Security profile overview

Security profiles help you define Layer 7 inspection policy for your Google Cloud resources. They are generic policy structures that firewall endpoints use to scan intercepted traffic and provide application-layer services, such as intrusion prevention.

This document provides a detailed overview of security profiles and their capabilities.

Specifications

  • A security profile is an organizational level resource.

  • Cloud Next Generation Firewall supports security profiles of type threat prevention.

  • Each security profile is uniquely identified by a URL with the following elements:

    • Organization ID: ID of the organization.
    • Location: scope of security profile. Location is always set to global.
    • Name: security profile name in the following format:
      • A string 1-63 characters long
      • Includes only alphanumeric characters or hyphens (-)
      • Must not start with a number
  • To construct a unique URL identifier for a security profile, use the following format:

    organization/ORGANIZATION_ID/locations/LOCATION/securityProfiles/SECURITY_PROFILE_NAME

    For example, a global security profile example-security-profile in organization 2345678432 has the following unique identifier:

    organization/2345678432/locations/global/securityProfiles/example-security-profile

  • After you create a security profile, you have the option to attach it to a security profile group or to attach it later. This security profile group is referenced by the firewall policy of the Virtual Private Cloud (VPC) network where you want to enforce Layer 7 inspection.

  • Each security profile must have an associated project ID. The associated project is used for quotas and access restrictions on security profile resources. If you authenticate your service account by using the gcloud auth activate-service-account command, you can associate your service account with the security profile. To learn more about how to create a security profile, see Create and manage security profiles.
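The naming and identifier rules above, as an added example that is not part of the original page: it validates a profile name against the stated rules (1-63 characters, alphanumeric or hyphens, not starting with a number), builds the identifier in the page's own format, and parses one back. The parser and the checks are assumptions for illustration, not a Google API.

```python
import re

# Name rules as the page states them: 1-63 characters, only alphanumeric
# characters or hyphens, must not start with a number.
_NAME_RE = re.compile(r"^[A-Za-z-][A-Za-z0-9-]{0,62}$")

# Identifier format exactly as the page gives it (assumed verbatim).
_URL_RE = re.compile(
    r"^organization/(?P<org>\d+)/locations/(?P<loc>[a-z]+)"
    r"/securityProfiles/(?P<name>[A-Za-z0-9-]+)$"
)


def validate_profile_name(name: str) -> bool:
    """True if the name satisfies the page's length and character rules."""
    return _NAME_RE.fullmatch(name) is not None


def security_profile_url(org_id, name: str, location: str = "global") -> str:
    """Build the unique identifier; the page states location is always global."""
    org = str(org_id)
    if not org.isdigit():
        raise ValueError(f"organization ID must be numeric: {org!r}")
    if location != "global":
        raise ValueError("security profiles are always global")
    if not validate_profile_name(name):
        raise ValueError(f"invalid security profile name: {name!r}")
    return f"organization/{org}/locations/{location}/securityProfiles/{name}"


def parse_security_profile_url(url: str) -> dict:
    """Split an identifier into its parts, re-checking the name rules."""
    m = _URL_RE.fullmatch(url)
    if m is None:
        raise ValueError(f"not a security profile identifier: {url!r}")
    parts = m.groupdict()
    if not validate_profile_name(parts["name"]):
        raise ValueError(f"invalid security profile name: {parts['name']!r}")
    return parts
```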

Threat prevention security profile

Cloud NGFW uses threat prevention security profiles to provide intrusion prevention service.

When you create a security profile of type threat-prevention, the following default threat signatures with default severity and associated actions are added to the profile:

  • Vulnerability detection signatures
  • Anti-spyware signatures
  • Antivirus signatures
  • DNS signatures

You have the option to add severity overrides to your security profiles. Each default signature has a threat severity level. The severity level indicates the risk of the detected threat. Each severity level also has an associated default action. The default action specifies the measures Cloud NGFW takes to handle threats with a specific severity level. You can use security profiles to override the default action for a severity level.

The following actions are supported:

  • No override: performs the default action associated with the threat.
  • Deny: logs the threat and drops the packet.
  • Alert: logs the threat and allows the session.
  • Allow: ignores the threat, if detected.

When you create a security profile, the default override action for all severity levels is set to No override.

You can also add signature overrides to your security profiles. Each threat signature has an associated default action. You can use security profiles to override the default actions of the threat signatures by using the preceding actions. Signature overrides take precedence over severity overrides.
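The precedence described above (signature override, then severity override, then the signature's default action, with No override falling through), as an added example that is not part of the original page. The severity level names and the sample signatures are constructed assumptions for illustration, not Cloud NGFW data.

```python
from dataclasses import dataclass, field

# The four override actions the page lists.
NO_OVERRIDE, DENY, ALERT, ALLOW = "NO_OVERRIDE", "DENY", "ALERT", "ALLOW"

# Assumed severity level names; the page does not enumerate them.
SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL")


@dataclass
class Signature:
    """A threat signature with its severity and its default action."""
    threat_id: str
    severity: str
    default_action: str


@dataclass
class ThreatPreventionProfile:
    """Model of a threat-prevention profile: every severity starts at No override."""
    severity_overrides: dict = field(
        default_factory=lambda: {s: NO_OVERRIDE for s in SEVERITIES})
    signature_overrides: dict = field(default_factory=dict)

    def effective_action(self, sig: Signature) -> str:
        """Signature override beats severity override, which beats the default."""
        by_sig = self.signature_overrides.get(sig.threat_id, NO_OVERRIDE)
        if by_sig != NO_OVERRIDE:
            return by_sig
        by_sev = self.severity_overrides.get(sig.severity, NO_OVERRIDE)
        if by_sev != NO_OVERRIDE:
            return by_sev
        return sig.default_action


def verdict(action: str) -> tuple:
    """(logged, dropped) for an action, per the page: Deny logs and drops,
    Alert logs and allows, Allow ignores the threat."""
    return {DENY: (True, True), ALERT: (True, False), ALLOW: (False, False)}[action]


# Constructed sample signatures; ids and defaults are illustrative only.
SAMPLE_SIGNATURES = [
    Signature("sig-1001", "CRITICAL", DENY),
    Signature("sig-1002", "MEDIUM", ALERT),
    Signature("sig-1003", "MEDIUM", ALERT),
    Signature("sig-1004", "LOW", ALLOW),
]


def evaluate(profile: ThreatPreventionProfile, signatures) -> dict:
    """Map each threat id to the action the profile would apply."""
    return {s.threat_id: profile.effective_action(s) for s in signatures}
```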

To learn more about how to configure threat prevention, see Configure intrusion prevention service.

Identity and Access Management roles

Identity and Access Management (IAM) roles govern the following security profile actions:

  • Creating a security profile in an organization
  • Modifying or deleting a security profile
  • Viewing details of a security profile
  • Viewing a list of security profiles in an organization
  • Using a security profile in a security profile group

The following table describes the roles that are necessary for each step.

Ability                                                   Necessary role
--------------------------------------------------------  ---------------------------------------------------------------------------------------
Create a security profile                                 compute.networkAdmin role on the organization where the security profile is created.
Modify a security profile                                 compute.networkAdmin role on the organization where the security profile is created.
View details about a security profile in an organization  Any of the following roles for the organization: compute.networkAdmin, compute.networkViewer, compute.networkUser
View all of the security profiles in an organization      Any of the following roles for the organization: compute.networkAdmin, compute.networkViewer, compute.networkUser
Use a security profile in a security profile group        Any of the following roles for the organization: compute.networkAdmin, compute.networkUser

Quotas

To view quotas associated with security profiles, see Quotas and limits.

Pricing

Pricing for security profiles is described in Cloud Next Generation Firewall Enterprise pricing.