Some or all of the information on this page might not apply to Cloud de Confiance by S3NS. See Differences from Google Cloud for more details.

Use hierarchical firewall policies and rules

This page assumes that you are familiar with the concepts described in the Hierarchical firewall policies overview. To see examples of hierarchical firewall policy implementations, see Hierarchical firewall policy examples.

Limitations

Hierarchical firewall policy rules don't support using network tags to define targets. You must use a target Virtual Private Cloud (VPC) network or target service account instead.
Firewall policies can be applied at the folder and the organization level, but not at the VPC network level. Regular VPC firewall rules are supported for VPC networks.
Only one firewall policy can be associated to a resource (folder or organization), although the virtual machine (VM) instances in a folder can inherit rules from the entire hierarchy of resources above the VM.
Firewall Rules Logging is supported for allow and deny rules but not for goto_next rules.
IPv6 Hop-by-Hop protocol isn't supported in firewall rules.

Firewall policy tasks

This section describes how to create and manage hierarchical firewall policies.

To check the progress of an operation that results from a task listed in this section, make sure that your IAM principal has the following permissions or roles in addition to the permissions or roles required for each task.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy

Roles

Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on the organization

Create a firewall policy

When you create a hierarchical firewall policy, you can set its parent to either the organization or a folder within the organization. After creating the policy, you can associate the policy with the organization or a folder in the organization.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.firewallPolicies.create

Roles

Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on the organization or folder where you want to create the policy
Compute Security Admin (roles/compute.securityAdmin) on the organization or folder where you want to create the policy

Console

In the Cloud de Confiance console, go to the Firewall policies page.

Go to Firewall policies
In the project selector menu, select your organization ID or a folder within your organization.
Click Create firewall policy.
In the Policy name field, enter a name for the policy.
Optional: If you want to create rules for your policy, click Continue.
In the Add rules section, click Create firewall rule. For more information about creating firewall rules, see the following:
- Create an ingress rule for VM targets
- Create an egress rule for VM targets
Optional: If you want to associate the policy with a resource, click Continue.
In the Associate policy with resources section, click Add.

For more information, see Associate a policy with the organization or folder.
Click Create.

gcloud

Run these commands to create a hierarchical firewall policy whose parent is an organization:

gcloud compute firewall-policies create \
    --organization ORG_ID \
    --short-name SHORT_NAME

Run these commands to create a hierarchical firewall policy whose parent is a folder within an organization:

gcloud compute firewall-policies create \
    --folder FOLDER_ID \
    --short-name SHORT_NAME

Replace the following:

ORG_ID: your organization's ID

Specify an organization ID to create a policy whose parent is an organization. The policy can be associated with the organization or a folder within the organization.
SHORT_NAME: a name for the policy

A policy created by using the Google Cloud CLI has two names: a system-generated name and a short name provided by you. When using the gcloud CLI to update an existing policy, you can provide either the system-generated name or the short name and the organization ID. When using the API to update the policy, you must provide the system-generated name.
FOLDER_ID: the ID of a folder

Specify a folder ID to create a policy whose parent is a folder. The policy can be associated with the organization that contains the folder or any folder within that organization.

Associate a policy with the organization or folder

When you associate a hierarchical firewall policy with an organization or folder in an organization, the firewall policy's rules—except for disabled rules and subject to each rule's target—apply to resources in VPC networks in projects of the associated organization or folder.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.firewallPolicies.use
compute.organizations.setFirewallPolicy

Roles

Compute Organization Resource Admin (roles/compute.orgSecurityResourceAdmin) on the organization or folder to which the firewall policy should apply
And one of the following roles:
- Compute Network Admin (roles/compute.networkAdmin) on the firewall policy or organization or folder that contains the firewall policy
- Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on the firewall policy or organization or folder that contains the firewall policy
- Compute Organization Firewall Policy User (roles/compute.orgFirewallPolicyUser ) on the firewall policy or organization or folder that contains the firewall policy
- Compute Organization Security Policy Admin (roles/compute.orgSecurityPolicyAdmin) on the firewall policy or organization or folder that contains the firewall policy
- Compute Organization Security Policy User (roles/compute.orgSecurityPolicyUser) on the firewall policy or organization or folder that contains the firewall policy
- Compute Security Admin (roles/compute.securityAdmin) on the firewall policy or organization or folder that contains the firewall policy

Console

In the Cloud de Confiance console, go to the Firewall policies page.

Go to Firewall policies
In the project selector menu, select your organization ID or the folder that contains your policy.
Click your policy.
Click the Associations tab.
Click Add Association.
Select the organization root or select folders within the organization.
Click Add.

gcloud

By default, if you attempt to insert an association to an organization or folder that already has an association, the method fails. If you specify the --replace-association-on-target flag, the existing association is deleted at the same time that the new association is created. This prevents the resource from being without a policy during the transition.

gcloud compute firewall-policies associations create \
    --firewall-policy POLICY_NAME \
    --organization ORG_ID \
    [ --folder FOLDER_ID ] \
    [ --name ASSOCIATION_NAME ] \
    [ --replace-association-on-target ]

Replace the following:

POLICY_NAME: either the short name or the system-generated name of the policy
ORG_ID: your organization's ID
FOLDER_ID: if you are associating the policy with a folder, specify it here; omit if you are associating the policy to the organization level
ASSOCIATION_NAME: an optional name for the association; if unspecified, the name is set to "organization ORG_ID" or "folder FOLDER_ID"

Move a policy from one resource to another

Moving a policy only changes the parent of the policy. Changing the parent of the policy might change which IAM principals can create and update rules in the policy and which IAM principals can create future associations.

Moving a policy doesn't change any existing policy associations or the evaluation of rules in the policy.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.firewallPolicies.move

Roles

Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on both the new parent (organization or folder) resource and the previous parent resource or the policy itself
Compute Security Admin (roles/compute.securityAdmin) on both the new parent (organization or folder) resource and the previous parent resource or the policy itself

Console

Use the Google Cloud CLI for this procedure.

gcloud

Run these commands to move the hierarchical firewall policy to an organization:

gcloud compute firewall-policies move POLICY_NAME \
    --organization ORG_ID

Run these commands to move the hierarchical firewall policy to a folder in an organization:

gcloud compute firewall-policies move POLICY_NAME \
    --folder FOLDER_ID

Replace the following:

POLICY_NAME: either the short name or the system-generated name of the policy that you are moving
ORG_ID: the organization ID to which the policy is moved
FOLDER_ID: the folder ID to which the policy is moved

Update a policy description

The only policy field that can be updated is the Description field.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.firewallPolicies.update

Roles

Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on the parent (organization or folder) resource that contains the policy or on the policy itself
Compute Security Admin (roles/compute.securityAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself

Console

In the Cloud de Confiance console, go to the Firewall policies page.

Go to Firewall policies
In the project selector menu, select your organization ID or the folder that contains the policy.
Click your policy.
Click Edit.
Modify the description.
Click Save.

gcloud

gcloud compute firewall-policies update POLICY_NAME \
    --description DESCRIPTION \
    --organization ORG_ID

List policies

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.firewallPolicies.list

Roles

Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself
Compute Organization Firewall Policy User (roles/compute.orgFirewallPolicyUser) on the parent (organization or folder) resource that contains the policy or the policy itself
Compute Security Admin (roles/compute.securityAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself

Console

In the Cloud de Confiance console, go to the Firewall policies page.

Go to Firewall policies
In the project selector menu, select your organization ID or the folder that contains the policy.

For an organization, the Firewall policies associated with this organization section shows the associated policies. The Firewall policies located in this organization section lists policies that are owned by the organization.

For a folder, the Firewall policies associated with this folder or inherited by this folder section shows the policies associated or inherited by the folder. The Firewall policies located in this folder section lists policies that are owned by the folder.

Note: The policies owned by a resource (organization or folder) might not be associated with that resource, but are available to be associated with that or other resources.

gcloud

gcloud compute firewall-policies list \
    [--organization ORG_ID | --folder FOLDER_ID]

Describe a policy

You can view details about a hierarchical firewall policy, including the policy rules and associated rule attributes. All these rule attributes are counted as part of the rule attribute quota. For more information, see "Rule attributes per hierarchical firewall policy" in the Per firewall policy table.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.firewallPolicies.get

Roles

Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself
Compute Organization Firewall Policy User (roles/compute.orgFirewallPolicyUser) on the parent (organization or folder) resource that contains the policy or the policy itself

Console

In the Cloud de Confiance console, go to the Firewall policies page.

Go to Firewall policies
In the project selector menu, select your organization ID or the folder that contains the policy.
Click your policy.

gcloud

gcloud compute firewall-policies describe POLICY_NAME \
    --organization ORG_ID

Delete a policy

Before you can delete a hierarchical firewall policy, you must delete all of its associations.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.firewallPolicies.delete

Roles

Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself
Compute Security Admin (roles/compute.securityAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself

Console

In the Cloud de Confiance console, go to the Firewall policies page.

Go to Firewall policies
In the project selector menu, select your organization ID or the folder that contains the policy.
Click the policy that you want to delete.
Click the Associations tab.
Select all associations.
Click Remove association.
After all associations are removed, click Delete.

gcloud

Use the following command to delete the policy:

gcloud compute firewall-policies delete POLICY_NAME \
    --organization ORG_ID

List associations for a resource

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.organizations.listAssociations

Roles

Compute Organization Resource Admin (roles/compute.orgSecurityResourceAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself

Console

In the Cloud de Confiance console, go to the Firewall policies page.

Go to Firewall policies
In the project selector menu, select your organization ID or the folder that contains the policy.
For the selected resource (organization or folder), a list of associated and inherited policies appears.

gcloud

gcloud compute firewall-policies associations list \
    [--organization ORG_ID | --folder FOLDER_ID]

Delete an association

If you need to change the hierarchical firewall policy that's associated with an organization or folder, we recommend that you associate a new policy instead of deleting an existing associated policy. You can associate a new policy in one step, which helps to ensure that a hierarchical firewall policy is always associated with the organization or folder.

To delete an association between a hierarchical firewall policy and an organization or folder, follow the steps mentioned in this section. Rules in the hierarchical firewall policy don't apply to new connections after its association is deleted.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.organizations.setFirewallPolicy

Roles

Compute Organization Resource Admin (roles/compute.orgSecurityResourceAdmin) on the parent (organization or folder) resource with which the policy is associated

Console

In the Cloud de Confiance console, go to the Firewall policies page.

Go to Firewall policies
In the project selector menu, select your organization ID or the folder that contains the policy.
Click your policy.
Click the Associations tab.
Select the association that you want to delete.
Click Remove association.

gcloud

gcloud compute firewall-policies associations delete ASSOCIATION_NAME \
    --firewall-policy POLICY_NAME \
    --organization ORG_ID

Firewall policy rule tasks

This section describes how to create and manage hierarchical firewall policy rules.

Create an ingress rule for VM targets

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.firewallPolicies.update

Roles

Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on the firewall policy or organization or folder that contains the policy
Compute Security Admin (roles/compute.securityAdmin) on the firewall policy or organization or folder that contains the policy

This section describes how to create an ingress rule that applies to network interfaces of Compute Engine instances.

Console

In the Cloud de Confiance console, go to the Firewall policies page.

Go to Firewall policies
In the project selector list, select a organization or folder that contains a hierarchical firewall policy.
If necessary, in the Hierarchy index section, select a child folder.
In the Firewall policies section, click the name of a hierarchical firewall policy in which you want to create a rule.
In the Firewall rules section, click Create firewall rule and specify the following configuration parameters:
1. Priority: the numeric evaluation order of the rule.
  
  The rules are evaluated from highest to lowest priority where 0 is the highest priority. Priorities must be unique for each rule. We recommend that you separate rule priority values by more than just a difference of one (for example, 100, 200, 300) so that you can create new rules between the existing rules later.
2. Description: provide an optional description.
3. Direction of traffic: select Ingress.
4. Action on match: select one of the following:
  - Allow: to permit connections that match the rule parameters.
  - Deny: to block connections that match the rule parameters.
  - Go to next: to continue the firewall rule evaluation process.
  - Apply security profile group: sends the packets to a firewall endpoint or intercept endpoint group based on the Purpose you select.
    - To send packets to a Cloud NGFW firewall endpoint, select Cloud NGFW Enterprise, then select a Security profile group. To enable TLS inspection of the packets, select Enable TLS inspection.
    - To send packets to a Network Security Integration intercept endpoint group for in-band integration, select NSI In-Band, then select a Security profile group.
5. Logs: select On to enable firewall rules logging or Off to disable firewall rules logging for this rule.
6. Target networks: optionally, to make the firewall policy apply to targets in specific VPC networks, click Add network, and then select the Project and the Network.
7. Target: select one of the following:
  - Apply to all: Cloud NGFW uses the broadest instance targets.
  - Service accounts: narrows the broadest instance targets to the network interfaces of VM instances that use the service account that you specify in Target service account.
  - Secure tags: narrows the broadest instance targets to the network interfaces of VM instances that are bound to at least one of the secure tag values that you specify. Click Select scope for tags and select the organization or project that contains the tag values to match. To add more tag values, click Add tag.
8. Source network type: specify a network type:
  - To skip filtering inbound traffic by network type, select All network types.
  - To filter inbound traffic to a specific network type, select Specific network type, and then select a network type:
    - Internet: inbound traffic must match the Internet network type for ingress packets.
    - Non-internet: inbound traffic must match the Non-internet network type for ingress packets.
    - Intra VPC: inbound traffic must match the Criteria for intra-VPC network type.
    - VPC networks: inbound traffic must match the Criteria for VPC networks type. You must select at least one VPC network:
      - Select current project: lets you add one or more VPC network from the project that contains the firewall policy.
      - Manually enter network: lets you manually enter a project and VPC network.
      - Select project: lets you select a project from which you can select a VPC network.
9. Source filters: specify additional source parameters. Some source parameters can't be used together, and your choice of source network type limits which source parameters you can use. For more information, see Sources for ingress rules and Ingress rule source combinations.
  - To filter inbound traffic by source IPv4 ranges, select IPv4, and then enter the CIDR blocks in the IP ranges field. Use 0.0.0.0/0 for any IPv4 source.
  - To filter inbound traffic by source IPv6 ranges, select IPv6, and then enter the CIDR blocks into the IPv6 ranges field. Use ::/0 for any IPv6 source.
  - To filter inbound traffic by source secure tag values, select Select scope for tags in the Secure tags section. Then, provide tag keys and tag values. To add more tag values, click Add tag.
  - To filter inbound traffic by source FQDN, enter FQDNs in the FQDNs field. For more information, see FQDN objects.
  - To filter inbound traffic by source geolocation, select one or more locations from the Geolocations field. For more information, see Geolocation objects.
  - To filter inbound traffic by source address group, select one or more address groups from the Address groups field. For more information, see Address groups for firewall policies.
10. Destination: specify optional destination parameters. For more information, see Destinations for ingress rules.
  - To skip filtering inbound traffic by destination IP address, select None.
  - To filter inbound traffic to by destination IP address, select IPv4 or IPv6 and then enter one or more CIDRs using the same format used for source IPv4 ranges or source IPv6 ranges.
11. Protocols and ports: specify the protocols and destination ports for traffic to match the rule. For more information, see Protocols and ports.
12. Enforcement: specify whether the firewall rule is enforced or not:
  - Enabled: creates the rule and begins enforcing the rule on new connections.
  - Disabled: creates the rule but doesn't enforce the rule on new connections.
Click Create.

gcloud

gcloud compute firewall-policies rules create PRIORITY \
    --firewall-policy=POLICY_NAME \
    --organization=ORG_ID | --folder=FOLDER_ID \
    --description=DESCRIPTION \
    --direction=INGRESS \
    --action=ACTION \
    [--enable-logging | --no-enable-logging] \
    [--disabled | --no-disabled] \
    --target-type=INSTANCES \
    [--target-resources=TARGET_NETWORKS] \
    [--target-secure-tags=TARGET_SECURE_TAGS] \
    [--target-service-accounts=TARGET_SERVICE_ACCOUNTS] \
    [--layer4-configs=LAYER_4_CONFIGS] \
    [--src-network-type=SRC_NETWORK_TYPE] \
    [--src-networks=SRC_VPC_NETWORKS] \
    [--src-ip-ranges=SRC_IP_RANGES] \
    [--src-address-groups=SRC_ADDRESS_GROUPS] \
    [--src-fqdns=SRC_DOMAIN_NAMES] \
    [--src-secure-tags=SRC_SECURE_TAGS] \
    [--src-region-codes=SRC_COUNTRY_CODES] \
    [--src-threat-intelligence=SRC_THREAT_LIST_NAMES] \
    [--dest-ip-ranges=DEST_IP_RANGES]

Replace the following:

PRIORITY: the numeric evaluation order of the rule within the policy. The rules are evaluated from highest to lowest priority, where 0 is the highest priority. Priorities must be unique for each rule. We recommend that you separate rule priority values by more than just a difference of one (for example, 100, 200, 300) so that you can create new rules between the existing rules later.
POLICY_NAME: the name of the hierarchical firewall policy in which you want to create the rule.
ORG_ID: the organization ID that contains the hierarchical firewall policy, if its parent is an organization.
FOLDER_ID: the folder ID that contains the hierarchical firewall policy, if its parent is a folder.
DESCRIPTION: an optional description for the new rule.
ACTION: specify one of the following actions:
- allow: allows connections that match the rule.
- deny: denies connections that match the rule.
- goto_next: continues the firewall rule evaluation process.
- apply_security_profile_group: sends the packets to a firewall endpoint or intercept endpoint group.
  - When the action is apply_security_profile_group, you must include --security-profile-group SECURITY_PROFILE_GROUP, where SECURITY_PROFILE_GROUP is the name of a security profile group.
  - The security profile group's security profile can reference either a Cloud NGFW firewall endpoint or a Network Security Integration intercept endpoint group for in-band integration.
  - If the security profile group's security profile references a Cloud NGFW firewall endpoint, include either --tls-inspect or --no-tls-inspect to enable or disable TLS inspection.
The --enable-logging and --no-enable-logging flags enable or disable Firewall Rules Logging.
The --disabled and --no-disabled flags control whether the rule is disabled (not enforced) or enabled (enforced).
Specify a target:
- If you omit the --target-resources, --target-secure-tags, and --target-service-accounts flags, Cloud NGFW uses the broadest instance targets.
- TARGET_NETWORKS: a comma-separated list of VPC networks specified by their network resource URLs in the form https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK_NAME.
- TARGET_SECURE_TAGS: a comma-separated list of secure tag values that narrows the broadest instance targets to the network interfaces of VM instances that are bound to at least one of the secure tag values.
- TARGET_SERVICE_ACCOUNTS: a comma-separated list of service accounts that narrows the broadest instance targets to the network interfaces of VM instances that use one of the service accounts.
LAYER_4_CONFIGS: a comma-separated list of Layer 4 configs. Each Layer 4 config can be one of the following:
- An IP protocol name (tcp) or IANA IP protocol number (17) without any destination port.
- An IP protocol name and destination port separated by a colon (tcp:80).
- An IP protocol name and destination port range separated by a colon using a dash to separate the beginning and ending destination ports (tcp:5000-6000). For more information, see Protocols and ports.
Specify a source for the ingress rule. For more information, Ingress rule source combinations:
- SRC_NETWORK_TYPE: defines a source network types to be used in conjunction with another supported source parameter to produce a source combination. Valid values when --target-type=INSTANCES are: INTERNET, NON_INTERNET, VPC_NETWORKS, or INTRA_VPC. For more information, see Network types.
- SRC_VPC_NETWORKS: a comma-separated list of VPC networks specified by their URL identifiers. Specify this flag only when the --src-network-type is VPC_NETWORKS.
- SRC_IP_RANGES: a comma-separated list of IP address ranges in CIDR format. Ranges in the list must all be either IPv4 CIDRs or IPv6 CIDRs, not a combination of both.
- SRC_ADDRESS_GROUPS: a comma-separated list of address groups specified by their unique URL identifiers. Address groups in the list must contain all IPv4 addresses or all IPv6 addresses, not a combination of both.
- SRC_DOMAIN_NAMES: a comma-separated list of FQDN objects specified in the domain name format.
- SRC_SECURE_TAGS: a comma-separated list of Tags. You cannot use the --src-secure-tags flag if the --src-network-type is INTERNET.
- SRC_COUNTRY_CODES: a comma-separated list of two-letter country codes. For more information, see Geolocation objects. You cannot use the --src-region-codes flag if the --src-network-type is NON_INTERNET, VPC_NETWORKS, or INTRA_VPC.
Optionally, specify a destination for the ingress rule:
- DEST_IP_RANGES: a comma-separated list of IP address ranges in CIDR format. Ranges in the list must all be either IPv4 CIDRs or IPv6 CIDRs, not a combination of both.

Create an egress rule for VM targets

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.firewallPolicies.update

Roles

Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on the firewall policy or organization or folder that contains the policy
Compute Security Admin (roles/compute.securityAdmin) on the firewall policy or organization or folder that contains the policy

The following directions show how to create an egress rule. Egress rules only apply to targets that are network interfaces of Compute Engine instances.

Console

In the Cloud de Confiance console, go to the Firewall policies page.

Go to Firewall policies
In the project selector list, select a organization or folder that contains a hierarchical firewall policy.
If necessary, in the Hierarchy index section, select a child folder.
In the Firewall policies section, click the name of a hierarchical firewall policy in which you want to create a rule.
In the Firewall rules section, click Create firewall rule and specify the following configuration parameters:
1. Priority: the numeric evaluation order of the rule.
  
  The rules are evaluated from highest to lowest priority where 0 is the highest priority. Priorities must be unique for each rule. We recommend that you separate rule priority values by more than just a difference of one (for example, 100, 200, 300) so that you can create new rules between the existing rules later.
2. Description: provide an optional description.
3. Direction of traffic: select Egress.
4. Action on match: select one of the following:
  - Allow: to permit connections that match the rule parameters.
  - Deny: to block connections that match the rule parameters.
  - Go to next: to continue the firewall rule evaluation process.
  - Apply security profile group: sends the packets to a firewall endpoint or intercept endpoint group based on the Purpose you select.
    - To send packets to a Cloud NGFW firewall endpoint, select Cloud NGFW Enterprise, then select a Security profile group. To enable TLS inspection of the packets, select Enable TLS inspection.
    - To send packets to a Network Security Integration intercept endpoint group for in-band integration, select NSI In-Band, then select a Security profile group.
5. Logs: select On to enable firewall rules logging or Off to disable firewall rules logging for this rule.
6. Target networks: optionally, to make the firewall policy apply to targets in specific VPC networks, click Add network, and then select the Project and the Network.
7. Target: select one of the following:
  - Apply to all: Cloud NGFW uses the broadest instance targets.
  - Service accounts: narrows the broadest instance targets to the network interfaces of VM instances that use the service account that you specify in Target service account.
  - Secure tags: narrows the broadest instance targets to the network interfaces of VM instances that are bound to at least one of the secure tag values that you specify. Click Select scope for tags and select the organization or project that contains the tag values to match. To add more tag values, click Add tag.
8. Destination network type: specify a network type:
  - To skip filtering outgoing traffic by network type, select All network types.
  - To filter outgoing traffic to a specific network type, select Specific network type, and then select a network type:
    - Internet: outgoing traffic must match the Internet network type for egress packets.
    - Non-internet: outgoing traffic must match the Non-internet network type for egress packets.
9. Destination filters: specify additional destination parameters. Some destination parameters can't be used together, and your choice of destination network type limits which destination filters you can use. For more information, see Destinations for egress rules and Egress rule destination combinations.
  - To filter outgoing traffic by destination IPv4 ranges, select IPv4, and then enter the CIDR blocks in the IP ranges field. Use 0.0.0.0/0 for any IPv4 destination.
  - To filter outgoing traffic by destination IPv6 ranges, select IPv6, and then enter the CIDR blocks into the IPv6 ranges field. Use ::/0 for any IPv6 destination.
  - To filter outgoing traffic by destination FQDN, enter FQDNs in the FQDNs field. For more information, see FQDN objects.
  - To filter outgoing traffic by destination geolocation, select one or more locations from the Geolocations field. For more information, see Geolocation objects.
  - To filter outgoing traffic by destination address group, select one or more address groups from the Address groups field. For more information, see Address groups for firewall policies.
10. Source: specify optional source parameters. For more information, see Sources for egress rules.
  - To skip filtering outgoing traffic by source IP address, select None.
  - To filter outgoing traffic to by source IP address, select IPv4 or IPv6 and then enter one or more CIDRs using the same format used for destination IPv4 ranges or destination IPv6 ranges.
11. Protocols and ports: specify the protocols and destination ports for traffic to match the rule. For more information, see Protocols and ports.
12. Enforcement: specify whether the firewall rule is enforced or not:
  - Enabled: creates the rule and begins enforcing the rule on new connections.
  - Disabled: creates the rule but doesn't enforce the rule on new connections.
Click Create.

gcloud

gcloud compute firewall-policies rules create PRIORITY \
    --firewall-policy=POLICY_NAME \
    --organization=ORG_ID | --folder=FOLDER_ID \
    --description=DESCRIPTION \
    --direction=EGRESS \
    --action=ACTION \
    [--enable-logging | --no-enable-logging] \
    [--disabled | --no-disabled] \
    --target-type=INSTANCES \
    [--target-resources=TARGET_NETWORKS] \
    [--target-secure-tags=TARGET_SECURE_TAGS] \
    [--target-service-accounts=TARGET_SERVICE_ACCOUNTS] \
    [--layer4-configs=LAYER_4_CONFIGS] \
    [--dest-network-type=DEST_NETWORK_TYPE] \
    [--dest-ip-ranges=DEST_IP_RANGES] \
    [--dest-address-groups=DEST_ADDRESS_GROUPS] \
    [--dest-fqdns=DEST_DOMAIN_NAMES] \
    [--dest-region-codes=DEST_COUNTRY_CODES] \
    [--dest-threat-intelligence=DEST_THREAT_LIST_NAMES] \
    [--src-ip-ranges=SRC_IP_RANGES]

Replace the following:

PRIORITY: the numeric evaluation order of the rule within the policy. The rules are evaluated from highest to lowest priority, where 0 is the highest priority. Priorities must be unique for each rule. We recommend that you separate rule priority values by more than just a difference of one (for example, 100, 200, 300) so that you can create new rules between the existing rules later.
POLICY_NAME: the name of the hierarchical firewall policy in which you want to create the rule.
ORG_ID: the organization ID that contains the hierarchical firewall policy, if its parent is an organization.
FOLDER_ID: the folder ID that contains the hierarchical firewall policy, if its parent is a folder.
DESCRIPTION: an optional description for the new rule.
ACTION: specify one of the following actions:
- allow: allows connections that match the rule.
- deny: denies connections that match the rule.
- goto_next: continues the firewall rule evaluation process.
- apply_security_profile_group: sends the packets to a firewall endpoint or intercept endpoint group.
  - When the action is apply_security_profile_group, you must include --security-profile-group SECURITY_PROFILE_GROUP, where SECURITY_PROFILE_GROUP is the name of a security profile group.
  - The security profile group's security profile can reference either a Cloud NGFW firewall endpoint or a Network Security Integration intercept endpoint group for in-band integration.
  - If the security profile group's security profile references a Cloud NGFW firewall endpoint, include either --tls-inspect or --no-tls-inspect to enable or disable TLS inspection.
The --enable-logging and --no-enable-logging flags enable or disable Firewall Rules Logging.
The --disabled and --no-disabled flags control whether the rule is disabled (not enforced) or enabled (enforced).
Specify a target:
- If you omit the --target-resources, --target-secure-tags, and --target-service-accounts flags, Cloud NGFW uses the broadest instance targets.
- TARGET_NETWORKS: a comma-separated list of VPC networks specified by their network resource URLs in the form https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK_NAME.
- TARGET_SECURE_TAGS: a comma-separated list of secure tag values that narrows the broadest instance targets to the network interfaces of VM instances that are bound to at least one of the secure tag values.
- TARGET_SERVICE_ACCOUNTS: a comma-separated list of service accounts that narrows the broadest instance targets to the network interfaces of VM instances that use one of the service accounts.
LAYER_4_CONFIGS: a comma-separated list of Layer 4 configs. Each Layer 4 config can be one of the following:
- An IP protocol name (tcp) or IANA IP protocol number (17) without any destination port.
- An IP protocol name and destination port separated by a colon (tcp:80).
- An IP protocol name and destination port range separated by a colon using a dash to separate the beginning and ending destination ports (tcp:5000-6000). For more information, see Protocols and ports.
Specify a destination for the egress rule. For more information, Egress rule destination combinations:
- DEST_NETWORK_TYPE: defines a destination network types to be used in conjunction with another supported destination parameter to produce a destination combination. Valid values are INTERNET and NON_INTERNET. For more information, see Network types.
- DEST_IP_RANGES: a comma-separated list of IP address ranges in CIDR format. Ranges in the list must all be either IPv4 CIDRs or IPv6 CIDRs, not a combination of both.
- DEST_ADDRESS_GROUPS: a comma-separated list of address groups specified by their unique URL identifiers.
- DEST_DOMAIN_NAMES: a comma-separated list of FQDN objects specified in the domain name format.
- DEST_COUNTRY_CODES: a comma-separated list of two-letter country codes. For more information, see Geolocation objects.
Optionally, specify a source for the egress rule:
- SRC_IP_RANGES: a comma-separated list of IP address ranges in CIDR format. Ranges in the list must all be either IPv4 CIDRs or IPv6 CIDRs, not a combination of both.

List all rules in a policy

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.firewallPolicies.get

Roles

Compute Network Admin (roles/compute.networkAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself
Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself
Compute Organization Firewall Policy User (roles/compute.orgFirewallPolicyUser) on the parent (organization or folder) resource that contains the policy or the policy itself
Compute Security Admin (roles/compute.securityAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself

Console

In the Cloud de Confiance console, go to the Firewall policies page.

Go to Firewall policies
In the project selector menu, select your organization ID or the folder that contains the policy.
Click your policy. Rules are listed on the Firewall rules tab.

gcloud

gcloud compute firewall-policies list-rules POLICY_NAME \
    --organization=ORG_ID

Replace the following:

POLICY_NAME: the name of the hierarchical firewall policy that contains the rule.
ORG_ID: the organization ID that contains the hierarchical firewall policy.

Describe a rule

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.firewallPolicies.get

Roles

Compute Network Admin (roles/compute.networkAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself
Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself
Compute Organization Firewall Policy User (roles/compute.orgFirewallPolicyUser) on the parent (organization or folder) resource that contains the policy or the policy itself
Compute Security Admin (roles/compute.securityAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself

Console

In the Cloud de Confiance console, go to the Firewall policies page.

Go to Firewall policies
In the project selector menu, select your organization ID or the folder that contains the policy.
Click your policy.
Click the priority of the rule.

gcloud

gcloud compute firewall-policies rules describe PRIORITY \
    --firewall-policy=POLICY_NAME \
    --organization=ORG_ID

Replace the following:

POLICY_NAME: the name of the hierarchical firewall policy that contains the new rule.
ORG_ID: the organization ID that contains the hierarchical firewall policy.

Update a rule

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.firewallPolicies.update

Roles

Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself
Compute Security Admin (roles/compute.securityAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself

Console

In the Cloud de Confiance console, go to the Firewall policies page.

Go to Firewall policies
In the project selector menu, select the organization or folder that contains the hierarchical firewall policy.
Click the name of the hierarchical firewall policy that contains the rule to update.
Click the priority of the rule.
Click Edit.
Modify the firewall rule fields that you want to change. For descriptions about each field, see one of the following:
- Create an ingress rule for VM targets
- Create an egress rule for VM targets
Click Save.

gcloud

gcloud compute firewall-policies rules update PRIORITY \
    --firewall-policy=POLICY_NAME \
    --organization ORG_ID \
    [...other flags that you want to modify...]

Replace the following:

PRIORITY: the priority number that uniquely identifies the rule.
POLICY_NAME: the name of the policy that contains the rule.
ORG_ID: the organization ID that contains the hierarchical firewall policy.

Supply the flags that you want to modify. For flag descriptions, see one of the following:

Create an ingress rule for VM targets
Create an egress rule for VM targets

Clone rules from one policy to another

Remove all rules from the target policy and replace them with the rules in the source policy.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.firewallPolicies.copyRules

Roles

Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself
Compute Security Admin (roles/compute.securityAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself

Console

In the Cloud de Confiance console, go to the Firewall policies page.

Go to Firewall policies
In the project selector menu, select your organization ID or the folder that contains the policy.
Click the policy that you want to copy rules from.
Click Clone at the top of the screen.
Provide the name of a target policy.
If you want to associate the new policy immediately, click Continue to open the Associate policy with resources section.
Click Clone.

gcloud

gcloud compute firewall-policies clone-rules POLICY_NAME \
    --source-firewall-policy=SOURCE_POLICY \
    --organization=ORG_ID \

Replace the following:

POLICY_NAME: the policy to receive the copied rules
SOURCE_POLICY: the policy to copy the rules from; must be the URL of the resource
ORG_ID: the organization ID that contains the hierarchical firewall policy.

Delete a rule

Deleting a rule from a policy causes the rule to no longer apply to new connections to or from the rule's target.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.firewallPolicies.update

Roles

Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself
Compute Security Admin (roles/compute.securityAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself

Console

In the Cloud de Confiance console, go to the Firewall policies page.

Go to Firewall policies
In the project selector menu, select your organization ID or the folder that contains the policy.
Click your policy.
Select the rule that you want to delete.
Click Delete.

gcloud

gcloud compute firewall-policies rules delete PRIORITY \
    --firewall-policy=POLICY_NAME \
    --organization=ORG_ID

Replace the following:

PRIORITY: the priority of the rule that you want to delete from the policy.
POLICY_NAME: the name of the hierarchical firewall policy that contains the rule.
ORG_ID: the organization ID that contains the hierarchical firewall policy.

Get effective firewall rules for a network

You can view all hierarchical firewall policy rules, VPC firewall rules, and global network firewall policy rules that apply to all regions of a VPC network.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls

Roles

Compute Network Admin (roles/compute.networkAdmin) on the project containing the network or
Compute Network User (roles/compute.networkUser) on the project containing the network or
Compute Network Viewer (roles/compute.networkViewer) on the project containing the network or
Compute Security Admin (roles/compute.securityAdmin) on the project containing the network or
Compute Viewer (roles/compute.viewer) on the project containing the network

Console

In the Cloud de Confiance console, go to the VPC networks page.

Go to VPC networks
Click the network you want to view firewall policy rules for.
Click Firewalls.
Expand each firewall policy to view the rules that apply to this network.

gcloud

gcloud compute networks get-effective-firewalls NETWORK_NAME

Replace NETWORK_NAME with the network for which you want to view the effective rules.

You can also view effective firewall rules for a network from the Firewall page.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.organizations.listAssociations on the network
Optional: resourcemanager.folders.get and resourcemanager.organizations.get to view information in the Inherited from and Located at columns

Roles

To view firewall rules:

compute.orgSecurityResourceAdmin
compute.viewer

Optional: To view information in the Inherited from and Located at columns:

browser
resourcemanager.organizationAdmin

Console

In the Cloud de Confiance console, go to the Firewall policies page.

Go to Firewall policies
The firewall policies are listed in the Firewall policies inherited by this project section.
Click each firewall policy to view the rules that apply to this network.

Get effective firewall rules for a VM interface

You can view all firewall rules—from all applicable firewall policies and VPC firewall rules—that apply to a network interface of a Compute Engine VM.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.instances.getEffectiveFirewalls

Roles

Compute Instance Admin (roles/compute.instanceAdmin) on the project containing the VM instance or
Instance Group Manager Service Agent (roles/compute.instanceGroupManagerServiceAgent) on the project containing the VM instance or
Compute Security Admin (roles/compute.securityAdmin) on the project containing the VM instance or
Compute Viewer (roles/compute.viewer) on the project containing the VM instance

Console

In the Cloud de Confiance console, go to the VM instances page.

Go to VM instances
In the project selector menu, select the project that contains the VM.
Click the VM.
For Network interfaces, click the interface.
Effective firewall rules appear in the Firewalls tab available in the Network configuration analysis section.

gcloud

gcloud compute instances network-interfaces get-effective-firewalls INSTANCE_NAME \
    [--network-interface INTERFACE] \
    [--zone ZONE]

Replace the following:

INSTANCE_NAME: the VM for which you want to view the effective rules; if no interface is specified, the command returns rules for the primary interface (nic0).
INTERFACE: the VM interface for which you want to view the effective rules; the default value is nic0.
ZONE: the zone of the VM; this line is optional if the chosen zone is already set as the default.

Troubleshooting

This section contains explanations for error messages that you might encounter.

FirewallPolicy may not specify a name. One will be provided.

You cannot specify a policy name. Hierarchical firewall policy "names" are numerical IDs generated by Cloud de Confiance by S3NS when the policy is created. However, you can specify a friendlier short name that acts as an alias in many contexts.
FirewallPolicy may not specify associations on creation.

Associations can only be created after hierarchical firewall policies are created.
Can't move firewall policy to a different organization.

Hierarchical firewall policy moves must stay within the same organization.
The attachment already has an association. Please set the option of replacing existing association to true if you want to replace the old one.

If a resource is already attached with a hierarchical firewall policy, the attachment operation fails unless the option of replacing the existing associations is set to true.
Can't have rules with the same priorities.

Priorities of rules are required to be unique within a hierarchical firewall policy.
Direction must be specified for a firewall policy rule.

When creating hierarchical firewall policy rules by sending REST requests directly, the direction of the rule must be specified. When using the Google Cloud CLI and no direction is specified, the default is INGRESS.
Can't specify enable_logging on a goto_next rule.

Firewall Logging isn't allowed for rules with goto_next action because goto_next actions are used to represent the evaluation order of different firewall policies and aren't terminal actions—for example, ALLOW or DENY.
Must specify at least one destination on Firewall policy rule.

The layer4Configs flag in the firewall policy rule must specify at least one protocol or protocol and destination port.

For more information about troubleshooting firewall policy rules, see VPC firewall rules troubleshooting.