CloudGuard Controller for Google Cloud Platform (GCP)

The CloudGuard Controller Provisions SDDC services as Virtual Data Centers that provide virtualized computer networking, storage, and security. integrates the Google Cloud Platform (GCP Google® Cloud Platform is a suite of products and services that includes hosting, cloud computing, database services and more.) with Check Point security.

Important - The CloudGuard Controller server clock must be synchronized with the current, local time. Use of a NTP server is recommended. Time synchronization issues can cause polling information from the cloud to fail.

Configuring Permissions for Google Cloud Platform

You must authenticate and connect to your Google Cloud Platform account to retrieve objects.

Authentication is done by GCP Service Account credentials.

The CloudGuard Controller retrieves objects from all projects, to which the Service Account has access.

You can use these authentication methods

Authentication Method	Description
Service Account VM Instance Authentication	Uses the Service Account VM Instance to authenticate. This option requires the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. to be deployed in a GCP, and run as a Service Account with the required permissions.
Service Account Key Authentication	Uses the Service Account private key file to authenticate. Use the GCP web console to create a Service Account Key JSON file.

Authentication Method

Description

Service Account VM Instance Authentication

Uses the Service Account VM Instance to authenticate.

This option requires the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. to be deployed in a GCP, and run as a Service Account with the required permissions.

Service Account Key Authentication

Uses the Service Account private key file to authenticate.

Use the GCP web console to create a Service Account Key JSON file.

Minimum permissions for the service account

The service account must have read permissions for all the relevant resources (example: viewer role).

Networks
Instances
Subnetworks

Google Cloud Platform APIs

You must enable the Cloud Resource Manager API for the project to which the service account belongs.

The Compute Engine API must be enabled for all the projects to which the Service Account has access.

This is made from the GCP API Library.

Connecting to a Google Cloud Platform Data Center with SmartConsole

Step	Instructions
1	In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., create a new Data Center Virtual centralized repository, or a group of physical networked hosts, Virtual Machines, and datastores. They are collected in a group for secured remote storage, management, and distribution of data. object in one of these ways: In the top left corner, click Objects menu > More object types > Server > Data Center > New Google Cloud Platform. In the top right corner, click Objects Pane > New > More > Server > Data Center > Google Cloud Platform.
2	In the Enter Object Name field, enter the applicable name.
3	Select the applicable authentication method: Service Account Key Authentication Service Account VM Instance Authentication
4	If you choose Service Account Key Authentication, import the Service Account JSON file.
5	Click Test Connection.
6	Click OK.
7	Publish the SmartConsole session.
8	Install the Access Control policy on the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object.

Connecting to a Google Cloud Platform Data Center Server with Management API

Go to Management API Reference > Click on see arguments per Data Center Server type and select Google Cloud Platform.

Connecting to a Google Cloud Platform Data Center Server with Terraform

See checkpoint_management_gcp_data_center_server.

Google Cloud Platform Objects and Properties

GCP Imported Objects

Object	Description
VPC Networks	Your GCP VPC networks in the cloud
Subnet	All the IP addresses from the network interfaces related to this subnet
Instance	Virtual Machines instances
Tags	Groups all the instances that have the same network tag

GCP Import Options

Use Projects or Tags to import GCP objects to your policy:

Option	Description
Projects	Import VPC networks, subnets or instances from another project to your Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection.
Tags	Import all instances that have a specific network tag

Note - All changes in GCP are automatically updated with the Check Point Security Policy. Users with permissions to change network tags in GCP can change their access permissions.

GCP Object Names

Object names are the same as those in the GCP console.

Instance and Subnet use the following names:

Object	Object Name
Instance	`"<Instance Name> (<Zone Name>)"`
Subnet	`"<Subnet Name> (<Region Name>)"`

GCP Imported Properties

Property	Description
Name	Resource name as shown in the GCP console. User can edit the name after importing the object.
Name in server	Resource name as shown in the GCP console
Type in server	Resource type
IP	Associated private and public IP addresses
Note	For instances, the list of VPC networks to which the instance belongs
URI	Object path
Tags	Network tags attached to the object