This page explains how to create and manage security profiles of the type threat-prevention by using the Google Cloud console or the Google Cloud CLI.
Before you begin
- You must enable the Network Security API in your project.
- Install the gcloud CLI if you want to run the gcloud command-line examples in this guide.
Roles
To get the permissions that you need to create, view, update, or delete security profiles, ask your administrator to grant you the necessary IAM roles on your organization. For more information about granting roles, see Manage access.
Create a threat prevention security profile
When you create a threat prevention security profile (security profile of type threat-prevention), you can specify the name of the security profile as a string or as a unique URL identifier. The unique URL for an organization-scoped security profile can be constructed in the following format:
    organization/ORGANIZATION_ID/locations/LOCATION/securityProfiles/SECURITY_PROFILE_NAME
If you use a unique URL identifier for the security profile name, the organization and location of the security profile are already included in the URL identifier. However, if you use only the security profile name, you must specify the organization and location separately. For more information about unique URL identifiers, see security profile specifications.
Console
-  In the Google Cloud console, go to the Security profiles page.
-  In the project selector menu, select your organization.
-  Select the Security profiles tab.
-  Click Create profile.
-  Enter a name in the Name field.
-  Optional: Enter a description in the Description field.
-  To create a Cloud Next Generation Firewall Enterprise security profile, in the Purpose section, select Cloud NGFW Enterprise.
-  To create a threat prevention security profile, in the Type section, select Threat Prevention.
-  Click Continue. 
Optionally, add severity and threat overrides:
- Under Severity overrides, click Edit next to the severity level that you want to override.
- In the Override action list, select the appropriate action for the severity level.
- To add a threat signature override, click Add signature by ID.
- In the Signature ID field, enter the threat ID that you want to override. You can view the threat IDs on the threat dashboard.
- In the Override action list, select the appropriate action for the threat ID.
- Click Create.
gcloud
To create a threat prevention security profile, use the gcloud network-security security-profiles threat-prevention create command:
    gcloud network-security security-profiles threat-prevention create NAME \
        --organization ORGANIZATION_ID \
        --location LOCATION \
        --project PROJECT_ID \
        --description DESCRIPTION
Replace the following:
-  NAME: the name of the threat prevention security profile; you can specify the name as a string or as a unique URL identifier. If you use a unique URL identifier for the NAME flag, you can omit the ORGANIZATION_ID and LOCATION flags.
-  ORGANIZATION_ID: the organization where the threat prevention security profile is created. If you use a unique URL identifier for the NAME flag, you can omit the ORGANIZATION_ID flag.
-  LOCATION: the location of the threat prevention security profile. Location is always set to global. If you use a unique URL identifier for the NAME flag, you can omit the LOCATION flag.
-  PROJECT_ID: an optional project ID to use for quotas and access restrictions on the threat prevention security profile.
-  DESCRIPTION: an optional description for the threat prevention security profile.
View a threat prevention security profile
You can view the details of a specific threat prevention security profile in an organization.
Console
-  In the Google Cloud console, go to the Security profiles page.
-  Select the Security profiles tab. The tab shows a list of configured security profiles.
-  Click a security profile of type Threat prevention to view the profile details.
gcloud
To view the details of a threat prevention security profile, use the gcloud beta network-security security-profiles describe command:
    gcloud beta network-security security-profiles describe NAME \
        --organization ORGANIZATION_ID \
        --location LOCATION
Replace the following:
-  NAME: the name of the security profile of type threat-prevention that you want to describe; you can specify the name as a string or as a unique URL identifier. If you use a unique URL identifier for the NAME flag, you can omit the ORGANIZATION_ID and LOCATION flags.
-  ORGANIZATION_ID: the organization where the threat prevention security profile is created. If you use a unique URL identifier for the NAME flag, you can omit the ORGANIZATION_ID flag.
-  LOCATION: the location of the threat prevention security profile. Location is always set to global. If you use a unique URL identifier for the NAME flag, you can omit the LOCATION flag.
List threat prevention security profiles
You can list all the threat prevention security profiles in an organization.
Console
-  In the Google Cloud console, go to the Security profiles page.
-  Select the Security profiles tab. The tab shows a list of configured security profiles.
gcloud
To list all the threat prevention security profiles, use the gcloud network-security security-profiles threat-prevention list command:
    gcloud network-security security-profiles threat-prevention list \
        --organization ORGANIZATION_ID \
        --location LOCATION \
        --project PROJECT_ID
Replace the following:
-  ORGANIZATION_ID: the organization where the threat prevention security profiles are created.
-  LOCATION: the location of the threat prevention security profiles. Location is always set to global.
-  PROJECT_ID: an optional project ID to use for quotas and access restrictions on the threat prevention security profile.
Delete a threat prevention security profile
You can delete a threat prevention security profile by specifying its name, location, and organization. However, if a security profile is referenced by a security profile group, that security profile cannot be deleted.
Console
-  In the Google Cloud console, go to the Security profiles page.
-  Select the Security profiles tab. The tab shows a list of configured security profiles.
-  Select the threat prevention security profile that you want to delete, and then click Delete.
-  Click Delete again to confirm.
gcloud
To delete a threat prevention security profile, use the gcloud network-security security-profiles threat-prevention delete command:
    gcloud network-security security-profiles threat-prevention delete NAME \
        --organization ORGANIZATION_ID \
        --location LOCATION \
        --project PROJECT_ID
Replace the following:
-  NAME: the name of the threat prevention security profile that you want to delete; you can specify the name as a string or as a unique URL identifier.
-  ORGANIZATION_ID: the organization where the threat prevention security profile is created. If you use a unique URL identifier for the NAME flag, you can omit the ORGANIZATION_ID flag.
-  LOCATION: the location of the threat prevention security profile. Location is always set to global. If you use a unique URL identifier for the NAME flag, you can omit the LOCATION flag.
-  PROJECT_ID: an optional project ID to use for quotas and access restrictions on the threat prevention security profile.
Import a threat prevention security profile
You can import a threat prevention security profile (either custom-created or previously exported) from a YAML file. When importing a threat prevention security profile, if a profile with the same name already exists, Cloud NGFW updates the existing profile.
gcloud
To import a threat prevention security profile from a YAML file, use the gcloud beta network-security security-profiles import command:
    gcloud beta network-security security-profiles import NAME \
        --organization ORGANIZATION_ID \
        --location LOCATION \
        --source FILE_NAME
Replace the following:
-  NAME: the name of the security profile of type threat-prevention that you want to import; you can specify the name as a string or as a unique URL identifier. If you use a unique URL identifier for the NAME flag, you can omit the ORGANIZATION_ID and LOCATION flags.
-  ORGANIZATION_ID: the organization where the threat prevention security profile is created. If you use a unique URL identifier for the NAME flag, you can omit the ORGANIZATION_ID flag.
-  LOCATION: the location of the threat prevention security profile. Location is always set to global. If you use a unique URL identifier for the NAME flag, you can omit the LOCATION flag.
-  FILE_NAME: the path to the YAML file containing the configuration export data for the threat prevention security profile. For example, threat-prevention-sp.yaml. The YAML file must not contain any output-only fields. Alternatively, you can omit the source flag to read from the standard input.
Export a threat prevention security profile
You can export a threat prevention security profile to a YAML file. For example, instead of using the user interface to modify a large security profile, you can use this functionality to export the security profile, modify it quickly, and import it back.
gcloud
To export a threat prevention security profile to a YAML file, use the gcloud beta network-security security-profiles export command:
    gcloud beta network-security security-profiles export NAME \
        --organization ORGANIZATION_ID \
        --location LOCATION \
        --destination FILE_NAME
Replace the following:
-  NAME: the name of the security profile of type threat-prevention that you want to export; you can specify the name as a string or as a unique URL identifier. If you use a unique URL identifier for the NAME flag, you can omit the ORGANIZATION_ID and LOCATION flags.
-  ORGANIZATION_ID: the organization where the threat prevention security profile is created. If you use a unique URL identifier for the NAME flag, you can omit the ORGANIZATION_ID flag.
-  LOCATION: the location of the threat prevention security profile. Location is always set to global. If you use a unique URL identifier for the NAME flag, you can omit the LOCATION flag.
-  FILE_NAME: the path to the YAML file into which Cloud NGFW will export the configuration for the threat prevention security profile. For example, threat-prevention-sp.yaml. The exported configuration data doesn't contain any output-only fields. Alternatively, you can omit the destination flag to write to the standard output.
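A pre-import review of an exported profile, as an added example that is not part of the Google Cloud documentation: it flags overrides that set ALLOW for HIGH or CRITICAL severities or for individual threat IDs. The YAML key names (threatPreventionProfile, severityOverrides, threatOverrides, action, severity, threatId) and the sample file are assumptions made for this example; compare them with your own export before relying on it.

```shell
#!/bin/sh
# Added example: review an exported threat prevention profile for overrides
# that relax enforcement before the file is imported back.
# Assumed export layout (not shown on this page): a threatPreventionProfile
# block with severityOverrides / threatOverrides lists whose items carry
# action, severity and threatId keys.

# audit_profile_yaml FILE: prints one line per finding, returns 1 if any.
audit_profile_yaml() {
  awk '
    # Evaluate the list item collected so far, then reset it.
    function check() {
      if (sect == "severityOverrides" && act == "ALLOW" && (sev == "HIGH" || sev == "CRITICAL")) {
        print "RISK severity " sev " overridden to ALLOW"; n++
      }
      if (sect == "threatOverrides" && act == "ALLOW") {
        print "REVIEW threat " tid " overridden to ALLOW"; n++
      }
      act = ""; sev = ""; tid = ""
    }
    # "key:" with no value opens a new section.
    /^[ \t]*[A-Za-z]+:[ \t]*$/ { check(); sect = $1; sub(/:$/, "", sect); next }
    # "- key: value" starts a new list item; drop the dash and re-split fields.
    /^[ \t]*-[ \t]/ { check(); sub(/-/, " ") }
    $1 == "action:"   { act = $2 }
    $1 == "severity:" { sev = $2 }
    $1 == "threatId:" { tid = $2; gsub(/[^A-Za-z0-9_-]/, "", tid) }  # strip YAML quotes
    END { check(); exit (n > 0) }
  ' "$1"
}

# write_sample_profile FILE: constructed sample standing in for an export.
write_sample_profile() {
  cat > "$1" <<'EOF'
type: THREAT_PREVENTION
threatPreventionProfile:
  severityOverrides:
  - action: ALLOW
    severity: CRITICAL
  - action: DENY
    severity: MEDIUM
  threatOverrides:
  - action: ALLOW
    threatId: '00000'
EOF
}

sample=$(mktemp)
write_sample_profile "$sample"
audit_profile_yaml "$sample" || echo "findings above: review before running import"
rm -f "$sample"
```

Because an import updates an existing profile of the same name, running this check on the edited file before the import command gives a reviewable record of every relaxed override.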
Add override actions in a threat prevention security profile
You can override the actions associated with specific threat signatures or severity levels in an existing threat prevention security profile.
Console
-  In the Google Cloud console, go to the Security profiles page.
-  Select the Security profiles tab. The tab shows a list of configured security profiles.
-  Select the security profile where you want to override actions, and then click Edit.
-  Under Severity overrides, click Edit next to the severity level that you want to override.
-  In the Override action list, select the appropriate action for the severity level.
-  Click Confirm. 
-  Click Save. 
gcloud
To add an override to a threat prevention security profile, use the gcloud network-security security-profiles threat-prevention add-override command:
    gcloud network-security security-profiles threat-prevention add-override NAME \
        --organization ORGANIZATION_ID \
        --location LOCATION \
        --project PROJECT_ID \
        [--severities SEVERITIES | --threat-ids THREAT_IDS | --antivirus PROTOCOLS] \
        --action ACTION
Replace the following:
-  NAME: the name of the security profile; you can specify the name as a string or as a unique URL identifier.
-  ORGANIZATION_ID: the organization where the security profile is created. If you use a unique URL identifier for the NAME flag, you can omit the ORGANIZATION_ID flag.
-  LOCATION: the location of the security profile. Location is always set to global. If you use a unique URL identifier for the NAME flag, you can omit the LOCATION flag.
-  PROJECT_ID: an optional project ID to use for quotas and access restrictions on the security profile.
-  SEVERITIES: a comma-separated list of severity levels to override the action for. The firewall endpoint applies the configured --action flag to all threats of the specified severity levels. The severity can be any of the following:
   -  INFORMATIONAL
   -  LOW
   -  MEDIUM
   -  HIGH
   -  CRITICAL
-  THREAT_IDS: a comma-separated list of threat signature IDs to override the action for. The firewall endpoint applies the configured --action flag to all threats of the specified threat IDs.
-  PROTOCOLS: a comma-separated list of network protocols to monitor for the antivirus threat. For more information, see supported protocols.
-  ACTION: the action for the specified threat IDs or severities. For more information, see supported actions.
List override actions in a threat prevention security profile
You can list all the override actions in a threat prevention security profile.
Console
-  In the Google Cloud console, go to the Security profiles page.
-  Select the Security profiles tab. The tab shows a list of configured security profiles.
-  Select the security profile to view the configured severity override actions and threat signature override actions.
gcloud
To list all override actions in a threat prevention security profile, use the gcloud network-security security-profiles threat-prevention list-overrides command:
    gcloud network-security security-profiles threat-prevention list-overrides NAME \
        --organization ORGANIZATION_ID \
        --location LOCATION
Replace the following:
-  NAME: the name of the security profile; you can specify the name as a string or as a unique URL identifier.
-  ORGANIZATION_ID: the organization where the security profile is created. If you use a unique URL identifier for the NAME flag, you can omit the ORGANIZATION_ID flag.
-  LOCATION: the location of the security profile. Location is always set to global. If you use a unique URL identifier for the NAME flag, you can omit the LOCATION flag.
Update override actions in a threat prevention security profile
You can update existing override actions for severity levels or threat signatures in a threat prevention security profile.
Console
-  In the Google Cloud console, go to the Security profiles page.
-  Select the Security profiles tab. The tab shows a list of configured security profiles.
-  Select the security profile, and then click Edit.
-  Under Severity overrides, click Edit next to the severity level for which you want to update the override action.
-  In the Override action list, select the appropriate action for the severity level.
-  Click Confirm. 
-  Click Save. 
gcloud
To update an override action in a threat prevention security profile, use the gcloud network-security security-profiles threat-prevention update-override command:
    gcloud network-security security-profiles threat-prevention update-override NAME \
        --organization ORGANIZATION_ID \
        --location LOCATION \
        --project PROJECT_ID \
        [--severities SEVERITIES | --threat-ids THREAT_IDS | --antivirus PROTOCOLS] \
        --action ACTION
Replace the following:
-  NAME: the name of the security profile; you can specify the name as a string or as a unique URL identifier.
-  ORGANIZATION_ID: the organization where the security profile is created. If you use a unique URL identifier for the NAME flag, you can omit the ORGANIZATION_ID flag.
-  LOCATION: the location of the security profile. Location is always set to global. If you use a unique URL identifier for the NAME flag, you can omit the LOCATION flag.
-  PROJECT_ID: an optional project ID to use for quotas and access restrictions on the security profile.
-  SEVERITIES: a comma-separated list of severity levels you want to update overrides for. The severity can be any of the following:
   -  INFORMATIONAL
   -  LOW
   -  MEDIUM
   -  HIGH
   -  CRITICAL
-  THREAT_IDS: a comma-separated list of threat signature IDs you want to update overrides for.
-  PROTOCOLS: a comma-separated list of network protocols to monitor for the antivirus threat. The following protocols are supported:
   -  SMTP
   -  SMB
   -  POP3
   -  IMAP
   -  HTTP2
   -  HTTP
   -  FTP
-  ACTION: the default action for the specified threat IDs or severities. The action can be one of the following:
   -  DEFAULT
   -  ALLOW
   -  DENY
   -  ALERT
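A dry-run builder for the add-override and update-override commands above, added here as an example and not taken from the Google Cloud documentation: it checks severities, protocols and actions against the lists on this page, handles both name forms, and prints the command instead of running it. The function names, the numeric check on the organization ID and the sample values are assumptions of this example.

```shell
#!/bin/sh
# Added example: dry-run builder for add-override / update-override.
# It validates the request against the values listed on this page and
# prints the gcloud command for review; it never executes gcloud itself.

SEVERITIES="INFORMATIONAL LOW MEDIUM HIGH CRITICAL"
PROTOCOLS="SMTP SMB POP3 IMAP HTTP2 HTTP FTP"
ACTIONS="DEFAULT ALLOW DENY ALERT"

# in_list VALUE "A B C": succeeds if VALUE is one of the space-separated words.
in_list() {
  for _w in $2; do [ "$1" = "$_w" ] && return 0; done
  return 1
}

# all_in_list "A,B" "A B C": every comma-separated item must be an allowed word.
all_in_list() {
  case "$1" in ''|,*|*,|*,,*|*[!A-Z0-9,]*) return 1 ;; esac
  for _item in $(printf '%s' "$1" | tr ',' ' '); do
    in_list "$_item" "$2" || return 1
  done
}

# build_override_cmd SUBCOMMAND NAME ORG SELECTOR VALUES ACTION
#   SELECTOR is exactly one of: severities | threat-ids | antivirus
build_override_cmd() {
  _sub=$1; _name=$2; _org=$3; _sel=$4; _vals=$5; _act=$6
  in_list "$_sub" "add-override update-override" || { echo "bad subcommand: $_sub" >&2; return 2; }
  in_list "$_act" "$ACTIONS" || { echo "bad action: $_act" >&2; return 2; }
  case "$_sel" in
    severities) all_in_list "$_vals" "$SEVERITIES" ;;
    antivirus)  all_in_list "$_vals" "$PROTOCOLS" ;;
    # Threat ID format is not given on the page: only the list shape is checked.
    threat-ids) case "$_vals" in ''|,*|*,|*,,*|*[!A-Za-z0-9,]*) false ;; esac ;;
    *) false ;;
  esac || { echo "bad --$_sel value: $_vals" >&2; return 2; }
  case "$_name" in
    ''|*[!A-Za-z0-9/_-]*) echo "bad profile name" >&2; return 2 ;;
    # A unique URL identifier already carries organization and location.
    */locations/*/securityProfiles/*) _scope="" ;;
    */*) echo "malformed URL identifier: $_name" >&2; return 2 ;;
    *) case "$_org" in ''|*[!0-9]*) echo "short name needs --organization" >&2; return 2 ;; esac
       _scope=" --organization $_org --location global" ;;   # location is always global
  esac
  printf 'gcloud network-security security-profiles threat-prevention %s %s%s --%s %s --action %s\n' \
    "$_sub" "$_name" "$_scope" "$_sel" "$_vals" "$_act"
}

# Constructed sample request: deny two severities in a profile given by short name.
build_override_cmd add-override example-profile 123456789012 severities HIGH,CRITICAL DENY
```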
Delete override actions from a threat prevention security profile
You can delete existing override actions for severity levels or threat signatures from a threat prevention security profile.
Console
-  In the Google Cloud console, go to the Security profiles page.
-  Select the Security profiles tab. The tab shows a list of configured security profiles.
-  Select the security profile, and then click Edit.
-  Under Severity overrides, click Edit next to the severity level where you want to delete the override action.
-  In the Override action list, select No override.
-  Click Confirm. 
-  Under Signature overrides, select the threat ID that you want to delete. 
-  Click Delete. 
-  Click Save. 
gcloud
To delete an override action from a threat prevention security profile, use the gcloud network-security security-profiles threat-prevention delete-override command:
    gcloud network-security security-profiles threat-prevention delete-override NAME \
        --organization ORGANIZATION_ID \
        --location LOCATION \
        --project PROJECT_ID \
        [--severities SEVERITIES | --threat-ids THREAT_IDS | --antivirus PROTOCOLS]
Replace the following:
-  NAME: the name of the security profile; you can specify the name as a string or as a unique URL identifier.
-  ORGANIZATION_ID: the organization where the security profile is created. If you use a unique URL identifier for the NAME flag, you can omit the ORGANIZATION_ID flag.
-  LOCATION: the location of the security profile. Location is always set to global. If you use a unique URL identifier for the NAME flag, you can omit the LOCATION flag.
-  PROJECT_ID: an optional project ID to use for quotas and access restrictions on the security profile.
-  SEVERITIES: a comma-separated list of severity levels you want to delete overrides for. The severity can be any of the following:
   -  INFORMATIONAL
   -  LOW
   -  MEDIUM
   -  HIGH
   -  CRITICAL
-  THREAT_IDS: a comma-separated list of threat signature IDs you want to delete overrides for.
-  PROTOCOLS: a comma-separated list of network protocols to monitor for the antivirus threat. The following protocols are supported:
   -  SMTP
   -  SMB
   -  POP3
   -  IMAP
   -  HTTP2
   -  HTTP
   -  FTP

