Advanced Configuration on GCP

The configuration keys listed below must be set from the GCP Console at Compute Engine -> Metadata, or through the GCP REST API's SetCommonInstanceMetadata method. The metadata key name must be specified as <deployment name>-<configuration key name>. For example, for a deployment named jenkins and the configuration key disable-dns-check, the metadata key name will be jenkins-disable-dns-check.

Configuration Key: disable-dns-check
Default Value: no
Usage Notes:

When set to no, the destination IP address of each TLS connection from a client is checked against a list of addresses that the firewall resolves independently for the hostname in question, in order to detect spoofing attempts.

When set to yes, IP address to hostname corroboration is not attempted.

You may encounter CDN hostnames whose DNS answers change quite aggressively and span a very wide range of addresses. In such cases, setting this configuration key to a truthy value disables this specific check for all hostnames in the whitelist. A telltale sign of this happening for a hostname is the log line "DNS lookup IPs did not match" in the firewall's flow log.
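As an added illustration (not the firewall's own code), the following Python models the corroboration described above: how the metadata key name is composed, how the disable-dns-check value switches the check off, and when the mismatch log line is emitted. DNS resolution is replaced by constructed lookup results so it runs offline, and the set of spellings treated as truthy is an assumption.

```python
"""Model of the disable-dns-check behaviour (illustrative, not the firewall's code)."""
import ipaddress

# Assumption: spellings the firewall would treat as a truthy value.
TRUTHY = {"yes", "true", "1", "on"}


def metadata_key(deployment: str, config_key: str) -> str:
    """Compose the GCP metadata key: <deployment name>-<configuration key name>."""
    return f"{deployment}-{config_key}"


def dns_check_disabled(metadata: dict, deployment: str) -> bool:
    """Read disable-dns-check for this deployment; the default 'no' keeps the check on."""
    value = metadata.get(metadata_key(deployment, "disable-dns-check"), "no")
    return value.strip().lower() in TRUTHY


# Constructed stand-in for the firewall's independent DNS lookups.
RESOLVED = {
    "api.example.test": {"203.0.113.10", "203.0.113.11"},
    "cdn.example.test": {"198.51.100.7"},  # CDN answers rotate widely in practice
}


def check_tls_connection(hostname: str, dest_ip: str, metadata: dict,
                         deployment: str, log: list) -> bool:
    """Return True if the destination IP is corroborated for the hostname (or the check is off).

    On a mismatch, append the flow-log line the page describes and return False.
    """
    ip = ipaddress.ip_address(dest_ip)  # reject malformed destination addresses early
    if dns_check_disabled(metadata, deployment):
        return True  # corroboration not attempted
    if str(ip) in RESOLVED.get(hostname, set()):
        return True
    log.append(f"{hostname} {ip}: DNS lookup IPs did not match")
    return False


if __name__ == "__main__":
    flow_log: list = []
    # Default (check on): a CDN edge that DNS did not return is flagged.
    check_tls_connection("cdn.example.test", "198.51.100.99", {}, "jenkins", flow_log)
    # Key set to yes for deployment "jenkins": the same connection passes.
    meta = {metadata_key("jenkins", "disable-dns-check"): "yes"}
    check_tls_connection("cdn.example.test", "198.51.100.99", meta, "jenkins", flow_log)
    print("\n".join(flow_log))
```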