Create and manage custom mirroring security profiles

You can create a custom mirroring security profile only for Packet Mirroring. A custom mirroring security profile is a configuration that mandates the inspection of specified network traffic by a designated network firewall policy rule. Traffic that matches the mirroring rules in the network firewall policy rule is mirrored to the endpoint group referenced by the security profile of that network firewall policy rule.

This page explains how to create and manage custom security profiles by using the Google Cloud CLI.

Before you begin

Roles

To get the permissions that you need to create, view, update, or delete custom security profiles, ask your administrator to grant you the necessary IAM roles on your organization. For more information about granting roles, see Manage access to projects, folders, and organizations.

To check the progress of the operations listed on this page, make sure that your user role includes the following permissions from the Compute Network User role (roles/compute.networkUser):

  • networksecurity.operations.get
  • networksecurity.operations.list

Create a custom security profile

You can only create a security profile of type CUSTOM_MIRRORING. You can create security profiles at organization or project level (Preview).

When you create a custom security profile, you can specify the name of the custom security profile, the location, and the endpoint group where the traffic is directed.

In this section, create a custom security profile for packet mirroring.

Console

  1. In the Google Cloud console, go to the Security profiles page.

  2. From the project picker, select your organization or the project (Preview).

  3. On the Security profiles tab, click Create profile.

  4. For Name, enter a name.

  5. For Security profile purpose, select NSI out-of-band.

  6. For Project, select the project that hosts the mirroring endpoint group.

  7. For Mirroring endpoint group, select the mirroring endpoint group.

  8. Click Create.

gcloud

To create a custom security profile for packet mirroring, use the gcloud network-security security-profiles custom-mirroring create command:

gcloud network-security security-profiles custom-mirroring \
    create CUSTOM_MIRRORING_PROFILE_NAME \
    --organization ORGANIZATION_ID | --project PROJECT_ID \
    --location=global \
    --mirroring-endpoint-group ENDPOINT_GROUP \
    --description DESCRIPTION \
    [--billing-project QUOTA_PROJECT_ID]

Replace the following:

  • CUSTOM_MIRRORING_PROFILE_NAME: the name of the custom security profile.

    If you don't specify the name in the unique URL identifier format, you must specify the organization or the project name, and the location.

  • ORGANIZATION_ID: your organization ID. Use this flag to create an organization-level security profile.

  • PROJECT_ID: your project ID. Use this flag to create a project-level security profile (Preview).

    The --project flag is available in (Preview). To use this flag, run the gcloud beta network-security security-profiles custom-mirroring create command.

  • ENDPOINT_GROUP: the URL of the mirroring endpoint group—for example, projects/12345678/locations/global/mirroringEndpointGroups/mirroringEPG.

  • DESCRIPTION: an optional description for the custom mirroring profile.

  • QUOTA_PROJECT_ID: your quota project ID. Use this flag only for organization-level security profiles.

Terraform

To create a security profile, you can use a google_network_security_security_profile resource.

resource "google_network_security_security_profile" "default" {
  name     = "security-profile"
  type     = "CUSTOM_MIRRORING"
  parent   = "organizations/${data.google_organization.default.org_id}"
  location = "global"

  custom_mirroring_profile {
    mirroring_endpoint_group = google_network_security_mirroring_endpoint_group.default.id
  }
}

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

List and view details of a custom security profile

You can list custom security profiles in an organization or a project (Preview), and view the details of a profile, such as its name and endpoint group ID.

Console

  1. In the Google Cloud console, go to the Security profiles page.

  2. From the project picker, select your organization or the project (Preview). The tab lists all security profiles.

  3. On the Security profiles tab, click the name of the security profile to see its details.

gcloud

To list all custom mirroring security profiles, use the gcloud network-security security-profiles custom-mirroring list command:

gcloud network-security security-profiles custom-mirroring list \
    --organization ORGANIZATION_ID | --project PROJECT_ID \
    --location=global \
    [--billing-project QUOTA_PROJECT_ID]

To view details of a custom mirroring security profile, use the gcloud network-security security-profiles custom-mirroring describe command:

gcloud network-security security-profiles custom-mirroring \
    describe CUSTOM_MIRRORING_PROFILE_NAME \
    --organization ORGANIZATION_ID | --project PROJECT_ID \
    --location=global \
    [--billing-project QUOTA_PROJECT_ID]

Replace the following:

  • CUSTOM_MIRRORING_PROFILE_NAME: the name of the custom security profile.

    If you don't specify the name in the unique URL identifier format, you must specify the organization or the project name, and the location.

  • ORGANIZATION_ID: your organization ID where the security profile exists.

  • PROJECT_ID: your project ID where the security profile exists.

    The --project flag is available in (Preview). To use this flag, run the gcloud beta network-security security-profiles custom-mirroring describe command.

  • QUOTA_PROJECT_ID: your quota project ID. Use this flag only for organization-level security profiles.

The output is similar to the following:

  • Organization-level security profiles: organizations/ORGANIZATION_ID/locations/global/securityProfiles/CUSTOM_MIRRORING_PROFILE_NAME
  • Project-level security profiles (Preview): projects/PROJECT_ID/locations/global/securityProfiles/CUSTOM_MIRRORING_PROFILE_NAME

Delete a custom security profile

You can delete a custom mirroring security profile by specifying its name, location, and organization or project. However, if a custom security profile is referenced by a security profile group, that custom security profile cannot be deleted.

Console

  1. In the Google Cloud console, go to the Security profiles page.

  2. From the project picker, select your organization or the project (Preview).

  3. On the Security profiles tab, select the checkbox of the security profile, and then click Delete.

  4. Click Delete again to confirm.

gcloud

To delete a custom mirroring security profile, use the gcloud network-security security-profiles custom-mirroring delete command:

gcloud network-security security-profiles custom-mirroring \
    delete CUSTOM_MIRRORING_PROFILE_NAME \
    --organization ORGANIZATION_ID | --project PROJECT_ID \
    --location=global \
    [--billing-project QUOTA_PROJECT_ID]

Replace the following:

  • CUSTOM_MIRRORING_PROFILE_NAME: the name of the custom security profile that you want to delete.

    If you don't specify the name in the unique URL identifier format, you must specify the organization or the project name, and the location.

  • ORGANIZATION_ID: your organization ID where the security profile exists.

  • PROJECT_ID: your project ID where the security profile exists.

    The --project flag is available in (Preview). To use this flag, run the gcloud beta network-security security-profiles custom-mirroring delete command.

  • QUOTA_PROJECT_ID: your quota project ID. Use this flag only for organization-level security profiles.
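The create, describe and delete commands above share the same scoping rules (--organization versus --project, the beta track for project-level profiles, --billing-project only at organization level, and a full resource-path name in place of scope flags). The following shell function is an added example, not code from the Google Cloud documentation or the gcloud CLI: it assembles the command string for any of the three verbs and rejects a call that breaks those rules before gcloud is ever invoked. The function name, argument order and sample IDs are assumptions made for the example.

```shell
# Added example, not from the Google Cloud docs: assemble the gcloud
# custom-mirroring command for create/describe/delete, enforcing the flag
# rules the page states so a mis-scoped call fails before gcloud runs:
#   --organization/--project are alternatives, --project needs "gcloud beta";
#   --billing-project is valid only for organization-level profiles;
#   a NAME given as a full resource path needs no scope/location flags;
#   create needs projects/*/locations/global/mirroringEndpointGroups/*.
# Usage: build_profile_cmd VERB NAME SCOPE ENDPOINT_GROUP QUOTA_PROJECT
#   (SCOPE = organizations/ID | projects/ID; unused args are passed as "")
build_profile_cmd() {
  verb=$1; name=$2; scope=$3; epg=$4; quota=$5
  track=""; flags=""
  case "$verb" in
    create|describe|delete) ;;
    *) echo "unsupported verb: $verb" >&2; return 1 ;;
  esac
  case "$name" in
    organizations/*/locations/*/securityProfiles/?*) ;;
    projects/*/locations/*/securityProfiles/?*) track="beta " ;;
    */*) echo "malformed profile name: $name" >&2; return 1 ;;
    *)  # short name: scope and location must be given explicitly
      case "$scope" in
        organizations/?*)
          flags=" --organization ${scope#organizations/} --location=global" ;;
        projects/?*)
          track="beta "
          flags=" --project ${scope#projects/} --location=global" ;;
        *) echo "short name needs organizations/ID or projects/ID scope" >&2; return 1 ;;
      esac ;;
  esac
  if [ "$verb" = create ]; then
    case "$epg" in
      projects/*/locations/global/mirroringEndpointGroups/?*) ;;
      *) echo "invalid mirroring endpoint group URL: $epg" >&2; return 1 ;;
    esac
    flags="$flags --mirroring-endpoint-group $epg"
  fi
  if [ -n "$quota" ]; then
    if [ -n "$track" ]; then
      echo "quota project is allowed only for organization-level profiles" >&2; return 1
    fi
    flags="$flags --billing-project $quota"
  fi
  echo "gcloud ${track}network-security security-profiles custom-mirroring $verb $name$flags"
}

# Constructed sample values: print the org-level create command.
build_profile_cmd create mirror-profile organizations/123456789012 \
  projects/12345678/locations/global/mirroringEndpointGroups/mirroringEPG ""
```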