gcloud compute network-firewall-policies rules update

NAME
gcloud compute network-firewall-policies rules update - updates a Compute Engine network firewall policy rule
SYNOPSIS
gcloud compute network-firewall-policies rules updatePRIORITY--firewall-policy=FIREWALL_POLICY[--action=ACTION][--description=DESCRIPTION][--dest-address-groups=[DEST_ADDRESS_GROUPS,…]][--dest-fqdns=[DEST_FQDNS,…]][--dest-ip-ranges=[DEST_IP_RANGE,…]][--dest-network-context=DEST_NETWORK_CONTEXT][--dest-region-codes=[DEST_REGION_CODES,…]][--dest-threat-intelligence=[DEST_THREAT_INTELLIGENCE_LISTS,…]][--direction=DIRECTION][--[no-]disabled][--[no-]enable-logging][--layer4-configs=[LAYER4_CONFIG,…]][--new-priority=NEW_PRIORITY][--security-profile-group=SECURITY_PROFILE_GROUP][--src-address-groups=[SOURCE_ADDRESS_GROUPS,…]][--src-fqdns=[SOURCE_FQDNS,…]][--src-ip-ranges=[SRC_IP_RANGE,…]][--src-network-context=SRC_NETWORK_CONTEXT][--src-networks=[SRC_NETWORKS,…]][--src-region-codes=[SOURCE_REGION_CODES,…]][--src-secure-tags=[SOURCE_SECURE_TAGS,…]][--src-threat-intelligence=[SOURCE_THREAT_INTELLIGENCE_LISTS,…]][--target-secure-tags=[TARGET_SECURE_TAGS,…]][--target-service-accounts=[TARGET_SERVICE_ACCOUNTS,…]][--[no-]tls-inspect][--firewall-policy-region=FIREWALL_POLICY_REGION    |--global-firewall-policy][GCLOUD_WIDE_FLAG]
DESCRIPTION
gcloud compute network-firewall-policies rules update is used toupdate network firewall policy rules.
EXAMPLES
To update a rule with priority10 in aglobal network firewall policy with namemy-policy to change the action toallow and description tonew example rule, run:
gcloudcomputenetwork-firewall-policiesrulesupdate10--firewall-policy=my-policy--action=allow--description="new example rule"
POSITIONAL ARGUMENTS
PRIORITY
Priority of the rule to be updated. Valid in [0, 2147483547].
REQUIRED FLAGS
--firewall-policy=FIREWALL_POLICY
Firewall policy ID with which to update rule.
OPTIONAL FLAGS
--action=ACTION
Action to take if the request matches the match condition.ACTION must be one of:allow,deny,goto_next,apply_security_profile_group.
--description=DESCRIPTION
An optional, textual description for the rule.
--dest-address-groups=[DEST_ADDRESS_GROUPS,…]
Destination address groups to match for this rule. Can only be specified ifDIRECTION is engress.
--dest-fqdns=[DEST_FQDNS,…]
Destination FQDNs to match for this rule. Can only be specified if DIRECTION isegress.
--dest-ip-ranges=[DEST_IP_RANGE,…]
Destination IP ranges to match for this rule.
--dest-network-context=DEST_NETWORK_CONTEXT
Use this flag to indicate that the rule should match internet or non-internettraffic. It applies to destination traffic for egress rules. Valid values areINTERNET and NON_INTERNET. Use empty string to clear the field.
--dest-region-codes=[DEST_REGION_CODES,…]
Destination Region Code to match for this rule. Can only be specified ifDIRECTION isegress.
--dest-threat-intelligence=[DEST_THREAT_INTELLIGENCE_LISTS,…]
Destination Threat Intelligence lists to match for this rule. Can only bespecified if DIRECTION isegress. The available lists can be foundhere:https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy.
--direction=DIRECTION
Direction of the traffic the rule is applied. The default is to apply onincoming traffic.DIRECTION must be one of:INGRESS,EGRESS.
--[no-]disabled
Use this flag to disable the rule. Disabled rules will not affect traffic. Use--disabled to enable and--no-disabled to disable.
--[no-]enable-logging
Use this flag to enable logging of connections that allowed or denied by thisrule. Use--enable-logging to enable and--no-enable-logging to disable.
--layer4-configs=[LAYER4_CONFIG,…]
A list of destination protocols and ports to which the firewall rule will apply.
--new-priority=NEW_PRIORITY
New priority for the rule to update. Valid in [0, 65535].
--security-profile-group=SECURITY_PROFILE_GROUP
A security profile group to be used with apply_security_profile_group action.
--src-address-groups=[SOURCE_ADDRESS_GROUPS,…]
Source address groups to match for this rule. Can only be specified if DIRECTIONis ingress.
--src-fqdns=[SOURCE_FQDNS,…]
Source FQDNs to match for this rule. Can only be specified if DIRECTION isingress.
--src-ip-ranges=[SRC_IP_RANGE,…]
A list of IP address blocks that are allowed to make inbound connections thatmatch the firewall rule to the instances on the network. The IP address blocksmust be specified in CIDR format:http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing.Either--src-ip-ranges or --src-secure-tags must be specified for INGRESS traffic. Ifboth --src-ip-ranges and --src-secure-tags are specified, the rule matches ifeither the range of the source matches --src-ip-ranges or the secure tag of thesource matches --src-secure-tags.Multiple IP address blocks can be specified ifthey are separated by commas.
--src-network-context=SRC_NETWORK_CONTEXT
Use this flag to indicate that the rule should match internet, non-internettraffic or traffic coming from the network specified by --src-networks. Itapplies to ingress rules. Valid values are INTERNET, NON_INTERNET, VPC_NETWORKSand INTRA_VPC. Use empty string to clear the field.
--src-networks=[SRC_NETWORKS,…]
The source VPC networks to match for this rule. It can only be specified when--src-network-type is VPC_NETWORKS. It applies to ingress rules. It accepts fullor partial URLs.
--src-region-codes=[SOURCE_REGION_CODES,…]
Source Region Code to match for this rule. Can only be specified if DIRECTION isingress.
--src-secure-tags=[SOURCE_SECURE_TAGS,…]
A list of instance secure tags indicating the set of instances on the network towhich the rule applies if all other fields match. Either --src-ip-ranges or--src-secure-tags must be specified for ingress traffic. If both --src-ip-rangesand --src-secure-tags are specified, an inbound connection is allowed if eitherthe range of the source matches --src-ip-ranges or the tag of the source matches--src-secure-tags. Secure Tags can be assigned to instances during instancecreation.
--src-threat-intelligence=[SOURCE_THREAT_INTELLIGENCE_LISTS,…]
Source Threat Intelligence lists to match for this rule. Can only be specifiedif DIRECTION isingress. The available lists can be found here:https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy.
--target-secure-tags=[TARGET_SECURE_TAGS,…]
An optional, list of target secure tags with a name of the format tagValues/ orfull namespaced name
--target-service-accounts=[TARGET_SERVICE_ACCOUNTS,…]
List of target service accounts for the rule.
--[no-]tls-inspect
Use this flag to indicate whether TLS traffic should be inspected using the TLSinspection policy when the security profile group is applied. Default: no TLSinspection. Use--tls-inspect to enable and--no-tls-inspect to disable.
At most one of these can be specified:
--firewall-policy-region=FIREWALL_POLICY_REGION
Region of the firewall policy to operate on. Overrides the defaultcompute/region property value for this command invocation.
--global-firewall-policy
If set, the firewall policy is global.
GCLOUD WIDE FLAGS
These flags are available to all commands:--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.

Run$gcloud help for details.

NOTES
These variants are also available:
gcloudalphacomputenetwork-firewall-policiesrulesupdate
gcloudbetacomputenetwork-firewall-policiesrulesupdate

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.