Subscribe to events from Check Point CloudGuard

Check Point CloudGuard supports sending events to Eventarc for delivery to interested subscribers.

The Check Point CloudGuard platform provides you cloud-born security, with advanced threat prevention for all your assets and workloads – in your public, private, hybrid or multicloud environment – providing you unified security to automate security everywhere. Learn more about using Check Point CloudGuard.

To subscribe to events from Check Point CloudGuard, complete the following steps:

Before you begin

  1. Ensure that you have enabled the Eventarc and Eventarc Publishing APIs:

    Console

    Enable the APIs

    gcloud

    gcloud services enable \
      eventarc.googleapis.com \
      eventarcpublishing.googleapis.com

  2. If you are enabling a customer-managed encryption key (CMEK) for a channel, enable the Cloud Key Management Service API.

    Console

    Enable the API

    gcloud

    gcloud services enable cloudkms.googleapis.com


Retrieve the provider name used by Check Point CloudGuard

The provider name is required when creating and using a channel. You can list all Eventarc providers and retrieve their details, including supported event types, by running gcloud commands.

For example, you can list all third-party providers in any location:

gcloud eventarc providers list --filter='eventTypes.type!~^google*' --location=-

The output includes something similar to the following:

NAME: cloudguard
LOCATION: us-central1

For details, see List event providers.

Retrieve the events supported by Check Point CloudGuard

An event type is needed when creating an Eventarc trigger. You can list Check Point CloudGuard's supported event types by running a gcloud command:

gcloud eventarc providers describe cloudguard \
  --location=LOCATION

Replace LOCATION with a supported Eventarc region.

For example:

gcloud eventarc providers describe cloudguard --location=us-central1

The output is similar to the following:

displayName: Check Point CloudGuard
eventTypes:
- type: cloudguard.v1.event
name: projects/project-id/locations/us-central1/providers/cloudguard
[...]

Make note of the event type to use when creating an Eventarc trigger.

Create a channel for Check Point CloudGuard events

To subscribe to events from Check Point CloudGuard, you must create a channel:

Console

  1. In the Google Cloud console, go to the Eventarc > Channels page.

    Go to Channels

  2. Click Create channel.

  3. Select a Channel type and Provider.

    For example, select Third-party > Check Point CloudGuard.

  4. In the Channel name field, enter a name for the channel.

  5. In the Region list, select a supported Eventarc region.

  6. Optionally, select the Use a customer-managed encryption key (CMEK) checkbox and, in the CMEK encryption key list, select a key ring that you have created for the region.

    For more information, see Use customer-managed encryption keys.

  7. Click Create.

gcloud

gcloud eventarc channels create CHANNEL_NAME \
  --provider cloudguard \
  --project PROJECT_ID \
  --location LOCATION

Replace the following:

  • CHANNEL_NAME: a name for the channel
  • PROJECT_ID: your Google Cloud project ID

    You can find your project ID on the Welcome page of the Google Cloud console.

  • LOCATION: a supported Eventarc region

You can optionally use a --crypto-key flag to specify a fully qualified Cloud KMS key name in the format projects/PROJECT_NAME/locations/LOCATION/keyRings/RING_NAME/cryptoKeys/KEY_NAME.

For more information, see Use customer-managed encryption keys.

For details, see Create a channel.

Retrieve specific details to convey to Check Point CloudGuard

After creating a channel, you can retrieve specific details to convey to Check Point CloudGuard:

Console

  1. In the Google Cloud console, go to the Eventarc > Channels page.

    Go to Channels

  2. From the list of channels, click a channel to view its details.

    The channel status should be Pending.

  3. Copy the Channel full name and Activation token values. Both will be needed later to convey to Check Point CloudGuard and activate the channel.

gcloud

gcloud eventarc channels describe CHANNEL_NAME \
  --project PROJECT_ID \
  --location LOCATION

The output is similar to the following:

activationToken: aS7dXs1b79AcXsf
createTime: '2021-11-15T15:20:31.582356065Z'
name: projects/project-id/locations/us-central1/channels/cloudguard-channel
provider: projects/project-id/locations/us-central1/providers/cloudguard
pubsubTopic: projects/project-id/topics/eventarc-channel-us-central1-cloudguard-channel-077
state: PENDING
uid: c6703a91-ccd3-4c32-a729-967393f23a29
updateTime: '2021-11-15T15:21:03.689597653Z'

Note that the channel is in a PENDING state. To activate the channel, you must provide the activationToken value and the channel name to Check Point CloudGuard.

Learn more about the channel state.
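Copying the channel name and activation token out of the describe output by hand is error-prone, and a token pasted into a shell history or a chat window is a secret leaked. The following shell helpers are an added example, not code from the Google Cloud page or from Check Point: the function names are mine, the sample describe output is constructed from the values shown above, and the helpers assume the flat key: value layout that gcloud prints for a channel.

```shell
#!/bin/sh
# Added example (not Google's or Check Point's code): read the fields of
# `gcloud eventarc channels describe` output that CloudGuard needs, check the
# channel is still activatable, and build the activation payload from them.

# Constructed sample, mirroring the page's describe output for a PENDING channel.
SAMPLE_DESCRIBE=$(cat <<'EOF'
activationToken: aS7dXs1b79AcXsf
createTime: '2021-11-15T15:20:31.582356065Z'
name: projects/project-id/locations/us-central1/channels/cloudguard-channel
provider: projects/project-id/locations/us-central1/providers/cloudguard
pubsubTopic: projects/project-id/topics/eventarc-channel-us-central1-cloudguard-channel-077
state: PENDING
uid: c6703a91-ccd3-4c32-a729-967393f23a29
updateTime: '2021-11-15T15:21:03.689597653Z'
EOF
)

# channel_field TEXT KEY: print the value of the top-level `KEY: value` line,
# with the single quotes gcloud puts around timestamps stripped.
channel_field() {
  printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { print $2; exit }' | tr -d "'"
}

# channel_ready_for_activation TEXT: succeed only while the channel is PENDING
# and carries a token. The token is valid for 24 hours after channel creation;
# once the channel reports INACTIVE, this token can no longer activate it.
channel_ready_for_activation() {
  state=$(channel_field "$1" state)
  token=$(channel_field "$1" activationToken)
  [ "$state" = "PENDING" ] && [ -n "$token" ]
}

# channel_activation_payload TEXT: the JSON body that CloudGuard's
# eventarcChannelConnection endpoint expects, taken straight from the output
# so the token is never retyped.
channel_activation_payload() {
  printf '{"activationToken": "%s", "channelFullName": "%s"}\n' \
    "$(channel_field "$1" activationToken)" "$(channel_field "$1" name)"
}

# Live use (not run here): write the payload to a file only you can read, so
# the token never sits on a command line or in shell history.
#   umask 077
#   gcloud eventarc channels describe CHANNEL_NAME --project PROJECT_ID \
#     --location LOCATION > channel.yaml
#   channel_ready_for_activation "$(cat channel.yaml)" || echo "channel not PENDING"
#   channel_activation_payload "$(cat channel.yaml)" > activate.json
```

The activation payload file produced this way is what the later curl call in "Configure the integration to support event routing" posts with --data; treat both the file and the token inside it as a secret until the channel reports ACTIVE.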

Create an API key in Check Point CloudGuard

Before activating the channel, you must create an API key in Check Point CloudGuard.

  1. Log into the Check Point CloudGuard console.

  2. Select Settings > Credentials.

  3. Click Create API Key.

    The New API key created dialog opens.

  4. Before closing the dialog, save the ID and Secret data. Once the dialog is closed, the data is not accessible.

    USERNAME=API_KEY_ID
    PASSWORD=API_KEY_SECRET

    Replace the following:

    • API_KEY_ID: the ID of the API key.
    • API_KEY_SECRET: the secret of the API key.

    For more information, see Credentials.

  5. Click OK.

Deploy an event receiver

To test the configuration, deploy an event receiver—in this case, a Workflows workflow that logs received events—and create an Eventarc trigger that routes events from Check Point CloudGuard to the event receiver. You must use a service account that has been granted the appropriate roles to access your Google Cloud project resources.

  1. Enable the Workflows and Workflow Executions APIs:

    Console

    Enable the APIs

    gcloud

    gcloud services enable \
      workflows.googleapis.com \
      workflowexecutions.googleapis.com

  2. Create a service account and grant it the roles/logging.logWriter and roles/workflows.invoker roles:

    Console

    1. In the Google Cloud console, go to the Service Accounts page.

      Go to Service Accounts

    2. Select your project.

    3. In the Service account name field, enter a name. The Google Cloud console fills in the Service account ID field based on this name. Optionally, add a description.

    4. Click Create and continue.

    5. In the Select a role list, select Logging > Logs Writer.

    6. Click Add another role and select Workflows > Workflows Invoker.

    7. Click Continue.

    8. To finish creating the service account, click Done.

    gcloud

    gcloud iam service-accounts create MY_SERVICE_ACCOUNT
    gcloud projects add-iam-policy-binding PROJECT_ID \
      --role="roles/workflows.invoker" \
      --member="serviceAccount:MY_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com"
    gcloud projects add-iam-policy-binding PROJECT_ID \
      --role="roles/logging.logWriter" \
      --member="serviceAccount:MY_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com"

    Replace MY_SERVICE_ACCOUNT with a name for your service account.

    For more information about how to control access to Workflows resources, see Use IAM to control access.

  3. Create and deploy a workflow that logs a received event:

    Console

    1. In the Google Cloud console, go to the Workflows page.

      Go to Workflows

    2. Click Create.

    3. Name your workflow logEventsWorkflow.

    4. Choose a supported Workflows region; for example, us-central1.

    5. Select the Service account you previously created.

    6. Click Next.

    7. In the workflow editor, enter the following definition for your workflow:

        main:
          params: [event]
          steps:
          - logStep:
              call: sys.log
              args:
                data: ${event}

    8. Click Deploy.

    gcloud

    1. Open a terminal or Cloud Shell .
    2. In your home directory, create a new file called logEventsWorkflow.yaml.
    3. Copy and paste the following into the new file and save it:

        main:
          params: [event]
          steps:
          - logStep:
              call: sys.log
              args:
                data: ${event}

    4. Deploy the workflow:

      gcloud workflows deploy logEventsWorkflow \
        --source=logEventsWorkflow.yaml \
        --location LOCATION

      Replace LOCATION with a supported Workflows region; for example, us-central1.

  4. Create an Eventarc trigger to route events from Check Point CloudGuard to the target workflow:

    Console

    1. In the Google Cloud console, go to the Eventarc > Triggers page.

      Go to Triggers

    2. Click Create trigger.

    3. Type a Trigger name.

      This is the ID of the trigger and it must start with a letter. For example, my-event-channel-trigger.

    4. Select a Trigger type and Event provider.

      This is the partner service that is the source of events. For example, select Third-party > Check Point CloudGuard.

    5. Select the appropriate Channel.

    6. Select an Event.

      For example: cloudguard.v1.event

    7. Optionally, in the Filters section, specify an appropriate attribute and value.

    8. Select the Service account you previously created to invoke your workflow.

    9. For the Event destination, select Workflows, and then select the workflow you previously created.

    10. Click Create.

    gcloud

    gcloud eventarc triggers create TRIGGER \
      --location=LOCATION \
      --destination-workflow=logEventsWorkflow \
      --event-filters=type=cloudguard.v1.event \
      --channel=CHANNEL_NAME \
      --project=PROJECT_ID \
      --service-account="MY_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com"

    Replace TRIGGER with the ID of the trigger or a fully qualified identifier. For example, my-event-channel-trigger.

    For more information, see Create a trigger for a third-party provider.

Configure the integration to support event routing

Configure the integration to support the routing of events from Check Point CloudGuard. You can do this through Check Point CloudGuard's API using an API request tool or by making curl calls.

  1. Convey the Eventarc channel full name and activation token to Check Point CloudGuard. For example:

    CHANNEL_NAME=CHANNEL_FULL_NAME
    TOKEN=ACTIVATION_TOKEN
    curl -v --request POST \
      --url https://api.dome9.com/v2/Compliance/ContinuousComplianceNotification/eventarcChannelConnection \
      -u "$USERNAME:$PASSWORD" \
      --header 'accept: application/json' \
      --header 'content-type: application/json' \
      --data @- << EOF
    {
      "activationToken": "$TOKEN",
      "channelFullName": "$CHANNEL_NAME"
    }
    EOF


    Replace the following:

    • CHANNEL_FULL_NAME: the channel name, including the Google Cloud project ID and location of the resource. For example:

      projects/PROJECT_ID/locations/LOCATION/channels/CHANNEL_NAME

    • ACTIVATION_TOKEN: the token is valid for 24 hours after the channel's creation. After 24 hours, the channel becomes INACTIVE.

    If the curl command is successful, the output is similar to the following, and a channel connection ID is returned:

    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8
    Content-Length: 38
    ...
    Connection #0 to host api.dome9.com left intact
    "af094362-37da-4a42-ac73-882738406a45"
  2. Save the channel connection ID (for example, af094362-37da-4a42-ac73-882738406a45) to use when setting up a notification handler:

    CHANNEL_CONNECTION_ID=CHANNEL_CONNECTION_ID

  3. If you run the gcloud eventarc channels describe CHANNEL_NAME command again, the channel state should now be ACTIVE. For example:

    createTime: '2022-07-13T11:05:09.714896959Z'
    name: projects/eventarc-test-project/locations/us-central1/channels/test-cloudguard
    provider: projects/eventarc-test-project/locations/us-central1/providers/cloudguard
    pubsubTopic: projects/eventarc-test-project/topics/eventarc-channel-us-central1-test-cloudguard-430
    state: ACTIVE
  4. Set up a notification handler to watch for specific access events in Check Point CloudGuard and forward notification of these events to Eventarc. For example:

    NOTIFICATION_NAME=NOTIFICATION_NAME
    curl -v --request POST \
      --url https://api.dome9.com/v2/Compliance/ContinuousComplianceNotification \
      --header 'accept: application/json' \
      --header 'content-type: application/json' \
      -u "$USERNAME:$PASSWORD" \
      --data @- << EOF
    {
      "changeDetection": {
        "eventarcData": {
          "channelConnectionId": "$CHANNEL_CONNECTION_ID"
        },
        "eventarcIntegrationState": "Enabled"
      },
      "name": "$NOTIFICATION_NAME"
    }
    EOF


    Replace NOTIFICATION_NAME with a unique name to identify the notification.

    The output from the curl command is similar to the following:

    HTTP/1.1 201 Created
    Date: Thu, 13 Jul 2022 11:48:36 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 887
  5. Log into the Check Point CloudGuard console.

  6. Select Posture management > Continuous posture.

  7. Select the checkbox for the GCP CloudGuard Best Practices ruleset and click Edit.

  8. Select the notification you previously configured and then click Save.
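The two curl calls above work, but as written they put the API key secret on the command line (where -u USER:SECRET is visible to every local process in the process list) and they trust whatever comes back as the connection ID. The helpers below are an added example, not code from the Google Cloud page or from Check Point; they use the endpoints and JSON shapes shown in the steps above, the function names are mine, and the sample response bodies are constructed. They move the credentials into a curl config file that only the caller can read, make HTTP errors fail loudly with --fail, and accept a connection ID only if it is actually a UUID.

```shell
#!/bin/sh
# Added example (not Google's or Check Point's code): hardened wrappers for the
# two CloudGuard API calls used to activate the channel and create the handler.

# Constructed response bodies: the bare JSON string the activation call returns
# on success, and an HTML error page that an unexpected failure might produce.
SAMPLE_OK_BODY='"af094362-37da-4a42-ac73-882738406a45"'
SAMPLE_BAD_BODY='<html><body>401 Unauthorized</body></html>'

# parse_connection_id BODY: strip the JSON quotes and any whitespace and accept
# the result only if it is a UUID, so an error page is never saved as an "ID"
# and fed into the notification handler request.
parse_connection_id() {
  id=$(printf '%s' "$1" | tr -d '"[:space:]')
  printf '%s\n' "$id" | grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$' || return 1
  printf '%s\n' "$id"
}

# notification_payload CONNECTION_ID NAME: body for the
# ContinuousComplianceNotification call that enables Eventarc forwarding.
notification_payload() {
  printf '{"changeDetection": {"eventarcData": {"channelConnectionId": "%s"}, "eventarcIntegrationState": "Enabled"}, "name": "%s"}\n' "$1" "$2"
}

# write_curl_config FILE: store the API key ID and secret (the USERNAME and
# PASSWORD variables from the "Create an API key" step) in a mode-0600 file for
# curl --config, instead of passing them as a command-line argument.
write_curl_config() {
  ( umask 077
    printf 'user = "%s:%s"\nheader = "accept: application/json"\nheader = "content-type: application/json"\n' \
      "$USERNAME" "$PASSWORD" > "$1" )
}

# activate_channel CONFIG PAYLOAD_FILE: the page's first curl call, reading the
# activation JSON from PAYLOAD_FILE. --fail turns 4xx/5xx into a non-zero exit
# instead of an error body that would otherwise be mistaken for an ID.
activate_channel() {
  body=$(curl --silent --show-error --fail --config "$1" --request POST \
    --url https://api.dome9.com/v2/Compliance/ContinuousComplianceNotification/eventarcChannelConnection \
    --data @"$2") || return 1
  parse_connection_id "$body"
}

# create_notification CONFIG CONNECTION_ID NAME: the page's second curl call;
# prints only the HTTP status so the caller can check for 201 Created.
create_notification() {
  notification_payload "$2" "$3" | curl --silent --show-error --config "$1" \
    --request POST --url https://api.dome9.com/v2/Compliance/ContinuousComplianceNotification \
    --data @- --output /dev/null --write-out '%{http_code}\n'
}

# Live use (not run here), with activate.json holding the activation payload
# built from the channel describe output:
#   write_curl_config cloudguard.curlrc
#   CHANNEL_CONNECTION_ID=$(activate_channel cloudguard.curlrc activate.json) || exit 1
#   create_notification cloudguard.curlrc "$CHANNEL_CONNECTION_ID" NOTIFICATION_NAME
#   rm -f cloudguard.curlrc
```

Delete the config file once the notification handler exists; the API key still has to be rotated through Settings > Credentials if it is ever exposed, so keeping its lifetime on disk short is the cheap part of that hygiene.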

Test the routing of events

You can now test the entire configuration by accessing Check Point CloudGuard to trigger an event, and ensuring that the event from Check Point CloudGuard is routed to the workflow event receiver which logs the received event.

  1. Create a Google Cloud resource to simulate a violation of the Check Point CloudGuard ruleset; for example, create a public Cloud Storage bucket.

  2. Log into the Check Point CloudGuard console.

  3. Select Posture management > Continuous posture.

  4. Select the GCP CloudGuard Best Practices ruleset and click Run Assessment.

    The assessment detects that the Cloud Storage bucket is public and generates an event for Eventarc. Note that the event generation might take some time.

  5. To verify that a workflow execution was triggered by the received event, list the last five executions:

    gcloud workflows executions list ${MY_WORKFLOW} --limit=5

    Replace MY_WORKFLOW with the name of the workflow; in this example, logEventsWorkflow.

    The output is similar to the following, listing a NAME and a STATE equal to SUCCEEDED for each workflow execution.

    NAME: projects/1051295516635/locations/us-central1/workflows/logEventsWorkflow/executions/674b5783-deec-4d1b-be1d-b067f7b32971
    STATE: SUCCEEDED
    START_TIME: 2022-07-13T22:01:06.314980819Z
    END_TIME: 2022-07-13T22:01:06.637825944Z
    
  6. Every time a workflow executes a single run of the logic contained in its definition, it automatically writes at least two execution logs: one at the start of the execution and one at the end. To view the logs, do the following:

    1. In the Google Cloud console, go to the Workflows page:

      Go to Workflows

    2. To access a workflow's Details page, click the workflow's name.

    3. To view the execution details, in the Executions tab, click a specific Execution ID.
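Step 5 of the test checks the execution list by eye, which does not distinguish an execution triggered by your assessment from one that ran earlier. The following shell helpers are an added example, not code from the Google Cloud page: they filter the output of gcloud workflows executions list to executions started after a timestamp you record when you click Run Assessment, and succeed only if every one of those reached SUCCEEDED. The function names are mine; the first execution in the sample is the one shown above and the second (a FAILED one) is constructed. The helpers assume the NAME/STATE/START_TIME/END_TIME record layout shown above.

```shell
#!/bin/sh
# Added example (not Google's code): scripted verification of the event routing
# test over the output of `gcloud workflows executions list`.

# Constructed sample: the page's SUCCEEDED execution plus an older FAILED one.
SAMPLE_EXECUTIONS=$(cat <<'EOF'
NAME: projects/1051295516635/locations/us-central1/workflows/logEventsWorkflow/executions/674b5783-deec-4d1b-be1d-b067f7b32971
STATE: SUCCEEDED
START_TIME: 2022-07-13T22:01:06.314980819Z
END_TIME: 2022-07-13T22:01:06.637825944Z

NAME: projects/1051295516635/locations/us-central1/workflows/logEventsWorkflow/executions/0f3a0d62-1b1f-4d8e-9f3c-2a5d6e7f8a9b
STATE: FAILED
START_TIME: 2022-07-13T21:30:00.000000000Z
END_TIME: 2022-07-13T21:30:01.000000000Z
EOF
)

# executions_since TEXT SINCE: print "EXECUTION_ID STATE" for each execution
# whose START_TIME is at or after SINCE. The RFC 3339 UTC timestamps gcloud
# prints have a fixed, zero-padded layout, so plain string comparison orders
# them correctly and no date parsing is needed.
executions_since() {
  printf '%s\n' "$1" | awk -v since="$2" '
    $1 == "NAME:"       { n = split($2, parts, "/"); id = parts[n] }
    $1 == "STATE:"      { state = $2 }
    $1 == "START_TIME:" { if ($2 >= since) print id, state }'
}

# routing_verified TEXT SINCE: succeed only if at least one execution started
# after SINCE and none of those ended in a state other than SUCCEEDED.
routing_verified() {
  rows=$(executions_since "$1" "$2")
  [ -n "$rows" ] || return 1
  printf '%s\n' "$rows" | awk 'BEGIN { bad = 0 } $2 != "SUCCEEDED" { bad = 1 } END { exit bad }'
}

# Live use (not run here): record the time before running the assessment, then
# poll, since the page notes that event generation can take a while.
#   SINCE=$(date -u +%Y-%m-%dT%H:%M:%SZ)      # then click Run Assessment
#   until routing_verified "$(gcloud workflows executions list logEventsWorkflow \
#       --location LOCATION --limit=5)" "$SINCE"; do sleep 30; done
```

The date format used for SINCE must match gcloud's (UTC, year first, zero-padded) for the string comparison to hold; a local-time or differently ordered timestamp would silently include or exclude the wrong executions.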
