LazarusG
Contributor

mgmt and stealth rule for on-prem gateway and maas?

Hi 

Hope this is the right location for this post(?)

Potentially dumb question: what is best practice for a mgmt and stealth rule on an on-prem policy if the manager is cloud/maas?

If mgmt is through the maas tunnel (which is reliant on fqdn resolution on the gw?), would this instruction be valid still?

Best Practices for Access Control Rules

Thanks!

the_rock
Legend

That's a totally valid question @LazarusG. Personally, I would say the same would technically apply. That's at least what TAC told me about this 2 years ago.

Andy

PhoneBoy
Admin

When using Smart-1 Cloud, all connectivity between management and gateway is via a single HTTPS connection initiated from the gateway. 
No specific rules should be necessary unless you've disabled the Implied Rule that allows Outbound traffic from the Gateway.

LazarusG
Contributor

Thanks - the reason for asking is that the policy has no stealth rule at the moment, but we are trying to prevent external access to the https cert. I have looked at many SKs, but in my lab, building the on-prem environment incrementally, the stealth rule is the first thing that deterministically stops the access. However, this is an on-prem lab, not maas.

LazarusG
Contributor

If the on-prem box calls home, does this mean we don't even need a mgmt rule unless you want to access gaia from private-nets?

LazarusG
Contributor

I asked the support centre AI - it has impressed me more than once lately.

"To properly manage an on-premises gateway using MaaS (Management as a Service) and configure the correct management and stealth rules, follow these steps:

Management Rule
Allow Management Traffic:
Ensure that the gateway can communicate with the MaaS service. This typically involves allowing outbound HTTPS traffic to the MaaS service endpoints.
Example rule:
Source: Gateway
Destination: <Service-Identifier>.maas.checkpoint.com
Service: HTTPS (TCP/443)
Action: Allow

Stealth Rule
Configure Stealth Rule:
A stealth rule is used to protect the gateway itself from unauthorized access. It should be placed at the top of the rule base to drop any traffic that is not explicitly allowed.
Example rule:
Source: Any
Destination: Gateway
Service: Any
Action: Drop

Additional Considerations
Bidirectional Rules:
Ensure that the rules are bidirectional if necessary, especially for management traffic that requires responses.
NAT Configuration:
If the gateway is behind a NAT device, ensure that the NAT configuration allows the necessary traffic to pass through.
Example Configuration
Here is an example of how the rules might look in a simplified format:

Rule No.  Source    Destination                               Service          Action
1         Any       Gateway                                   Any              Drop
2         Gateway   <Service-Identifier>.maas.checkpoint.com  HTTPS (TCP/443)  Allow
3         ...       ...                                       ...              ...
Verifying Configuration
Check MaaS Tunnel:
Ensure the MaaS tunnel is up and running by using the following commands in Expert mode:
maas status
show security-gateway cloud-mgmt-service

Check Interface:
Verify the maas_tunnel interface is configured correctly:
ifconfig

By following these steps, you can ensure that your on-premises gateway is properly managed by MaaS and protected by a stealth rule.

BE AWARE
Important - To prevent negative impact on your production environment, double-check the provided information in the Administration Guide for the involved product."

LazarusG
Contributor

Can anyone sanity check that AI response? It looks awesome, but I don't want people to lock themselves out of their gateways by following info published in this post 🙂

LazarusG
Contributor

From the Quantum Smart-1 Cloud Administration Guide (assuming R81.20): I guess you allow any private nets in a mgmt rule and block everything else with a stealth rule:

"Which ports must be open on the Security Gateway?
You must allow outbound HTTPS traffic to the FQDNs listed below to allow the communication between the Security Gateway and the service:
- To your domain at Smart-1 Cloud: <Service-Identifier>.maas.checkpoint.com
- For Smart-1 Cloud deployments in Europe: cloudinfra-gw.portal.checkpoint.com
- For Smart-1 Cloud deployments in the United States: cloudinfra-gw-us.portal.checkpoint.com
- For Smart-1 Cloud deployments in the APAC: https://cloudinfra-gw.ap.portal.checkpoint.com
From version R80.40, there is an implied rule that always allows this traffic when working in the MaaS mode."

Apologies for being so confused!

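A way to sanity-check the ordering question raised in this thread, as an added example (not code from the thread or from Check Point): a toy first-match rulebase evaluator with the stealth and management rules discussed above plus the implied outbound MaaS rule quoted from the guide. The gateway IP, the admin networks and the <Service-Identifier> FQDN are constructed placeholders.

```python
# Added example (not from the thread or Check Point): first-match rulebase
# evaluator for the scenario above. Addresses, nets and the FQDN are
# constructed placeholders.
import ipaddress
from collections import namedtuple

GATEWAY = "192.0.2.1"                                    # constructed gateway IP
PRIVATE_NETS = ["10.0.0.0/8", "192.168.0.0/16"]          # constructed admin nets
MAAS_FQDN = "<Service-Identifier>.maas.checkpoint.com"   # placeholder per the guide

# src/dst entries: "any", "gateway", CIDR strings or an FQDN; service: "any" or ports
Rule = namedtuple("Rule", "name src dst service action")

def _match(entries, value):
    """True if any entry matches value (IP string, FQDN string or port int)."""
    for e in entries:
        if e == "any" or e == value or (e == "gateway" and value == GATEWAY):
            return True
        if isinstance(e, str) and "/" in e:
            try:
                if ipaddress.ip_address(value) in ipaddress.ip_network(e):
                    return True
            except ValueError:      # value is an FQDN, not an address
                pass
    return False

def evaluate(rulebase, src, dst, port):
    """First matching rule wins; an unmatched flow hits the implicit cleanup drop."""
    for r in rulebase:
        if _match(r.src, src) and _match(r.dst, dst) and _match(r.service, port):
            return r.name, r.action
    return "implicit cleanup", "drop"

def build_rulebase(mgmt_above_stealth=True):
    # The implied "First" rule (R80.40+ in MaaS mode) precedes the explicit rulebase;
    # the MaaS flow is gateway -> cloud, so the stealth rule (dst = gateway) never matches it.
    implied = Rule("implied MaaS outbound", ["gateway"], [MAAS_FQDN], [443], "accept")
    mgmt = Rule("management", PRIVATE_NETS, ["gateway"], [22, 443], "accept")
    stealth = Rule("stealth", ["any"], ["gateway"], ["any"], "drop")
    return [implied] + ([mgmt, stealth] if mgmt_above_stealth else [stealth, mgmt])

def demo():
    good, bad = build_rulebase(True), build_rulebase(False)
    return {
        "maas_callhome":  evaluate(good, GATEWAY, MAAS_FQDN, 443),       # accept
        "internet_to_gw": evaluate(good, "198.51.100.7", GATEWAY, 443),  # stealth drop
        "admin_to_gaia":  evaluate(good, "10.1.2.3", GATEWAY, 443),      # management accept
        "admin_lockout":  evaluate(bad, "10.1.2.3", GATEWAY, 22),        # stealth above mgmt: drop
    }
```

The "admin_lockout" flow is the case the thread worries about: with the stealth rule ordered above the management rule, admins on the private nets lose access to Gaia while the outbound MaaS connection keeps working.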
the_rock
Legend

Here is what I got 🙂

Andy

[Screenshot: Screenshot_1.png]

LazarusG
Contributor

Awesome - it is quite an impressive feature!

I would say that it would be nice for the documentation to have an example policy for onboarding.

the_rock
Legend

Yes, absolutely, it's a fantastic feature.

Andy

the_rock
Legend

Forgot to paste below, it's just another question that auto-populated, but makes sense 🙂

Andy

[Screenshot: Screenshot_1.png]
