The CloudGuard Controller dynamically learns about objects and attributes in data centers, such as changes in subnets, security groups, virtual machines, IP addresses, and tags. After using the vendor’s API to establish a trust relationship with a datacenter, CloudGuard Controller regularly polls the connected environments for changes in objects and object attributes used in the Security Policy. Changes are automatically pushed to the security gateway.

There are two Authentication options avilable on the CloudGuard Controller for GCP

1. Service Account Key Authentication
   1. Create a key for the service account 

      https://cloud.google.com/iam/docs/creating-managing-service-accounts

   2. Export KEY  as JSON
   3. Assign IAM permissions

      The service account must have read permissions for all the relevant resources (example: viewer role).

      • Networks
      • Instances
      • Subnetworks
   4. Import the Service Account JSON file to Check Point CloudGuard Controller Object.

    2. Service Account VM Instance Authentication

1. Create a new service account or use the default “Compute Engine default service account"  https://cloud.google.com/iam/docs/creating-managing-service-accounts
2. Assign IAM permissions to the service account 

   The service account must have read permissions for all the relevant resources (example: viewer role).

   • Networks
   • Instances
   • Subnetworks
3. stop the VM
4. edit VM settings
5. select the service account :
6. 

For both options you will need to Activate 3 APIs.

You will find the APIs on the 

APIs & Services on the GCP console

Enable the ones who are marked in Red