Security profile group overview

A security profile group is a container for security profiles. A firewall policy rule references a security profile group to enable Layer 7 inspection, such as the URL filtering service and the intrusion detection and prevention service, on your network.

This document provides a detailed overview of security profile groups and their capabilities.

Specifications

  • A security profile group is a resource that you can configure at the organization level or the project level.

    • Organization-level security profile groups: use these groups to group organization-level security profiles across your organization.

    • Project-level security profile groups (Preview): use these groups to group project-level security profiles within your project.

  • In a security profile group, you can add security profiles of types url-filtering or threat-prevention in any order.

    A security profile group can only contain one security profile of each type. If you want to add two profiles, they must be of different types. For example, if you add a security profile of type url-filtering, you can add a second profile of type threat-prevention to scan the traffic in addition to filtering it.

  • Each security profile group is uniquely identified by a URL with the following elements:

    • Organization ID or Project ID (Preview): ID of the organization or the project.
    • Location: scope of the security profile group. Location is always set to global.
    • Name: security profile group name in the following format:
      • A string 1-63 characters long
      • Includes only alphanumeric characters or hyphens (-)
      • Must not start with a number

    To construct a unique URL identifier for a security profile group, use the following format:

    • For an organization-level security profile group:

      organizations/ORGANIZATION_ID/locations/global/securityProfileGroups/SECURITY_PROFILE_GROUP_NAME

      For example, a security profile group example-security-profile-group in organization 2345678432 has the following unique identifier:

      organizations/2345678432/locations/global/securityProfileGroups/example-security-profile-group

    • For a project-level security profile group (Preview):

      projects/PROJECT_ID/locations/global/securityProfileGroups/SECURITY_PROFILE_GROUP_NAME

      For example, a security profile group example-security-profile-group in project my-project-123 has the following unique identifier:

      projects/my-project-123/locations/global/securityProfileGroups/example-security-profile-group

  • To perform Layer 7 inspection of the network traffic, a firewall policy rule must contain the name of the security profile group to be used by the firewall endpoint.

  • Security profile groups apply to firewall policies only when you add a firewall policy rule with the action apply_security_profile_group. You can configure only organization-level security profile groups in hierarchical firewall policy rules, and both organization-level and project-level security profile groups in global network firewall policy rules.

  • The firewall policy rule applies to incoming and outgoing traffic of the Virtual Private Cloud (VPC) network. The matched traffic is redirected to the firewall endpoint along with the configured security profile group name. The firewall endpoint uses the security profiles specified in the security profile group to inspect domain and server name indication (SNI) information, scan packets for threats, and apply configured actions.

    The firewall endpoint executes the URL filtering security profile first and then runs the threat prevention security profile. However, if the endpoint detects a possible threat in the HTTP(S) message header, it can use the intrusion detection and prevention service first to evaluate and block the traffic as needed. The traffic that is evaluated and not blocked by intrusion detection and prevention service is then processed by the URL filtering service.

    To learn more about how to configure the URL filtering service, see Configure the URL filtering service.

    To learn more about how to configure threat prevention, see Configure intrusion detection and prevention service.

  • Each security profile group must have an associated project ID. The associated project is used for quotas and access restrictions on security profile group resources. If you authenticate your service account by using the gcloud auth activate-service-account command, you can associate your service account with the security profile group. To learn more about how to create a profile group, see Create a security profile group.

  • When you associate security profile groups with firewall policies by using firewall rules with apply_security_profile_group action, the following constraints apply:

    • Hierarchical firewall policies: managed at the organization or folder level; can reference only organization-level security profile groups.
    • Global network firewall policies: managed at the project level; can reference organization-level security profile groups and project-level security profile groups from any project.
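The naming rules, the unique-identifier formats, the one-profile-per-type constraint and the policy-reference constraints above are all mechanical checks that are easy to get wrong when generating configuration. The following Python snippet is an added example, not code from this documentation or from Google Cloud; it models those checks locally so that a resource name or policy reference can be validated before it is submitted. The class and function names, and the small in-memory model of a group, are assumptions made for this example; only the name rules, path formats, profile types and policy constraints come from the page.

```python
import re
from dataclasses import dataclass, field
from typing import List

# The two security profile types named on the page.
PROFILE_TYPES = {"url-filtering", "threat-prevention"}

# Name rules from the page: 1-63 characters, alphanumeric or hyphens only,
# must not start with a number. Only those three stated rules are enforced here.
_NAME_RE = re.compile(r"^[A-Za-z-][A-Za-z0-9-]{0,62}$")

# Policy kinds and the group scopes each may reference (from the page).
_ALLOWED_SCOPES = {
    "hierarchical": {"organizations"},
    "global-network": {"organizations", "projects"},
}


def validate_group_name(name: str) -> bool:
    """Return True if the name satisfies the page's naming rules."""
    return _NAME_RE.fullmatch(name) is not None


def group_resource_name(scope: str, parent_id: str, name: str) -> str:
    """Build the unique identifier for a group.

    scope is 'organizations' or 'projects'; parent_id is the organization ID
    or project ID; name is validated against the naming rules first.
    """
    if scope not in ("organizations", "projects"):
        raise ValueError(f"unsupported scope: {scope!r}")
    if not validate_group_name(name):
        raise ValueError(f"invalid security profile group name: {name!r}")
    # Location is always 'global' for security profile groups.
    return f"{scope}/{parent_id}/locations/global/securityProfileGroups/{name}"


@dataclass
class SecurityProfileGroup:
    """Hypothetical in-memory model of a group (assumption for this example)."""
    scope: str            # 'organizations' or 'projects'
    parent_id: str
    name: str
    profile_types: List[str] = field(default_factory=list)

    def add_profile(self, profile_type: str) -> None:
        """Add a profile; each type may appear at most once, in any order."""
        if profile_type not in PROFILE_TYPES:
            raise ValueError(f"unknown profile type: {profile_type!r}")
        if profile_type in self.profile_types:
            raise ValueError(f"group already contains a {profile_type} profile")
        self.profile_types.append(profile_type)

    def resource_name(self) -> str:
        return group_resource_name(self.scope, self.parent_id, self.name)


def policy_can_reference(policy_kind: str, group: SecurityProfileGroup) -> bool:
    """Check the reference constraint for an apply_security_profile_group rule.

    Hierarchical policies may reference only organization-level groups;
    global network policies may reference organization- or project-level groups.
    """
    if policy_kind not in _ALLOWED_SCOPES:
        raise ValueError(f"unknown policy kind: {policy_kind!r}")
    return group.scope in _ALLOWED_SCOPES[policy_kind]


if __name__ == "__main__":
    # Constructed sample values; the IDs are the ones used on the page.
    org_group = SecurityProfileGroup("organizations", "2345678432",
                                     "example-security-profile-group")
    org_group.add_profile("url-filtering")
    org_group.add_profile("threat-prevention")
    print(org_group.resource_name())

    proj_group = SecurityProfileGroup("projects", "my-project-123",
                                      "example-security-profile-group")
    print(proj_group.resource_name())
    print("hierarchical -> project group allowed:",
          policy_can_reference("hierarchical", proj_group))
```

Run as a script, the block prints the two identifiers shown on the page and reports that a hierarchical policy cannot reference the project-level group. In practice the same checks are worth running in CI over generated firewall policy configuration, since a wrong scope is rejected only at apply time.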

Differences between organization-level and project-level security profile groups

The following points summarize the differences between organization-level and project-level security profile groups:

  • Organization-level security profile groups apply to both organization-level and project-level endpoints.
  • Project-level security profile groups apply to project-level firewall endpoints that are in the same project as the security profile group. They can't be applied to organization-level firewall endpoints.
  • An organization-level security profile group can group only organization-level security profiles.
  • A project-level security profile group can group only project-level security profiles that exist in the same project.

Identity and Access Management roles

Identity and Access Management (IAM) roles govern the following security profile group actions:

  • Creating a security profile group in an organization or a project
  • Modifying or deleting a security profile group in an organization or a project
  • Viewing details of a security profile group in an organization or a project
  • Viewing a list of security profile groups in an organization or a project
  • Using a security profile group in a firewall policy rule

The following table describes the roles that are necessary for each step.

Ability: Create a security profile group
Necessary role: Any of the following roles for the organization or project:
  • Security Profile Admin (roles/networksecurity.securityProfileAdmin) at the organization level for organization-level security profile groups, and at either the project ([Preview](https://cloud.google.com/products#product-launch-stages)) or organization level for project-level security profile groups
  • Compute Network Admin (roles/compute.networkAdmin)

Ability: Modify a security profile group
Necessary role: Any of the following roles for the organization or project:
  • Security Profile Admin (roles/networksecurity.securityProfileAdmin) at the organization level for organization-level security profile groups, and at either the project ([Preview](https://cloud.google.com/products#product-launch-stages)) or organization level for project-level security profile groups
  • Compute Network Admin (roles/compute.networkAdmin)

Ability: Delete a security profile group
Necessary role: Compute Network Admin (roles/compute.networkAdmin) role on the organization or project ([Preview](https://cloud.google.com/products#product-launch-stages)) where the security profile group exists.

Ability: View details about a security profile group in an organization or a project
Necessary role: Any of the following roles for the organization or project:
  • Security Profile Admin (roles/networksecurity.securityProfileAdmin) at the organization level for organization-level security profile groups, and at either the project ([Preview](https://cloud.google.com/products#product-launch-stages)) or organization level for project-level security profile groups
  • Compute Network Admin (roles/compute.networkAdmin)
  • Compute Network User (roles/compute.networkUser)
  • Compute Network Viewer (roles/compute.networkViewer)

Ability: View all of the security profile groups in an organization or a project
Necessary role: Any of the following roles for the organization or project:
  • Security Profile Admin (roles/networksecurity.securityProfileAdmin) at the organization level for organization-level security profile groups, and at either the project ([Preview](https://cloud.google.com/products#product-launch-stages)) or organization level for project-level security profile groups
  • Compute Network Admin (roles/compute.networkAdmin)
  • Compute Network User (roles/compute.networkUser)
  • Compute Network Viewer (roles/compute.networkViewer)

Ability: Use a security profile group in a firewall policy rule
Necessary role: Any of the following roles for the organization or project:
  • Security Profile Admin (roles/networksecurity.securityProfileAdmin) at the organization level for organization-level security profile groups, and at either the project ([Preview](https://cloud.google.com/products#product-launch-stages)) or organization level for project-level security profile groups
  • Compute Network Admin (roles/compute.networkAdmin)
  • Compute Network User (roles/compute.networkUser)

What's next