Tags: google-cloud-platform, web-application-firewall, google-cloud-load-balancer, google-cloud-armor

Load Balancer: Inspecting traffic a specific Cloud Armor WAF rule is denying


Got a simple HTTPS Load Balancer with a backend security policy defined in Cloud Armor assigned to its backend. The security policy is a list of the Cloud Armor WAF rules at differing sensitivity levels.

However, I'm getting some false positives with the incoming traffic failing the WAF rule checks and I would like to see how the requests are failing the rules. The logs give me some header information and the rule that the request is failing, but not how the request is failing the WAF check nor the request's contents.

Is it possible to see the contents of the HTTPS request and how it's failing the specific WAF rule check?


Solution

  • Try to enable Verbose Logging so that Cloud Armor can generate logs for the requests that match a security policy. This works for both allowed and blocked requests.

    Verbose Logging gives you better visibility into the behavior of your security policies and allows you to understand how they are applied to incoming traffic, so you can troubleshoot any issues that you may encounter.

    You can change the level of detail logged for a policy by using the --log-level flag. This flag can have the values NORMAL or VERBOSE:

    --log-level=[NORMAL | VERBOSE]

    For example:

    gcloud compute security-policies update ca-policy-1 \
        --log-level=VERBOSE

    Google recommends that you enable verbose logging when you first create a policy, make changes to a policy, or troubleshoot a policy.
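As an added example (not part of the answer above and not Google's code), here is how the extra detail that VERBOSE logging adds can be used to triage false positives: the script parses constructed Cloud Armor log entries and groups DENY outcomes by preconfigured rule signature and by the request field that matched, showing the matched bytes. The field names used (enforcedSecurityPolicy.preconfiguredExprIds, matchedFieldType, matchedFieldName, matchedFieldValue, matchedOffset, matchedLength) are Cloud Armor's documented verbose-log fields and are not on this page; the log lines, policy name and values are constructed.

```python
import json
from collections import defaultdict


def _entry(outcome, expr_ids, ftype, fname, value, offset, length):
    """Build one constructed Cloud Logging entry (only the fields used here)."""
    return json.dumps({"jsonPayload": {"enforcedSecurityPolicy": {
        "name": "ca-policy-1", "configuredAction": outcome, "outcome": outcome,
        "preconfiguredExprIds": expr_ids, "matchedFieldType": ftype,
        "matchedFieldName": fname, "matchedFieldValue": value,
        "matchedFieldLength": len(value), "matchedOffset": offset,
        "matchedLength": length}}})


# Constructed sample: two denies from the same cookie rule (a ';' inside a
# session cookie), one deny from an XSS rule on a query argument, and one
# allowed request that matched no WAF signature.
SAMPLE_LOG_LINES = [
    _entry("DENY", ["owasp-crs-v030001-id942421-sqli"], "COOKIE_VALUES", "session", "a1b2;c3d4", 4, 1),
    _entry("DENY", ["owasp-crs-v030001-id942421-sqli"], "COOKIE_VALUES", "session", "x9;y8z7", 2, 1),
    _entry("DENY", ["owasp-crs-v030001-id941100-xss"], "ARG_VALUES", "q", "<b>bold</b>", 0, 3),
    _entry("ACCEPT", [], "", "", "", 0, 0),
]


def parse_entry(line):
    """Return (outcome, expr_ids, where, snippet) for one log line.

    `where` names the request field the rule matched; `snippet` is the slice of
    matchedFieldValue selected by matchedOffset/matchedLength, which is exactly
    the detail that VERBOSE adds over NORMAL logging. Missing keys are tolerated.
    """
    pol = json.loads(line).get("jsonPayload", {}).get("enforcedSecurityPolicy", {})
    value = pol.get("matchedFieldValue", "")
    off, ln = pol.get("matchedOffset", 0), pol.get("matchedLength", 0)
    snippet = value[off:off + ln] if ln else value
    where = f'{pol.get("matchedFieldType", "?")}:{pol.get("matchedFieldName", "")}'
    return pol.get("outcome"), tuple(pol.get("preconfiguredExprIds", [])), where, snippet


def summarize_denies(lines):
    """Group DENY entries by (signature id, matched field) with a hit count and sample matched bytes."""
    out = defaultdict(lambda: {"count": 0, "samples": []})
    for line in lines:
        outcome, expr_ids, where, snippet = parse_entry(line)
        if outcome != "DENY":
            continue
        for eid in expr_ids or ("<no-preconfigured-expr>",):
            bucket = out[(eid, where)]
            bucket["count"] += 1
            if snippet not in bucket["samples"]:
                bucket["samples"].append(snippet)
    return dict(out)


if __name__ == "__main__":
    for (eid, where), info in summarize_denies(SAMPLE_LOG_LINES).items():
        print(f"{info['count']:>3}  {eid}  {where}  matched={info['samples']}")
```

A bucket with many hits on one benign field (here the ';' in a session cookie) is the candidate for a targeted exclusion or a lower sensitivity level, rather than disabling the whole rule.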