CloudGuard Network Security for Virtual and Cloud WAN

Inline security and consistent policy enforcement across your cloud and hybrid WAN

Request a Demo Watch Video

Merging Security, Infrastructure, and Cost Savings

Whether you’re charting cloud strategy, building secure infrastructure, or defending against threats, CloudGuard Network Security has you covered. From seamless multi-cloud integration to real-time threat prevention, CloudGuard delivers the outcomes that matter most to every team.

Enterprise-Grade Security at Every Point

CloudGuard Network Security enforces real-time AI-powered threat prevention across your cloud WAN, hybrid connections, and east-west flows. From branch access to inter-cloud traffic, CloudGuard protects every layer with a proactive, inline defense that stops threats before they spread.

• Zero-Day Threat Prevention
  Block known and unknown threats in transit, including zero-days, malware, and evasive exploits with real-time AI-driven inspection and sandboxing.
• Lateral Movement Control Enforce adaptive segmentation to contain breaches and stop unauthorized access across cloud regions, VPCs, VNets, and SD-WAN-connected sites.
• Identity-Aware Access Enforcement Apply dynamic, least-privilege access rules using user identities, cloud roles, and service context instead of static IPs or subnets.
• Inline Protection at Every Edge Secure public-facing and internal WAN entry points with deep packet inspection, intrusion prevention, and application-aware controls.
• Autonomous Threat Response Trigger automated policy updates, host isolation, and containment actions across cloud and hybrid networks before manual response is required.

Read the White Paper

Key CloudGuard Network Security Features

Native Integration With Leading Providers

• Amazon Web Services (AWS Marketplace)
  Cloud WAN for global, segment-based traffic inspection.
  Gateway Load Balancer for scalable inline insertion.
  Tunnel-less Connect for BGP-based SD-WAN integration.
  Transit Gateway for centralized routing and enforcement.
  Direct Connect for secured hybrid WAN entry points.
• Microsoft Azure (Azure Marketplace)
  Virtual WAN for inter-VNet and hybrid traffic inspection.
  Routing Intent for automatic traffic steering through CloudGuard.
  ExpressRoute for secure on-prem connectivity.
  VPN Gateway for inspecting remote user and branch traffic.
  Managed Application for native deployment inside Virtual Hubs.
• Google Cloud Platform (GCP Marketplace)
  Network Connectivity Center for spoke-based traffic inspection.
  Cloud Router + BGP for dynamic route exchange.
  Managed Instance Groups for auto-scaling CloudGuard nodes.
  Interconnect / VPN for hybrid WAN security enforcement.
  Cloud Security Command Center for integrated threat visibility.

Protect any cloud, on every platform.

Deploying CloudGuard Network Security

Built to meet the needs of cloud infrastructure architects, platform engineers, and security operations teams, CloudGuard Network Security provides inline traffic inspection without disrupting routing, delivering scalable and secure connectivity across cloud and hybrid environments. CloudGuard supports dynamic scaling, deployment automation, and centralized policy enforcement across regions, clouds, and sites, giving teams the flexibility and control they need to standardize security in distributed networks.

• Azure
• AWS
• GCP
• Multi Cloud

Deployment in Azure

Embed CloudGuard Network Security directly into Azure Virtual WAN to secure inter-VNet, branch, and remote user traffic with full NGFW and threat prevention, delivered as a native Virtual Hub service – here’s how you get it:

• Deploy CloudGuard as a Microsoft-approved Managed Application directly into Virtual WAN hubs, enabling automatic traffic steering through the gateways without custom route tables or UDRs.
• Auto-scale CloudGuard clusters using Virtual Machine Scale Sets behind an Internal Load Balancer, with Azure-native health checks and seamless high availability.
• Maintain dynamic policy accuracy with CloudGuard Controller, which continuously syncs Azure resources such as VNets, subnets, tags, and load balancers into the rule base.
• Automate deployment, policy assignment, and ongoing management with Cloud Management Extension (CME), and forward logs to Microsoft Sentinel and Defender for Cloud for full visibility and response integration.

Deployment in AWS

Integrate CloudGuard Network Security into AWS Cloud WAN to inspect and protect traffic across regions, VPCs, and SD-WAN branches without disrupting native routing or scalability – here’s how you get it:

• Deploy CloudGuard gateways in dedicated VPCs, attach them to the AWS Cloud WAN Core Network, and leverage Service Insertion to automatically route and inspect all traffic between VPCs, SD-WAN branches, and internet gateways.
• Use Auto Scaling Groups behind Gateway Load Balancers to elastically scale CloudGuard clusters based on traffic demand, with complete visibility and health-check integration.
• Peer CloudGuard directly with Cloud WAN using Tunnel-less Connect for high-performance, encapsulation-free BGP routing between SD-WAN edge devices and AWS infrastructure.

Deployment in GCP

Insert CloudGuard Network Security into GCP’s Network Connectivity Center as a router appliance spoke, enabling centralized inspection across regions, VPCs, and hybrid connections for secure east-west and north-south traffic – here’s how:

• Deploy CloudGuard gateways as router appliance spokes within NCC hubs, using BGP peering with Cloud Router to dynamically exchange routes and steer traffic through the inspection path.
• Auto-scale CloudGuard using Managed Instance Groups behind an Internal Load Balancer, ensuring elastic performance and fault tolerance across regions.
• Changes in cloud infrastructure, such as new VPCs, subnets, instances, and tags, are automatically reflected within security policies to maintain consistent protection without manual updates.
• Enable full lifecycle automation, including provisioning, policy enforcement, scaling, and log export, to Google Cloud Security Command Center (CSCC) for centralized threat visibility.

Deployment in Multi-Cloud

CloudGuard Network Security integrates directly into the native WAN fabrics of AWS, Azure, and GCP to provide unified, inline threat prevention across clouds, regions, and hybrid environments – here’s how you get it:

• Deploy CloudGuard at the traffic inspection layer within each cloud’s WAN framework using native routing protocols and constructs to steer traffic through CloudGuard for inline inspection without manual route manipulation, connecting environments through physical or virtual WAN edge devices that integrate natively with each provider’s WAN routing domain. CloudGuard peering enables consistent security enforcement across these ingress points, supporting full traffic inspection across east-west, ingress, and egress paths.
   
  In environments where cloud-native WAN services are unavailable or limited, you can deploy CloudGuard in regional hub-and-spoke or transit architectures using standard routing and load-balancing constructs with WAN connectivity extended through interoperable overlays or network edge platforms for consistent policy enforcement and visibility across heterogeneous infrastructures.