Deployment and Configuration of GCP Network Security Integration

Step 1: Install a Cloud Firewall Management Server

We recommend using Smart-1 Cloud (Check Point's Cloud Firewall Management Server as a Service) to manage the Cloud Firewall Autoscaling Managed Instance Group (MIG).

For step-by-step instructions on enabling Cloud Management Extension (CME) in Smart-1 Cloud management, refer to Smart-1 Cloud Administration Guide > Using the settings > Cloud Management Extension (CME) Configuration.

Alternative deployment options for the Cloud Firewall Management Server include Google Cloud Platform (GCP), other cloud platforms, or on-premises installations.

To control Cloud Firewall Gateways, make sure the following requirements are met:

  • The Cloud Firewall Management Server can open connections to Cloud Firewall Gateways.

  • Cloud Firewall Gateways can open connections to the Cloud Firewall Management Server (for example, for sending logs).

Note - Verify that the Cloud Firewall Management Server can manage the Cloud Firewall Gateways (R81.20 and higher) according to sk113113 - Check Point Upgrade Path and Management Servers and Security Gateways Compatibility Maps > Management Servers and Security Gateways they can manage.

Autoscaling Cloud Firewall Gateways in the Security VPC can be deployed with or without a public IP address. The “management-nic” parameter in the Terraform main.tf file controls this setting.

Deployments without a public IP address must use one of these topologies:

  • Install the Cloud Firewall Management Server in the Management VPC.

  • Install the Cloud Firewall Management Server in a VPC peered with the Management VPC.

  • Install the Cloud Firewall Management Server on-premises and connect it to the Management VPC over Cloud Interconnect.

  • Install the Cloud Firewall Management Server on-premises and connect it to the Management VPC over a Cloud VPN.

To deploy the Cloud Firewall Management Server in GCP, go to Check Point Cloud Firewall NGFW and Threat Prevention (BYOL).

Notes:

Important - We strongly recommend using the Cloud Firewall App to complete steps 2-3 of the main flow.

The Cloud Firewall App is an automated deployment solution designed to streamline the installation and configuration of Cloud Firewall Gateways across multiple cloud environments. This application provides a simplified, wizard-driven interface that eliminates the need for extensive cloud expertise and Check Point product knowledge. For deployment and configuration instructions, see the Cloud Firewall App Administration Guide.

Step 2: Create a Google Cloud Platform (GCP) Service Account

The Cloud Firewall Management Server uses the GCP Service account to monitor the creation and status of the autoscaling Managed Instance Group. This lets the Cloud Firewall Management Server complete provisioning of these Cloud Firewall Gateways. You can create a new service account or use an existing one with the required roles.

To create a GCP service account:

  1. Create a Service account according to the instructions in the GCP's Create service accounts guide.

  2. On the new service account page in the GCP console, click Create new key > JSON (as the key type). A JSON file downloads to your computer.

    Note - This JSON file is later used as the credentials file in Deployment and Configuration of GCP Network Security Integration.

  3. Configure roles and permissions. The Compute Engine > Compute Viewer role is required for CME.

The NSI solution uses Google Cloud service accounts for two distinct purposes:

1. Producer deployment (Terraform): Deploys the NSI producer infrastructure (Management and Security VPCs, Cloud Firewall Gateways, Internal Load Balancer, and Intercept Deployment resources).

2. Consumer onboarding (Manual): Connects consumer VPCs/projects to the producer inspection service by creating endpoint groups/associations and network firewall policies.

A service account with the following permissions is required for the Producer deployment:

compute.firewallPolicies.create
compute.firewallPolicies.delete
compute.firewallPolicies.get
compute.firewallPolicies.update
compute.firewallPolicies.use
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.get
compute.forwardingRules.use
compute.globalOperations.get
compute.healthChecks.create
compute.healthChecks.delete
compute.healthChecks.get
compute.healthChecks.useReadOnly
compute.instanceGroups.use
compute.instances.setLabels
compute.networks.create
compute.networks.delete
compute.networks.setFirewallPolicy
compute.networks.use
compute.regionBackendServices.create
compute.regionBackendServices.delete
compute.regionBackendServices.use
compute.regionBackendServices.get
compute.subnetworks.create
compute.subnetworks.delete
compute.zones.list
networksecurity.interceptDeploymentGroups.create
networksecurity.interceptDeploymentGroups.delete
networksecurity.interceptDeploymentGroups.get
networksecurity.interceptDeploymentGroups.use
networksecurity.interceptDeployments.create
networksecurity.interceptDeployments.delete
networksecurity.interceptDeployments.get

A service account with the following permissions is required for the Consumer deployment:

compute.firewallPolicies.create
compute.firewallPolicies.delete
compute.firewallPolicies.get
compute.firewallPolicies.update
compute.firewallPolicies.use
compute.networks.setFirewallPolicy
networksecurity.interceptEndpointGroups.create
networksecurity.interceptEndpointGroups.delete
networksecurity.interceptEndpointGroups.get
networksecurity.interceptEndpointGroups.use
networksecurity.interceptEndpointGroupAssociations.create
networksecurity.interceptEndpointGroupAssociations.delete
networksecurity.interceptEndpointGroupAssociations.get

In addition, create a custom role with the following organization-level permissions for the Consumer deployment:

networksecurity.securityProfiles.*
networksecurity.securityProfileGroups.*
networksecurity.operations.get
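The following shell snippet is an added example, not part of the Check Point guide or its Terraform module. It compares a required permission list against the permissions actually bound to a service account and reports the gap, including how a wildcard entry such as networksecurity.securityProfiles.* is treated. Both permission lists are constructed samples (a subset of the lists above), and the gcloud invocation in the comment is the assumed way to collect the granted permissions from each role bound to the account.

```shell
#!/bin/sh
# Compare the permissions a service account actually holds against a required list and
# report what is missing. Both lists below are constructed samples for this example.

# Constructed: a subset of the required permissions from the lists above, including one
# wildcard entry from the organization-level custom role.
REQUIRED_PERMS='compute.firewallPolicies.create
compute.firewallPolicies.delete
compute.networks.setFirewallPolicy
networksecurity.interceptEndpointGroups.create
networksecurity.securityProfiles.*'

# Constructed: permissions granted to the account. In real use, collect them from every role
# bound to the account, e.g. (assumed invocation; list values are ';'-separated in value format):
#   gcloud iam roles describe ROLE_ID --project=$CONSUMER_PROJECT \
#       --format="value(includedPermissions)" | tr ';' '\n'
GRANTED_PERMS='compute.firewallPolicies.create
compute.firewallPolicies.delete
compute.firewallPolicies.get
networksecurity.securityProfiles.create
networksecurity.securityProfiles.get'

# missing_permissions REQUIRED GRANTED
# Prints each required permission that is not granted, one per line.
# A required entry of the form "prefix.*" counts as missing only when no granted
# permission starts with "prefix." (the wildcard stands for the whole family).
missing_permissions() {
  required=$1
  granted=$2
  printf '%s\n' "$required" | while IFS= read -r perm; do
    [ -n "$perm" ] || continue
    case $perm in
      *.\*)
        # Escape the dots so grep treats the prefix literally.
        prefix=$(printf '%s' "${perm%\*}" | sed 's/\./\\./g')
        printf '%s\n' "$granted" | grep -q "^$prefix" || printf '%s\n' "$perm"
        ;;
      *)
        printf '%s\n' "$granted" | grep -qxF -- "$perm" || printf '%s\n' "$perm"
        ;;
    esac
  done
}

# Usage: print the gap so the missing permissions can be added to the role before deployment.
missing=$(missing_permissions "$REQUIRED_PERMS" "$GRANTED_PERMS")
if [ -n "$missing" ]; then
  printf 'Missing permissions:\n%s\n' "$missing"
else
  echo "All required permissions are granted."
fi
```

Run the check once per service account (producer and consumer) with the matching required list; a non-empty result means the Terraform run or the gcloud onboarding commands will fail part-way with a permission error.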

GCP Availability Zones

List the GCP Availability Zones in the Service VPC where the servers you want to protect are currently deployed. Also include zones where new servers will be deployed.

This list is required for the solution deployment and to make sure the Packet Interception works. See the Cross-Zone Deployment section for more information.

Step 3: Deploy Cloud Firewall for GCP Network Security Integration via Terraform Registry

The Terraform Registry module deploys only the Producer side of the Network Security Integration (NSI) architecture.

After the producer infrastructure is deployed, consumer VPCs and organization-level inspection policies must be configured manually using gcloud commands.

Producer Side Resources

  • Check Point’s Managed Instance Group:

    • eth1 interface (without a public IP address) connects to the Security VPC

    • eth0 interface (with or without a public IP address) connects to the Management VPC

  • Management and Security VPCs and Subnets (existing VPCs can be used)

  • Internal Load Balancer

  • Intercept Deployment Group

  • Intercept Deployments and a Forwarding Rule to the Load Balancer (for each Availability Zone specified in the Terraform template)

Consumer Side Resources

  • Service VPC (existing VPCs can be used)

  • Intercept Endpoint Association

  • Intercept Endpoint Group

  • Interception Network Firewall Policy and Rules

  • Security Profile Group

  • Intercept Security Profile

You can deploy into existing VPCs or create new VPCs during deployment.

Terraform Registry Deployment

  1. Deploy the Cloud Firewall for GCP Network Security Integration solution using our Terraform Registry template.

  2. Follow the general Terraform deployment instructions provided on the main GCP Provider page.

Cross-Zone Deployment

The Terraform template supports a cross-zone deployment model. Define the relevant zones using the intercept_deployment_zones parameter in the main.tf file.

Example:

intercept_deployment_zones = ["us-central1-a", "us-central1-b"]

This configuration deploys intercept instances in both us-central1-a and us-central1-b zones.

Important - To make sure that traffic is properly intercepted and inspected by Cloud Firewall Gateways, an Intercept Deployment - along with the corresponding Forwarding Rule to the Internal Load Balancer - must be deployed for each Availability Zone in the Security VPC.

If an Intercept Deployment is missing in a specific zone, traffic in that zone will bypass GCP Layer-7 policies and not be inspected, creating a security gap.

These deployments must align with the zones where your workloads operate.
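The following shell snippet is an added example, not part of the Check Point template or guide. It extracts intercept_deployment_zones from a constructed main.tf excerpt, compares them with a constructed list of zones where workloads run, and reports every zone in which traffic would bypass inspection because no Intercept Deployment exists there. The gcloud command in the comment is the assumed source of the real workload zone list.

```shell
#!/bin/sh
# Find workload zones that have no Intercept Deployment. Zones are read from a constructed
# main.tf excerpt and a constructed list of instance zones, so the script runs offline.

# Constructed excerpt of a Terraform main.tf; not the Check Point template itself.
MAIN_TF='project_id                 = "my-producer-project"
prefix                     = "chkp-tf-nsi"
intercept_deployment_zones = ["us-central1-a", "us-central1-b"]'

# Constructed list of zones where consumer workloads currently run (one per line, duplicates allowed).
# Real input (assumed invocation):
#   gcloud compute instances list --project=$CONSUMER_PROJECT --format="value(zone.basename())"
WORKLOAD_ZONES='us-central1-a
us-central1-c
us-central1-b
us-central1-c'

# tf_intercept_zones TEXT -> zones listed in intercept_deployment_zones, one per line.
tf_intercept_zones() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*intercept_deployment_zones[[:space:]]*=[[:space:]]*\[\(.*\)].*$/\1/p' \
    | tr ',' '\n' \
    | sed 's/[[:space:]"]//g' \
    | grep -v '^$'
}

# zones_without_intercept WORKLOAD_ZONES INTERCEPT_ZONES -> workload zones with no Intercept Deployment.
zones_without_intercept() {
  intercepts=$2
  printf '%s\n' "$1" | grep -v '^$' | sort -u | while IFS= read -r zone; do
    printf '%s\n' "$intercepts" | grep -qxF -- "$zone" || printf '%s\n' "$zone"
  done
}

# Usage: report the gap; every zone printed here needs to be added to intercept_deployment_zones.
gap=$(zones_without_intercept "$WORKLOAD_ZONES" "$(tf_intercept_zones "$MAIN_TF")")
if [ -n "$gap" ]; then
  printf 'Zones with workloads but no Intercept Deployment (traffic there is NOT inspected):\n%s\n' "$gap"
else
  echo "Every workload zone has an Intercept Deployment."
fi
```

Re-run the check whenever workloads are scheduled into a new zone; the Terraform template only creates Intercept Deployments for the zones it is told about, so a zone added on the consumer side is silently uninspected until main.tf is updated and re-applied.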

Step 4: Consumer Deployment (manual configuration)

After deploying the NSI producer infrastructure with Terraform, configure your consumer VPC(s) to use the inspection service with gcloud commands.

Important - Do not use VPC firewall rules in consumer VPCs protected by NSI. VPC firewall rules have a higher enforcement priority than global network firewall policies, which can cause traffic to bypass inspection. Use Network Firewall Policies (configured in the steps below) instead of VPC firewall rules to ensure all traffic is properly inspected.

Prerequisites

Before proceeding with the consumer setup, make sure the Network Security API is enabled for your consumer project. Run this command:

gcloud services enable networksecurity.googleapis.com

Alternatively, you can enable this API manually via the GCP Console.

To deploy the Consumer project, do these steps:

Step 1: Set Environment Variables

These environment variables will be used throughout the consumer setup process:

Each entry lists the value, the environment variable that holds it, an example, and how to obtain it.

Producer Project ID
    Environment variable: $PRODUCER_PROJECT
    Example: my-producer-project
    How to obtain: gcloud projects list

Consumer Project ID
    Environment variable: $CONSUMER_PROJECT
    Example: my-consumer-project
    How to obtain: gcloud projects list

Organization ID
    Environment variable: $ORG_ID
    Example: 123456789012
    How to obtain: gcloud projects describe $PRODUCER_PROJECT --format="value(parent.id)"

Prefix (from Terraform)
    Environment variable: $PREFIX
    Example: chkp-tf-nsi
    How to obtain: The prefix value used in your Terraform deployment.

Intercept Deployment Group
    Environment variable: $INTERCEPT_DEPLOYMENT_GROUP
    Example: projects/my-producer-project/locations/global/interceptDeploymentGroups/chkp-tf-nsi-intercept-deployment-group
    How to obtain: gcloud network-security intercept-deployment-groups list --project=$PRODUCER_PROJECT --location=global
    or construct: projects/$PRODUCER_PROJECT/locations/global/interceptDeploymentGroups/$PREFIX-intercept-deployment-group

Consumer VPC name
    Environment variable: $CONSUMER_VPC
    Example: my-workload-vpc
    How to obtain: gcloud compute networks list --project=$CONSUMER_PROJECT

To set the environment variables, use these commands:

export PRODUCER_PROJECT="your-producer-project-id"
export CONSUMER_PROJECT="your-consumer-project-id"
export ORG_ID="your-organization-id"
export PREFIX="your-terraform-prefix"
export INTERCEPT_DEPLOYMENT_GROUP="projects/$PRODUCER_PROJECT/locations/global/interceptDeploymentGroups/$PREFIX-intercept-deployment-group"
export CONSUMER_VPC="your-consumer-vpc-name"
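The following shell snippet is an added example, not part of the Check Point guide. It is a preflight for the consumer onboarding: it checks that every Step 1 variable is set, validates that the Intercept Deployment Group is a full global resource name, and flags leftover VPC firewall rules in the consumer VPC (the bypass risk described in the Important note above). The variable values and the rule name are constructed, and the gcloud firewall-rules query in the comment is an assumed invocation.

```shell
#!/bin/sh
# Preflight for the consumer onboarding: confirm the Step 1 variables are set, that the
# Intercept Deployment Group is a full global resource name, and that the consumer VPC has
# no VPC firewall rules, which the Important note above says would bypass inspection.

# check_env_vars -> prints the names of unset or empty Step 1 variables; returns 1 if any.
check_env_vars() {
  rc=0
  for name in PRODUCER_PROJECT CONSUMER_PROJECT ORG_ID PREFIX INTERCEPT_DEPLOYMENT_GROUP CONSUMER_VPC; do
    eval "val=\${$name:-}"
    if [ -z "$val" ]; then
      printf '%s\n' "$name"
      rc=1
    fi
  done
  return "$rc"
}

# check_deployment_group NAME -> 0 when NAME looks like
# projects/PROJECT_ID/locations/global/interceptDeploymentGroups/GROUP_NAME
# (project IDs are 6-30 lowercase letters, digits or hyphens, starting with a letter).
check_deployment_group() {
  printf '%s\n' "$1" | grep -Eq '^projects/[a-z][-a-z0-9]{4,28}[a-z0-9]/locations/global/interceptDeploymentGroups/[a-z]([-a-z0-9]*[a-z0-9])?$'
}

# check_no_vpc_firewall_rules RULE_NAMES -> 0 when RULE_NAMES is empty; otherwise prints the names and returns 1.
# RULE_NAMES is meant to be the output of (assumed invocation):
#   gcloud compute firewall-rules list --project=$CONSUMER_PROJECT --filter="network:$CONSUMER_VPC" --format="value(name)"
check_no_vpc_firewall_rules() {
  rules=$(printf '%s\n' "$1" | grep -v '^$' || true)
  [ -z "$rules" ] && return 0
  printf '%s\n' "$rules"
  return 1
}

# Usage with constructed values (replace with your own exports from Step 1).
PRODUCER_PROJECT="my-producer-project"
CONSUMER_PROJECT="my-consumer-project"
ORG_ID="123456789012"
PREFIX="chkp-tf-nsi"
INTERCEPT_DEPLOYMENT_GROUP="projects/$PRODUCER_PROJECT/locations/global/interceptDeploymentGroups/$PREFIX-intercept-deployment-group"
CONSUMER_VPC="my-workload-vpc"
# Constructed output of the firewall-rules listing: one leftover VPC firewall rule.
VPC_RULES='default-allow-ssh'

if missing=$(check_env_vars); then echo "Step 1 variables: OK"; else echo "Unset variables: $missing"; fi
if check_deployment_group "$INTERCEPT_DEPLOYMENT_GROUP"; then echo "Deployment group name: OK"; else echo "Deployment group name is malformed"; fi
if leftovers=$(check_no_vpc_firewall_rules "$VPC_RULES"); then echo "No VPC firewall rules: OK"; else echo "Remove or migrate these VPC firewall rules: $leftovers"; fi
```

Run the preflight before Step 2; a malformed deployment group name fails at endpoint group creation, and any VPC firewall rule reported here should be re-expressed as a rule in the Network Firewall Policy created in Step 6 so that it does not take precedence over inspection.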

Step 2: Create an Intercept Endpoint Group

The Intercept Endpoint Group acts as a connection point between your consumer VPC and the producer's inspection service. The Intercept Endpoint Group references the Intercept Deployment Group created by the Terraform module in the producer project.

gcloud network-security intercept-endpoint-groups create consumer-intercept-epg \
    --project=$CONSUMER_PROJECT \
    --location=global \
    --intercept-deployment-group=$INTERCEPT_DEPLOYMENT_GROUP

Alternatively, you can create the Intercept Endpoint Group manually via the GCP Console.

Step 3: Associate VPC with the Intercept Endpoint Group

This association links your consumer VPC to the Intercept Endpoint Group, making sure traffic from this VPC is intercepted and inspected.

gcloud network-security intercept-endpoint-group-associations create consumer-epg-association \
    --project=$CONSUMER_PROJECT \
    --location=global \
    --network=$CONSUMER_VPC \
    --intercept-endpoint-group=consumer-intercept-epg

Alternatively, you can create the Intercept Endpoint Group Association manually via the GCP Console.

Step 4: Create Security Profile

The Security Profile defines which traffic must be inspected. This custom intercept profile references the Intercept Endpoint Group to route traffic for inspection.

gcloud network-security security-profiles custom-intercept create consumer-security-profile \
    --organization=$ORG_ID \
    --location=global \
    --intercept-endpoint-group=projects/$CONSUMER_PROJECT/locations/global/interceptEndpointGroups/consumer-intercept-epg

Alternatively, you can create the Security Profile manually via the GCP Console.

Step 5: Create Security Profile Group

The Security Profile Group bundles one or more security profiles together, allowing you to apply multiple security policies as a single entity in firewall rules.

gcloud network-security security-profile-groups create consumer-security-profile-group \
    --organization=$ORG_ID \
    --location=global \
    --custom-intercept-profile=organizations/$ORG_ID/locations/global/securityProfiles/consumer-security-profile

Alternatively, you can create the Security Profile Group manually via the GCP Console.

Step 6: Create Network Firewall Policy

The Network Firewall Policy is a global policy that contains the rules directing traffic to the Security Profile Group for inspection.

gcloud compute network-firewall-policies create consumer-firewall-policy \
    --project=$CONSUMER_PROJECT \
    --global

Alternatively, you can create the Network Firewall Policy and a rule manually via the GCP Console.

Step 7: Add Firewall Policy Rules

Create firewall rules that apply the Security Profile Group to traffic. These rules determine which traffic (ingress and/or egress) must be inspected.

Ingress Rule:

gcloud compute network-firewall-policies rules create 10 \
    --project=$CONSUMER_PROJECT \
    --action=apply_security_profile_group \
    --firewall-policy=consumer-firewall-policy \
    --global-firewall-policy \
    --layer4-configs=all \
    --src-ip-ranges=0.0.0.0/0 \
    --dest-ip-ranges=0.0.0.0/0 \
    --direction=INGRESS \
    --security-profile-group=organizations/$ORG_ID/locations/global/securityProfileGroups/consumer-security-profile-group

Egress Rule:

gcloud compute network-firewall-policies rules create 11 \
    --project=$CONSUMER_PROJECT \
    --action=apply_security_profile_group \
    --firewall-policy=consumer-firewall-policy \
    --global-firewall-policy \
    --layer4-configs=all \
    --src-ip-ranges=0.0.0.0/0 \
    --dest-ip-ranges=0.0.0.0/0 \
    --direction=EGRESS \
    --security-profile-group=organizations/$ORG_ID/locations/global/securityProfileGroups/consumer-security-profile-group

Step 8: Associate Policy with VPC

Associate the Network Firewall Policy with your consumer VPC to activate traffic inspection. When associated, all traffic matching the firewall rules is sent to the Cloud Firewall Gateways for inspection.

Important - Traffic is intercepted and inspected after this step.

gcloud compute network-firewall-policies associations create \
    --name=consumer-policy-association \
    --global-firewall-policy \
    --firewall-policy=consumer-firewall-policy \
    --network=$CONSUMER_VPC \
    --project=$CONSUMER_PROJECT

Connecting Multiple VPCs

A single Intercept Endpoint Group can protect multiple VPCs.

Option 1: Shared Firewall Policy

To connect additional VPCs with the same security policy, you must perform two actions for each VPC:

  1. Create endpoint association (see Step 3 above).

  2. Associate firewall policy (see Step 8 above).

All VPCs can share the same Endpoint Group, Security Profile, Security Profile Group, and Firewall Policy.

To add a second VPC, do these steps:

  1. Set the additional VPC name (VPC-2 in this example):

    export CONSUMER_VPC_2="your-second-vpc-name"

  2. Associate VPC-2 with the Intercept Endpoint Group:

    gcloud network-security intercept-endpoint-group-associations create vpc2-epg-association \
        --project=$CONSUMER_PROJECT \
        --location=global \
        --network=$CONSUMER_VPC_2 \
        --intercept-endpoint-group=consumer-intercept-epg

  3. Associate the Firewall Policy with VPC-2:

    gcloud compute network-firewall-policies associations create \
        --name=vpc2-policy-association \
        --global-firewall-policy \
        --firewall-policy=consumer-firewall-policy \
        --network=$CONSUMER_VPC_2 \
        --project=$CONSUMER_PROJECT

Option 2: Multiple Firewall Policies

If you need to apply different security policies to different VPCs, you can create multiple firewall policies and associate them with different VPCs. Each VPC can have its own firewall policy with custom rules while still using the same Intercept Endpoint Group.

To connect additional VPCs with different security policies, do these steps for each VPC:

  1. Create an endpoint association (see Step 3 above).

  2. Create a new firewall policy (see Step 6 above).

  3. Add firewall policy rules (see Step 7 above).

  4. Associate firewall policy with VPC (see Step 8 above).

To add VPC-2 with a different firewall policy, do these steps:

  1. Set the additional VPC name (VPC-2 in this example):

    export CONSUMER_VPC_2="your-second-vpc-name"

  2. Associate VPC-2 with the Intercept Endpoint Group:

    gcloud network-security intercept-endpoint-group-associations create vpc2-epg-association \
        --project=$CONSUMER_PROJECT \
        --location=global \
        --network=$CONSUMER_VPC_2 \
        --intercept-endpoint-group=consumer-intercept-epg

  3. Create a new firewall policy for VPC-2:

    gcloud compute network-firewall-policies create vpc2-firewall-policy \
        --project=$CONSUMER_PROJECT \
        --global

  4. Add custom rules to the VPC-2 firewall policy (Ingress):

    gcloud compute network-firewall-policies rules create 10 \
        --project=$CONSUMER_PROJECT \
        --action=apply_security_profile_group \
        --firewall-policy=vpc2-firewall-policy \
        --global-firewall-policy \
        --layer4-configs=all \
        --src-ip-ranges=0.0.0.0/0 \
        --dest-ip-ranges=0.0.0.0/0 \
        --direction=INGRESS \
        --security-profile-group=organizations/$ORG_ID/locations/global/securityProfileGroups/consumer-security-profile-group

  5. Associate the new firewall policy with VPC-2:

    gcloud compute network-firewall-policies associations create \
        --name=vpc2-policy-association \
        --global-firewall-policy \
        --firewall-policy=vpc2-firewall-policy \
        --network=$CONSUMER_VPC_2 \
        --project=$CONSUMER_PROJECT