Manage security profile groups

Security profile groups let you apply and control network security policies across your deployments. Each security profile group can contain up to one security profile of each of the following types:

  • THREAT_PREVENTION
  • URL_FILTERING

By grouping threat prevention and URL filtering profiles, you can enforce multiple security checks on network traffic through a single firewall policy rule, ensuring consistent policy enforcement and simplified management. This document helps network administrators and security engineers configure and manage organization-level and project-level security profile groups.

Before you begin, review the concepts in the Security profile groups overview.

Before you begin

Roles

To get the permissions that you need to view, update, or delete security profile groups, ask your administrator to grant you the necessary Identity and Access Management (IAM) roles on your organization or project. For more information about granting roles, see Manage access.

To check the progress of the operations listed on this page, make sure that your user account has the following permissions, which are included in the Compute Network User role (roles/compute.networkUser):

  • networksecurity.operations.get
  • networksecurity.operations.list

List and view details of a security profile group

To list all security profile groups, use the Google Cloud console or the gcloud CLI.

You can view the following key details of a security profile group:

  • The description
  • The type
  • The name
  • The scope (organization-level or project-level)

Console

  1. In the Google Cloud console, go to the Security profiles page.


  2. From the project picker, select your organization or the project.

  3. Select the Security profile groups tab. The tab shows a list of configured security profile groups.

  4. Select the security profile group to view its details.

gcloud

To list security profile groups, use the gcloud network-security security-profile-groups list command:

gcloud network-security security-profile-groups list \
    --organization ORGANIZATION_ID | --project PROJECT_ID \
    [--billing-project QUOTA_PROJECT_ID] \
    --location global

To view details of a security profile group, use the gcloud network-security security-profile-groups describe command:

gcloud network-security security-profile-groups describe NAME \
    --organization ORGANIZATION_ID | --project PROJECT_ID \
    [--billing-project QUOTA_PROJECT_ID] \
    --location global

Replace the following:

  • NAME: the name of the security profile group.

    If you don't use the unique URL identifier format for the name, you must specify the organization or the project name, and the location.

  • ORGANIZATION_ID: the organization ID where the security profile group exists. Use this flag for an organization-level security profile group.

  • PROJECT_ID: the project ID where the security profile group exists. Use this flag for a project-level security profile group.

  • QUOTA_PROJECT_ID: the quota project ID. Use this flag only for organization-level security profile groups.

Update a security profile group

To update a security profile group, use the Google Cloud console or the gcloud CLI.

You can update the following key details of a security profile group:

  • The billing project (available for organization-level security profile groups only)
  • The security profile (change or remove)
  • The labels
  • The description

You can't change any of the following details:

  • The security profile group name
  • The security profile group zone
  • The security profile group organization or project

To change these details, delete the security profile group and create a new one.

Console

  1. In the Google Cloud console, go to the Security profiles page.


  2. From the project picker, select your organization or the project.

  3. Select the Security profile groups tab. The tab shows a list of configured security profile groups.

  4. Select the security profile group, and then click Edit.

  5. Update the required fields, and then click Save.

gcloud

To update a security profile group, use the gcloud network-security security-profile-groups update command:

gcloud network-security security-profile-groups update NAME \
    --organization ORGANIZATION_ID | --project PROJECT_ID \
    --clear-threat-prevention-profile | --threat-prevention-profile THREAT_SECURITY_PROFILE_URL \
    --clear-url-filtering-profile | --url-filtering-profile URL_SECURITY_PROFILE_URL \
    [--billing-project QUOTA_PROJECT_ID] \
    --description DESCRIPTION \
    --location global

Replace the following:

  • NAME: the name of the security profile group.

    If you don't use the unique URL identifier format for the name, you must specify the organization or the project name, and the location.

  • ORGANIZATION_ID: the organization ID. Use this flag for an organization-level security profile group.

  • PROJECT_ID: the project ID. Use this flag for a project-level security profile group.

  • THREAT_SECURITY_PROFILE_URL: a unique URL identifier for a security profile of THREAT_PREVENTION type.

    To remove a threat prevention security profile, use the --clear-threat-prevention-profile flag. To change a threat prevention security profile, use the --threat-prevention-profile flag.

  • URL_SECURITY_PROFILE_URL: a unique URL identifier for a security profile of URL_FILTERING type.

    To remove a URL filtering security profile, use the --clear-url-filtering-profile flag. To change the URL filtering security profile, use the --url-filtering-profile flag.

  • QUOTA_PROJECT_ID: the quota project ID. Use this flag only for organization-level security profile groups.

  • DESCRIPTION: an optional description for the security profile group.

Delete a security profile group

You can't delete a security profile group that is referenced by a firewall policy rule.

To delete a security profile group, use the Google Cloud console or the gcloud CLI.

Console

  1. In the Google Cloud console, go to the Security profiles page.


  2. In the project selector menu, select your organization or the project.

  3. Select the Security profile groups tab. The tab shows a list of configured security profile groups.

  4. Select the security profile group, and then click Delete.

  5. Click Delete again to confirm.

gcloud

To delete a security profile group, use the gcloud network-security security-profile-groups delete command:

gcloud network-security security-profile-groups delete NAME \
    --organization ORGANIZATION_ID | --project PROJECT_ID \
    [--billing-project QUOTA_PROJECT_ID] \
    --location global

Replace the following:

  • NAME: the name of the security profile group.

    If you don't use the unique URL identifier format for the name, you must specify the organization or the project name, and the location.

  • ORGANIZATION_ID: the organization ID. Use this flag for an organization-level security profile group.

  • PROJECT_ID: the project ID. Use this flag for a project-level security profile group.

  • QUOTA_PROJECT_ID: the quota project ID. Use this flag only for organization-level security profile groups.
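
Because a group that is referenced by a firewall policy rule can't be deleted, it helps to find those rules before you run the delete command. The following Python code is an added example, not part of the original documentation: it scans firewall policy JSON for rules that reference a given group. It assumes the policy was exported with gcloud compute network-firewall-policies describe and --format=json, and that rules carry the reference in the securityProfileGroup field; the policy, IDs, and names are constructed.

```python
import json

# Constructed sample: the shape of a firewall policy exported as JSON,
# trimmed to the fields this check reads (assumed field names).
SAMPLE_POLICY = json.loads("""
{"name": "example-policy", "rules": [
  {"priority": 1000, "action": "apply_security_profile_group",
   "securityProfileGroup": "//networksecurity.googleapis.com/organizations/123456789012/locations/global/securityProfileGroups/example-spg"},
  {"priority": 1100, "action": "apply_security_profile_group",
   "securityProfileGroup": "//networksecurity.googleapis.com/organizations/123456789012/locations/global/securityProfileGroups/example-spg-2"},
  {"priority": 2000, "action": "allow"}
]}
""")

SERVICE_PREFIX = "//networksecurity.googleapis.com/"


def group_path(name, organization=None, project=None):
    """Build the relative resource path of a security profile group."""
    # Mirrors the CLI: exactly one of --organization / --project applies.
    if (organization is None) == (project is None):
        raise ValueError("specify exactly one of organization or project")
    parent = f"organizations/{organization}" if organization else f"projects/{project}"
    return f"{parent}/locations/global/securityProfileGroups/{name}"


def referencing_rules(policy, path):
    """Return the priorities of rules whose securityProfileGroup is `path`."""
    hits = []
    for rule in policy.get("rules", []):
        ref = rule.get("securityProfileGroup", "")
        # Strip the service prefix so full and relative forms compare equal.
        ref = ref.removeprefix(SERVICE_PREFIX)
        # Exact match only: "example-spg" must not match "example-spg-2".
        if ref == path:
            hits.append(rule["priority"])
    return sorted(hits)


def safe_to_delete(policies, path):
    """True only if no rule in any exported policy references the group."""
    return not any(referencing_rules(p, path) for p in policies)


if __name__ == "__main__":
    target = group_path("example-spg", organization="123456789012")
    print(target, "is referenced by rules:", referencing_rules(SAMPLE_POLICY, target))
```

Run the check against every firewall policy that could reference the group, and remove or repoint the listed rules before deleting.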
