- NAME
-
- gcloud compute network-firewall-policies rules update - updates a Compute Engine network firewall policy rule
- SYNOPSIS
-
-
gcloud compute network-firewall-policies rules update
PRIORITY
--firewall-policy
=FIREWALL_POLICY
[--action
=ACTION
] [--description
=DESCRIPTION
] [--dest-address-groups
=[DEST_ADDRESS_GROUPS
,…]] [--dest-fqdns
=[DEST_FQDNS
,…]] [--dest-ip-ranges
=[DEST_IP_RANGE
,…]] [--dest-region-codes
=[DEST_REGION_CODES
,…]] [--dest-threat-intelligence
=[DEST_THREAT_INTELLIGENCE_LISTS
,…]] [--direction
=DIRECTION
] [--[no-]disabled
] [--[no-]enable-logging
] [--layer4-configs
=[LAYER4_CONFIG
,…]] [--new-priority
=NEW_PRIORITY
] [--security-profile-group
=SECURITY_PROFILE_GROUP
] [--src-address-groups
=[SOURCE_ADDRESS_GROUPS
,…]] [--src-fqdns
=[SOURCE_FQDNS
,…]] [--src-ip-ranges
=[SRC_IP_RANGE
,…]] [--src-region-codes
=[SOURCE_REGION_CODES
,…]] [--src-secure-tags
=[SOURCE_SECURE_TAGS
,…]] [--src-threat-intelligence
=[SOURCE_THREAT_INTELLIGENCE_LISTS
,…]] [--target-secure-tags
=[TARGET_SECURE_TAGS
,…]] [--target-service-accounts
=[TARGET_SERVICE_ACCOUNTS
,…]] [--[no-]tls-inspect
] [--firewall-policy-region
=FIREWALL_POLICY_REGION
|--global-firewall-policy
] [GCLOUD_WIDE_FLAG …
]
-
- DESCRIPTION
-
gcloud compute network-firewall-policies rules update
is used to update network firewall policy rules. - EXAMPLES
-
To update a rule with priority
in a global network firewall policy with name10
to change the action tomy-policy
and description toallow
, run:new example rule
gcloud compute network-firewall-policies rules update 10 --firewall-policy=my-policy --action=allow --description="new example rule"
- POSITIONAL ARGUMENTS
-
PRIORITY
- Priority of the rule to be updated. Valid in [0, 65535].
- REQUIRED FLAGS
-
--firewall-policy
=FIREWALL_POLICY
- Firewall policy ID with which to update rule.
- OPTIONAL FLAGS
-
--action
=ACTION
-
Action to take if the request matches the match condition.
ACTION
must be one of:allow
,deny
,goto_next
,apply_security_profile_group
. --description
=DESCRIPTION
- An optional, textual description for the rule.
--dest-address-groups
=[DEST_ADDRESS_GROUPS
,…]- Destination address groups to match for this rule. Can only be specified if DIRECTION is engress.
--dest-fqdns
=[DEST_FQDNS
,…]-
Destination FQDNs to match for this rule. Can only be specified if DIRECTION is
egress
. --dest-ip-ranges
=[DEST_IP_RANGE
,…]- Destination IP ranges to match for this rule.
--dest-region-codes
=[DEST_REGION_CODES
,…]-
Destination Region Code to match for this rule. Can only be specified if
DIRECTION is
egress
. --dest-threat-intelligence
=[DEST_THREAT_INTELLIGENCE_LISTS
,…]-
Destination Threat Intelligence lists to match for this rule. Can only be
specified if DIRECTION is
egress
. The available lists can be found here: https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy. --direction
=DIRECTION
-
Direction of the traffic the rule is applied. The default is to apply on
incoming traffic.
DIRECTION
must be one of:INGRESS
,EGRESS
. --[no-]disabled
-
Use this flag to disable the rule. Disabled rules will not affect traffic. Use
--disabled
to enable and--no-disabled
to disable. --[no-]enable-logging
-
Use this flag to enable logging of connections that allowed or denied by this
rule. Use
--enable-logging
to enable and--no-enable-logging
to disable. --layer4-configs
=[LAYER4_CONFIG
,…]- A list of destination protocols and ports to which the firewall rule will apply.
--new-priority
=NEW_PRIORITY
- New priority for the rule to update. Valid in [0, 65535].
--security-profile-group
=SECURITY_PROFILE_GROUP
- A security profile group to be used with apply_security_profile_group action.
--src-address-groups
=[SOURCE_ADDRESS_GROUPS
,…]- Source address groups to match for this rule. Can only be specified if DIRECTION is ingress.
--src-fqdns
=[SOURCE_FQDNS
,…]-
Source FQDNs to match for this rule. Can only be specified if DIRECTION is
ingress
. --src-ip-ranges
=[SRC_IP_RANGE
,…]- A list of IP address blocks that are allowed to make inbound connections that match the firewall rule to the instances on the network. The IP address blocks must be specified in CIDR format: http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing.Either --src-ip-ranges or --src-secure-tags must be specified for INGRESS traffic. If both --src-ip-ranges and --src-secure-tags are specified, the rule matches if either the range of the source matches --src-ip-ranges or the secure tag of the source matches --src-secure-tags.Multiple IP address blocks can be specified if they are separated by commas.
--src-region-codes
=[SOURCE_REGION_CODES
,…]-
Source Region Code to match for this rule. Can only be specified if DIRECTION is
ingress
. - A list of instance secure tags indicating the set of instances on the network to which the rule applies if all other fields match. Either --src-ip-ranges or --src-secure-tags must be specified for ingress traffic. If both --src-ip-ranges and --src-secure-tags are specified, an inbound connection is allowed if either the range of the source matches --src-ip-ranges or the tag of the source matches --src-secure-tags. Secure Tags can be assigned to instances during instance creation.
--src-threat-intelligence
=[SOURCE_THREAT_INTELLIGENCE_LISTS
,…]-
Source Threat Intelligence lists to match for this rule. Can only be specified
if DIRECTION is
ingress
. The available lists can be found here: https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy. - An optional, list of target secure tags with a name of the format tagValues/ or full namespaced name
--target-service-accounts
=[TARGET_SERVICE_ACCOUNTS
,…]- List of target service accounts for the rule.
--[no-]tls-inspect
-
Use this flag to indicate whether TLS traffic should be inspected using the TLS
inspection policy when the security profile group is applied. Default: no TLS
inspection. Use
--tls-inspect
to enable and--no-tls-inspect
to disable. -
At most one of these can be specified:
--firewall-policy-region
=FIREWALL_POLICY_REGION
-
Region of the firewall policy to operate on. Overrides the default
compute/region
property value for this command invocation. --global-firewall-policy
- If set, the firewall policy is global.
- GCLOUD WIDE FLAGS
-
These flags are available to all commands:
--access-token-file
,--account
,--billing-project
,--configuration
,--flags-file
,--flatten
,--format
,--help
,--impersonate-service-account
,--log-http
,--project
,--quiet
,--trace-token
,--user-output-enabled
,--verbosity
.Run
$ gcloud help
for details. - NOTES
-
These variants are also available:
gcloud alpha compute network-firewall-policies rules update
gcloud beta compute network-firewall-policies rules update
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-04-23 UTC.