Create and manage mirroring rules

This page describes how to create and manage mirroring rules by using the Google Cloud CLI. Before you create a packet mirroring rule, you must create an endpoint group and endpoint group associations. For more information, see Set up consumer services.

Create and manage mirroring rules for network firewall policies

In this section, learn how to create and manage mirroring rules for global network firewall policies.

Create a firewall policy with a mirroring rule

Create a packet mirroring rule in a network firewall policy.

Console

To create a global network firewall policy that contains a mirroring rule, follow these steps:

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. In the project selector list, select your Google Cloud project within your organization.

  3. Click Create firewall policy.

  4. In the Policy name field, enter a name for the policy.

  5. For Deployment scope, select Global.

  6. To create mirroring rules for your policy, click Continue > Continue.

  7. In the Add mirroring rules section, click Create mirroring rule.

    1. In the Priority field, set the order number for the rule, where 0 is the highest priority.
    2. For Direction of traffic, choose Ingress.
    3. For Action on match, choose Mirror.
    4. For Security profile group, select the custom mirroring security profile group.
    5. For Target, specify the target of the rule.
    6. For Source, specify the source filter.
    7. For Destinations, specify the destination filters.
    8. For Protocols and ports, either specify that the rule applies to all protocols and all destination ports or which protocols and destination ports the rule applies to.
    9. Click Create.
  8. If you want to associate the policy with a network, click Continue, and then click Associate policy with networks. For more information, see Associate a policy with the network.

  9. Click Create.

gcloud

To create a mirroring rule in a network firewall policy, use the gcloud compute network-firewall-policies mirroring-rules create command:

 gcloud compute network-firewall-policies mirroring-rules create PRIORITY \
     --action ACTION \
     --firewall-policy FIREWALL_POLICY \
     --global-firewall-policy \
     --security-profile-group SECURITY_PROFILE_GROUP \
     --description DESCRIPTION \
     --direction DIRECTION \
     --layer4-configs LAYER4_CONFIG \
     --src-ip-ranges SRC_IP_RANGE \
     --dest-ip-ranges DEST_IP_RANGE

Replace the following:

  • PRIORITY: the priority of the rule to add.

  • ACTION: the action to take if the request matches the match condition. ACTION must be mirror or do_not_mirror.

  • FIREWALL_POLICY: the firewall policy ID with which to create a rule.

  • SECURITY_PROFILE_GROUP: the name of the security profile group that contains a CUSTOM_MIRRORING security profile. Required when ACTION is mirror.

  • DESCRIPTION: an optional description for the mirroring rule.

  • DIRECTION: whether the rule is an ingress or egress rule. If you don't specify a direction, the rule applies to incoming (ingress) traffic. An ingress rule cannot specify destination ranges; an egress rule cannot specify source ranges or source tags.

  • LAYER4_CONFIG: a list of destination protocols and ports to which the firewall rule applies.

  • SRC_IP_RANGE: the source IP ranges. This is only specified if DIRECTION is ingress.

  • DEST_IP_RANGE: the destination IP ranges. This is only specified if DIRECTION is egress.

Terraform

To create a mirroring rule, you can use a google_compute_network_firewall_policy_packet_mirroring_rule resource.

resource "google_compute_network_firewall_policy_packet_mirroring_rule" "default" {
  # This resource is used with the google-beta provider.
  provider               = google-beta
  # The policy and the security profile group are declared elsewhere in the configuration.
  firewall_policy        = google_compute_network_firewall_policy.default.name
  priority               = 1000
  action                 = "mirror"   # or "do_not_mirror"
  direction              = "INGRESS"
  security_profile_group = google_network_security_security_profile_group.default.id

  # Mirror inbound TCP port 80 traffic from 10.10.0.0/16; ingress rules filter on source ranges.
  match {
    layer4_configs {
      ip_protocol = "tcp"
      ports       = ["80"]
    }
    src_ip_ranges = ["10.10.0.0/16"]
  }
}

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

Describe mirroring rule

Describe the network firewall policy mirroring rule at the specified priority.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. From the project picker, select your Google Cloud project that contains the global network firewall policy.

  3. Click your policy.

  4. To see the details of a rule, click the priority of the rule.

gcloud

To describe a mirroring rule in a network firewall policy, use the gcloud compute network-firewall-policies mirroring-rules describe command:

 gcloud compute network-firewall-policies mirroring-rules describe PRIORITY \
     --firewall-policy FIREWALL_POLICY \
     --global-firewall-policy

Replace the following:

  • PRIORITY: the priority of the rule to describe

  • FIREWALL_POLICY: the firewall policy ID with which to describe the rule

Update mirroring rule

Update a mirroring rule in a network firewall policy.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. From the project picker, select your Google Cloud project that contains the policy.

  3. Click your policy.

  4. In the Mirroring rules section, click the priority of the rule that you want to update.

  5. Click Edit.

  6. After you edit the rule, click Save.

gcloud

To update a mirroring rule in a network firewall policy, use the gcloud compute network-firewall-policies mirroring-rules update command:

 gcloud compute network-firewall-policies mirroring-rules update PRIORITY \
     --action ACTION \
     --firewall-policy FIREWALL_POLICY \
     --global-firewall-policy \
     --security-profile-group SECURITY_PROFILE_GROUP \
     --description DESCRIPTION \
     --direction DIRECTION \
     --layer4-configs LAYER4_CONFIG \
     --src-ip-ranges SRC_IP_RANGE \
     --dest-ip-ranges DEST_IP_RANGE

Replace the following:

  • PRIORITY: the priority of the rule to update.

  • ACTION: the action to take if the request matches the match condition. ACTION must be mirror or do_not_mirror.

  • FIREWALL_POLICY: the firewall policy ID with which to update a rule.

  • SECURITY_PROFILE_GROUP: the name of the security profile group that contains a CUSTOM_MIRRORING security profile. Required when ACTION is mirror.

  • DESCRIPTION: an optional description for the mirroring rule.

  • DIRECTION: whether the rule is an ingress or egress rule. If you don't specify a direction, the rule applies to incoming (ingress) traffic. An ingress rule cannot specify destination ranges; an egress rule cannot specify source ranges or source tags.

  • LAYER4_CONFIG: a list of destination protocols and ports to which the firewall rule applies.

  • SRC_IP_RANGE: the source IP ranges. This is only specified if DIRECTION is ingress.

  • DEST_IP_RANGE: the destination IP ranges. This is only specified if DIRECTION is egress.
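The wrapper script below is an added example; it is not part of the Google Cloud documentation or of the gcloud CLI. It serves both the create and the update commands described on this page: it checks a rule definition against the constraints stated in the two parameter lists (ACTION must be mirror or do_not_mirror; a mirror action needs a security profile group; an ingress rule cannot carry destination ranges and an egress rule cannot carry source ranges) before the arguments reach gcloud, so a bad combination fails locally instead of in an API call. The policy name, security profile group and IP ranges in the demonstration are placeholders, and the script passes the security profile group value through as given without checking its format. With MIRROR_DRY_RUN=1 (the default) the finished command is printed rather than executed.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation or the gcloud CLI.
# Validates a mirroring-rule definition against the constraints on this page and
# then builds "gcloud compute network-firewall-policies mirroring-rules create|update".
# MIRROR_DRY_RUN=1 (default) prints the command instead of running it, so the
# script works without gcloud installed.
MIRROR_DRY_RUN="${MIRROR_DRY_RUN:-1}"

# validate_mirroring_rule VERB PRIORITY POLICY ACTION DIRECTION LAYER4 SRC DEST SPG
# Returns 0 when the combination is allowed, 1 (with a reason on stderr) otherwise.
validate_mirroring_rule() {
    verb=$1 priority=$2 action=$4 direction=$5 src=$7 dest=$8 spg=$9
    case "$verb" in
        create|update) ;;
        *) echo "verb must be create or update, got '$verb'" >&2; return 1 ;;
    esac
    case "$priority" in
        ''|*[!0-9]*) echo "priority must be a non-negative integer" >&2; return 1 ;;
    esac
    case "$action" in
        mirror|do_not_mirror) ;;
        *) echo "action must be mirror or do_not_mirror, got '$action'" >&2; return 1 ;;
    esac
    # A mirror action needs the group that holds the CUSTOM_MIRRORING profile.
    if [ "$action" = mirror ] && [ -z "$spg" ]; then
        echo "action=mirror requires a security profile group" >&2; return 1
    fi
    # Ingress rules filter on source ranges only; egress rules on destination ranges only.
    case "$direction" in
        INGRESS)
            if [ -n "$dest" ]; then
                echo "ingress rules cannot set --dest-ip-ranges" >&2; return 1
            fi ;;
        EGRESS)
            if [ -n "$src" ]; then
                echo "egress rules cannot set --src-ip-ranges" >&2; return 1
            fi ;;
        *) echo "direction must be INGRESS or EGRESS, got '$direction'" >&2; return 1 ;;
    esac
    return 0
}

# mirroring_rule_cmd VERB PRIORITY POLICY ACTION DIRECTION LAYER4 SRC DEST SPG
# Builds the gcloud command as an argument list (no eval, so values are never
# re-parsed by the shell), then prints it (dry run) or executes it.
mirroring_rule_cmd() {
    validate_mirroring_rule "$@" || return 1
    verb=$1 priority=$2 policy=$3 action=$4 direction=$5 layer4=$6 src=$7 dest=$8 spg=$9
    set -- gcloud compute network-firewall-policies mirroring-rules "$verb" "$priority" \
        --firewall-policy="$policy" --global-firewall-policy \
        --action="$action" --direction="$direction"
    [ -n "$layer4" ] && set -- "$@" --layer4-configs="$layer4"
    [ -n "$spg" ] && set -- "$@" --security-profile-group="$spg"
    [ -n "$src" ] && set -- "$@" --src-ip-ranges="$src"
    [ -n "$dest" ] && set -- "$@" --dest-ip-ranges="$dest"
    if [ "$MIRROR_DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Demonstration (dry run). The names are placeholders, not real resources:
# mirror inbound HTTP/HTTPS from 10.10.0.0/16 via the group holding the custom mirroring profile.
mirroring_rule_cmd create 1000 example-policy mirror INGRESS tcp:80,tcp:443 10.10.0.0/16 "" example-mirroring-spg
# An ingress rule that also names destination ranges is rejected before gcloud is called.
mirroring_rule_cmd create 1001 example-policy mirror INGRESS tcp:80 10.10.0.0/16 192.168.0.0/16 example-mirroring-spg \
    || echo "rejected as expected"
```

Run it with MIRROR_DRY_RUN=0 once gcloud is authenticated to actually create or update the rule; the same argument order works for update because the two gcloud commands take the same flags.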

Delete mirroring rule

Delete the packet mirroring rule at the specified priority.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. From the project picker, select your Google Cloud project that contains the policy.

  3. Click your policy.

  4. Select the mirroring rule that you want to delete.

  5. Click Delete.

gcloud

To delete a mirroring rule from a network firewall policy, use the gcloud compute network-firewall-policies mirroring-rules delete command:

 gcloud compute network-firewall-policies mirroring-rules delete PRIORITY \
     --firewall-policy FIREWALL_POLICY \
     --global-firewall-policy

Replace the following:

  • PRIORITY: the priority of the rule to delete

  • FIREWALL_POLICY: the firewall policy ID with which to delete a rule

What's next