Create and manage custom mirroring security profiles

You can create a custom mirroring security profile only for Packet Mirroring. A custom mirroring security profile is a configuration that mandates the inspection of specified network traffic by a designated network firewall policy rule. Traffic that matches the mirroring rules in the network firewall policy rule is mirrored to the endpoint group referenced by the security profile of that network firewall policy rule.

This page explains how to create and manage custom security profiles by using the Google Cloud CLI.

Before you begin

Roles

To get the permissions that you need to create, view, update, or delete custom security profiles, ask your administrator to grant you the necessary IAM roles on your organization. For more information about granting roles, see Manage access to projects, folders, and organizations.

To check the progress of the operations listed on this page, make sure that your user role includes the following permissions, which are part of the Compute Network User role (roles/compute.networkUser):

  • networksecurity.operations.get
  • networksecurity.operations.list

Create a custom security profile

You can only create a security profile of type CUSTOM_MIRRORING.

When you create a custom security profile, you can specify the name of the custom security profile, the location, and the endpoint group where the traffic is directed.

In this section, create a custom security profile for packet mirroring.

gcloud

To create a custom security profile for packet mirroring, use the gcloud beta network-security security-profiles custom-mirroring create command:

gcloud beta network-security security-profiles custom-mirroring \
    create CUSTOM_MIRRORING_PROFILE_NAME \
    --organization ORGANIZATION_ID \
    --location=global \
    --mirroring-endpoint-group ENDPOINT_GROUP \
    --description DESCRIPTION \
    --billing-project PROJECT_ID

Replace the following:

  • CUSTOM_MIRRORING_PROFILE_NAME: the name of the custom security profile.

  • ORGANIZATION_ID: the organization where the custom security profile is created.

  • ENDPOINT_GROUP: the URL of the mirroring endpoint group—for example, projects/12345678/locations/global/mirroringEndpointGroups/mirroringEPG.

  • DESCRIPTION: an optional description for the custom mirroring profile.

  • PROJECT_ID: the project ID to use for quotas and access restrictions on the custom security profile.

List custom security profiles

You can list all the custom security profiles in an organization.

gcloud

To list all the custom mirroring security profiles, use the gcloud beta network-security security-profiles custom-mirroring list command:

gcloud beta network-security security-profiles custom-mirroring list \
    --organization ORGANIZATION_ID \
    --location=global \
    --billing-project PROJECT_ID

Replace the following:

  • ORGANIZATION_ID: the organization where the custom security profile is created.
  • PROJECT_ID: the project ID to use for quotas and access restrictions on the custom security profile.

Delete a custom security profile

You can delete a custom mirroring security profile by specifying its name, location, and organization. However, if a custom security profile is referenced by a security profile group, that custom security profile cannot be deleted.

gcloud

To delete a custom mirroring security profile, use the gcloud beta network-security security-profiles custom-mirroring delete command:

gcloud beta network-security security-profiles custom-mirroring \
    delete CUSTOM_PROFILE_NAME \
    --organization ORGANIZATION_ID \
    --billing-project PROJECT_ID \
    --location=global

Replace the following:

  • CUSTOM_PROFILE_NAME: the name of the custom security profile that you want to delete.
  • ORGANIZATION_ID: the organization where the custom security profile is created.
  • PROJECT_ID: the project ID to use for quotas and access restrictions on the custom security profile.
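As an added example (not part of the Google Cloud documentation), the following bash functions wrap the create, list, and delete commands above, check that the endpoint group URL has the form shown for ENDPOINT_GROUP before calling gcloud, and allow the GCLOUD variable to be overridden (for example GCLOUD=echo) for a dry run that prints the command instead of executing it. The function names and the GCLOUD variable are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: thin wrappers around the custom-mirroring commands on this page.
# GCLOUD defaults to the real CLI; set GCLOUD=echo to dry-run and inspect arguments.
set -euo pipefail
GCLOUD="${GCLOUD:-gcloud}"

# The endpoint group must be a URL of the form
# projects/PROJECT_NUMBER/locations/global/mirroringEndpointGroups/NAME
# (six segments, none empty, location must be global). Reject anything else
# locally instead of waiting for the API to reject it.
valid_endpoint_group() {
  local url=$1 slashes
  case "$url" in
    projects/*/locations/global/mirroringEndpointGroups/*) ;;
    *) return 1 ;;
  esac
  slashes=$(printf '%s' "$url" | tr -cd /)   # keep only the slashes
  [ "${#slashes}" -eq 5 ] || return 1         # exactly six path segments
  case "$url" in *//*|*/) return 1 ;; esac    # no empty segments
  return 0
}

# create_mirroring_profile NAME ORGANIZATION_ID ENDPOINT_GROUP PROJECT_ID [DESCRIPTION]
create_mirroring_profile() {
  valid_endpoint_group "$3" || { echo "invalid endpoint group: $3" >&2; return 1; }
  local args=(beta network-security security-profiles custom-mirroring create "$1"
              --organization "$2" --location=global
              --mirroring-endpoint-group "$3" --billing-project "$4")
  [ $# -ge 5 ] && args+=(--description "$5")   # description is optional
  "$GCLOUD" "${args[@]}"
}

# list_mirroring_profiles ORGANIZATION_ID PROJECT_ID
list_mirroring_profiles() {
  "$GCLOUD" beta network-security security-profiles custom-mirroring list \
    --organization "$1" --location=global --billing-project "$2"
}

# delete_mirroring_profile NAME ORGANIZATION_ID PROJECT_ID
# Fails at the API if a security profile group still references the profile.
delete_mirroring_profile() {
  "$GCLOUD" beta network-security security-profiles custom-mirroring delete "$1" \
    --organization "$2" --location=global --billing-project "$3"
}
```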

What's next