Nyalma Cerberus

Firewall governance for self-hosted Check Point environments.

Give security teams one controlled place to browse live rulebases, delegate scoped changes, approve edits and install-policy actions, limit log visibility, and keep evidence together without moving firewall governance into a managed SaaS.

What it does

Govern rule access, changes, logs, and evidence from one self-hosted workspace.

Nyalma Cerberus keeps Check Point operations practical for large teams: admins retain control, delegated teams get bounded workflows, and log visibility can be limited with direct access filters.

Rulebase governance

Browse and manage Check Point rulebases with guardrails.

Give operators a controlled workspace for live packages, layers, inline layers, staged edits, optimistic concurrency, and edit locks.

Delegated access

Delegate changes by team, scope, package, layer, and field.

Use team scopes and field-level grants so application teams can request or perform only the changes they are allowed to make.

Approvals

Route risky or delegated changes through approval flows.

Keep direct admin edits and team-owned changes separated, with explicit approvers and auditable decisions.

Log access filters

Grant limited Check Point log access without global log visibility.

Assign direct user log filters so people can open the Logs workspace only for the traffic they are allowed to investigate.

Evidence

Connect rule changes to logs, watchlists, exports, and audit history.

Search rule activity, monitor URL/application/IP usage, export evidence, and keep tamper-evident audit history attached to operational decisions.

Self-hosted control

Run under your control, with no runtime portal dependency.

Install Nyalma Cerberus in the customer environment, import signed license material, and keep runtime validation local.

Core workflow

Read, delegate, approve, investigate, and prove what changed.

01

Read

Browse live Check Point rulebases with stable paging, selectors, object context, and permission checks.

02

Delegate

Expose only the teams, scopes, fields, objects, and log queries a user is allowed to use.

03

Approve

Route scoped changes through explicit approval flows before sensitive writes or policy installs happen.

04

Investigate

Use rule logs, limited log access filters, watchlists, exports, and audit trails to prove decisions.

Operational depth

Cerberus is designed for real firewall operations, not only request intake.

The value is in the guardrails around live Check Point work: scoped visibility, controlled object creation, explicit approval targets, install-policy boundaries, and evidence that survives audit review.

Check Point-aware

Built around packages, layers, NAT, HTTPS, threat, and inline rulebases.

Cerberus models the Check Point Management API instead of flattening everything into generic tickets. Operators select the real package and layer context before browsing or changing rules.

Scoped self-service

Let teams request changes and create allowed objects inside their namespace.

Team scopes, field access, object creation toggles, and namespace prefixes keep delegated work bounded while firewall administrators retain control.

Change control

Protect sensitive writes with approvals, locks, ETags, and install-policy guardrails.

Direct admin writes, staged team changes, publish actions, and install-policy jobs can be separated so high-impact operations stay reviewable.

Audit readiness

Keep operational evidence useful after the change window closes.

Log searches, per-user log access filters, watchlists, audit exports, legal holds, and audit integrity checks help teams explain what changed and why.