Configuring Azure Virtual WAN

To prepare the Azure Virtual WAN for integration with Check Point CloudGuard Connect perform these steps:

  1. Create an Azure Virtual WAN for integration with Check Point.

  2. Select secured resources for integration with Check Point.

  3. Assign API Access for Check Point.

Creating an Azure Virtual WAN

To create an overlay network and provide optimized access between branch offices and Microsoft resources you must log into your Azure Portal and perform configuration steps.

For more information see the online guide.


  1. Define an Azure Virtual WAN that represents your overlay network.

  2. Create a regional hub.

    A regional hub concentrates connections from branch offices and VNets in a specific region. Select one of the Microsoft Azure geographic locations closest to your users or to your applications.

  3. Create any of these assets:

    • Site - A representation of your branch office. It optimizes access from your users in the branch office to Microsoft resources, for example, cloud SaaS applications and cloud data centers.

      1. Select an applicable branch office routing device vendor, for example, Cisco, Silver Peak, and more.

      2. Set up VPN tunnels between your branch device and the virtual site.

      3. Connect the site to the regional hub.

      4. (Optional) Download the Microsoft Point-to-Site client to optimize network traffic users outside the office or roaming users. The Point-to-Site client routes all of their traffic through Microsoft Azure Virtual WAN.

        Later, when we add Check Point security to the networking path, users outside of the branch office will be also secured.

    • VNet – A network in your Azure workspace. It that can host compute instances.

      Connect the VNet to the regional hub. It optimizes an access from your servers hosted in the VNet to other Microsoft resources.

Selecting Secured Resources in Azure Portal

Select specific resources for Check Point protection and secure their traffic.


  1. Go to Azure Firewall Manager.

  2. Go to Convert Existing Hubs.

  3. Select the regional hub with its traffic that you want to secure.

    Note - At this point this is just a declaration. In the actual configuration you select granular sites and VNets that need to have their traffic secured in later steps.


  4. Click Next - Azure Firewall.

  5. Click Next - Trusted Security Partner.

  6. Select Check Point.


  7. Click Next and complete the conversion.

  8. Go to Connections and select the site or the VNet you defined before (see Configuring Azure Virtual WAN).

  9. Select the site or the VNet and click Secure Internet Traffic.

Assigning API Access to Check Point

To complete the secure setup you must provide Check Point API access and link your Check Point portal to your Azure portal. For this purpose you must create a Service Principal. With this Service Principal Check Point fetches the assets you want to secure and creates an applicable cloud network security architecture that secures their traffic.

A service principal is defined by these parameters:

  • Password

  • Application ID

  • Subscription ID

  • Tenant ID

Use all the parameters in the next configuration step (see Launching Azure Virtual WAN Integration in the Check Point Infinity Portal).

For more information see the online guide.


  1. Go to Azure Active Directory.

  2. Go to App Registrations.


  3. Click New Registration

  4. In the Register an Application window set these parameters:

    • Name - Enter a free text that describes the target application. For example, Check Point CloudGuard Connect.

    • Supported Account Types - Select an applicable Account Type.

    Note - All fields marked with an asterisk (*) are mandatory.

  5. Click Register.


    Note - Next screen contains the Application ID and Tenant ID for our next configuration steps.

  6. Select the app registration created in the previous steps.

  7. Click Save.