<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Disable Local firewall rules management on Spark Management GW // Firewalls rules and VPN migrat in Spark Firewall (SMB)</title>
    <link>https://community.checkpoint.com/t5/Spark-Firewall-SMB/Disable-Local-firewall-rules-management-on-Spark-Management-GW/m-p/264807#M13494</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The access policy feature from Spark Management is unique and is by design co-managed with the local appliance. This means that even if the policy is managed by Spark Management, it is not locked for editing on the local web UI. Ensuring that some admins will not be able to create rules should be achieved by using specified roles. Consider looking into the self-serve portal feature that provides a web UI with only a small set of capabilities.&lt;/P&gt;
&lt;P&gt;Regarding the migration of access rules from Smart-1, it is not possible at this time; moreover, the access policy capabilities in Spark Management are more simplified compared to Smart-1, which makes a migration impossible.&lt;/P&gt;
&lt;P&gt;You can add external CA certificates to Spark Management to be distributed to the connected gateways under Settings -&amp;gt; Certificates. When a device is managed by Spark Management, the VPN certificate is automatically issued and maintained by Spark Management as long as the device remains connected to the service. This means that when configuring a VPN community where the center is managed by Smart-1, and the Spark gateways are managed by Spark Management, you will need to share the CA with each side, where the center is usually configured as LSV.&lt;/P&gt;
&lt;P&gt;I am also sharing an SK for how to set up a VPN community in Spark Management with an externally managed Check Point gateway:&amp;nbsp;&lt;A href="https://support.checkpoint.com/results/sk/sk177545" target="_blank"&gt;https://support.checkpoint.com/results/sk/sk177545&lt;/A&gt;&lt;/P&gt;</description>
    <pubDate>Tue, 09 Dec 2025 09:13:26 GMT</pubDate>
    <dc:creator>yahavb</dc:creator>
    <dc:date>2025-12-09T09:13:26Z</dc:date>
    <item>
      <title>Disable Local firewall rules management on Spark Management GW // Firewalls rules and VPN migration</title>
      <link>https://community.checkpoint.com/t5/Spark-Firewall-SMB/Disable-Local-firewall-rules-management-on-Spark-Management-GW/m-p/264218#M13486</link>
      <description>&lt;P&gt;&lt;FONT color="#000000"&gt;Hello everyone!&lt;/FONT&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;FONT color="#000000"&gt;I have some questions about local firewall rules management when you manage a Quantum Spark Gateway with Spark Management (SMP), and questions about firewall rules migration.&lt;/FONT&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;FONT color="#000000"&gt;I know that you can enable "remote" management for firewall rules from the Spark Management Portal to send these policies to the Spark Gateway, and when you fetch configurations on the Gateway, the Gateway deploys the new firewall rules on the rulebase. The problem I see here is that if you have admin credentials or a user with write permissions for the Quantum Spark Gateway, the administrator can modify or create their own firewall rules locally on the appliance.&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT color="#000000"&gt;&lt;FONT face="arial black,avant garde"&gt;Is it possible for firewall rules to be managed exclusively from the Spark Management Portal and block the creation of local rules?&amp;nbsp;&lt;/FONT&gt;&lt;FONT face="arial black,avant garde"&gt;I understand that the Gateway works as “Locally Managed + Cloud Services,” but is there any way to block local management of firewall rules?&lt;/FONT&gt;&lt;BR /&gt;&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT color="#000000"&gt;The second question is about migrating firewall rules from an on-premises Security Management Server to the Spark Management Portal.&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT color="#000000"&gt;The current environment is a Management Server with a Gaia R81.20 HA Cluster and 100+ Remote Quantum Sparks communicating through a Star Community VPN.&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT color="#000000"&gt;The firewall rules for this VPN are managed through a Policy Package and, as the central and remote firewalls are managed by the same Management Server, the VPN certificates are issued by the ICA on the Management Server.&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT face="arial black,avant garde" color="#000000"&gt;Is there a way to migrate the firewall rules from the Management Server Policy Package to Spark Management?&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT face="arial black,avant garde" color="#000000"&gt;Same question for VPN certificates issued by the Management Server ICA: is it possible to migrate them to Spark Management?&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="3" color="#000000"&gt;I know these questions can be addressed with our SE, but at the same time, I would like to know if anyone has the answers to these questions, if anyone has had a similar experience, or if anyone could help me get oriented beforehand.&lt;BR /&gt;&lt;BR /&gt;Greetings!&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 02 Dec 2025 23:58:11 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Spark-Firewall-SMB/Disable-Local-firewall-rules-management-on-Spark-Management-GW/m-p/264218#M13486</guid>
      <dc:creator>israelsc</dc:creator>
      <dc:date>2025-12-02T23:58:11Z</dc:date>
    </item>
    <item>
      <title>Re: Disable Local firewall rules management on Spark Management GW // Firewalls rules and VPN migrat</title>
      <link>https://community.checkpoint.com/t5/Spark-Firewall-SMB/Disable-Local-firewall-rules-management-on-Spark-Management-GW/m-p/264427#M13487</link>
      <description>&lt;P&gt;If the device is managed with a Smart-1 (either Cloud or on-premise), then you will not be able to create local firewall rules.&lt;BR /&gt;SMP does not block local rule creation.&lt;/P&gt;
&lt;P&gt;There is also no automated way to convert between on-premise (or Cloud) Smart-1 and Spark management (local or SMP).&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 04 Dec 2025 21:07:51 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Spark-Firewall-SMB/Disable-Local-firewall-rules-management-on-Spark-Management-GW/m-p/264427#M13487</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2025-12-04T21:07:51Z</dc:date>
    </item>
    <item>
      <title>Re: Disable Local firewall rules management on Spark Management GW // Firewalls rules and VPN migrat</title>
      <link>https://community.checkpoint.com/t5/Spark-Firewall-SMB/Disable-Local-firewall-rules-management-on-Spark-Management-GW/m-p/264807#M13494</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The access policy feature from Spark Management is unique and is by design co-managed with the local appliance. This means that even if the policy is managed by Spark Management, it is not locked for editing on the local web UI. Ensuring that some admins will not be able to create rules should be achieved by using specified roles. Consider looking into the self-serve portal feature that provides a web UI with only a small set of capabilities.&lt;/P&gt;
&lt;P&gt;Regarding the migration of access rules from Smart-1, it is not possible at this time; moreover, the access policy capabilities in Spark Management are more simplified compared to Smart-1, which makes a migration impossible.&lt;/P&gt;
&lt;P&gt;You can add external CA certificates to Spark Management to be distributed to the connected gateways under Settings -&amp;gt; Certificates. When a device is managed by Spark Management, the VPN certificate is automatically issued and maintained by Spark Management as long as the device remains connected to the service. This means that when configuring a VPN community where the center is managed by Smart-1, and the Spark gateways are managed by Spark Management, you will need to share the CA with each side, where the center is usually configured as LSV.&lt;/P&gt;
&lt;P&gt;I am also sharing an SK for how to set up a VPN community in Spark Management with an externally managed Check Point gateway:&amp;nbsp;&lt;A href="https://support.checkpoint.com/results/sk/sk177545" target="_blank"&gt;https://support.checkpoint.com/results/sk/sk177545&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 09 Dec 2025 09:13:26 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Spark-Firewall-SMB/Disable-Local-firewall-rules-management-on-Spark-Management-GW/m-p/264807#M13494</guid>
      <dc:creator>yahavb</dc:creator>
      <dc:date>2025-12-09T09:13:26Z</dc:date>
    </item>
  </channel>
</rss>

