Best Practices - vSEC Gateway for NSX
Solution

Table of Contents:

  • Example Environment
  • Initial Installation
    • Installing the Management Server Hotfix
  • Configuring the VMware Components
    • Configuring Agent VM
    • Adding the vCenter IP Address to the Runtime Settings
  • Deploying the vSEC Gateway SVM
    • Creating a vSEC Gateway IP Address Pool
    • Registering a vSEC Gateway Service
  • Deploying vSEC Gateway with the vSphere Web Client
    • Creating a vSEC Gateway IP Address Pool
    • Deploying the Service
  • Configuring NSX to Redirect traffic to the vSEC Gateway
    • Creating a Security Group and an IP Set
    • Creating vSEC Cluster Objects
    • Redirecting traffic to Check Point and installing policy
  • Troubleshooting


Example Environment

To best explain the configuration steps, we use the network diagram below.
Hercules1 and Hercules2 are Virtual Machines (VMs) protected by the vSEC gateways. This means that traffic arriving FROM and going TO these Virtual Machines is redirected to vSEC for inspection.


Initial Installation

Installing the Management Server Hotfix

Install the Hotfix on Gaia R77.30 Security Management Server and R77.20/R77.30 Security Gateways. It is required for both the vSEC Gateway and the vSEC Controller. The version must be GA (no Hotfix). If a previous Hotfix is installed, consult with Check Point before you install this Hotfix. This Hotfix may overwrite custom features of an earlier installed R77.20 Hotfix.



Configuring the VMware Components

Before you start these procedures, install and configure the required VMware component. You can install more than one ESXi host.

Configuring Agent VM

To use a local Datastore on multiple ESX hosts (recommended) for the vSEC Gateway, or to use a non-distributed vSwitch for vSEC Gateway communication with the Security Management Server, you must configure the Agent VM settings.

Adding the vCenter IP Address to the Runtime Settings

VMware requires you to add the vCenter IP address to the Runtime Settings tab on the vCenter Server Settings page.


Deploying the vSEC Gateway SVM

The Check Point Management server must have network connectivity to the vCenter server and NSX Manager during the registration steps.
The ESX hosts must have full connectivity with the vCenter server during the deployment procedure.

Installing the OVF Package and Configuring Global Parameters

The vSEC Gateway OVF package includes:

  • <file_name>.ovf
  • <file_name>.vmdk
  • <file_name>.mf

Registering a vSEC Gateway Service and Host Preparation


Deploying vSEC Gateway with the vSphere Web Client

After you complete service registration, you can deploy the vSEC Gateway with the vSphere Web Client. See the VMware documentation to learn more about service deployment.

Creating a vSEC Gateway IP Address Pool

We recommend that you create a pool for automatic assignment of management interface IP addresses.

Deploying the Service

This procedure uses an Agent VM, for an environment with a local Datastore. If you will use an external Datastore, have its details ready before you begin.


Configuring NSX to Redirect traffic to the vSEC Gateway

This procedure shows the basic steps and options for configuring a Security Group. See the VMware documentation for conceptual information, detailed procedures and explanations of the different objects and options.


Creating a Security Group and an IP Set

Creating vSEC Cluster Objects

Create a cluster object with vSEC Gateway members. Each gateway automatically gets the license that is attached to the cluster.

Redirecting traffic to Check Point and installing policy

Configure the NSX security policy to redirect traffic to Check Point entities. Create rules in this policy in pairs:

  • Rule for traffic from the Security Group (Source = Security Group) 
  • Rule for traffic to the Security Group (Destination = Security Group)

Note: You can also configure redirection rules from Partner security services > Firewall.
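As an added example (not part of this article and not an NSX or Check Point API), the following Python check audits a rule set for the pairing rule described above: every Security Group referenced by the NSX security policy must have one rule redirecting traffic from it and one rule redirecting traffic to it. The rule records, the service name "CheckPoint-vSEC" and the group names are constructed for illustration; export your real rules into the same simplified shape before running it.

```python
from collections import defaultdict

VSEC_SERVICE = "CheckPoint-vSEC"  # hypothetical name of the registered vSEC service

# Constructed sample: Hercules-SG is correctly paired, DB-SG only has the
# "from" rule, and Web-SG has a rule that does not redirect at all.
SAMPLE_RULES = [
    {"name": "hercules-out", "source": "Hercules-SG", "destination": "any",
     "action": "redirect", "service": VSEC_SERVICE},
    {"name": "hercules-in", "source": "any", "destination": "Hercules-SG",
     "action": "redirect", "service": VSEC_SERVICE},
    {"name": "db-out", "source": "DB-SG", "destination": "any",
     "action": "redirect", "service": VSEC_SERVICE},
    {"name": "web-in", "source": "any", "destination": "Web-SG",
     "action": "do_not_redirect", "service": VSEC_SERVICE},
]


def find_redirect_gaps(rules, service=VSEC_SERVICE):
    """Return {security_group: [missing directions]} for every Security Group
    that is referenced by some rule but is not redirected to `service` in both
    directions ("from" = group as Source, "to" = group as Destination)."""
    referenced = set()
    redirected = defaultdict(set)
    for rule in rules:
        for group, direction in ((rule["source"], "from"),
                                 (rule["destination"], "to")):
            if group == "any":
                continue  # "any" is not a Security Group
            referenced.add(group)
            # Only a rule that actually redirects to the vSEC service counts;
            # a "do_not_redirect" rule leaves that direction uninspected.
            if rule["action"] == "redirect" and rule["service"] == service:
                redirected[group].add(direction)
    gaps = {}
    for group in sorted(referenced):
        missing = sorted({"from", "to"} - redirected[group])
        if missing:
            gaps[group] = missing
    return gaps


if __name__ == "__main__":
    for group, missing in find_redirect_gaps(SAMPLE_RULES).items():
        print(f"{group}: no redirect rule for traffic {', '.join(missing)} the group")
```

A group listed in the output is reachable in at least one direction without passing through the vSEC Gateway, which is what the paired-rule requirement is meant to prevent.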


Troubleshooting

How to verify that traffic is redirected and inspected by gateways.
