As of January 2026, Check Point has formally introduced support for Google Cloud Network Security Integration (NSI), marking a significant step forward in how enterprise-grade firewalls can be deployed in cloud-native environments. The integration enables organizations to run Check Point CloudGuard Network Security firewalls directly within Google Cloud’s traffic path—without redesigning network routes or disrupting live workloads.
Instead of forcing traffic detours or complex architectural
changes, NSI allows security inspection to occur transparently and efficiently,
aligning firewall enforcement with modern cloud networking principles.
How the Integration Works
Native Packet Interception
Google Cloud’s built-in packet interception capabilities are
used to divert selected traffic streams to CloudGuard gateways for
inspection—without altering existing routing tables or subnet designs.
GENEVE-Based Traffic Delivery
Intercepted traffic is encapsulated in GENEVE (Generic Network
Virtualization Encapsulation, RFC 8926) for delivery to the firewall. The
original packet travels unchanged inside the tunnel, so the gateway sees and
logs the real source and destination IP addresses rather than a translated
address, and policy can be written against the real endpoints. Note that
GENEVE itself is only an encapsulation format: it adds no encryption or
integrity protection of its own, so any confidentiality of the intercepted
traffic in transit comes from the underlying Google Cloud network, not from
the tunnel header.
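To make the "original packet metadata is preserved" point concrete, here is an added example (not Check Point or Google Cloud code) that builds a GENEVE frame around a constructed IPv4/TCP packet, parses it back, and checks that the inner addresses, ports and IP checksum are untouched. The VNI, the option TLV and the choice to carry raw IPv4 (EtherType 0x0800) inside GENEVE are assumptions made for the demo, not a description of how NSI populates these fields.

```python
"""GENEVE (RFC 8926) encapsulation and decapsulation in pure Python.
Added example, not Check Point or Google Cloud code: it shows that the
inner IPv4 packet, including its source and destination addresses, is
carried through the tunnel byte-for-byte. The inner packet, VNI and
option TLV are constructed here; carrying raw IPv4 (EtherType 0x0800)
inside GENEVE is an assumption for the demo, not a statement about NSI."""
import ipaddress
import struct

GENEVE_UDP_PORT = 6081   # IANA-assigned UDP port for GENEVE
ETHERTYPE_IPV4 = 0x0800  # assumed inner protocol type for this example
IPPROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 means 'valid')."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, payload=b""):
    """Minimal IPv4 header + 20-byte TCP SYN; only the IP checksum is filled."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                      0x1234, 0x4000, 64, IPPROTO_TCP, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + tcp + payload


def geneve_option(opt_class, opt_type, data):
    """One option TLV: class(16) type(8) rsvd(3)+length(5), data padded to 4 bytes."""
    data += b"\x00" * (-len(data) % 4)
    return struct.pack("!HBB", opt_class, opt_type, len(data) // 4) + data


def geneve_encap(inner, vni, options=b""):
    """Base header: Ver(2)=0 OptLen(6) | O(1) C(1) Rsvd(6) | ProtocolType(16)
    | VNI(24) Reserved(8), then options, then the untouched inner packet."""
    if len(options) % 4 or len(options) // 4 > 63:
        raise ValueError("options must be a multiple of 4 bytes, at most 252")
    first = (0 << 6) | (len(options) // 4)
    flags = 0x00  # no OAM bit, no critical options in this example
    hdr = struct.pack("!BBHI", first, flags, ETHERTYPE_IPV4, (vni & 0xFFFFFF) << 8)
    return hdr + options + inner


def geneve_decap(frame):
    """Parse the base header and return VNI, flags, options and inner packet."""
    first, flags, proto, vni_word = struct.unpack("!BBHI", frame[:8])
    if first >> 6 != 0:
        raise ValueError("unsupported GENEVE version %d" % (first >> 6))
    opt_len = (first & 0x3F) * 4
    return {
        "vni": vni_word >> 8,
        "proto": proto,
        "oam": bool(flags & 0x80),
        "critical": bool(flags & 0x40),
        "options": frame[8:8 + opt_len],
        "inner": frame[8 + opt_len:],
    }


def inner_five_tuple(pkt):
    """(src, dst, proto, sport, dport) read from the decapsulated IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return (str(ipaddress.IPv4Address(pkt[12:16])),
            str(ipaddress.IPv4Address(pkt[16:20])), pkt[9], sport, dport)


def demo():
    """Encapsulate a constructed flow, decapsulate it and check nothing changed."""
    inner = build_ipv4_tcp("10.10.1.5", "10.20.2.8", 51000, 443, b"GET / HTTP/1.1\r\n")
    opts = geneve_option(0x0102, 0x01, b"\xde\xad\xbe\xef")  # made-up vendor option
    parsed = geneve_decap(geneve_encap(inner, vni=4242, options=opts))
    return {
        "vni": parsed["vni"],
        "options": parsed["options"],
        "inner_intact": parsed["inner"] == inner,
        "checksum_ok": ipv4_checksum(parsed["inner"][:20]) == 0,
        "five_tuple": inner_five_tuple(parsed["inner"]),
    }


if __name__ == "__main__":
    print(demo())
```

The decapsulated five-tuple is exactly what went in, which is what lets the gateway enforce and log policy on the workload's real addresses. The parser also surfaces the C (critical options) bit: a receiver that does not understand a critical option must drop the packet, so a decap path on a firewall needs to check it rather than skip over options blindly.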
Universal Traffic Coverage
The solution enforces security policies across all traffic
directions—whether it’s inbound or outbound internet traffic, inter-VPC
communication, or east-west traffic within the same VPC.
Selective Inspection via Five-Tuple Matching
Traffic steering is driven by five-tuple parameters (source IP,
destination IP, source port, destination port, protocol), so only the flows a
steering rule selects are diverted to the gateway. Flows that match no rule
stay on the normal forwarding path and are never seen by the firewall. This
keeps processing and operational cost down, but it also means the rules must
cover both directions of a connection; otherwise the gateway sees only half
of each session and cannot track it statefully.
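The following is an added example (not Check Point or Google Cloud code) of a first-match five-tuple steering evaluator run over constructed flows. It shows which flows are handed to the firewall and which bypass it, and it flags flows whose reply direction would be steered differently from the request direction. The rule set, flows and address ranges are invented for the demo; 35.191.0.0/16 stands in for a health-check probe range, and "intercept" and "allow" are the example's own action names.

```python
"""Five-tuple traffic steering evaluated over constructed flows.
Added example, not Check Point or Google Cloud code: 'intercept' means the
flow is handed to the firewall, 'allow' means it stays on the fast path
uninspected. It also checks that every flow is steered the same way in
both directions. Rules, flows and address ranges are constructed for the
demo; 35.191.0.0/16 is used as a stand-in for a health-check source range."""
import ipaddress
from dataclasses import dataclass

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"
    sport: int
    dport: int

    def reverse(self):
        """Five-tuple of the reply packets for this flow."""
        return Flow(self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass(frozen=True)
class Rule:
    priority: int       # lower number is evaluated first
    src: str            # CIDR; 0.0.0.0/0 matches any address
    dst: str
    protos: frozenset
    sports: tuple       # inclusive (low, high) range
    dports: tuple
    action: str         # "intercept" or "allow"


def matches(rule, f):
    return (ipaddress.ip_address(f.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(f.dst) in ipaddress.ip_network(rule.dst)
            and f.proto in rule.protos
            and rule.sports[0] <= f.sport <= rule.sports[1]
            and rule.dports[0] <= f.dport <= rule.dports[1])


def steer(rules, f):
    """First matching rule by priority wins; unmatched flows are not inspected."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, f):
            return rule.action
    return "allow"


def asymmetric_flows(rules, flows):
    """Flows whose forward and reply directions get different decisions.
    A stateful gateway that sees only one direction cannot track the session."""
    return [f for f in flows if steer(rules, f) != steer(rules, f.reverse())]


def summarize(rules, flows):
    counts = {"intercept": 0, "allow": 0}
    for f in flows:
        counts[steer(rules, f)] += 1
    return counts


TCP, UDP = frozenset({"tcp"}), frozenset({"udp"})
TCP_UDP, ANYPROTO = frozenset({"tcp", "udp"}), frozenset({"tcp", "udp", "icmp"})

# Constructed policy: inspect internet ingress to the web subnet, inter-VPC
# traffic from 10.20.0.0/16 and all egress; bypass health checks and internal DNS.
RULES = [
    Rule(100, "35.191.0.0/16", "10.10.0.0/16", TCP, ANY_PORT, (8080, 8080), "allow"),
    Rule(200, "0.0.0.0/0", "10.10.1.0/24", TCP, ANY_PORT, (443, 443), "intercept"),
    Rule(300, "10.20.0.0/16", "10.10.0.0/16", ANYPROTO, ANY_PORT, ANY_PORT, "intercept"),
    Rule(350, "10.10.0.0/16", "10.10.0.0/16", UDP, ANY_PORT, (53, 53), "allow"),
    Rule(400, "10.10.0.0/16", "0.0.0.0/0", TCP_UDP, ANY_PORT, ANY_PORT, "intercept"),
]

# The bypasses above are written for the request direction only, and nothing
# steers replies coming back from the internet. These mirror rules close that gap.
SYMMETRIC_RULES = RULES + [
    Rule(101, "10.10.0.0/16", "35.191.0.0/16", TCP, (8080, 8080), ANY_PORT, "allow"),
    Rule(351, "10.10.0.0/16", "10.10.0.0/16", UDP, (53, 53), ANY_PORT, "allow"),
    Rule(450, "0.0.0.0/0", "10.10.0.0/16", TCP_UDP, ANY_PORT, ANY_PORT, "intercept"),
]

FLOWS = [
    Flow("203.0.113.7", "10.10.1.5", "tcp", 40000, 443),    # internet -> web tier
    Flow("35.191.4.9", "10.10.1.5", "tcp", 33000, 8080),    # health-check probe
    Flow("10.20.2.8", "10.10.1.5", "tcp", 51000, 5432),     # inter-VPC to database
    Flow("10.10.1.5", "10.10.0.2", "udp", 48000, 53),       # east-west DNS
    Flow("10.10.1.5", "198.51.100.20", "tcp", 52000, 443),  # egress to internet
]


if __name__ == "__main__":
    for f in FLOWS:
        print(f, "->", steer(RULES, f))
    print("asymmetric with RULES:", asymmetric_flows(RULES, FLOWS))
    print("asymmetric with SYMMETRIC_RULES:", asymmetric_flows(SYMMETRIC_RULES, FLOWS))
```

With the naive rule set, three of the five flows are steered differently on the way back: the health-check and DNS bypasses only cover the request, and the egress rule has no matching ingress rule, so replies from the internet would never reach the gateway. The mirrored rule set gives the same forward decisions with zero asymmetric flows, which is the property to check before trusting a steering policy that relies on the firewall's stateful inspection.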
Operational and Strategic Advantages
Centralized Visibility and Control
All security policies, threat events, and logs are managed
through the Check Point Management Console, giving security teams unified
visibility across on-prem, hybrid, and multi-cloud environments.
Automation-Ready by Design
The integration supports Infrastructure as Code (IaC)
workflows, enabling automated deployments and updates using tools such as
Terraform and Ansible—well aligned with DevOps and CI/CD pipelines.
Cloud-Aware Security Policies
CloudGuard dynamically integrates with Google Cloud constructs
like labels, tags, and native objects. As workloads scale or shift, policies
adapt automatically, removing the need for constant manual reconfiguration.
Optimized for Performance and Uptime
By avoiding traffic hair-pinning and network
re-architecture, the NSI-based approach delivers strong security enforcement
without the latency or downtime typically associated with legacy firewall
deployments.
Licensing, Deployment, and Requirements
Available via Google Cloud Marketplace
CloudGuard Network Security can be deployed directly from
the marketplace, with flexible licensing options including Pay-As-You-Go (PAYG)
pricing based on vCPU consumption.
Management Prerequisites
Organizations must run a Check Point Security Management
Server version R81.20 or later to manage NSI-enabled CloudGuard deployments.
By Aaradhay Sharma
