- Products
- Learn
- Local User Groups
- Partners
- More
Access Control and Threat Prevention Best Practices
5 November @ 5pm CET / 11am ET
Ask Check Point Threat Intelligence Anything!
October 28th, 9am ET / 3pm CET
Check Point Named Leader
2025 Gartner® Magic Quadrant™ for Hybrid Mesh Firewall
HTTPS Inspection
Help us to understand your needs better
CheckMates Go:
Spark Management Portal and More!
Hi guys,
I am going to do some checkups for various entities. I have central management with public IP. The end entities have probably own firewall, usually DHCP public address, or even worse they are behind several hide NAT. Simply said there is not possible to open connection from MGMT to Checkup device.
In ideal case I would like to bring checkup device to end customer, configure one interface with access to internet, rename the GW according the Customer Name, create SIC from gateway in DAIP mode and collect logs on MGMT (finally I'll do Checkup report with filter to Origin).
In worst case I am able to create SIC for DAIP in my office and then bring Checkup device to end customer. What is exactly written in SIC certificate? Is it possible to rename gateway in management without reinitialize SIC. I would like to filter report based on Origin? (there is no way to reinitialize SIC when GW is moved between end customers).
Thank you man. This was my initial idea -> but it's a public sector, no data/metadata can be posted outside organization. This option has been prohibited by layers. Therefor no Horizon or SMart-1 cloud is applicable.
Even checkup is working with SMB with DAIP without issues, I have already smart-1 6000L box and couple of full size FW (6200,7000, and bigger)
I believe the object name is partially there in the SIC certificate.
Having said that, renaming the gateway should not affect an existing SIC connection.
Its been a while since I did this, but I recall in the old days it used to give warning that you had to detach a license to rename the object. Might be different now, but will try tomorrow in my R81.20 lab.
Renaming the gateway would not cause affect on SIC however it would definitely cause an issue on IPsec vpn if that is part of any community. I guess CP wont allow you do that.
I knew there had to be more to it than I thought. As a matter of fact, yes, you DO have to reset sic...please see below steps.
https://community.checkpoint.com/t5/General-Topics/How-to-change-Security-Gateway-name/td-p/33310
Thank you guys for reply.
Actually I don't need to rename gateway, it is enough to rename object in mgmt to be able track down logs based on origin. I can live with uncleared data on device when moving between customers 😀 (I hope renaming object will not trigger log entries edit)
Back to my initial issue: So there is no way, how to establish SIC from GW, when there is not possible to connect from mgmt server -> GW.
When there is not possible to open connection from MGMT to GW (only opposite way) - do this affect functionality of GW in DAIP mode? (I do only checkups, so there is only initial rulebase fetch once; I take care only about log forward from GW to mgmt server).
Keep in mind the certificate for SIC is issued by the management server.
When you do reset SIC from a gateway, all you’re doing is removing the existing certificate and establishing the shared secret that will be used when the management connects.
Even the “reset SIC on gateway without a restart” procedure ultimately does this (removes SIC certificate, resets shared secret). 
Management must always initialize SIC with the gateway.
In a DAIP scenario (where the gateway object is marked as having a Dynamic IP), you specify the current IP address of the gateway when establishing SIC.
For gateways that are truly behind NAT and marked as DAIP, there is a somewhat different communication mechanism (inherited from the SMB devices).
In either case, ultimately, the gateway must be able to reach the management server IP. 
well,
When I am behind several NAT and there is no way to connect from MGMT to GW (only from GW to MGMT), I have to use another approach. Anyway I am sad that in DAIP is not supported TE/TEX/CA,... I am wondering that last message from RnD is 2 years old (it is not supported), while on SMB I am using it without issues.
Finally I left the Idea of central management in this case and I'll configure stand alone boxes.
When Check Point SEs run Security Checkups, they typically use a locally managed gateway.
In fact, we even offer a Blink image for it: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Granted, it needs to be a larger box due to the need for Management + SmartEvent.
A couple other options for this involving the cloud:
With Horizon NDR, the issue is moot - you don't need a management server so no SIC.
See: https://community.checkpoint.com/t5/Horizon-NDR/Horizon-NDR-Deployment-Guide/m-p/157374#M70.
Step 1: Install gateway with R81.10 or R81.20, latest jumbo.
Step 2: Define a sensor object on Horizon NDR, GENERATE REGISTRATION KEY, and run the provided command on your gateway.
Step 3: Attach the gateway to a customer's SPAN port, and wait for logs to accumulate.
Step 4: On the REPORTS tab, click "+ REQUEST", select report type, and submit. After a few minutes you'll get your report.
Step 5: Move the gateway to another customer's site, and repeat from Step 3.
Note: It's best if you provision a separate NDR subdomain for each customer, so that the reports don't contain residual information from the previous one.
Thank you man. This was my initial idea -> but it's a public sector, no data/metadata can be posted outside organization. This option has been prohibited by layers. Therefor no Horizon or SMart-1 cloud is applicable.
Even checkup is working with SMB with DAIP without issues, I have already smart-1 6000L box and couple of full size FW (6200,7000, and bigger)
If it's a one-off, then this would indeed be overkill, but I would note that Horizon NDR is a completely portable application, in fact is also being used by some defense sector customers that are completely isolated from the Internet (with data diodes transferring ThreatCloud updates into their Private ThreatCloud). So perfectly suitable for public sector applications.
Well, keep in mind that as that link I sent you states, even renaming it may require SIC reset. As a matter of fact, I tried doing this in both R81.10 and R81.20 and would NOT let me rename it even in smart console without SIC reset. I had to 100% follow steps from link in my previous post.
 
					
				
				
			
		
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
| User | Count | 
|---|---|
| 22 | |
| 17 | |
| 12 | |
| 10 | |
| 9 | |
| 9 | |
| 7 | |
| 7 | |
| 7 | |
| 5 | 
Tue 28 Oct 2025 @ 11:00 AM (EDT)
Under the Hood: CloudGuard Network Security for Google Cloud Network Security Integration - OverviewTue 28 Oct 2025 @ 12:30 PM (EDT)
Check Point & AWS Virtual Immersion Day: Web App ProtectionTue 28 Oct 2025 @ 11:00 AM (EDT)
Under the Hood: CloudGuard Network Security for Google Cloud Network Security Integration - OverviewTue 28 Oct 2025 @ 12:30 PM (EDT)
Check Point & AWS Virtual Immersion Day: Web App ProtectionThu 30 Oct 2025 @ 03:00 PM (CET)
Cloud Security Under Siege: Critical Insights from the 2025 Security Landscape - EMEAThu 30 Oct 2025 @ 11:00 AM (EDT)
Tips and Tricks 2025 #15: Become a Threat Exposure Management Power User!About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY