-Hop protocol is not supported in firewall rules.
Firewall policy tasks
Create a firewall policy
You can create a policy at any resource (organization or folder) of your organization hierarchy. After you create a policy, you can associate it with any resource of your organization. After it's associated, the policy's rules become active for VMs under the associated resource in the hierarchy.
Console
In the Google Cloud console, go to the Firewall policies page.
In the project selector pull-down menu, select your organization ID or a folder within your organization.
Click Create firewall policy.
Give the policy a Name.
If you want to create rules for your policy, click Continue > Add rule.
For details, see Create firewall rules.
If you want to associate the policy with a resource, click Continue > Associate policy with resources.
For details, see Associate a policy with the organization or a folder.
Click Create.
gcloud
gcloud compute firewall-policies create \ [--organization ORG_ID] | --folder FOLDER_ID] \ --short-name SHORT_NAME
Replace the following:
ORG_ID
: your organization's ID
Specify this ID if you are creating the policy at the organization level. This ID only indicates where the policy lives; it does not automatically associate the policy with the organization resource.FOLDER_ID
: the ID of a folder
Specify this ID if you are creating the policy in a given folder. This ID only indicates where the policy lives; it does not automatically associate the policy with that folder.SHORT_NAME
: a name for the policy
A policy created by using the Google Cloud CLI has two names: a system-generated name and a short name provided by you. When using the Google Cloud CLI to update an existing policy, you can provide either the system-generated name or the short name and the organization ID. When using the API to update the policy, you must provide the system-generated name.
Create firewall rules
Hierarchical firewall policy rules must be created in a hierarchical firewall policy. The rules are not active until you associate the containing policy to a resource.
Each hierarchical firewall policy rule can include either IPv4 or IPv6 ranges, but not both.
Console
In the Google Cloud console, go to the Firewall policies page.
In the project selector pull-down menu, select your organization ID or the folder that contains your policy.
Click the name of your policy.
Click Add rule.
Populate the rule fields:
- Priority: the numeric evaluation order of the rule. The rules are
evaluated from highest to lowest priority where
0
is the highest priority. Priorities must be unique for each rule. A good practice is to give rules priority numbers that allow later insertion (such as100
,200
,300
). - Set Logs collection to On or Off.
- For Direction of traffic, specify whether this rule is an Ingress or Egress rule.
- For Action on match, choose one of the following options:
- Allow: allows the connections that match the rule.
- Deny: denies the connections that match the rule.
- Go to next: the evaluation of the connection is passed to the next lower firewall rule in the hierarchy.
- Proceed to L7 inspection: sends the packets to
the configured firewall endpoint
for Layer 7 inspection.
- In the Security profile group list, select the name of a security profile group.
- To enable TLS inspection of the packets, select Enable TLS inspection. To learn more about how rules and corresponding actions are evaluated for each network interface of the VM, see Policy and rule evaluation order.
- Optional: You can restrict the rule to certain networks by specifying them in the Target networks field. Click ADD NETWORK, and then select the Project and the Network. You can add multiple target networks to a rule.
- Optional: You can restrict the rule to VMs that are running with access to certain service accounts by specifying the accounts in the Target service accounts field.
- For an Ingress rule, specify the Source filter:
- To filter incoming traffic by source IPv4 ranges, select
IPv4, and then enter the CIDR blocks in the IP range
field. Use
0.0.0.0/0
for any IPv4 source. - To filter incoming traffic by source IPv6 ranges, select IPv6,
and then enter the CIDR blocks into the IP range
field. Use
::/0
for any IPv6 source.
- To filter incoming traffic by source IPv4 ranges, select
IPv4, and then enter the CIDR blocks in the IP range
field. Use
- For an Egress rule, specify the Destination filter:
- To filter outgoing traffic by destination IPv4 ranges, select
IPv4, and then enter the CIDR blocks in the IP range
field. Use
0.0.0.0/0
for any IPv4 destination. - To filter outgoing traffic by destination IPv6 ranges, select IPv6,
and then enter the CIDR blocks into the IP range
field. Use
::/0
for any IPv6 destination.
- To filter outgoing traffic by destination IPv4 ranges, select
IPv4, and then enter the CIDR blocks in the IP range
field. Use
- Optional: If you are creating an Ingress rule, specify the source FQDNs that this rule applies to. If you are creating an Egress rule, select the destination FQDNs that this rule applies to. For more information about domain name objects, see Domain name objects.
- Optional: If you are creating an Ingress rule, select the source Geolocations that this rule applies to. If you are creating an Egress rule, select the destination Geolocations that this rule applies to. For more information about geolocation objects, see Geolocation objects.
- Optional: If you are creating an Ingress rule, select the source Address groups that this rule applies to. If you are creating an Egress rule, select the destination Address groups that this rule applies to. For more information about address groups, see Address groups for firewall policies.
- Optional: If you are creating an Ingress rule, select the source Google Cloud Threat Intelligence lists that this rule applies to. If you are creating an Egress rule, select the destination Google Cloud Threat Intelligence lists that this rule applies to. For more information about Google Threat Intelligence, see Google Threat Intelligence for firewall policy rules.
Optional: For an Ingress rule, specify the Destination filters:
- To filter incoming traffic by destination IPv4 ranges, select
IPv4 and enter the CIDR blocks into the
IP range field. Use
0.0.0.0/0
for any IPv4 destination. - To filter incoming traffic by destination IPv6 ranges, select
IPv6 ranges and enter the CIDR blocks into the
Destination IPv6 ranges field. Use
::/0
for any IPv6 destination. For more information, see Destination for ingress rules.
- To filter incoming traffic by destination IPv4 ranges, select
IPv4 and enter the CIDR blocks into the
IP range field. Use
Optional: For an Egress rule, specify the Source filter:
- To filter outgoing traffic by source IPv4 ranges, select
IPv4, and then enter the CIDR blocks in the IP range
field. Use
0.0.0.0/0
for any IPv4 source. - To filter outgoing traffic by source IPv6 ranges, select IPv6,
and then enter the CIDR blocks into the IP range
field. Use
::/0
for any IPv6 source. For more information, see Source for egress rules.
- To filter outgoing traffic by source IPv4 ranges, select
IPv4, and then enter the CIDR blocks in the IP range
field. Use
For Protocols and ports, either specify that the rule applies to all protocols and all destination ports or specify to which protocols and destination ports it applies.
To specify IPv4 ICMP, use
icmp
or protocol number1
. To specify IPv6 ICMP, use the protocol number58
. For more information about protocols, see Protocols and ports.Click Create.
- Priority: the numeric evaluation order of the rule. The rules are
evaluated from highest to lowest priority where
Click Add rule to add another rule.
Click Continue > Associate policy with resources to associate the policy with resources, or click Create to create the policy.
gcloud
gcloud compute firewall-policies rules create PRIORITY \ [--organization ORG_ID] \ --firewall-policy POLICY_NAME \ [--direction DIRECTION] \ [--src-network-scope SRC_NETWORK_SCOPE] \ [--src-networks SRC_VPC_NETWORK,[SRC_VPC_NETWORK,...]] \ [--dest-network-scope DEST_NETWORK_SCOPE] \ [--src-ip-ranges IP_RANGES] \ [--dest-ip-ranges IP_RANGES ] \ [--src-region-codes COUNTRY_CODE,[COUNTRY_CODE,...]] \ [--dest-region-codes COUNTRY_CODE,[COUNTRY_CODE,...]] \ [--src-threat-intelligence LIST_NAMES[,LIST_NAME,...]] \ [--dest-threat-intelligence LIST_NAMES[,LIST_NAME,...]] \ [--src-address-groups ADDR_GRP_URL[,ADDR_GRP_URL,...]] \ [--dest-address-groups ADDR_GRP_URL[,ADDR_GRP_URLL,...]] \ [--dest-fqdns DOMAIN_NAME[,DOMAIN_NAME,...]] \ [--src-fqdns DOMAIN_NAME[,DOMAIN_NAME,...]] \ --action ACTION \ [--security-profile-group SECURITY_PROFILE_GROUP] \ [--tls-inspect | --no--tls-inspect] \ [--layer4-configs PROTOCOL_PORT] \ [--target-resources NETWORKS] \ [--target-service-accounts SERVICE_ACCOUNTS] \ [--enable-logging | --no-enable-logging] \ [--disabled]
Replace the following:
PRIORITY
: the numeric evaluation order of the ruleThe rules are evaluated from highest to lowest priority, where
0
is the highest priority. Priorities must be unique for each rule. A good practice is to give rules priority numbers that allow later insertion (such as100
,200
,300
).ORG_ID
: your organization's IDPOLICY_NAME
: either the short name or the system-generated name of the policyDIRECTION
: indicates whether the rule is anINGRESS
(the default) orEGRESS
rule- Include
--src-ip-ranges
to specify IP ranges for the source of traffic. - Include
--dest-ip-ranges
to specify IP ranges for the destination of traffic.
For more information, see targets, source, and destination.
- Include
SRC_NETWORK_SCOPE
: indicates the scope of the source network traffic to which the ingress rule is applied. You can set this argument to one of the following values:INTERNET
NON_INTERNET
VPC_NETWORKS
INTRA_VPC
To clear the value for this argument, use an empty string. An empty value indicates all network scopes. For more information, see Understand network scope types.
SRC_VPC_NETWORK
: a comma-separated list of VPC networksYou can use
--src-networks
only when the--src-network-scope
is set toVPC_NETWORKS
.DEST_NETWORK_SCOPE
: indicates the scope of the destination network traffic to which the egress rule is applied. You can set this argument to one of the following values:INTERNET
NON_INTERNET
To clear the value for this argument, use an empty string. An empty value indicates all network scopes.
For more information, see Understand network scope types.
IP_RANGES
: a comma-separated list of CIDR-formatted IP ranges, either all IPv4 ranges or all IPv6 ranges—examples:--src-ip-ranges=10.100.0.1/32,10.200.0.0/24
--src-ip-ranges=2001:0db8:1562::/96,2001:0db8:1723::/96
COUNTRY_CODE
: a comma-separated list of two-letter country codes- For the ingress direction, specify the source country codes in the
--src-region-code
flag. You cannot use the--src-region-code
flag for the egress direction, or when the--src-network-scope
is set toNON_INTERNET
,VPC_NETWORK
, orINTRA_VPC
. - For the egress direction, specify the destination country codes in the
--dest-region-code
flag; you cannot use the--dest-region-code
flag for the ingress direction
- For the ingress direction, specify the source country codes in the
LIST_NAMES
: a comma-separated list of names of Google Threat Intelligence lists- For the ingress direction, specify the source Google Threat Intelligence
lists in the
--src-threat-intelligence
flag. You cannot use the--src-threat-intelligence
flag for the egress direction, or when the--src-network-scope
is set toNON_INTERNET
,VPC_NETWORK
, orINTRA_VPC
. - For the egress direction, specify the destination Google Threat Intelligence
lists in the
--dest-threat-intelligence
flag; you cannot use the--dest-threat-intelligence
flag for the ingress direction
- For the ingress direction, specify the source Google Threat Intelligence
lists in the
ADDR_GRP_URL
: a unique URL identifier for the address group- For the ingress direction, specify the source address groups in the
--src-address-groups
flag; you cannot use the--src-address-groups
flag for the egress direction - For the egress direction, specify the destination address groups
in the
--dest-address-groups
flag; you cannot use the--dest-address-groups
flag for the ingress direction
- For the ingress direction, specify the source address groups in the
DOMAIN_NAME
: a comma-separated list of domain names in the format described in Domain name format- For the ingress direction, specify the source domain names in the
--src-fqdns
flag; you cannot use the--src-fqdns
flag for the egress direction - For the egress direction, specify the destination address groups
in the
--dest-fqdns
flag; you cannot use the--dest-fqdns
flag for the ingress direction
- For the ingress direction, specify the source domain names in the
ACTION
: one of the following actions:allow
: allows connections that match the ruledeny
: denies connections that match the ruleapply_security_profile_group
: transparently sends the packets to the configured firewall endpoint for Layer 7 inspectiongoto_next
: passes connection evaluation to the next level in the hierarchy, either a folder or the network
To learn more about how rules and corresponding actions are evaluated for each network interface of the VM, see Policy and rule evaluation order.
SECURITY_PROFILE_GROUP
: the name of a security profile group used for Layer 7 inspection; specify this argument only when theapply_security_profile_group
action is selected--tls-inspect
: inspects the TLS traffic by using the TLS inspection policy when theapply_security_profile_group
action is selected in the rule; by default, TLS inspection is disabled, or you can specify--no-tls-inspect
PROTOCOL_PORT
: a comma-separated list of protocol names or numbers (tcp,17
), protocols and destination ports (tcp:80
), or protocols and destination port ranges (tcp:5000-6000
)You cannot specify a port or port range without a protocol. For ICMP, you cannot specify a port or port range—for example:
--layer4-configs tcp:80,tcp:443,udp:4000-5000,icmp
.To specify IPv4 ICMP, use
icmp
or protocol number1
. To specify IPv6 ICMP, use protocol number58
. For more information, see Protocols and ports.NETWORKS
: a comma-separated list of VPC network resource URLs in the formhttps://www.googleapis.com/compute/v1/projects/
PROJECT_ID/global/networks/
NETWORK_NAME, where PROJECT_ID is the project ID of the project that contains the VPC network, and NETWORK_NAME is the network name. If omitted, the rule applies to all VPC networks under the resource.For more information, see Targets for hierarchical firewall policy rules.
SERVICE_ACCOUNTS
: a comma-separated list of service accounts; the rule is applied only to VMs that are running with access to the specified service accountFor more information, see Targets for hierarchical firewall policy rules.
--enable-logging
and--no-enable-logging
: enables or disables Firewall Rules Logging for the given rule--disabled
: indicates that the firewall rule, although it exists, is not to be considered when processing connections; omitting this flag enables the rule, or you can specify--no-disabled
Associate a policy with the organization or folder
Associate a policy with a resource to activate the policy rules for any VMs under the resource in the hierarchy.
Console
In the Google Cloud console, go to the Firewall policies page.
In the project selector pull-down menu, select your organization ID or the folder that contains your policy.
Click your policy.
Click the Associations tab.
Click Add Association.
Select the organization root or select folders within the organization.
Click Add.
gcloud
gcloud compute firewall-policies associations create \ --firewall-policy POLICY_NAME \ --organization ORG_ID \ [ --folder FOLDER_ID ] \ [ --name ASSOCIATION_NAME ] \ [ --replace-association-on-target ]
Replace the following:
POLICY_NAME
: either the short name or the system-generated name of the policyORG_ID
: your organization's IDFOLDER_ID
: if you are associating the policy with a folder, specify it here; omit if you are associating the policy to the organization levelASSOCIATION_NAME
: an optional name for the association; if unspecified, the name is set to "organizationORG_ID
" or "folderFOLDER_ID
"--replace-association-on-target
By default, if you attempt to insert an association to an organization or folder that already has an association, the method fails. If you specify this flag, the existing association is deleted at the same time that the new association is created. This prevents the resource from being without a policy during the transition.
Move a policy from one resource to another
Moving a policy changes which resource owns the policy. To move a policy, you must
have move
permissions on both the old and new resources.
Moving a policy does not affect any existing policy associations or the evaluation of existing rules, but it might affect who has permissions to modify or associate the policy after the move.
Console
Use the Google Cloud CLI for this procedure.
gcloud
gcloud compute firewall-policies move POLICY_NAME \ --organization ORG_ID \ [--folder FOLDER_ID]
Replace the following:
POLICY_NAME
: either the short name or the system-generated name of the policy that you are movingORG_ID
: your organization's ID; if you are moving the policy to the organization, specify this ID but don't specify a folderFOLDER_ID
: if you are associating the policy with a folder, specify it here; omit if you are associating the policy to the organization
Update a policy description
The only policy field that can be updated is the Description field.
Console
In the Google Cloud console, go to the Firewall policies page.
In the project selector pull-down menu, select your organization ID or the folder that contains the policy.
Click your policy.
Click Edit.
Modify the Description.
Click Save.
gcloud
gcloud compute firewall-policies update POLICY_NAME \ --description DESCRIPTION \ --organization ORG_ID
List policies
Console
In the Google Cloud console, go to the Firewall policies page.
In the project selector pull-down menu, select your organization ID or the folder that contains the policy.
For an organization, the Firewall policies associated with this organization section shows the associated policies. The Firewall policies located in this organization section lists policies that are owned by the organization.
For a folder, the Firewall policies associated with this folder or inherited by this folder section shows the policies associated or inherited by the folder. The Firewall policies located in this folder section lists policies that are owned by the folder.
gcloud
gcloud compute firewall-policies list \ [--organization ORG_ID | --folder FOLDER_ID]
Describe a policy
You can see all the details of a policy, including all its firewall rules. In addition, you can see many attributes that are in all the rules in the policy. These attributes count toward a per-policy limit.
Console
In the Google Cloud console, go to the Firewall policies page.
In the project selector pull-down menu, select your organization ID or the folder that contains the policy.
Click your policy.
gcloud
gcloud compute firewall-policies describe POLICY_NAME \ --organization ORG_ID
Delete a policy
You must delete all associations on an organization firewall policy before you can delete it.
Console
In the Google Cloud console, go to the Firewall policies page.
In the project selector pull-down menu, select your organization ID or the folder that contains the policy.
Click the policy that you want to delete.
Click the Associations tab.
Select all associations.
Click Remove Associations.
After all associations are removed, click Delete.
gcloud
List all resources associated with a firewall policy:
gcloud compute firewall-policies describe POLICY_NAME \ --organization ORG_ID
Delete individual associations. To remove the association, you must have the
compute.orgSecurityResourceAdmin
role on the associated resource or ancestor of that resource.gcloud compute firewall-policies associations delete RESOURCE_NAME \ --organization ORG_ID \ --firewall-policy POLICY_NAME
Delete the policy:
gcloud compute firewall-policies delete POLICY_NAME \ --organization ORG_ID
List associations for a resource
Console
In the Google Cloud console, go to the Firewall policies page.
In the project selector pull-down menu, select your organization ID or the folder that contains the policy.
For the selected resource (organization or folder), a list of associated and inherited policies appears.
gcloud
gcloud compute firewall-policies associations list \ [--organization ORG_ID | --folder FOLDER_ID]
List associations for a policy
Console
In the Google Cloud console, go to the Firewall policies page.
In the project selector pull-down menu, select your organization ID or the folder that contains the policy.
Click your policy.
Click the Associations tab.
Associations are listed in the table.
gcloud
gcloud compute firewall-policies describe POLICY_ID
Delete an association
To stop enforcement of a firewall policy on the organization or a folder, delete the association.
However, if you intend to swap out one firewall policy for another, it is not necessary to delete the existing association first. Doing so would leave a period of time where neither policy is enforced. Instead, replace the existing policy when you associate a new policy.
Console
In the Google Cloud console, go to the Firewall policies page.
In the project selector pull-down menu, select your organization ID or the folder that contains the policy.
Click your policy.
Click the Associations tab.
Select the association that you want to delete.
Click Remove Associations.
gcloud
gcloud compute firewall-policies associations delete ASSOCIATION_NAME \ --firewall-policy POLICY_NAME \ --organization ORG_ID
Firewall policy rule tasks
Create a rule in an existing firewall policy
List all rules in a policy
Console
In the Google Cloud console, go to the Firewall policies page.
In the project selector pull-down menu, select your organization ID or the folder that contains the policy.
Click your policy. Rules are listed on the Firewall rules tab.
gcloud
gcloud compute firewall-policies list-rules POLICY_NAME \ --organization ORG_ID
Describe a rule
Console
In the Google Cloud console, go to the Firewall policies page.
In the project selector pull-down menu, select your organization ID or the folder that contains the policy.
Click your policy.
Click the priority of the rule.
gcloud
gcloud compute firewall-policies rules describe PRIORITY \ --organization ORG_ID \ --firewall-policy POLICY_NAME
Replace the following:
PRIORITY
: the priority of the rule that you want to view; because each rule must have a unique priority, this setting uniquely identifies a ruleORG_ID
: your organization's IDPOLICY_NAME
: the short name or system-generated name of the policy that contains the rule
Update a rule
For field descriptions, see Creating firewall rules.
Console
In the Google Cloud console, go to the Firewall policies page.
In the project selector pull-down menu, select your organization ID or the folder that contains the policy.
Click your policy.
Click the priority of the rule.
Click Edit.
Modify the fields that you want to change.
Click Save.
gcloud
gcloud compute firewall-policies rules update RULE_NAME \ --firewall-policy POLICY_NAME \ --organization ORG_ID \ [...fields you want to modify...]
Clone rules from one policy to another
Remove all rules from the target policy and replace them with the rules in the source policy.
Console
In the Google Cloud console, go to the Firewall policies page.
In the project selector pull-down menu, select your organization ID or the folder that contains the policy.
Click the policy that you want to copy rules from.
Click Clone at the top of the screen.
Provide the name of a target policy.
Click Continue > Associate policy with resources if you want to associate the new policy immediately.
Click Clone.
gcloud
gcloud compute firewall-policies clone-rules POLICY_NAME \ --organization ORG_ID \ --source-firewall-policy SOURCE_POLICY
Replace the following:
POLICY_NAME
: the policy to receive the copied rulesORG_ID
: your organization's IDSOURCE_POLICY
: the policy to copy the rules from; must be the URL of the resource
Delete a rule from a policy
Deleting a rule from a policy removes the rule from all VMs that are inheriting the rule.
Console
In the Google Cloud console, go to the Firewall policies page.
In the project selector pull-down menu, select your organization ID or the folder that contains the policy.
Click your policy.
Select the rule that you want to delete.
Click Delete.
gcloud
gcloud compute firewall-policies rules delete PRIORITY \ --organization ORG_ID \ --firewall-policy POLICY_NAME
Replace the following:
PRIORITY
: the priority of the rule that you want to delete from the policyORG_ID
: your organization's IDPOLICY_NAME
: the policy containing the rule
Get effective firewall rules for a network
Displays all hierarchical firewall policy rules, VPC firewall rules, and global network firewall policy rules applied to a specified VPC network.
Console
In the Google Cloud console, go to the VPC networks page.
Click the network you want to view firewall policy rules for.
Click Firewall policies.
Expand each firewall policy to view the rules that apply to this network.
gcloud
gcloud compute networks get-effective-firewalls NETWORK_NAME
Replace the following:
NETWORK_NAME
: the network to get effective rules for
You can also view effective firewall rules for a network from the Firewall page.
Console
In the Google Cloud console, go to the Firewall policies page.
The firewall policies are listed in the Firewall policies inherited by this project section.
Click each firewall policy to view the rules that apply to this network.
Get effective firewall rules for a VM interface
Displays all hierarchical firewall policy rules, VPC firewall rules, and global network firewall policy rules applied to a specified Compute Engine VM interface.
Console
In the Google Cloud console, go to the VM instances page.
In the project selector pull-down menu, select the project containing the VM.
Click the VM.
For Network interfaces, click the interface.
Effective firewall rules appear in Firewall and routes details.
gcloud
gcloud compute instances network-interfaces get-effective-firewalls INSTANCE_NAME \ [--network-interface INTERFACE] \ [--zone ZONE]
Replace the following:
INSTANCE_NAME
: the VM to get effective rules for; if no interface is specified, returns rules for the primary interface (nic0
)INTERFACE
: the VM interface to get effective rules for; default isnic0
ZONE
: the zone of the VM; optional if the chosen zone is already set as the default
Troubleshooting
This section contains explanations for error messages that you might encounter.
FirewallPolicy may not specify a name. One will be provided.
You cannot specify a policy name. Hierarchical firewall policy "names" are numerical IDs generated by Google Cloud when the policy is created. However, you can specify a friendlier short name that acts as an alias in many contexts.
FirewallPolicy may not specify associations on creation.
Associations can only be created after hierarchical firewall policies are created.
Can not move firewall policy to a different organization.
Hierarchical firewall policy moves must stay within the same organization.
The attachment already has an association. Please set the option of replacing existing association to true if you want to replace the old one.
If a resource is already attached with a hierarchical firewall policy, the attachment operation fails unless the option of replacing the existing associations is set to true.
Cannot have rules with the same priorities.
Priorities of rules are required to be unique within a hierarchical firewall policy.
Direction must be specified on firewall policy rule.
When creating hierarchical firewall policy rules by sending REST requests directly, the direction of the rule must be specified. When using the Google Cloud CLI and no direction is specified, the default is
INGRESS
.Can not specify enable_logging on a goto_next rule.
Firewall Logging is not allowed for rules with goto_next action because goto_next actions are used to represent the evaluation order of different firewall policies and are not terminal actions—for example, ALLOW or DENY.
Must specify at least one destination on Firewall policy rule.
The
layer4Configs
flag in the firewall policy rule must specify at least one protocol or protocol and destination port.For more details about troubleshooting firewall policy rules, see VPC firewall rules troubleshooting.