Console
Start free

gcloud compute firewall-policies rules update

NAME
gcloud compute firewall-policies rules update - updates a Compute Engine firewall policy rule
SYNOPSIS
gcloud compute firewall-policies rules update PRIORITY --firewall-policy=FIREWALL_POLICY [--action=ACTION] [--description=DESCRIPTION] [--dest-address-groups=[DEST_ADDRESS_GROUPS,…]] [--dest-fqdns=[DEST_FQDNS,…]] [--dest-ip-ranges=[DEST_IP_RANGE,…]] [--dest-network-context=DEST_NETWORK_CONTEXT] [--dest-region-codes=[DEST_REGION_CODES,…]] [--dest-threat-intelligence=[DEST_THREAT_INTELLIGENCE_LISTS,…]] [--direction=DIRECTION] [--[no-]disabled] [--[no-]enable-logging] [--layer4-configs=[LAYER4_CONFIG,…]] [--new-priority=NEW_PRIORITY] [--organization=ORGANIZATION] [--security-profile-group=SECURITY_PROFILE_GROUP] [--src-address-groups=[SOURCE_ADDRESS_GROUPS,…]] [--src-fqdns=[SOURCE_FQDNS,…]] [--src-ip-ranges=[SRC_IP_RANGE,…]] [--src-network-context=SRC_NETWORK_CONTEXT] [--src-networks=[SRC_NETWORKS,…]] [--src-region-codes=[SOURCE_REGION_CODES,…]] [--src-secure-tags=[SOURCE_SECURE_TAGS,…]] [--src-threat-intelligence=[SOURCE_THREAT_INTELLIGENCE_LISTS,…]] [--target-resources=[TARGET_RESOURCES,…]] [--target-secure-tags=[TARGET_SECURE_TAGS,…]] [--target-service-accounts=[TARGET_SERVICE_ACCOUNTS,…]] [--[no-]tls-inspect] [GCLOUD_WIDE_FLAG]
DESCRIPTION
gcloud compute firewall-policies rules update is used to update organization firewall policy rules.
EXAMPLES
To update a rule with priority ``10" in an organization firewall policy with ID ``123456789" to change the action to ``allow" and description to ``new-example-rule", run: 
gcloud compute firewall-policies rules update 10 --firewall-policy=123456789 --action=allow --description=new-example-rule
POSITIONAL ARGUMENTS
PRIORITY
Priority of the firewall policy rule to update.
REQUIRED FLAGS
--firewall-policy=FIREWALL_POLICY
Short name of the firewall policy into which the rule should be updated.
OPTIONAL FLAGS
--action=ACTION
Action to take if the request matches the match condition. ACTION must be one of: allow, deny, goto_next, apply_security_profile_group.
--description=DESCRIPTION
An optional, textual description for the rule.
--dest-address-groups=[DEST_ADDRESS_GROUPS,…]
Destination address groups to match for this rule. Can only be specified if DIRECTION is egress.
--dest-fqdns=[DEST_FQDNS,…]
Destination FQDNs to match for this rule. Can only be specified if DIRECTION is egress.
--dest-ip-ranges=[DEST_IP_RANGE,…]
Destination IP ranges to match for this rule.
--dest-network-context=DEST_NETWORK_CONTEXT
Use this flag to indicate that the rule should match internet or non-internet traffic. It applies to destination traffic for egress rules. Valid values are INTERNET and NON_INTERNET. Use empty string to clear the field.
--dest-region-codes=[DEST_REGION_CODES,…]
Destination Region Code to match for this rule. Can only be specified if DIRECTION is egress. Cannot be specified when the source network context is NON_INTERNET.
--dest-threat-intelligence=[DEST_THREAT_INTELLIGENCE_LISTS,…]
Destination Threat Intelligence lists to match for this rule. Can only be specified if DIRECTION is egress. Cannot be specified when source network context is NON_INTERNET. The available lists can be found here: https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy.
--direction=DIRECTION
Direction of the traffic the rule is applied. The default is to apply on incoming traffic. DIRECTION must be one of: INGRESS, EGRESS.
--[no-]disabled
Use this flag to disable the rule. Disabled rules will not affect traffic. Use --disabled to enable and --no-disabled to disable.
--[no-]enable-logging
Use this flag to enable logging of connections that allowed or denied by this rule. Use --enable-logging to enable and --no-enable-logging to disable.
--layer4-configs=[LAYER4_CONFIG,…]
A list of destination protocols and ports to which the firewall rule will apply.
--new-priority=NEW_PRIORITY
New priority for the rule to update. Valid in [0, 65535].
--organization=ORGANIZATION
Organization which the organization firewall policy belongs to. Must be set if FIREWALL_POLICY is short name.
--security-profile-group=SECURITY_PROFILE_GROUP
An org-based security profile group to be used with apply_security_profile_group action. Allowed formats are: a) http(s)://<namespace>/<api>/organizations/<org_id>/locations/global/securityProfileGroups/<profile> b) (//)<namespace>/organizations/<org_id>/locations/global/securityProfileGroups/<profile> c) <profile>. In case "c" gcloud CLI will create a reference matching format "a", but to make it work CLOUDSDK_API_ENDPOINT_OVERRIDES_NETWORKSECURITY property must be set. In order to set this property, please run the command gcloud config set api_endpoint_overrides/networksecurity https://<namespace>/.
--src-address-groups=[SOURCE_ADDRESS_GROUPS,…]
Source address groups to match for this rule. Can only be specified if DIRECTION is ingress.
--src-fqdns=[SOURCE_FQDNS,…]
Source FQDNs to match for this rule. Can only be specified if DIRECTION is ingress.
--src-ip-ranges=[SRC_IP_RANGE,…]
Source IP ranges to match for this rule.
--src-network-context=SRC_NETWORK_CONTEXT
Use this flag to indicate that the rule should match internet, non-internet traffic or traffic coming from the network specified by --src-network. It applies to ingress rules. Valid values are INTERNET, NON_INTERNET, VPC_NETWORKS and INTRA_VPC. Use empty string to clear the field.
--src-networks=[SRC_NETWORKS,…]
The source VPC networks to match for this rule. It can only be specified when --src-network-type is VPC_NETWORKS. It applies to ingress rules. It accepts full or partial URLs.
--src-region-codes=[SOURCE_REGION_CODES,…]
Source Region Code to match for this rule. Can only be specified if DIRECTION is ingress. Cannot be specified when the source network context is NON_INTERNET, VPC_NETWORK or INTRA_VPC.
--src-secure-tags=[SOURCE_SECURE_TAGS,…]
A list of instance secure tags indicating the set of instances on the network to which the rule applies if all other fields match. Either --src-ip-ranges or --src-secure-tags must be specified for ingress traffic. If both --src-ip-ranges and --src-secure-tags are specified, an inbound connection is allowed if either the range of the source matches --src-ip-ranges or the tag of the source matches --src-secure-tags. Secure Tags can be assigned to instances during instance creation.
--src-threat-intelligence=[SOURCE_THREAT_INTELLIGENCE_LISTS,…]
Source Threat Intelligence lists to match for this rule. Can only be specified if DIRECTION is ingress. Cannot be specified when the source network context is NON_INTERNET, VPC_NETWORK or INTRA_VPC. The available lists can be found here: https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy.
--target-resources=[TARGET_RESOURCES,…]
List of URLs of target resources to which the rule is applied.
--target-secure-tags=[TARGET_SECURE_TAGS,…]
An optional, list of target secure tags with a name of the format tagValues/ or full namespaced name
--target-service-accounts=[TARGET_SERVICE_ACCOUNTS,…]
List of target service accounts for the rule.
--[no-]tls-inspect
Use this flag to indicate whether TLS traffic should be inspected using the TLS inspection policy when the security profile group is applied. Default: no TLS inspection. Use --tls-inspect to enable and --no-tls-inspect to disable.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

NOTES
These variants are also available: 
gcloud alpha compute firewall-policies rules update
 
gcloud beta compute firewall-policies rules update
 
gcloud preview compute firewall-policies rules update