Create and manage security profile groups

This page explains how to create and manage security profile groups by using the Google Cloud console or the Google Cloud CLI.

Before you begin

Roles

To get the permissions that you need to create, view, update, or delete security profile groups, ask your administrator to grant you the necessary IAM roles on your organization or project. For more information about granting roles, see Manage access.

Create a security profile group

Each security profile group can contain up to one security profile of each of the following types:

  • url-filtering
  • threat-prevention

Organization-level security profile groups

To create an organization-level security profile group, use the Google Cloud console or the gcloud CLI.

When you create a security profile group, you can specify the name of the security profile group as a string or as a unique URL identifier. To construct the unique URL for a security profile group, use the following format:

organizations/ORGANIZATION_ID/locations/global/securityProfileGroups/NAME

If you use a unique URL identifier for the security profile group name, the organization and the location of the security profile group are already included in the URL identifier. However, if you use only the security profile group name, you must specify the organization and the location separately. For more information about unique URL identifiers, see security profile group specifications.

Console

  1. In the Google Cloud console, go to the Security profiles page.

  2. In the project selector menu, select your organization.

  3. Select the Security profile groups tab.

Configure a security profile group:

  1. Click Create profile group.
  2. Enter a name in the Name field.
  3. Optional: Enter a description in the Description field.
  4. To create a security profile group for Cloud Next Generation Firewall Enterprise, in the Purpose section, select Cloud NGFW Enterprise.
  5. In the Threat prevention profile list or the URL filtering profile list, select the security profile that you want to add to this security profile group.
  6. Click Create.

gcloud

To create a security profile group, use the gcloud network-security security-profile-groups create command:

gcloud network-security security-profile-groups create NAME \
    --organization ORGANIZATION_ID \
    --location LOCATION \
    --billing-project QUOTA_PROJECT_ID \
    --url-filtering-profile SECURITY_PROFILE_URL \
    --threat-prevention-profile SECURITY_PROFILE_URL \
    --description DESCRIPTION

Replace the following:

  • NAME: the name of the security profile group; you can specify the name as a string or as a unique URL identifier.

  • ORGANIZATION_ID: the organization where the security profile group is created. If you use a unique URL identifier for the NAME variable, you can omit the --organization flag.

  • LOCATION: the location of the security profile group.

    Location is always set to global. If you use a unique URL identifier for the NAME variable, you can omit the --location flag.

  • QUOTA_PROJECT_ID: an optional project ID to use for quotas and access restrictions on the security profile group.

  • SECURITY_PROFILE_URL: a unique URL identifier for a security profile of either url-filtering or threat-prevention type. You must add at least one of these security profiles.

  • DESCRIPTION: an optional description for the security profile group.

Project-level security profile groups

To create a project-level security profile group, use the gcloud CLI.

When you create a security profile group, you can specify the name of the security profile group as a string or as a unique URL identifier. To construct the unique URL for a security profile group, use the following format:

projects/PROJECT_ID/locations/global/securityProfileGroups/NAME

If you use a unique URL identifier for the security profile group name, the project and the location of the security profile group are already included in the URL identifier. However, if you use only the security profile group name, you must specify the project and the location separately. For more information about unique URL identifiers, see security profile group specifications.

gcloud

To create a security profile group, use the gcloud beta network-security security-profile-groups create command:

gcloud beta network-security security-profile-groups create NAME \
    --project PROJECT_ID \
    --location LOCATION \
    --url-filtering-profile SECURITY_PROFILE_URL \
    --threat-prevention-profile SECURITY_PROFILE_URL \
    --description DESCRIPTION

Replace the following:

  • NAME: the name of the security profile group; you can specify the name as a string or as a unique URL identifier.

  • PROJECT_ID: the project where the security profile group is created. If you use a unique URL identifier for the NAME variable, you can omit the --project flag.

  • LOCATION: the location of the security profile group.

    Location is always set to global. If you use a unique URL identifier for the NAME variable, you can omit the --location flag.

  • SECURITY_PROFILE_URL: a unique URL identifier for a security profile of either url-filtering or threat-prevention type. You must add at least one of these security profiles.

  • DESCRIPTION: an optional description for the security profile group.
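The organization-level and project-level create sections above both describe the same two rules: the unique URL identifier carries the parent and the location, and at least one of the two profile types must be attached. The following shell script is an added example, not code from the Google Cloud documentation: it builds the identifier from a parent and a name, refuses a create command that attaches no profile, and prints the matching gcloud command. The organization ID, group name, and the securityProfiles path used for the profile are constructed placeholders; the name check (lowercase letters, digits, hyphens) is this example's own assumption and not the service's documented naming rule.

```shell
#!/bin/sh
# Added example (not from the Google Cloud documentation): build the unique URL
# identifier for a security profile group and assemble the matching
# "security-profile-groups create" command from it. All IDs and profile
# paths below are constructed placeholders.

# spg_resource_name PARENT_TYPE PARENT_ID NAME
#   PARENT_TYPE is "organizations" or "projects"; the location is always global.
spg_resource_name() {
    parent_type=$1
    parent_id=$2
    name=$3
    case "$parent_type" in
        organizations|projects) ;;
        *) echo "parent type must be organizations or projects, got: $parent_type" >&2; return 1 ;;
    esac
    # Assumed naming rule for this example only: lowercase letters, digits and
    # hyphens. A typo fails here rather than producing a malformed identifier
    # that gcloud rejects later.
    case "$name" in
        ""|*[!a-z0-9-]*) echo "invalid security profile group name: '$name'" >&2; return 1 ;;
    esac
    printf '%s/%s/locations/global/securityProfileGroups/%s\n' \
        "$parent_type" "$parent_id" "$name"
}

# spg_create_cmd RESOURCE_NAME THREAT_PREVENTION_PROFILE_URL URL_FILTERING_PROFILE_URL
#   Prints the create command. Pass "" for a profile type you do not attach;
#   at least one of the two must be given. Because the unique URL identifier
#   already carries the parent and the location, --organization/--project and
#   --location are omitted.
spg_create_cmd() {
    resource=$1
    tp=$2
    uf=$3
    if [ -z "$tp" ] && [ -z "$uf" ]; then
        echo "at least one of --threat-prevention-profile or --url-filtering-profile is required" >&2
        return 1
    fi
    # Project-level groups are documented under the beta command group.
    case "$resource" in
        projects/*) cmd="gcloud beta network-security security-profile-groups create $resource" ;;
        *)          cmd="gcloud network-security security-profile-groups create $resource" ;;
    esac
    if [ -n "$tp" ]; then cmd="$cmd --threat-prevention-profile $tp"; fi
    if [ -n "$uf" ]; then cmd="$cmd --url-filtering-profile $uf"; fi
    printf '%s\n' "$cmd"
}

# Demonstration with constructed placeholder values; run the printed command
# once the IDs are real. The securityProfiles path is an assumed format.
ORG_ID=123456789012
SPG=$(spg_resource_name organizations "$ORG_ID" prod-ngfw-group)
TP_PROFILE="organizations/$ORG_ID/locations/global/securityProfiles/tp-strict"
spg_create_cmd "$SPG" "$TP_PROFILE" ""
```

Printing the command rather than executing it keeps the check reviewable in a change request: the reviewer sees exactly which profile URLs the group will reference before anything is created.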

View a security profile group

You can view the details of a specific security profile group in an organization or a project.

Organization-level security profile groups

To view an organization-level security profile group, use the Google Cloud console or the gcloud CLI.

Console

  1. In the Google Cloud console, go to the Security profiles page.

  2. Select the Security profile groups tab. The tab shows a list of configured security profile groups.

  3. Select the security profile group to view its details.

gcloud

To view details of a security profile group, use the gcloud network-security security-profile-groups describe command:

gcloud network-security security-profile-groups describe NAME \
    --organization ORGANIZATION_ID \
    --location LOCATION \
    --billing-project QUOTA_PROJECT_ID

Replace the following:

  • NAME: the name of the security profile group; you can specify the name as a string or as a unique URL identifier.

  • ORGANIZATION_ID: the organization where the security profile group exists. If you use a unique URL identifier for the NAME variable, you can omit the --organization flag.

  • LOCATION: the location of the security profile group.

    Location is always set to global. If you use a unique URL identifier for the NAME variable, you can omit the --location flag.

  • QUOTA_PROJECT_ID: an optional project ID to use for quotas and access restrictions on the security profile group.

Project-level security profile groups

To view a project-level security profile group, use the gcloud CLI.

gcloud

To view details of a security profile group, use the gcloud beta network-security security-profile-groups describe command:

gcloud beta network-security security-profile-groups describe NAME \
    --project PROJECT_ID \
    --location LOCATION

Replace the following:

  • NAME: the name of the security profile group; you can specify the name as a string or as a unique URL identifier.

  • PROJECT_ID: the project where the security profile group exists. If you use a unique URL identifier for the NAME variable, you can omit the --project flag.

  • LOCATION: the location of the security profile group.

    Location is always set to global. If you use a unique URL identifier for the NAME variable, you can omit the --location flag.

List security profile groups

You can list all the security profile groups in an organization or a project.

Organization-level security profile groups

To list all organization-level security profile groups, use the Google Cloud console or the gcloud CLI.

Console

  1. In the Google Cloud console, go to the Security profiles page.

  2. Select the Security profile groups tab. The tab shows a list of configured security profile groups.

gcloud

To list security profile groups, use the gcloud network-security security-profile-groups list command:

gcloud network-security security-profile-groups list \
    --organization ORGANIZATION_ID \
    --location LOCATION \
    --billing-project BILLING_PROJECT_ID

Replace the following:

  • ORGANIZATION_ID: the organization where the security profile group exists. If you use a unique URL identifier for the NAME variable, you can omit the --organization flag.

  • LOCATION: the location of the security profile group.

    Location is always set to global. If you use a unique URL identifier for the NAME variable, you can omit the --location flag.

  • BILLING_PROJECT_ID: an optional project ID to use for billing of the security profile group.

Project-level security profile groups

To list all project-level security profile groups, use the gcloud CLI.

gcloud

To list security profile groups, use the gcloud network-security security-profile-groups list command:

gcloud network-security security-profile-groups list \
    --project PROJECT_ID \
    --location LOCATION

Replace the following:

  • PROJECT_ID: the project where the security profile group exists.

  • LOCATION: the location of the security profile group.

    Location is always set to global.

Update a security profile group

You can update the security profile name referenced in a security profile group.

Organization-level security profile groups

To update an organization-level security profile group, use the Google Cloud console or the gcloud CLI.

Console

  1. In the Google Cloud console, go to the Security profiles page.

  2. Select the Security profile groups tab. The tab shows a list of configured security profile groups.

  3. Select the security profile group, and then click Edit.

  4. Update the required fields, and then click Save.

gcloud

To update a security profile group, use the gcloud network-security security-profile-groups update command:

gcloud network-security security-profile-groups update NAME \
    --organization ORGANIZATION_ID \
    --location LOCATION \
    --clear-threat-prevention-profile | --threat-prevention-profile SECURITY_PROFILE_URL \
    --clear-url-filtering-profile | --url-filtering-profile SECURITY_PROFILE_URL \
    --billing-project QUOTA_PROJECT_ID \
    --description DESCRIPTION

Replace the following:

  • NAME: the name of the security profile group that you want to update; you can specify the name as a string or as a unique URL identifier.

  • ORGANIZATION_ID: the organization where the security profile group exists. If you use a unique URL identifier for the NAME variable, you can omit the --organization flag.

  • LOCATION: the location of the security profile group.

    Location is always set to global. If you use a unique URL identifier for the NAME variable, you can omit the --location flag.

  • SECURITY_PROFILE_URL: a unique URL identifier of the security profile of either url-filtering or threat-prevention type.

    Specify at most one of these flags:

    • --clear-threat-prevention-profile: clear the threat-prevention-profile field.
    • --threat-prevention-profile: update the threat-prevention-profile field with the unique URL identifier of a security profile of the threat-prevention type.

    Similarly, specify at most one of these flags:

    • --clear-url-filtering-profile: clear the url-filtering-profile field.
    • --url-filtering-profile: update the url-filtering-profile field with the unique URL identifier of a security profile of the url-filtering type.

  • QUOTA_PROJECT_ID: an optional project ID to use for quotas and access restrictions on the security profile group.

  • DESCRIPTION: an optional description for the security profile group.

Project-level security profile groups

To update a project-level security profile group, use the gcloud CLI.

gcloud

To update a security profile group, use the gcloud beta network-security security-profile-groups update command:

gcloud beta network-security security-profile-groups update NAME \
    --project PROJECT_ID \
    --location LOCATION \
    --clear-threat-prevention-profile | --threat-prevention-profile SECURITY_PROFILE_URL \
    --clear-url-filtering-profile | --url-filtering-profile SECURITY_PROFILE_URL \
    --description DESCRIPTION

Replace the following:

  • NAME: the name of the security profile group that you want to update; you can specify the name as a string or as a unique URL identifier.

  • PROJECT_ID: the project where the security profile group exists. If you use a unique URL identifier for the NAME variable, you can omit the --project flag.

  • LOCATION: the location of the security profile group.

    Location is always set to global. If you use a unique URL identifier for the NAME variable, you can omit the --location flag.

  • SECURITY_PROFILE_URL: a unique URL identifier of the security profile of either url-filtering or threat-prevention type.

    Specify at most one of these flags:

    • --clear-threat-prevention-profile: clear the threat-prevention-profile field.
    • --threat-prevention-profile: update the threat-prevention-profile field with the unique URL identifier of a security profile of the threat-prevention type.

    Similarly, specify at most one of these flags:

    • --clear-url-filtering-profile: clear the url-filtering-profile field.
    • --url-filtering-profile: update the url-filtering-profile field with the unique URL identifier of a security profile of the url-filtering type.

  • DESCRIPTION: an optional description for the security profile group.
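Both update sections state the same constraint: for each profile type, the clear flag and the set flag are mutually exclusive. The following shell function is an added example, not code from the Google Cloud documentation: it accepts the documented update flags, rejects a conflicting pair (or a flag without its value, or an update that changes nothing) before any command is issued, and prints the resulting gcloud command, choosing the beta command group for project-level groups as the page does. The resource and profile paths in the demonstration are constructed placeholders, and the securityProfiles path format is an assumption.

```shell
#!/bin/sh
# Added example (not from the Google Cloud documentation): assemble a
# "security-profile-groups update" command while enforcing the flag rules the
# documentation states: --clear-threat-prevention-profile is exclusive with
# --threat-prevention-profile, and --clear-url-filtering-profile is exclusive
# with --url-filtering-profile. Resource paths below are constructed placeholders.

# spg_update_cmd RESOURCE_NAME [update flags...]
#   Prints the command on success; returns 1 with a reason on stderr when the
#   flags conflict, a value is missing, a flag is unknown, or nothing changes.
spg_update_cmd() {
    resource=$1
    shift
    tp_set=0; tp_clear=0; uf_set=0; uf_clear=0
    args=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --threat-prevention-profile|--url-filtering-profile|--description)
                if [ $# -lt 2 ]; then
                    echo "missing value for $1" >&2; return 1
                fi
                case "$1" in
                    --threat-prevention-profile) tp_set=1; args="$args $1 $2" ;;
                    --url-filtering-profile)     uf_set=1; args="$args $1 $2" ;;
                    # Descriptions may contain spaces, so quote the value.
                    --description)               args="$args $1 '$2'" ;;
                esac
                shift 2 ;;
            --clear-threat-prevention-profile)
                tp_clear=1; args="$args $1"; shift ;;
            --clear-url-filtering-profile)
                uf_clear=1; args="$args $1"; shift ;;
            *)
                echo "unsupported flag: $1" >&2; return 1 ;;
        esac
    done
    # The two conflicts the documentation forbids.
    if [ "$tp_set$tp_clear" = "11" ]; then
        echo "--threat-prevention-profile and --clear-threat-prevention-profile are mutually exclusive" >&2
        return 1
    fi
    if [ "$uf_set$uf_clear" = "11" ]; then
        echo "--url-filtering-profile and --clear-url-filtering-profile are mutually exclusive" >&2
        return 1
    fi
    if [ -z "$args" ]; then
        echo "no update flags given" >&2; return 1
    fi
    # Project-level groups are documented under the beta command group.
    case "$resource" in
        projects/*) base="gcloud beta network-security security-profile-groups update $resource" ;;
        *)          base="gcloud network-security security-profile-groups update $resource" ;;
    esac
    printf '%s%s\n' "$base" "$args"
}

# Demonstration with constructed placeholder values: swap in a stricter
# threat-prevention profile and detach the URL-filtering profile in one update.
SPG="organizations/123456789012/locations/global/securityProfileGroups/prod-ngfw-group"
spg_update_cmd "$SPG" \
    --threat-prevention-profile organizations/123456789012/locations/global/securityProfiles/tp-strict \
    --clear-url-filtering-profile
```

Clearing a profile removes that inspection type from every firewall policy rule that references the group, so treating the clear flags as a reviewed change rather than an ad-hoc command is the reason to front-load this validation.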

Delete a security profile group

You can delete a security profile group by specifying its name, location, and organization or project. However, if a security profile group is referenced by a firewall policy, that security profile group cannot be deleted.

Organization-level security profile groups

To delete an organization-level security profile group, use the Google Cloud console or the gcloud CLI.

Console

  1. In the Google Cloud console, go to the Security profiles page.

  2. Select the Security profile groups tab. The tab shows a list of configured security profile groups.

  3. Select the security profile group, and then click Delete.

  4. Click Delete again to confirm.

gcloud

To delete a security profile group, use the gcloud network-security security-profile-groups delete command:

gcloud network-security security-profile-groups delete NAME \
    --organization ORGANIZATION_ID \
    --location LOCATION \
    --billing-project QUOTA_PROJECT_ID

Replace the following:

  • NAME: the name of the security profile group that you want to delete; you can specify the name as a string or as a unique URL identifier.

  • ORGANIZATION_ID: the organization where the security profile group exists. If you use a unique URL identifier for the NAME variable, you can omit the --organization flag.

  • LOCATION: the location of the security profile group.

    Location is always set to global. If you use a unique URL identifier for the NAME variable, you can omit the --location flag.

  • QUOTA_PROJECT_ID: an optional project ID to use for quotas and access restrictions on the security profile group.

Project-level security profile groups

To delete a project-level security profile group, use the gcloud CLI.

gcloud

To delete a security profile group, use the gcloud beta network-security security-profile-groups delete command:

gcloud beta network-security security-profile-groups delete NAME \
    --project PROJECT_ID \
    --location LOCATION

Replace the following:

  • NAME: the name of the security profile group that you want to delete; you can specify the name as a string or as a unique URL identifier.

  • PROJECT_ID: the project where the security profile group exists. If you use a unique URL identifier for the NAME variable, you can omit the --project flag.

  • LOCATION: the location of the security profile group.

    Location is always set to global. If you use a unique URL identifier for the NAME variable, you can omit the --location flag.

What's next