Firewall Interface Specifications

Check Point Specifications

Cloud Provider	Check Point VM Instance Interfaces	Description	Inbound Security Group Rule
AWS	eth0 (on subnet -Public-FW-ingress-egress-AZ-a) eth1 (on subnet -dmz-firewall)	Egress or Untrusted Interface (Egress Interface is used as the management interface) LAN or Trusted Interface	Controller version lower than 7.0.1577: Allow ALL from 0.0.0.0/0 Controller version 7.0.1577 and above: TCP 443, TCP 22
Azure	eth0 (on subnet -Public-FW-ingress-egress) eth1 (on subnet -dmz-firewall)	Egress or Untrusted Interface LAN or Trusted Interface	Allow ALL Allow ALL (do not change)

Cloud Provider

Check Point VM Instance Interfaces

Description

Inbound Security Group Rule

AWS

eth0 (on subnet -Public-FW-ingress-egress-AZ-a)

eth1 (on subnet -dmz-firewall)

Egress or Untrusted Interface (Egress Interface is used as the management interface)

LAN or Trusted Interface

Controller version lower than 7.0.1577: Allow ALL from 0.0.0.0/0

Controller version 7.0.1577 and above: TCP 443, TCP 22

Azure

eth0 (on subnet -Public-FW-ingress-egress)

eth1 (on subnet -dmz-firewall)

Egress or Untrusted Interface

LAN or Trusted Interface

Allow ALL

Allow ALL (do not change)

FortiGate Specifications

Cloud Provider	FortiGate VM Interfaces	Description	Inbound Security Group Rule
AWS	eth0 (on subnet -Public-FW-ingress-egress-AZ-a) eth1 (on subnet -dmz-firewall)	Egress or Untrusted Interface LAN or Trusted Interface	Controller version lower than 7.0.1577: Allow ALL Controller version 7.0.1577 and higher: TCP 443 is allowed from the Controller’s public or private IP
Azure	eth0 (on subnet -Public-FW-ingress-egress) eth1 (on subnet -dmz-firewall)	Egress or Untrusted Interface LAN or Trusted Interface	Allow ALL Allow ALL (do not change)

Cloud Provider

FortiGate VM Interfaces

Description

Inbound Security Group Rule

AWS

eth0 (on subnet -Public-FW-ingress-egress-AZ-a)

eth1 (on subnet -dmz-firewall)

Egress or Untrusted Interface

LAN or Trusted Interface

Controller version lower than 7.0.1577: Allow ALL

Controller version 7.0.1577 and higher: TCP 443 is allowed from the Controller’s public or private IP

Azure

eth0 (on subnet -Public-FW-ingress-egress)

eth1 (on subnet -dmz-firewall)

Egress or Untrusted Interface

LAN or Trusted Interface

Allow ALL

Allow ALL (do not change)

Palo Alto Specifications

Palo Alto firewall versions greater than 9.1.3 are supported in the GCP Transit FireNet configuration if you select one of the available Flex Next-Generation firewall options.

Cloud Provider	Header 2	Header 3	Header 4
AWS	eth0 (on subnet -Public-FW-ingress-egress-AZ-a) eth1 (on subnet -Public-gateway-and-firewall-mgmt-AZ-a) eth2 (on subnet -dmz-firewall)	Egress or Untrusted Interface Management Interface LAN or Trusted Interface	Allow ALL Controller version lower than 7.0.1577: Allow SSH, HTTPS, ICMP, TCP 3978
Azure	eth0 (on subnet -Public-gateway-and-firewall-mgmt) eth1 (on subnet -Public-FW-ingress-egress) eth2 (on subnet -dmz-firewall)	Management Interface Egress or Untrusted Interface LAN or Trusted Interface	Allow SSH, HTTPS, ICMP, TCP 3978 Allow ALL Allow ALL (do not change)
GCP	nic0 nic1 nic2	Egress or Untrusted Interface Management Interface LAN or Trusted Interface	Allow ALL Allow SSH, HTTPS, ICMP, TCP 3978 Allow ALL (do not change)

Cloud Provider

Header 2

Header 3

Header 4

AWS

eth0 (on subnet -Public-FW-ingress-egress-AZ-a)

eth1 (on subnet -Public-gateway-and-firewall-mgmt-AZ-a)

eth2 (on subnet -dmz-firewall)

Egress or Untrusted Interface

Management Interface

LAN or Trusted Interface

Allow ALL

Controller version lower than 7.0.1577: Allow SSH, HTTPS, ICMP, TCP 3978

Azure

eth0 (on subnet -Public-gateway-and-firewall-mgmt)

eth1 (on subnet -Public-FW-ingress-egress)

eth2 (on subnet -dmz-firewall)

Management Interface

Egress or Untrusted Interface

LAN or Trusted Interface

Allow SSH, HTTPS, ICMP, TCP 3978

Allow ALL

Allow ALL (do not change)

GCP

nic0

nic1

nic2

Egress or Untrusted Interface

Management Interface

LAN or Trusted Interface

Allow ALL

Allow SSH, HTTPS, ICMP, TCP 3978

Allow ALL (do not change)