Stay organized with collections
Save and categorize content based on your preferences.
A security profile group is a container for security profiles. A firewall
policy rule references a security profile group to enable Layer 7 inspection,
such as intrusion detection and prevention service,
on your network.
This document provides a detailed overview of security profile groups and
their capabilities.
Specifications
A security profile group is an organizational level resource.
You can add only one security profile
of type threat-prevention to a security profile group.
Each security profile group is uniquely identified by a URL with
the following elements:
Organization ID: ID of the organization.
Location: scope of the security profile group. Location is always
set to global.
Name: security profile group name in the following format:
A string 1-63 characters long
Includes only alphanumeric characters or hyphens (-)
Must not start with a number
To construct a unique URL identifier for a security profile group, use the
following format:
To perform Layer 7 inspection of the network traffic, a firewall policy rule
must contain the name of the security profile group to be used by the
firewall endpoint.
The firewall policy rule applies to incoming and outgoing traffic of the
Virtual Private Cloud (VPC) network. The matched traffic is redirected
to the firewall endpoint along with the configured security profile group name.
The firewall endpoint uses the security profile specified in the security
profile group to scan the packets for threats and apply configured actions.
Each security profile group must have an associated project ID. The associated
project is used for quotas and access restrictions on security
profile group resources. If you authenticate your service account by using the
gcloud auth activate-service-account command,
you can associate your service account with the security profile group.
To learn more about how to create a profile group,
see Create and manage security profile groups.
Identity and Access Management roles
Identity and Access Management (IAM) roles govern the following security profile group actions:
Creating a security profile group in an organization
Modifying or deleting a security profile group
Viewing details of a security profile group
Viewing a list of security profile groups in an organization
Using a security profile group in a firewall policy rule
The following table describes the roles that are necessary for each step.
Ability
Necessary role
Create a security profile group
Security Profile Admin
role on the organization where the security profile group is created.
Modify a security profile group
Security Profile Admin
role on the organization where the security profile group is created.
View details about the security profile group in an organization
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eSecurity profile groups are containers for security profiles, enabling Layer 7 inspection on network traffic when referenced in a firewall policy rule.\u003c/p\u003e\n"],["\u003cp\u003eEach security profile group is uniquely identified by a URL that includes the organization ID, location (always global), and a name that follows specific formatting rules.\u003c/p\u003e\n"],["\u003cp\u003eFirewall policy rules must specify a security profile group with the \u003ccode\u003eapply_security_profile_group\u003c/code\u003e action to redirect traffic to the firewall endpoint for threat scanning.\u003c/p\u003e\n"],["\u003cp\u003eSecurity profile groups can only contain one \u003ccode\u003ethreat-prevention\u003c/code\u003e security profile and their access is governed by IAM roles, such as Security Profile Admin, compute network viewer and compute network user.\u003c/p\u003e\n"],["\u003cp\u003eEach security profile group is associated with a project ID for managing quotas and access restrictions.\u003c/p\u003e\n"]]],[],null,["# Security profile group overview\n\nA security profile group is a container for security profiles. A firewall\npolicy rule references a security profile group to enable Layer 7 inspection,\nsuch as [intrusion detection and prevention service](/firewall/docs/about-intrusion-prevention),\non your network.\n\nThis document provides a detailed overview of security profile groups and\ntheir capabilities.\n\nSpecifications\n--------------\n\n- A security profile group is an organizational level resource.\n\n- You can add only one [security profile](/firewall/docs/about-security-profiles)\n of type `threat-prevention` to a security profile group.\n\n- Each security profile group is uniquely identified by a URL with\n the following elements:\n\n - **Organization ID:** ID of the organization.\n - **Location:** scope of the security profile group. Location is always set to `global`.\n - **Name:** security profile group name in the following format:\n - A string 1-63 characters long\n - Includes only alphanumeric characters or hyphens (-)\n - Must not start with a number\n\n To construct a unique URL identifier for a security profile group, use the\n following format: \n\n organization/\u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e/locations/\u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e/securityProfileGroups/\u003cvar translate=\"no\"\u003eSECURITY_PROFILE_GROUP_NAME\u003c/var\u003e\n\n For example, a `global` security profile group `example-security-profile-group` in\n organization `2345678432` has the following unique identifier: \n\n organization/2345678432/locations/global/securityProfileGroups/example-security-profile-group\n\n- To perform Layer 7 inspection of the network traffic, a firewall policy rule\n must contain the name of the security profile group to be used by the\n firewall endpoint.\n\n- Security profile groups apply to firewall policies only when you add a\n firewall policy rule with action `apply_security_profile_group`. You can\n configure security profile groups in\n [hierarchical firewall policy rules](/firewall/docs/using-firewall-policies#create-rules)\n and [global network firewall policy rules](/firewall/docs/use-network-firewall-policies#create-rules).\n\n- The firewall policy rule applies to incoming and outgoing traffic of the\n Virtual Private Cloud (VPC) network. The matched traffic is redirected\n to the firewall endpoint along with the configured security profile group name.\n The firewall endpoint uses the security profile specified in the security\n profile group to scan the packets for threats and apply configured actions.\n\n To learn more about how to configure threat prevention, see\n [Configure intrusion detection and prevention service](/firewall/docs/configure-intrusion-prevention).\n- Each security profile group must have an associated project ID. The associated\n project is used for quotas and access restrictions on security\n profile group resources. If you authenticate your service account by using the\n [`gcloud auth activate-service-account` command](/sdk/gcloud/reference/auth/activate-service-account),\n you can associate your service account with the security profile group.\n To learn more about how to create a profile group,\n see [Create and manage security profile groups](/firewall/docs/configure-security-profile-groups#create-security-profile-group).\n\nIdentity and Access Management roles\n------------------------------------\n\nIdentity and Access Management (IAM) roles govern the following security profile group actions:\n\n- Creating a security profile group in an organization\n- Modifying or deleting a security profile group\n- Viewing details of a security profile group\n- Viewing a list of security profile groups in an organization\n- Using a security profile group in a firewall policy rule\n\nThe following table describes the roles that are necessary for each step.\n\nWhat's next\n-----------\n\n- [Configure intrusion detection and prevention service](/firewall/docs/configure-intrusion-prevention)\n- [Create and manage security profile groups](/firewall/docs/configure-security-profile-groups)"]]
