Solved: Change default learning period for all pods

Eve_Z · ‎2025-04-29

Hello everyone,

According to CloudGuard documentation: https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/CloudGuard-PM-Admin-Guide/Doc...

CloudGuard CNAPP has an option to change the default profile learning period for Runtime Protection, but this option is available by pod.

If they are many pods, is there a way to change the default learning period for all pods at once?

Regards.

Eve_Z · ‎2025-05-13

Hello @the_rock,

Thanks for your reply. I tried some of the options but no success.

TAC confirmed that this option is currently available only for every individual pod, not in bulk.

View solution in original post

the_rock · ‎2025-05-01

Maybe confirm with TAC, but I ran it through AI and it gave 2 responses, so not sure if they really make a whole lot of sense, but here they are.

Andy

response 1:

Response 1

Yes, in CloudGuard (formerly Dome9) by Check Point, if you have many Kubernetes pods being monitored (likely via CloudGuard's CNAPP or Kubernetes posture management), and you're referring to changing the default learning period for runtime protection (behavioral learning) or CloudGuard AppSec, then:

✅ Short Answer:

You cannot globally set the default learning period for all pods at once directly via the GUI, but you can manage and automate this process via:

🛠️ Options to Apply Learning Period Changes at Scale

Using the CloudGuard API: CloudGuard exposes APIs that let you programmatically manage runtime security settings. You can write a script to:
- Iterate through all protected pods/namespaces
- Update their learning period (usually in days)
- Apply it consistently
Policy as Code (IaC integration): If you're deploying security posture policies using Terraform, Helm, or K8s manifests, you can manage learning profiles via configuration and redeploy consistently across clusters.
Global Runtime Profile Templates (if available in your version): Some Check Point CloudGuard configurations support profile templates, where you define default settings (e.g., learning period = 7 days), and assign them to multiple clusters/namespaces/pods.
Support-assisted bulk changes: If no option is exposed in your current CloudGuard tenant version, Check Point support may assist in backend-level changes for bulk runtime profile adjustments.

response 2:

Yes, in CloudGuard AppSec (previously known as CloudGuard WAAP) by Check Point, if you have many Kubernetes pods running the CloudGuard agent and you want to change the default learning period for all of them at once, the best way is to do it via a global configuration, not per-pod.

Here's how to change the default learning period for all pods at once:

Option 1: Use a ConfigMap (if deployed via Helm or manifests)

If you're deploying CloudGuard via Helm or Kubernetes manifests, the default learning period is usually configured through a ConfigMap or environment variable.

Look for a value like:

You can change this value globally and apply it across all pods by:

Updating the ConfigMap or Helm values file.
Re-deploying or rolling restart of the affected pods.

Option 2: Use Check Point CloudGuard Central Management (if applicable)

If you're managing your CloudGuard agents centrally (e.g., via Check Point Infinity Portal), you can:

Navigate to AppSec policies.
Locate the default learning period setting under the relevant policy or profile.
Change the learning period globally there.
This will automatically propagate to all agents/pods using that profile.

Option 3: Using Annotations or Labels (not typical for learning period)

In some advanced setups, annotations or labels might be used to override default behavior, but this is not standard for learning period configuration and is more suitable for exceptions or pod-level overrides.

Eve_Z · ‎2025-05-13