JaySon_2021
Contributor

On-Prem SMS. New firewall in Azure. How to connect?

We have an on-prem SMS that currently manages a couple of on-prem firewalls. We are deploying a Checkpoint cluster in Azure and need to manage it from our on-prem SMS. How do we accomplish this?

0 Kudos
14 Replies
PhoneBoy
Admin

Adding the Azure gateways to your on-prem SMS works the same as it does for your on-prem gateways: establish SIC and install policy.
Setting the cluster up in Azure to get to that point, on the other hand…https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_Azure_HA_Clust...

0 Kudos
JaySon_2021
Contributor

Additional info. We do not have a communication path to Azure from our SMS. Do we need to have a VPN or other direct communication path to Azure in order for the SMS to communicate with the newly deployed Checkpoint cluster? Or is there a mechanism within the SMS to connect to Azure directly?

0 Kudos
the_rock
MVP Diamond

I recall seeing some sort of plug-in (if that's the right word) you can run on the SMS for this, I just can't remember the process now. Let me see if I can find it for you.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
JaySon_2021
Contributor

Thanks Andy. Seems to be a Catch-22: on-prem SMS and Azure Checkpoint. If I don't have a path to Azure from the network where the SMS resides, how can I add the new firewall and apply policy?

0 Kudos
the_rock
MVP Diamond

Hm... that's a bit of a tricky situation, it does sound exactly like a Catch-22, as you said. There would need to be some way for the SMS to communicate with the Azure gateway. Are you able to ping the public Azure IP from the SMS itself at all?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond

Not sure if what I said before would apply. I am sure I was thinking of a specific script in the $FWDIR/scripts dir, but if it's on-prem management, I doubt it would be there by default. If you send the contents of that dir, I can easily confirm.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
PhoneBoy
Admin

A network connection is required to initialize SIC, install policy, and send logs back to the management/log server.

0 Kudos
JaySon_2021
Contributor

Ok. So how are customers who have an on-prem SMS and are building Checkpoint firewalls in Azure making this solution work? VPN?

0 Kudos
the_rock
MVP Diamond

I know people who did this without any issues. I'm no Azure expert by any means, but I believe you may need to look at some policies in the Azure portal, and proper routing also needs to be in place.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
PhoneBoy
Admin

The gateways are exposed to the Internet through your Azure configuration.

JaySon_2021
Contributor

Hi PB. So we would use the front end IPs (Azure NATs) as the VPN termination AND for management of the Azure checkpoint cluster? Isn't that a security risk?

0 Kudos
CP_Chris
Employee

SIC is an encrypted protocol. You need to make sure you have an automatic public NAT address for your SMS with the "use for control connections" enabled, and then connect to the public (Azure NAT) IPs. This is perfectly safe and is used by thousands of customers with no issue today.

(1)
the_rock
MVP Diamond

That makes perfect sense.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
PhoneBoy
Admin

Yes, that's how you do it.
All SIC traffic is authenticated and encrypted.
The default firewall policy blocks unnecessary traffic.
It's no different than managing a remote physical gateway over the Internet, something customers have been doing for decades.
