
CloudGuard Controller for Google Cloud Platform

The CloudGuard Controller integrates the Google Cloud Platform (GCP) with Check Point security.

The Check Point Data Center Server connects to GCP and retrieves object data.

The CloudGuard Controller updates IP addresses and other object properties in the Data Center Objects group.

Configuring Permissions for Google Cloud Platform

You must authenticate and connect to your Google Cloud Platform account to retrieve objects.

Authentication uses GCP Service Account credentials.

The CloudGuard Controller retrieves objects from all projects to which the Service Account has access.

You can use these authentication methods:

  • Service Account VM Instance Authentication: Use this option when the Security Management Server runs in a GCP VM instance that runs as a service account with the required permissions.
  • Service Account Key Authentication: Use this option to authenticate with a Service Account private key file. Use the GCP web console to create a key for the service account in JSON format.

Minimum permissions for the service account

The service account must have read permissions for all the relevant resources (for example, the Viewer role).

GCP APIs

You must enable the Cloud Resource Manager API for the project to which the service account belongs.

The Compute Engine API must be enabled for all the projects to which the Service Account has access.

Enable these APIs from the GCP API Library.

Connecting to a Google Cloud Platform Data Center

Step 1 - In SmartConsole, create a new Data Center object in one of these ways:

  • In the top left corner, click Objects menu > More object types > Server > Data Center > New Google Cloud Platform.
  • In the top right corner, click Objects Pane > New > More > Server > Data Center > Google Cloud Platform.

In the Enter Object Name field, enter the desired name.

Step 2 - Select the applicable authentication method:

  • Service Account Key Authentication
  • Service Account VM Instance Authentication

Step 3 - If you choose Service Account Key Authentication, import the Service Account JSON file. Click Test Connection.

Step 4 - Click OK. Publish the session.

Google Cloud Platform Objects

Objects

  • VPC Networks: Your GCP VPC networks in the cloud.
  • Subnet: All the IP addresses from the network interfaces related to this subnet.
  • Instance: Virtual Machine instances.
  • Tags: Groups all the instances that have the same network tag.

Importing GCP objects

Use Projects or Tags to import GCP objects into your policy:

  • Projects: Import VPC networks, subnets or instances from another project into your Security Policy.
  • Tags: Import all instances that have a specific network tag.

Note - All changes in GCP are automatically updated in the Check Point Security Policy. Users with permission to change network tags in GCP may therefore be able to change their own access permissions.
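The Tags grouping and the note above, as an added Python example that is not part of Check Point's product code: it builds instance object names in the "<Instance Name> (<Zone Name>)" format, groups instances by network tag the way the Tags object does, and diffs two constructed instance snapshots to surface a tag change that would silently alter which instances a policy rule covers. The snapshot shape, names and addresses are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample shaped like a `gcloud compute instances list --format=json` export (hypothetical names, RFC 1918 / RFC 5737 addresses).
SNAPSHOT_BEFORE = json.loads("""[
 {"name": "web-1", "zone": "projects/p/zones/us-central1-a", "tags": {"items": ["web"]},
  "networkInterfaces": [{"networkIP": "10.0.1.5",
                         "accessConfigs": [{"natIP": "203.0.113.10"}]}]},
 {"name": "db-1", "zone": "projects/p/zones/us-central1-b", "tags": {"items": ["db"]},
  "networkInterfaces": [{"networkIP": "10.0.1.9"}]}
]""")
# Same fleet after someone with tag-edit rights in GCP added "web" to db-1.
SNAPSHOT_AFTER = json.loads(json.dumps(SNAPSHOT_BEFORE))
SNAPSHOT_AFTER[1]["tags"]["items"].append("web")

def object_name(inst):
    """Data Center object name for an instance: "<Instance Name> (<Zone Name>)"."""
    return f'{inst["name"]} ({inst["zone"].rsplit("/", 1)[-1]})'

def instance_ips(inst):
    """Private (networkIP) and public (natIP) addresses the IP property would carry."""
    ips = []
    for iface in inst.get("networkInterfaces", []):
        ips.append(iface["networkIP"])
        ips += [ac["natIP"] for ac in iface.get("accessConfigs", []) if "natIP" in ac]
    return ips

def tag_groups(instances):
    """Tag object -> sorted names of the instances that share that network tag."""
    groups = defaultdict(set)
    for inst in instances:
        for tag in inst.get("tags", {}).get("items", []):
            groups[tag].add(object_name(inst))
    return {tag: sorted(names) for tag, names in groups.items()}

def tag_drift(before, after):
    """Per tag, instances that joined or left its group between two snapshots.
    Each such change silently changes what any rule using that Tag allows."""
    b, a = tag_groups(before), tag_groups(after)
    drift = {}
    for tag in sorted(set(b) | set(a)):
        added = sorted(set(a.get(tag, [])) - set(b.get(tag, [])))
        removed = sorted(set(b.get(tag, [])) - set(a.get(tag, [])))
        if added or removed:
            drift[tag] = {"added": added, "removed": removed}
    return drift

if __name__ == "__main__":
    print(json.dumps(tag_drift(SNAPSHOT_BEFORE, SNAPSHOT_AFTER), indent=1))
```

Running the drift check against periodic exports, or against GCP audit log events for tag changes, gives the Security Policy owner an independent record of membership changes made outside SmartConsole.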

Object Names

Object names are the same as those in the GCP console.

Instance and Subnet objects are named as follows:

  • Instance: "<Instance Name> (<Zone Name>)"
  • Subnet: "<Subnet Name> (<Region Name>)"

Imported Properties

  • Name: Resource name as shown in the GCP console. You can edit the name after importing the object.
  • Name in server: Resource name as shown in the GCP console.
  • Type in server: Resource type.
  • IP: Associated private and public IP addresses.
  • Note: For instances, the list of VPC networks to which the instance belongs.
  • URI: Object path.
  • Tags: Network tags that are attached to the object.