Stay organized with collections
Save and categorize content based on your preferences.
You can use a single request from the Google Cloud CLI or
the Compute Engine API
to batch update all the firewall policy rules for hierarchical and
network firewall policies. This ensures the integrity of the firewall
policy's rule set. Using the batch updates, Cloud Next Generation Firewall
provides an efficient and manageable way for you to handle firewall policy
rule updates in your cloud environments.
Batch update of firewall policy rules has the following specifications:
The update process is atomic. This means that if an error occurs
while the rules are being imported, all changes are rolled back, and
your firewall policy rule remains in its previous state.
When you use the REST APIs to update firewall policy rules, the REST APIs
require a fingerprint for optimistic locking. For more information, see
Optimistic concurrency control.
To get the latest fingerprint, we recommend that you first make a get
request to the firewall policy. A get request to the firewall policy gets
the most recent version of the policy, which helps ensure that updates are
based on the most recent version of the policy. This helps prevent conflicts
if concurrent modifications are made to the policy.
When you use the REST API patch method, you can replace all existing
rules by providing a completely new list in your request.
If a firewall policy patch operation is in progress, you can't
modify rules using methods such as
addRule,
patchRule,
removeRule, or
cloneRules.
This helps ensure that there are no conflicting modifications during
the patch operation.
Configure batch update
The batch update process involves three key steps:
Export: export your current firewall policy rules.
Modify: make the required batch updates to the exported firewall policy
rules.
Import: import the modified file back into the firewall policy rules.
To configure the batch update to firewall policy rules, do the following:
Modify existing rules: change the attributes of the rules that you
want to update. These attributes include the action, description,
and match conditions against which incoming traffic is evaluated.
Delete rules: remove the entries for the firewall policy rules you want
to delete.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[],[],null,["# Overview\n\nYou can use a single request from the [Google Cloud CLI](/sdk/install) or\nthe [Compute Engine API](/compute/docs/reference/rest/v1/firewallPolicies#get)\nto batch update all the firewall policy rules for hierarchical and\nnetwork firewall policies. This ensures the integrity of the firewall\npolicy's rule set. Using the batch updates, Cloud Next Generation Firewall\nprovides an efficient and manageable way for you to handle firewall policy\nrule updates in your cloud environments.\n\nFor more information about how to configure batch update, see\n[Configure batch updates to firewall policy rules](/firewall/docs/configure-batch-updates).\n\nPermissions\n-----------\n\nMake sure that you have the following permissions to batch update the\nfirewall policy rules.\n\n- The `compute.firewallPolicies.get` permission to export the hierarchical firewall policy rules.\n- The `compute.firewallPolicies.update` permission to import the hierarchical firewall policy rules.\n- The `compute.firewallPolicies.get` permission to export the network firewall policy rules.\n- The `compute.regionFirewallPolicies.get` permission to export regional network firewall policy rules.\n- The `compute.firewallPolicies.update` permission to import the network firewall policy rules.\n- The `compute.regionFirewallPolicies.update` permission to import the regional network firewall policy rules.\n\nFor more information about the roles and permissions, see\n[Compute Engine roles](/iam/docs/understanding-roles#compute-engine-roles).\n\nSpecification\n-------------\n\nBatch update of firewall policy rules has the following specifications:\n\n- The update process is atomic. This means that if an error occurs\n while the rules are being imported, all changes are rolled back, and\n your firewall policy rule remains in its previous state.\n\n- When you use the REST APIs to update firewall policy rules, the REST APIs\n require a fingerprint for optimistic locking. For more information, see\n [Optimistic concurrency control](https://en.wikipedia.org/wiki/Optimistic_concurrency_control).\n To get the latest fingerprint, we recommend that you first make a `get`\n request to the firewall policy. A `get` request to the firewall policy gets\n the most recent version of the policy, which helps ensure that updates are\n based on the most recent version of the policy. This helps prevent conflicts\n if concurrent modifications are made to the policy.\n\n- When you use the REST API `patch` method, you can replace all existing\n rules by providing a completely new list in your request.\n\n- If a firewall policy `patch` operation is in progress, you can't\n modify rules using methods such as\n [`addRule`](/compute/docs/reference/rest/v1/firewallPolicies/addRule),\n [`patchRule`](/compute/docs/reference/rest/v1/firewallPolicies/patchRule),\n [`removeRule`](/compute/docs/reference/rest/v1/firewallPolicies/removeRule), or\n [`cloneRules`](/compute/docs/reference/rest/v1/firewallPolicies/cloneRules).\n This helps ensure that there are no conflicting modifications during\n the patch operation.\n\nConfigure batch update\n----------------------\n\nThe batch update process involves three key steps:\n\n1. **Export**: export your current firewall policy rules.\n2. **Modify**: make the required batch updates to the exported firewall policy rules.\n3. **Import**: import the modified file back into the firewall policy rules.\n\nTo configure the batch update to firewall policy rules, do the following:\n\n1. Export your firewall policy rules. For more information, see\n [Export firewall policy rule](/firewall/docs/configure-batch-updates#export-rules).\n\n2. Modify the exported file. You can perform the following steps to update\n the file:\n\n - **Add new rules** : make sure that each new rule adheres to the\n [`FirewallPolicyRule.yaml`](https://json-schema.org/draft-06/schema#) schema.\n\n - **Modify existing rules**: change the attributes of the rules that you\n want to update. These attributes include the action, description,\n and match conditions against which incoming traffic is evaluated.\n\n - **Delete rules**: remove the entries for the firewall policy rules you want\n to delete.\n\n For more information, see\n [Modify firewall policy rules](/firewall/docs/configure-batch-updates#modify-firewall-rules).\n3. Import the rules back into your firewall policy. For more information, see\n [Import firewall policy rules](/firewall/docs/configure-batch-updates#import-rules).\n\nWhat's next\n-----------\n\n- For an introduction to firewall rules, see [Firewall policy rules](/firewall/docs/firewall-policies-rule-details).\n- To learn how to configure batch updates to firewall policy rules, see [Configure batch updates for firewall policies](/firewall/configure-batch-updates)."]]
