Use hierarchical firewall policies and rules

This page assumes that you are familiar with the concepts described in the Hierarchical firewall policies overview. To see examples of hierarchical firewall policy implementations, see Hierarchical firewall policy examples.

Limitations

  • Hierarchical firewall policy rules don't support using network tags to define targets. You must use a target Virtual Private Cloud (VPC) network or target service account instead.
  • Firewall policies can be applied at the folder and the organization level, but not at the VPC network level. Regular VPC firewall rules are supported for VPC networks.
  • Only one firewall policy can be associated to a resource (folder or organization), although the virtual machine (VM) instances in a folder can inherit rules from the entire hierarchy of resources above the VM.
  • VPC firewall rules logging is supported for allow and deny rules but not for goto_next rules.
  • IPv6 Hop-by-Hop protocol isn't supported in firewall rules.

Note: When you create a policy, you can give it a short name that is easy to remember. The short name field was previously called display name, and it might appear as display name in certain cases for a while.

Firewall policy tasks

This section describes how to create and manage hierarchical firewall policies.

To check the progress of an operation that results from a task listed in this section, make sure that your IAM principal has the following permissions or roles in addition to the permissions or roles required for each task.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalOperations.setIamPolicy

Roles

  • Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on the organization

Create a firewall policy

When you create a hierarchical firewall policy, you can set its parent to either the organization or a folder within the organization. After creating the policy, you can associate the policy with the organization or a folder in the organization.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

  • compute.firewallPolicies.create

Roles

  • Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on the organization or folder where you want to create the policy
  • Compute Security Admin (roles/compute.securityAdmin) on the organization or folder where you want to create the policy

Console

  1. In the Google Cloud console, go to the Firewall policies page.

  2. In the project selector menu, select your organization ID or a folder within your organization.

  3. Click Create firewall policy.

  4. In the Policy name field, enter a name for the policy.

  5. Optional: If you want to create rules for your policy, click Continue.

  6. In the Add rules section, click Create firewall rule. For more information about creating firewall rules, see the Firewall policy rule tasks section of this page.

  7. Optional: If you want to associate the policy with a resource, click Continue.

  8. In the Associate policy with resources section, click Add.

    For more information, see Associate a policy with the organization or folder.

  9. Click Create.

gcloud

Run this command to create a hierarchical firewall policy whose parent is an organization:

gcloud compute firewall-policies create \
    --organization ORG_ID \
    --short-name SHORT_NAME

Run this command to create a hierarchical firewall policy whose parent is a folder within an organization:

gcloud compute firewall-policies create \
    --folder FOLDER_ID \
    --short-name SHORT_NAME

Replace the following:

  • ORG_ID: your organization's ID

    Specify an organization ID to create a policy whose parent is an organization. The policy can be associated with the organization or a folder within the organization.

  • SHORT_NAME: a name for the policy

    A policy created by using the Google Cloud CLI has two names: a system-generated name and a short name provided by you. When using the gcloud CLI to update an existing policy, you can provide either the system-generated name or the short name and the organization ID. When using the API to update the policy, you must provide the system-generated name.

  • FOLDER_ID: the ID of a folder

    Specify a folder ID to create a policy whose parent is a folder. The policy can be associated with the organization that contains the folder or any folder within that organization.

Associate a policy with the organization or folder

When you associate a hierarchical firewall policy with an organization or folder in an organization, the firewall policy's rules (except for disabled rules, and subject to each rule's target) apply to resources in VPC networks in projects of the associated organization or folder.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

  • compute.firewallPolicies.use
  • compute.organizations.setFirewallPolicy

Roles

  • Compute Organization Resource Admin (roles/compute.orgSecurityResourceAdmin) on the organization or folder to which the firewall policy should apply
  • And one of the following roles:
    • Compute Network Admin (roles/compute.networkAdmin) on the firewall policy or organization or folder that contains the firewall policy
    • Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on the firewall policy or organization or folder that contains the firewall policy
    • Compute Organization Firewall Policy User (roles/compute.orgFirewallPolicyUser) on the firewall policy or organization or folder that contains the firewall policy
    • Compute Organization Security Policy Admin (roles/compute.orgSecurityPolicyAdmin) on the firewall policy or organization or folder that contains the firewall policy
    • Compute Organization Security Policy User (roles/compute.orgSecurityPolicyUser) on the firewall policy or organization or folder that contains the firewall policy
    • Compute Security Admin (roles/compute.securityAdmin) on the firewall policy or organization or folder that contains the firewall policy

Console

  1. In the Google Cloud console, go to the Firewall policies page.

  2. In the project selector menu, select your organization ID or the folder that contains your policy.

  3. Click your policy.

  4. Click the Associations tab.

  5. Click Add Association.

  6. Select the organization root or select folders within the organization.

  7. Click Add.

gcloud

By default, if you attempt to insert an association to an organization or folder that already has an association, the method fails. If you specify the --replace-association-on-target flag, the existing association is deleted at the same time that the new association is created. This prevents the resource from being without a policy during the transition.

gcloud compute firewall-policies associations create \
    --firewall-policy POLICY_NAME \
    --organization ORG_ID \
    [ --folder FOLDER_ID ] \
    [ --name ASSOCIATION_NAME ] \
    [ --replace-association-on-target ]

Replace the following:

  • POLICY_NAME: either the short name or the system-generated name of the policy
  • ORG_ID: your organization's ID
  • FOLDER_ID: if you are associating the policy with a folder, specify it here; omit if you are associating the policy at the organization level
  • ASSOCIATION_NAME: an optional name for the association; if unspecified, the name is set to "organizationORG_ID" or "folderFOLDER_ID"

Move a policy from one resource to another

Moving a policy only changes the parent of the policy. Changing the parent of the policy might change which IAM principals can create and update rules in the policy and which IAM principals can create future associations.

Moving a policy doesn't change any existing policy associations or the evaluation of rules in the policy.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

  • compute.firewallPolicies.move

Roles

  • Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on both the new parent (organization or folder) resource and the previous parent resource or the policy itself
  • Compute Security Admin (roles/compute.securityAdmin) on both the new parent (organization or folder) resource and the previous parent resource or the policy itself

Console

Use the Google Cloud CLI for this procedure.

gcloud

Run this command to move the hierarchical firewall policy to an organization:

gcloud compute firewall-policies move POLICY_NAME \
    --organization ORG_ID

Run this command to move the hierarchical firewall policy to a folder in an organization:

gcloud compute firewall-policies move POLICY_NAME \
    --folder FOLDER_ID

Replace the following:

  • POLICY_NAME: either the short name or the system-generated name of the policy that you are moving
  • ORG_ID: the organization ID to which the policy is moved
  • FOLDER_ID: the folder ID to which the policy is moved

Update a policy description

The only policy field that can be updated is the Description field.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

  • compute.firewallPolicies.update

Roles

  • Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on the parent (organization or folder) resource that contains the policy or on the policy itself
  • Compute Security Admin (roles/compute.securityAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself

Console

  1. In the Google Cloud console, go to the Firewall policies page.

  2. In the project selector menu, select your organization ID or the folder that contains the policy.

  3. Click your policy.

  4. Click Edit.

  5. Modify the description.

  6. Click Save.

gcloud

gcloud compute firewall-policies update POLICY_NAME \
    --description DESCRIPTION \
    --organization ORG_ID

List policies

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

  • compute.firewallPolicies.list

Roles

  • Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself
  • Compute Organization Firewall Policy User (roles/compute.orgFirewallPolicyUser) on the parent (organization or folder) resource that contains the policy or the policy itself
  • Compute Security Admin (roles/compute.securityAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself

Console

  1. In the Google Cloud console, go to the Firewall policies page.

  2. In the project selector menu, select your organization ID or the folder that contains the policy.

    For an organization, the Firewall policies associated with this organization section shows the associated policies. The Firewall policies located in this organization section lists policies that are owned by the organization.

    For a folder, the Firewall policies associated with this folder or inherited by this folder section shows the policies associated with or inherited by the folder. The Firewall policies located in this folder section lists policies that are owned by the folder.

    Note: The policies owned by a resource (organization or folder) might not be associated with that resource, but are available to be associated with that or other resources.

gcloud

gcloud compute firewall-policies list \
    [--organization ORG_ID | --folder FOLDER_ID]

Describe a policy

You can view details about a hierarchical firewall policy, including the policy rules and associated rule attributes. All these rule attributes are counted as part of the rule attribute quota. For more information, see "Rule attributes per hierarchical firewall policy" in the Per firewall policy table.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

  • compute.firewallPolicies.get

Roles

  • Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself
  • Compute Organization Firewall Policy User (roles/compute.orgFirewallPolicyUser) on the parent (organization or folder) resource that contains the policy or the policy itself

Console

  1. In the Google Cloud console, go to the Firewall policies page.

  2. In the project selector menu, select your organization ID or the folder that contains the policy.

  3. Click your policy.

gcloud

gcloud compute firewall-policies describe POLICY_NAME \
    --organization ORG_ID

Delete a policy

Before you can delete a hierarchical firewall policy, you must delete all of its associations.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

  • compute.firewallPolicies.delete

Roles

  • Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself
  • Compute Security Admin (roles/compute.securityAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself

Console

  1. In the Google Cloud console, go to the Firewall policies page.

  2. In the project selector menu, select your organization ID or the folder that contains the policy.

  3. Click the policy that you want to delete.

  4. Click the Associations tab.

  5. Select all associations.

  6. Click Remove association.

  7. After all associations are removed, click Delete.

gcloud

Use the following command to delete the policy:

gcloud compute firewall-policies delete POLICY_NAME \
    --organization ORG_ID

List associations for a resource

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

  • compute.organizations.listAssociations

Roles

  • Compute Organization Resource Admin (roles/compute.orgSecurityResourceAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself

Console

  1. In the Google Cloud console, go to the Firewall policies page.

  2. In the project selector menu, select your organization ID or the folder that contains the policy.

  3. For the selected resource (organization or folder), a list of associated and inherited policies appears.

gcloud

gcloud compute firewall-policies associations list \
    [--organization ORG_ID | --folder FOLDER_ID]

Delete an association

If you need to change the hierarchical firewall policy that's associated with an organization or folder, we recommend that you associate a new policy instead of deleting an existing associated policy. You can associate a new policy in one step, which helps to ensure that a hierarchical firewall policy is always associated with the organization or folder.

To delete an association between a hierarchical firewall policy and an organization or folder, follow the steps in this section. Rules in the hierarchical firewall policy don't apply to new connections after its association is deleted.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

  • compute.organizations.setFirewallPolicy

Roles

  • Compute Organization Resource Admin (roles/compute.orgSecurityResourceAdmin) on the parent (organization or folder) resource with which the policy is associated

Console

  1. In the Google Cloud console, go to the Firewall policies page.

  2. In the project selector menu, select your organization ID or the folder that contains the policy.

  3. Click your policy.

  4. Click the Associations tab.

  5. Select the association that you want to delete.

  6. Click Remove association.

gcloud

gcloud compute firewall-policies associations delete ASSOCIATION_NAME \
    --firewall-policy POLICY_NAME \
    --organization ORG_ID

Firewall policy rule tasks

This section describes how to create and manage hierarchical firewall policy rules.

Create an ingress rule for VM targets

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

  • compute.firewallPolicies.update

Roles

  • Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on the firewall policy or organization or folder that contains the policy
  • Compute Security Admin (roles/compute.securityAdmin) on the firewall policy or organization or folder that contains the policy

This section describes how to create an ingress rule that applies to network interfaces of Compute Engine instances.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

  2. In the project selector list, select an organization or folder that contains a hierarchical firewall policy.

  3. If necessary, in the Hierarchy index section, select a child folder.

  4. In the Firewall policies section, click the name of a hierarchical firewall policy in which you want to create a rule.

  5. In the Firewall rules section, click Create firewall rule and specify the following configuration parameters:

    1. Priority: the numeric evaluation order of the rule.

      The rules are evaluated from highest to lowest priority, where 0 is the highest priority. Priorities must be unique for each rule. We recommend that you separate rule priority values by more than just a difference of one (for example, 100, 200, 300) so that you can create new rules between the existing rules later.

    2. Description: provide an optional description.

    3. Direction of traffic: select Ingress.

    4. Action on match: select one of the following:

      • Allow: to permit connections that match the rule parameters.
      • Deny: to block connections that match the rule parameters.
      • Go to next: to continue the firewall rule evaluation process.
      • Apply security profile group: sends the packets to a firewall endpoint or intercept endpoint group based on the Purpose you select.
        • To send packets to a Cloud NGFW firewall endpoint, select Cloud NGFW Enterprise, then select a Security profile group. To enable TLS inspection of the packets, select Enable TLS inspection.
        • To send packets to a Network Security Integration intercept endpoint group for in-band integration, select NSI In-Band, then select a Security profile group.

    5. Logs: select On to enable firewall rules logging or Off to disable firewall rules logging for this rule.

    6. Target networks: optionally, to make the firewall policy apply to targets in specific VPC networks, click Add network, and then select the Project and the Network.

    7. Target: select one of the following:

      • Apply to all: Cloud NGFW uses the broadest instance targets.
      • Service accounts: narrows the broadest instance targets to the network interfaces of VM instances that use the service account that you specify in Target service account.
      • Secure tags: narrows the broadest instance targets to the network interfaces of VM instances that are bound to at least one of the secure tag values that you specify. Click Select scope for tags and select the organization or project that contains the tag values to match. To add more tag values, click Add tag.

    8. Source network type: specify a network type:

      • To skip filtering inbound traffic by network type, select All network types.
      • To filter inbound traffic to a specific network type, select Specific network type, and then select a network type:

    9. Source filters: specify additional source parameters. Some source parameters can't be used together, and your choice of source network type limits which source parameters you can use. For more information, see Sources for ingress rules and Ingress rule source combinations.

      • To filter inbound traffic by source IPv4 ranges, select IPv4, and then enter the CIDR blocks in the IP ranges field. Use 0.0.0.0/0 for any IPv4 source.
      • To filter inbound traffic by source IPv6 ranges, select IPv6, and then enter the CIDR blocks into the IPv6 ranges field. Use ::/0 for any IPv6 source.
      • To filter inbound traffic by source secure tag values, select Select scope for tags in the Secure tags section. Then, provide tag keys and tag values. To add more tag values, click Add tag.
      • To filter inbound traffic by source FQDN, enter FQDNs in the FQDNs field. For more information, see FQDN objects.
      • To filter inbound traffic by source geolocation, select one or more locations from the Geolocations field. For more information, see Geolocation objects.
      • To filter inbound traffic by source address group, select one or more address groups from the Address groups field. For more information, see Address groups for firewall policies.
      • To filter inbound traffic by source Google Threat Intelligence lists, select one or more Google Threat Intelligence lists from the Google Cloud Threat Intelligence field. For more information, see Google Threat Intelligence for firewall policy rules.

    10. Destination: specify optional destination parameters. For more information, see Destinations for ingress rules.

      • To skip filtering inbound traffic by destination IP address, select None.
      • To filter inbound traffic by destination IP address, select IPv4 or IPv6 and then enter one or more CIDRs using the same format used for source IPv4 ranges or source IPv6 ranges.

    11. Protocols and ports: specify the protocols and destination ports for traffic to match the rule. For more information, see Protocols and ports.

    12. Enforcement: specify whether the firewall rule is enforced or not:

      • Enabled: creates the rule and begins enforcing the rule on new connections.
      • Disabled: creates the rule but doesn't enforce the rule on new connections.

  6. Click Create.
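
To see how the priority order, the target restriction, the disabled flag and the goto_next action described in the steps above combine across a policy hierarchy, here is an added Python model; it is not Google's code and not part of this page. It evaluates a constructed organization policy and folder policy against a few sample packets. The service accounts, the network name, the IP ranges and the rule layout are all made up, and treating "no rule matched" as goto_next to the next level, with the end of the chain handing off to the VPC firewall rules, is this example's reading of the page's "continue the firewall rule evaluation process".

```python
"""Model of how a chain of hierarchical firewall policies evaluates an ingress
packet.  Added example, not Google's code.  It encodes what this page states:
the lowest priority number is evaluated first, priorities are unique, disabled
rules are skipped, a rule only applies to its targets, allow/deny end
evaluation, and goto_next hands the packet to the next policy."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

_IANA = {"6": "tcp", "17": "udp", "1": "icmp"}   # IANA protocol numbers to names


@dataclass
class Rule:
    priority: int                      # 0 is the highest priority
    action: str                        # "allow", "deny" or "goto_next"
    src_ip_ranges: list                # CIDR strings; empty list = any source
    layer4_configs: list               # "tcp", "17", "tcp:80" or "tcp:5000-6000"
    target_networks: list = field(default_factory=list)          # empty = broadest targets
    target_service_accounts: list = field(default_factory=list)  # empty = broadest targets
    disabled: bool = False
    enable_logging: bool = False


@dataclass
class Interface:
    """Constructed stand-in for a VM network interface."""
    network: str
    service_account: str


def _l4_match(config, proto, port):
    """Match one Layer 4 config in the formats the page lists."""
    name, _, ports = config.partition(":")
    if _IANA.get(name, name) != proto:
        return False
    if not ports:                      # protocol only: any destination port
        return True
    lo, _, hi = ports.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _in_target(rule, nic):
    """A rule with no target flags applies to the broadest instance targets."""
    if rule.target_networks and nic.network not in rule.target_networks:
        return False
    if rule.target_service_accounts and nic.service_account not in rule.target_service_accounts:
        return False
    return True


def _src_match(rule, src):
    return not rule.src_ip_ranges or any(ip_address(src) in ip_network(r) for r in rule.src_ip_ranges)


def evaluate_policy(rules, nic, src, proto, port):
    """Return (action, rule) for the first enforced matching rule in one policy,
    or ("goto_next", None) when nothing in the policy matches."""
    priorities = [r.priority for r in rules]
    if len(set(priorities)) != len(priorities):
        raise ValueError("rule priorities must be unique within a policy")
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.disabled or not _in_target(rule, nic):
            continue
        if _src_match(rule, src) and any(_l4_match(c, proto, port) for c in rule.layer4_configs):
            return rule.action, rule
    return "goto_next", None


def evaluate_hierarchy(policies, nic, src, proto, port):
    """Walk policies top-down (organization, then folders).  goto_next or no
    match passes the packet down; after the last hierarchical policy the page
    says evaluation continues with the VPC firewall rules, returned here as the
    verdict "vpc_rules".  Returns (verdict, level, logged); logged is only ever
    True for allow/deny rules, since logging is not supported for goto_next."""
    for level, rules in policies:
        action, rule = evaluate_policy(rules, nic, src, proto, port)
        if action in ("allow", "deny"):
            return action, level, rule.enable_logging
    return "vpc_rules", None, False


# Constructed sample hierarchy (hypothetical names): the organization admits SSH
# only from the corporate range to bastion hosts and logs every other SSH
# attempt; a folder blocks RDP and carries a disabled catch-all that must not
# take effect.
BASTION_SA = "bastion@example-project.iam.gserviceaccount.com"
ORG_RULES = [
    Rule(100, "allow", ["10.0.0.0/8"], ["tcp:22"], target_service_accounts=[BASTION_SA]),
    Rule(200, "deny", ["0.0.0.0/0"], ["tcp:22"], enable_logging=True),
]
FOLDER_RULES = [
    Rule(500, "allow", [], ["tcp"], disabled=True),
    Rule(1000, "deny", ["0.0.0.0/0"], ["tcp:3389"], enable_logging=True),
]
POLICIES = [("organization", ORG_RULES), ("folder", FOLDER_RULES)]
BASTION_NIC = Interface("prod-vpc", BASTION_SA)
WEB_NIC = Interface("prod-vpc", "web@example-project.iam.gserviceaccount.com")

if __name__ == "__main__":
    for nic, src, port in [(BASTION_NIC, "10.1.2.3", 22), (WEB_NIC, "10.1.2.3", 22),
                           (WEB_NIC, "203.0.113.5", 443), (WEB_NIC, "203.0.113.5", 3389)]:
        print(nic.service_account.split("@")[0], src, port,
              evaluate_hierarchy(POLICIES, nic, src, "tcp", port))
```

Running the block prints one verdict per sample packet. The disabled catch-all allow at priority 500 is skipped rather than silently opening the folder, the org-level deny at priority 200 catches SSH to any non-bastion interface before the folder policy is consulted, and the `logged` flag only ever comes from allow and deny rules, matching the page's note that logging is not supported for goto_next rules.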

gcloud

gcloud compute firewall-policies rules create PRIORITY \
    --firewall-policy=POLICY_NAME \
    --organization=ORG_ID | --folder=FOLDER_ID \
    --description=DESCRIPTION \
    --direction=INGRESS \
    --action=ACTION \
    [--enable-logging | --no-enable-logging] \
    [--disabled | --no-disabled] \
    [--target-resources=TARGET_NETWORKS] \
    [--target-secure-tags=TARGET_SECURE_TAGS] \
    [--target-service-accounts=TARGET_SERVICE_ACCOUNTS] \
    [--layer4-configs=LAYER_4_CONFIGS] \
    [--src-network-type=SRC_NETWORK_TYPE] \
    [--src-networks=SRC_VPC_NETWORKS] \
    [--src-ip-ranges=SRC_IP_RANGES] \
    [--src-address-groups=SRC_ADDRESS_GROUPS] \
    [--src-fqdns=SRC_DOMAIN_NAMES] \
    [--src-secure-tags=SRC_SECURE_TAGS] \
    [--src-region-codes=SRC_COUNTRY_CODES] \
    [--src-threat-intelligence=SRC_THREAT_LIST_NAMES] \
    [--dest-ip-ranges=DEST_IP_RANGES]

Replace the following:

  • PRIORITY: the numeric evaluation order of the rule within the policy. The rules are evaluated from highest to lowest priority, where 0 is the highest priority. Priorities must be unique for each rule. We recommend that you separate rule priority values by more than just a difference of one (for example, 100, 200, 300) so that you can create new rules between the existing rules later.
  • POLICY_NAME: the name of the hierarchical firewall policy in which you want to create the rule.
  • ORG_ID: the organization ID that contains the hierarchical firewall policy, if its parent is an organization.
  • FOLDER_ID: the folder ID that contains the hierarchical firewall policy, if its parent is a folder.
  • DESCRIPTION: an optional description for the new rule.
  • ACTION: specify one of the following actions:

    • apply_security_profile_group: sends the packets to a firewall endpoint or intercept endpoint group.
      • When the action is apply_security_profile_group, you must include --security-profile-group SECURITY_PROFILE_GROUP, where SECURITY_PROFILE_GROUP is the name of a security profile group.
      • The security profile group's security profile can reference either a Cloud NGFW firewall endpoint or a Network Security Integration intercept endpoint group for in-band integration.
      • If the security profile group's security profile references a Cloud NGFW firewall endpoint, include either --tls-inspect or --no-tls-inspect to enable or disable TLS inspection.
  • The --enable-logging and --no-enable-logging flags enable or disable VPC firewall rules logging.
  • The --disabled and --no-disabled flags control whether the rule is disabled (not enforced) or enabled (enforced).
  • Specify a target:

    • If you omit the --target-resources, --target-secure-tags, and --target-service-accounts flags, Cloud NGFW uses the broadest instance targets.
    • TARGET_NETWORKS: a comma-separated list of VPC networks specified by their network resource URLs in the form https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK_NAME. The --target-resources flag can be used by itself or in combination with one other target flag. For more information, see Specific target combinations.
    • TARGET_SECURE_TAGS: a comma-separated list of secure tag values that narrows the broadest instance targets to the network interfaces of VM instances that are bound to at least one of the secure tag values.
    • TARGET_SERVICE_ACCOUNTS: a comma-separated list of service accounts that narrows the broadest instance targets to the network interfaces of VM instances that use one of the service accounts.
  • LAYER_4_CONFIGS: a comma-separated list of Layer 4 configs. Each Layer 4 config can be one of the following:
    • An IP protocol name (tcp) or IANA IP protocol number (17) without any destination port.
    • An IP protocol name and destination port separated by a colon (tcp:80).
    • An IP protocol name and destination port range separated by a colon, using a dash to separate the beginning and ending destination ports (tcp:5000-6000). For more information, see Protocols and ports.
  • Specify a source for the ingress rule. For more information, see Ingress rule source combinations:

    • SRC_NETWORK_TYPE: defines the source network type to be used in conjunction with another supported source parameter to produce a source combination. Valid values when --target-type=INSTANCES are INTERNET, NON_INTERNET, VPC_NETWORKS, or INTRA_VPC. For more information, see Network types.
    • SRC_VPC_NETWORKS: a comma-separated list of VPC networks specified by their URL identifiers. Specify this flag only when the --src-network-type is VPC_NETWORKS.
    • SRC_IP_RANGES: a comma-separated list of IP address ranges in CIDR format. Ranges in the list must all be either IPv4 CIDRs or IPv6 CIDRs, not a combination of both.
    • SRC_ADDRESS_GROUPS: a comma-separated list of address groups specified by their unique URL identifiers. Address groups in the list must contain all IPv4 addresses or all IPv6 addresses, not a combination of both.
    • SRC_DOMAIN_NAMES: a comma-separated list of FQDN objects specified in the domain name format.
    • SRC_SECURE_TAGS: a comma-separated list of Tags. You cannot use the --src-secure-tags flag if the --src-network-type is INTERNET.
    • SRC_COUNTRY_CODES: a comma-separated list of two-letter country codes. For more information, see Geolocation objects. You cannot use the --src-region-codes flag if the --src-network-type is NON_INTERNET, VPC_NETWORKS, or INTRA_VPC.
    • SRC_THREAT_LIST_NAMES: a comma-separated list of names of Google Threat Intelligence lists. For more information, see Google Threat Intelligence for firewall policy rules. You cannot use the --src-threat-intelligence flag if the --src-network-type is NON_INTERNET, VPC_NETWORKS, or INTRA_VPC.
  • Optionally, specify a destination for the ingress rule:

    • DEST_IP_RANGES: a comma-separated list of IP address ranges in CIDR format. Ranges in the list must all be either IPv4 CIDRs or IPv6 CIDRs, not a combination of both.
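
As an added example that is not Google's tooling and not part of this page, the following Python builds the argument list for the rules create command above from a dictionary and rejects the flag combinations that the list above says are invalid, so a misconfigured rule fails locally before anything is sent to the API. The spec keys, the policy name, the organization ID and the sample rule are constructed for the example; the flag names and the constraints are the ones documented above.

```python
"""Build and sanity-check a `gcloud compute firewall-policies rules create`
invocation for an ingress rule.  Added example, not part of Google's tooling.
The constraints checked are the ones listed on this page; the spec keys are
this example's own."""
import shlex
from ipaddress import ip_network

NETWORK_TYPES = {"INTERNET", "NON_INTERNET", "VPC_NETWORKS", "INTRA_VPC"}
ACTIONS = {"allow", "deny", "goto_next", "apply_security_profile_group"}
# spec key -> gcloud flag for the comma-separated list flags on this page
LIST_FLAGS = {
    "target_resources": "--target-resources", "target_secure_tags": "--target-secure-tags",
    "target_service_accounts": "--target-service-accounts", "layer4_configs": "--layer4-configs",
    "src_networks": "--src-networks", "src_ip_ranges": "--src-ip-ranges",
    "src_address_groups": "--src-address-groups", "src_fqdns": "--src-fqdns",
    "src_secure_tags": "--src-secure-tags", "src_region_codes": "--src-region-codes",
    "src_threat_intelligence": "--src-threat-intelligence", "dest_ip_ranges": "--dest-ip-ranges",
}


def _check_ranges(ranges, key):
    """Every CIDR must parse, and one flag may not mix IPv4 and IPv6."""
    if len({ip_network(r).version for r in ranges}) > 1:
        raise ValueError(f"{key}: IPv4 and IPv6 CIDRs cannot be combined in one flag")


def _check_layer4(configs):
    """Accept the page's formats: 'tcp', '17', 'tcp:80', 'tcp:5000-6000'."""
    for cfg in configs:
        proto, _, ports = cfg.partition(":")
        if not proto:
            raise ValueError(f"bad Layer 4 config {cfg!r}")
        if ports:
            lo, _, hi = ports.partition("-")
            lo, hi = int(lo), int(hi or lo)
            if not 0 <= lo <= hi <= 65535:
                raise ValueError(f"bad destination port range in {cfg!r}")


def build_rule_create_args(spec):
    """Return argv for the ingress rule described by `spec`, or raise ValueError."""
    if ("organization" in spec) == ("folder" in spec):
        raise ValueError("specify exactly one of organization or folder")
    if spec["action"] not in ACTIONS:
        raise ValueError(f"unknown action {spec['action']!r}")
    if spec["action"] == "apply_security_profile_group" and not spec.get("security_profile_group"):
        raise ValueError("apply_security_profile_group requires security_profile_group")
    if spec["action"] == "goto_next" and spec.get("enable_logging"):
        raise ValueError("firewall rules logging is not supported for goto_next rules")
    net_type = spec.get("src_network_type")
    if net_type and net_type not in NETWORK_TYPES:
        raise ValueError(f"unknown source network type {net_type!r}")
    if spec.get("src_networks") and net_type != "VPC_NETWORKS":
        raise ValueError("src_networks requires src_network_type VPC_NETWORKS")
    if spec.get("src_secure_tags") and net_type == "INTERNET":
        raise ValueError("src_secure_tags cannot be used with INTERNET")
    for key in ("src_region_codes", "src_threat_intelligence"):
        if spec.get(key) and net_type in {"NON_INTERNET", "VPC_NETWORKS", "INTRA_VPC"}:
            raise ValueError(f"{key} cannot be used with {net_type}")
    for key in ("src_ip_ranges", "dest_ip_ranges"):
        if spec.get(key):
            _check_ranges(spec[key], key)
    if spec.get("layer4_configs"):
        _check_layer4(spec["layer4_configs"])

    args = ["gcloud", "compute", "firewall-policies", "rules", "create",
            str(spec["priority"]), f"--firewall-policy={spec['policy']}"]
    args.append(f"--organization={spec['organization']}" if "organization" in spec
                else f"--folder={spec['folder']}")
    args += ["--direction=INGRESS", f"--action={spec['action']}"]
    if spec.get("description"):
        args.append(f"--description={spec['description']}")
    args.append("--enable-logging" if spec.get("enable_logging") else "--no-enable-logging")
    args.append("--disabled" if spec.get("disabled") else "--no-disabled")
    if spec.get("security_profile_group"):
        args.append(f"--security-profile-group={spec['security_profile_group']}")
        if "tls_inspect" in spec:
            args.append("--tls-inspect" if spec["tls_inspect"] else "--no-tls-inspect")
    if net_type:
        args.append(f"--src-network-type={net_type}")
    for key, flag in LIST_FLAGS.items():
        if spec.get(key):
            args.append(f"{flag}={','.join(spec[key])}")
    return args


# Constructed sample (hypothetical policy name and organization ID): a logged
# deny of SSH from any IPv4 source on the internet.
SAMPLE_SPEC = {
    "priority": 1000, "policy": "example-hfw-policy", "organization": "123456789012",
    "description": "Deny SSH from the internet", "action": "deny", "enable_logging": True,
    "src_network_type": "INTERNET", "src_ip_ranges": ["0.0.0.0/0"], "layer4_configs": ["tcp:22"],
}

if __name__ == "__main__":
    print(shlex.join(build_rule_create_args(SAMPLE_SPEC)))
```

`shlex.join` quotes the description so the printed line can be pasted into a shell unchanged; when the argv is handed to `subprocess.run` directly, no quoting is needed. Rejecting the invalid combinations locally matters for review workflows, where the generated command is typically approved before it is run.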

Create an egress rule for VM targets

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

  • compute.firewallPolicies.update

Roles

  • Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on the firewall policy or organization or folder that contains the policy
  • Compute Security Admin (roles/compute.securityAdmin) on the firewall policy or organization or folder that contains the policy

The following directions show how to create an egress rule. Egress rules only apply to targets that are network interfaces of Compute Engine instances.

Console

  1. In the Google Cloud console, go to theFirewall policies page.

    Go to Firewall policies

  2. In the project selector list, select a organization or folder that contains ahierarchical firewall policy.

  3. If necessary, in theHierarchy index section, select a child folder.

  4. In theFirewall policies section, click the name of a hierarchical firewall policyin which you want to create a rule.

  5. In theFirewall rules section, clickCreate firewall rule andspecify the following configuration parameters:

    1. Priority: the numeric evaluation order of the rule.

      The rules are evaluated from highest to lowest priority where0is the highest priority. Priorities must be unique for each rule.We recommend that you separate rule priority values by more thanjust a difference of one (for example,100,200,300) sothat you can create new rules between the existing rules later.

    2. Description: provide an optional description.

    3. Direction of traffic: selectEgress.

    4. Action on match: select one of the following:

      • Allow: to permit connections that match the rule parameters.
      • Deny: to block connections that match the rule parameters.
      • Go to next: to continue thefirewall rule evaluationprocess.
      • Apply security profile group: sends the packets to afirewall endpoint orintercept endpointgroupbased on thePurpose you select.
        • To send packets to a Cloud NGFW firewall endpoint,selectCloud NGFW Enterprise, then select aSecurityprofile group. To enable TLS inspection of the packets,selectEnable TLS inspection.
        • To send packets to a Network Security Integration interceptendpoint group for in-band integration, selectNSI In-Band,then select aSecurity profile group.

    5. Logs: selectOn to enable firewall rules logging orOffto disable firewall rules logging for this rule.

    6. Target networks: optionally, to make the firewall policy apply totargets in specific VPC networks, clickAdd network,and then select theProject and theNetwork.

    7. Target: select one of the following:

      • Apply to all: Cloud NGFW uses thebroadest instancetargets.
      • Service accounts: narrows the broadestinstance targets to the network interfaces of VM instances that use theservice account that you specify inTarget service account.
      • Secure tags: narrows the broadest instance targets to the networkinterfaces of VM instances that are bound to at least one of thesecuretag values that you specify. ClickSelect scope for tags and select the organization or project that containsthe tag values to match. To add more tag values, clickAdd tag.

    8. Destination network type: specify anetwork type:

    9. Destination filters: specify additional destination parameters. Some destination parameters can't be used together, and your choice of destination network type limits which destination filters you can use. For more information, see Destinations for egress rules and Egress rule destination combinations.

      • To filter outgoing traffic by destination IPv4 ranges, select IPv4, and then enter the CIDR blocks in the IP ranges field. Use 0.0.0.0/0 for any IPv4 destination.
      • To filter outgoing traffic by destination IPv6 ranges, select IPv6, and then enter the CIDR blocks into the IPv6 ranges field. Use ::/0 for any IPv6 destination.
      • To filter outgoing traffic by destination FQDN, enter FQDNs in the FQDNs field. For more information, see FQDN objects.
      • To filter outgoing traffic by destination geolocation, select one or more locations from the Geolocations field. For more information, see Geolocation objects.
      • To filter outgoing traffic by destination address group, select one or more address groups from the Address groups field. For more information, see Address groups for firewall policies.
      • To filter outgoing traffic by destination Google Threat Intelligence lists, select one or more Google Threat Intelligence lists from the Google Cloud Threat Intelligence field. For more information, see Google Threat Intelligence for firewall policy rules.

    10. Source: specify optional source parameters. For more information, see Sources for egress rules.

      • To skip filtering outgoing traffic by source IP address, select None.
      • To filter outgoing traffic by source IP address, select IPv4 or IPv6 and then enter one or more CIDRs using the same format used for destination IPv4 ranges or destination IPv6 ranges.

    11. Protocols and ports: specify the protocols and destination ports for traffic to match the rule. For more information, see Protocols and ports.

    12. Enforcement: specify whether the firewall rule is enforced or not:

      • Enabled: creates the rule and begins enforcing the rule on new connections.
      • Disabled: creates the rule but doesn't enforce the rule on new connections.
  6. Click Create.

gcloud

gcloud compute firewall-policies rules create PRIORITY \
    --firewall-policy=POLICY_NAME \
    --organization=ORG_ID | --folder=FOLDER_ID \
    --description=DESCRIPTION \
    --direction=EGRESS \
    --action=ACTION \
    [--enable-logging | --no-enable-logging] \
    [--disabled | --no-disabled] \
    [--target-resources=TARGET_NETWORKS] \
    [--target-secure-tags=TARGET_SECURE_TAGS] \
    [--target-service-accounts=TARGET_SERVICE_ACCOUNTS] \
    [--layer4-configs=LAYER_4_CONFIGS] \
    [--dest-network-type=DEST_NETWORK_TYPE] \
    [--dest-ip-ranges=DEST_IP_RANGES] \
    [--dest-address-groups=DEST_ADDRESS_GROUPS] \
    [--dest-fqdns=DEST_DOMAIN_NAMES] \
    [--dest-region-codes=DEST_COUNTRY_CODES] \
    [--dest-threat-intelligence=DEST_THREAT_LIST_NAMES] \
    [--src-ip-ranges=SRC_IP_RANGES]

Replace the following:

  • PRIORITY: the numeric evaluation order of the rule within the policy. The rules are evaluated from highest to lowest priority, where 0 is the highest priority. Priorities must be unique for each rule. We recommend that you separate rule priority values by more than just a difference of one (for example, 100, 200, 300) so that you can create new rules between the existing rules later.
  • POLICY_NAME: the name of the hierarchical firewall policy in which you want to create the rule.
  • ORG_ID: the organization ID that contains the hierarchical firewall policy, if its parent is an organization.
  • FOLDER_ID: the folder ID that contains the hierarchical firewall policy, if its parent is a folder.
  • DESCRIPTION: an optional description for the new rule.
  • ACTION: specify one of the following actions:

    • allow: permits connections that match the rule parameters.
    • deny: blocks connections that match the rule parameters.
    • goto_next: continues the firewall rule evaluation process.
    • apply_security_profile_group: sends the packets to a firewall endpoint or intercept endpoint group.
      • When the action is apply_security_profile_group, you must include --security-profile-group SECURITY_PROFILE_GROUP, where SECURITY_PROFILE_GROUP is the name of a security profile group.
      • The security profile group's security profile can reference either a Cloud NGFW firewall endpoint or a Network Security Integration intercept endpoint group for in-band integration.
      • If the security profile group's security profile references a Cloud NGFW firewall endpoint, include either --tls-inspect or --no-tls-inspect to enable or disable TLS inspection.
  • The --enable-logging and --no-enable-logging flags enable or disable VPC firewall rules logging.
  • The --disabled and --no-disabled flags control whether the rule is disabled (not enforced) or enabled (enforced).
  • Specify a target:

    • If you omit the --target-resources, --target-secure-tags, and --target-service-accounts flags, Cloud NGFW uses the broadest instance targets.
    • TARGET_NETWORKS: a comma-separated list of VPC networks specified by their network resource URLs in the form https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK_NAME. The --target-resources flag can be used by itself or in combination with one other target flag. For more information, see Specific target combinations.
    • TARGET_SECURE_TAGS: a comma-separated list of secure tag values that narrows the broadest instance targets to the network interfaces of VM instances that are bound to at least one of the secure tag values.
    • TARGET_SERVICE_ACCOUNTS: a comma-separated list of service accounts that narrows the broadest instance targets to the network interfaces of VM instances that use one of the service accounts.
  • LAYER_4_CONFIGS: a comma-separated list of Layer 4 configs. Each Layer 4 config can be one of the following:
    • An IP protocol name (tcp) or IANA IP protocol number (17) without any destination port.
    • An IP protocol name and destination port separated by a colon (tcp:80).
    • An IP protocol name and destination port range separated by a colon, using a dash to separate the beginning and ending destination ports (tcp:5000-6000). For more information, see Protocols and ports.
  • Specify a destination for the egress rule. For more information, see Egress rule destination combinations:

    • DEST_NETWORK_TYPE: defines a destination network type to be used in conjunction with another supported destination parameter to produce a destination combination. Valid values are INTERNET and NON_INTERNET. For more information, see Network types.
    • DEST_IP_RANGES: a comma-separated list of IP address ranges in CIDR format. Ranges in the list must all be either IPv4 CIDRs or IPv6 CIDRs, not a combination of both.
    • DEST_ADDRESS_GROUPS: a comma-separated list of address groups specified by their unique URL identifiers.
    • DEST_DOMAIN_NAMES: a comma-separated list of FQDN objects specified in the domain name format.
    • DEST_COUNTRY_CODES: a comma-separated list of two-letter country codes. For more information, see Geolocation objects.
    • DEST_THREAT_LIST_NAMES: a comma-separated list of names of Google Threat Intelligence lists. For more information, see Google Threat Intelligence for firewall policy rules.
  • Optionally, specify a source for the egress rule:

    • SRC_IP_RANGES: a comma-separated list of IP address ranges in CIDR format. Ranges in the list must all be either IPv4 CIDRs or IPv6 CIDRs, not a combination of both.
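The constraints above (unique priorities, no logging on a goto_next rule, a security profile group required for apply_security_profile_group, no mixed IPv4 and IPv6 ranges in one list, the Layer 4 config syntax) are easy to get wrong by hand, so the following added example, which is not Google's code or part of this page, checks a rule spec against them before assembling the gcloud command. The rule values, the priorities assumed to exist, and the service account are constructed for illustration.

```python
import ipaddress
import re

# Values the page lists for --action; goto_next is not a terminal action.
ACTIONS = {"allow", "deny", "goto_next", "apply_security_profile_group"}
# Layer 4 config forms from this page: tcp, 17, tcp:80, tcp:5000-6000.
LAYER4_RE = re.compile(r"^([a-z]+|\d{1,3})(:\d{1,5}(-\d{1,5})?)?$")


def _check_ip_versions(key, cidrs, problems):
    """Record invalid CIDRs and a mixed IPv4/IPv6 list for the given flag."""
    versions = set()
    for cidr in cidrs:
        try:
            versions.add(ipaddress.ip_network(cidr, strict=False).version)
        except ValueError:
            problems.append(f"{key}: {cidr!r} is not a valid CIDR")
    if len(versions) > 1:
        problems.append(f"{key}: IPv4 and IPv6 ranges cannot be mixed in one list")


def validate_rule(rule, existing_priorities=()):
    """Return the problems found; an empty list means every check passed."""
    problems = []
    prio = rule.get("priority")
    if not isinstance(prio, int) or prio < 0:
        problems.append("priority must be a non-negative integer (0 is evaluated first)")
    elif prio in existing_priorities:
        problems.append(f"priority {prio} is already used in this policy")
    action = rule.get("action")
    if action not in ACTIONS:
        problems.append(f"unknown action {action!r}")
    if action == "goto_next" and rule.get("enable_logging"):
        problems.append("logging cannot be enabled on a goto_next rule")
    if action == "apply_security_profile_group" and not rule.get("security_profile_group"):
        problems.append("apply_security_profile_group requires a security profile group")
    l4 = rule.get("layer4_configs") or []
    if not l4:
        problems.append("at least one Layer 4 config (protocol or protocol:port) is required")
    problems += [f"malformed Layer 4 config {c!r}" for c in l4 if not LAYER4_RE.match(c)]
    for key in ("dest_ip_ranges", "src_ip_ranges"):
        _check_ip_versions(key, rule.get(key, []), problems)
    return problems


def build_command(rule, policy, org_id):
    """Assemble, as an argv list, the gcloud rules create command shown on this page."""
    argv = ["gcloud", "compute", "firewall-policies", "rules", "create",
            str(rule["priority"]), f"--firewall-policy={policy}",
            f"--organization={org_id}", "--direction=EGRESS", f"--action={rule['action']}",
            "--layer4-configs=" + ",".join(rule["layer4_configs"]),
            "--enable-logging" if rule.get("enable_logging") else "--no-enable-logging"]
    for key, flag in (("dest_ip_ranges", "--dest-ip-ranges"), ("src_ip_ranges", "--src-ip-ranges"),
                      ("target_service_accounts", "--target-service-accounts")):
        if rule.get(key):
            argv.append(flag + "=" + ",".join(rule[key]))
    if rule.get("security_profile_group"):
        argv.append(f"--security-profile-group={rule['security_profile_group']}")
    return argv


# Constructed sample (not from the page): a logged default-deny egress rule for the VMs
# of one service account; the large priority number makes it evaluate after the 100/200/300 rules.
SAMPLE_RULE = {"priority": 65000, "action": "deny", "enable_logging": True,
               "layer4_configs": ["tcp", "udp"], "dest_ip_ranges": ["0.0.0.0/0"],
               "target_service_accounts": ["batch-worker@example-project.iam.gserviceaccount.com"]}

if __name__ == "__main__":  # stand-alone run: print the problems, or the assembled command
    errs = validate_rule(SAMPLE_RULE, existing_priorities={100, 200, 300})
    print("\n".join(errs) or " \\\n    ".join(build_command(SAMPLE_RULE, "POLICY_NAME", "ORG_ID")))
```

Feed the existing priorities from gcloud compute firewall-policies list-rules so the uniqueness check reflects the real policy; the script never calls gcloud itself.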

List all rules in a policy

Permissions required for this task

To perform this task, you must have been granted the following permissionsor one of the following IAM roles.

Permissions

  • compute.firewallPolicies.get

Roles

  • Compute Network Admin (roles/compute.networkAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself
  • Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself
  • Compute Organization Firewall Policy User (roles/compute.orgFirewallPolicyUser) on the parent (organization or folder) resource that contains the policy or the policy itself
  • Compute Security Admin (roles/compute.securityAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. In the project selector menu, select your organization ID or the folder that contains the policy.

  3. Click your policy. Rules are listed on the Firewall rules tab.

gcloud

gcloud compute firewall-policies list-rules POLICY_NAME \
    --organization=ORG_ID

Replace the following:

  • POLICY_NAME: the name of the hierarchical firewall policy that contains the rule.
  • ORG_ID: the organization ID that contains the hierarchical firewall policy.

Describe a rule

Permissions required for this task

To perform this task, you must have been granted the following permissionsor one of the following IAM roles.

Permissions

  • compute.firewallPolicies.get

Roles

  • Compute Network Admin (roles/compute.networkAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself
  • Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself
  • Compute Organization Firewall Policy User (roles/compute.orgFirewallPolicyUser) on the parent (organization or folder) resource that contains the policy or the policy itself
  • Compute Security Admin (roles/compute.securityAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. In the project selector menu, select your organization ID or the folder that contains the policy.

  3. Click your policy.

  4. Click the priority of the rule.

gcloud

gcloud compute firewall-policies rules describe PRIORITY \
    --firewall-policy=POLICY_NAME \
    --organization=ORG_ID

Replace the following:

  • PRIORITY: the priority of the rule that you want to describe.
  • POLICY_NAME: the name of the hierarchical firewall policy that contains the rule.
  • ORG_ID: the organization ID that contains the hierarchical firewall policy.

Update a rule

Permissions required for this task

To perform this task, you must have been granted the following permissionsor one of the following IAM roles.

Permissions

  • compute.firewallPolicies.update

Roles

  • Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself
  • Compute Security Admin (roles/compute.securityAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. In the project selector menu, select the organization or folder that contains the hierarchical firewall policy.

  3. Click the name of the hierarchical firewall policy that contains the rule to update.

  4. Click the priority of the rule.

  5. Click Edit.

  6. Modify the firewall rule fields that you want to change. For descriptions about each field, see one of the following:

  7. Click Save.

gcloud

gcloud compute firewall-policies rules update PRIORITY \
    --firewall-policy=POLICY_NAME \
    --organization=ORG_ID \
    [...other flags that you want to modify...]

Replace the following:

  • PRIORITY: the priority number that uniquely identifies the rule.
  • POLICY_NAME: the name of the policy that contains the rule.
  • ORG_ID: the organization ID that contains the hierarchical firewall policy.

Supply the flags that you want to modify. For flag descriptions, see one of the following:

Clone rules from one policy to another

Remove all rules from the target policy and replace them withthe rules in the source policy.

Permissions required for this task

To perform this task, you must have been granted the following permissionsor one of the following IAM roles.

Permissions

  • compute.firewallPolicies.copyRules

Roles

  • Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself
  • Compute Security Admin (roles/compute.securityAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. In the project selector menu, select your organization ID or the folder that contains the policy.

  3. Click the policy that you want to copy rules from.

  4. Click Clone at the top of the screen.

  5. Provide the name of a target policy.

  6. If you want to associate the new policy immediately, click Continue to open the Associate policy with resources section.

  7. ClickClone.

gcloud

gcloud compute firewall-policies clone-rules POLICY_NAME \
    --source-firewall-policy=SOURCE_POLICY \
    --organization=ORG_ID

Replace the following:

  • POLICY_NAME: the policy to receive the copied rules.
  • SOURCE_POLICY: the policy to copy the rules from; must be the URL of the resource.
  • ORG_ID: the organization ID that contains the hierarchical firewall policy.

Delete a rule

Deleting a rule from a policy causes the rule to no longer apply to newconnections to or from the rule's target.

Permissions required for this task

To perform this task, you must have been granted the following permissionsor one of the following IAM roles.

Permissions

  • compute.firewallPolicies.update

Roles

  • Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself
  • Compute Security Admin (roles/compute.securityAdmin) on the parent (organization or folder) resource that contains the policy or the policy itself

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. In the project selector menu, select your organization ID or the folder that contains the policy.

  3. Click your policy.

  4. Select the rule that you want to delete.

  5. Click Delete.

gcloud

gcloud compute firewall-policies rules delete PRIORITY \
    --firewall-policy=POLICY_NAME \
    --organization=ORG_ID

Replace the following:

  • PRIORITY: the priority of the rule that you want to delete from the policy.
  • POLICY_NAME: the name of the hierarchical firewall policy that contains the rule.
  • ORG_ID: the organization ID that contains the hierarchical firewall policy.

Get effective firewall rules for a network

You can view all hierarchical firewall policy rules, VPC firewallrules, and global network firewall policy rules that apply to all regions of aVPC network.

Permissions required for this task

To perform this task, you must have been granted the following permissionsor one of the following IAM roles.

Permissions

  • compute.networks.getEffectiveFirewalls
  • compute.networks.getRegionEffectiveFirewalls

Roles

  • Compute Network Admin (roles/compute.networkAdmin) on the project containing the network, or
  • Compute Network User (roles/compute.networkUser) on the project containing the network, or
  • Compute Network Viewer (roles/compute.networkViewer) on the project containing the network, or
  • Compute Security Admin (roles/compute.securityAdmin) on the project containing the network, or
  • Compute Viewer (roles/compute.viewer) on the project containing the network

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Click the network you want to view firewall policy rules for.

  3. Click Firewalls.

  4. Expand each firewall policy to view the rules that apply to this network.

gcloud

gcloud compute networks get-effective-firewalls NETWORK_NAME

Replace NETWORK_NAME with the network for which you want to view the effective rules.

You can also view effective firewall rules for a network from the Firewall page.

Permissions required for this task

To perform this task, you must have been granted the following permissionsor one of the following IAM roles.

Permissions

  • compute.organizations.listAssociations on the network
  • Optional: resourcemanager.folders.get and resourcemanager.organizations.get to view information in the Inherited from and Located at columns

Roles

To view firewall rules:

  • compute.orgSecurityResourceAdmin
  • compute.viewer

Optional: To view information in the Inherited from and Located at columns:

  • browser
  • resourcemanager.organizationAdmin

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. The firewall policies are listed in the Firewall policies inherited by this project section.

  3. Click each firewall policy to view the rules that apply to this network.

Get effective firewall rules for a VM interface

You can view all firewall rules, from all applicable firewall policies and VPC firewall rules, that apply to a network interface of a Compute Engine VM.

Permissions required for this task

To perform this task, you must have been granted the following permissionsor one of the following IAM roles.

Permissions

  • compute.instances.getEffectiveFirewalls

Roles

  • Compute Instance Admin (roles/compute.instanceAdmin) on the project containing the VM instance, or
  • Instance Group Manager Service Agent (roles/compute.instanceGroupManagerServiceAgent) on the project containing the VM instance, or
  • Compute Security Admin (roles/compute.securityAdmin) on the project containing the VM instance, or
  • Compute Viewer (roles/compute.viewer) on the project containing the VM instance

Console

  1. In the Google Cloud console, go to the VM instances page.

    Go to VM instances

  2. In the project selector menu, select the project that contains the VM.

  3. Click the VM.

  4. For Network interfaces, click the interface.

  5. Effective firewall rules appear in the Firewalls tab available in the Network configuration analysis section.

gcloud

gcloud compute instances network-interfaces get-effective-firewalls INSTANCE_NAME \
    [--network-interface=INTERFACE] \
    [--zone=ZONE]

Replace the following:

  • INSTANCE_NAME: the VM for which you want to view the effective rules; if no interface is specified, the command returns rules for the primary interface (nic0).
  • INTERFACE: the VM interface for which you want to view the effective rules; the default value is nic0.
  • ZONE: the zone of the VM; this flag is optional if the chosen zone is already set as the default.

Troubleshooting

This section contains explanations for error messages that you might encounter.

  • FirewallPolicy may not specify a name. One will be provided.

    You cannot specify a policy name. Hierarchical firewall policy "names" are numerical IDs generated by Google Cloud when the policy is created. However, you can specify a friendlier short name that acts as an alias in many contexts.

  • FirewallPolicy may not specify associations on creation.

    Associations can only be created after hierarchical firewall policies are created.

  • Can't move firewall policy to a different organization.

    Hierarchical firewall policy moves must stay within the same organization.

  • The attachment already has an association. Please set the option of replacing existing association to true if you want to replace the old one.

    If a resource is already attached to a hierarchical firewall policy, the attachment operation fails unless the option of replacing the existing association is set to true.

  • Can't have rules with the same priorities.

    Priorities of rules are required to be unique within a hierarchical firewall policy.

  • Direction must be specified for a firewall policy rule.

    When creating hierarchical firewall policy rules by sending REST requests directly, the direction of the rule must be specified. When using the Google Cloud CLI and no direction is specified, the default is INGRESS.

  • Can't specify enable_logging on a goto_next rule.

    Firewall Logging isn't allowed for rules with the goto_next action because goto_next actions are used to represent the evaluation order of different firewall policies and aren't terminal actions such as ALLOW or DENY.

  • Must specify at least one destination on Firewall policy rule.

    The layer4Configs flag in the firewall policy rule must specify at least one protocol or protocol and destination port.

For more information about troubleshooting firewall policy rules, see VPC firewall rules troubleshooting.

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.