{"componentChunkName":"component---src-templates-project-template-js","path":"/projects/check-point-cloud-firewall-manager","result":{"data":{"project":{"title":"Check Point Cloud Firewall Manager","slug":"check-point-cloud-firewall-manager","description":"Built a comprehensive cloud firewall management platform bridging Check Point and AWS. Created a custom SDK surpassing Check Point's own, enabling programmatic rule management across Security Groups, NACLs, Network Firewall (stateless and stateful/Suricata), and Web ACLs. Automated network feed ingestion into AWS prefix lists. Built pipeline to pull rules from Check Point, translate to intermediate format, and deploy to AWS Network Firewall with named rules and variable mapping. Deployed on GCP CloudRun with automated triggers. Set up Headscale/Tailscale VPN mesh across AWS regions for secure connectivity. 638+ hours of development.","caseStudy":"## The problem\n\nEnterprises that standardise on **Check Point** for security policy still have to enforce that\nintent across cloud-native firewalls — AWS security groups, AWS Network Firewall, GCP firewall\nrules — each with its own model and API. Keeping those in sync by hand is slow and error-prone,\nand policy drift is a real risk. The goal: treat Check Point as the source of truth and push a\nconsistent policy out to multiple clouds automatically.\n\n## My role\n\nI was **architect and development lead** on this client engagement, designing the multi-cloud\nabstraction and the Check Point → cloud synchronization pipeline. (The codebase is the client's,\nso it isn't linked here.)\n\n## The approach\n\nA unified policy model — a neutral `CommonRule` — is translated per provider through a\n`FirewallProvider` abstraction, with direction/semantics mapped to each target. 
A FastAPI\nservice accepts a policy plus a set of targets and **fans the work out via Celery/Redis**, one\ntask per rule × target, so changes apply in parallel across many security groups with retries\nand per-task status tracking.\n\n## Architecture\n\n- **Check Point SDK** — a comprehensive client for the Check Point Management Web API (sessions,\n  access rules, objects, network feeds, batch operations, change tracking).\n- **Translation pipeline** — reads a Check Point rulebase and converts it into the unified model,\n  resolving actions and IP ranges and splitting ingress/egress.\n- **AWS Network Firewall path** — generates stateless and **Suricata-format stateful** rule\n  groups and maps Check Point network feeds to AWS managed prefix lists referenced by the rules.\n- **Providers** — AWS (boto3: security-group ingress/egress create/edit/delete, tagging) and GCP\n  (google-cloud-compute, with operation polling).\n- **Drift detection** — uses Check Point change/task APIs to reconcile a local rulebase view.\n- **Discovery** — inventories AWS/GCP VPCs, security groups, and related resources.\n- **NL command layer** — an experimental endpoint that parses natural-language firewall commands\n  into validated API calls.\n\nDeployment targeted containers on Cloud Run (Docker + Cloud Build), with a systemd-packaged agent\nvariant and an AWS Lambda + API Gateway component for feed updates.\n","gallery":[],"date_start":"2024","date_end":null,"hours":638,"client":null,"tags":["cloud","security","automation","devops","multi-cloud"],"outcomes":["Built custom SDK surpassing Check Point's own for programmatic firewall rule management","Automated cross-platform rule translation from Check Point to AWS Network Firewall","Deployed multi-region VPN mesh using Headscale/Tailscale for secure connectivity","638+ hours of sustained engineering on a single enterprise platform"],"tech_stack":["Python","AWS","GCP 
CloudRun","Docker","Terraform","Boto3"],"links":[],"image":{"childImageSharp":{"fluid":{"tracedSVG":"","aspectRatio":1.7543859649122806,"src":"/static/55d803348de5fd4951ab5dfd16f0836f/ee604/upwork-deploy.png","srcSet":"/static/55d803348de5fd4951ab5dfd16f0836f/69585/upwork-deploy.png 200w,\n/static/55d803348de5fd4951ab5dfd16f0836f/497c6/upwork-deploy.png 400w,\n/static/55d803348de5fd4951ab5dfd16f0836f/ee604/upwork-deploy.png 800w","srcWebp":"/static/55d803348de5fd4951ab5dfd16f0836f/58556/upwork-deploy.webp","srcSetWebp":"/static/55d803348de5fd4951ab5dfd16f0836f/61e93/upwork-deploy.webp 200w,\n/static/55d803348de5fd4951ab5dfd16f0836f/1f5c5/upwork-deploy.webp 400w,\n/static/55d803348de5fd4951ab5dfd16f0836f/58556/upwork-deploy.webp 800w","sizes":"(max-width: 800px) 100vw, 800px"}}},"stack_icons":[{"name":"Python","icon":{"childImageSharp":{"fixed":{"tracedSVG":"data:image/svg+xml,%3csvg%20xmlns='http://www.w3.org/2000/svg'%20width='24'%20height='24'%20viewBox='0%200%2024%2024'%20preserveAspectRatio='none'%3e%3cpath%20d='M1%201v22c2%202%2020%201%2022-1s3-22%201-21H1'%20fill='%23d3d3d3'%20fill-rule='evenodd'/%3e%3c/svg%3e","width":24,"height":24,"src":"/static/64d0f7b1b208f14bd8dd5134b3ed7ff5/6d1ba/python.png","srcSet":"/static/64d0f7b1b208f14bd8dd5134b3ed7ff5/6d1ba/python.png 1x,\n/static/64d0f7b1b208f14bd8dd5134b3ed7ff5/a9c35/python.png 1.5x,\n/static/64d0f7b1b208f14bd8dd5134b3ed7ff5/559c9/python.png 2x","srcWebp":"/static/64d0f7b1b208f14bd8dd5134b3ed7ff5/f8bad/python.webp","srcSetWebp":"/static/64d0f7b1b208f14bd8dd5134b3ed7ff5/f8bad/python.webp 1x,\n/static/64d0f7b1b208f14bd8dd5134b3ed7ff5/f81b6/python.webp 
1.5x,\n/static/64d0f7b1b208f14bd8dd5134b3ed7ff5/804d1/python.webp 2x"}}}},{"name":"AWS","icon":{"childImageSharp":{"fixed":{"tracedSVG":"data:image/svg+xml,%3csvg%20xmlns='http://www.w3.org/2000/svg'%20width='24'%20height='24'%20viewBox='0%200%2024%2024'%20preserveAspectRatio='none'%3e%3cpath%20d='M0%2012v12h25V12c0-7-1-9-1-6%200%207%200%207-2%205-2-1-2-1-1%201l-1%203-1%203c0%202-1%203-6%203-7%200-7%200-8-9-1-6%200-8%205-9%204%200%204%200%202-2L5%200H0v12'%20fill='%23d3d3d3'%20fill-rule='evenodd'/%3e%3c/svg%3e","width":20,"height":20,"src":"/static/aeecd41e51f030856d95a6b2606de3da/dba72/aws-s3.png","srcSet":"/static/aeecd41e51f030856d95a6b2606de3da/dba72/aws-s3.png 1x","srcWebp":"/static/aeecd41e51f030856d95a6b2606de3da/e3c56/aws-s3.webp","srcSetWebp":"/static/aeecd41e51f030856d95a6b2606de3da/e3c56/aws-s3.webp 1x"}}}},{"name":"GCP CloudRun","icon":{"childImageSharp":{"fixed":{"tracedSVG":"data:image/svg+xml,%3csvg%20xmlns='http://www.w3.org/2000/svg'%20width='24'%20height='24'%20viewBox='0%200%2024%2024'%20preserveAspectRatio='none'%3e%3cpath%20d='M1%201v22c2%202%2020%201%2022-1s3-22%201-21H1'%20fill='%23d3d3d3'%20fill-rule='evenodd'/%3e%3c/svg%3e","width":24,"height":24,"src":"/static/11c8c3d5bb464ba2f088929c7c3857c2/6d1ba/gcloud.png","srcSet":"/static/11c8c3d5bb464ba2f088929c7c3857c2/6d1ba/gcloud.png 1x,\n/static/11c8c3d5bb464ba2f088929c7c3857c2/a9c35/gcloud.png 1.5x,\n/static/11c8c3d5bb464ba2f088929c7c3857c2/559c9/gcloud.png 2x","srcWebp":"/static/11c8c3d5bb464ba2f088929c7c3857c2/f8bad/gcloud.webp","srcSetWebp":"/static/11c8c3d5bb464ba2f088929c7c3857c2/f8bad/gcloud.webp 1x,\n/static/11c8c3d5bb464ba2f088929c7c3857c2/f81b6/gcloud.webp 1.5x,\n/static/11c8c3d5bb464ba2f088929c7c3857c2/804d1/gcloud.webp 
2x"}}}},{"name":"Docker","icon":{"childImageSharp":{"fixed":{"tracedSVG":"data:image/svg+xml,%3csvg%20xmlns='http://www.w3.org/2000/svg'%20width='24'%20height='24'%20viewBox='0%200%2024%2024'%20preserveAspectRatio='none'%3e%3cpath%20d='M1%201v22c2%202%2020%201%2022-1s3-22%201-21H1'%20fill='%23d3d3d3'%20fill-rule='evenodd'/%3e%3c/svg%3e","width":24,"height":24,"src":"/static/56da43d828dc522662791d50808cbb00/6d1ba/docker.png","srcSet":"/static/56da43d828dc522662791d50808cbb00/6d1ba/docker.png 1x,\n/static/56da43d828dc522662791d50808cbb00/a9c35/docker.png 1.5x,\n/static/56da43d828dc522662791d50808cbb00/559c9/docker.png 2x","srcWebp":"/static/56da43d828dc522662791d50808cbb00/f8bad/docker.webp","srcSetWebp":"/static/56da43d828dc522662791d50808cbb00/f8bad/docker.webp 1x,\n/static/56da43d828dc522662791d50808cbb00/f81b6/docker.webp 1.5x,\n/static/56da43d828dc522662791d50808cbb00/804d1/docker.webp 2x"}}}},{"name":"Terraform","icon":{"childImageSharp":{"fixed":{"tracedSVG":"data:image/svg+xml,%3csvg%20xmlns='http://www.w3.org/2000/svg'%20width='24'%20height='24'%20viewBox='0%200%2024%2024'%20preserveAspectRatio='none'%3e%3cpath%20d='M1%201v22c2%202%2020%201%2022-1s3-22%201-21H1'%20fill='%23d3d3d3'%20fill-rule='evenodd'/%3e%3c/svg%3e","width":24,"height":24,"src":"/static/eea7a02c320f7f79a47022d745471610/6d1ba/terraform.png","srcSet":"/static/eea7a02c320f7f79a47022d745471610/6d1ba/terraform.png 1x,\n/static/eea7a02c320f7f79a47022d745471610/a9c35/terraform.png 1.5x,\n/static/eea7a02c320f7f79a47022d745471610/559c9/terraform.png 2x","srcWebp":"/static/eea7a02c320f7f79a47022d745471610/f8bad/terraform.webp","srcSetWebp":"/static/eea7a02c320f7f79a47022d745471610/f8bad/terraform.webp 1x,\n/static/eea7a02c320f7f79a47022d745471610/f81b6/terraform.webp 1.5x,\n/static/eea7a02c320f7f79a47022d745471610/804d1/terraform.webp 
2x"}}}},{"name":"Boto3","icon":{"childImageSharp":{"fixed":{"tracedSVG":"data:image/svg+xml,%3csvg%20xmlns='http://www.w3.org/2000/svg'%20width='24'%20height='24'%20viewBox='0%200%2024%2024'%20preserveAspectRatio='none'%3e%3cpath%20d='M1%201v22c2%202%2020%201%2022-1s3-22%201-21H1'%20fill='%23d3d3d3'%20fill-rule='evenodd'/%3e%3c/svg%3e","width":24,"height":24,"src":"/static/50d899a226b9fd8c752fbb9c6957bbc3/6d1ba/boto3.png","srcSet":"/static/50d899a226b9fd8c752fbb9c6957bbc3/6d1ba/boto3.png 1x,\n/static/50d899a226b9fd8c752fbb9c6957bbc3/a9c35/boto3.png 1.5x,\n/static/50d899a226b9fd8c752fbb9c6957bbc3/559c9/boto3.png 2x","srcWebp":"/static/50d899a226b9fd8c752fbb9c6957bbc3/f8bad/boto3.webp","srcSetWebp":"/static/50d899a226b9fd8c752fbb9c6957bbc3/f8bad/boto3.webp 1x,\n/static/50d899a226b9fd8c752fbb9c6957bbc3/f81b6/boto3.webp 1.5x,\n/static/50d899a226b9fd8c752fbb9c6957bbc3/804d1/boto3.webp 2x"}}}}]}},"pageContext":{"slug":"check-point-cloud-firewall-manager"}},"staticQueryHashes":["3724428426"]}