mirror of
https://github.com/imjasonh/gcloud-help
synced 2026-07-08 10:35:03 +00:00
177 lines
7.5 KiB
Text
177 lines
7.5 KiB
Text
NAME
|
|
gcloud compute network-firewall-policies rules update - updates a Compute
|
|
Engine network firewall policy rule
|
|
|
|
SYNOPSIS
|
|
gcloud compute network-firewall-policies rules update PRIORITY
|
|
--firewall-policy=FIREWALL_POLICY [--action=ACTION]
|
|
[--description=DESCRIPTION]
|
|
[--dest-address-groups=[DEST_ADDRESS_GROUPS,...]]
|
|
[--dest-fqdns=[DEST_FQDNS,...]] [--dest-ip-ranges=[DEST_IP_RANGE,...]]
|
|
[--dest-region-codes=[DEST_REGION_CODES,...]]
|
|
[--dest-threat-intelligence=[DEST_THREAT_INTELLIGENCE_LISTS,...]]
|
|
[--direction=DIRECTION] [--[no-]disabled] [--[no-]enable-logging]
|
|
[--layer4-configs=[LAYER4_CONFIG,...]] [--new-priority=NEW_PRIORITY]
|
|
[--security-profile-group=SECURITY_PROFILE_GROUP]
|
|
[--src-address-groups=[SOURCE_ADDRESS_GROUPS,...]]
|
|
[--src-fqdns=[SOURCE_FQDNS,...]] [--src-ip-ranges=[SRC_IP_RANGE,...]]
|
|
[--src-region-codes=[SOURCE_REGION_CODES,...]]
|
|
[--src-secure-tags=[SOURCE_SECURE_TAGS,...]]
|
|
[--src-threat-intelligence=[SOURCE_THREAT_INTELLIGENCE_LISTS,...]]
|
|
[--target-secure-tags=[TARGET_SECURE_TAGS,...]]
|
|
[--target-service-accounts=[TARGET_SERVICE_ACCOUNTS,...]]
|
|
[--[no-]tls-inspect]
|
|
[--firewall-policy-region=FIREWALL_POLICY_REGION
|
|
| --global-firewall-policy] [GCLOUD_WIDE_FLAG ...]
|
|
|
|
DESCRIPTION
|
|
gcloud compute network-firewall-policies rules update is used to update
|
|
network firewall policy rules.
|
|
|
|
EXAMPLES
|
|
To update a rule with priority 10 in a global network firewall policy with
|
|
name my-policy to change the action to allow and description to new example
|
|
rule, run:
|
|
|
|
$ gcloud compute network-firewall-policies rules update 10 \
|
|
--firewall-policy=my-policy --action=allow \
|
|
--description="new example rule"
|
|
|
|
POSITIONAL ARGUMENTS
|
|
PRIORITY
|
|
Priority of the rule to be updated. Valid in [0, 65535].
|
|
|
|
REQUIRED FLAGS
|
|
--firewall-policy=FIREWALL_POLICY
|
|
Firewall policy ID with which to update rule.
|
|
|
|
OPTIONAL FLAGS
|
|
--action=ACTION
|
|
Action to take if the request matches the match condition. ACTION must
|
|
be one of: allow, deny, goto_next, apply_security_profile_group.
|
|
|
|
--description=DESCRIPTION
|
|
An optional, textual description for the rule.
|
|
|
|
--dest-address-groups=[DEST_ADDRESS_GROUPS,...]
|
|
Destination address groups to match for this rule. Can only be
|
|
specified if DIRECTION is engress.
|
|
|
|
--dest-fqdns=[DEST_FQDNS,...]
|
|
Destination FQDNs to match for this rule. Can only be specified if
|
|
DIRECTION is egress.
|
|
|
|
--dest-ip-ranges=[DEST_IP_RANGE,...]
|
|
Destination IP ranges to match for this rule.
|
|
|
|
--dest-region-codes=[DEST_REGION_CODES,...]
|
|
Destination Region Code to match for this rule. Can only be specified
|
|
if DIRECTION is egress.
|
|
|
|
--dest-threat-intelligence=[DEST_THREAT_INTELLIGENCE_LISTS,...]
|
|
Destination Threat Intelligence lists to match for this rule. Can only
|
|
be specified if DIRECTION is egress. The available lists can be found
|
|
here:
|
|
https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy.
|
|
|
|
--direction=DIRECTION
|
|
Direction of the traffic the rule is applied. The default is to apply
|
|
on incoming traffic. DIRECTION must be one of: INGRESS, EGRESS.
|
|
|
|
--[no-]disabled
|
|
Use this flag to disable the rule. Disabled rules will not affect
|
|
traffic. Use --disabled to enable and --no-disabled to disable.
|
|
|
|
--[no-]enable-logging
|
|
Use this flag to enable logging of connections that allowed or denied
|
|
by this rule. Use --enable-logging to enable and --no-enable-logging to
|
|
disable.
|
|
|
|
--layer4-configs=[LAYER4_CONFIG,...]
|
|
A list of destination protocols and ports to which the firewall rule
|
|
will apply.
|
|
|
|
--new-priority=NEW_PRIORITY
|
|
New priority for the rule to update. Valid in [0, 65535].
|
|
|
|
--security-profile-group=SECURITY_PROFILE_GROUP
|
|
A security profile group to be used with apply_security_profile_group
|
|
action.
|
|
|
|
--src-address-groups=[SOURCE_ADDRESS_GROUPS,...]
|
|
Source address groups to match for this rule. Can only be specified if
|
|
DIRECTION is ingress.
|
|
|
|
--src-fqdns=[SOURCE_FQDNS,...]
|
|
Source FQDNs to match for this rule. Can only be specified if DIRECTION
|
|
is ingress.
|
|
|
|
--src-ip-ranges=[SRC_IP_RANGE,...]
|
|
A list of IP address blocks that are allowed to make inbound
|
|
connections that match the firewall rule to the instances on the
|
|
network. The IP address blocks must be specified in CIDR format:
|
|
http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing.Either
|
|
--src-ip-ranges or --src-secure-tags must be specified for INGRESS
|
|
traffic. If both --src-ip-ranges and --src-secure-tags are specified,
|
|
the rule matches if either the range of the source matches
|
|
--src-ip-ranges or the secure tag of the source matches
|
|
--src-secure-tags.Multiple IP address blocks can be specified if they
|
|
are separated by commas.
|
|
|
|
--src-region-codes=[SOURCE_REGION_CODES,...]
|
|
Source Region Code to match for this rule. Can only be specified if
|
|
DIRECTION is ingress.
|
|
|
|
--src-secure-tags=[SOURCE_SECURE_TAGS,...]
|
|
A list of instance secure tags indicating the set of instances on the
|
|
network to which the rule applies if all other fields match. Either
|
|
--src-ip-ranges or --src-secure-tags must be specified for ingress
|
|
traffic. If both --src-ip-ranges and --src-secure-tags are specified,
|
|
an inbound connection is allowed if either the range of the source
|
|
matches --src-ip-ranges or the tag of the source matches
|
|
--src-secure-tags. Secure Tags can be assigned to instances during
|
|
instance creation.
|
|
|
|
--src-threat-intelligence=[SOURCE_THREAT_INTELLIGENCE_LISTS,...]
|
|
Source Threat Intelligence lists to match for this rule. Can only be
|
|
specified if DIRECTION is ingress. The available lists can be found
|
|
here:
|
|
https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy.
|
|
|
|
--target-secure-tags=[TARGET_SECURE_TAGS,...]
|
|
An optional, list of target secure tags with a name of the format
|
|
tagValues/ or full namespaced name
|
|
|
|
--target-service-accounts=[TARGET_SERVICE_ACCOUNTS,...]
|
|
List of target service accounts for the rule.
|
|
|
|
--[no-]tls-inspect
|
|
Use this flag to indicate whether TLS traffic should be inspected using
|
|
the TLS inspection policy when the security profile group is applied.
|
|
Default: no TLS inspection. Use --tls-inspect to enable and
|
|
--no-tls-inspect to disable.
|
|
|
|
At most one of these can be specified:
|
|
|
|
--firewall-policy-region=FIREWALL_POLICY_REGION
|
|
Region of the firewall policy to operate on. Overrides the default
|
|
compute/region property value for this command invocation.
|
|
|
|
--global-firewall-policy
|
|
If set, the firewall policy is global.
|
|
|
|
GCLOUD WIDE FLAGS
|
|
These flags are available to all commands: --access-token-file, --account,
|
|
--billing-project, --configuration, --flags-file, --flatten, --format,
|
|
--help, --impersonate-service-account, --log-http, --project, --quiet,
|
|
--trace-token, --user-output-enabled, --verbosity.
|
|
|
|
Run $ gcloud help for details.
|
|
|
|
NOTES
|
|
These variants are also available:
|
|
|
|
$ gcloud alpha compute network-firewall-policies rules update
|
|
|
|
$ gcloud beta compute network-firewall-policies rules update
|
|
|