Thank you guys for reply.

Actually I don't need to rename gateway, it is enough to rename object in mgmt to be able track down logs based on origin. I can live with uncleared data on device when moving between customers 😀 (I hope renaming object will not trigger log entries edit)

Back to my initial issue: So there is no way, how to establish SIC from GW, when there is not possible to connect from mgmt server -> GW. 

When there is not possible to open connection from MGMT to GW (only opposite way) - do this affect functionality of GW in DAIP mode? (I do only checkups, so there is only initial rulebase fetch once; I take care only about log forward from GW to mgmt server).

Keep in mind the certificate for SIC is issued by the management server.
When you do reset SIC from a gateway, all you’re doing is removing the existing certificate and establishing the shared secret that will be used when the management connects.
Even the “reset SIC on gateway without a restart” procedure ultimately does this (removes SIC certificate, resets shared secret). 
Management must always initialize SIC with the gateway.

In a DAIP scenario (where the gateway object is marked as having a Dynamic IP), you specify the current IP address of the gateway when establishing SIC.
For gateways that are truly behind NAT and marked as DAIP, there is a somewhat different communication mechanism (inherited from the SMB devices).
In either case, ultimately, the gateway must be able to reach the management server IP. 

well,

When I am behind several NAT and there is no way to connect from MGMT to GW (only from GW to MGMT), I have to use another approach. Anyway I am sad that in DAIP is not supported TE/TEX/CA,... I am wondering that last message from RnD is 2 years old (it is not supported), while on SMB I am using it without issues.

Finally I left the Idea of central management in this case and I'll configure stand alone boxes.

When Check Point SEs run Security Checkups, they typically use a locally managed gateway.
In fact, we even offer a Blink image for it: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Granted, it needs to be a larger box due to the need for Management + SmartEvent.

A couple other options for this involving the cloud:

• Security Checkup with SMB appliance: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
• Using a Horizon NDR sensor. @Nir_Naaman can comment further on it.
• Use Smart-1 Cloud for the management of the device (though that has a cost to it, obviously).

With Horizon NDR, the issue is moot - you don't need a management server so no SIC.

See: https://community.checkpoint.com/t5/Horizon-NDR/Horizon-NDR-Deployment-Guide/m-p/157374#M70.

Step 1: Install gateway with R81.10 or R81.20, latest jumbo.

Step 2: Define a sensor object on Horizon NDR, GENERATE REGISTRATION KEY, and run the provided command on your gateway.

Step 3: Attach the gateway to a customer's SPAN port, and wait for logs to accumulate.

Step 4: On the REPORTS tab, click "+ REQUEST", select report type, and submit. After a few minutes you'll get your report.

Step 5: Move the gateway to another customer's site, and repeat from Step 3.

Note: It's best if you provision a separate NDR subdomain for each customer, so that the reports don't contain residual information from the previous one.

If it's a one-off, then this would indeed be overkill, but I would note that Horizon NDR is a completely portable application, in fact is also being used by some defense sector customers that are completely isolated from the Internet (with data diodes transferring ThreatCloud updates into their Private ThreatCloud). So perfectly suitable for public sector applications.

Well, keep in mind that as that link I sent you states, even renaming it may require SIC reset. As a matter of fact, I tried doing this in both R81.10 and R81.20 and would NOT let me rename it even in smart console without SIC reset. I had to 100% follow steps from link in my previous post.