Patches a rule of the specified priority.

Scopes

You will need authorization for at least one of the following scopes to make a valid call:

  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/compute

If unset, the scope for this method defaults to https://www.googleapis.com/auth/cloud-platform. You can set the scope for this method like this: compute1 --scope <scope> network-firewall-policies patch-rule ...

Required Scalar Arguments

  • <project> (string)
    • Project ID for this request.
  • <firewall-policy> (string)
    • Name of the firewall policy to update.

Required Request Value

The request value is a data-structure with various fields. Each field may be a simple scalar or another data-structure. In the latter case it is advised to set the field-cursor to the data-structure's field to specify values more concisely.

For example, a structure like this:

FirewallPolicyRule:
  action: string
  description: string
  direction: string
  disabled: boolean
  enable-logging: boolean
  kind: string
  match:
    dest-address-groups: [string]
    dest-fqdns: [string]
    dest-ip-ranges: [string]
    dest-region-codes: [string]
    dest-threat-intelligences: [string]
    src-address-groups: [string]
    src-fqdns: [string]
    src-ip-ranges: [string]
    src-region-codes: [string]
    src-threat-intelligences: [string]
  priority: integer
  rule-name: string
  rule-tuple-count: integer
  security-profile-group: string
  target-resources: [string]
  target-service-accounts: [string]
  tls-inspect: boolean

can be set completely with the following arguments which are assumed to be executed in the given order. Note how the cursor position is adjusted to the respective structures, allowing simple field names to be used most of the time.

  • -r . action=ipsum
    • The Action to perform when the client connection triggers the rule. Valid actions are "allow", "deny" and "goto_next".
  • description=diam
    • An optional description for this resource.
  • direction=et
    • The direction in which this rule applies.
  • disabled=false
    • Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. If this is unspecified, the firewall policy rule will be enabled.
  • enable-logging=true
    • Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules.
  • kind=et
    • [Output only] Type of the resource. Always compute#firewallPolicyRule for firewall policy rules.
  • match dest-address-groups=diam
    • Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10.
    • Each invocation of this argument appends the given value to the array.
  • dest-fqdns=nonumy
    • Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100.
    • Each invocation of this argument appends the given value to the array.
  • dest-ip-ranges=no
    • CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000.
    • Each invocation of this argument appends the given value to the array.
  • dest-region-codes=labore
    • Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as a 2-letter country code as defined by ISO 3166 alpha-2, e.g. "US". Maximum number of dest region codes allowed is 5000.
    • Each invocation of this argument appends the given value to the array.
  • dest-threat-intelligences=justo
    • Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination.
    • Each invocation of this argument appends the given value to the array.
  • src-address-groups=ut
    • Address groups which should be matched against the traffic source. Maximum number of source address groups is 10.
    • Each invocation of this argument appends the given value to the array.
  • src-fqdns=diam
    • Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100.
    • Each invocation of this argument appends the given value to the array.
  • src-ip-ranges=diam
    • CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000.
    • Each invocation of this argument appends the given value to the array.
  • src-region-codes=lorem
    • Region codes whose IP addresses will be used to match for source of traffic. Should be specified as a 2-letter country code as defined by ISO 3166 alpha-2, e.g. "US". Maximum number of source region codes allowed is 5000.
    • Each invocation of this argument appends the given value to the array.
  • src-threat-intelligences=invidunt
    • Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source.
    • Each invocation of this argument appends the given value to the array.
  • .. priority=52
    • An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority, where 0 is the highest priority and 2147483647 is the lowest priority.
  • rule-name=diam
    • An optional name for the rule. This field is not a unique identifier and can be updated.
  • rule-tuple-count=24
    • [Output Only] Calculation of the complexity of a single firewall policy rule.
  • security-profile-group=et
    • A fully-qualified URL of a SecurityProfile resource instance. Example: https://networksecurity.googleapis.com/v1/projects/{project}/locations/{location}/securityProfileGroups/my-security-profile-group. Must be specified if action = 'apply_security_profile_group' and cannot be specified for other actions.
  • target-resources=sed
    • A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule.
    • Each invocation of this argument appends the given value to the array.
  • target-service-accounts=dolor
    • A list of service accounts indicating the sets of instances that are applied with this rule.
    • Each invocation of this argument appends the given value to the array.
  • tls-inspect=false
    • Boolean flag indicating if the traffic should be TLS decrypted. Can be set only if action = 'apply_security_profile_group' and cannot be set for other actions.

About Cursors

The cursor position is key to comfortably set complex nested structures. The following rules apply:

  • The cursor position is always set relative to the current one, unless the field name starts with the . character. Fields can be nested, such as in -r f.s.o
  • The cursor position is set relative to the top-level structure if it starts with ., e.g. -r .s.s
  • You can also set nested fields without setting the cursor explicitly. For example, to set a value relative to the current cursor position, you would specify -r struct.sub_struct=bar.
  • You can move the cursor one level up by using two dots (..). Each additional dot moves it up one additional level. E.g. ... would go three levels up.
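To make the cursor rules and the field constraints above concrete, here is an added Python model (not the compute1 CLI's own code) that turns the tokens following -r into the nested request value and then pre-checks the result against the limits stated in the field descriptions. The boolean/integer casts, the list-size table and the sample rule values in the test are constructed from this page's text; the model reads a run of n dots as "top level" for one dot and as (n - 1) levels up otherwise.

```python
# Added example, not the compute1 CLI's own code: models the `-r` cursor rules
# described above and pre-checks the resulting FirewallPolicyRule against the
# constraints stated in the field descriptions.
# Fields the page lists as [string]: repeated invocations append.
ARRAY_FIELDS = {f"{d}-{k}" for d in ("src", "dest") for k in ("address-groups",
                "fqdns", "ip-ranges", "region-codes", "threat-intelligences")}
ARRAY_FIELDS |= {"target-resources", "target-service-accounts"}
# Scalar fields the page types as boolean or integer, with their parsers.
CAST = {**dict.fromkeys(["disabled", "enable-logging", "tls-inspect"],
                        lambda v: v == "true"),
        **dict.fromkeys(["priority", "rule-tuple-count"], int)}
# Maximum list sizes quoted in the field descriptions (a subset).
LIMITS = {f"{d}-{k}": n for d in ("src", "dest")
          for k, n in (("address-groups", 10), ("fqdns", 100), ("ip-ranges", 5000))}


def build_request(tokens):
    """Apply the tokens that follow `-r` and return the nested request value."""
    root, cursor = {}, []  # cursor: path of field names from the top level
    for tok in tokens:
        if "=" in tok:  # assignment relative to the cursor; cursor stays put
            name, value = tok.split("=", 1)
            *prefix, field = name.split(".")
            node = root
            for key in cursor + prefix:
                node = node.setdefault(key, {})
            value = CAST.get(field, str)(value)
            if field in ARRAY_FIELDS:
                node.setdefault(field, []).append(value)
            else:
                node[field] = value
        elif set(tok) == {"."}:  # "." = top level, ".." = one level up, ...
            cursor = [] if tok == "." else cursor[:1 - len(tok)]
        elif tok.startswith("."):  # absolute path from the top-level structure
            cursor = tok[1:].split(".")
        else:  # relative descent such as "match" or "f.s.o"
            cursor = cursor + tok.split(".")
    return root


def validate(rule):
    """Return violations of the documented constraints (empty if none)."""
    problems = []
    if rule.get("action") == "goto_next" and rule.get("enable-logging"):
        problems.append("logging cannot be enabled on goto_next rules")
    if not 0 <= rule.get("priority", 0) <= 2147483647:
        problems.append("priority must be between 0 and 2147483647")
    problems += [f"{f} exceeds {cap} entries" for f, cap in LIMITS.items()
                 if len(rule.get("match", {}).get(f, [])) > cap]
    return problems
```

Running validate on the built structure before issuing the call catches the combinations the descriptions rule out (for example logging on a goto_next rule) locally, rather than as an API error after the request is sent.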

Optional Output Flags

The method's return value is a JSON-encoded structure, which is written to standard output by default.

  • -o out
    • out specifies the destination to which the server's result is written. It will be a JSON-encoded structure. The destination may be - to indicate standard output, or a filepath that is to contain the received bytes. If unset, it defaults to standard output.

Optional Method Properties

You may set the following properties to further configure the call. Please note that -p is followed by one or more key-value pairs and is called like this: -p k1=v1 k2=v2, even though the listing below repeats the -p for completeness.

  • -p priority=integer
    • The priority of the rule to patch.
  • -p request-id=string
    • An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if the original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID, with the exception that the zero UUID is not supported (00000000-0000-0000-0000-000000000000).

Optional General Properties

The following properties can configure any call, and are not specific to this method.

  • -p $-xgafv=string
    • V1 error format.
  • -p access-token=string
    • OAuth access token.
  • -p alt=string
    • Data format for response.
  • -p callback=string
    • JSONP
  • -p fields=string
    • Selector specifying which fields to include in a partial response.
  • -p key=string
    • API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • -p oauth-token=string
    • OAuth 2.0 token for the current user.
  • -p pretty-print=boolean
    • Returns response with indentations and line breaks.
  • -p quota-user=string
    • Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • -p upload-type=string
    • Legacy upload protocol for media (e.g. "media", "multipart").
  • -p upload-protocol=string
    • Upload protocol for media (e.g. "raw", "multipart").
  • -p user-ip=string
    • Legacy name for parameter that has been superseded by quotaUser.