
Check Point Cloud Firewall Manager

  • 2024 – Present
  • 638h
  • Tags: cloud, security, automation, devops, multi-cloud

Built a comprehensive cloud firewall management platform bridging Check Point and AWS. Created a custom SDK surpassing Check Point's own, enabling programmatic rule management across Security Groups, NACLs, Network Firewall (stateless and stateful/Suricata), and Web ACLs. Automated network feed ingestion into AWS prefix lists. Built a pipeline to pull rules from Check Point, translate them to an intermediate format, and deploy them to AWS Network Firewall with named rules and variable mapping. Deployed on GCP Cloud Run with automated triggers. Set up a Headscale/Tailscale VPN mesh across AWS regions for secure connectivity. 638+ hours of development.

The problem

Enterprises that standardise on Check Point for security policy still have to enforce that intent across cloud-native firewalls — AWS security groups, AWS Network Firewall, GCP firewall rules — each with its own model and API. Keeping those in sync by hand is slow and error-prone, and policy drift is a real risk. The goal: treat Check Point as the source of truth and push a consistent policy out to multiple clouds automatically.

My role

I was architect and development lead on this client engagement, designing the multi-cloud abstraction and the Check Point → cloud synchronization pipeline. (The codebase is the client's, so it isn't linked here.)

The approach

A unified policy model — a neutral CommonRule — is translated per provider through a FirewallProvider abstraction, with direction/semantics mapped to each target. A FastAPI service accepts a policy plus a set of targets and fans the work out via Celery/Redis, one task per rule × target, so changes apply in parallel across many security groups with retries and per-task status tracking.
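The shape of that pipeline, as an added example written for this page (it is not the client's code and not the Check Point or AWS SDK): a neutral CommonRule dataclass, a translate step that resolves the action and address ranges of a simplified Check Point-style record and splits it into ingress and egress, and two FirewallProvider renderers, one producing the IpPermissions entry boto3 expects for a security group and one producing the Suricata line a stateful Network Firewall rule group takes. The record layout, field names, the 0.0.0.0/0 handling of "Any" and the $HOME_NET variable are this example's assumptions; Celery dispatch is left out so the block runs offline.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Neutral policy model: every provider renders from this object, never from the
# Check Point record directly. Field names are this example's assumptions.


@dataclass(frozen=True)
class CommonRule:
    name: str
    direction: str             # "ingress" or "egress"
    action: str                # "allow" or "deny"
    protocol: str              # "tcp", "udp", "icmp", or "-1" for any protocol
    port_from: int | None      # None means all ports
    port_to: int | None
    cidr: str                  # the remote peer; the protected target is the other side

    def __post_init__(self) -> None:
        ipaddress.ip_network(self.cidr, strict=False)   # fail early on malformed CIDRs
        if (self.port_from is None) != (self.port_to is None):
            raise ValueError("port_from and port_to must both be set or both be None")


# Constructed Check Point-style access rule in a simplified shape (not the real API schema).
CHECKPOINT_RULE = {
    "name": "web-from-corp", "action": "Accept",
    "source": ["10.0.0.0/8"], "destination": ["Any"],
    "service": {"protocol": "tcp", "port": "443"},
}


def _port_range(port) -> tuple[int | None, int | None]:
    """'443' -> (443, 443); '8000-8080' -> (8000, 8080); None -> all ports."""
    if port is None:
        return None, None
    lo, _, hi = str(port).partition("-")
    return int(lo), int(hi or lo)


def translate(cp_rule: dict) -> list[CommonRule]:
    """Resolve action and ranges, then split one Check Point rule into direction-specific
    rules: ingress per source (arriving at the target), egress per destination (leaving it)."""
    action = "allow" if cp_rule["action"] == "Accept" else "deny"
    proto = cp_rule["service"]["protocol"]
    lo, hi = _port_range(cp_rule["service"].get("port"))
    rules: list[CommonRule] = []
    for src in cp_rule["source"]:
        cidr = "0.0.0.0/0" if src == "Any" else src          # assumption: "Any" maps to 0.0.0.0/0
        rules.append(CommonRule(f"{cp_rule['name']}-in", "ingress", action, proto, lo, hi, cidr))
    for dst in cp_rule["destination"]:
        cidr = "0.0.0.0/0" if dst == "Any" else dst
        rules.append(CommonRule(f"{cp_rule['name']}-out", "egress", action, proto, lo, hi, cidr))
    return rules


class FirewallProvider:
    """One renderer per target type; direction and action semantics are mapped here."""

    def render(self, rule: CommonRule):
        raise NotImplementedError


class AwsSecurityGroupProvider(FirewallProvider):
    """One IpPermissions entry for boto3 authorize_security_group_ingress / _egress."""

    def render(self, rule: CommonRule) -> dict:
        if rule.action != "allow":
            # Security groups are allow-only; deny intent has to land on a NACL or Network Firewall.
            raise ValueError(f"{rule.name}: security groups cannot express deny")
        perm: dict = {"IpProtocol": rule.protocol,
                      "IpRanges": [{"CidrIp": rule.cidr, "Description": rule.name}]}
        if rule.port_from is not None:
            perm["FromPort"], perm["ToPort"] = rule.port_from, rule.port_to
        return perm


class SuricataProvider(FirewallProvider):
    """Suricata-format line for a stateful Network Firewall rule group. $HOME_NET stands in
    for the protected address space and is bound through the rule group's variable mapping."""

    def __init__(self, sid_base: int = 1_000_000) -> None:
        self._sid = sid_base   # sids must be unique within the rule group

    def render(self, rule: CommonRule) -> str:
        self._sid += 1
        action = "pass" if rule.action == "allow" else "drop"
        proto = "ip" if rule.protocol == "-1" else rule.protocol
        port = ("any" if rule.port_from is None else str(rule.port_from)
                if rule.port_from == rule.port_to else f"{rule.port_from}:{rule.port_to}")
        src, dst = (rule.cidr, "$HOME_NET") if rule.direction == "ingress" else ("$HOME_NET", rule.cidr)
        return f'{action} {proto} {src} any -> {dst} {port} (msg:"{rule.name}"; sid:{self._sid}; rev:1;)'
```

A deny rule fails loudly in the security-group renderer rather than silently becoming an allow, which is the kind of semantic mismatch the per-provider mapping exists to catch; the same CommonRule renders as a drop line for the stateful path.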

Architecture

  • Check Point SDK — a comprehensive client for the Check Point Management Web API (sessions, access rules, objects, network feeds, batch operations, change tracking).
  • Translation pipeline — reads a Check Point rulebase and converts it into the unified model, resolving actions and IP ranges and splitting ingress/egress.
  • AWS Network Firewall path — generates stateless and Suricata-format stateful rule groups and maps Check Point network feeds to AWS managed prefix lists referenced by the rules.
  • Providers — AWS (boto3: security-group ingress/egress create/edit/delete, tagging) and GCP (google-cloud-compute, with operation polling).
  • Drift detection — uses Check Point change/task APIs to reconcile a local rulebase view.
  • Discovery — inventories AWS/GCP VPCs, security groups, and related resources.
  • NL command layer — an experimental endpoint that parses natural-language firewall commands into validated API calls.
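The reconciliation step behind the drift-detection item, as an added example written for this page rather than the client's code: replay a stream of change records onto a local rulebase view, then compare the result with a snapshot of what the management server actually holds, so that any rule that arrived outside the tracked changes shows up as drift. The uids, rule contents and the flat add/modify/delete record shape are constructed for the example; the real Check Point change and task API responses have a different schema.

```python
import hashlib
import json

# Constructed local rulebase view keyed by object uid (uids and rules are made up).
LOCAL_VIEW = {
    "a1": {"name": "web-from-corp", "action": "Accept", "source": ["10.0.0.0/8"],
           "destination": ["Any"], "service": ["https"]},
    "b2": {"name": "legacy-telnet", "action": "Accept", "source": ["Any"],
           "destination": ["Any"], "service": ["telnet"]},
}

# Constructed change records in a simplified shape; the real change/task API responses differ.
CHANGES = [
    {"operation": "modify", "uid": "a1",
     "object": {"name": "web-from-corp", "action": "Accept", "source": ["10.0.0.0/8"],
                "destination": ["Any"], "service": ["https", "http"]}},
    {"operation": "delete", "uid": "b2"},
    {"operation": "add", "uid": "c3",
     "object": {"name": "dns-out", "action": "Accept", "source": ["Any"],
                "destination": ["10.0.0.53/32"], "service": ["dns"]}},
]

# Constructed snapshot of what the management server holds after those changes, plus one
# rule ("d4") that was created outside the tracked change stream.
REMOTE_SNAPSHOT = {
    "a1": CHANGES[0]["object"],
    "c3": CHANGES[2]["object"],
    "d4": {"name": "untracked-any-any", "action": "Accept", "source": ["Any"],
           "destination": ["Any"], "service": ["Any"]},
}


def fingerprint(rule: dict) -> str:
    """Stable content hash: key order and whitespace must not register as drift."""
    canonical = json.dumps(rule, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def apply_changes(view: dict, changes: list) -> dict:
    """Replay change records onto a copy of the local view; the input is left untouched."""
    updated = {uid: dict(rule) for uid, rule in view.items()}
    for change in changes:
        op = change["operation"]
        if op == "delete":
            updated.pop(change["uid"], None)
        elif op in ("add", "modify"):
            updated[change["uid"]] = dict(change["object"])
        else:
            raise ValueError(f"unknown change operation: {op}")
    return updated


def diff_rulebases(expected: dict, actual: dict) -> dict:
    """uids only in actual (added), only in expected (removed), or in both with
    differing content (modified)."""
    shared = expected.keys() & actual.keys()
    return {
        "added": set(actual) - set(expected),
        "removed": set(expected) - set(actual),
        "modified": {uid for uid in shared if fingerprint(expected[uid]) != fingerprint(actual[uid])},
    }


def detect_drift(local_view: dict, changes: list, remote: dict) -> dict:
    """Reconcile: replay the tracked changes, then compare with the live snapshot.
    Whatever remains is drift that bypassed the tracked change stream."""
    return diff_rulebases(apply_changes(local_view, changes), remote)
```

Hashing a canonical JSON form rather than comparing raw API responses keeps field ordering and formatting noise from producing false drift alerts, which matters once the check runs on a schedule and its output feeds an alert.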

Deployment targeted containers on Cloud Run (Docker + Cloud Build), with a systemd-packaged agent variant and an AWS Lambda + API Gateway component for feed updates.

Outcomes

  • Built custom SDK surpassing Check Point's own for programmatic firewall rule management
  • Automated cross-platform rule translation from Check Point to AWS Network Firewall
  • Deployed multi-region VPN mesh using Headscale/Tailscale for secure connectivity
  • 638+ hours of sustained engineering on a single enterprise platform

Tech Stack

  • Python
  • AWS
  • GCP Cloud Run
  • Docker
  • Terraform
  • Boto3

Copyright © 2026 Nishant Tiwari All Rights Reserved