Google Cloud Platform
Details:
- Support: Level 1 & 2
- Supported Version: 1.22.13+
To add a Google Cloud Platform (GCP) device, complete the following steps.
Step 1: Configure the Device
FireMon strives to provide up-to-date product information; however, we are not always aware when vendors change their device UI. If any Configure the Device procedure differs from your device version (UI location of fields, not information needed), please consult your device's user guide.
To create a GCP device, you first need to create a GCP Service Account.
- Log in to the GCP device.
- Click the navigation menu > IAM Admin > Service Account.
- Click Create Service Account.
- In the Create Service Account dialog box, complete the following:
  - Enter a Name for the service account.
  - Click Project Role and select Project, and then Project Viewer.
  - Click Furnish a New Private Key and select JSON.
- Click Save.
The JSON file downloads to your computer; it contains the credentials needed to create a new GCP device in SIP.
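A pre-paste check of the downloaded key file, as an added example (not FireMon or Google code): it confirms the text is still valid JSON with the fields of a service-account key, and summarizes it without exposing the private key. The sample key, the account name `firemon-reader` and the project `example-project` are constructed placeholders.

```python
import json

REQUIRED = ("type", "project_id", "private_key_id", "private_key",
            "client_email", "token_uri")
PEM_HEAD = "-----BEGIN PRIVATE KEY-----"
PEM_TAIL = "-----END PRIVATE KEY-----"

def check_key_text(text):
    """Return a list of problems found in service-account key text."""
    if "\u201c" in text or "\u201d" in text:
        return ["smart quotes present: the text was altered by an editor"]
    try:
        key = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON (line {exc.lineno}): {exc.msg}"]
    if not isinstance(key, dict):
        return ["top-level value is not a JSON object"]
    problems = [f"missing field: {f}" for f in REQUIRED if not key.get(f)]
    if key.get("type") not in (None, "service_account"):
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    pem = str(key.get("private_key") or "").strip()
    if pem and not (pem.startswith(PEM_HEAD) and pem.endswith(PEM_TAIL)):
        problems.append("private_key is not a complete PEM block")
    email = str(key.get("client_email") or "")
    project = str(key.get("project_id") or "")
    # Assumption: a user-created account is NAME@PROJECT_ID.iam.gserviceaccount.com
    if email and project and not email.endswith(f"@{project}.iam.gserviceaccount.com"):
        problems.append("client_email does not belong to project_id")
    return problems

def redacted_summary(text):
    """Identify the key without exposing the private key material."""
    key = json.loads(text)
    return {f: key.get(f) for f in ("project_id", "client_email", "private_key_id")}

# Constructed sample; not a real key.
SAMPLE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000constructed0000",
    "private_key": PEM_HEAD + "\nCONSTRUCTED\n" + PEM_TAIL + "\n",
    "client_email": "firemon-reader@example-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    print(check_key_text(SAMPLE))
    print(redacted_summary(SAMPLE))
```

Run it against the text you are about to paste, not only the file on disk, so that any change introduced by an editor or clipboard tool is caught.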
Step 2: Onboard the Device in the Administration Module
- On the toolbar, click Device > Devices.
- Click Create, and then click Google Cloud Platform > Project.
- General Properties section.
- In the Name box, type the name of the device as you want to see it in SIP.
- In the Description box, type an optional description of the device being added.
- The Management IP Address box can be left blank.
- In the Data Collector Group box, select the IP address of the data collector group that will collect data from this device.
- In the Central Syslog Server box, select the syslog server from the list (optional).
Syslog fields are optional if the device uses the same IP for syslog and management.
A central syslog server is required only if syslog messages come from a different IP. A central syslog server must be created before it can be assigned to a device. To track usage via syslog, the device must support Level 3+.
- In the Syslog Match Names box, type the syslog match names (optional). You can enter multiple names separated by a comma.
- By default, the Automatically Retrieve Configuration check box is selected.
- In the External ID box, type a unique identifier to be used when the device identifier is different than what is displayed in SIP.
- For Collection Configuration, enable Update Rule Documentation on Member Devices to allow Rule Documentation fields on member devices to inherit a value from the management station. Any management station's Rule Documentation field updates will override updates on the member device. A rule marked to be removed will not be updated.
- In the Device Settings > Credentials section, use the copy-and-paste function.
  - Open the JSON file that was downloaded in Step 1.
  - Copy the credentials from the file, making sure to maintain the JSON format.
  - Paste the credentials into the Service Account Credentials section.
- Complete Proxy settings as needed.
- Monitoring section.
To view firewall hit count data in GCP, you need to grant the GCP Service Account the appropriate roles and permissions that allow access to the firewall rules and the logs that capture this data.
To learn more, visit the Google Cloud Network Intelligence Center.
Select the Enable Log Monitoring check box to begin monitoring.
By default, Track Usage Via is set to Hit Counters.
By default, the Count Retrieval Interval is set to 10 minutes.
- Retrieval section.
Scheduled Retrieval
Select the Enable Scheduled Retrieval check box to perform a retrieval at a set time regardless of change detection. This will activate additional fields to complete.
Set the Scheduled Retrieval Time to fit your requirements.
Select the Scheduled Retrieval Time Zone from the list.
Check for Change Retrieval
Select the Enable Check for Change check box to check for configuration changes after the specified interval and perform a retrieval if changes are detected. This will activate an additional field to complete.
The default Check for Change Interval time is 1440 minutes (every 24 hours). You can change the check interval time to best fit your requirements. The minimum required interval is 60 minutes (1 hour).
- Change Monitoring section.
By default, the Enable Change Monitoring check box is selected. To disable this automatic function, clear the check box. When enabled, you must also complete the following fields.
- Enter an optional Alternate Syslog Source IP.
- Select the Perform Change Verification check box to allow the data collector to verify that there are actual changes prior to posting a revision to Security Manager. This will enable more efficient use of system disk space by not posting revisions that did not change from the last normalized revision.
- In the Advanced section, select the Use Batch Config Retrieval check box if you are manually sending configurations for this device via your data collector's batchconfig directory. While this option is enabled, online retrievals will be disabled.
- Select an Enforcement Option from the list:
  - Allow All: All automation is allowed (enforcement, change, manual).
  - Manual Only: When selected, all changes must be manually pushed for this device.
  - Prevent All: No automation is allowed.
  - Window Only: Automation can only take place in the assigned enforcement window.
If this device is assigned to an enforcement or change window, it will be listed. If there is no assignment, changes must be manually pushed for this device.
Supplemental routes cannot be added until after a retrieval normalizes successfully. You can perform a manual retrieval before continuing.
- Click Add.
- Complete fields in the Add Supplemental Routes dialog box:
- Select an Interface.
If you select an Interface, you will not need to select a Virtual Router and Next Virtual Router. If no Interface is selected, you will need to select a Virtual Router and Next Virtual Router.
- Type the Destination IP address.
- Type the Gateway IP address.
- Select a Virtual Router.
- Select a Next Virtual Router.
- Switch the Drop toggle to enable (disabled = Accept).
- Click Add.
- Click Save.
- Devices being managed will be listed in the Discovered Devices section.