R80.x vSEC Controller configuration parameters

Support Center > Search Results > SecureKnowledge Details

Solution ID	sk112855
Product	vSEC Controller
Version	R80, R80.10, R80.20
OS	Gaia
Platform / Model	All
Date Created	11-Aug-2016
Last Modified	07-Oct-2018

Solution

Table of Contents:

Background
Supported global parameters
Supported parameters for R80 vSEC Controller v1
Supported parameters for R80 vSEC Controller v2
Supported parameters for R80.10 vSEC Controller
Supported parameters for R80.10 CloudGuard Controller / vSEC Controller Hotfix v1 and R80.20
Related solutions
Revision history

Click Here to Show the Entire Article

(1) Background

R80.x vSEC Controller can be configured using various parameters in the $VSECDIR/conf/vsec.conf file.

Important Note: All configuration values are being read from the $VSECDIR/conf/vsec.conf file only once - when vSEC Controller is being loaded. In case one of the parameters was changed, administrator should run the relevant command from the "Command to update the parameter's value" column.

The following sections provide the list of parameters, parameter's description, possible values, and the command to force the parameter's update.

(2) Supported global parameters

Show / Hide this section

Notes:

The global section of the $VSECDIR/conf/vsec.conf file starts with:
# Global scanner
The global section was added starting in R80 vSEC Controller v2 and R80.10 vSEC Controller.
Every parameter in the global section will affect every Data Center type, unless the parameter is changed in the specific Data Center type section.

To change the values of the global parameters for a specific Data Center type, add an additional parameter
in the corresponding section for that Data Center type with the relevant prefix: nsx., vcenter., aws., azure., openstack., and apic..
For example, to change the value of the global.connectTimeoutInMilliseconds from 30000 to 20000 for Cisco ACI Data Center type,
add apic.connectTimeoutInMilliseconds=20000 in the "# ACI scanner config" section.
If a specific parameter is deleted from the specific Data Center type section, the value is taken from the global section, only for that relevant parameter.

Parameter	Default value	Min / Max value	Unit	Description	Command to reload the parameter's value
global.scannerInterval	30	min: 1	second	This parameter is relevant for scanners, which work in "polling" mode without notifications. Every Data Center (NSX/ACI) has a scanner that should be synchronized with it. Every X seconds the scanner pulls data automatically.	vsec_controller_stop
global.connectTimeoutInMilliseconds	30000	min: 5000	millisecond	Specifies the maximum timeout when establishing a connection with a Data Center.
global.readTimeoutInMilliseconds	120000	min: 5000	millisecond	Specifies the maximum read timeout when a connection is established for reading Data Center objects.

(3) Supported parameters for R80 vSEC Controller v1

Show / Hide this section

This section provides the list of parameters supported by the R80 vSEC Controller v1.

In addition, refer to section "(2) Supported global parameters".

Parameter	Default value	Min / Max value	Unit	Description	Command to reload the parameter's value
wsPort	999	-	-	Web Service port for Proxy, which is responsible of handling Data Centers. Note: It is not recommended to change the value of this parameter.	cprestart
enforcementUpdateIntervalTime	10	min: 1	second	The time, during which the vSEC Controller will enforce Data Center objects onto the vSEC Gateway. The action itself also takes time - the value you enter is just describing the initiation of the enforcement action.	vsec_controller_stop
enforcementSessionTimeoutInMinutes	4320	min: 5 max: 43200	minute	The value assigned to this parameter represents the time, during which the session exists on the vSEC Gateway. When there is no connectivity between the vSEC Controller and the vSEC Gateway, the value assigned to this parameter will not be updated by vSEC Controller. Then, the session will be considered empty, and the enforcement of rules that contain Data Center object will ignore it and keep to a next rule.	vsec_controller_stop
scannerInterval	30	min: 1	second	This parameter is relevant for scanners which work in "polling" mode and not with notifications. Each Data Center (e.g., NSX / ACI) has a scanner that should be synchronized with it. Every X seconds the scanner will pull data automatically.	vsec_controller_stop
autoUpdateIntervalInSeconds	30	min: 5	second	The autoUpdate checks the status of all the dataCenterObjects that were imported once in X seconds and update the delta (e.g., objects were deleted, IP address was changed, etc.).	cprestart

(4) Supported parameters for R80 vSEC Controller v2

Show / Hide this section

This section provides the list of parameters supported by the R80 vSEC Controller v2.

In addition, refer to section "(2) Supported global parameters".

Parameter	Default value	Min / Max value	Unit	Description	Command to reload the parameter's value
wsPort	999	-	-	Web Service port for Proxy, which is responsible of handling Data Centers. Note: It is not recommended to change the value of this parameter.	cprestart
enforcementUpdateIntervalTime	10	min: 1	second	The time, during which the vSEC Controller will enforce Data Center objects onto the vSEC Gateway. The action itself also takes time - the value you enter is just describing the initiation of the enforcement action.	vsec_controller_stop
enforcementSessionTimeoutInMinutes	4320	min: 5 max: 43200	minute	The value assigned to this parameter represents the time, during which the session exists on the vSEC Gateway. When there is no connectivity between the vSEC Controller and the vSEC Gateway, the value assigned to this parameter will not be updated by vSEC Controller. Then, the session will be considered empty, and the enforcement of rules that contain Data Center object will ignore it and keep to a next rule.	vsec_controller_stop
autoUpdateIntervalInSeconds	30	min: 5	second	The autoUpdate checks the status of all the dataCenterObjects that were imported once in X seconds and update the delta (e.g., objects were deleted, IP address was changed, etc.).	cprestart

The $VSECDIR/conf/vsec.conf file also contains sections for specific Data Center types:

Type of Data Center	Parameter	Default value	Min / Max value	Unit	Description
VMware NSX (`# NSX scanner`)	nsx.connectTimeoutInMilliseconds	15000	min: 5000	millisecond	Specifies the maximum timeout when establishing a connection with a VMware NSX Data Center.
VMware NSX (`# NSX scanner`)	nsx.readTimeoutInMilliseconds	20000	min: 5000	millisecond	Specifies the maximum read timeout when a connection is established for reading VMware NSX Data Center objects.
VMware vCenter (`# vCenter scanner`)	vcenter.readTimeoutInMilliseconds	30000	min: 5000	millisecond	Specifies the maximum read timeout when a connection is established for reading VMware vCenter Data Center objects.
AWS (`# AWS scanner`)	aws.connectTimeoutInMilliseconds	60000	min: 5000	millisecond	Specifies the maximum timeout when establishing a connection with a Amazon Web Services (AWS) Data Center.
Azure (`# Azure scanner`)	azure.connectTimeoutInMilliseconds	60000	min: 5000	millisecond	Specifies the maximum timeout when establishing a connection with a Microsoft Azure Data Center.
Cisco ACI (`# ACI scanner`)	apic.connectTimeoutInMilliseconds	20000	min: 5000	millisecond	Specifies the maximum timeout when establishing a connection with a Cisco ACI Data Center.
Cisco ACI (`# ACI scanner`)	apic.readTimeoutInMilliseconds	120000	min: 5000	millisecond	Specifies the maximum read timeout when a connection is established for reading Cisco ACI Data Center objects.
OpenStack (`# OpenStack scanner`)	openstack.connectTimeoutInMilliseconds	15000	min: 5000	millisecond	Specifies the maximum timeout when establishing a connection with a OpenStack Data Center.
OpenStack (`# OpenStack scanner`)	openstack.readTimeoutInMilliseconds	20000	min: 5000	millisecond	Specifies the maximum read timeout when a connection is established for reading OpenStack Data Center objects.

(5) Supported parameters for R80.10 vSEC Controller

Show / Hide this section

This section provides the list of parameters supported by the R80.10 vSEC Controller.

In addition, refer to section "(2) Supported global parameters".

Parameter	Default value	Min / Max value	Unit	Description	Command to reload the parameter's value
wsPort	999	-	-	Web Service port for Proxy, which is responsible of handling Data Centers. Note: It is not recommended to change the value of this parameter.	cprestart
enforcementUpdateIntervalTime	10	min: 1	second	The time, during which the vSEC Controller will enforce Data Center objects onto the vSEC Gateway. The action itself also takes time - the value you enter is just describing the initiation of the enforcement action.	vsec_controller_stop
enforcementSessionTimeoutInMinutes	4320	min: 5 max: 43200	minute	The value assigned to this parameter represents the time, during which the session exists on the vSEC Gateway. When there is no connectivity between the vSEC Controller and the vSEC Gateway, the value assigned to this parameter will not be updated by vSEC Controller. Then, the session will be considered empty, and the enforcement of rules that contain Data Center object will ignore it and keep to a next rule.	vsec_controller_stop
autoUpdateIntervalInSeconds	30	min: 5	second	autoUpdate checks the status of all the dataCenterObjects that were imported once in X seconds and update the delta (e.g., objects were deleted, IP address was changed, etc.).	cprestart

The $VSECDIR/conf/vsec.conf file also contains sections for specific Data Center types:

Type of Data Center	Parameter	Default value	Min / Max value	Unit	Description
VMware NSX (`# NSX scanner`)	nsx.connectTimeoutInMilliseconds	15000	min: 5000	millisecond	Specifies the maximum timeout when establishing a connection with a VMware NSX Data Center.
VMware NSX (`# NSX scanner`)	nsx.readTimeoutInMilliseconds	20000	min: 5000	millisecond	Specifies the maximum read timeout when a connection is established for reading VMware NSX Data Center objects.
VMware vCenter (`# vCenter scanner`)	vcenter.readTimeoutInMilliseconds	30000	min: 5000	millisecond	Specifies the maximum read timeout when a connection is established for reading VMware vCenter Data Center objects.
AWS (`# AWS scanner`)	aws.connectTimeoutInMilliseconds	60000	min: 5000	millisecond	Specifies the maximum timeout when establishing a connection with a Amazon Web Services (AWS) Data Center.
Azure (`# Azure scanner`)	azure.connectTimeoutInMilliseconds	60000	min: 5000	millisecond	Specifies the maximum timeout when establishing a connection with a Microsoft Azure Data Center.
Cisco ACI (`# ACI scanner`)	apic.connectTimeoutInMilliseconds	20000	min: 5000	millisecond	Specifies the maximum timeout when establishing a connection with a Cisco ACI Data Center.
Cisco ACI (`# ACI scanner`)	apic.readTimeoutInMilliseconds	120000	min: 5000	millisecond	Specifies the maximum read timeout when a connection is established for reading Cisco ACI Data Center objects.
OpenStack (`# OpenStack scanner`)	openstack.connectTimeoutInMilliseconds	15000	min: 5000	millisecond	Specifies the maximum timeout when establishing a connection with a OpenStack Data Center.
OpenStack (`# OpenStack scanner`)	openstack.readTimeoutInMilliseconds	20000	min: 5000	millisecond	Specifies the maximum read timeout when a connection is established for reading OpenStack Data Center objects.

(6) Supported parameters for R80.10 CloudGuard Controller / vSEC Controller Hotfix v1 and R80.20

Show / Hide this section

This section provides the list of parameters supported by the R80.10 CloudGuard Controller / vSEC Controller Hotfix v1 and R80.20

In addition, refer to section "(2) Supported global parameters".

Parameter	Default value	Min / Max value	Unit	Description	Command to reload the parameter's value
wsPort	999	-	-	Web Service port for Proxy, which is responsible of handling Data Centers. Note: It is not recommended to change the value of this parameter.	cprestart
enforcementUpdateIntervalTime	10	min: 1	second	The time, during which the vSEC Controller will enforce Data Center objects onto the vSEC Gateway. The action itself also takes time - the value you enter is just describing the initiation of the enforcement action.	vsec_controller_stop
enforcementSessionTimeoutInMinutes	4320	min: 5 max: 43200	minute	The value assigned to this parameter represents the time, during which the session exists on the vSEC Gateway. When there is no connectivity between the vSEC Controller and the vSEC Gateway, the value assigned to this parameter will not be updated by vSEC Controller. Then, the session will be considered empty, and the enforcement of rules that contain Data Center object will ignore it and keep to a next rule.	vsec_controller_stop
autoUpdateIntervalInSeconds	30	min: 5	second	The autoUpdate checks the status of all the dataCenterObjects that were imported once in X seconds and update the delta (e.g., objects were deleted, IP address was changed, etc.).	cprestart
poolMode	mds			When working with central license tool, user can choose whether to handle the licenses in system mode or domain mode. Note: This can also be set using CLI command. In system mode, run vsec_lic_cli mode mds/domain	cprestart
automaticDistributionState	off			The value assigned to this parameter represents whether central license tool is off or on. Note: User can also change this value via CLI by running the command vsec_lic_cli on/off	cprestart
gatewayCoreUsageDataCollectionState	disable			The value assigned to this parameter represents whether to enable the hourly core usage report to save hourly records for each gateway (in order to be able to generate hourly core usage report). Note: This value can be configured by using the central license menu: vsec_lic_cli.	cprestart
licenseCoreUsageStore	1095	Min=1 Max=1095	days	The value assigned to this parameter represents the vSEC central license hourly core usage for each gateway.	cprestart
gatewayLicenseAllowedDownTime	4	Max=4	days	The value assigned to this parameter represents the time a gateway can be down until we take its license.	cprestart

The $VSECDIR/conf/vsec.conf file also contains sections for specific Data Center types:

Type of Data Center	Parameter	Default value	Min / Max value	Unit	Description
VMware NSX (`# NSX scanner`)	nsx.connectTimeoutInMilliseconds	15000	min: 5000	millisecond	Specifies the maximum timeout when establishing a connection with a VMware NSX Data Center.
VMware NSX (`# NSX scanner`)	nsx.readTimeoutInMilliseconds	20000	min: 5000	millisecond	Specifies the maximum read timeout when a connection is established for reading VMware NSX Data Center objects.
VMware vCenter (`# vCenter scanner`)	vcenter.readTimeoutInMilliseconds	30000	min: 5000	millisecond	Specifies the maximum read timeout when a connection is established for reading VMware vCenter Data Center objects.
AWS (`# AWS scanner`)	aws.connectTimeoutInMilliseconds	60000	min: 5000	millisecond	Specifies the maximum timeout when establishing a connection with a Amazon Web Services (AWS) Data Center.
Azure (`# Azure scanner`)	azure.connectTimeoutInMilliseconds	60000	min: 5000	millisecond	Specifies the maximum timeout when establishing a connection with a Microsoft Azure Data Center.
Cisco ACI (`# ACI scanner`)	apic.connectTimeoutInMilliseconds	20000	min: 5000	millisecond	Specifies the maximum timeout when establishing a connection with a Cisco ACI Data Center.
Cisco ACI (`# ACI scanner`)	apic.readTimeoutInMilliseconds	120000	min: 5000	millisecond	Specifies the maximum read timeout when a connection is established for reading Cisco ACI Data Center objects.
OpenStack (`# OpenStack scanner`)	openstack.connectTimeoutInMilliseconds	15000	min: 5000	millisecond	Specifies the maximum timeout when establishing a connection with a OpenStack Data Center.
OpenStack (`# OpenStack scanner`)	openstack.readTimeoutInMilliseconds	20000	min: 5000	millisecond	Specifies the maximum read timeout when a connection is established for reading OpenStack Data Center objects.
Nuage (`# Nuage scanner`)	nuage.connectTimeoutInMilliseconds	15000	5000	millisecond	Specifies the maximum timeout when establishing a connection with a Nuage networks VSP Data Center.
Nuage (`# Nuage scanner`)	nuage.readTimeoutInMilliseconds	20000	5000	millisecond	Specifies the maximum read timeout when a connection is established for reading Nuage networks VSP Data Center objects.
Google (`# Google scanner`)	google.connectTimeoutInMilliseconds	60000	min: 5000	millisecond	Specifies the maximum timeout when establishing a connection with a Google Data Center.
ISE (`# ISE scanner`)	ise.connectTimeoutInMilliseconds	60000	min: 5000	millisecond	Specifies the maximum timeout when establishing a connection with a ISE Data Center.
	ise.readTimeoutInMilliseconds	120000	min: 5000	millisecond	Specifies the maximum read timeout when a connection is established for reading ISE Data Center objects.
	ise.threadPoolSize	2			This parameter is for Check Point internal purposes only. Note: It is not recommended to change the value of this parameter.
	ise.maxPageSize	100			This parameter is for Check Point internal purposes only. Note: It is not recommended to change the value of this parameter.

Type of Data Center	Prefix for Parameter Names	Parameters supported by this Data Center type	Final Parameter Names
VMware NSX	nsx	connectTimeoutInMilliseconds	nsx.connectTimeoutInMilliseconds
VMware NSX	nsx	readTimeoutInMilliseconds	nsx.readTimeoutInMilliseconds
VMware vCenter	vcenter	readTimeoutInMilliseconds	vcenter.readTimeoutInMilliseconds
Amazon Web Services (AWS)	aws	connectTimeoutInMilliseconds	aws.connectTimeoutInMilliseconds
Microsoft Azure	azure	connectTimeoutInMilliseconds	azure.connectTimeoutInMilliseconds
Cisco ACI	apic	connectTimeoutInMilliseconds	apic.connectTimeoutInMilliseconds
Cisco ACI	apic	readTimeoutInMilliseconds	apic.readTimeoutInMilliseconds
OpenStack	openstack	connectTimeoutInMilliseconds	openstack.connectTimeoutInMilliseconds
OpenStack	openstack	readTimeoutInMilliseconds	openstack.readTimeoutInMilliseconds
Google	google	connectTimeoutInMilliseconds	google.connectTimeoutInMilliseconds
Nuage networks VSP	nuage	connectTimeoutInMilliseconds readTimeoutInMilliseconds	nuage.connectTimeoutInMilliseconds nuage.readTimeoutInMilliseconds
Cisco Identity Services Engine (ISE)	ise	connectTimeoutInMilliseconds	ise.connectTimeoutInMilliseconds
		readTimeoutInMilliseconds	ise.readTimeoutInMilliseconds
		threadPoolSize	ise.threadPoolSize
		maxPageSize	ise.maxPageSize

Relevant source code:

Version of vSEC Controller	Link to source code
R80.10 vSEC Controller with Stability Hotfix #1 (link to the relevant SK will be added later)	https://opengrok.checkpoint.com:8443/source/xref/R80_10_cirrus3/vsec_wrapper/vsec.conf
R80.10 vSEC Controller	https://opengrok.checkpoint.com:8443/source/xref/hugo1/vsec_wrapper/vsec.conf
R80 vSEC Controller v2	https://opengrok.checkpoint.com:8443/source/xref/R80_jhf_76_cirrus2/vsec_wrapper/vsec.conf
R80 vSEC Controller v1	https://opengrok.checkpoint.com:8443/source/xref/R80_jumbo_hf_29_vsec/vsec_wrapper/vsec.conf

(8) Revision history

Show / Hide revision history

Date	Description
08 May 2018	Added Supported parameters for R80.10 CloudGuard Controller / vSEC Controller Hotfix v1
30 Jan 2018	Added Nuage networks VSPData Center information.
24 Oct 2017	Improved text in section "(2) Supported global parameters"
02 Oct 2017	Improved design of this article Added description of new parameters introduced in R80.10
13 Feb 2017	Added the note: All configuration values are being read from the $VSECDIR/conf/vsec.conf file only once - when vSEC Controller is being loaded. In case one of the parameters was changed, administrator should run the relevant command from the "Command to update the parameter's value" column. Updated the min and max values of the enforcementSessionTimeoutInMinutes parameter
13 Oct 2016	Improved description of the enforcementSessionTimeoutInMinutes parameter
11 Aug 2016	First release of this article

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating

THREAT INTELLIGENCE

UNDER ATTACK?

RISK ASSESSMENT

Chat

Phone

Locations

Community

SOLUTIONS FOR...

PRODUCT ARCHITECTURE

PRODUCTS

NEXT GENERATION THREAT PREVENTION

MOBILE SECURITY

ENDPOINT SECURITY

NEXT GENERATION FIREWALLS

SECURITY MANAGEMENT

INDUSTRIES

ARCHITECTURE

SUPPORT CENTER

SUPPORT PROGRAMS

SECURITY SERVICES

KNOWLEDGE AND EDUCATION

PROFESSIONAL SERVICES

CHANNEL PARTNERS

TECHNOLOGY PARTNERS

PARTNER PORTAL

COMPANY OVERVIEW

NEWS & MEDIA

EVENTS

CAREERS

(1) Background

(2) Supported global parameters

(3) Supported parameters for R80 vSEC Controller v1

(4) Supported parameters for R80 vSEC Controller v2

(5) Supported parameters for R80.10 vSEC Controller

(6) Supported parameters for R80.10 CloudGuard Controller / vSEC Controller Hotfix v1 and R80.20

(8) Revision history

THREAT INTELLIGENCE

UNDER ATTACK?

RISK ASSESSMENT

Chat

Phone

Locations

Community

SOLUTIONS FOR...

PRODUCT ARCHITECTURE

PRODUCTS

NEXT GENERATION THREAT PREVENTION

MOBILE SECURITY

ENDPOINT SECURITY

NEXT GENERATION FIREWALLS

SECURITY MANAGEMENT

INDUSTRIES

ARCHITECTURE

SUPPORT CENTER

SUPPORT PROGRAMS

SECURITY SERVICES

KNOWLEDGE AND EDUCATION

PROFESSIONAL SERVICES

CHANNEL PARTNERS

TECHNOLOGY PARTNERS

PARTNER PORTAL

COMPANY OVERVIEW

NEWS & MEDIA

EVENTS

CAREERS

(1) Background

(2) Supported global parameters

(3) Supported parameters for R80 vSEC Controller v1

(4) Supported parameters for R80 vSEC Controller v2

(5) Supported parameters for R80.10 vSEC Controller

(6) Supported parameters for R80.10 CloudGuard Controller / vSEC Controller Hotfix v1 and R80.20

(7) Related solutions

(8) Revision history