GCP Firewall Rules
Import Google Cloud Platform VPC firewall rules exported as JSON. netbobr parses both single rules and arrays of rules, extracting source/destination ranges, protocols, and ports for compliance analysis.
Export command
Export your GCP firewall rules using the gcloud CLI:
```shell
# Export all firewall rules as JSON
gcloud compute firewall-rules list --format=json > firewall-rules.json

# Export rules for a specific network
gcloud compute firewall-rules list --filter="network:default" --format=json > default-rules.json

# Export a specific rule
gcloud compute firewall-rules describe my-rule --format=json > rule.json
```

The `--format=json` flag is required. Without it, gcloud outputs a table format that cannot be parsed.
Supported JSON shapes
netbobr accepts two shapes of GCP firewall JSON:
- Array of rules -- output from `gcloud compute firewall-rules list --format=json`
- Single rule object -- output from `gcloud compute firewall-rules describe --format=json`
Minimal example
```json
[
  {
    "name": "allow-https-ingress",
    "direction": "INGRESS",
    "network": "projects/my-project/global/networks/default",
    "allowed": [
      {
        "IPProtocol": "tcp",
        "ports": ["443"]
      }
    ],
    "sourceRanges": ["10.0.0.0/8"]
  },
  {
    "name": "allow-web-egress",
    "direction": "EGRESS",
    "network": "projects/my-project/global/networks/default",
    "allowed": [
      {
        "IPProtocol": "tcp",
        "ports": ["80", "443"]
      }
    ],
    "destinationRanges": ["0.0.0.0/0"]
  }
]
```

Parser behavior
| Rule direction | Source | Destination |
|---|---|---|
| INGRESS | sourceRanges array | 0.0.0.0/0 (implicit) |
| EGRESS | 0.0.0.0/0 (implicit) | destinationRanges array |
- If an `INGRESS` rule has no `sourceRanges` and no source tags or service accounts, the source defaults to `0.0.0.0/0`.
- Each entry in the `allowed` array maps `IPProtocol` to a protocol (`tcp` -> TCP, `udp` -> UDP, `icmp` -> ICMP, `all` -> ANY).
- If an `allowed` entry has no `ports` array, the port defaults to `0-65535` (all ports).
- Every combination of source, destination, and port creates a separate flow for analysis.
Limitations and warnings
| Limitation | Detail |
|---|---|
| Source tags | sourceTags (network tags) cannot be resolved to CIDRs. Each tag generates a warning. |
| Target tags | targetTags cannot be resolved to CIDRs. Each tag generates a warning. |
| Source service accounts | sourceServiceAccounts cannot be resolved to CIDRs. Each SA generates a warning. |
| Target service accounts | targetServiceAccounts cannot be resolved to CIDRs. Each SA generates a warning. |
| Tier 2 rules | GCP firewall rules have source OR destination ranges, not both specific CIDRs. Rules requiring both a specific source and destination cannot be expressed. |
| Priority field | The priority field is read but not used for rule ordering. |
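The parser behavior and the limitations above can be seen end to end on a small input. The following is an added example, not netbobr's own code: a minimal re-implementation of the documented behavior (array-or-object input, direction normalization and defaults, protocol and port mapping, tag and service-account warnings, flow expansion). The GCP field names come from the gcloud JSON export; the flow object shape, the warning text, the sample rules and the helper names (`parseGcpFirewall`, `worldReachableIngress`) are assumptions of this example.

```javascript
// Added example, not netbobr's own code. Field names follow the gcloud JSON
// export; the output shape, warning strings and helper names are assumptions.

const PROTOCOL_MAP = { tcp: "TCP", udp: "UDP", icmp: "ICMP", all: "ANY" };
const ANY_CIDR = "0.0.0.0/0";
const ALL_PORTS = "0-65535";
const UNRESOLVABLE_FIELDS = [
  "sourceTags", "targetTags", "sourceServiceAccounts", "targetServiceAccounts",
];

// Accept both documented shapes: a JSON string or an already-parsed value
// holding either one rule object (`describe`) or an array of rules (`list`).
function normalizeRules(input) {
  const data = typeof input === "string" ? JSON.parse(input) : input;
  return Array.isArray(data) ? data : [data];
}

// Expand rules into flows and collect a warning for anything that cannot be
// turned into a CIDR. Returns { flows, warnings }.
function parseGcpFirewall(input) {
  const flows = [];
  const warnings = [];
  for (const rule of normalizeRules(input)) {
    const name = rule.name || "<unnamed>";
    // Direction is normalized to uppercase before checking.
    const direction = String(rule.direction || "INGRESS").toUpperCase();
    if (direction !== "INGRESS" && direction !== "EGRESS") {
      warnings.push(`${name}: unsupported direction "${rule.direction}"`);
      continue;
    }
    // Tags and service accounts cannot be resolved to CIDRs: one warning each.
    let hasTagOrSaSource = false;
    for (const field of UNRESOLVABLE_FIELDS) {
      for (const value of rule[field] || []) {
        warnings.push(`${name}: ${field} "${value}" cannot be resolved to a CIDR`);
        if (field === "sourceTags" || field === "sourceServiceAccounts") hasTagOrSaSource = true;
      }
    }
    let sources;
    let destinations;
    if (direction === "INGRESS") {
      // Source defaults to 0.0.0.0/0 only when there are no sourceRanges AND no
      // source tags/service accounts; a tag-only source yields no flows.
      if (rule.sourceRanges && rule.sourceRanges.length > 0) sources = rule.sourceRanges;
      else sources = hasTagOrSaSource ? [] : [ANY_CIDR];
      destinations = [ANY_CIDR]; // implicit for INGRESS
    } else {
      sources = [ANY_CIDR]; // implicit for EGRESS
      // No default for a missing destinationRanges is documented, so this
      // example emits no flows in that case (assumption).
      destinations = rule.destinationRanges || [];
    }
    for (const entry of rule.allowed || []) {
      const protocol = PROTOCOL_MAP[String(entry.IPProtocol).toLowerCase()];
      if (!protocol) {
        warnings.push(`${name}: unsupported IPProtocol "${entry.IPProtocol}"`);
        continue;
      }
      // A missing ports array means all ports.
      const ports = entry.ports && entry.ports.length > 0 ? entry.ports : [ALL_PORTS];
      // Every source x destination x port combination is a separate flow.
      for (const source of sources) {
        for (const destination of destinations) {
          for (const port of ports) {
            flows.push({ rule: name, direction, source, destination, protocol, port });
          }
        }
      }
    }
  }
  return { flows, warnings };
}

// Defender's check on the expanded flows: ingress reachable from any source.
function worldReachableIngress(flows) {
  return flows.filter((f) => f.direction === "INGRESS" && f.source === ANY_CIDR);
}

// Constructed sample input: the two rules from the minimal example plus a
// tag-only ingress rule and an ingress rule with no source at all.
const SAMPLE_RULES = [
  { name: "allow-https-ingress", direction: "INGRESS",
    allowed: [{ IPProtocol: "tcp", ports: ["443"] }], sourceRanges: ["10.0.0.0/8"] },
  { name: "allow-web-egress", direction: "EGRESS",
    allowed: [{ IPProtocol: "tcp", ports: ["80", "443"] }], destinationRanges: ["0.0.0.0/0"] },
  { name: "allow-icmp-from-tagged", direction: "ingress",
    allowed: [{ IPProtocol: "icmp" }], sourceTags: ["web"] },
  { name: "allow-ssh-no-source", direction: "INGRESS",
    allowed: [{ IPProtocol: "tcp", ports: ["22"] }] },
];

const sampleResult = parseGcpFirewall(SAMPLE_RULES);
console.log(JSON.stringify(sampleResult, null, 2));
console.log("world-reachable ingress:", worldReachableIngress(sampleResult.flows).map((f) => f.rule));
```

On the sample input the two documented rules produce three flows, the tag-only rule produces a warning and no flow (the "Missing rules" case in Troubleshooting), and the rule with neither ranges nor tags is expanded with the implicit `0.0.0.0/0` source, which is exactly the kind of flow the `worldReachableIngress` filter surfaces for review.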
Accuracy
Accuracy measured against a 400-rule CSV baseline (360 Tier 1 + 40 Tier 2).
| Metric | Value |
|---|---|
| CLI match rate | 74.3% (297/400) |
| Browser match rate | 74.3% (297/400) |
| Tier 1 accuracy | 85.3% (297/348) |
| Tier 2 accuracy | 0% (40 flows -- expected gap) |
| Field accuracy | 100% (risk score, risk level, verdict) |
| Extra flows | 2 (from rule consolidation edge cases) |
The 40 missing Tier 2 flows are expected -- GCP firewall rules cannot express rules with both specific source and destination CIDRs. The remaining gaps come from rules involving wide port ranges combined with the ANY protocol.
Troubleshooting
"No flows parsed"
Verify the file is JSON format. The --format=json flag is required when exporting. Plain gcloud compute firewall-rules list outputs a table, not JSON.
"Missing rules"
Check if rules use network tags or service accounts instead of IP ranges. These appear as warnings in the results banner but produce no analyzable flows since the CIDR addresses are unknown.
"Rules showing wrong direction"
Verify the direction field is INGRESS or EGRESS. Some export tools may change the case. The parser normalizes to uppercase before checking.
CLI usage:
```shell
npx @netbobr/cli analyze firewall-rules.json --cloud-format gcp-fw
```

Browser: Drag and drop the .json file onto the import area. GCP firewall format is auto-detected.