CheckPointSW · chkp-avivm · Sep 18, 2025 · Sep 17, 2025 · Sep 18, 2025
diff --git a/modules/nva_into_existing_hub/README.md b/modules/nva_into_existing_hub/README.md
@@ -43,6 +43,8 @@ module "example_module" {
         admin-shell                     = "/etc/cli.sh"
         sic-key                         = "xxxxxxxxxxxx"
         admin_SSH_key                   = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
+        maintenance_mode_password_hash  = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+        serial_console_password_hash    = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
         bgp-asn                         = "64512"
         custom-metrics                  = "yes"
         routing-intent-internet-traffic = "yes"
@@ -83,6 +85,8 @@ module "example_module" {
 | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;<br/>/bin/bash;<br/>/bin/csh;<br/>/bin/tcsh.<br/>**Default:** "/etc/cli.sh" |
 | **sic-key** | The Secure Internal Communication one time secret used to set up trust between the gateway object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long. |
 | **admin_SSH_key** | The public ssh key used for ssh connection to the NVA GW instances | string | ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx generated-by-azure. |
+| **serial_console_password_hash** | Optional parameter, used to enable serial console connection. In R81.10 and below, the serial console password is also used as the maintenance mode password. To generate password hash use the command `openssl passwd -6 PASSWORD` on Linux.<br/>**Note:** In Azure Virtual Wan there is currently no serial console on the Network Virtual Appliance, the serial console password will be used as a maintenance mode password in R81.10 and below. | string | |
+| **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions. To generate a password hash, use the command `grub2-mkpasswd-pbkdf2` on Linux. | string | |
 | **bgp-asn** | The BGP autonomous system number | string | 64512.<br/>**Default:** "64512" |
 | **custom-metrics** | Indicates whether CloudGuard Metrics will be use for gateway monitoring | string | yes;<br/>no.<br/>**Default:** "yes" |
 | **routing-intent-internet-traffic** | Set routing intent policy to allow internet traffic through the new nva | string | yes;<br/>no.<br/>Please verify routing-intent is configured successfully post-deployment.<br/>**Default:** "yes" |

diff --git a/modules/nva_into_existing_hub/main.tf b/modules/nva_into_existing_hub/main.tf
@@ -184,6 +184,12 @@ resource "azapi_resource" "managed-app" {
 			sshPublicKey = {
 			  value = var.admin_SSH_key
 			},
+			MaintenanceModePasswordHash = {
+			  value = var.maintenance_mode_password_hash
+			},
+			SerialConsolePasswordHash = {
+			  value = var.serial_console_password_hash
+			},
 			BGP = {
 			  value = var.bgp-asn
 			},

diff --git a/modules/nva_into_existing_hub/variables.tf b/modules/nva_into_existing_hub/variables.tf
@@ -117,6 +117,16 @@ variable "admin_SSH_key" {
   default = ""
 }
 
+variable "serial_console_password_hash" {
+  description = "Optional parameter, used to enable serial console connection. In R81.10 and below, the serial console password is also used as the maintenance mode password."
+  type = string
+}
+
+variable "maintenance_mode_password_hash" {
+  description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
+  type = string
+}
+
 variable "bgp-asn" {
   type    = string
   default = "64512"

diff --git a/modules/nva_into_new_vwan/README.md b/modules/nva_into_new_vwan/README.md
@@ -46,6 +46,8 @@ module "example_module" {
     admin-shell                     = "/etc/cli.sh"
     sic-key                         = "xxxxxxxxxxxx"
     admin_SSH_key                   = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
+    maintenance_mode_password_hash  = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+    serial_console_password_hash    = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
     bgp-asn                         = "64512"
     custom-metrics                  = "yes"
     routing-intent-internet-traffic = "yes"
@@ -89,6 +91,8 @@ module "example_module" {
 | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;<br/>/bin/bash;<br/>/bin/csh;<br/>/bin/tcsh.<br/>**Default:** "/etc/cli.sh" |
 | **sic-key** | The Secure Internal Communication one time secret used to set up trust between the gateway object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long. |
 | **admin_SSH_key** | The public ssh key used for ssh connection to the NVA GW instances | string | ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx generated-by-azure. |
+| **serial_console_password_hash** | Optional parameter, used to enable serial console connection. In R81.10 and below, the serial console password is also used as the maintenance mode password. To generate password hash use the command `openssl passwd -6 PASSWORD` on Linux.<br/>**Note:** In Azure Virtual Wan there is currently no serial console on the Network Virtual Appliance, the serial console password will be used as a maintenance mode password in R81.10 and below. | string | |
+| **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions. To generate a password hash, use the command `grub2-mkpasswd-pbkdf2` on Linux. | string | |
 | **bgp-asn** | The BGP autonomous system number | string | 64512.<br/>**Default:** "64512" |
 | **custom-metrics** | Indicates whether CloudGuard Metrics will be use for gateway monitoring | string | yes;<br/>no.<br/>**Default:** "yes" |
 | **routing-intent-internet-traffic** | Set routing intent policy to allow internet traffic through the new nva | string | yes;<br/>no.<br/>Please verify routing-intent is configured successfully post-deployment.<br/>**Default:** "yes" |

diff --git a/modules/nva_into_new_vwan/main.tf b/modules/nva_into_new_vwan/main.tf
@@ -197,6 +197,12 @@ resource "azapi_resource" "managed-app" {
         sshPublicKey = {
           value = var.admin_SSH_key
         },
+        MaintenanceModePasswordHash = {
+          value = var.maintenance_mode_password_hash
+        },
+        SerialConsolePasswordHash = {
+          value = var.serial_console_password_hash
+        },
         BGP = {
           value = var.bgp-asn
         },

diff --git a/modules/nva_into_new_vwan/variables.tf b/modules/nva_into_new_vwan/variables.tf
@@ -128,6 +128,16 @@ variable "admin_SSH_key" {
   default = ""
 }
 
+variable "serial_console_password_hash" {
+  description = "Optional parameter, used to enable serial console connection. In R81.10 and below, the serial console password is also used as the maintenance mode password."
+  type = string
+}
+
+variable "maintenance_mode_password_hash" {
+  description = "Maintenance mode password hash, relevant only for R81.20 and higher versions."
+  type = string
+}
+
 variable "bgp-asn" {
   type    = string
   default = "64512"

diff --git a/modules/vmss_existing_vnet/variables.tf b/modules/vmss_existing_vnet/variables.tf
@@ -289,7 +289,7 @@ variable "frontend_port" {
 variable "backend_port" {
   description = "Port that will be exposed to the external Load Balance"
   type = string
-  default = "8081"
+  default = "80"
 }
 
 variable "frontend_load_distribution" {

diff --git a/modules/vmss_new_vnet/variables.tf b/modules/vmss_new_vnet/variables.tf
@@ -278,7 +278,7 @@ variable "frontend_port" {
 variable "backend_port" {
   description = "Port that will be exposed to the external Load Balance"
   type = string
-  default = "8081"
+  default = "80"
 }
 
 variable "frontend_load_distribution" {