This page describes how to create and manage mirroring rules by using the Google Cloud CLI. Before you create a packet mirroring rule, you must create an endpoint group and endpoint group associations. For more information, see Set up consumer services.
Create and manage mirroring rules for network firewall policies
In this section, learn how to create and manage mirroring rules for global network firewall policies by using the gcloud CLI.
Create mirroring rule
Create a packet mirroring rule in a network firewall policy.
To create a mirroring rule in a network firewall policy, use the gcloud beta compute network-firewall-policies mirroring-rules create command:

gcloud beta compute network-firewall-policies mirroring-rules create PRIORITY \
    --action ACTION \
    --firewall-policy FIREWALL_POLICY \
    --global-firewall-policy \
    --security-profile-group SECURITY_PROFILE_GROUP \
    --description DESCRIPTION \
    --direction DIRECTION \
    --layer4-configs LAYER4_CONFIG \
    --src-ip-ranges SRC_IP_RANGE \
    --dest-ip-ranges DEST_IP_RANGE
Replace the following:

PRIORITY: the priority of the rule to add.
ACTION: the action to take if the request matches the match condition. ACTION must be mirror or do_not_mirror.
FIREWALL_POLICY: the firewall policy ID with which to create a rule.
SECURITY_PROFILE_GROUP: the name of the security profile group that has a CUSTOM_MIRRORING security profile and is used with the mirror action.
DESCRIPTION: an optional description for the mirroring rule.
DIRECTION: indicates whether the rule is an ingress or egress rule. If the direction is not specified, it defaults to applying the rule on incoming traffic. For incoming traffic, you cannot specify destination ranges. For outbound traffic, you cannot specify source ranges or source tags.
LAYER4_CONFIG: a list of destination protocols and ports to which the firewall rule applies.
SRC_IP_RANGE: the source IP ranges. This is only specified if DIRECTION is ingress.
DEST_IP_RANGE: the destination IP ranges. This is only specified if DIRECTION is egress.
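As an added example (not part of this page or of the gcloud CLI), a POSIX shell pre-flight wrapper that checks the constraints listed above before the create command is run: the allowed ACTION values, a security profile group when the action is mirror, no destination ranges on ingress rules and no source ranges on egress rules. The policy name, security profile group and IP ranges in the demo are constructed placeholders.

```shell
#!/bin/sh
# Pre-flight check for a mirroring rule: enforces the constraints this page lists
# (ACTION values, security profile group with the mirror action, and the
# direction/range restrictions) and prints the gcloud command only when they hold.
build_mirroring_rule_cmd() {
  priority="$1"; action="$2"; policy="$3"; spg="$4"
  direction="$5"; layer4="$6"; src="$7"; dest="$8"
  case "$action" in
    mirror|do_not_mirror) ;;
    *) echo "ACTION must be mirror or do_not_mirror, got '$action'" >&2; return 1 ;;
  esac
  if [ "$action" = mirror ] && [ -z "$spg" ]; then
    echo "the mirror action needs a security profile group with a CUSTOM_MIRRORING profile" >&2
    return 1
  fi
  if [ -z "$direction" ]; then direction=INGRESS; fi   # unspecified direction means ingress
  case "$direction" in
    INGRESS|ingress)
      if [ -n "$dest" ]; then echo "ingress rules cannot set --dest-ip-ranges" >&2; return 1; fi ;;
    EGRESS|egress)
      if [ -n "$src" ]; then echo "egress rules cannot set --src-ip-ranges" >&2; return 1; fi ;;
    *) echo "DIRECTION must be ingress or egress, got '$direction'" >&2; return 1 ;;
  esac
  cmd="gcloud beta compute network-firewall-policies mirroring-rules create $priority"
  cmd="$cmd --action $action --firewall-policy $policy --global-firewall-policy"
  if [ -n "$spg" ]; then cmd="$cmd --security-profile-group $spg"; fi
  cmd="$cmd --direction $direction --layer4-configs $layer4"
  if [ -n "$src" ]; then cmd="$cmd --src-ip-ranges $src"; fi
  if [ -n "$dest" ]; then cmd="$cmd --dest-ip-ranges $dest"; fi
  printf '%s\n' "$cmd"
}

# Constructed demo values (example-policy, example-spg, 10.0.0.0/8 are placeholders,
# not real resources): a valid ingress mirror rule, then a misconfigured one that
# is rejected before gcloud is ever invoked.
build_mirroring_rule_cmd 1000 mirror example-policy example-spg INGRESS tcp:443 10.0.0.0/8 ""
if ! build_mirroring_rule_cmd 1000 mirror example-policy example-spg INGRESS tcp:443 "" 10.0.0.0/8; then
  echo "rejected: fix the rule before running the printed command"
fi
```

Pipe the printed command into a shell (or copy it) only after the check passes; the wrapper never calls gcloud itself.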
Delete mirroring rule
Delete the packet mirroring rule at the specified priority.
To delete a mirroring rule from a network firewall policy, use the gcloud beta compute network-firewall-policies mirroring-rules delete command:

gcloud beta compute network-firewall-policies mirroring-rules delete PRIORITY \
    --firewall-policy FIREWALL_POLICY \
    --global-firewall-policy
Replace the following:

PRIORITY: the priority of the rule to delete.
FIREWALL_POLICY: the firewall policy ID from which to delete the rule.
Describe mirroring rule
Describe the network firewall policy mirroring rule at the specified priority.
To describe a mirroring rule in a network firewall policy, use the gcloud beta compute network-firewall-policies mirroring-rules describe command:

gcloud beta compute network-firewall-policies mirroring-rules describe PRIORITY \
    --firewall-policy FIREWALL_POLICY \
    --global-firewall-policy
Replace the following:

PRIORITY: the priority of the rule to describe.
FIREWALL_POLICY: the firewall policy ID that contains the rule to describe.
Update mirroring rule
Update a mirroring rule in a network firewall policy.
To update a mirroring rule in a network firewall policy, use the gcloud beta compute network-firewall-policies mirroring-rules update command:

gcloud beta compute network-firewall-policies mirroring-rules update PRIORITY \
    --action ACTION \
    --firewall-policy FIREWALL_POLICY \
    --global-firewall-policy \
    --security-profile-group SECURITY_PROFILE_GROUP \
    --description DESCRIPTION \
    --direction DIRECTION \
    --layer4-configs LAYER4_CONFIG \
    --src-ip-ranges SRC_IP_RANGE \
    --dest-ip-ranges DEST_IP_RANGE
Replace the following:

PRIORITY: the priority of the rule to update.
ACTION: the action to take if the request matches the match condition. ACTION must be mirror or do_not_mirror.
FIREWALL_POLICY: the firewall policy ID in which to update the rule.
SECURITY_PROFILE_GROUP: the name of the security profile group that has a CUSTOM_MIRRORING security profile; used when ACTION is mirror.
DESCRIPTION: an optional description for the mirroring rule.
DIRECTION: indicates whether the rule is an ingress or egress rule. If the direction is not specified, it defaults to applying the rule on incoming traffic. For incoming traffic, you cannot specify destination ranges. For outbound traffic, you cannot specify source ranges or source tags.
LAYER4_CONFIG: a list of destination protocols and ports to which the firewall rule applies.
SRC_IP_RANGE: the source IP ranges. This is only specified if DIRECTION is ingress.
DEST_IP_RANGE: the destination IP ranges. This is only specified if DIRECTION is egress.
What's next
- Firewall policies and rules overview
- Network Security Integration overview
- Monitor out-of-band integration
- Out-of-band integration overview