This page assumes that you are familiar with the concepts described in the Global network firewall policies overview.
Firewall policy tasks
This section describes how to create and manage global network firewall policies.
Create a global network firewall policy
When you create a global network firewall policy using the Google Cloud console, you can associate the policy with a Virtual Private Cloud (VPC) network during creation. If you create the policy using the Google Cloud CLI, you must associate the policy with a network after you create the policy.
The VPC network with which the global network firewall policy is associated must be in the same project as the global network firewall policy.
Console
- In the Google Cloud console, go to the Firewall policies page.
- In the project selector list, select your project within your organization.
- Click Create firewall policy.
- In the Policy name field, enter a name for the policy.
- For Deployment scope, select Global.
- To create rules for your policy, click Continue.
- In the Add rules section, click Create firewall rule. For more information, see Create a rule.
- If you want to associate the policy with a network, click Continue.
- In the Associate policy with networks section, click Associate. For more information, see Associate a policy with a network.
- Click Create.
gcloud
gcloud compute network-firewall-policies create \
    NETWORK_FIREWALL_POLICY_NAME \
    --description DESCRIPTION \
    --global
Replace the following:
- NETWORK_FIREWALL_POLICY_NAME: a name for the policy
- DESCRIPTION: a description for the policy
Associate a policy with a network
When you associate a firewall policy with a VPC network, all rules in the firewall policy, except the disabled rules, apply to the VPC network.
Console
- In the Google Cloud console, go to the Firewall policies page.
- In the project selector menu, select your project that contains your policy.
- Click your policy.
- Click the Associations tab.
- Click Add association.
- Select the networks within the project.
- Click Associate.
gcloud
gcloud compute network-firewall-policies associations create \
    --firewall-policy POLICY_NAME \
    --network NETWORK_NAME \
    [--name ASSOCIATION_NAME] \
    --global-firewall-policy
Replace the following:
- POLICY_NAME: either the short name or the system-generated name of the policy.
- NETWORK_NAME: the name of your network.
- ASSOCIATION_NAME: an optional name for the association; if unspecified, the name is set to network-NETWORK_NAME.
Delete an association
If you need to change the global network firewall policy that's associated with a VPC network, we recommend that you first associate a new policy instead of deleting an existing associated policy. You can associate a new policy in one step, which helps to ensure that a global network firewall policy is always associated with the VPC network.
To delete an association between a global network firewall policy and a VPC network, follow the steps mentioned in this section. Rules in the global network firewall policy don't apply to new connections after its association is deleted.
Console
- In the Google Cloud console, go to the Firewall policies page.
- In the project selector menu, select your project or the folder that contains the policy.
- Click your policy.
- Click the Associations tab.
- Select the association that you want to delete.
- Click Remove association.
gcloud
gcloud compute network-firewall-policies associations delete \
    --name ASSOCIATION_NAME \
    --firewall-policy POLICY_NAME \
    --global-firewall-policy
Describe a global network firewall policy
You can view details about a global network firewall policy, including the policy rules and the associated rule attributes. All these rule attributes are counted as part of the rule attribute quota. For more information, see "Rule attributes per global network firewall policy" in the Per firewall policy table.
Console
- In the Google Cloud console, go to the Firewall policies page.
- In the project selector menu, select your project that contains the global network firewall policy.
- Click your policy.
gcloud
gcloud compute network-firewall-policies describe POLICY_NAME \
    --global
Update a global network firewall policy description
The only policy field that can be updated is the Description field.
Console
- In the Google Cloud console, go to the Firewall policies page.
- In the project selector menu, select your project that contains the global network firewall policy.
- Click your policy.
- Click Edit.
- In the Description field, change the text.
- Click Save.
gcloud
gcloud compute network-firewall-policies update POLICY_NAME \
    --description DESCRIPTION \
    --global
List global network firewall policies
You can view a list of the policies available in your project.
Console
- In the Google Cloud console, go to the Firewall policies page.
- In the project selector menu, select your project that contains the policy. The Network firewall policies section shows the policies available in your project.
gcloud
gcloud compute network-firewall-policies list --global
Delete a global network firewall policy
Before you can delete a global network firewall policy, you must delete all of its associations.
Console
- In the Google Cloud console, go to the Firewall policies page.
- In the project selector menu, select your project that contains the policy.
- Click the policy that you want to delete.
- Click the Associations tab.
- Select all associations.
- Click Remove association.
- After all associations are removed, click Delete.
gcloud
Use the following command to delete the policy:
gcloud compute network-firewall-policies delete POLICY_NAME \
    --global
Firewall policy rule tasks
This section describes how to create and manage global network firewall policy rules.
Create a rule
Each rule in a global network firewall policy is either an ingress rule or an egress rule with a unique priority. For details about the other parameters of a rule, including valid source combinations and destination combinations, see Firewall policy rules.
Console
- In the Google Cloud console, go to the Firewall policies page.
- In the project selector menu, select your project that contains your policy.
- Click the name of your global policy.
- On the Firewall rules tab, click Create firewall rule.
- Fill in the rule fields:
  - In the Priority field, set the order number for the rule, where 0 is the highest priority. Priorities must be unique for each rule. We recommend that you separate rule priority values by more than just a difference of one (for example, 100, 200, 300) so that you can create new rules between the existing rules later.
  - For Direction of traffic, choose ingress or egress.
  - For Action on match, choose one of the following options:
    - Allow: allows the connections that match the rule.
    - Deny: denies the connections that match the rule.
    - Go to next: passes the evaluation of the connection to the next lower firewall rule in the hierarchy.
    - Apply security profile group: sends the packets to the configured firewall endpoint for Layer 7 inspection and prevention.
      - In the Security profile group list, select the name of a security profile group.
      - To enable TLS inspection of the packets, select Enable TLS inspection.
  - Set Logs collection to On or Off.
- Specify the target of the rule. Choose one of the following options for the Target field:
  - If you want the rule to apply to all instances in the network, choose Apply to all.
  - If you want the rule to apply to select instances by associated service account, first choose Service accounts, then, in Service account scope, indicate whether the service account is in the current project or in another one and, in the Target service account field, choose or type the service account name.
  - If you want the rule to apply to select instances by secure tags, choose Secure tags.
    - Click Select scope for tags and select the organization or project in which you want to create secure tags. Enter the key-value pairs to which the rule is to apply.
    - To add more key-value pairs, click Add tag.
- For an ingress rule, specify the source network type:
  - To filter incoming traffic belonging to any network type, select All network types.
  - To filter incoming traffic belonging to a specific network type, select Specific network type.
    - To filter incoming traffic belonging to the internet (INTERNET) network type, select Internet.
    - To filter incoming traffic belonging to the non-internet (NON-INTERNET) network type, select Non-internet.
    - To filter incoming traffic belonging to the intra VPC (INTRA_VPC) network type, select Intra VPC.
    - To filter incoming traffic belonging to the VPC networks (VPC_NETWORKS) type, select VPC networks, and then specify one or more networks using the following button:
      - Select current project: lets you add one or more networks from the current project.
      - Manually enter network: lets you manually enter a project and network.
      - Select project: lets you choose a project from which you can choose a network.
  For more information about the network types, see Network types.
- For an egress rule, specify the destination network type:
  - To filter outgoing traffic belonging to any network type, select All network types.
  - To filter outgoing traffic belonging to a specific network type, select Specific network type.
    - To filter outgoing traffic belonging to the internet (INTERNET) network type, select Internet.
    - To filter outgoing traffic belonging to the non-internet (NON-INTERNET) network type, select Non-internet.
  For more information about the network types, see Network types.
For an ingress rule, specify the source filter:
- To filter incoming traffic by source IPv4 ranges, select IPv4, and then enter the CIDR blocks in the IP rangesfield. Use
0.0.0.0/0for any IPv4 source. - To filter incoming traffic by source IPv6 ranges, select IPv6,
and then enter the CIDR blocks into the IPv6 rangesfield. Use
::/0for any IPv6 source. -
To limit source by secure tags, in the Secure tagssection, click Select scope for tags.
- Select the organization or project for which you want to create tags. Enter the key-value pairs to which the rule is to apply.
- To add more key-value pairs, click Add tag.
- To filter incoming traffic by source IPv4 ranges, select IPv4, and then enter the CIDR blocks in the IP rangesfield. Use
-
For an egress rule, specify the destination filter:
- To filter outgoing traffic by destination IPv4 ranges, select IPv4, and then enter the CIDR blocks in the IP rangesfield. Use
0.0.0.0/0for any IPv4 destination. - To filter outgoing traffic by destination IPv6 ranges, select IPv6,
and then enter the CIDR blocks into the IPv6 rangesfield. Use
::/0for any IPv6 destination.
- To filter outgoing traffic by destination IPv4 ranges, select IPv4, and then enter the CIDR blocks in the IP rangesfield. Use
- Optional: If you are creating an ingress rule, specify the source FQDNs that this rule applies to. If you are creating an egress rule, select the destination FQDNs that this rule applies to. For more information about domain name objects, see FQDN objects.
- Optional: If you are creating an ingress rule, select the source geolocations that this rule applies to. If you are creating an egress rule, select the destination geolocations that this rule applies to. For more information about geolocation objects, see Geolocation objects.
- Optional: If you are creating an ingress rule, select the source address groups that this rule applies to. If you are creating an egress rule, select the destination address groups that this rule applies to. For more information about address groups, see Address groups for firewall policies.
- Optional: If you are creating an ingress rule, select the source Google Cloud Threat Intelligence lists that this rule applies to. If you are creating an egress rule, select the destination Google Cloud Threat Intelligence lists that this rule applies to. For more information about Google Threat Intelligence, see Google Threat Intelligence for firewall policy rules.
- Optional: For an ingress rule, specify the destination filters:
  - To filter incoming traffic by destination IPv4 ranges, select IPv4 and enter the CIDR blocks into the IP ranges field. Use 0.0.0.0/0 for any IPv4 destination.
  - To filter incoming traffic by destination IPv6 ranges, select IPv6 ranges and enter the CIDR blocks into the Destination IPv6 ranges field. Use ::/0 for any IPv6 destination.
  For more information, see Destinations for ingress rules.
- Optional: For an egress rule, specify the source filter:
  - To filter outgoing traffic by source IPv4 ranges, select IPv4, and then enter the CIDR blocks in the IP ranges field. Use 0.0.0.0/0 for any IPv4 source.
  - To filter outgoing traffic by source IPv6 ranges, select IPv6, and then enter the CIDR blocks into the IPv6 ranges field. Use ::/0 for any IPv6 source.
  For more information, see Sources for egress rules.
- For Protocols and ports, either specify that the rule applies to all protocols and all destination ports, or specify the protocols and destination ports to which the rule applies.
- Click Create.
- Click Create firewall rule to add another rule.
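The priority ordering, the skipping of disabled rules, and the Go to next action described in the steps above are easier to reason about with a concrete policy in front of you. The following Python script is an added example, not Google Cloud code and not the product's evaluation engine: it simulates how one global network firewall policy selects a rule for a connection (lowest priority number first, disabled rules skipped, Allow and Deny terminal, Go to next handing the connection to the next step of the evaluation process). The rules, tag names and addresses are constructed for illustration, and the matching model is deliberately reduced to targets by tag, source and destination IP ranges, and Layer 4 protocol and port.

```python
"""Simulates rule selection within one global network firewall policy:
lowest priority number first, disabled rules skipped, allow/deny terminal,
goto_next handing the connection to the next step of the evaluation
process. Added example, not Google Cloud code; all data is constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    priority: int                 # 0 is the highest priority
    direction: str                # "INGRESS" or "EGRESS"
    action: str                   # allow | deny | goto_next | apply_security_profile_group
    src_ip_ranges: list = field(default_factory=list)   # empty list = any source
    dest_ip_ranges: list = field(default_factory=list)  # empty list = any destination
    layer4_configs: list = field(default_factory=lambda: ["all"])  # "tcp:22", "tcp:5000-6000", "udp"
    target_tags: list = field(default_factory=list)     # empty list = broadest target
    disabled: bool = False


@dataclass
class Connection:
    direction: str
    src_ip: str
    dest_ip: str
    protocol: str
    dest_port: int
    vm_tags: list = field(default_factory=list)  # secure tags bound to the VM


def _ip_in_ranges(ip, ranges):
    if not ranges:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def _layer4_match(protocol, port, configs):
    for cfg in configs:
        if cfg == "all":
            return True
        proto, _, ports = cfg.partition(":")
        if proto != protocol:
            continue
        if not ports:                      # protocol without a port matches every port
            return True
        lo, _, hi = ports.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule_matches(rule, conn):
    """Disabled rules never match; a target by tag restricts which VMs the rule covers."""
    if rule.disabled or rule.direction != conn.direction:
        return False
    if rule.target_tags and not set(rule.target_tags) & set(conn.vm_tags):
        return False
    return (_ip_in_ranges(conn.src_ip, rule.src_ip_ranges)
            and _ip_in_ranges(conn.dest_ip, rule.dest_ip_ranges)
            and _layer4_match(conn.protocol, conn.dest_port, rule.layer4_configs))


def evaluate(policy, conn):
    """Return (decision, priority). decision is "allow", "deny", "inspect"
    (apply_security_profile_group) or "next_step" when this policy does not
    decide: a goto_next rule matched, or no rule matched at all."""
    priorities = [r.priority for r in policy]
    if len(priorities) != len(set(priorities)):
        raise ValueError("priorities must be unique within a policy")
    for rule in sorted(policy, key=lambda r: r.priority):   # 0 is evaluated first
        if not rule_matches(rule, conn):
            continue
        if rule.action == "goto_next":
            return ("next_step", rule.priority)
        if rule.action == "apply_security_profile_group":
            return ("inspect", rule.priority)
        return (rule.action, rule.priority)
    return ("next_step", None)


# Constructed sample policy: SSH to tagged bastions from the internal range is
# allowed, all other SSH is denied, other internal traffic is deferred to the
# next step, and everything else is denied. Rule 400 is disabled on purpose.
POLICY = [
    Rule(100, "INGRESS", "allow", src_ip_ranges=["10.0.0.0/8"],
         layer4_configs=["tcp:22"], target_tags=["bastion"]),
    Rule(200, "INGRESS", "deny", src_ip_ranges=["0.0.0.0/0"], layer4_configs=["tcp:22"]),
    Rule(300, "INGRESS", "goto_next", src_ip_ranges=["10.0.0.0/8"]),
    Rule(400, "INGRESS", "allow", src_ip_ranges=["10.0.0.0/8"], disabled=True),
    Rule(1000, "INGRESS", "deny", src_ip_ranges=["0.0.0.0/0"]),
]

if __name__ == "__main__":
    for conn in (Connection("INGRESS", "10.1.2.3", "10.0.0.5", "tcp", 22, ["bastion"]),
                 Connection("INGRESS", "10.1.2.3", "10.0.0.6", "tcp", 443),
                 Connection("INGRESS", "203.0.113.5", "10.0.0.6", "tcp", 443)):
        print(conn.src_ip, conn.protocol, conn.dest_port, "->", evaluate(POLICY, conn))
```

Two behaviours are worth noticing when you run it: internal HTTPS traffic stops at rule 300 with a `next_step` result even though rule 1000 would deny it, because Go to next ends this policy's evaluation, and the disabled rule 400 never influences the outcome, which matches the statement that all rules except disabled ones apply to the associated network.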
gcloud
To create an ingress rule, use the following command:
gcloud compute network-firewall-policies rules create PRIORITY \
    --firewall-policy POLICY_NAME \
    --global-firewall-policy \
    --description DESCRIPTION \
    --direction INGRESS \
    --action ACTION \
    [--enable-logging | --no-enable-logging] \
    [--disabled | --no-disabled] \
    [--target-secure-tags TARGET_SECURE_TAGS] \
    [--target-service-accounts TARGET_SERVICE_ACCOUNTS] \
    [--layer4-configs LAYER_4_CONFIGS] \
    [--src-ip-ranges SRC_IP_RANGES] \
    [--src-address-groups SRC_ADDRESS_GROUPS] \
    [--src-fqdns SRC_DOMAIN_NAMES] \
    [--src-secure-tags SRC_SECURE_TAGS] \
    [--src-region-codes SRC_COUNTRY_CODES] \
    [--src-threat-intelligence SRC_THREAT_LIST_NAMES] \
    [--src-network-type SRC_NETWORK_TYPE] \
    [--src-networks SRC_VPC_NETWORK] \
    [--dest-ip-ranges DEST_IP_RANGES]
Replace the following:
- PRIORITY: the numeric evaluation order of the rule within the policy. The rules are evaluated from highest to lowest priority, where 0 is the highest priority. Priorities must be unique for each rule. We recommend that you separate rule priority values by more than just a difference of one (for example, 100, 200, 300) so that you can create new rules between the existing rules later.
- POLICY_NAME: the name of the global network firewall policy that contains the new rule.
- DESCRIPTION: an optional description for the new rule.
- ACTION: specify one of the following actions:
  - allow: allows connections that match the rule.
  - deny: denies connections that match the rule.
  - apply_security_profile_group: transparently sends the packets to the configured firewall endpoint for Layer 7 inspection. When the action is apply_security_profile_group:
    - You must include --security-profile-group SECURITY_PROFILE_GROUP, where SECURITY_PROFILE_GROUP is the name of a security profile group used for Layer 7 inspection.
    - Include either --tls-inspect or --no-tls-inspect to enable or disable TLS inspection.
  - goto_next: continues to the next step of the Firewall rule evaluation process.
- The --enable-logging and --no-enable-logging parameters enable or disable Firewall Rules Logging.
- The --disabled and --no-disabled parameters control whether the rule is disabled (not enforced) or enabled (enforced).
- Specify a target:
  - TARGET_SECURE_TAGS: a comma-separated list of secure tags.
  - TARGET_SERVICE_ACCOUNTS: a comma-separated list of service accounts.
  - If you omit both the --target-secure-tags and --target-service-accounts parameters, the rule applies to the broadest target.
- LAYER_4_CONFIGS: a comma-separated list of Layer 4 configurations. Each Layer 4 configuration can be one of the following:
  - An IP protocol name (tcp) or IANA IP protocol number (17) without any destination port.
  - An IP protocol name and destination port separated by a colon (tcp:80).
  - An IP protocol name and destination port range separated by a colon, using a dash to separate the beginning and ending destination ports (tcp:5000-6000).
  For more information, see Protocols and ports.
- Specify a source for the ingress rule:
  - SRC_IP_RANGES: a comma-separated list of IP address ranges in CIDR format. Ranges in the list must all be either IPv4 CIDRs or IPv6 CIDRs, not a combination of both.
  - SRC_ADDRESS_GROUPS: a comma-separated list of address groups specified by their unique URL identifiers. Address groups in the list must contain all IPv4 addresses or all IPv6 addresses, not a combination of both.
  - SRC_DOMAIN_NAMES: a comma-separated list of FQDN objects specified in the domain name format.
  - SRC_SECURE_TAGS: a comma-separated list of Tags. You cannot use the --src-secure-tags parameter if the --src-network-type is INTERNET.
  - SRC_COUNTRY_CODES: a comma-separated list of two-letter country codes. For more information, see Geolocation objects. You cannot use the --src-region-codes parameter if the --src-network-type is NON_INTERNET, VPC_NETWORK, or INTRA_VPC.
  - SRC_THREAT_LIST_NAMES: a comma-separated list of names of Google Threat Intelligence lists. For more information, see Google Threat Intelligence for firewall policy rules. You cannot use the --src-threat-intelligence parameter if the --src-network-type is NON_INTERNET, VPC_NETWORK, or INTRA_VPC.
  - SRC_NETWORK_TYPE: defines a source network type to be used in conjunction with another supported source parameter to produce a specific source combination. Valid values are INTERNET, NON_INTERNET, VPC_NETWORK, or INTRA_VPC. For more information, see Network types.
  - SRC_VPC_NETWORK: a comma-separated list of VPC networks specified by their URL identifiers. Specify this parameter only when the --src-network-type is VPC_NETWORKS.
- Optionally, specify a destination for the ingress rule:
  - DEST_IP_RANGES: a comma-separated list of IP address ranges in CIDR format. Ranges in the list must all be either IPv4 CIDRs or IPv6 CIDRs, not a combination of both.
To create an egress rule, use the following command:
gcloud compute network-firewall-policies rules create PRIORITY \
    --firewall-policy POLICY_NAME \
    --global-firewall-policy \
    --description DESCRIPTION \
    --direction EGRESS \
    --action ACTION \
    [--enable-logging | --no-enable-logging] \
    [--disabled | --no-disabled] \
    [--target-secure-tags TARGET_SECURE_TAGS] \
    [--target-service-accounts TARGET_SERVICE_ACCOUNTS] \
    [--layer4-configs LAYER_4_CONFIGS] \
    [--src-ip-ranges SRC_IP_RANGES] \
    [--dest-ip-ranges DEST_IP_RANGES] \
    [--dest-address-groups DEST_ADDRESS_GROUPS] \
    [--dest-fqdns DEST_DOMAIN_NAMES] \
    [--dest-region-codes DEST_COUNTRY_CODES] \
    [--dest-threat-intelligence DEST_THREAT_LIST_NAMES] \
    [--dest-network-type DEST_NETWORK_TYPE]
Replace the following:
- PRIORITY: the numeric evaluation order of the rule within the policy. The rules are evaluated from highest to lowest priority, where 0 is the highest priority. Priorities must be unique for each rule. We recommend that you separate rule priority values by more than just a difference of one (for example, 100, 200, 300) so that you can create new rules between the existing rules later.
- POLICY_NAME: the name of the global network firewall policy that contains the new rule.
- DESCRIPTION: an optional description for the new rule.
- ACTION: specify one of the following actions:
  - allow: allows connections that match the rule.
  - deny: denies connections that match the rule.
  - apply_security_profile_group: transparently sends the packets to the configured firewall endpoint for Layer 7 inspection. When the action is apply_security_profile_group:
    - You must include --security-profile-group SECURITY_PROFILE_GROUP, where SECURITY_PROFILE_GROUP is the name of a security profile group used for Layer 7 inspection.
    - Include either --tls-inspect or --no-tls-inspect to enable or disable TLS inspection.
  - goto_next: continues to the next step of the Firewall rule evaluation process.
- The --enable-logging and --no-enable-logging parameters enable or disable Firewall Rules Logging.
- The --disabled and --no-disabled parameters control whether the rule is disabled (not enforced) or enabled (enforced).
- Specify a target:
  - TARGET_SECURE_TAGS: a comma-separated list of secure tags.
  - TARGET_SERVICE_ACCOUNTS: a comma-separated list of service accounts.
  - If you omit both the --target-secure-tags and --target-service-accounts parameters, the rule applies to the broadest target.
- LAYER_4_CONFIGS: a comma-separated list of Layer 4 configurations. Each Layer 4 configuration can be one of the following:
  - An IP protocol name (tcp) or IANA IP protocol number (17) without any destination port.
  - An IP protocol name and destination port separated by a colon (tcp:80).
  - An IP protocol name and destination port range separated by a colon, using a dash to separate the beginning and ending destination ports (tcp:5000-6000).
  For more information, see Protocols and ports.
- Optionally, specify a source for the egress rule:
  - SRC_IP_RANGES: a comma-separated list of IP address ranges in CIDR format. Ranges in the list must all be either IPv4 CIDRs or IPv6 CIDRs, not a combination of both.
- Specify a destination for the egress rule:
  - DEST_IP_RANGES: a comma-separated list of IP address ranges in CIDR format. Ranges in the list must all be either IPv4 CIDRs or IPv6 CIDRs, not a combination of both.
  - DEST_ADDRESS_GROUPS: a comma-separated list of address groups specified by their unique URL identifiers.
  - DEST_DOMAIN_NAMES: a comma-separated list of FQDN objects specified in the domain name format.
  - DEST_COUNTRY_CODES: a comma-separated list of two-letter country codes. For more information, see Geolocation objects.
  - DEST_THREAT_LIST_NAMES: a comma-separated list of names of Google Threat Intelligence lists. For more information, see Google Threat Intelligence for firewall policy rules.
  - DEST_NETWORK_TYPE: defines a destination network type to be used in conjunction with another supported destination parameter to produce a specific destination combination. Valid values are INTERNET and NON_INTERNET. For more information, see Network types.
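The two command references above carry a number of constraints that gcloud only reports once the command is run: priorities must be unique within the policy, a range list must not mix IPv4 and IPv6 CIDRs, layer4-configs entries have a fixed syntax, apply_security_profile_group needs --security-profile-group and a --tls-inspect choice, some source flags are incompatible with particular --src-network-type values, and each direction accepts its own set of source and destination flags. The following Python pre-flight checker is an added example, not gcloud's own validation and not Google Cloud code: it applies those constraints to a rule specification (a dict keyed by flag name) and builds the argv for gcloud compute network-firewall-policies rules create. The policy name, service account and addresses in SAMPLE_RULE are constructed, and the network-type spellings (VPC_NETWORKS, NON_INTERNET) follow this page's flag descriptions and should be checked against your gcloud version.

```python
"""Pre-flight checks for `gcloud compute network-firewall-policies rules create`
arguments, encoding the constraints listed on this page. Added example, not
gcloud's own validation; flag names and value spellings follow this page."""
import ipaddress

ACTIONS = {"allow", "deny", "apply_security_profile_group", "goto_next"}
SRC_NETWORK_TYPES = {"INTERNET", "NON_INTERNET", "VPC_NETWORKS", "INTRA_VPC"}
DEST_NETWORK_TYPES = {"INTERNET", "NON_INTERNET"}
POSITIONAL = ("firewall-policy", "priority", "direction", "action")
COMMON = set(POSITIONAL) | {"description", "enable-logging", "disabled",
                            "target-secure-tags", "target-service-accounts", "layer4-configs",
                            "src-ip-ranges", "dest-ip-ranges", "security-profile-group", "tls-inspect"}
INGRESS_ONLY = {"src-address-groups", "src-fqdns", "src-secure-tags", "src-region-codes",
                "src-threat-intelligence", "src-network-type", "src-networks"}
EGRESS_ONLY = {"dest-address-groups", "dest-fqdns", "dest-region-codes",
               "dest-threat-intelligence", "dest-network-type"}


def _layer4_ok(cfg):
    """Accepts tcp | 17 | tcp:80 | tcp:5000-6000; a protocol number takes no port."""
    proto, sep, ports = cfg.partition(":")
    if proto.isdigit():
        return not sep and int(proto) <= 255
    if not (proto.isascii() and proto.isalpha()):
        return False
    if not sep:
        return True
    lo, _, hi = ports.partition("-")
    if not lo.isdigit() or not (hi == "" or hi.isdigit()):
        return False
    return int(lo) <= int(hi or lo) <= 65535


def validate_rule(spec, existing_priorities=()):
    """Return a list of problems; empty when spec satisfies the page's constraints.
    spec keys are gcloud flag names without the leading dashes."""
    problems = []
    direction, action = spec.get("direction"), spec.get("action")
    if spec.get("priority") in existing_priorities:
        problems.append(f"priority {spec.get('priority')} is already used in this policy")
    if direction not in ("INGRESS", "EGRESS"):
        problems.append("direction must be INGRESS or EGRESS")
    if action not in ACTIONS:
        problems.append(f"unknown action {action!r}")
    unknown = set(spec) - COMMON - INGRESS_ONLY - EGRESS_ONLY
    if unknown:
        problems.append(f"unsupported keys: {sorted(unknown)}")
    wrong = set(spec) & (EGRESS_ONLY if direction == "INGRESS" else INGRESS_ONLY)
    if wrong:
        problems.append(f"{direction} rules do not accept {sorted(wrong)}")
    if action == "apply_security_profile_group" and not (
            "security-profile-group" in spec and "tls-inspect" in spec):
        problems.append("apply_security_profile_group requires security-profile-group and tls-inspect")
    for flag in ("src-ip-ranges", "dest-ip-ranges"):   # one address family per list
        try:
            families = {ipaddress.ip_network(r, strict=False).version for r in spec.get(flag, ())}
        except ValueError as exc:
            problems.append(f"{flag}: {exc}")
            continue
        if len(families) > 1:
            problems.append(f"{flag}: ranges must be all IPv4 or all IPv6, not mixed")
    problems += [f"layer4-configs: bad entry {c!r}" for c in spec.get("layer4-configs", ())
                 if not _layer4_ok(c)]
    snt = spec.get("src-network-type")
    if snt is not None and snt not in SRC_NETWORK_TYPES:
        problems.append(f"src-network-type must be one of {sorted(SRC_NETWORK_TYPES)}")
    if snt == "INTERNET" and "src-secure-tags" in spec:
        problems.append("src-secure-tags cannot be used with src-network-type INTERNET")
    if snt in SRC_NETWORK_TYPES - {"INTERNET"}:
        problems += [f"{f} cannot be used with src-network-type {snt}"
                     for f in ("src-region-codes", "src-threat-intelligence") if f in spec]
    if "src-networks" in spec and snt != "VPC_NETWORKS":
        problems.append("src-networks requires src-network-type VPC_NETWORKS")
    dnt = spec.get("dest-network-type")
    if dnt is not None and dnt not in DEST_NETWORK_TYPES:
        problems.append(f"dest-network-type must be one of {sorted(DEST_NETWORK_TYPES)}")
    return problems


def build_rule_create(spec, existing_priorities=()):
    """Validate spec and return the argv list for the gcloud command."""
    problems = validate_rule(spec, existing_priorities)
    if problems:
        raise ValueError("; ".join(problems))
    argv = ["gcloud", "compute", "network-firewall-policies", "rules", "create",
            str(spec["priority"]), "--firewall-policy", spec["firewall-policy"],
            "--global-firewall-policy", "--direction", spec["direction"],
            "--action", spec["action"]]
    for key in sorted(k for k in spec if k not in POSITIONAL):
        value = spec[key]
        if isinstance(value, bool):                  # --enable-logging / --no-enable-logging
            argv.append(f"--{key}" if value else f"--no-{key}")
        elif isinstance(value, (list, tuple)):       # comma-separated list flags
            argv += [f"--{key}", ",".join(value)]
        else:
            argv += [f"--{key}", str(value)]
    return argv


# Constructed sample: SSH and ICMP from internal ranges to VMs running one service account.
SAMPLE_RULE = {
    "firewall-policy": "example-policy",
    "priority": 100,
    "direction": "INGRESS",
    "action": "allow",
    "enable-logging": True,
    "target-service-accounts": ["bastion@example-project.iam.gserviceaccount.com"],
    "src-ip-ranges": ["10.0.0.0/8", "192.168.0.0/16"],
    "layer4-configs": ["tcp:22", "icmp"],
}
```

Running `print(" ".join(build_rule_create(SAMPLE_RULE)))` prints the command to paste into a shell; passing the priorities already present in the policy (for example from the describe command) as existing_priorities catches a collision before gcloud does. The checker is intentionally strict about keys it does not know, so a typo in a flag name is reported rather than silently passed through.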
Update a rule
For flag descriptions, see Create a rule.
Console
- In the Google Cloud console, go to the Firewall policies page.
- In the project selector menu, select your project that contains the policy.
- Click your policy.
- Click the priority of the rule.
- Click Edit.
- Modify the fields that you want to change.
- Click Save.
gcloud
gcloud compute network-firewall-policies rules update RULE_PRIORITY \
    --firewall-policy POLICY_NAME \
    --global-firewall-policy \
    [...flags you want to modify...]
Describe a rule
Console
- In the Google Cloud console, go to the Firewall policies page.
- In the project selector menu, select your project that contains the policy.
- Click your policy.
- Click the priority of the rule.
gcloud
gcloud compute network-firewall-policies rules describe PRIORITY \
    --firewall-policy POLICY_NAME \
    --global-firewall-policy
Replace the following:
- PRIORITY: the priority number that uniquely identifies the rule.
- POLICY_NAME: the name of the policy that contains the rule.
Delete a rule
Deleting a rule from a policy causes the rule to no longer apply to new connections to or from the rule's target.
Console
- In the Google Cloud console, go to the Firewall policies page.
- In the project selector menu, select your project that contains the policy.
- Click your policy.
- Select the rule that you want to delete.
- Click Delete.
gcloud
gcloud compute network-firewall-policies rules delete PRIORITY \
    --firewall-policy POLICY_NAME \
    --global-firewall-policy
Replace the following:
- PRIORITY: the priority number that uniquely identifies the rule.
- POLICY_NAME: the policy that contains the rule.
Clone rules from one policy to another
Cloning copies the rules from a source policy to a target policy, replacing all existing rules in the target policy.
Console
- In the Google Cloud console, go to the Firewall policies page.
- In the project selector menu, select your project that contains the policy.
- Click the policy from which you want to copy the rules.
- Click Clone at the top of the screen.
- Provide the name of a target policy.
- If you want to associate the new policy immediately, click Continue > Associate.
- In the Associate policy with VPC networks page, select the networks and click Associate.
- Click Continue.
- Click Clone.
gcloud
gcloud compute network-firewall-policies clone-rules TARGET_POLICY \
    --global \
    --source-firewall-policy SOURCE_POLICY
Replace the following:
- TARGET_POLICY: the name of the target policy.
- SOURCE_POLICY: the URL of the source policy.
Get effective firewall rules for a network
You can view all hierarchical firewall policy rules, VPC firewall rules, and global network firewall policy rules that apply to all regions of a VPC network.
Console
- In the Google Cloud console, go to the VPC networks page.
- Click the network for which you want to view firewall policy rules.
- On the VPC network details page, click the Firewalls tab.
- To view the rules that apply to this network, click the Firewall rule view tab.
gcloud
gcloud compute networks get-effective-firewalls NETWORK_NAME
Replace the following:
- NETWORK_NAME: the network for which you want to view the effective rules.
You can also view effective firewall rules for a network from the Firewall page.
Console
- In the Google Cloud console, go to the Firewall policies page.
- The firewall policies are listed in the Firewall policies inherited by this project section.
- Click each firewall policy to view the rules that apply to this network.
Get effective firewall rules for a VM interface
You can view all firewall rules—from all applicable firewall policies and VPC firewall rules—that apply to a network interface of a Compute Engine VM.
Console
- In the Google Cloud console, go to the VM instances page.
- In the project selector menu, select the project that contains the VM.
- Click the VM.
- For Network interfaces, click the name of the interface.
- In the Network configuration analysis section, click the Firewalls tab.
- To view the effective firewall rules, click the Firewall rule view tab.
gcloud
gcloud compute instances network-interfaces get-effective-firewalls INSTANCE_NAME \
    [--network-interface INTERFACE] \
    [--zone ZONE]
Replace the following:
- INSTANCE_NAME: the VM for which you want to view the effective rules; if no interface is specified, the command returns rules for the primary interface (nic0).
- INTERFACE: the VM interface for which you want to view the effective rules; the default value is nic0.
- ZONE: the zone of the VM; this flag is optional if the chosen zone is already set as the default.

