This page explains how to manage security profile groups by using the Google Cloud console or the Google Cloud CLI.
To check the progress of the operations listed on this page, make sure that your user role has the following Compute Network User (roles/compute.networkUser) permissions:
- networksecurity.operations.get
- networksecurity.operations.list
Before you begin
- You must enable the Network Security API in your project.
- Install the gcloud CLI if you want to run the gcloud command-line examples in this guide.
- You need a threat prevention security profile or a URL filtering security profile.
Roles
To get the permissions that you need to view, update, or delete security profile groups, ask your administrator to grant you the necessary IAM roles on your organization or project. For more information about granting roles, see Manage access.
View a security profile group
You can view the details of a specific security profile group in an organization or a project.
Organization-level security profile groups
To view an organization-level security profile group, use the Google Cloud console or the gcloud CLI.
Console
In the Google Cloud console, go to the Security profiles page.
Select the Security profile groups tab. The tab shows a list of configured security profile groups.
Select the security profile group to view its details.
gcloud
To view details of a security profile group, use the gcloud
network-security security-profile-groups describe
command:
gcloud network-security security-profile-groups describe NAME \
--organization ORGANIZATION_ID \
--location LOCATION \
--billing-project QUOTA_PROJECT_ID
Replace the following:
- NAME: the name of the security profile group; you can specify the name as a string or as a unique URL identifier.
- ORGANIZATION_ID: the organization where the security profile group exists. If you use a unique URL identifier for the NAME variable, you can omit the --organization flag.
- LOCATION: the location of the security profile group. Location is always set to global. If you use a unique URL identifier for the NAME variable, you can omit the --location flag.
- QUOTA_PROJECT_ID: an optional project ID to use for quotas and access restrictions on the security profile group.
Project-level security profile groups
To view a project-level security profile group, use the gcloud CLI.
gcloud
To view details of a security profile group, use the gcloud
beta network-security security-profile-groups describe
command:
gcloud beta network-security security-profile-groups describe NAME \
--project PROJECT_ID \
--location LOCATION
Replace the following:
- NAME: the name of the security profile group; you can specify the name as a string or as a unique URL identifier.
- PROJECT_ID: the project where the security profile group exists. If you use a unique URL identifier for the NAME flag, you can omit the --project flag.
- LOCATION: the location of the security profile group. Location is always set to global. If you use a unique URL identifier for the NAME flag, you can omit the --location flag.
List security profile groups
You can list all the security profile groups in an organization or a project.
Organization-level security profile groups
To list all organization-level security profile groups, use the Google Cloud console or the gcloud CLI.
Console
In the Google Cloud console, go to the Security profiles page.
Select the Security profile groups tab. The tab shows a list of configured security profile groups.
gcloud
To list security profile groups, use the gcloud network-security
security-profile-groups list
command:
gcloud network-security security-profile-groups list \
--organization ORGANIZATION_ID \
--location LOCATION \
--billing-project BILLING_PROJECT_ID
Replace the following:
- ORGANIZATION_ID: the organization where the security profile group exists. If you use a unique URL identifier for the NAME variable, you can omit the --organization flag.
- LOCATION: the location of the security profile group. Location is always set to global. If you use a unique URL identifier for the NAME variable, you can omit the --location flag.
- BILLING_PROJECT_ID: an optional project ID to use for billing of the security profile group.
Project-level security profile groups
To list all project-level security profile groups, use the gcloud CLI.
gcloud
To list security profile groups, use the gcloud network-security
security-profile-groups list
command:
gcloud network-security security-profile-groups list \
--project PROJECT_ID \
--location LOCATION
Replace the following:
- PROJECT_ID: the project where the security profile group exists.
- LOCATION: the location of the security profile group. Location is always set to global.
Update a security profile group
You can update the security profile name referenced in a security profile group.
Organization-level security profile groups
To update an organization-level security profile group, use the Google Cloud console or the gcloud CLI.
Console
In the Google Cloud console, go to the Security profiles page.
Select the Security profile groups tab. The tab shows a list of configured security profile groups.
Select the security profile group, and then click Edit.
Update the required fields, and then click Save.
gcloud
To update a security profile group, use the gcloud network-security
security-profile-groups update
command:
gcloud network-security security-profile-groups update NAME \
--organization ORGANIZATION_ID \
--location LOCATION \
--clear-threat-prevention-profile | --threat-prevention-profile SECURITY_PROFILE_URL \
--clear-url-filtering-profile | --url-filtering-profile SECURITY_PROFILE_URL \
--billing-project QUOTA_PROJECT_ID \
--description DESCRIPTION
Replace the following:
- NAME: the name of the security profile group that you want to update; you can specify the name as a string or as a unique URL identifier.
- ORGANIZATION_ID: the organization where the security profile group exists. If you use a unique URL identifier for the NAME variable, you can omit the --organization flag.
- LOCATION: the location of the security profile group. Location is always set to global. If you use a unique URL identifier for the NAME variable, you can omit the --location flag.
- SECURITY_PROFILE_URL: a unique URL identifier of the security profile of either url-filtering or threat-prevention type.
  Specify at most one of these flags:
  - clear-threat-prevention-profile: clear the threat-prevention-profile field.
  - threat-prevention-profile: update the threat-prevention-profile field with the unique URL identifier of the security profile of the threat-prevention type.
  Similarly, specify at most one of these flags:
  - clear-url-filtering-profile: clear the url-filtering-profile field.
  - url-filtering-profile: update the url-filtering-profile field with the unique URL identifier of the security profile of the url-filtering type.
- QUOTA_PROJECT_ID: an optional project ID to use for quotas and access restrictions on the security profile group.
- DESCRIPTION: an optional description for the security profile group.
Project-level security profile groups
To update a project-level security profile group, use the gcloud CLI.
gcloud
To update a security profile group, use the gcloud beta network-security
security-profile-groups update
command:
gcloud beta network-security security-profile-groups update NAME \
--project PROJECT_ID \
--location LOCATION \
--clear-threat-prevention-profile | --threat-prevention-profile SECURITY_PROFILE_URL \
--clear-url-filtering-profile | --url-filtering-profile SECURITY_PROFILE_URL \
--description DESCRIPTION
Replace the following:
- NAME: the name of the security profile group that you want to update; you can specify the name as a string or as a unique URL identifier.
- PROJECT_ID: the project where the security profile group exists. If you use a unique URL identifier for the NAME flag, you can omit the --project flag.
- LOCATION: the location of the security profile group. Location is always set to global. If you use a unique URL identifier for the NAME variable, you can omit the --location flag.
- SECURITY_PROFILE_URL: a unique URL identifier of the security profile of either url-filtering or threat-prevention type.
  Specify at most one of these flags:
  - clear-threat-prevention-profile: clear the threat-prevention-profile field.
  - threat-prevention-profile: update the threat-prevention-profile field with the unique URL identifier of the security profile of the threat-prevention type.
  Similarly, specify at most one of these flags:
  - clear-url-filtering-profile: clear the url-filtering-profile field.
  - url-filtering-profile: update the url-filtering-profile field with the unique URL identifier of the security profile of the url-filtering type.
- DESCRIPTION: an optional description for the security profile group.
Delete a security profile group
You can delete a security profile group by specifying its name, location, and organization or project. However, if a security profile group is referenced by a firewall policy, that security profile group cannot be deleted.
Organization-level security profile groups
To delete an organization-level security profile group, use the Google Cloud console or the gcloud CLI.
Console
In the Google Cloud console, go to the Security profiles page.
Select the Security profile groups tab. The tab shows a list of configured security profile groups.
Select the security profile group, and then click Delete.
Click Delete again to confirm.
gcloud
To delete a security profile group, use the gcloud network-security
security-profile-groups delete
command:
gcloud network-security security-profile-groups delete NAME \
--organization ORGANIZATION_ID \
--location LOCATION \
--billing-project QUOTA_PROJECT_ID
Replace the following:
- NAME: the name of the security profile group that you want to delete; you can specify the name as a string or as a unique URL identifier.
- ORGANIZATION_ID: the organization where the security profile group exists. If you use a unique URL identifier for the NAME variable, you can omit the --organization flag.
- LOCATION: the location of the security profile group. Location is always set to global. If you use a unique URL identifier for the NAME variable, you can omit the --location flag.
- QUOTA_PROJECT_ID: an optional project ID to use for quotas and access restrictions on the security profile group.
Project-level security profile groups
To delete a project-level security profile group, use the gcloud CLI.
gcloud
To delete a security profile group, use the gcloud beta network-security
security-profile-groups delete
command:
gcloud beta network-security security-profile-groups delete NAME \
--project PROJECT_ID \
--location LOCATION
Replace the following:
- NAME: the name of the security profile group that you want to delete; you can specify the name as a string or as a unique URL identifier.
- PROJECT_ID: the project where the security profile group exists. If you use a unique URL identifier for the NAME variable, you can omit the --project flag.
- LOCATION: the location of the security profile group. Location is always set to global. If you use a unique URL identifier for the NAME variable, you can omit the --location flag.
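Because a security profile group that a firewall policy references cannot be deleted, it helps to find the referencing rules before you run the delete command. The following Python check is an added example, not part of the original guide or of Google's tooling. It assumes that firewall policies have been exported as a JSON array in which each rule may carry a securityProfileGroup field holding the group's resource path, possibly with a host prefix; these field names, the reference formats, and all sample values are assumptions constructed for illustration.

```python
import json
import re

# Relative resource path common to every spelling of a group reference
# (bare path, //networksecurity.googleapis.com/..., or https://... URL).
SPG_PATH_RE = re.compile(
    r"(?:organizations|projects)/[^/]+/locations/[^/]+"
    r"/securityProfileGroups/[^/\s]+"
)

def spg_path(ref):
    """Return the relative resource path inside a reference, or None."""
    match = SPG_PATH_RE.search(ref or "")
    return match.group(0) if match else None

def rules_referencing(group_ref, policies_json):
    """Return (policy name, rule priority) for each rule that uses group_ref.

    Assumed input shape: a JSON array of firewall policies, each with "name"
    and "rules"; a rule may carry "securityProfileGroup" and "priority".
    """
    target = spg_path(group_ref)
    if target is None:
        raise ValueError(f"not a full security profile group path: {group_ref!r}")
    hits = []
    for policy in json.loads(policies_json):
        for rule in policy.get("rules", []):
            if spg_path(rule.get("securityProfileGroup")) == target:
                hits.append((policy.get("name"), rule.get("priority")))
    return hits

def safe_to_delete(group_ref, policies_json):
    """True when no rule in the supplied policies references the group."""
    return not rules_referencing(group_ref, policies_json)

# Constructed sample data: placeholder organization ID, policy and group names.
BASE = "organizations/111111111111/locations/global/securityProfileGroups/"
SAMPLE_POLICIES = json.dumps([
    {"name": "example-policy-a", "rules": [
        {"priority": 1000, "action": "apply_security_profile_group",
         "securityProfileGroup": "//networksecurity.googleapis.com/" + BASE + "example-spg"},
        {"priority": 2000, "action": "allow"}]},
    {"name": "example-policy-b", "rules": [
        {"priority": 500, "action": "apply_security_profile_group",
         "securityProfileGroup": "https://networksecurity.googleapis.com/v1/" + BASE + "example-spg-2"}]},
])

if __name__ == "__main__":
    for name in ("example-spg", "example-spg-2", "unused-spg"):
        print(name, rules_referencing(BASE + name, SAMPLE_POLICIES))
```

The check only covers the policies you supply, so export every firewall policy that could apply the group before relying on a clean result.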