Security profiles overview

Security profiles are organization-level policy containers used by multiple network security products. The security profile defines the scope of network traffic to monitor and analyze within the Network Security Integration service.

Why you use security profiles

You use a security profile to specify what happens to traffic that matches a mirroring rule: the profile identifies where the mirrored traffic is delivered for inspection. Without a security profile attached to the mirroring rule, the integration service doesn't know where to send the mirrored traffic.

How security profiles work

A security profile links your network resources to a mirroring firewall rule. When you attach a security profile to a mirroring firewall rule (through a security profile group), the profile performs two key functions:

  • Route traffic: the security profile identifies the endpoint group associated with your Virtual Private Cloud (VPC) network. The endpoint group points to a producer's deployment group. The deployment group organizes the network resources, such as virtual machines (VMs), that receive the mirrored traffic and defines the traffic scope that the integration service can monitor.

  • Attach the profile: the mirrored packets carry the data_path_id of the security profile group, which the collector can use for policy enforcement. A collector is a user-managed destination in the producer network that receives mirrored traffic from the consumer network for inspection.

This document provides an overview of security profiles and their specific configuration capabilities.

Specifications

  • A security profile is an organization-level resource.

  • Network Security Integration supports security profiles of type CUSTOM_MIRRORING.

  • Each security profile is uniquely identified by a URL with the following elements:

    • Organization ID: ID of the organization.
    • Location: scope of the security profile. Location is always set to global.
    • Name: security profile name in the following format:
      • A string 1-63 characters long
      • Includes only lowercase alphanumeric characters or hyphens (-)
      • Must start with a letter
  • To construct a unique URL identifier for a security profile, use the following format:

    organizations/ORGANIZATION_ID/locations/LOCATION/securityProfiles/SECURITY_PROFILE_NAME
    

    Replace the following:

    • ORGANIZATION_ID: ID of the organization.

    • LOCATION: scope of the security profile. Location is always set to global.

    • SECURITY_PROFILE_NAME: the name of the security profile.

    For example, a global security profile example-security-profile in organization 2345678432 has the following unique identifier:

    organizations/2345678432/locations/global/securityProfiles/example-security-profile
    
  • After you create a security profile, you have the option to attach it to a security profile group. This security profile group is referenced by the network firewall policy of the VPC network where you want to process your network traffic within Network Security Integration.

  • Traffic that matches the network firewall policy rule is sent to the endpoint group referenced by the security profile.

  • Each security profile must have an associated project ID. The associated project is used for quotas and access restrictions on security profile resources. If you authenticate a service account by using the gcloud auth activate-service-account command, you can associate that service account's project with the security profile. For more information, see Create and manage custom security profiles.
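The identifier format and naming rules above are easy to get wrong when profiles are created by automation or referenced from a security profile group in another organization. The following Python is an added example, not code from this page or from Google Cloud: it validates a profile name against the three naming rules, builds the unique identifier, parses an identifier back into its parts, and checks that a referenced profile belongs to the organization you expect. The regular expressions and the assumption that an organization ID is purely numeric (as in the example above) are the author's own encodings of the rules, not an API contract.

```python
import re

# Assumed encodings of the naming rules listed above: 1-63 characters,
# lowercase letters, digits or hyphens only, and a leading letter.
# Organization IDs are assumed to be purely numeric, as in the page's example.
NAME_RE = re.compile(r"[a-z][a-z0-9-]{0,62}")
ORG_ID_RE = re.compile(r"[0-9]+")
LOCATION = "global"  # the only location a security profile can have

# Deliberately lenient: each captured part is re-validated after matching.
RESOURCE_RE = re.compile(
    r"organizations/(?P<org>[0-9]+)/locations/(?P<loc>[a-z0-9-]+)"
    r"/securityProfiles/(?P<name>[a-z0-9-]+)"
)


def validate_profile_name(name):
    """Return True if NAME satisfies the security profile naming rules."""
    return NAME_RE.fullmatch(name) is not None


def security_profile_id(org_id, name, location=LOCATION):
    """Build the unique identifier for a security profile, or raise ValueError."""
    org_id = str(org_id)
    if ORG_ID_RE.fullmatch(org_id) is None:
        raise ValueError(f"organization ID must be numeric: {org_id!r}")
    if location != LOCATION:
        raise ValueError(f"location must be {LOCATION!r}, got {location!r}")
    if not validate_profile_name(name):
        raise ValueError(f"invalid security profile name: {name!r}")
    return f"organizations/{org_id}/locations/{location}/securityProfiles/{name}"


def parse_security_profile_id(resource):
    """Split an identifier into its parts; raise ValueError if it is malformed."""
    m = RESOURCE_RE.fullmatch(resource)
    if m is None:
        raise ValueError(f"not a security profile identifier: {resource!r}")
    parts = {"organization_id": m["org"], "location": m["loc"], "name": m["name"]}
    # Rebuilding the identifier applies the strict checks to every part.
    security_profile_id(parts["organization_id"], parts["name"], parts["location"])
    return parts


def profile_belongs_to_org(resource, expected_org_id):
    """Check that a profile referenced from a security profile group or a
    firewall policy rule lives in the organization you administer, so a
    cross-organization or malformed reference is rejected before use."""
    try:
        parts = parse_security_profile_id(resource)
    except ValueError:
        return False
    return parts["organization_id"] == str(expected_org_id)


if __name__ == "__main__":
    ident = security_profile_id(2345678432, "example-security-profile")
    print(ident)
    print(parse_security_profile_id(ident))
    for candidate in ("example-security-profile", "Example", "1abc", "-abc", "a" * 64):
        print(f"{candidate[:24]:26} valid={validate_profile_name(candidate)}")
```

Run the script directly to see the constructed identifier and which sample names pass; import it to reuse the checks in a deployment pipeline before calling the API.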

Identity and Access Management roles

Identity and Access Management (IAM) roles govern the following security profile actions:

  • Creating a custom security profile in an organization
  • Modifying or deleting a custom security profile
  • Viewing details of a custom security profile
  • Viewing a list of custom security profiles in an organization
  • Using a custom security profile in a security profile group

The following list describes the roles that are necessary for each ability.

Ability: Create a custom security profile
Necessary role: Security Profile Admin role (roles/networksecurity.securityProfileAdmin) on the organization where the custom security profile is created.

Ability: Modify a custom security profile
Necessary role: Security Profile Admin role (roles/networksecurity.securityProfileAdmin) on the organization where the custom security profile is created.

Ability: View details about a custom security profile in an organization
Necessary role: Any of the following roles for the organization:

Ability: View all of the custom security profiles in an organization
Necessary role: Any of the following roles for the organization:

Ability: Use a custom security profile in a security profile group
Necessary role: Any of the following roles for the organization:

If you don't have the Security Profile Admin role (roles/networksecurity.securityProfileAdmin), you can create and manage custom security profiles with a role that grants the following permissions:

  • networksecurity.securityProfiles.create
  • networksecurity.securityProfiles.delete
  • networksecurity.securityProfiles.get
  • networksecurity.securityProfiles.list
  • networksecurity.securityProfiles.update
  • networksecurity.securityProfiles.use

For more information about the IAM permissions and the predefined roles, see IAM permissions reference.

Quotas

To view quotas associated with custom security profiles, see Quotas and limits.

What's next