Hit Counter Permissions
To view firewall hit counter data in GCP, you need to have the appropriate roles and permissions that allow access to the firewall rules and the logs that capture this data.
Here's what you'll need:
Viewing Firewall Rules and Logs
To access firewall rules and view hit counts, you typically need:
- Compute Network Viewer (roles/compute.networkViewer): This role provides read-only access to Google Cloud networking resources, including firewall rules.
- Logs Viewer (roles/logging.viewer): This role allows you to view logs in Cloud Logging, where firewall hit count data is often stored.
Additional Permissions for Logs Access
If the firewall hit count data is stored in a Cloud Storage bucket (for example, if you are exporting logs to Cloud Storage), you'll need:
- Storage Object Viewer (roles/storage.objectViewer): This grants read-only access to the objects in a specific Cloud Storage bucket.
Fine-Grained Permissions (Custom Role)
If you are creating a custom role for more granular control, ensure the role has the following permissions:
- compute.firewalls.get: To view specific firewall rules.
- logging.logs.list: To list the logs that may contain firewall hit count data.
- logging.logEntries.list: To view the actual log entries.
- storage.objects.get: To read the firewall hit count data from a Cloud Storage bucket, if applicable.
Summary of Roles
- Compute Network Viewer (roles/compute.networkViewer)
- Logs Viewer (roles/logging.viewer)
- Storage Object Viewer (roles/storage.objectViewer), only if the logs are exported to a Cloud Storage bucket
These roles should provide the access needed to view firewall hit count data, whether it is read from Cloud Logging or from an exported Cloud Storage bucket.
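As an added check (not part of the original page), the script below compares a principal's direct project bindings against the roles listed above and a custom role's permission list against the fine-grained permissions above. It assumes the policy and role JSON were fetched with `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam roles describe ROLE --project=PROJECT --format=json`; the sample documents here are constructed, and the check ignores inherited folder/org bindings and basic roles such as roles/owner.

```python
import json

# Roles the page lists; the GCS role only applies when logs are exported to a bucket.
REQUIRED_ROLES = {"roles/compute.networkViewer", "roles/logging.viewer"}
EXPORT_ROLES = {"roles/storage.objectViewer"}
# Permissions the page lists for an equivalent custom role.
CUSTOM_ROLE_PERMISSIONS = {
    "compute.firewalls.get", "logging.logs.list",
    "logging.logEntries.list", "storage.objects.get",
}

# Constructed sample shaped like `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/compute.networkViewer", "members": ["user:analyst@example.com"]},
    {"role": "roles/logging.viewer", "members": ["group:secops@example.com"]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]}
  ]
}
""")

# Constructed sample shaped like `gcloud iam roles describe ROLE --format=json`
# for a hypothetical custom role that is missing two of the listed permissions.
SAMPLE_CUSTOM_ROLE = {
    "name": "projects/example-project/roles/firewallHitViewer",
    "includedPermissions": ["compute.firewalls.get", "logging.logEntries.list"],
}


def roles_for(policy, principals):
    """Roles bound directly to any of the given principals (user:, group:, serviceAccount:).
    Group membership cannot be resolved offline, so pass the user's groups explicitly."""
    wanted = set(principals)
    return {b["role"] for b in policy.get("bindings", [])
            if wanted & set(b.get("members", []))}


def missing_roles(policy, principals, logs_exported_to_gcs=False):
    """Required roles from the page that the principals do not hold directly."""
    needed = REQUIRED_ROLES | (EXPORT_ROLES if logs_exported_to_gcs else set())
    return sorted(needed - roles_for(policy, principals))


def missing_permissions(custom_role):
    """Fine-grained permissions from the page absent from a custom role definition."""
    return sorted(CUSTOM_ROLE_PERMISSIONS - set(custom_role.get("includedPermissions", [])))


if __name__ == "__main__":
    print("missing roles:", missing_roles(SAMPLE_POLICY, ["user:analyst@example.com"]))
    print("custom role lacks:", missing_permissions(SAMPLE_CUSTOM_ROLE))
```

Run it against the real JSON by replacing the two constructed samples with the command output; an empty list from both functions means the principal meets the page's role list and the custom role is complete.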
To learn more, visit the Google Cloud Network Intelligence Center.