# Create and manage mirroring rules

This page describes how to create and manage mirroring rules by
using the Google Cloud CLI. Before you create
a packet mirroring rule, you must create an endpoint group and endpoint
group associations. For more information, see
[Set up consumer services](/network-security-integration/docs/out-of-band/configure-consumer-service).

Create and manage mirroring rules for network firewall policies
---------------------------------------------------------------

In this section, learn how to create and manage mirroring rules for
[global network firewall policies](/firewall/docs/network-firewall-policies) by
using the gcloud CLI.

### Create mirroring rule

Create a packet mirroring rule in a network firewall policy.

#### Permissions required for this task

To perform this task, you must have been granted the following permissions
*or* one of the following IAM roles on your organization.

**Permissions**

- `compute.firewallPolicies.update`

**Roles**

- [`compute.securityAdmin`](https://cloud.google.com/compute/docs/access/iam#compute.securityAdmin)

### gcloud

To create a mirroring rule in a network firewall policy, use the
[`gcloud compute network-firewall-policies mirroring-rules create` command](/sdk/gcloud/reference/compute/network-firewall-policies/mirroring-rules/create):

```
gcloud compute network-firewall-policies mirroring-rules create PRIORITY \
    --action ACTION \
    --firewall-policy FIREWALL_POLICY \
    --global-firewall-policy \
    --security-profile-group SECURITY_PROFILE_GROUP \
    --description DESCRIPTION \
    --direction DIRECTION \
    --layer4-configs LAYER4_CONFIG \
    --src-ip-ranges SRC_IP_RANGE \
    --dest-ip-ranges DEST_IP_RANGE
```

Replace the following:

- `PRIORITY`: the priority of the rule to add.

- `ACTION`: the action to take if the request matches
  the match condition. `ACTION` must be `mirror` or `do_not_mirror`.

- `FIREWALL_POLICY`: the firewall policy ID with which to
  create a rule.

- `SECURITY_PROFILE_GROUP`: the name of the security profile
  group that has a `CUSTOM_MIRRORING` security profile and is used with
  the `mirror` action.

- `DESCRIPTION`: an optional description for the
  mirroring rule.

- `DIRECTION`: indicates whether the rule is an `ingress`
  or `egress` rule. If the direction is not specified, it defaults to
  applying the rule on incoming traffic. For incoming traffic, you
  cannot specify destination ranges. For outbound traffic, you cannot
  specify source ranges or source tags.

- `LAYER4_CONFIG`: a list of destination protocols and
  ports to which the firewall rule applies.

- `SRC_IP_RANGE`: the source IP ranges. This is only
  specified if `DIRECTION` is `ingress`.

- `DEST_IP_RANGE`: the destination IP ranges. This is
  only specified if `DIRECTION` is `egress`.

### Terraform

To create a mirroring rule, you can use a [`google_compute_network_firewall_policy_packet_mirroring_rule` resource](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_network_firewall_policy_packet_mirroring_rule).

```
resource "google_compute_network_firewall_policy_packet_mirroring_rule" "default" {
  provider               = google-beta
  firewall_policy        = google_compute_network_firewall_policy.default.name
  priority               = 1000
  action                 = "mirror"
  direction              = "INGRESS"
  security_profile_group = google_network_security_security_profile_group.default.id

  match {
    layer4_configs {
      ip_protocol = "tcp"
      ports       = ["80"]
    }
    src_ip_ranges = ["10.10.0.0/16"]
  }
}
```

To learn how to apply or remove a Terraform configuration, see
[Basic Terraform commands](/docs/terraform/basic-commands).

### Delete mirroring rule

Delete the packet mirroring rule at the specified priority.

#### Permissions required for this task

To perform this task, you must have been granted the following permissions
*or* one of the following IAM roles on your organization.

**Permissions**

- `compute.firewallPolicies.update`

**Roles**

- [`compute.securityAdmin`](https://cloud.google.com/compute/docs/access/iam#compute.securityAdmin)

### gcloud

To delete a mirroring rule from a network firewall policy, use the
[`gcloud compute network-firewall-policies mirroring-rules delete` command](/sdk/gcloud/reference/compute/network-firewall-policies/mirroring-rules/delete):

```
gcloud compute network-firewall-policies mirroring-rules delete PRIORITY \
    --firewall-policy FIREWALL_POLICY \
    --global-firewall-policy
```

Replace the following:

- `PRIORITY`: the priority of the rule to delete.

- `FIREWALL_POLICY`: the firewall policy ID with which to
  delete a rule.

### Describe mirroring rule

Describe the network firewall policy mirroring rule at the specified priority.

#### Permissions required for this task

To perform this task, you must have been granted the following permissions
*or* one of the following IAM roles on your organization.

**Permissions**

- `compute.firewallPolicies.get`

**Roles**

- [`compute.securityAdmin`](https://cloud.google.com/compute/docs/access/iam#compute.securityAdmin)
- [`compute.networkAdmin`](https://cloud.google.com/compute/docs/access/iam#compute.networkAdmin)

### gcloud

To describe a mirroring rule in a network firewall policy, use the
[`gcloud compute network-firewall-policies mirroring-rules describe` command](/sdk/gcloud/reference/compute/network-firewall-policies/mirroring-rules/describe):

```
gcloud compute network-firewall-policies mirroring-rules describe PRIORITY \
    --firewall-policy FIREWALL_POLICY \
    --global-firewall-policy
```

Replace the following:

- `PRIORITY`: the priority of the rule to describe.

- `FIREWALL_POLICY`: the firewall policy ID with which to
  describe the rule.

### Update mirroring rule

Update a mirroring rule in a network firewall policy.

#### Permissions required for this task

To perform this task, you must have been granted the following permissions
*or* one of the following IAM roles on your organization.

**Permissions**

- `compute.firewallPolicies.update`

**Roles**

- [`compute.securityAdmin`](https://cloud.google.com/compute/docs/access/iam#compute.securityAdmin)

### gcloud

To update a mirroring rule in a network firewall policy, use the
[`gcloud compute network-firewall-policies mirroring-rules update` command](/sdk/gcloud/reference/compute/network-firewall-policies/mirroring-rules/update):

```
gcloud compute network-firewall-policies mirroring-rules update PRIORITY \
    --action ACTION \
    --firewall-policy FIREWALL_POLICY \
    --global-firewall-policy \
    --security-profile-group SECURITY_PROFILE_GROUP \
    --description DESCRIPTION \
    --direction DIRECTION \
    --layer4-configs LAYER4_CONFIG \
    --src-ip-ranges SRC_IP_RANGE \
    --dest-ip-ranges DEST_IP_RANGE
```

Replace the following:

- `PRIORITY`: the priority of the rule to update.

- `ACTION`: the action to take if the request matches
  the match condition. `ACTION` must be `mirror` or `do_not_mirror`.

- `FIREWALL_POLICY`: the firewall policy ID with which to
  update a rule.

- `SECURITY_PROFILE_GROUP`: the name of the security profile
  group that has a `CUSTOM_MIRRORING` security profile and is used when
  `ACTION` is `mirror`.

- `DESCRIPTION`: an optional description for the
  mirroring rule.

- `DIRECTION`: indicates whether the rule is an `ingress`
  or `egress` rule. If the direction is not specified, it defaults to
  applying the rule on incoming traffic. For incoming traffic, you
  cannot specify destination ranges. For outbound traffic, you cannot
  specify source ranges or source tags.

- `LAYER4_CONFIG`: a list of destination protocols and
  ports to which the firewall rule applies.

- `SRC_IP_RANGE`: the source IP ranges. This is only
  specified if `DIRECTION` is `ingress`.

- `DEST_IP_RANGE`: the destination IP ranges. This is
  only specified if `DIRECTION` is `egress`.

What's next
-----------

- [Firewall policies and rules overview](/network-security-integration/docs/out-of-band/firewall-policies-overview)
- [Network Security Integration overview](/network-security-integration/docs/nsi-overview)
- [Monitor out-of-band integration](/network-security-integration/docs/out-of-band/monitor-out-of-band-integration)
- [Out-of-band integration overview](/network-security-integration/docs/out-of-band/out-of-band-integration-overview)

Last updated 2025-09-04 UTC.
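The "Replace the following" lists above state several constraints that gcloud enforces only once the command is submitted: `ACTION` must be `mirror` or `do_not_mirror`, an `ingress` rule cannot carry destination ranges, an `egress` rule cannot carry source ranges, and the security profile group accompanies the `mirror` action. The Python helper below is an added example, not Google's code and not part of the gcloud CLI: it checks a rule specification against those constraints and assembles the argv for the create, update, describe and delete commands shown on this page, so a malformed rule is reported before anything touches the policy. The firewall policy name, security profile group name, and IP ranges are constructed sample values, and passing `--direction` uppercased (`INGRESS`/`EGRESS`, as in the page's Terraform example) is an assumption about the flag's accepted form.

```python
"""Validate a packet mirroring rule and assemble the gcloud argv for it.

Added example, not Google's code. Encodes the constraints stated on the
page; names used in the sample at the bottom are constructed values.
"""
from __future__ import annotations

import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

BASE = ["gcloud", "compute", "network-firewall-policies", "mirroring-rules"]
VALID_ACTIONS = {"mirror", "do_not_mirror"}
VALID_DIRECTIONS = {"ingress", "egress"}


@dataclass
class MirroringRule:
    priority: int
    firewall_policy: str
    action: str
    direction: str = "ingress"  # page: an unspecified direction means incoming traffic
    security_profile_group: Optional[str] = None
    layer4_configs: List[str] = field(default_factory=list)  # "tcp:80", "udp:53-60"
    src_ip_ranges: List[str] = field(default_factory=list)
    dest_ip_ranges: List[str] = field(default_factory=list)
    description: Optional[str] = None


def _check_layer4(spec: str) -> Optional[str]:
    """Return an error for a malformed PROTOCOL[:PORT[-PORT]] entry, else None."""
    proto, _, ports = spec.partition(":")
    if not proto:
        return f"layer4 config {spec!r} has no protocol"
    if not ports:
        return None
    lo, _, hi = ports.partition("-")
    hi = hi or lo
    if not (lo.isdigit() and hi.isdigit()) or not 0 <= int(lo) <= int(hi) <= 65535:
        return f"layer4 config {spec!r} has an invalid port range"
    return None


def validate(rule: MirroringRule) -> List[str]:
    """Collect every constraint violation rather than stopping at the first."""
    errors: List[str] = []
    if rule.priority < 0:
        errors.append("priority must be a non-negative integer")
    if rule.action not in VALID_ACTIONS:
        errors.append(f"action must be one of {sorted(VALID_ACTIONS)}, got {rule.action!r}")
    if rule.direction not in VALID_DIRECTIONS:
        errors.append(f"direction must be ingress or egress, got {rule.direction!r}")
    if rule.action == "mirror" and not rule.security_profile_group:
        errors.append("mirror action requires a security profile group with a CUSTOM_MIRRORING profile")
    if rule.direction == "ingress" and rule.dest_ip_ranges:
        errors.append("ingress rules cannot specify destination ranges")
    if rule.direction == "egress" and rule.src_ip_ranges:
        errors.append("egress rules cannot specify source ranges")
    for cidr in rule.src_ip_ranges + rule.dest_ip_ranges:
        try:
            ipaddress.ip_network(cidr)  # strict: rejects host bits such as 10.1.2.3/16
        except ValueError:
            errors.append(f"invalid CIDR range {cidr!r}")
    errors.extend(e for e in map(_check_layer4, rule.layer4_configs) if e)
    return errors


def build_rule_argv(rule: MirroringRule, verb: str = "create") -> List[str]:
    """argv for `mirroring-rules create` or `update`; raises on an invalid spec."""
    if verb not in ("create", "update"):
        raise ValueError("verb must be create or update")
    errors = validate(rule)
    if errors:
        raise ValueError("; ".join(errors))
    # Assumption: the enum is spelled INGRESS/EGRESS as in the Terraform sample.
    argv = BASE + [verb, str(rule.priority), "--firewall-policy", rule.firewall_policy,
                   "--global-firewall-policy", "--action", rule.action,
                   "--direction", rule.direction.upper()]
    if rule.security_profile_group:
        argv += ["--security-profile-group", rule.security_profile_group]
    if rule.description:
        argv += ["--description", rule.description]
    if rule.layer4_configs:
        argv += ["--layer4-configs", ",".join(rule.layer4_configs)]
    if rule.src_ip_ranges:
        argv += ["--src-ip-ranges", ",".join(rule.src_ip_ranges)]
    if rule.dest_ip_ranges:
        argv += ["--dest-ip-ranges", ",".join(rule.dest_ip_ranges)]
    return argv


def build_lookup_argv(priority: int, firewall_policy: str, verb: str) -> List[str]:
    """argv for `mirroring-rules describe` or `delete`, which take only the priority."""
    if verb not in ("describe", "delete"):
        raise ValueError("verb must be describe or delete")
    return BASE + [verb, str(priority), "--firewall-policy", firewall_policy,
                   "--global-firewall-policy"]


if __name__ == "__main__":
    # Constructed sample that mirrors the Terraform resource on the page.
    rule = MirroringRule(priority=1000, firewall_policy="example-fw-policy", action="mirror",
                         security_profile_group="example-mirroring-spg",  # hypothetical name
                         layer4_configs=["tcp:80"], src_ip_ranges=["10.10.0.0/16"],
                         description="mirror inbound web traffic to the collector")
    print(shlex.join(build_rule_argv(rule)))
    print(shlex.join(build_lookup_argv(1000, "example-fw-policy", "describe")))
    # A rule that breaks the direction constraint is reported instead of submitted.
    bad = MirroringRule(1001, "example-fw-policy", "do_not_mirror", dest_ip_ranges=["192.0.2.0/24"])
    for err in validate(bad):
        print("rejected:", err)
```

Run it with no arguments to print the assembled commands; nothing is executed, so the output can be reviewed (or piped into a change ticket) before the real `gcloud` invocation. A rule that fails validation raises `ValueError` listing every violation, which is easier to act on than the single error a remote API call would return.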