Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
WiliRGasparetto
MVP Diamond
MVP Diamond

Part 1 How CloudGuard Controller R82.10 Builds Dynamic Security Context

Part 1: How CloudGuard Controller R82.10 Builds Dynamic Security Context

 

Executive Summary

 

Cloud environments do not become insecure only because a firewall fails to inspect traffic. They also become insecure when the context used by the firewall no longer represents the infrastructure it is protecting.

In AWS, Azure, GCP, Kubernetes, and private cloud environments, IP addresses, virtual machines, load balancers, tags, subnets, and security groups can change faster than a traditional change-management process can update firewall objects.

The CloudGuard Controller addresses this problem by running as a component of the Check Point Security Management Server, polling supported data-center APIs, evaluating imported objects and Data Center Query Objects, and sending updated object membership to Security Gateways.

This does not mean that the Controller automatically writes the security policy. The rulebase remains under administrative control. What changes dynamically is the set of IP addresses and attributes represented by the objects already used in that rulebase.

This distinction is fundamental:

> CloudGuard Controller does not automate security intent. It automates the translation of dynamic infrastructure context into enforceable gateway object membership.

This first part focuses on the Controller architecture, polling behavior, dynamic objects, query logic, and tag governance.

The technical baseline used for this article is the R82.10 CloudGuard Controller Administration Guide, published on June 23, 2026.

 

The Real Cloud Security Problem: Context Becomes Stale

 

A static firewall object works well when an application server has a long-lived IP address.

Cloud infrastructure rarely operates that way.

A production application can be affected by:

* Virtual-machine replacement
* Autoscaling events
* Load-balancer backend changes
* Kubernetes pod and service changes
* Subnet redesign
* Migration between accounts or subscriptions
* Changes to cloud tags
* Instance creation through Terraform or another CI/CD pipeline
* Disaster-recovery activation in another region

A rule based only on manually maintained IP addresses can become inaccurate immediately after one of these events.

Consider a traditional policy:


Source: 10.10.20.15
Destination: Shared-Database
Service: TCP/5432
Action: Accept

When the workload is replaced and receives `10.10.20.84`, the firewall does not inherently know that the new IP belongs to the same application role.

A cloud-aware policy can instead reference infrastructure context:


environment = production
application = payments
role = backend

The security intent remains stable while the infrastructure membership changes.

That is the operational problem the CloudGuard Controller is designed to solve.

 

First, Separate the Components

 

One reason CloudGuard architecture is frequently misunderstood is that several Check Point cloud-security components are discussed under the same portfolio name.

They have different responsibilities.

 

 
 

Captura de tela 2026-07-16 105934.png

 

The current CME documentation describes CME as a service that runs on a Security Management Server or Multi-Domain Security Management Server and continuously monitors supported Cloud Firewall deployments.

Its role includes cloud-native integration and automatic provisioning of autoscaling gateway solutions.

CloudGuard CNAPP, by contrast, is documented as a SaaS platform for unified cloud-native security across applications, workloads, networks, posture, and compliance.

It is managed through the Check Point cloud service rather than through the CloudGuard Controller process on the Security Management Server.

This article is about the CloudGuard Controller, not the entire CloudGuard portfolio.

 

What the CloudGuard Controller Actually Is

 

The CloudGuard Controller is a component of the Check Point Security Management Server.

It establishes a trusted relationship with a supported data center, uses the vendor API to poll the environment, learns changes to relevant objects and attributes, and sends applicable updates to Security Gateways.

According to the R82.10 documentation, the Controller can learn changes involving resources such as:

* Subnets
* Security groups
* Virtual machines
* IP addresses
* Tags
* Provider-specific cloud objects

The exact objects and properties available depend on the data-center connector.

AWS, Azure, GCP, Kubernetes, OCI, VMware, Nutanix, Proxmox, and other integrations do not expose identical object models.

Logical Architecture

imagem2.png

The Controller is therefore part of the  management and context-distribution plane.

It is not deployed inline in the traffic path.

 

Near Real Time Does Not Mean Instantaneous

 

The CloudGuard Controller documentation states that the Controller regularly polls connected environments.

This is a polling-based synchronization model, not a guarantee that every cloud event will be reflected on the gateway at the exact instant it occurs.

The default R82.10 configuration includes:

global.scannerInterval=30
autoUpdateIntervalInSeconds=30
enforcementUpdateIntervalTime=10

These values represent different stages of Controller processing:

 

* `global.scannerInterval` controls the default delay between successful data-center scans when a connector-specific value does not override it.
* `autoUpdateIntervalInSeconds` controls how frequently Management pulls imported object-property changes from the Controller.
* `enforcementUpdateIntervalTime` controls the delay between gateway update cycles.

 

These defaults must not be added together and interpreted as a deterministic enforcement SLA.

Actual propagation time also depends on:

* Cloud-provider API response time
* Number of connected data centers
* Number of discovered assets
* Number of affected gateways
* Controller and Management Server load
* Retry behavior
* Connectivity between Management and gateways
* Connector-specific settings

The correct architectural description is therefore:

> CloudGuard Controller provides periodic, near-real-time synchronization of cloud context—not instantaneous event-driven enforcement.

 

The Rulebase Is Controlled; Object Membership Is Dynamic

 

A frequent misunderstanding is that CloudGuard Controller automatically rewrites the security policy.

That is not the normal operating model.

The administrator must still:

1. Configure the Data Center Server.
2. Create or import the applicable Data Center Object, or create a Data Center Query Object.
3. Place the object in the applicable rule.
4. Publish the management session.
5. Install the policy on the Security Gateway.

After this initial policy installation, changes in the IP membership represented by the object can be updated dynamically.


Security intent: Administratively controlled
Rulebase structure: Administratively controlled
Services and actions: Administratively controlled
Object membership: Dynamically updated
Cloud asset lifecycle: Controlled by the cloud platform

For example, the following rule does not need to be rewritten every time a matching virtual machine is replaced:


Source:
DCQ-PRD-PAYMENTS-BACKEND

Destination:
DCQ-PRD-SHARED-DATABASES

Service:
PostgreSQL

Action:
Accept

Track:
Log

The rule remains fixed.

The Controller updates which IP addresses currently belong to the source and destination query objects.

However, a change to the rule itself still requires normal publishing and policy installation.

There is also an important exception: when a Data Center Query uses All Data Centers  and a new Data Center Server is later added, the documentation requires policy installation on gateways whose policy contains that query.

 

 Imported Data Center Objects Versus Data Center Query Objects

 

Both object types can represent dynamic infrastructure, but they solve different policy-design problems.

imagem 3.png

 

Data Center Query Objects are supported on Security Gateway versions R81 and higher.

They can be created before or after the associated Data Center Servers and can operate across multiple data centers.

The R82.10 guide also explicitly states that Data Center Objects and Data Center Query Objects can be used in:

* Access Control rules
* Threat Prevention rules
* HTTPS Inspection rules

Only regular Data Center Objects—not Data Center Queries—can be used in the Original Source and Original Destination columns of NAT rules.

 

How Data Center Query Logic Works

 

A Data Center Query can evaluate attributes such as:

* Type in Data Center
* Name in Data Center
* IP address
* Customer Tag

The logic model is:


Values inside one query rule = OR

Separate query rules = AND

The documentation uses a semicolon to separate OR values inside a query rule.

Conceptually:


Query Rule 1:
Type = Instance ; Load Balancer

AND

Query Rule 2:
Customer Tag = server_type=prod_app ; server_type=prod_db

This query represents:


(Type = Instance OR Type = Load Balancer)
AND
(Tag = server_type=prod_app OR Tag = server_type=prod_db)

All matching object IP addresses are then updated on the applicable Security Gateway.

Practical Multi-Cloud Example

 

Assume an organization uses AWS and Azure for the same payment platform.

The cloud team applies this taxonomy:

 

environment = production
application = payments
role = backend
owner = digital-banking

 

A possible Data Center Query design is:


Object name:
DCQ-PRD-PAYMENTS-BACKEND

Data Centers:
AWS-PRODUCTION
AZURE-PRODUCTION

Query Rule 1:
Type in Data Center = Instance ; Virtual Machine

Query Rule 2:
Customer Tag = environment=production

Query Rule 3:
Customer Tag = application=payments

Query Rule 4:
Customer Tag = role=backend

The exact Type values must be selected from the values exposed by each configured connector.

Object types are provider-specific, so an administrator should not assume that AWS, Azure, GCP, and Kubernetes use identical names.

Before using the query in production:

1. Publish the query.
2. Reopen the Query Rules section.
3. Use the preview function.
4. Verify every returned asset.
5. Add the query to the rulebase.
6. Install policy.
7. Test creation, replacement, removal, and retagging of a controlled workload.

A query that technically works but returns unintended assets is still a security-policy failure.

 

Tags Become Part of the Security Boundary

 

Once tags influence firewall membership, tags are no longer merely inventory metadata.

They become an authorization input.

For example, consider this rule:


Source:
application=payments
environment=production

Destination:
database-tier

Service:
PostgreSQL

Action:
Accept

A cloud administrator who can change an arbitrary workload to:



application=payments
environment=production

may indirectly cause that workload to match the firewall rule.

The Azure integration documentation explicitly warns that users who can change Azure resource tags can change their access permissions when those tags are used by security policy.

 

Required Governance Controls

Organizations using tag-based enforcement should implement:

* Cloud IAM restrictions on who can create and modify security-relevant tags
* Separate administrative permissions for descriptive and security-sensitive tags
* Mandatory tag schemas
* Controlled values instead of free-form values
* Infrastructure as Code for production tagging
* Pull-request or pipeline approval for security-relevant changes
* Cloud audit logging for tag modifications
* Alerts for unauthorized or unexpected tag changes
* Periodic reconciliation between CMDB, cloud inventory, and firewall query membership

A useful classification is:


Descriptive tags:
cost-center
business-owner
project-name

Operational tags:
backup-policy
patch-group
monitoring-profile

Security-sensitive tags:
environment
application
security-zone
data-classification
exposure
access-role

Security-sensitive tags should be protected with the same seriousness as firewall-object changes.

Check Point also recommends avoiding sensitive information such as employee names or email addresses in cloud tags, virtual-machine names, and related objects.

 

Important Tag-Matching Nuance in the R82.10 Documentation

 

The R82.10 Data Center Query section states that tag evaluation is case-insensitive and gives `KEY=VALUE` and `key=value` as matching examples.

However, the limitations section separately states that, for Azure, the CloudGuard Controller can treat tag keys and values with different case as separate entries in SmartConsole.

Because these two statements create an implementation ambiguity, the secure operational approach is:

1. Enforce a single tag-casing standard.
2. Avoid relying on case normalization.
3. Validate query results with the preview function.
4. Test the behavior against the installed R82.10 CloudGuard Controller self-updatable package.
5. Consult Check Point Support before designing policies that depend on case equivalence.

For example, do not allow all of the following in the same organization:


environment=production
Environment=Production
ENVIRONMENT=PRODUCTION
environment=Production

Select one canonical format:


environment=production

Conclusion

 

CloudGuard Controller enables security policies to reference dynamic cloud context instead of relying exclusively on static IP addresses.

However, the architecture only works safely when several principles are respected:

* The Controller, CME, CNAPP, and Cloud Firewall gateways must be treated as separate components.
* Synchronization must be described as polling-based and near real time.
* The rulebase remains administratively controlled.
* Imported objects and Query Objects have different capabilities and limitations.
* Query logic must be tested before production use.
* Tags that influence policy must be governed as security-sensitive authorization inputs.

In Part 2, we will examine how this context reaches Security Gateways, including Identity Awareness, Identity Web API, PDP/PEP Identity Sharing, TTL expiration, monitoring, troubleshooting, known limitations, implementation phases, and operational metrics.

 

Discussion

How is your organization using Data Center Objects or Data Center Query Objects today?

* Are your policies still tied mainly to static IP addresses?
* Are security-sensitive tags protected through cloud IAM?
* Do you validate query membership before policy installation?
* Have you standardized tag casing across AWS, Azure, and other cloud platforms?

(1)
0 Replies

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events