R80 vSEC Controller v1

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk111963
Technical Level
Product	vSEC Controller
Version	R80
OS	Gaia
Platform / Model	All
Date Created	14-Jul-2016
Last Modified	15-Jul-2019

Solution

Table of Contents

What's New
Resolved Issues
Introduction
Installation Instructions
Documentation
Revision History

	For more information on Check Point releases refer to: release map, upgrade map, backward compatibility map.
	For more information on R80 vSEC Controller v1, refer to: R80 vSEC Controller v1 Release Notes R80 vSEC Controller v1 Known Limitations You can also visit our vSEC forum or any other Check Point discussion forum to ask questions and get answers from technical peers and Support experts.

What's New in R80 vSEC Controller v1

Support for vSEC for Cisco ACI (sk111969).
Improved visibility. Changes to integrated systems show immediately in SmartConsole.
R80 Web API enhanced for vSEC objects and commands.
Improved performance and Software Blade support.
Improved infrastructure for enforcement and logging.
Support of multiple NSX servers for one Security Management Servers.

Resolved Issues

Note: For Known Limitations, refer to R80 vSEC Controller v1 Known Limitations.

ID	Symptoms
vSEC Controller
-	R80 vSEC Controller supports up to 1000 virtual objects in the Data Center Server. Performance may be affected if you have more objects.
01680567	If the Virtual Machine belongs to more than one Data Center Group, the name in the vSEC Gateway log can be associated with the wrong Data Center Group.
01682838	Certificates are not transferred between High Availability members. If the import menu freezes, then reset SIC between the CMS and Security Management Server / Domain Management Server.
01682786	If you click "show 20 more" in the cloud object import list, there are duplicate entries. This issue is fixed if you close the picker window and open it again.
01680565; 01625764; 01618134	Data Center Group content is not synchronized with VMware vCenter.
Management High Availability
01951398	High Availability of Multi-Domain Security Management Servers is not supported.
01682838	Certificates are not transferred between High Availability members. If the import menu freezes, then reset SIC between the CMS and Security Management Server / Domain Management Server.

Introduction

This section describes the R80 vSEC Controller v1 components:

Component	Description
*Mandatory*: R80 vSEC Controller v1 Hotfix and R80 vSEC Controller v1 Enforcer Hotfix and R80 SmartConsole	R80 vSEC Controller Hotfix must be installed on R80 Security Management Server / Multi-Domain Security Management Server (which makes it a vSEC Controller server) in order to fetch Data Center objects from VMware NSX / VMware vCenter, Cisco APIC, and use them in Check Point policy. R80 Security Management Server / Multi-Domain Security Management Server with installed R80 vSEC Controller v1 Hotfix is able: to fetch Data Center objects from VMware NSX / VMware vCenter, and Cisco APIC. to manage only the following Security Gateways: Security Gateways R77.30 and R77.20 only, with installed vSEC Controller Enforcer Hotfix, whose policy contains Data Center objects Security Gateways R75.20 and above, whose policy must not contain any Data Center objects vSEC Controller v1 Hotfix must be installed on Check Point Security Management Server / Multi-Domain Security Management Server (which makes it a vSEC Controller) in order to fetch Data Center objects from VMware NSX / VMware vCenter, and Cisco APIC, and use them in Check Point policy.
	R80 vSEC Controller v1 Enforcer Hotfix must be installed on Check Point Security Gateway to turn it into vSEC Gateway and accept a policy that contains Data Center objects from the vSEC Controller.
	SmartConsole for vSEC Controller server is the graphical UI for controlling and configuring the Check Point Management Server and its managed Check Point Security Gateways. The improved SmartConsole for vSEC Controller server allows the administrator to create and work with Data Center objects.
*Optional*: R80 vSEC Service Registration Hotfix	This package installs modules on Check Point vSEC Controller server that are required by VMware NSX / Cisco ACI. R80 vSEC Controller with installed R80 vSEC Service Registration Hotfix is able: to deploy Check Point service in Hypervisor Mode to VMware NSX (using OVF), and to Cisco ACI. to manage vSEC Gateways for VMware NSX in Hypervisor Mode (sk111966). to manage vSEC Gateways for Cisco ACI (sk111969).

Refer to the following illustration:

Installation Instructions

Install R80 vSEC Controller v1:

Install Take_113 of Check Point R80.
Show / Hide the Notes
- Only Take 113 and lower of R80 release are supported.
- Only Take_29 of R80 Jumbo Hotfix Accumulator for R80 is supported (it is integrated into Take_113 of R80).
- For lower released Takes of R80 (lower than Take_113), it is also required to manually install Take 29
  of R80 Jumbo Hotfix Accumulator (contact Check Point Support to get this Take_29).

Install R80 vSEC Controller v1 Hotfix on R80 Security Management Server / Multi-Domain Security Management Server:

Package ^(a)	CPUSE Online Identifier ^(b)	CPUSE Offline ^(c,d)
vSEC Controller v1 Hotfix for R80 Security Management Server and Multi-Domain Security Management Server	Check_Point_R80_vSEC_Controller_Hotfix1_FULL.tgz	(TGZ)

Show / Hide the Notes

Effective July 27, 2016, vSEC Controller v1 Hotfix has been replaced resolving sk112616.
For CPUSE Online installation instructions, refer to sk92449 - sections (4-A-a) / (4-A-b) and (4-B-a).
Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).
Legacy CLI installation is not supported.

Install R80 SmartConsole for R80 vSEC Controller v1:

Package Link

R80 SmartConsole for R80 vSEC Controller v1 (EXE)

Install R77.20 / R77.30 Security Gateway and R80 SEC Controller v1 Enforcer hotfix:

Install R77.20 / R77.30 Security Gateway with Jumbo Hotfix Accumulator:
- Either install Security Gateway R77.30 GA on Gaia OS
  and optionally Jumbo Hotfix Accumulator for R77.30 - Take_185 and above
- Or install Security Gateway R77.20 GA on Gaia OS
  and optionally Jumbo Hotfix Accumulator for R77.20 - Take_99 and above
Note: Installation of Jumbo Hotfix Accumulator for R77.20 / R77.30 is recommended, but not mandatory.

Install R80 vSEC Controller v1 Enforcer Hotfix on R77.20 / R77.30 Security Gateway:

Package	CPUSE Online Identifier	CPUSE Offline	Legacy CLI
vSEC Controller v1 Enforcer hotfix for Security Gateway R77.30 ^(a)	Check_Point_R77.30_vSEC_Controller_Enforcer_Hotfix_FULL.tgz ^(c)	(TGZ) ^(d,e)	(TGZ) ^(f)
vSEC Controller v1 Enforcer hotfix for Security Gateway R77.20 ^(b)	N / A ^(g)	N / A ^(g)	(TGZ) ^(f)

Show / Hide the Notes

This package of R80 vSEC Controller v1 Enforcer Hotfix for R77.30 Security Gateway can be installed:
- either on top of R77.30 GA,
- or on top of Take_185 (and above) of R77.30 Jumbo Hotfix Accumulator
(otherwise, the installation of the R80 vSEC Controller v1 Enforcer Hotfix would fail)
This package of R80 vSEC Controller v1 Enforcer Hotfix for R77.20 Security Gateway can be installed:
- on top of R77.20 GA,
- or on top of Take_99 (and above) of R77.20 Jumbo Hotfix Accumulator
(otherwise, the installation of the R80 vSEC Controller v1 Enforcer Hotfix would fail)
For CPUSE Online installation instructions, refer to sk92449 - sections (4-A-a) / (4-A-b) and (4-B-a).
Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).
Legacy CLI installation instructions:
1. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).
2. Unpack and install the hotfix package:
  [Expert@HostName:0]# cd /some_path_to_fix/
  [Expert@HostName:0]# tar -zxvf Check_Point_<Version>_vSEC_Controller_Enforcer_Hotfix1_Gaia_sk111963.tgz
  [Expert@HostName:0]# ./fw1_wrapper_<HOTFIX_NAME>
  Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
3. Reboot the machine.
On R77.20 Security Gateway, only Legacy CLI installation is supported.

Documentation

Revision History

Show / Hide the revision history

Date	Description
15 July 2019	Link to Release map was replaced
05 Apr 2017	Minor improvements in text
21 Mar 2017	Update the package of "vSEC Controller v1 Enforcer hotfix for Security Gateway R77.30"
27 Feb 2017	Minor text corrections
26 Feb 2017	Minor text corrections
15 Jan 2017	Updated the link to Take_113 of R80
30 Nov 2016	Added a note that: only Take 113 and lower of R80 release are supported on R80 Takes lower than 113, only Take_29 of R80 Jumbo Hotfix is supported other Takes of R80 Jumbo Hotfix are not supported
11 Aug 2016	Added reference to sk112855
27 July 2016	R80 vSEC Controller Hotfix has been replaced resolving sk112616
21 July 2016	Added references to: sk111966 - vSEC for NSX R80 sk111969 - vSEC for ACI R80
20 July 2016	Minor text corrections Added Legacy CLI instructions for R80 vSEC Controller v1 Enforcer Hotfix
14 July 2016	First release of this article

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating