The CloudGuard Dome9 GSL Language

The CloudGuard Dome9 GSL (Governance Specification Language) is a syntax to define compliance rules, which can be included in rulesets in the Dome9 Compliance Engine. GSL consists of a core language which is augmented by a set of functions that add domain specific functionality for different cloud providers (AWS, Azure, and GCP). These functions include IP addresses and networking, cloud entities such as instances, strings matching, date & time, etc.

Rule Syntax

A GSL rule has the form:

<Target> should <Condition>



Data Types

GSL has different syntax for strings (textual values) and for numericvalues


The core GSL syntax is enriched by internal functions that provide domain specific functionality in multiple areas such as: IP addresses, dates, string matching etc...


<property_name> <function_name> (<param1>,<param2>...)


  • property_name is the property/object we wish to operate on (similar to functions in object-oriented languages)

  • function_name is the name of the functions from the above list params the required parameters according to the type of the function, separated by

General Functions

Networking Functions - General

Networking Functions for AWS NACL and MS Azure NSG

AWS NACL and MS Azure NSGs have different firewall semantics.

The FW rules are ordered and may contain explicit 'DROP'. This makes the order of the rules critical.

These functions operate on a list of rules.

Time Functions

See Also

Dome9 Cloud Security Posture Repository

Use the CloudGuard Dome9 GSL Builder

Create Custom Security Policies with Dome9 Governance Specification Language (GSL)