Create security profile groups (original) (raw)

This page explains how to createsecurity profile groupsby using the Google Cloud console or the Google Cloud CLI.

To check the progress of the operations listed on this page, make sure that your user role has the followingCompute Network User(roles/compute.networkUser) permissions:

• networksecurity.operations.get
• networksecurity.operations.list

Before you begin

• You must enablethe Network Security APIin your project.
• Install the gcloud CLI if you want to run the gcloudcommand-line examples in this guide.
• You need a threat prevention security profileor a URL filtering security profile.

Roles

To get the permissions that you need to create security profile groups, ask your administrator to grant you the necessaryIAM roles on your organization or project. For more information about granting roles, seeManage access.

Each security profile group can contain up to one security profile of each of the following types:

• url-filtering
• threat-prevention

Organization-level security profile groups

To create an organization-level security profile group, use the Google Cloud console or the gcloud CLI.

When you create a security profile group, you can specify the name of the security profile group as a string or as a unique URL identifier. To construct the unique URL for a security profile group, use the following format:

organizations/ORGANIZATION_ID/locations/global/securityProfileGroups/NAME

If you use a unique URL identifier for the security profile group name, the organization and the location of the security profile group are already included in the URL identifier. However, if you use only the security profile group name, you must specify the organization and the location separately. For more information about unique URL identifiers, seesecurity profile group specifications.

Permissions required for this task

To perform this task, you must have been granted the following permissions_or_ one of the following IAM roles on your organization.

Permissions

• networksecurity.securityProfileGroups.create

Roles

• Security Profile Admin (roles/networksecurity.securityProfileAdmin) at the organization level for organization-level security profile groups, and at either the project or organization level for security profile groups

Console

1. In the Google Cloud console, go to the Security profiles page.
   Go to Security profiles
2. In the project selector menu, select your organization.
3. Select the Security profile groups tab.

Configure a security profile group:

1. Click Create profile group.
2. Enter a name in the Name field.
3. Optional: Enter a description in the Description field.
4. To create a security profile group for Cloud Next Generation Firewall Enterprise, in the Purpose section, select Cloud NGFW Enterprise.
5. In the Threat prevention profile list or the URL filtering profilelist, select the security profile that you want to add to this security profile group.
6. Click Create.

gcloud

To create a security profile group, use the gcloud network-security security-profile-groups createcommand:

gcloud network-security security-profile-groups create NAME
--organization ORGANIZATION_ID
--location LOCATION
--billing-project QUOTA_PROJECT_ID
--url-filtering-profile SECURITY_PROFILE_URL
--threat-prevention-profile SECURITY_PROFILE_URL
--description DESCRIPTION

Replace the following:

• NAME: the name of the security profile group; you can specify the name as a string or as a unique URL identifier.
• ORGANIZATION_ID: the organization where the security profile group is created. If you use a unique URL identifier for theNAME variable, you can omit the --organization flag.
• LOCATION: the location of the security profile group.
  Location is always set to global. If you use a unique URL identifier for the NAME variable, you can omit the --location flag.
• QUOTA_PROJECT_ID: an optional project ID to use for quotas and access restrictions on the security profile group.
• SECURITY_PROFILE_URL: a unique URL identifier for a security profile of either url-filtering or threat-preventiontype. You must add at least one of these security profiles.
• DESCRIPTION: an optional description for the security profile group.

Project-level security profile groups

To create a project-level security profile group, use the gcloud CLI.

When you create a security profile group, you can specify the name of the security profile group as a string or as a unique URL identifier. To construct the unique URL for a security profile group , use the following format:

projects/PROJECT_ID/locations/global/securityProfileGroups/NAME

If you use a unique URL identifier for the security profile group name, the project, and the location of the security profile group are already included in the URL identifier. However, if you use only the security profile group name, you must specify the project, and the location separately. For more information about unique URL identifiers, seesecurity profile group specifications.

Permissions required for this task

To perform this task, you must have been granted the following permissions_or_ one of the following IAM roles on your project.

Permissions

• networksecurity.securityProfileGroups.create

Roles

• Security Profile Admin (roles/networksecurity.securityProfileAdmin) at either the project or organization level

gcloud

To create a security profile group, use the gcloud network-security security-profile-groups createcommand:

gcloud beta network-security security-profile-groups create NAME
--project PROJECT_ID
--location LOCATION
--url-filtering-profile SECURITY_PROFILE_URL
--threat-prevention-profile SECURITY_PROFILE_URL
--description DESCRIPTION

Replace the following:

• NAME: the name of the security profile group; you can specify the name as a string or as a unique URL identifier.
• PROJECT_ID: the project where the security profile group is created. If you use a unique URL identifier for theNAME variable, you can omit the --project flag.
• LOCATION: the location of the security profile group.
  Location is always set to global. If you use a unique URL identifier for the NAME variable, you can omit the --location flag.
• SECURITY_PROFILE_URL: a unique URL identifier for a security profile of either url-filtering or threat-preventiontype. You must add at least one of these security profiles.
• DESCRIPTION: an optional description for the security profile group.

What's next

• Manage security profile groups
• Create and manage firewall endpoints