A critical VPC firewall rule allowing HTTPS traffic was deleted during a Terraform destroy of a staging environment. Production affected.
Pattern: FIREWALL_RULE_BLOCK (Expected: GCP_FIREWALL_DELETED)
Severity: HIGH
Confidence: 68%
Remediation: Auto-Heal
Test Results
| Metric | Expected | Actual | Result |
|---|---|---|---|
| Pattern Recognition | GCP_FIREWALL_DELETED | FIREWALL_RULE_BLOCK | |
| Severity Assessment | CRITICAL | HIGH | |
| Incident Correlation | N/A | None | |
| Cascade Escalation | N/A | No | |
| Remediation | — | Auto-Heal — Corax resolves autonomously | |
Scenario Conditions
GCP VPC 'prod-network'. Firewall rule 'allow-https' deleted by Terraform targeting wrong project. All inbound HTTPS blocked. 20 instances affected.
Injected Error Messages (1)
GCP VPC firewall rule deleted — 'allow-https' rule removed (Terraform targeted wrong project), all inbound HTTPS traffic blocked to 20 instances, production down
Neural Engine Root Cause Analysis
Firewall rule block detected — legitimate traffic is being denied by a firewall ACL or security policy. This may be caused by an overly restrictive rule, a recent policy change, or an implicit deny catching traffic that should be permitted. Blocked traffic can prevent application connectivity, break integrations, and disrupt business operations.
Remediation Plan
1. Identify the specific firewall rule or ACL entry causing the block from the firewall logs (note rule ID, source, destination, port).
2. Verify whether the traffic should be permitted — confirm with the application owner or network documentation.
3. If the block is a false positive, create or modify a firewall rule to allow the traffic with the principle of least privilege.
4. Check for recent firewall policy changes that may have inadvertently blocked the traffic.
5. Test the fix by re-initiating the blocked connection and verifying it passes through the firewall.
Improvements Applied
Pattern classified as FIREWALL_RULE_BLOCK (expected GCP_FIREWALL_DELETED)