Security profile groups let you apply and control network security policies across your deployments. Each security profile group can contain up to one security profile of each of the following types:
- THREAT_PREVENTION
- URL_FILTERING
By grouping threat prevention and URL filtering profiles, you can enforce multiple security checks on network traffic through a single firewall policy rule, ensuring consistent policy enforcement and simplified management. This document helps network administrators and security engineers configure and manage organization-level and project-level security profile groups.
Before you begin, review the concepts in the Security profile groups overview.
Before you begin
- You must enable the Network Security API in your project.
- Install the gcloud CLI if you want to run the gcloud command-line examples in this guide.
- You need a threat prevention security profile or a URL filtering security profile.
Roles
To get the permissions that you need to view, update, or delete security profile groups, ask your administrator to grant you the necessary Identity and Access Management (IAM) roles on your organization or project. For more information about granting roles, see Manage access.
To check the progress of the operations listed on this page, make sure that your user role has the following Compute Network User (roles/compute.networkUser) permissions:
- networksecurity.operations.get
- networksecurity.operations.list
List and view details of a security profile group
To list all security profile groups, use the Google Cloud console or the gcloud CLI.
You can view the following key details of a security profile group:
- The description
- The type
- The name
- The scope (organization-level or project-level)
Console
In the Google Cloud console, go to the Security profiles page.
From the project picker, select your organization or the project.
Select the Security profile groups tab. The tab shows a list of configured security profile groups.
Select the security profile group to view its details.
gcloud
To list security profile groups, use the gcloud network-security security-profile-groups list command:
gcloud network-security security-profile-groups list \
--organization ORGANIZATION_ID | --project PROJECT_ID \
[--billing-project QUOTA_PROJECT_ID] \
--location global
To view details of a security profile group, use the gcloud network-security security-profile-groups describe command:
gcloud network-security security-profile-groups describe NAME \
--organization ORGANIZATION_ID | --project PROJECT_ID \
[--billing-project QUOTA_PROJECT_ID] \
--location global
Replace the following:
- NAME: the name of the security profile group. If you don't use the unique URL identifier format for the name, you must specify the organization or the project name, and the location.
- ORGANIZATION_ID: the organization ID where the security profile group exists. Use this flag for an organization-level security profile group.
- PROJECT_ID: the project ID where the security profile group exists. Use this flag for a project-level security profile group.
- QUOTA_PROJECT_ID: the quota project ID. Use this flag only for organization-level security profile groups.
Update a security profile group
To update a security profile group, use the Google Cloud console or the gcloud CLI.
You can update the following key details of a security profile group:
- The billing project (available for organization-level security profile groups only)
- Change or remove the security profile
- The labels
- The description
You can't change any of the following details:
- The security profile group name
- The security profile group zone
- The security profile group organization or project
To change these details, delete the security profile group and create a new one.
Console
In the Google Cloud console, go to the Security profiles page.
From the project picker, select your organization or the project.
Select the Security profile groups tab. The tab shows a list of configured security profile groups.
Select the security profile group, and then click Edit.
Update the required fields, and then click Save.
gcloud
To update a security profile group, use the gcloud network-security security-profile-groups update command:
gcloud network-security security-profile-groups update NAME \
--organization ORGANIZATION_ID | --project PROJECT_ID \
--clear-threat-prevention-profile | --threat-prevention-profile THREAT_SECURITY_PROFILE_URL \
--clear-url-filtering-profile | --url-filtering-profile URL_SECURITY_PROFILE_URL \
[--billing-project QUOTA_PROJECT_ID] \
--description DESCRIPTION \
--location global
Replace the following:
- NAME: the name of the security profile group. If you don't use the unique URL identifier format for the name, you must specify the organization or the project name, and the location.
- ORGANIZATION_ID: the organization ID. Use this flag for an organization-level security profile group.
- PROJECT_ID: the project ID. Use this flag for a project-level security profile group.
- THREAT_SECURITY_PROFILE_URL: a unique URL identifier for a security profile of THREAT_PREVENTION type. To remove a threat prevention security profile, use the --clear-threat-prevention-profile flag. To change a threat prevention security profile, use the --threat-prevention-profile flag.
- URL_SECURITY_PROFILE_URL: a unique URL identifier for a security profile of URL_FILTERING type. To remove a URL filtering security profile, use the --clear-url-filtering-profile flag. To change the URL filtering security profile, use the --url-filtering-profile flag.
- QUOTA_PROJECT_ID: the quota project ID. Use this flag only for organization-level security profile groups.
- DESCRIPTION: an optional description for the security profile group.
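One way to turn the update synopsis above into a concrete command, as an added example that is not part of the original guide: the | in the synopsis separates alternatives, so each invocation carries exactly one scope flag and, per profile type, either the clear flag or a replacement profile URL. The function name spg_update and the SPG_RUN switch are made up for this example; it prints the command for review and runs it only when SPG_RUN=1.

```shell
#!/bin/sh
# Added example (not from the original guide). spg_update and SPG_RUN are
# hypothetical names. Prints the gcloud command; runs it only if SPG_RUN=1.
#
# usage: spg_update SCOPE NAME THREAT URLF [QUOTA_PROJECT_ID] [DESCRIPTION]
#   SCOPE  : org:ORGANIZATION_ID or project:PROJECT_ID
#   THREAT : clear | THREAT_SECURITY_PROFILE_URL
#   URLF   : clear | URL_SECURITY_PROFILE_URL
spg_update() {
  scope=${1:-} name=${2:-} threat=${3:-} urlf=${4:-} quota=${5:-} desc=${6:-}
  if [ -z "$name" ] || [ -z "$threat" ] || [ -z "$urlf" ]; then
    echo "error: NAME, THREAT and URLF are required" >&2; return 2
  fi

  # Exactly one scope flag: organization-level or project-level.
  case $scope in
    org:?*)     scope_flag=--organization; scope_id=${scope#org:} ;;
    project:?*) scope_flag=--project;      scope_id=${scope#project:} ;;
    *) echo "error: SCOPE must be org:ID or project:ID" >&2; return 2 ;;
  esac

  # --billing-project is for organization-level groups only.
  if [ -n "$quota" ] && [ "$scope_flag" != "--organization" ]; then
    echo "error: QUOTA_PROJECT_ID needs an org: scope" >&2; return 2
  fi

  set -- gcloud network-security security-profile-groups update "$name" \
    "$scope_flag" "$scope_id" --location global

  # Per profile type: either the clear flag or a replacement URL, never both.
  case $threat in
    clear) set -- "$@" --clear-threat-prevention-profile ;;
    *)     set -- "$@" --threat-prevention-profile "$threat" ;;
  esac
  case $urlf in
    clear) set -- "$@" --clear-url-filtering-profile ;;
    *)     set -- "$@" --url-filtering-profile "$urlf" ;;
  esac

  [ -z "$quota" ] || set -- "$@" --billing-project "$quota"
  [ -z "$desc" ]  || set -- "$@" --description "$desc"

  # The printed form is for review and is not re-quoted for copy and paste.
  if [ "${SPG_RUN:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Constructed call using the guide's placeholders as literal text.
spg_update org:ORGANIZATION_ID NAME clear URL_SECURITY_PROFILE_URL
```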
Delete a security profile group
You can't delete a security profile group that is referenced by a firewall policy rule.
To delete a security profile group, use the Google Cloud console or the gcloud CLI.
Console
In the Google Cloud console, go to the Security profiles page.
In the project selector menu, select your organization or the project.
Select the Security profile groups tab. The tab shows a list of configured security profile groups.
Select the security profile group, and then click Delete.
Click Delete again to confirm.
gcloud
To delete a security profile group, use the gcloud network-security security-profile-groups delete command:
gcloud network-security security-profile-groups delete NAME \
--organization ORGANIZATION_ID | --project PROJECT_ID \
[--billing-project QUOTA_PROJECT_ID] \
--location global
Replace the following:
- NAME: the name of the security profile group. If you don't use the unique URL identifier format for the name, you must specify the organization or the project name, and the location.
- ORGANIZATION_ID: the organization ID. Use this flag for an organization-level security profile group.
- PROJECT_ID: the project ID. Use this flag for a project-level security profile group.
- QUOTA_PROJECT_ID: the quota project ID. Use this flag only for organization-level security profile groups.