Support Center > Search Results > SecureKnowledge Details
R80 vSEC Controller v1
Solution

Table of Contents

  • What's New
  • Resolved Issues
  • Introduction
  • Installation Instructions
  • Documentation
  • Revision History

 

For more information on Check Point releases refer to: release map, upgrade map, backward compatibility map.
For more information on R80 vSEC Controller v1, refer to:
You can also visit our vSEC forum or any other Check Point discussion forum to ask questions and get answers from technical peers and Support experts.

 

What's New in R80 vSEC Controller v1

  • Support for vSEC for Cisco ACI (sk111969).
  • Improved visibility. Changes to integrated systems show immediately in SmartConsole.
  • R80 Web API enhanced for vSEC objects and commands.
  • Improved performance and Software Blade support.
  • Improved infrastructure for enforcement and logging.
  • Support of multiple NSX servers for one Security Management Servers.

 

Resolved Issues

Note: For Known Limitations, refer to R80 vSEC Controller v1 Known Limitations.

ID Symptoms
vSEC Controller
- R80 vSEC Controller supports up to 1000 virtual objects in the Data Center Server. Performance may be affected if you have more objects.
01680567 If the Virtual Machine belongs to more than one Data Center Group, the name in the vSEC Gateway log can be associated with the wrong Data Center Group.
01682838 Certificates are not transferred between High Availability members. If the import menu freezes, then reset SIC between the CMS and Security Management Server / Domain Management Server.
01682786 If you click "show 20 more" in the cloud object import list, there are duplicate entries. This issue is fixed if you close the picker window and open it again.
01680565;
01625764;
01618134
Data Center Group content is not synchronized with VMware vCenter.
Management High Availability
01951398 High Availability of Multi-Domain Security Management Servers is not supported.
01682838 Certificates are not transferred between High Availability members. If the import menu freezes, then reset SIC between the CMS and Security Management Server / Domain Management Server.

 

Introduction

This section describes the R80 vSEC Controller v1 components:

Component Description

Mandatory:

R80 vSEC Controller v1 Hotfix

and

R80 vSEC Controller v1 Enforcer Hotfix

and

R80 SmartConsole

R80 vSEC Controller Hotfix must be installed on R80 Security Management Server / Multi-Domain Security Management Server (which makes it a vSEC Controller server) in order to fetch Data Center objects from VMware NSX / VMware vCenter, Cisco APIC, and use them in Check Point policy.

R80 Security Management Server / Multi-Domain Security Management Server with installed R80 vSEC Controller v1 Hotfix is able:

  • to fetch Data Center objects from VMware NSX / VMware vCenter, and Cisco APIC.

  • to manage only the following Security Gateways:

    • Security Gateways R77.30 and R77.20 only, with installed vSEC Controller Enforcer Hotfix, whose policy contains Data Center objects
    • Security Gateways R75.20 and above, whose policy must not contain any Data Center objects

vSEC Controller v1 Hotfix must be installed on Check Point Security Management Server / Multi-Domain Security Management Server (which makes it a vSEC Controller) in order to fetch Data Center objects from VMware NSX / VMware vCenter, and Cisco APIC, and use them in Check Point policy.

R80 vSEC Controller v1 Enforcer Hotfix must be installed on Check Point Security Gateway to turn it into vSEC Gateway and accept a policy that contains Data Center objects from the vSEC Controller.

SmartConsole for vSEC Controller server is the graphical UI for controlling and configuring the Check Point Management Server and its managed Check Point Security Gateways.
The improved SmartConsole for vSEC Controller server allows the administrator to create and work with Data Center objects.

Optional:

R80 vSEC Service Registration Hotfix

This package installs modules on Check Point vSEC Controller server that are required by VMware NSX / Cisco ACI.

R80 vSEC Controller with installed R80 vSEC Service Registration Hotfix is able:

  • to deploy Check Point service in Hypervisor Mode to VMware NSX (using OVF), and to Cisco ACI.

  • to manage vSEC Gateways for VMware NSX in Hypervisor Mode (sk111966).

  • to manage vSEC Gateways for Cisco ACI (sk111969).

Refer to the following illustration:

 

Installation Instructions

  1. Install R80 vSEC Controller v1:

    1. Install Take_113 of Check Point R80.

      Show / Hide the Notes
    2. Install R80 vSEC Controller v1 Hotfix on R80 Security Management Server / Multi-Domain Security Management Server:

      Package (a) CPUSE
      Online Identifier (b)
      CPUSE
      Offline (c,d)
      vSEC Controller v1 Hotfix for R80 Security Management Server and
      Multi-Domain Security Management Server
      Check_Point_R80_vSEC_Controller_Hotfix1_FULL.tgz (TGZ)
      Show / Hide the Notes
      1. Effective July 27, 2016, vSEC Controller v1 Hotfix has been replaced resolving sk112616.
      2. For CPUSE Online installation instructions, refer to sk92449 - sections (4-A-a) / (4-A-b) and (4-B-a).
      3. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
      4. For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).
      5. Legacy CLI installation is not supported.
    3. Install R80 SmartConsole for R80 vSEC Controller v1:

      Package Link
      R80 SmartConsole for R80 vSEC Controller v1 (EXE)
  2. Install R77.20 / R77.30 Security Gateway and R80 SEC Controller v1 Enforcer hotfix:

    1. Install R77.20 / R77.30 Security Gateway with Jumbo Hotfix Accumulator:

      Note: Installation of Jumbo Hotfix Accumulator for R77.20 / R77.30 is recommended, but not mandatory.

    2. Install R80 vSEC Controller v1 Enforcer Hotfix on R77.20 / R77.30 Security Gateway:

      Package CPUSE
      Online Identifier
      CPUSE
      Offline
      Legacy
      CLI
      vSEC Controller v1 Enforcer hotfix
      for Security Gateway R77.30 (a)
      Check_Point_R77.30_vSEC_Controller_Enforcer_Hotfix_FULL.tgz (c) (TGZ) (d,e) (TGZ) (f)
      vSEC Controller v1 Enforcer hotfix
      for Security Gateway R77.20 (b)
      N / A (g) N / A (g) (TGZ) (f)
      Show / Hide the Notes
      1. This package of R80 vSEC Controller v1 Enforcer Hotfix for R77.30 Security Gateway can be installed:
        • either on top of R77.30 GA,
        • or on top of Take_185 (and above) of R77.30 Jumbo Hotfix Accumulator
        (otherwise, the installation of the R80 vSEC Controller v1 Enforcer Hotfix would fail)
      2. This package of R80 vSEC Controller v1 Enforcer Hotfix for R77.20 Security Gateway can be installed:
        • on top of R77.20 GA,
        • or on top of Take_99 (and above) of R77.20 Jumbo Hotfix Accumulator
        (otherwise, the installation of the R80 vSEC Controller v1 Enforcer Hotfix would fail)
      3. For CPUSE Online installation instructions, refer to sk92449 - sections (4-A-a) / (4-A-b) and (4-B-a).
      4. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
      5. For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).
      6. Legacy CLI installation instructions:
        1. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).
        2. Unpack and install the hotfix package:
          [Expert@HostName:0]# cd /some_path_to_fix/
          [Expert@HostName:0]# tar -zxvf Check_Point_<Version>_vSEC_Controller_Enforcer_Hotfix1_Gaia_sk111963.tgz
          [Expert@HostName:0]# ./fw1_wrapper_<HOTFIX_NAME>
          Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
        3. Reboot the machine.
      7. On R77.20 Security Gateway, only Legacy CLI installation is supported.

 

Documentation

 

Revision History

Show / Hide the revision history

Date Description
05 Apr 2017
  • Minor improvements in text
21 Mar 2017
  • Update the package of "vSEC Controller v1 Enforcer hotfix for Security Gateway R77.30"
27 Feb 2017
  • Minor text corrections
26 Feb 2017
  • Minor text corrections
15 Jan 2017
  • Updated the link to Take_113 of R80
30 Nov 2016
  • Added a note that:

    • only Take 113 and lower of R80 release are supported
    • on R80 Takes lower than 113, only Take_29 of R80 Jumbo Hotfix is supported
    • other Takes of R80 Jumbo Hotfix are not supported
11 Aug 2016
27 July 2016
  • R80 vSEC Controller Hotfix has been replaced resolving sk112616
21 July 2016
20 July 2016
  • Minor text corrections
  • Added Legacy CLI instructions for R80 vSEC Controller v1 Enforcer Hotfix
14 July 2016
  • First release of this article

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment