Security profiles overview

Security profiles are policy containers used by multiple network security products. The security profile defines the scope of network traffic to monitor and analyze within the Network Security Integration service.

Why you use security profiles

You use a security profile to specify the action for a matched mirroring rule. Without a security profile attached to the mirroring rule, the integration service doesn't know where to send the mirrored traffic for inspection.

How security profiles work

The security profile works by attaching your network resources to a mirroring firewall rule. When you attach a security profile to a mirroring firewall rule, the profile performs two key functions:

Route traffic: the security profile identifies the endpoint group associated with your Virtual Private Cloud (VPC) network. The endpoint group points to a producer's deployment group. This producer's deployment group organizes your network resources, such as virtual machines (VMs), and defines the traffic scope the integration service can monitor.
Attach the profile: the mirrored packets carry the security profile group data_path_id, which can be used for policy enforcement on the collector. A collector is a user-managed destination in the producer network. A collector receives mirrored traffic from the consumer network for inspection.

This document provides an overview of security profiles and their specific configuration capabilities.

Specifications

Network Security Integration supports security profiles of type CUSTOM_MIRRORING.
The name of a security profile is configured in the following URL identifier format:
- Organization-level: organizations/ORGANIZATION_ID/locations/global/securityProfiles/NAME
- Project-level (Preview): projects/PROJECT_ID/locations/global/securityProfiles/NAME
The NAME of the security profile must meet the following requirements:
- A string 1-63 characters long
- Contains only lowercase alphanumeric characters or hyphens (-)
- Starts with a letter
Examples:
- Organization-level security profile: organizations/2345678432/locations/global/securityProfiles/example-security-profile.
- Project-level security profile (Preview): projects/my-project-123/locations/global/securityProfiles/example-security-profile.
If you use the unique URL identifier for the security profile name, the URL already includes the organization or project, and the location. If you specify only the short name, you must provide the organization ID or the project ID and the location separately when you use gcloud commands.
After you create a security profile, you have the option to attach it to a security profile group. This security profile group is referenced by the network firewall policy of the VPC network where you want to process your network traffic within Network Security Integration.
Traffic that matches the network firewall policy rule is sent to the endpoint group referenced by the security profile.
Each security profile must have an associated project ID. The associated project is used for quotas and access restrictions on security profile resources. If you authenticate your service account by using the gcloud auth activate-service-account command, you can associate your service account with the security profile. For more information, see Create and manage custom security profiles.

Identity and Access Management roles

The following table describes the Identity and Access Management (IAM) roles required for managing the security profiles:

Ability	Necessary role
Create a custom security profile	Security Profile Admin role (`networksecurity.securityProfileAdmin`) on the organization or the project where you want to create a custom security profile.
Modify a custom security profile	Security Profile Admin role (`networksecurity.securityProfileAdmin`) on the organization or the project where the custom security profile exists.
View details about the custom security profile in an organization or a project	Any of the following roles on the organization or the project where the custom security profile exists: Security Profile Admin role (`networksecurity.securityProfileAdmin`) Compute Network User role (`compute.networkUser`) Compute Network Viewer role (`compute.networkViewer`)
View all custom security profiles in an organization or a project	Any of the following roles on the organization or the project where the custom security profile exists: Security Profile Admin role (`networksecurity.securityProfileAdmin`) Compute Network User role (`compute.networkUser`) Compute Network Viewer role (`compute.networkViewer`)
Use a custom security profile in a security profile group	Any of the following roles on the organization or the project where the custom security profile exists: Security Profile Admin role (`networksecurity.securityProfileAdmin`) Compute Network User role (`compute.networkUser`)

If you don't have the Security Profile Admin role (roles/networksecurity.securityProfileAdmin), you can create and manage a custom security profile with the following permissions:

networksecurity.securityProfiles.create
networksecurity.securityProfiles.delete
networksecurity.securityProfiles.get
networksecurity.securityProfiles.list
networksecurity.securityProfiles.update
networksecurity.securityProfiles.use

For more information about the IAM permissions and the predefined roles, see IAM permissions reference.

Quotas

To view quotas associated with custom security profiles, see Quotas and limits.

Security profiles overview Stay organized with collections Save and categorize content based on your preferences.