R80.x vSEC Controller configuration parameters
Solution

Table of Contents:

  1. Background
  2. Supported global parameters
  3. Supported parameters for R80 vSEC Controller v1
  4. Supported parameters for R80 vSEC Controller v2
  5. Supported parameters for R80.10 vSEC Controller
  6. Supported parameters for R80.10 CloudGuard Controller / vSEC Controller Hotfix v1 and R80.20
  7. Related solutions
  8. Revision history

 


(1) Background

R80.x vSEC Controller can be configured using various parameters in the $VSECDIR/conf/vsec.conf file.

Important Note: All configuration values are read from the $VSECDIR/conf/vsec.conf file only once, when the vSEC Controller is loaded. If a parameter is changed, the administrator must run the relevant command from the "Command to reload the parameter's value" column; otherwise the running vSEC Controller keeps using the old value.

The following sections list the parameters with their description, possible values, and the command that forces the parameter to be reloaded.

 

(2) Supported global parameters


Notes:

  • The global section of the $VSECDIR/conf/vsec.conf file starts with the line:
    # Global scanner

  • The global section was added in R80 vSEC Controller v2 and R80.10 vSEC Controller.

  • Every parameter in the global section affects every Data Center type, unless the parameter is overridden in the section of a specific Data Center type.

    To change the value of a global parameter for one Data Center type only, add a parameter with the same name
    to the section of that Data Center type, using the relevant prefix: nsx., vcenter., aws., azure., openstack., or apic..
    For example, to change global.connectTimeoutInMilliseconds from 30000 to 20000 for the Cisco ACI Data Center type only,
    add apic.connectTimeoutInMilliseconds=20000 in the "# ACI scanner config" section.

  • If a parameter is deleted from the section of a specific Data Center type, the value of that parameter (and only that parameter) is taken from the global section.

Parameter: global.scannerInterval
  Default value: 30
  Min / Max value: min: 1
  Unit: second
  Description: This parameter is relevant for scanners that work in "polling" mode, without notifications.
    Every Data Center (NSX/ACI) has a scanner that should be synchronized with it.
    Every X seconds (the value of this parameter) the scanner pulls data automatically.
  Command to reload the parameter's value: vsec_controller_stop

Parameter: global.connectTimeoutInMilliseconds
  Default value: 30000
  Min / Max value: min: 5000
  Unit: millisecond
  Description: Specifies the maximum timeout for establishing a connection with a Data Center.

Parameter: global.readTimeoutInMilliseconds
  Default value: 120000
  Min / Max value: min: 5000
  Unit: millisecond
  Description: Specifies the maximum read timeout, once a connection is established, for reading Data Center objects.

 

(3) Supported parameters for R80 vSEC Controller v1


This section provides the list of parameters supported by the R80 vSEC Controller v1.

In addition, refer to section "(2) Supported global parameters".

Parameter: wsPort
  Default value: 999
  Min / Max value: -
  Unit: -
  Description: Web Service port of the Proxy, which is responsible for handling Data Centers.
    Note: It is not recommended to change the value of this parameter.
  Command to reload the parameter's value: cprestart

Parameter: enforcementUpdateIntervalTime
  Default value: 10
  Min / Max value: min: 1
  Unit: second
  Description: The interval at which the vSEC Controller initiates enforcement of Data Center objects onto the vSEC Gateway.
    The enforcement action itself also takes time; the value you enter describes only how often the action is initiated.
  Command to reload the parameter's value: vsec_controller_stop

Parameter: enforcementSessionTimeoutInMinutes
  Default value: 4320
  Min / Max value: min: 5, max: 43200
  Unit: minute
  Description: The time for which the session exists on the vSEC Gateway.
    While there is no connectivity between the vSEC Controller and the vSEC Gateway, the vSEC Controller cannot refresh the session.
    Once this time has passed, the session is considered empty: rules that contain Data Center objects are ignored during enforcement, and matching continues with the next rule.
  Command to reload the parameter's value: vsec_controller_stop

Parameter: scannerInterval
  Default value: 30
  Min / Max value: min: 1
  Unit: second
  Description: This parameter is relevant for scanners that work in "polling" mode, without notifications.
    Each Data Center (e.g., NSX / ACI) has a scanner that should be synchronized with it.
    Every X seconds (the value of this parameter) the scanner pulls data automatically.
  Command to reload the parameter's value: vsec_controller_stop

Parameter: autoUpdateIntervalInSeconds
  Default value: 30
  Min / Max value: min: 5
  Unit: second
  Description: Every X seconds (the value of this parameter), autoUpdate checks the status of all Data Center objects that were imported and updates the delta (e.g., objects that were deleted, or whose IP address changed).
  Command to reload the parameter's value: cprestart

 

(4) Supported parameters for R80 vSEC Controller v2


This section provides the list of parameters supported by the R80 vSEC Controller v2.

In addition, refer to section "(2) Supported global parameters".

Parameter: wsPort
  Default value: 999
  Min / Max value: -
  Unit: -
  Description: Web Service port of the Proxy, which is responsible for handling Data Centers.
    Note: It is not recommended to change the value of this parameter.
  Command to reload the parameter's value: cprestart

Parameter: enforcementUpdateIntervalTime
  Default value: 10
  Min / Max value: min: 1
  Unit: second
  Description: The interval at which the vSEC Controller initiates enforcement of Data Center objects onto the vSEC Gateway.
    The enforcement action itself also takes time; the value you enter describes only how often the action is initiated.
  Command to reload the parameter's value: vsec_controller_stop

Parameter: enforcementSessionTimeoutInMinutes
  Default value: 4320
  Min / Max value: min: 5, max: 43200
  Unit: minute
  Description: The time for which the session exists on the vSEC Gateway.
    While there is no connectivity between the vSEC Controller and the vSEC Gateway, the vSEC Controller cannot refresh the session.
    Once this time has passed, the session is considered empty: rules that contain Data Center objects are ignored during enforcement, and matching continues with the next rule.
  Command to reload the parameter's value: vsec_controller_stop

Parameter: autoUpdateIntervalInSeconds
  Default value: 30
  Min / Max value: min: 5
  Unit: second
  Description: Every X seconds (the value of this parameter), autoUpdate checks the status of all Data Center objects that were imported and updates the delta (e.g., objects that were deleted, or whose IP address changed).
  Command to reload the parameter's value: cprestart

The $VSECDIR/conf/vsec.conf file also contains sections for specific Data Center types:

VMware NSX (section "# NSX scanner")

  Parameter: nsx.connectTimeoutInMilliseconds
    Default value: 15000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum timeout for establishing a connection with a VMware NSX Data Center.

  Parameter: nsx.readTimeoutInMilliseconds
    Default value: 20000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum read timeout, once a connection is established, for reading VMware NSX Data Center objects.

VMware vCenter (section "# vCenter scanner")

  Parameter: vcenter.readTimeoutInMilliseconds
    Default value: 30000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum read timeout, once a connection is established, for reading VMware vCenter Data Center objects.

AWS (section "# AWS scanner")

  Parameter: aws.connectTimeoutInMilliseconds
    Default value: 60000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum timeout for establishing a connection with an Amazon Web Services (AWS) Data Center.

Azure (section "# Azure scanner")

  Parameter: azure.connectTimeoutInMilliseconds
    Default value: 60000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum timeout for establishing a connection with a Microsoft Azure Data Center.

Cisco ACI (section "# ACI scanner")

  Parameter: apic.connectTimeoutInMilliseconds
    Default value: 20000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum timeout for establishing a connection with a Cisco ACI Data Center.

  Parameter: apic.readTimeoutInMilliseconds
    Default value: 120000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum read timeout, once a connection is established, for reading Cisco ACI Data Center objects.

OpenStack (section "# OpenStack scanner")

  Parameter: openstack.connectTimeoutInMilliseconds
    Default value: 15000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum timeout for establishing a connection with an OpenStack Data Center.

  Parameter: openstack.readTimeoutInMilliseconds
    Default value: 20000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum read timeout, once a connection is established, for reading OpenStack Data Center objects.

 

(5) Supported parameters for R80.10 vSEC Controller


This section provides the list of parameters supported by the R80.10 vSEC Controller.

In addition, refer to section "(2) Supported global parameters".

Parameter: wsPort
  Default value: 999
  Min / Max value: -
  Unit: -
  Description: Web Service port of the Proxy, which is responsible for handling Data Centers.
    Note: It is not recommended to change the value of this parameter.
  Command to reload the parameter's value: cprestart

Parameter: enforcementUpdateIntervalTime
  Default value: 10
  Min / Max value: min: 1
  Unit: second
  Description: The interval at which the vSEC Controller initiates enforcement of Data Center objects onto the vSEC Gateway.
    The enforcement action itself also takes time; the value you enter describes only how often the action is initiated.
  Command to reload the parameter's value: vsec_controller_stop

Parameter: enforcementSessionTimeoutInMinutes
  Default value: 4320
  Min / Max value: min: 5, max: 43200
  Unit: minute
  Description: The time for which the session exists on the vSEC Gateway.
    While there is no connectivity between the vSEC Controller and the vSEC Gateway, the vSEC Controller cannot refresh the session.
    Once this time has passed, the session is considered empty: rules that contain Data Center objects are ignored during enforcement, and matching continues with the next rule.
  Command to reload the parameter's value: vsec_controller_stop

Parameter: autoUpdateIntervalInSeconds
  Default value: 30
  Min / Max value: min: 5
  Unit: second
  Description: Every X seconds (the value of this parameter), autoUpdate checks the status of all Data Center objects that were imported and updates the delta (e.g., objects that were deleted, or whose IP address changed).
  Command to reload the parameter's value: cprestart

The $VSECDIR/conf/vsec.conf file also contains sections for specific Data Center types:

VMware NSX (section "# NSX scanner")

  Parameter: nsx.connectTimeoutInMilliseconds
    Default value: 15000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum timeout for establishing a connection with a VMware NSX Data Center.

  Parameter: nsx.readTimeoutInMilliseconds
    Default value: 20000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum read timeout, once a connection is established, for reading VMware NSX Data Center objects.

VMware vCenter (section "# vCenter scanner")

  Parameter: vcenter.readTimeoutInMilliseconds
    Default value: 30000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum read timeout, once a connection is established, for reading VMware vCenter Data Center objects.

AWS (section "# AWS scanner")

  Parameter: aws.connectTimeoutInMilliseconds
    Default value: 60000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum timeout for establishing a connection with an Amazon Web Services (AWS) Data Center.

Azure (section "# Azure scanner")

  Parameter: azure.connectTimeoutInMilliseconds
    Default value: 60000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum timeout for establishing a connection with a Microsoft Azure Data Center.

Cisco ACI (section "# ACI scanner")

  Parameter: apic.connectTimeoutInMilliseconds
    Default value: 20000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum timeout for establishing a connection with a Cisco ACI Data Center.

  Parameter: apic.readTimeoutInMilliseconds
    Default value: 120000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum read timeout, once a connection is established, for reading Cisco ACI Data Center objects.

OpenStack (section "# OpenStack scanner")

  Parameter: openstack.connectTimeoutInMilliseconds
    Default value: 15000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum timeout for establishing a connection with an OpenStack Data Center.

  Parameter: openstack.readTimeoutInMilliseconds
    Default value: 20000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum read timeout, once a connection is established, for reading OpenStack Data Center objects.

 

(6) Supported parameters for R80.10 CloudGuard Controller / vSEC Controller Hotfix v1 and R80.20


This section provides the list of parameters supported by the R80.10 CloudGuard Controller / vSEC Controller Hotfix v1 and by R80.20.

In addition, refer to section "(2) Supported global parameters".

Parameter: wsPort
  Default value: 999
  Min / Max value: -
  Unit: -
  Description: Web Service port of the Proxy, which is responsible for handling Data Centers.
    Note: It is not recommended to change the value of this parameter.
  Command to reload the parameter's value: cprestart

Parameter: enforcementUpdateIntervalTime
  Default value: 10
  Min / Max value: min: 1
  Unit: second
  Description: The interval at which the vSEC Controller initiates enforcement of Data Center objects onto the vSEC Gateway.
    The enforcement action itself also takes time; the value you enter describes only how often the action is initiated.
  Command to reload the parameter's value: vsec_controller_stop

Parameter: enforcementSessionTimeoutInMinutes
  Default value: 4320
  Min / Max value: min: 5, max: 43200
  Unit: minute
  Description: The time for which the session exists on the vSEC Gateway.
    While there is no connectivity between the vSEC Controller and the vSEC Gateway, the vSEC Controller cannot refresh the session.
    Once this time has passed, the session is considered empty: rules that contain Data Center objects are ignored during enforcement, and matching continues with the next rule.
  Command to reload the parameter's value: vsec_controller_stop

Parameter: autoUpdateIntervalInSeconds
  Default value: 30
  Min / Max value: min: 5
  Unit: second
  Description: Every X seconds (the value of this parameter), autoUpdate checks the status of all Data Center objects that were imported and updates the delta (e.g., objects that were deleted, or whose IP address changed).
  Command to reload the parameter's value: cprestart

Parameter: poolMode
  Default value: mds
  Min / Max value: -
  Unit: -
  Description: When working with the central license tool, the user can choose whether to handle the licenses in system mode or in domain mode.
    Note: This can also be set with a CLI command. In system mode, run: vsec_lic_cli mode mds/domain (mds or domain).
  Command to reload the parameter's value: cprestart

Parameter: automaticDistributionState
  Default value: off
  Min / Max value: -
  Unit: -
  Description: Whether the central license tool is off or on.
    Note: The user can also change this value via the CLI by running: vsec_lic_cli on/off (on or off).
  Command to reload the parameter's value: cprestart

Parameter: gatewayCoreUsageDataCollectionState
  Default value: disable
  Min / Max value: -
  Unit: -
  Description: Whether to enable hourly core usage data collection, which saves hourly records for each gateway so that an hourly core usage report can be generated.
    Note: This value can be configured using the central license menu: vsec_lic_cli.
  Command to reload the parameter's value: cprestart

Parameter: licenseCoreUsageStore
  Default value: 1095
  Min / Max value: min: 1, max: 1095
  Unit: day
  Description: The number of days for which the vSEC central license tool keeps the hourly core usage records of each gateway.
  Command to reload the parameter's value: cprestart

Parameter: gatewayLicenseAllowedDownTime
  Min / Max value: max: 4
  Unit: day
  Description: The time a gateway can be down before its license is reclaimed.
  Command to reload the parameter's value: cprestart

The $VSECDIR/conf/vsec.conf file also contains sections for specific Data Center types:

VMware NSX (section "# NSX scanner")

  Parameter: nsx.connectTimeoutInMilliseconds
    Default value: 15000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum timeout for establishing a connection with a VMware NSX Data Center.

  Parameter: nsx.readTimeoutInMilliseconds
    Default value: 20000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum read timeout, once a connection is established, for reading VMware NSX Data Center objects.

VMware vCenter (section "# vCenter scanner")

  Parameter: vcenter.readTimeoutInMilliseconds
    Default value: 30000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum read timeout, once a connection is established, for reading VMware vCenter Data Center objects.

AWS (section "# AWS scanner")

  Parameter: aws.connectTimeoutInMilliseconds
    Default value: 60000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum timeout for establishing a connection with an Amazon Web Services (AWS) Data Center.

Azure (section "# Azure scanner")

  Parameter: azure.connectTimeoutInMilliseconds
    Default value: 60000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum timeout for establishing a connection with a Microsoft Azure Data Center.

Cisco ACI (section "# ACI scanner")

  Parameter: apic.connectTimeoutInMilliseconds
    Default value: 20000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum timeout for establishing a connection with a Cisco ACI Data Center.

  Parameter: apic.readTimeoutInMilliseconds
    Default value: 120000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum read timeout, once a connection is established, for reading Cisco ACI Data Center objects.

OpenStack (section "# OpenStack scanner")

  Parameter: openstack.connectTimeoutInMilliseconds
    Default value: 15000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum timeout for establishing a connection with an OpenStack Data Center.

  Parameter: openstack.readTimeoutInMilliseconds
    Default value: 20000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum read timeout, once a connection is established, for reading OpenStack Data Center objects.

Nuage (section "# Nuage scanner")

  Parameter: nuage.connectTimeoutInMilliseconds
    Default value: 15000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum timeout for establishing a connection with a Nuage Networks VSP Data Center.

  Parameter: nuage.readTimeoutInMilliseconds
    Default value: 20000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum read timeout, once a connection is established, for reading Nuage Networks VSP Data Center objects.

Google (section "# Google scanner")

  Parameter: google.connectTimeoutInMilliseconds
    Default value: 60000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum timeout for establishing a connection with a Google Data Center.

ISE (section "# ISE scanner")

  Parameter: ise.connectTimeoutInMilliseconds
    Default value: 60000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum timeout for establishing a connection with an ISE Data Center.

  Parameter: ise.readTimeoutInMilliseconds
    Default value: 120000
    Min / Max value: min: 5000
    Unit: millisecond
    Description: Specifies the maximum read timeout, once a connection is established, for reading ISE Data Center objects.

  Parameter: ise.threadPoolSize
    Default value: 2
    Min / Max value: -
    Unit: -
    Description: This parameter is for Check Point internal purposes only.
      Note: It is not recommended to change the value of this parameter.

  Parameter: ise.maxPageSize
    Default value: 100
    Min / Max value: -
    Unit: -
    Description: This parameter is for Check Point internal purposes only.
      Note: It is not recommended to change the value of this parameter.


Prefix for parameter names, parameters supported by each Data Center type, and the resulting final parameter names:

VMware NSX (prefix: nsx)
  connectTimeoutInMilliseconds -> nsx.connectTimeoutInMilliseconds
  readTimeoutInMilliseconds -> nsx.readTimeoutInMilliseconds

VMware vCenter (prefix: vcenter)
  readTimeoutInMilliseconds -> vcenter.readTimeoutInMilliseconds

Amazon Web Services (AWS) (prefix: aws)
  connectTimeoutInMilliseconds -> aws.connectTimeoutInMilliseconds

Microsoft Azure (prefix: azure)
  connectTimeoutInMilliseconds -> azure.connectTimeoutInMilliseconds

Cisco ACI (prefix: apic)
  connectTimeoutInMilliseconds -> apic.connectTimeoutInMilliseconds
  readTimeoutInMilliseconds -> apic.readTimeoutInMilliseconds

OpenStack (prefix: openstack)
  connectTimeoutInMilliseconds -> openstack.connectTimeoutInMilliseconds
  readTimeoutInMilliseconds -> openstack.readTimeoutInMilliseconds

Google (prefix: google)
  connectTimeoutInMilliseconds -> google.connectTimeoutInMilliseconds

Nuage Networks VSP (prefix: nuage)
  connectTimeoutInMilliseconds -> nuage.connectTimeoutInMilliseconds
  readTimeoutInMilliseconds -> nuage.readTimeoutInMilliseconds

Cisco Identity Services Engine (ISE) (prefix: ise)
  connectTimeoutInMilliseconds -> ise.connectTimeoutInMilliseconds
  readTimeoutInMilliseconds -> ise.readTimeoutInMilliseconds
  threadPoolSize -> ise.threadPoolSize
  maxPageSize -> ise.maxPageSize
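The override and fallback rules from section "(2) Supported global parameters" (a prefixed key such as apic.connectTimeoutInMilliseconds wins over global.connectTimeoutInMilliseconds; a key missing from a Data Center section falls back to the global one) and the prefix mapping listed above can be checked mechanically before the reload command is run. The Python script below is an added example written for this article; it is not Check Point's code and does not ship with the vSEC Controller. It parses the key=value lines of a constructed vsec.conf excerpt, resolves the effective value of a parameter for a given Data Center prefix, and flags any value set below the minimums this article lists. The sample configuration text, the function names and the prefix and minimum tables are assumptions made for the example.

```python
"""
Resolve effective vsec.conf values per Data Center type and check minimums.

Added example for the article; not Check Point code. The override/fallback
rule it implements is the one described in the article's global-parameters
section; the minimum values are the ones the article lists.
"""
import re

# Constructed excerpt of $VSECDIR/conf/vsec.conf (not a real file from a system).
SAMPLE_VSEC_CONF = """\
# Global scanner
global.scannerInterval=30
global.connectTimeoutInMilliseconds=30000
global.readTimeoutInMilliseconds=120000

# ACI scanner config
apic.connectTimeoutInMilliseconds=20000
# apic.readTimeoutInMilliseconds is deliberately absent: it falls back to global

# NSX scanner
nsx.connectTimeoutInMilliseconds=15000
nsx.readTimeoutInMilliseconds=2000
"""

# Lower bounds the article lists for the interval and timeout parameters.
MIN_VALUES = {
    "scannerInterval": 1,
    "connectTimeoutInMilliseconds": 5000,
    "readTimeoutInMilliseconds": 5000,
}

# Data Center type prefixes named in the article.
KNOWN_PREFIXES = {"nsx", "vcenter", "aws", "azure", "openstack",
                  "apic", "nuage", "google", "ise"}

# One "key=value" line; comments and blank lines are handled before matching.
_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(\S+)\s*$")


def parse_vsec_conf(text):
    """Return {key: value} for every key=value line; '#' comments and blanks are skipped."""
    values = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = _LINE.match(line)
        if match:
            values[match.group(1)] = match.group(2)
    return values


def effective_value(conf, prefix, name):
    """Return (value, key_used): the prefixed key wins, else the global key, else (None, None)."""
    for key in (f"{prefix}.{name}", f"global.{name}"):
        if key in conf:
            return int(conf[key]), key
    return None, None


def check_minimums(conf):
    """Return [(key, value, minimum)] for every known numeric key set below the article's minimum."""
    violations = []
    for key, value in conf.items():
        prefix, _, name = key.partition(".")
        if name in MIN_VALUES and (prefix == "global" or prefix in KNOWN_PREFIXES):
            if int(value) < MIN_VALUES[name]:
                violations.append((key, int(value), MIN_VALUES[name]))
    return violations


if __name__ == "__main__":
    conf = parse_vsec_conf(SAMPLE_VSEC_CONF)
    for prefix in ("apic", "nsx", "aws"):
        for name in ("connectTimeoutInMilliseconds", "readTimeoutInMilliseconds"):
            value, key = effective_value(conf, prefix, name)
            print(f"{prefix}.{name}: {value} (from {key})")
    for key, value, minimum in check_minimums(conf):
        print(f"WARNING: {key}={value} is below the documented minimum {minimum}")
```

To run it against a real installation, pass the contents of $VSECDIR/conf/vsec.conf to parse_vsec_conf(). Whatever the script reports, the running vSEC Controller only picks up a corrected value after the reload command listed for that parameter has been run, because the file is read once at load time.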

Relevant source code (vsec.conf per version of vSEC Controller):

  • R80.10 vSEC Controller with Stability Hotfix #1 (link to the relevant SK will be added later):
    https://opengrok.checkpoint.com:8443/source/xref/R80_10_cirrus3/vsec_wrapper/vsec.conf
  • R80.10 vSEC Controller:
    https://opengrok.checkpoint.com:8443/source/xref/hugo1/vsec_wrapper/vsec.conf
  • R80 vSEC Controller v2:
    https://opengrok.checkpoint.com:8443/source/xref/R80_jhf_76_cirrus2/vsec_wrapper/vsec.conf
  • R80 vSEC Controller v1:
    https://opengrok.checkpoint.com:8443/source/xref/R80_jumbo_hf_29_vsec/vsec_wrapper/vsec.conf

 

 

(8) Revision history


Date Description
08 May 2018
  • Added Supported parameters for R80.10 CloudGuard Controller / vSEC Controller Hotfix v1 
30 Jan 2018
  • Added Nuage Networks VSP Data Center information.
24 Oct 2017
  • Improved text in section "(2) Supported global parameters"
02 Oct 2017
  • Improved design of this article
  • Added description of new parameters introduced in R80.10
13 Feb 2017
  • Added the note: All configuration values are read from the $VSECDIR/conf/vsec.conf file only once, when the vSEC Controller is loaded. If one of the parameters is changed, the administrator should run the relevant command from the "Command to reload the parameter's value" column.
  • Updated the min and max values of the enforcementSessionTimeoutInMinutes parameter
13 Oct 2016
  • Improved description of the enforcementSessionTimeoutInMinutes parameter
11 Aug 2016
  • First release of this article
