.TH "GCLOUD_COMPUTE_SECURITY\-POLICIES_RULES_UPDATE" 1



.SH "NAME"
.HP
gcloud compute security\-policies rules update \- update a Compute Engine security policy rule



.SH "SYNOPSIS"
.HP
\f5gcloud compute security\-policies rules update\fR \fIPRIORITY\fR [\fB\-\-action\fR=\fIACTION\fR] [\fB\-\-ban\-duration\-sec\fR=\fIBAN_DURATION_SEC\fR] [\fB\-\-ban\-threshold\-count\fR=\fIBAN_THRESHOLD_COUNT\fR] [\fB\-\-ban\-threshold\-interval\-sec\fR=\fIBAN_THRESHOLD_INTERVAL_SEC\fR] [\fB\-\-conform\-action\fR=\fICONFORM_ACTION\fR] [\fB\-\-description\fR=\fIDESCRIPTION\fR] [\fB\-\-enforce\-on\-key\fR=\fIENFORCE_ON_KEY\fR] [\fB\-\-enforce\-on\-key\-configs\fR=[[\fIall\fR],[\fIip\fR],[\fIxff\-ip\fR],[\fIhttp\-cookie\fR=\fIHTTP_COOKIE\fR],[\fIhttp\-header\fR=\fIHTTP_HEADER\fR],[\fIhttp\-path\fR],[\fIsni\fR],[\fIregion\-code\fR],[\fItls\-ja3\-fingerprint\fR],[\fIuser\-ip\fR],[\fItls\-ja4\-fingerprint\fR]],[...]] [\fB\-\-enforce\-on\-key\-name\fR=\fIENFORCE_ON_KEY_NAME\fR] [\fB\-\-exceed\-action\fR=\fIEXCEED_ACTION\fR] [\fB\-\-exceed\-redirect\-target\fR=\fIEXCEED_REDIRECT_TARGET\fR] [\fB\-\-exceed\-redirect\-type\fR=\fIEXCEED_REDIRECT_TYPE\fR] [\fB\-\-[no\-]preview\fR] [\fB\-\-rate\-limit\-threshold\-count\fR=\fIRATE_LIMIT_THRESHOLD_COUNT\fR] [\fB\-\-rate\-limit\-threshold\-interval\-sec\fR=\fIRATE_LIMIT_THRESHOLD_INTERVAL_SEC\fR] [\fB\-\-recaptcha\-action\-site\-keys\fR=[\fISITE_KEY\fR,...]] [\fB\-\-recaptcha\-session\-site\-keys\fR=[\fISITE_KEY\fR,...]] [\fB\-\-redirect\-target\fR=\fIREDIRECT_TARGET\fR] [\fB\-\-redirect\-type\fR=\fIREDIRECT_TYPE\fR] [\fB\-\-region\fR=\fIREGION\fR] [\fB\-\-request\-headers\-to\-add\fR=[\fIREQUEST_HEADERS_TO_ADD\fR,...]] [\fB\-\-security\-policy\fR=\fISECURITY_POLICY\fR] [\fB\-\-expression\fR=\fIEXPRESSION\fR\ \fB\-\-network\-dest\-ip\-ranges\fR=[\fIDEST_IP_RANGE\fR,...]\ \fB\-\-network\-dest\-ports\fR=[\fIDEST_PORT\fR,...]\ \fB\-\-network\-ip\-protocols\fR=[\fIIP_PROTOCOL\fR,...]\ \fB\-\-network\-src\-asns\fR=[\fISRC_ASN\fR,...]\ \fB\-\-network\-src\-ip\-ranges\fR=[\fISRC_IP_RANGE\fR,...]\ \fB\-\-network\-src\-ports\fR=[\fISRC_PORT\fR,...]\ \fB\-\-network\-src\-region\-codes\fR=[\fISRC_REGION_CODE\fR,...]\ 
\fB\-\-network\-user\-defined\-fields\fR=[\fINAME\fR;\fIVALUE\fR:\fIVALUE\fR:...,...]\ \fB\-\-src\-ip\-ranges\fR=[\fISRC_IP_RANGE\fR,...]] [\fIGCLOUD_WIDE_FLAG\ ...\fR]



.SH "DESCRIPTION"

\fBgcloud compute security\-policies rules update\fR is used to update security
policy rules.



.SH "EXAMPLES"

To update the description and IP ranges of a rule at priority 1000, run:

.RS 2m
$ gcloud compute security\-policies rules update 1000 \e
    \-\-security\-policy=my\-policy \-\-description="block 1.2.3.4/32" \e
    \-\-src\-ip\-ranges=1.2.3.4/32
.RE



.SH "POSITIONAL ARGUMENTS"

.RS 2m
.TP 2m
\fIPRIORITY\fR

The priority of the rule to update. Rules are evaluated in order from highest
priority to lowest priority where 0 is the highest priority and 2147483647 is
the lowest priority.


.RE
.sp

.SH "FLAGS"

.RS 2m
.TP 2m
\fB\-\-action\fR=\fIACTION\fR

The action to take if the request matches the match condition. \fIACTION\fR must
be one of:

.RS 2m
.TP 2m
\fBallow\fR
Allows the request from HTTP(S) Load Balancing.
.TP 2m
\fBdeny\fR
Denies the request from TCP/SSL Proxy and Network Load Balancing.
.TP 2m
\fBdeny\-403\fR
Denies the request from HTTP(S) Load Balancing, with an HTTP response status
code of 403.
.TP 2m
\fBdeny\-404\fR
Denies the request from HTTP(S) Load Balancing, with an HTTP response status
code of 404.
.TP 2m
\fBdeny\-502\fR
Denies the request from HTTP(S) Load Balancing, with an HTTP response status
code of 502.
.TP 2m
\fBrate\-based\-ban\fR
Enforces rate\-based ban action from HTTP(S) Load Balancing, based on rate limit
options.
.TP 2m
\fBredirect\fR
Redirects the request from HTTP(S) Load Balancing, based on redirect options.
.TP 2m
\fBredirect\-to\-recaptcha\fR
(DEPRECATED) Redirects the request from HTTP(S) Load Balancing, for reCAPTCHA
Enterprise assessment. This flag choice is deprecated. Use \-\-action=redirect
and \-\-redirect\-type=google\-recaptcha instead.
.TP 2m
\fBthrottle\fR
Enforces throttle action from HTTP(S) Load Balancing, based on rate limit
options.
.RE
.sp


.TP 2m
\fB\-\-ban\-duration\-sec\fR=\fIBAN_DURATION_SEC\fR

Can only be specified if the action for the rule is
\f5\fIrate\-based\-ban\fR\fR. If specified, determines the time (in seconds) the
traffic will continue to be banned by the rate limit after the rate falls below
the threshold.

.TP 2m
\fB\-\-ban\-threshold\-count\fR=\fIBAN_THRESHOLD_COUNT\fR

Number of HTTP(S) requests for calculating the threshold for banning requests.
Can only be specified if the action for the rule is
\f5\fIrate\-based\-ban\fR\fR. If specified, the key will be banned for the
configured \f5\fIBAN_DURATION_SEC\fR\fR when the number of requests that exceed
the \f5\fIRATE_LIMIT_THRESHOLD_COUNT\fR\fR also exceeds this
\f5\fIBAN_THRESHOLD_COUNT\fR\fR.

.TP 2m
\fB\-\-ban\-threshold\-interval\-sec\fR=\fIBAN_THRESHOLD_INTERVAL_SEC\fR

Interval over which the threshold for banning requests is computed. Can only be
specified if the action for the rule is \f5\fIrate\-based\-ban\fR\fR. If
specified, the key will be banned for the configured
\f5\fIBAN_DURATION_SEC\fR\fR when the number of requests that exceed the
\f5\fIRATE_LIMIT_THRESHOLD_COUNT\fR\fR also exceeds this
\f5\fIBAN_THRESHOLD_COUNT\fR\fR.

.TP 2m
\fB\-\-conform\-action\fR=\fICONFORM_ACTION\fR

Action to take when requests are under the given threshold. When requests are
throttled, this is also the action for all requests which are not dropped.
\fICONFORM_ACTION\fR must be (only one value is supported): \fBallow\fR.

.TP 2m
\fB\-\-description\fR=\fIDESCRIPTION\fR

An optional, textual description for the rule.

.TP 2m
\fB\-\-enforce\-on\-key\fR=\fIENFORCE_ON_KEY\fR

Key types on which the rate limit threshold can be enforced:
.RS 2m
.IP "\(em" 2m
\f5\fIip\fR\fR: each client IP address has this limit enforced separately
.IP "\(em" 2m
\f5\fIall\fR\fR: a single limit is applied to all requests matching this rule
.IP "\(em" 2m
\f5\fIhttp\-header\fR\fR: key type takes the value of the HTTP header configured
in enforce\-on\-key\-name as the key value
.IP "\(em" 2m
\f5\fIxff\-ip\fR\fR: takes the original IP address specified in the
X\-Forwarded\-For header as the key
.IP "\(em" 2m
\f5\fIhttp\-cookie\fR\fR: key type takes the value of the HTTP cookie configured
in enforce\-on\-key\-name as the key value
.IP "\(em" 2m
\f5\fIhttp\-path\fR\fR: key type takes the value of the URL path in the request
.IP "\(em" 2m
\f5\fIsni\fR\fR: key type takes the value of the server name indication from the
TLS session of the HTTPS request
.IP "\(em" 2m
\f5\fIregion\-code\fR\fR: key type takes the value of the region code from which
the request originates
.IP "\(em" 2m
\f5\fItls\-ja3\-fingerprint\fR\fR: key type takes the value of JA3 TLS/SSL
fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3
.IP "\(em" 2m
\f5\fIuser\-ip\fR\fR: key type takes the IP address of the originating client,
which is resolved based on user\-ip\-request\-headers configured with the
security policy
.IP "\(em" 2m
\f5\fItls\-ja4\-fingerprint\fR\fR: key type takes the value of JA4 TLS/SSL
fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3
.RE
.sp

\fIENFORCE_ON_KEY\fR must be one of: \fBip\fR, \fBall\fR, \fBhttp\-header\fR,
\fBxff\-ip\fR, \fBhttp\-cookie\fR, \fBhttp\-path\fR, \fBsni\fR,
\fBregion\-code\fR, \fBtls\-ja3\-fingerprint\fR, \fBuser\-ip\fR,
\fBtls\-ja4\-fingerprint\fR.

.TP 2m
\fB\-\-enforce\-on\-key\-configs\fR=[[\fIall\fR],[\fIip\fR],[\fIxff\-ip\fR],[\fIhttp\-cookie\fR=\fIHTTP_COOKIE\fR],[\fIhttp\-header\fR=\fIHTTP_HEADER\fR],[\fIhttp\-path\fR],[\fIsni\fR],[\fIregion\-code\fR],[\fItls\-ja3\-fingerprint\fR],[\fIuser\-ip\fR],[\fItls\-ja4\-fingerprint\fR]],[...]

Specify up to 3 key type/name pairs to rate limit. Valid key types are:

.RS 2m
.IP "\(em" 2m
\f5\fIip\fR\fR: each client IP address has this limit enforced separately
.IP "\(em" 2m
\f5\fIall\fR\fR: a single limit is applied to all requests matching this rule
.IP "\(em" 2m
\f5\fIhttp\-header\fR\fR: key type takes the value of the HTTP header configured
in enforce\-on\-key\-name as the key value
.IP "\(em" 2m
\f5\fIxff\-ip\fR\fR: takes the original IP address specified in the
X\-Forwarded\-For header as the key
.IP "\(em" 2m
\f5\fIhttp\-cookie\fR\fR: key type takes the value of the HTTP cookie configured
in enforce\-on\-key\-name as the key value
.IP "\(em" 2m
\f5\fIhttp\-path\fR\fR: key type takes the value of the URL path in the request
.IP "\(em" 2m
\f5\fIsni\fR\fR: key type takes the value of the server name indication from the
TLS session of the HTTPS request
.IP "\(em" 2m
\f5\fIregion\-code\fR\fR: key type takes the value of the region code from which
the request originates
.IP "\(em" 2m
\f5\fItls\-ja3\-fingerprint\fR\fR: key type takes the value of JA3 TLS/SSL
fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3
.IP "\(em" 2m
\f5\fIuser\-ip\fR\fR: key type takes the IP address of the originating client,
which is resolved based on user\-ip\-request\-headers configured with the
security policy
.IP "\(em" 2m
\f5\fItls\-ja4\-fingerprint\fR\fR: key type takes the value of JA4 TLS/SSL
fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3
.RE
.sp

Key names are only applicable to the following key types:
.RS 2m
.IP "\(em" 2m
http\-header: The name of the HTTP header whose value is taken as the key value.
.IP "\(em" 2m
http\-cookie: The name of the HTTP cookie whose value is taken as the key value.
.RE
.sp

.TP 2m
\fB\-\-enforce\-on\-key\-name\fR=\fIENFORCE_ON_KEY_NAME\fR

Determines the key name for the rate limit key. Applicable only for the
following rate limit key types:
.RS 2m
.IP "\(em" 2m
http\-header: The name of the HTTP header whose value is taken as the key value.
.IP "\(em" 2m
http\-cookie: The name of the HTTP cookie whose value is taken as the key value.
.RE
.sp

.TP 2m
\fB\-\-exceed\-action\fR=\fIEXCEED_ACTION\fR

Action to take when requests are above the given threshold. When a request is
denied, return the specified HTTP response code. When a request is redirected,
use the redirect options based on \-\-exceed\-redirect\-type and
\-\-exceed\-redirect\-target below. \fIEXCEED_ACTION\fR must be one of:
\fBdeny\-403\fR, \fBdeny\-404\fR, \fBdeny\-429\fR, \fBdeny\-502\fR, \fBdeny\fR,
\fBredirect\fR.

.TP 2m
\fB\-\-exceed\-redirect\-target\fR=\fIEXCEED_REDIRECT_TARGET\fR

URL target for the redirect action that is configured as the exceed action when
the redirect type is \f5\fIexternal\-302\fR\fR.

.TP 2m
\fB\-\-exceed\-redirect\-type\fR=\fIEXCEED_REDIRECT_TYPE\fR

Type for the redirect action that is configured as the exceed action.
\fIEXCEED_REDIRECT_TYPE\fR must be one of: \fBgoogle\-recaptcha\fR,
\fBexternal\-302\fR.

.TP 2m
\fB\-\-[no\-]preview\fR

If specified, the action will not be enforced. Use \fB\-\-preview\fR to enable
and \fB\-\-no\-preview\fR to disable.

.TP 2m
\fB\-\-rate\-limit\-threshold\-count\fR=\fIRATE_LIMIT_THRESHOLD_COUNT\fR

Number of HTTP(S) requests for calculating the threshold for rate limiting
requests.

.TP 2m
\fB\-\-rate\-limit\-threshold\-interval\-sec\fR=\fIRATE_LIMIT_THRESHOLD_INTERVAL_SEC\fR

Interval over which the threshold for rate limiting requests is computed.

.TP 2m
\fB\-\-recaptcha\-action\-site\-keys\fR=[\fISITE_KEY\fR,...]

A comma\-separated list of site keys to be used during the validation of
reCAPTCHA action\-tokens. The provided site keys need to be created from the
reCAPTCHA API under the same project where the security policy is created.

.TP 2m
\fB\-\-recaptcha\-session\-site\-keys\fR=[\fISITE_KEY\fR,...]

A comma\-separated list of site keys to be used during the validation of
reCAPTCHA session\-tokens. The provided site keys need to be created from the
reCAPTCHA API under the same project where the security policy is created.

.TP 2m
\fB\-\-redirect\-target\fR=\fIREDIRECT_TARGET\fR

URL target for the redirect action. Must be specified if the redirect type is
\f5\fIexternal\-302\fR\fR. Cannot be specified if the redirect type is
\f5\fIgoogle\-recaptcha\fR\fR.

.TP 2m
\fB\-\-redirect\-type\fR=\fIREDIRECT_TYPE\fR

Type for the redirect action. Defaults to \f5\fIexternal\-302\fR\fR if
unspecified while \-\-redirect\-target is given. \fIREDIRECT_TYPE\fR must be one
of: \fBgoogle\-recaptcha\fR, \fBexternal\-302\fR.

.TP 2m
\fB\-\-region\fR=\fIREGION\fR

Region of the security policy to update. If not specified, you might be prompted
to select a region (interactive mode only).

A list of regions can be fetched by running:

.RS 2m
$ gcloud compute regions list
.RE

Overrides the default \fBcompute/region\fR property value for this command
invocation.

.TP 2m
\fB\-\-request\-headers\-to\-add\fR=[\fIREQUEST_HEADERS_TO_ADD\fR,...]

A comma\-separated list of header names and header values to add to requests
that match this rule.

.TP 2m
\fB\-\-security\-policy\fR=\fISECURITY_POLICY\fR

The security policy that this rule belongs to.

.TP 2m

Security policy rule matcher.


.RS 2m
.TP 2m
\fB\-\-expression\fR=\fIEXPRESSION\fR

The Cloud Armor rules language expression to match for this rule.

.TP 2m
\fB\-\-network\-dest\-ip\-ranges\fR=[\fIDEST_IP_RANGE\fR,...]

The destination IPs/IP ranges to match for this rule. To match all IPs specify
*.

.TP 2m
\fB\-\-network\-dest\-ports\fR=[\fIDEST_PORT\fR,...]

The destination ports to match for this rule. Each element can be a 16\-bit
unsigned decimal number (e.g. "80") or range (e.g. "0\-1023"). To match all
destination ports specify *.

.TP 2m
\fB\-\-network\-ip\-protocols\fR=[\fIIP_PROTOCOL\fR,...]

The IP protocols to match for this rule. Each element can be an 8\-bit unsigned
decimal number (e.g. "6"), range (e.g. "253\-254"), or one of the following
protocol names: "tcp", "udp", "icmp", "esp", "ah", "ipip", or "sctp". To match
all protocols specify *.

.TP 2m
\fB\-\-network\-src\-asns\fR=[\fISRC_ASN\fR,...]

BGP Autonomous System Number associated with the source IP address to match for
this rule.

.TP 2m
\fB\-\-network\-src\-ip\-ranges\fR=[\fISRC_IP_RANGE\fR,...]

The source IPs/IP ranges to match for this rule. To match all IPs specify *.

.TP 2m
\fB\-\-network\-src\-ports\fR=[\fISRC_PORT\fR,...]

The source ports to match for this rule. Each element can be a 16\-bit unsigned
decimal number (e.g. "80") or range (e.g. "0\-1023"). To match all source ports
specify *.

.TP 2m
\fB\-\-network\-src\-region\-codes\fR=[\fISRC_REGION_CODE\fR,...]

The two letter ISO 3166\-1 alpha\-2 country code associated with the source IP
address to match for this rule. To match all region codes specify *.

.TP 2m
\fB\-\-network\-user\-defined\-fields\fR=[\fINAME\fR;\fIVALUE\fR:\fIVALUE\fR:...,...]

Each element names a defined field and lists the matching values for that field.

.TP 2m
\fB\-\-src\-ip\-ranges\fR=[\fISRC_IP_RANGE\fR,...]

The source IPs/IP ranges to match for this rule. To match all IPs specify *.


.RE
.RE
.sp
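
Several of the flags above are only valid in combination with others, and a mistake is cheaper to catch before the update is sent. The following is an added example, not part of the gcloud documentation: a POSIX shell lint with hypothetical helper names (lint_rule_flags, _fail) that checks only the flags given on the command line, not the rule's current state.

```shell
# Added example (helper names are hypothetical): offline lint for "rules update".
# Usage: lint_rule_flags PRIORITY [--flag=value ...]
# Prints one line per violated constraint; returns 0 when clean, 1 otherwise.
_fail() { echo "$1"; errs=$((errs + 1)); }
lint_rule_flags() {
  prio=${1-}; if [ $# -gt 0 ]; then shift; fi
  action='' rtype='' rtarget='' key='' keyname='' configs='' ban='' errs=0
  for arg in "$@"; do
    case $arg in
      --action=*)                 action=${arg#*=} ;;
      --redirect-type=*)          rtype=${arg#*=} ;;
      --redirect-target=*)        rtarget=${arg#*=} ;;
      --enforce-on-key=*)         key=${arg#*=} ;;
      --enforce-on-key-name=*)    keyname=${arg#*=} ;;
      --enforce-on-key-configs=*) configs=${arg#*=} ;;
      --ban-*=*)                  ban=${arg%%=*} ;;
    esac
  done
  # PRIORITY runs from 0 (highest) to 2147483647 (lowest).
  case $prio in
    ''|*[!0-9]*) _fail "PRIORITY must be an integer from 0 to 2147483647" ;;
    *) if [ "${#prio}" -gt 10 ] || [ "$prio" -gt 2147483647 ]; then
         _fail "PRIORITY must be an integer from 0 to 2147483647"
       fi ;;
  esac
  # --ban-* flags need rate-based-ban. Without --action the rule keeps its
  # current action, which an offline check cannot see, so that case passes.
  if [ -n "$ban" ] && [ -n "$action" ] && [ "$action" != rate-based-ban ]; then
    _fail "$ban requires --action=rate-based-ban"
  fi
  if [ "$action" = redirect-to-recaptcha ]; then
    _fail "redirect-to-recaptcha is deprecated; use --action=redirect --redirect-type=google-recaptcha"
  fi
  if [ "$rtype" = external-302 ] && [ -z "$rtarget" ]; then
    _fail "--redirect-type=external-302 requires --redirect-target"
  fi
  if [ "$rtype" = google-recaptcha ] && [ -n "$rtarget" ]; then
    _fail "--redirect-target cannot be used with --redirect-type=google-recaptcha"
  fi
  # Key names apply only to the http-header and http-cookie key types.
  case $key in
    ''|http-header|http-cookie) ;;
    *) if [ -n "$keyname" ]; then _fail "--enforce-on-key-name does not apply to key type $key"; fi ;;
  esac
  # At most 3 comma-separated key type/name pairs.
  commas=$(printf %s "$configs" | tr -cd ,)
  if [ "${#commas}" -gt 2 ]; then _fail "--enforce-on-key-configs takes at most 3 pairs"; fi
  [ "$errs" -eq 0 ]
}
```
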

.SH "GCLOUD WIDE FLAGS"

These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.

Run \fB$ gcloud help\fR for details.



.SH "NOTES"

These variants are also available:

.RS 2m
$ gcloud alpha compute security\-policies rules update
.RE

.RS 2m
$ gcloud beta compute security\-policies rules update
.RE