
CloudGuard Controller for Microsoft Azure

CloudGuard Controller integrates the Microsoft Azure cloud with Check Point security.

The Check Point Data Center Server connects to the Microsoft Azure cloud and retrieves object data.

The CloudGuard Controller updates IP addresses and other object properties in the Data Center Objects group.

Connecting to a Microsoft Azure Data Center Server

1. In SmartConsole, create a new Data Center object in one of these ways:

  • In the top left corner, click Objects menu > More object types > Server > Data Center > New Microsoft Azure.
  • In the top right corner, click Objects Pane > New > More > Server > Data Center > Microsoft Azure.

2. In the Enter Object Name field, enter the desired name.

3. Select the applicable authentication method:

  • Service Principal
  • Azure AD User Authentication

  If you choose Service Principal (default):

    1. In the Application ID field, enter the Service Principal application (client) ID, in UUID format.
    2. In the Application Key field, enter the Service Principal secret.
    3. In the Directory ID field, enter the Tenant ID of the Service Principal, in UUID format.

  You can create the Service Principal in the Azure Portal, with Azure PowerShell, or with the Azure CLI.

  If you choose Azure AD User Authentication:

    1. In the Username field, enter the Microsoft Azure credential in the format <username>@<domain>.

      The account must be a work or school account.

    2. In the Password field, enter the password for that Microsoft Azure account.

  The minimum recommended permission for the identity is the Reader role. Reader is sufficient because the Controller only reads Azure object data; a broader role such as Contributor or Owner is not needed. Assign Reader in one of these ways:

  • On every Resource Group from which you want to import objects
  • On the subscription, so that it covers all Resource Groups in it

  Note - With fewer permissions, some of the functionality might not work.

4. Click Test Connection.

5. Click OK.

6. Import objects from your Microsoft Azure server into your policy (for more about these objects, see the next sections):

  • Network by Subscriptions - Import VNets, subnets, Virtual Machines or VMSSs.
  • Network Security Groups (NSG) - Import all IP addresses that belong to a specific NSG.

    The NSG is used only as a container for the list of all IP addresses (assigned to NICs and subnets) that are attached to this group. The NSG's own allow/deny rules are not imported.

  • Tags - Import all the IP addresses of Virtual Machines and VMSSs that carry specific tag keys and values.

  Note - All changes in Microsoft Azure are updated automatically in the Check Point security policy. Because membership in a Tags object is decided by the tag values on the Azure resource, a user with permission to change Resource Tags in Microsoft Azure can move a Virtual Machine into or out of a Data Center object and thereby change the access that the policy grants it. Treat tag write permission on those resources as security-sensitive.

7. Install the Access Control Policy.
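As an added example (this is not code from Check Point or Microsoft), the script below creates the Service Principal used in step 3 with the Azure CLI, assigning only the Reader role either on the whole subscription or on the named Resource Groups, checks that the returned Application ID and Directory ID are UUIDs as the SmartConsole dialog expects, and lists the resulting role assignments so you can confirm nothing broader was granted. It assumes the Azure CLI (`az`) is installed and already logged in with an identity allowed to create app registrations and role assignments; the Service Principal name and the Resource Group names are placeholders passed on the command line.

```shell
#!/usr/bin/env bash
# Added example (not Check Point's or Microsoft's code). Creates the Service
# Principal that the Microsoft Azure Data Center object authenticates with,
# granting only the Reader role at subscription scope or at the scope of the
# Resource Groups the Controller will import from, then prints the three
# values SmartConsole asks for. Assumes the Azure CLI ('az') is installed and
# logged in (az login); the SP name and Resource Group names are placeholders.
set -eu

# Application ID and Directory (tenant) ID must be pasted as UUIDs; reject
# anything else before it reaches the SmartConsole dialog.
is_uuid() {
  printf '%s\n' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'
}

# ARM scope strings for the two ways the guide allows assigning Reader.
subscription_scope()   { printf '/subscriptions/%s' "$1"; }
resource_group_scope() { printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"; }

# Emit the scopes to assign, one per line: one per Resource Group when names
# are given, otherwise the whole subscription.
reader_scopes() {
  sub=$1; shift
  if [ "$#" -eq 0 ]; then
    subscription_scope "$sub"; printf '\n'
  else
    for rg in "$@"; do resource_group_scope "$sub" "$rg"; printf '\n'; done
  fi
}

# Number of scopes that will receive a Reader assignment.
scope_count() { reader_scopes "$@" | wc -l | tr -d ' '; }

create_cloudguard_sp() {
  name=$1; shift
  sub=$(az account show --query id -o tsv)
  scopes=$(reader_scopes "$sub" "$@" | tr '\n' ' ')
  echo "Assigning Reader on: $scopes" >&2

  # Output fields map onto the SmartConsole dialog:
  #   appId -> Application ID, password -> Application Key, tenant -> Directory ID
  # shellcheck disable=SC2086  # $scopes is intentionally word-split
  az ad sp create-for-rbac --name "$name" --role Reader --scopes $scopes \
     --query '[appId,password,tenant]' -o tsv | {
    IFS="$(printf '\t')" read -r app_id app_key tenant_id
    is_uuid "$app_id"    || { echo "unexpected appId: $app_id" >&2; exit 1; }
    is_uuid "$tenant_id" || { echo "unexpected tenant: $tenant_id" >&2; exit 1; }
    printf 'Application ID : %s\nApplication Key: %s\nDirectory ID   : %s\n' \
      "$app_id" "$app_key" "$tenant_id"

    # Confirm exactly what was granted before pasting the values into SmartConsole;
    # anything other than "Reader" here means the SP is over-privileged.
    for s in $scopes; do
      echo "Roles on $s:" >&2
      az role assignment list --assignee "$app_id" --scope "$s" \
        --query '[].roleDefinitionName' -o tsv
    done
  }
}

case "${1:-}" in
  --create) shift; create_cloudguard_sp "$@" ;;  # only touch Azure when asked
  *) ;;
esac
```

Run it as `./make-cloudguard-sp.sh --create cloudguard-controller` for subscription scope, or `./make-cloudguard-sp.sh --create cloudguard-controller rg-prod rg-shared` to scope Reader to those Resource Groups only; paste the three printed values into the Application ID, Application Key and Directory ID fields and click Test Connection. The Application Key is displayed once and cannot be read back from Azure later, so store it in your secrets vault rather than leaving it in shell history.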

Microsoft Azure Objects

Objects

Subscription - Helps you organize access to your cloud components.

Virtual Network - Represents your Microsoft Azure Virtual Network (VNet) in the cloud.

Subnet - A range of IP addresses in a VNet. A VNet can be divided into many subnets.

Virtual Machine (VM) - A virtual computing environment.

Virtual Machine Scale Set (VMSS) - Manages a group of identically configured Virtual Machines whose count can grow or shrink automatically.

Resource Group - Holds the components of your subscription as a group.

Network Security Group (NSG) - Contains a list of Access Control List (ACL) rules that allow or deny network traffic to the Virtual Machine instances in a Virtual Network. An NSG can be associated with a subnet or with individual Virtual Machine instances (their network interfaces) within that subnet.

Imported Properties

Name - Name of the object and of its Resource Group, in the format obj_name (obj_resource_group_name). You can edit the name after importing the object.

Name in server - Name of the object and of its Resource Group as they appear in Microsoft Azure, in the format obj_name (obj_resource_group_name).

Type in server - The object type in Microsoft Azure.

IP address - The IP addresses of a Virtual Machine or VMSS. For subnets, NSGs or Tags, the field contains the list of all IP addresses in that container.

Note - The address prefixes (CIDR ranges) of VNets and subnets.

URI - The object path in Microsoft Azure.

Tags - Keys and values attached to the object.

Location - The Azure region (physical location) of the object.

Auto Scaling in Microsoft Azure

The Microsoft Azure Auto Scaling service, together with the Check Point Auto Scaling group, increases or decreases the number of CloudGuard Gateways according to the current load.

CloudGuard Controller for Microsoft Azure works with the Check Point Auto Scaling Group: the Check Point Security Management Server updates the Data Center objects automatically on the gateways in the Auto Scaling group, including gateways added by a scale-out.

Enable the Identity Awareness Software Blade as explained in Auto Scaling in Microsoft Azure, sk115533, Section 6-A - Enabling additional Software Blades.