Create and manage mirroring rules

This page describes how to create and manage mirroring rules by using the Google Cloud CLI. Before you create a packet mirroring rule, you must create an endpoint group and endpoint group associations. For more information, see Set up consumer services.

Create and manage mirroring rules for network firewall policies

In this section, learn how to create and manage mirroring rules for global network firewall policies by using the gcloud CLI.

Create mirroring rule

Create a packet mirroring rule in a network firewall policy.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles on your organization.

Permissions

compute.firewallPolicies.update

Roles

compute.securityAdmin

gcloud

To create a mirroring rule in a network firewall policy, use the gcloud beta compute network-firewall-policies mirroring-rules create command:

 gcloud beta compute network-firewall-policies mirroring-rules create PRIORITY \
     --action ACTION \
     --firewall-policy FIREWALL_POLICY \
     --global-firewall-policy \
     --security-profile-group SECURITY_PROFILE_GROUP \
     --description DESCRIPTION \
     --direction DIRECTION \
     --layer4-configs LAYER4_CONIFG \
     --src-ip-ranges SRC_IP_RANGE \
     --dest-ip-ranges DEST_IP_RANGE

Replace the following:

PRIORITY: the priority of the rule to add.
ACTION: the action to take if the request matches the match condition. ACTION must be mirror or do_not_mirror.
FIREWALL_POLICY: the firewall policy ID with which to create a rule.
SECURITY_PROFILE_GROUP: the name of the security profile group that has a CUSTOM_MIRRORING security profile and is used with mirror action.
DESCRIPTION: an optional description for the mirroring rule.
DIRECTION: indicates whether the rule is an ingress or egress rule. If the direction is not specified, it defaults to applying the rule on incoming traffic. For incoming traffic, you cannot specify destination ranges. For outbound traffic, you cannot specify source ranges or source tags.
LAYER4_CONFIG: a list of destination protocols and ports to which the firewall rule applies.
SRC_IP_RANGE: the source IP ranges. This is only specified if DIRECTION is ingress.
DEST_IP_RANGE: the destination IP ranges. This is only specified if DIRECTION is egress.

Delete mirroring rule

Delete the packet mirroring rule at the specified priority.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles on your organization.

Permissions

compute.firewallPolicies.update

Roles

compute.securityAdmin

gcloud

To delete a mirroring rule from a network firewall policy, use the gcloud beta compute network-firewall-policies mirroring-rules delete command:

 gcloud beta compute network-firewall-policies mirroring-rules delete PRIORITY \
     --firewall-policy FIREWALL_POLICY \
     --global-firewall-policy

Replace the following:

PRIORITY: the priority of the rule to delete
FIREWALL_POLICY: the firewall policy ID with which to delete a rule

Describe mirroring rule

Describe the network firewall policy mirroring rule at the specified priority.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles on your organization.

Permissions

compute.firewallPolicies.get

Roles

gcloud

To describe a mirroring rule in a network firewall policy, use the gcloud beta compute network-firewall-policies mirroring-rules describe command:

 gcloud beta compute network-firewall-policies mirroring-rules describe PRIORITY \
     --firewall-policy FIREWALL_POLICY \
     --global-firewall-policy

Replace the following:

PRIORITY: the priority of the rule to describe
FIREWALL_POLICY: the firewall policy ID with which to describe the rule

Update mirroring rule

Update a mirroring rule in a network firewall policy.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles on your organization.

Permissions

compute.firewallPolicies.update

Roles

compute.securityAdmin

gcloud

To update a mirroring rule in a network firewall policy, use the gcloud beta compute network-firewall-policies mirroring-rules update command:

 gcloud beta compute network-firewall-policies mirroring-rules update PRIORITY \
     --action ACTION \
     --firewall-policy FIREWALL_POLICY \
     --global-firewall-policy \
     --security-profile-group SECURITY_PROFILE_GROUP \
     --description DESCRIPTION \
     --direction DIRECTION \
     --layer4-configs LAYER4_CONIFG \
     --src-ip-ranges SRC_IP_RANGE \
     --dest-ip-ranges DEST_IP_RANGE

Replace the following:

PRIORITY: the priority of the rule to update.
ACTION: the action to take if the request matches the match condition. ACTION must be mirror or do_not_mirror.
FIREWALL_POLICY: the firewall policy ID with which to update a rule.
SECURITY_PROFILE_GROUP: the name of the security profile group that has a CUSTOM_MIRRORING security profile or whether ACTION is mirror.
DESCRIPTION: an optional description for the mirroring rule.
DIRECTION: indicates whether the rule is an ingress or egress rule. If the direction is not specified, it defaults to applying the rule on incoming traffic. For incoming traffic, you cannot specify destination ranges. For outbound traffic, you cannot specify source ranges or source tags.
LAYER4_CONFIG: a list of destination protocols and ports to which the firewall rule will apply.
SRC_IP_RANGE: the source IP ranges. This is only specified if DIRECTION is ingress.
DEST_IP_RANGE: the destination IP ranges. This is only specified if DIRECTION is egress.

Create and manage mirroring rules