Vulnerable traffic reports are reported despite load balancer deny rule on Prisma Cloud

Created On 04/24/25 06:42 AM - Last Modified 12/17/25 03:17 AM


Symptom


  • An alert was triggered for Google Cloud Platform VM instances, indicating potential internet exposure.
  • However, upon investigation, it was confirmed that the affected VMs were not accessible from the internet.
  • This suggests that the alert may have been a false positive. 


Environment


  • Prisma Cloud
  • GCP alert rule


Cause


False positive alert.



Resolution


There are two potential scenarios where VMs could still be indirectly exposed:

  1. Firewall Rule Misconfiguration:
    1. The default VPC firewall rules block all inbound traffic.
    2. Verify that no custom firewall rule has been created that inadvertently allows inbound traffic from 0.0.0.0/0 to the VMs' internal IP addresses.
    3. Such a rule, if present, could unintentionally expose the VMs to external sources.
  2. Absence of Load Balancer Security Policies:
    1. Although the VMs are shielded behind the external Load Balancer, if no Google Cloud Armor policy or Load Balancer security policy is applied to the frontend, the Load Balancer itself could become a target for attacks.
    2. The VMs would still not be directly exposed, but the absence of such protection could lead to security vulnerabilities at the entry point.

Recommendations:

  1. According to the recommendations provided for the policy, a firewall rule should be added to the 'VPC network details' to deny access from 0.0.0.0/0.
  2. If there are alternate routes or entry points into the VPC that bypass the Global Load Balancer, traffic may be entering through these paths.
  3. Examine other network components such as additional firewalls, security groups and routing rules to confirm there are no alternative paths for traffic ingress.
  4. According to the Policy Recommendation for Remediation, it is essential to remove unrestricted access (0.0.0.0/0) in the firewall rules configuration.
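One way to check both scenarios above from saved gcloud output, as an added example that is not part of this article: it parses the JSON shape produced by `gcloud compute firewall-rules list --format=json` and `gcloud compute backend-services list --format=json` (embedded here as constructed samples with made-up names) and flags enabled ingress allow rules sourced from 0.0.0.0/0 as well as external backend services with no Cloud Armor policy attached. Field names follow the Compute API; the sample data is an assumption of this example.

```python
import json

# Constructed sample, trimmed to the fields used here, in the JSON shape of
# `gcloud compute firewall-rules list --format=json`.
FIREWALL_RULES_JSON = """[
 {"name": "default-allow-internal", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["10.128.0.0/9"], "allowed": [{"IPProtocol": "all"}]},
 {"name": "allow-http-from-anywhere", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
 {"name": "deny-all-ingress", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]},
 {"name": "old-open-rule", "direction": "INGRESS", "disabled": true,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]}
]"""

# Constructed sample in the shape of `gcloud compute backend-services list --format=json`;
# `securityPolicy` is the attached Cloud Armor policy (absent when none is attached).
BACKEND_SERVICES_JSON = """[
 {"name": "web-backend", "loadBalancingScheme": "EXTERNAL_MANAGED",
  "securityPolicy": "https://www.googleapis.com/compute/v1/projects/p/global/securityPolicies/armor-web"},
 {"name": "api-backend", "loadBalancingScheme": "EXTERNAL_MANAGED"},
 {"name": "internal-backend", "loadBalancingScheme": "INTERNAL"}
]"""

ANY_SOURCE = {"0.0.0.0/0", "::/0"}


def open_ingress_rules(rules_json: str) -> list[str]:
    """Names of enabled INGRESS rules that allow traffic from any source.
    Disabled rules and deny rules are skipped: neither widens exposure, and a
    deny from 0.0.0.0/0 is exactly the rule the policy recommends adding."""
    hits = []
    for rule in json.loads(rules_json):
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if rule.get("allowed") and ANY_SOURCE & set(rule.get("sourceRanges", [])):
            hits.append(rule["name"])
    return hits


def unprotected_external_backends(services_json: str) -> list[str]:
    """Names of external backend services with no Cloud Armor policy attached."""
    return [
        svc["name"] for svc in json.loads(services_json)
        if svc.get("loadBalancingScheme", "EXTERNAL").startswith("EXTERNAL")
        and not svc.get("securityPolicy")
    ]
```

On a real project, replace the embedded samples with the output of the two gcloud commands and review every name the functions return against the policy's recommendation.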



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000blMmKAI&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail