Create and manage security profiles

This page explains how to create and manage security profiles by using Google Cloud console and Google Cloud CLI.

Before you begin

Roles

To get the permissions that you need to create, view, update, or delete security profiles, ask your administrator to grant you the necessary IAM roles on your organization. For more information about granting roles, see Manage access.

Create a security profile

You can only create a security profile of type threat-prevention.

When you create a security profile, you can specify the name of the security profile as a string or as a unique URL identifier. The unique URL for an organization-scoped security profile can be constructed in the following format:

  organization/ORGANIZATION_ID/locations/LOCATION/securityProfiles/SECURITY_PROFILE_NAME

If you use a unique URL identifier for the security profile name, the organization and location of the security profile is already included in the URL identifier. However, if you use only the security profile name, you must specify the organization and location separately. For more information about unique URL identifiers, see security profile specifications.

Console

  1. In the Google Cloud console, go to the Security profiles page.

    Go to Security profiles

  2. In the project selector menu, select your organization.

  3. Select the Security profiles tab.

Configure a threat prevention security profile:

  1. Click Create profile.
  2. Enter a name in the Name field.
  3. Optional: Enter a description in the Description field.
  4. Click Continue.

Optionally, add severity and threat overrides:

  1. Under Severity overrides, click Edit next to the severity level that you want to override.
  2. In the Override action list, select the appropriate action for the severity level.
  3. To add a threat signature override, click Add signature by ID.
  4. In the Signature ID field, enter the threat ID that you want to override. You can view the threat IDs on the threat dashboard.
  5. In the Override action list, select the appropriate action for the threat ID.
  6. Click Create.

gcloud

To create a threat prevention security profile, use the gcloud network-security security-profiles threat-prevention create command:

gcloud network-security security-profiles threat-prevention \
   create NAME \
   --organization ORGANIZATION_ID \
   --location LOCATION \
   --project PROJECT_ID \
   --description DESCRIPTION

Replace the following:

  • NAME: the name of the security profile; you can specify the name as a string or as a unique URL identifier.

  • ORGANIZATION_ID: the organization where the security profile is created. If you use a unique URL identifier for the name flag, you can omit the organization flag.

  • LOCATION: the location of the security profile.

    Location is always set to global. If you use a unique URL identifier for the name flag, you can omit the location flag.

  • PROJECT_ID: an optional project ID to use for quotas and access restrictions on the security profile.

  • DESCRIPTION: an optional description for the security profile.

List security profiles

You can list all the threat prevention security profiles in an organization.

Console

  1. In the Google Cloud console, go to the Security profiles page.

    Go to Security profiles

  2. Select the Security profiles tab. The tab shows a list of configured security profiles.

gcloud

To list all the threat prevention security profiles, use the gcloud network-security security-profiles threat-prevention list command:

gcloud network-security security-profiles threat-prevention list \
   --organization ORGANIZATION_ID \
   --location LOCATION \
   --project PROJECT_ID

Replace the following:

  • ORGANIZATION_ID: the organization where the security profiles are created.

  • LOCATION: the location of the security profiles. Location is always set to global.

  • PROJECT_ID: an optional project ID to use for quotas and access restrictions on the security profile.

Delete a security profile

You can delete a threat prevention security profile by specifying its name, location, and organization. However, if a security profile is referenced by a security profile group, that security profile cannot be deleted.

Console

  1. In the Google Cloud console, go to the Security profiles page.

    Go to Security profiles

  2. Select the Security profiles tab. The tab shows a list of configured security profiles.

  3. Select the security profile that you want to delete, and then click Delete.

  4. Click Delete again to confirm.

gcloud

To delete a threat prevention security profile, use the gcloud network-security security-profiles threat-prevention delete command:

gcloud network-security security-profiles threat-prevention \
   delete NAME \
   --organization ORGANIZATION_ID \
   --location LOCATION \
   --project PROJECT_ID

Replace the following:

  • NAME: the name of the security profile that you want to delete; you can specify the name as a string or as a unique URL identifier.

  • ORGANIZATION_ID: the organization where the security profile is created. If you use a unique URL identifier for the name flag, you can omit the organization flag.

  • LOCATION: the location of the security profile.

    Location is always set to global. If you use a unique URL identifier for the name flag, you can omit the location flag.

  • PROJECT_ID: an optional project ID to use for quotas and access restrictions on the security profile.

Add override actions in a security profile

You can override the actions associated with specific threat signatures or severity levels in an existing security profile.

Console

  1. In the Google Cloud console, go to the Security profiles page.

    Go to Security profiles

  2. Select the Security profiles tab.The tab shows a list of configured security profiles.

  3. Select the security profile where you want to override actions, and then click Edit.

  4. Under Severity overrides, click Edit next to the severity level that you want to override.

  5. In Override action list, select the appropriate action for the severity level.

  6. Click Confirm.

  7. Click Save.

gcloud

To add an override to a threat prevention security profile, use the gcloud network-security security-profiles threat-prevention add-override command:

gcloud network-security security-profiles threat-prevention \
   add-override NAME \
   --organization ORGANIZATION_ID \
   --location LOCATION \
   --project PROJECT_ID \
   [--severities SEVERITIES | --threat-ids THREAT_IDS] \
   --action ACTION

Replace the following:

  • NAME: the name of the security profile; you can specify the name as a string or as a unique URL identifier.

  • ORGANIZATION_ID: the organization where the security profile is created.

    If you use a unique URL identifier for the name flag, you can omit the organization flag.

  • LOCATION: the location of the security profile.

    Location is always set to global. If you use a unique URL identifier for the name flag, you can omit the location flag.

  • PROJECT_ID: an optional project ID to use for quotas and access restrictions on the security profile.

  • SEVERITIES: a comma-separated list of severity levels to override the action for. The firewall endpoint applies the configured --action flag to all threats of the specified severity levels. The severity can be any of following:

    • INFORMATIONAL
    • LOW
    • MEDIUM
    • HIGH
    • CRITICAL
  • THREAT_IDS: a comma-separated list of threat signature IDs to override the action for. The firewall endpoint applies the configured --action flag to all threats of the specified threat IDs.

  • ACTION: the default action for the specified threat IDs or severities. The action can be one of the following:

    • DEFAULT
    • ALLOW
    • DENY
    • ALERT

List override actions in a security profile

You can list all the override actions in a security profile.

Console

  1. In the Google Cloud console, go to the Security profiles page.

    Go to Security profiles

  2. Select the Security profiles tab.The tab shows a list of configured security profiles.

  3. Select the security profile to view the configured severity override actions and threat signature override actions.

gcloud

To list all override actions in a threat prevention security profile, use the gcloud network-security security-profiles threat-prevention list-overrides command:

gcloud network-security security-profiles threat-prevention \
    list-overrides NAME \
    --organization ORGANIZATION_ID \
    --location LOCATION

Replace the following:

  • NAME: the name of the security profile; you can specify the name as a string or as a unique URL identifier.

  • ORGANIZATION_ID: the organization where the security profile is created.

    If you use a unique URL identifier for the name flag, you can omit the organization flag.

  • LOCATION: the location of the security profile.

    Location is always set to global. If you use a unique URL identifier for the name flag, you can omit the location flag.

Update override actions in a security profile

You can update existing override actions for severity levels or threat signatures in a security profile.

Console

  1. In the Google Cloud console, go to the Security profiles page.

    Go to Security profiles

  2. Select the Security profiles tab. The tab shows a list of configured security profiles.

  3. Select the security profile, and then click Edit.

  4. Under Severity overrides, click Edit next to the severity level where you want to update override action.

  5. In the Override action list, select the appropriate action for the severity level.

  6. Click Confirm.

  7. Click Save.

gcloud

To update an override action in a threat prevention security profile, use the gcloud network-security security-profiles threat-prevention update-override command:

gcloud network-security security-profiles threat-prevention \
   update-override NAME \
   --organization ORGANIZATION_ID \
   --location LOCATION \
   --project PROJECT_ID \
   [--severities SEVERITIES | --threat-ids THREAT_IDS] \
   --action ACTION

Replace the following:

  • NAME: the name of the security profile; you can specify the name as a string or as a unique URL identifier.

  • ORGANIZATION_ID: the organization where the security profile is created.

    If you use a unique URL identifier for the name flag, you can omit the organization flag.

  • LOCATION: the location of the security profile.

    Location is always set to global. If you use a unique URL identifier for the name flag, you can omit the location flag.

  • PROJECT_ID: an optional project ID to use for quotas and access restrictions on the security profile.

  • SEVERITIES: a comma-separated list of severity levels you want to update overrides for. The severity can be any of following:

    • INFORMATIONAL
    • LOW
    • MEDIUM
    • HIGH
    • CRITICAL
  • THREAT_IDS: a comma-separated list of threat signature IDs you want to update overrides for.

  • ACTION: the default action for the specified threat IDs or severities. The action can be one of the following:

    • DEFAULT
    • ALLOW
    • DENY
    • ALERT

Delete override actions from a security profile

You can delete existing override actions for severity levels or threat signatures from a security profile.

Console

  1. In the Google Cloud console, go to the Security profiles page.

    Go to Security profiles

  2. Select the Security profiles tab. The tab shows a list of configured security profiles.

  3. Select the security profile, and then click Edit.

  4. Under Severity overrides, click Edit next to the severity level where you want to delete the override action.

  5. In the Override action list, select No override.

  6. Click Confirm.

  7. Under Signature overrides, select the threat ID that you want to delete.

  8. Click Delete.

  9. Click Save.

gcloud

To delete an override action from a threat prevention security profile, use the gcloud network-security security-profiles threat-prevention delete-override command:

gcloud network-security security-profiles threat-prevention \
   delete-override NAME \
   --organization ORGANIZATION_ID \
   --location LOCATION \
   --project PROJECT_ID \
   [--severities SEVERITIES | --threat-ids THREAT_IDS]

Replace the following:

  • NAME: the name of the security profile; you can specify the name as a string or as a unique URL identifier.

  • ORGANIZATION_ID: the organization where the security profile is created.

    If you use a unique URL identifier for the name flag, you can omit the organization flag.

  • LOCATION: the location of the security profile.

    Location is always set to global. If you use a unique URL identifier for the name flag, you can omit the location flag.

  • PROJECT_ID: an optional project ID to use for quotas and access restrictions on the security profile.

  • SEVERITIES: a comma-separated list of severity levels you want to delete overrides for. The severity can be any of following:

    • INFORMATIONAL
    • LOW
    • MEDIUM
    • HIGH
    • CRITICAL
  • THREAT_IDS: a comma-separated list of threat signature IDs you want to delete overrides for.

What's next