There are white papers published here about using a seperate policy server in your DMZ for this purpose. Depending on your existing licensing this may already be included within your entitlements.
Note if it's solely product updates of interest you have the ability to influence how those e.g A/V updates are received if the policy server or endpoint manager is unavailable i.e. direct from Check Point or other location.
Coming back to your original query yes it is something that is done by some customers (via NAT) depending on their internal policies, others may opt to achieve via VPN.
CCSM R77/R80/ELITE