Google Cloud Security Command Center (CSCC)

You can configure your CloudGuard Network Security instances to send Threat Prevention events to the Google Cloud Security Command Center (CSCC).

CSCC is Google's platform used to manage security risks.

After the configuration is finished, the Check Point Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. assigns port 37227 to receive security events from the Security Gateways that it manages. It then sends the events to CSCC.

For more information, see the GCP CSCC documentation.

Prerequisites

Note - The Security Management Server must have outbound internet connectivity to send Google Cloud Security Command Center (CSCC) APIs.

Configuring CSCC on the Google Cloud Platform (GCP)

A service account is a non-human user that needs to authenticate and give access to data in Google's APIs link.

To create a service account:

  1. From your Google projects, log in to your Google account > go to IAM & admin > Service Accounts.

  2. Click Create Service Account.

  3. Select a name for the service account > click Create.

  4. Click Edit > Create Key.

    Create a private key in JSON format, and keep it.

  5. In the IAM field, add this role to your service account:

    Compute Viewer

  6. Click Save.

  7. Log in to your GCPClosed Google® Cloud Platform is a suite of products and services that includes hosting, cloud computing, database services and more. organization.

  8. In the IAM field, add these roles to the service account:

    Security Center Findings Editor

  9. Click Save.

Use these steps to allow CloudGuard Network to publish relevant findings to your GCP account:

  1. Log in to your organization > in the Security field, go to Security Command Center

  2. Click Add Security Source.

  3. Select Check Point CloudGuard Network Integration for Cloud SCC.

  4. To register, click Visit Check Point Software Technologies site.

  5. Select the GCP Service Account connected to the GCP project created in Step: 1 Create a Service Account.

  6. Copy the Source ID value. This value is for the configuration on CloudGuard Network.

Configuring CloudGuard Network to Send Events to CSCC

Use these steps to configure the Check Point Security Management Server to send findings to your Google CSCC account.

  1. Install the latest CME version. See Installing and Updating CME.

  2. Configure the CME service on the Security Management Server. See CME Structure and Configurations.

  3. Transfer the JSON file of the service account (created in Step: 1 Create a Service Account) to a directory on the Security Management Server.

  4. Connect to the command line on the Security Management Server.

  5. Log in to the Expert mode.

  6. Launch the CME menu:

    cme_menu

  7. Select the Cloud Security Control Center (CSCC) section:

    1. From the CME menu main page, select GCP.

    2. From the GCP Configuration tab, select Cloud Security Command Center (CSCC).

  8. Enable the Cloud Security Control Center (CSCC) feature:

    1. Select Configure CSCC for CloudGuard Network.

    2. Enter the requested parameters.

    3. Optional: Decide if to enable the feature immediately, or not.

Parameter Value Description

organization-id

1111s

The organization number that allows events to be sent to CSCC. For more information, see Creating and managing organizations.

project-id

My-project

The name of the project that you need to allow CSCC. For more information, see Locate the Project ID.

source-id

123456

The source ID that is assigned to CloudGuard Network.

You must copy this value from Select CloudGuard Network as a security source step.

service-account-key-path

"/home/admin/CSCC/s-a-key.json"

Parameter received in the GCP Configuration, (Step 1) – It allows CloudGuard Network to extract applicable security information from your instances.

Enabling CSCC on the Security Management Server

You can activate CSCC feature only after the configuration is complete.

  1. Connect to the command line on the Security Management Server.

  2. Log in to the Expert mode.

  3. Launch the CME menu:

    cme_menu

  4. Select Cloud Security Control Center (CSCC).

    1. On the CME menu home page, select GCP.

    2. In the GCP Configuration tab, select Cloud Security Control Center (CSCC).

  5. Activate Cloud Security Control Center (CSCC) > select Enable CSCC.

Disabling CSCC on the Security Management Server

If you disable the feature it stops the Security Management Server from sending logs to GCP.

  1. Connect to the command line on the Security Management Server.

  2. Log in to the Expert mode.

  3. Launch the CME menu:

    cme_menu

  4. Select the Cloud Security Control Center (CSCC) section.

    1. On the CME menu home page, select GCP.

    2. In the GCP Configuration tab, select Cloud Security Control Center (CSCC).

  5. Select Disable CSCC.

Viewing the CSCC Status

You can see the status of CSCC on the Security Management Server.

  1. Connect to the command line on the Security Management Server.

  2. Log in to the Expert mode.

  3. Launch the CME menu:

    cme_menu

  4. Select the Cloud Security Control Center (CSCC) section.

    1. On the CME menu home page, select GCP.

    2. In the GCP Configuration tab, select Cloud Security Control Center (CSCC).

  5. Click Cloud Security Control Center (CSCC) > select Display CSCC.

Configuring Debug Mode

When Debug mode is activated, then detailed logs of the CME internal state are generated and saved to a file.

Note - The Debug mode is off by default.

  1. Connect to the command line on the Security Management Server.

  2. Log in to the Expert mode.

  3. Launch the CME menu:

    cme_menu

  4. Select the Cloud Security Control Center (CSCC) section.

    1. On the CME menu home page, select GCP.

    2. On the GCP Configuration tab, select Cloud Security Control Center (CSCC).

  5. Select CSCCDebug Mode Configuration.

    • To activate debug mode, select Enable CSCC Mode Configuration.

    • To stop debug mode, select Disable CSCC Mode Configuration.

Additional Information about CloudGuard Network in CSCC

CloudGuard Network sends security events reported by these Software Blades:

The Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. is displayed in the Category field.

Use these options to see more information:

  • External URL link that opens the related log in smart view.

  • Source Properties tab.

Log Exporter

As part of the configuration to send security events, the Log Exporter feature is used.

The cpwd adds and monitors a new Log Exporter instance with the name: EXPORTER.CME_LOG_REPORTER

For more information about the Log Exporter, see sk122323.

Limitations

  • This feature is for Check Point Security Management Server versions R80.40 and higher.

  • Multi-Domain Servers are not supported.

  • These scenarios are not supported:

    • Two or more GCP Instances with the same private IP addresses in the same project.

      In this case, one of the instances is displayed in the CSCC Finding.

    • On-Premises appliances with a source IP the same as the IP address of an instance in the configured GCP project.

      In this case, the resource name of the GCP instance is displayed in the Findings.

  • GCP Instance information is updated each 30 minutes.

  • Only compute instances are supported.

  • Only active states are reported.

  • The feature does not work with manual modifications.

    All the modifications must be done with the cme_menu.

  • For CME limitations, see sk157492.

  • For Log Exporter limitations, see sk122323.