Create and manage threat prevention security profiles

To protect your Google Cloud resources from threats, you define and enforce threat prevention security profiles. This document describes how to create, view, list, modify, and delete these profiles by using the Google Cloud console or the Google Cloud CLI.

This document is intended for network administrators and security engineers who configure network security and threat prevention policies.

Google Cloud supports threat prevention security profiles at two levels:

  • Organization-level security profiles: Enable centralized threat prevention rules that can be applied across multiple projects in your organization.
  • Project-level security profiles: Enable project-specific threat prevention rules tailored to the workloads within a single project.

For more information, see the Security profiles overview.

Before you begin

Roles

To get the permissions that you need to create, view, update, or delete security profiles, ask your administrator to grant you the necessary Identity and Access Management (IAM) roles on your organization. For more information about granting roles, see Manage access.

Create a threat prevention security profile

Create a security profile of type threat-prevention and specify the name of the security profile as a string or as a unique URL identifier.

Console

  1. In the Google Cloud console, go to the Security profiles page.

    Go to Security profiles

  2. In the project selector menu, select your organization or project where you want to create the security profile.

  3. Select the Security profiles tab.

  4. Click Create profile.

  5. Enter a name in the Name field.

  6. Optional: Enter a description in the Description field.

  7. To create a Cloud Next Generation Firewall Enterprise security profile, in the Purpose section, select Cloud NGFW Enterprise.

  8. To create a threat prevention security profile, in the Type section, select Threat prevention.

  9. Click Continue.

Optionally, add severity and threat overrides:

  1. Under Severity overrides, click Edit next to the severity level that you want to override.
  2. In the Override action list, select the appropriate action for the severity level.
  3. To add a threat signature override, click Add signature by ID.
  4. In the Signature ID field, enter the threat ID that you want to override. You can view the threat IDs on the threat dashboard.
  5. In the Override action list, select the appropriate action for the threat ID.
  6. Click Create.

gcloud

To create a threat prevention security profile, use the gcloud network-security security-profiles threat-prevention create command:

gcloud network-security security-profiles threat-prevention create NAME \
  [--organization ORGANIZATION_ID | --project PROJECT_ID] \
  [--billing-project QUOTA_PROJECT_ID] \
  --description DESCRIPTION \
  --location global

Replace the following:

  • NAME: the name of the security profile.

    If you don't specify the name in the unique URL identifier format, you must specify the organization or the project name, and the location.

  • ORGANIZATION_ID: the organization ID. Use this flag for an organization-level security profile.

  • PROJECT_ID: the project ID. Use this flag for a project-level security profile.

  • QUOTA_PROJECT_ID: the quota project ID. Use this flag only for organization-level security profiles.

  • DESCRIPTION: an optional description for the threat prevention security profile.

List and view details of a security profile

You can list all threat prevention security profiles created in an organization or a project. You can also view the details of a security profile, such as its profile type, purpose, and description.

Console

  1. In the Google Cloud console, go to the Security profiles page.

    Go to Security profiles

  2. In the project selector menu, select your organization.

  3. Select the Security profiles tab. The tab shows a list of configured security profiles.

  4. To filter for threat prevention security profiles, in the Filter field, specify Profile type as Threat prevention.

    The tab shows a list of Threat prevention security profiles.

  5. Click a security profile of type Threat prevention to view its details.

Console

  1. In the Google Cloud console, go to the Security profiles page.

    Go to Security profiles

  2. In the project selector menu, select your project.

  3. Select the Security profiles tab. The tab shows a list of configured security profiles.

  4. Click a security profile of type Threat prevention to view the profile details.

gcloud

To list all threat prevention security profiles, use the gcloud network-security security-profiles threat-prevention list command:

gcloud network-security security-profiles threat-prevention list \
    --organization ORGANIZATION_ID | --project PROJECT_ID \
    [--billing-project QUOTA_PROJECT_ID] \
    --location global

To view the details of a threat prevention security profile, use the gcloud network-security security-profiles describe command:

gcloud network-security security-profiles describe NAME \
    --organization ORGANIZATION_ID | --project PROJECT_ID \
    [--billing-project QUOTA_PROJECT_ID] \
    --location global

Replace the following:

  • NAME: the name of the security profile.

    If you don't specify the name in the unique URL identifier format, you must specify the organization or the project name, and the location.

  • ORGANIZATION_ID: the organization ID where the security profile exists. Use this flag for an organization-level security profile.

  • PROJECT_ID: the project ID where the security profile exists. Use this flag for a project-level security profile.

  • QUOTA_PROJECT_ID: the quota project ID. Use this flag only for organization-level security profiles.

Delete a threat prevention security profile

You can delete a threat prevention security profile by specifying its name, location, and organization or project. However, if a security profile is referenced by a security profile group, that security profile cannot be deleted.

Console

  1. In the Google Cloud console, go to the Security profiles page.

    Go to Security profiles

  2. Select the Security profiles tab. The tab shows a list of configured security profiles.

  3. Select the threat prevention security profile that you want to delete, and then click Delete.

  4. Click Delete again to confirm.

gcloud

To delete a threat prevention security profile, use the gcloud network-security security-profiles threat-prevention delete command:

gcloud network-security security-profiles threat-prevention delete NAME \
  --organization ORGANIZATION_ID | --project PROJECT_ID \
  [--billing-project QUOTA_PROJECT_ID] \
  --location global

Replace the following:

  • NAME: the name of the security profile.

    If you don't specify the name in the unique URL identifier format, you must specify the organization or the project name, and the location.

  • ORGANIZATION_ID: the organization ID. Use this flag for an organization-level security profile.

  • PROJECT_ID: the project ID. Use this flag for a project-level security profile.

  • QUOTA_PROJECT_ID: the quota project ID. Use this flag only for organization-level security profiles.

Import a threat prevention security profile

You can import a threat prevention security profile (either custom-created or previously exported) from a YAML file. When importing a threat prevention security profile, if a profile with the same name already exists, Cloud NGFW updates the existing profile.

gcloud

To import a threat prevention security profile from a YAML file, use the gcloud network-security security-profiles import command:

gcloud network-security security-profiles import NAME \
  --organization ORGANIZATION_ID | --project PROJECT_ID \
  [--billing-project QUOTA_PROJECT_ID] \
  --source FILE_NAME \
  --location global

Replace the following:

  • NAME: the name of the security profile.

    If you don't specify the name in the unique URL identifier format, you must specify the organization or the project name, and the location.

  • ORGANIZATION_ID: the organization ID. Use this flag for an organization-level security profile.

  • PROJECT_ID: the project ID. Use this flag for a project-level security profile.

  • QUOTA_PROJECT_ID: the quota project ID. Use this flag only for organization-level security profiles.

  • FILE_NAME: the path to the YAML file containing the configuration export data for the threat prevention security profile. For example, threat-prevention-sp.yaml.

    The YAML file must not contain any output-only fields. Alternatively, you can omit the source flag to read from the standard input.

Export a threat prevention security profile

You can export a threat prevention security profile to a YAML file. For example, instead of using the user-interface to modify a large security profile, you can use this functionality to export the security profile, modify it quickly, and import it back.

gcloud

To export a threat prevention security profile to a YAML file, use the gcloud beta network-security security-profiles export command:

gcloud network-security security-profiles export NAME \
  --organization ORGANIZATION_ID | --project PROJECT_ID \
  [--billing-project QUOTA_PROJECT_ID] \
  --destination FILE_NAME \
  --location global

Replace the following:

  • NAME: the name of the security profile.

    If you don't specify the name in the unique URL identifier format, you must specify the organization or the project name, and the location.

  • ORGANIZATION_ID: the organization ID. Use this flag for an organization-level security profile.

  • PROJECT_ID: the project ID. Use this flag for a project-level security profile.

  • QUOTA_PROJECT_ID: the quota project ID. Use this flag only for organization-level security profiles.

  • FILE_NAME: the path to the YAML file into which Cloud NGFW will export the configuration for the threat prevention security profile. For example, threat-prevention-sp.yaml.

    The exported configuration data doesn't contain any output-only fields. Alternatively, you can omit the destination flag to write to the standard output.

Add override actions in a threat prevention security profile

You can override the actions associated with specific threat signatures or severity levels in an existing threat prevention security profile.

Console

  1. In the Google Cloud console, go to the Security profiles page.

    Go to Security profiles

  2. In the project selector menu, select your organization or project.

  3. Select the Security profiles tab. The tab shows a list of configured security profiles.

  4. Select the security profile where you want to override actions, and then click Edit.

  5. Under Severity overrides, click Edit next to the severity level that you want to override.

  6. In Override action list, select the appropriate action for the severity level.

  7. Click Confirm.

  8. Click Save.

gcloud

To add an override to a threat prevention security profile, use the gcloud network-security security-profiles threat-prevention add-override command:

gcloud network-security security-profiles threat-prevention add-override NAME \
  --location global \
  [--organization ORGANIZATION_ID | --project PROJECT_ID] \
  [--billing-project QUOTA_PROJECT_ID] \
  [--severities SEVERITIES | --threat-ids THREAT_IDS | --antivirus PROTOCOLS] \
  --action ACTION

Replace the following:

  • NAME: the name of the security profile; you can specify the name as a string or as a unique URL identifier.

  • ORGANIZATION_ID: the organization ID. Use this flag for an organization-level security profile.

  • PROJECT_ID: the project ID. Use this flag for a project-level security profile.

  • QUOTA_PROJECT_ID: the quota project ID. Use this flag only for organization-level security profiles.

  • SEVERITIES: a comma-separated list of severity levels to override the action for. The firewall endpoint applies the configured --action flag to all threats of the specified severity levels.

    The severity can be any of following:

    • INFORMATIONAL
    • LOW
    • MEDIUM
    • HIGH
    • CRITICAL
  • THREAT_IDS: a comma-separated list of threat signature IDs to override the action for. The firewall endpoint applies the configured --action flag to all threats of the specified threat IDs.

  • PROTOCOLS: a comma-separated list of network protocols to monitor for the antivirus threat. For more information, see supported protocols.

  • ACTION: the action for the specified threat IDs or severities. For more information, see supported actions.

List override actions in a threat prevention security profile

You can list all the override actions in a threat prevention security profile.

Console

  1. In the Google Cloud console, go to the Security profiles page.

    Go to Security profiles

  2. In the project selector menu, select the organization or project.

  3. Select the Security profiles tab. The tab shows a list of configured security profiles.

  4. Select the security profile to view the configured severity override actions and threat signature override actions.

gcloud

To list override actions in a threat prevention security profile, use the gcloud network-security security-profiles threat-prevention list-overrides command:

gcloud network-security security-profiles threat-prevention list-overrides NAME \
  --location global \
  [--organization ORGANIZATION_ID | --project PROJECT_ID]

Replace the following:

  • NAME: the name of the security profile; you can specify the name as a string or as a unique URL identifier.

  • ORGANIZATION_ID: the organization ID. Use this flag for an organization-level security profile.

  • PROJECT_ID: the project ID. Use this flag for a project-level security profile.

Update override actions in a threat prevention security profile

You can update existing override actions for severity levels or threat signatures in a threat prevention security profile.

Console

  1. In the Google Cloud console, go to the Security profiles page.

    Go to Security profiles

  2. In the project selector menu, select the organization or project.

  3. Select the Security profiles tab. The tab shows a list of configured security profiles.

  4. Select the security profile, and then click Edit.

  5. Under Severity overrides, click Edit next to the severity level where you want to update override action.

  6. In the Override action list, select the appropriate action for the severity level.

  7. Click Confirm.

  8. Click Save.

gcloud

To update an override action in a threat prevention security profile, use the gcloud network-security security-profiles threat-prevention update-override command:

gcloud network-security security-profiles threat-prevention update-override NAME \
  --location global \
  [--organization ORGANIZATION_ID | --project PROJECT_ID] \
  [--billing-project QUOTA_PROJECT_ID] \
  [--severities SEVERITIES | --threat-ids THREAT_IDS | --antivirus PROTOCOLS] \
  --action ACTION

Replace the following:

  • NAME: the name of the security profile; you can specify the name as a string or as a unique URL identifier.

  • ORGANIZATION_ID: the organization ID. Use this flag for an organization-level security profile.

  • PROJECT_ID: the project ID. Use this flag for a project-level security profile.

  • QUOTA_PROJECT_ID: the quota project ID. Use this flag only for organization-level security profiles.

  • SEVERITIES: a comma-separated list of severity levels you want to update overrides for.

    The severity can be any of following:

    • INFORMATIONAL
    • LOW
    • MEDIUM
    • HIGH
    • CRITICAL
  • THREAT_IDS: a comma-separated list of threat signature IDs you want to update overrides for.

  • PROTOCOLS: a comma-separated list of network protocols to monitor for the antivirus threat.

    The following protocols are supported:

    • SMTP
    • SMB
    • POP3
    • IMAP
    • HTTP2
    • HTTP
    • FTP
  • ACTION: the default action for the specified threat IDs or severities.

    The action can be one of the following:

    • DEFAULT
    • ALLOW
    • DENY
    • ALERT

Delete override actions from a threat prevention security profile

You can delete existing override actions for severity levels or threat signatures from a threat prevention security profile.

Console

  1. In the Google Cloud console, go to the Security profiles page.

    Go to Security profiles

  2. In the project selector menu, select your organization or project.

  3. Select the Security profiles tab. The tab shows a list of configured security profiles.

  4. Select the security profile, and then click Edit.

  5. Under Severity overrides, click Edit next to the severity level where you want to delete the override action.

  6. In the Override action list, select No override.

  7. Click Confirm.

  8. Under Signature overrides, select the threat ID that you want to delete.

  9. Click Delete.

  10. Click Save.

gcloud

To delete an override action from a threat prevention security profile, use the gcloud network-security security-profiles threat-prevention delete-override command:

gcloud network-security security-profiles threat-prevention delete-override NAME \
  --location global \
  [--organization ORGANIZATION_ID | --project PROJECT_ID] \
  [--billing-project QUOTA_PROJECT_ID] \
  [--severities SEVERITIES | --threat-ids THREAT_IDS | --antivirus PROTOCOLS]

Replace the following:

  • NAME: the name of the security profile; you can specify the name as a string or as a unique URL identifier.

  • ORGANIZATION_ID: the organization ID. Use this flag for an organization-level security profile.

  • PROJECT_ID: the project ID. Use this flag for a project-level security profile.

  • QUOTA_PROJECT_ID: the quota project ID. Use this flag only for organization-level security profiles.

  • SEVERITIES: a comma-separated list of severity levels you want to delete overrides for.

    The severity can be any of following:

    • INFORMATIONAL
    • LOW
    • MEDIUM
    • HIGH
    • CRITICAL
  • THREAT_IDS: a comma-separated list of threat signature IDs you want to delete overrides for.

  • PROTOCOLS: a comma-separated list of network protocols to monitor for the antivirus threat.

    The following protocols are supported:

    • SMTP
    • SMB
    • POP3
    • IMAP
    • HTTP2
    • HTTP
    • FTP

What's next