The CloudGuard Dome9 GSL Language

CloudGuard GSL is a syntax to define posture management rules, which can be included in rulesets in the CloudGuard Compliance Engine. GSL consists of a core language which is augmented by a set of functions that add domain specific functionality for different cloud providers (AWS, Azure, GCP, Kubernetes, and Terraform). These functions include IP addresses and networking, cloud entities such as instances, strings matching, date & time, etc.

Rule Syntax

A GSL rule has the form:

<Target> should <Condition>



Data Types

GSL has different syntax for strings (textual values) and for numericvalues


The core GSL syntax is enriched by internal functions that provide domain specific functionality in multiple areas such as: IP addresses, dates, string matching etc...


<property_name> <function_name> (<param1>,<param2>...)


  • property_name is the property/object we wish to operate on (similar to functions in object-oriented languages)

  • function_name is the name of the functions from the above list params the required parameters according to the type of the function, separated by

General Functions

Networking Functions - General

Networking Functions for AWS NACL and MS Azure NSG

AWS NACL and MS Azure NSGs have different firewall semantics.

The FW rules are ordered and may contain explicit 'DROP'. This makes the order of the rules critical.

These functions operate on a list of rules.

Resource Functions

These functions return values for properties of assets. In particular they can return secondary values for assets (for example, the value of a rule address for an SG assigned to an EC2 instance).


These functions are supported for Terraform plans only (this will be expanded for all platforms later).

Time Functions

See Also

Dome9 Cloud Security Posture Repository

Use the CloudGuard Dome9 GSL Builder

Create Custom Security Policies with Dome9 Governance Specification Language (GSL)