Supported parameters for R80.10 CloudGuard Controller / vSEC Controller Hotfix v1 and R80.20
(1) Background
R80.x CloudGuard Controller can be configured using various parameters in the vsec.conf file.
vsec.conf location:
Starting from R80.20.M2:
    On Multi-Domain Security Management: $MDSDIR/conf
    On Security Management Server: $FWDIR/conf
Before R80.20.M2: $VSECDIR/conf
Important: All configuration values are read from the vsec.conf file only once, when the CloudGuard Controller is loaded. If one of the parameters is changed, the administrator must run the relevant command from the "Command to reload the parameter's value" column.
The following sections provide the list of parameters, parameter's description, possible values, and the command to force the parameter's update.
Every parameter in the global section will affect every Data Center type, unless the parameter is changed in the specific Data Center type section.
To change the values of the global parameters for a specific Data Center type, add an additional parameter in the corresponding section for that Data Center type with the relevant prefix: nsx., vcenter., aws., azure., openstack., and apic.. For example, to change the value of the global.connectTimeoutInMilliseconds from 30000 to 20000 for Cisco ACI Data Center type, add apic.connectTimeoutInMilliseconds=20000 in the "# ACI scanner config" section.
If a specific parameter is deleted from the specific Data Center type section, the value is taken from the global section, only for that relevant parameter.
| Parameter | Default value | Min / Max value | Unit | Description | Command to reload the parameter's value |
| --- | --- | --- | --- | --- | --- |
| global.scannerInterval | 30 | min: 1 | second | This parameter is relevant for scanners that work in "polling" mode without notifications. Every Data Center (NSX/ACI) has a scanner that should be synchronized with it. Every X seconds the scanner pulls data automatically. | vsec_controller_stop |
| global.connectTimeoutInMilliseconds | 30000 | min: 5000 | millisecond | Specifies the maximum timeout when establishing a connection with a Data Center. | |
| global.readTimeoutInMilliseconds | 120000 | min: 5000 | millisecond | Specifies the maximum read timeout when a connection is established for reading Data Center objects. | |
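The override and fallback rule described in this section, as an added example that is not Check Point code: it parses a constructed vsec.conf fragment, resolves the effective value of each global parameter for a Data Center type, and flags values below the minimums listed in this article. The `# global config` comment line, the sample values and the function names are assumptions; the key=value layout follows the apic.connectTimeoutInMilliseconds=20000 example above.

```python
# Constructed vsec.conf fragment (sample input, not taken from a real system).
SAMPLE_CONF = """\
# global config
global.scannerInterval=30
global.connectTimeoutInMilliseconds=30000
global.readTimeoutInMilliseconds=120000
# ACI scanner config
apic.connectTimeoutInMilliseconds=20000
# NSX scanner
nsx.connectTimeoutInMilliseconds=3000
"""

# Minimums of the global parameters as listed in this article; the same
# minimum is assumed to apply to a type-specific override.
MINIMUMS = {"scannerInterval": 1, "connectTimeoutInMilliseconds": 5000,
            "readTimeoutInMilliseconds": 5000}

def parse_conf(text):
    """Return {key: value} for key=value lines; '#' lines and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def effective(settings, dc_type, param):
    """Type-specific value if present, otherwise the global one.
    Returns (value, source_key), or (None, None) when neither is set."""
    for key in (f"{dc_type}.{param}", f"global.{param}"):
        if key in settings:
            return settings[key], key
    return None, None

def audit(settings, dc_types):
    """Return (dc_type, param, value, source_key, problem) for each checked parameter."""
    rows = []
    for dc in dc_types:
        for param, minimum in MINIMUMS.items():
            value, source = effective(settings, dc, param)
            if value is None:
                problem = "not set"
            elif not value.isdigit():
                problem = "not a whole number"
            elif int(value) < minimum:
                problem = f"below minimum {minimum}"
            else:
                problem = None
            rows.append((dc, param, value, source, problem))
    return rows
```

Calling `audit(parse_conf(SAMPLE_CONF), ["apic", "nsx", "aws"])` shows, per Data Center type, which key supplied each value, which is useful when reviewing a changed file before running the reload command.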
(3) Supported parameters for R80 vSEC Controller v1
In addition, refer to section "(2) Supported global parameters".
| Parameter | Default value | Min / Max value | Unit | Description | Command to reload the parameter's value |
| --- | --- | --- | --- | --- | --- |
| wsPort | 999 | - | - | Web Service port for Proxy, which is responsible for handling Data Centers. Note: It is not recommended to change the value of this parameter. | cprestart |
| enforcementUpdateIntervalTime | 10 | min: 1 | second | The time during which the vSEC Controller will enforce Data Center objects onto the vSEC Gateway. The action itself also takes time; the value you enter only describes the initiation of the enforcement action. | vsec_controller_stop |
| enforcementSessionTimeoutInMinutes | 4320 | min: 5, max: 43200 | minute | The value assigned to this parameter represents the time during which the session exists on the vSEC Gateway. When there is no connectivity between the vSEC Controller and the vSEC Gateway, the value assigned to this parameter will not be updated by the vSEC Controller. Then, the session will be considered empty, and the enforcement of rules that contain Data Center objects will ignore it and continue to the next rule. | vsec_controller_stop |
| scannerInterval | 30 | min: 1 | second | This parameter is relevant for scanners that work in "polling" mode and not with notifications. Each Data Center (e.g., NSX / ACI) has a scanner that should be synchronized with it. Every X seconds the scanner will pull data automatically. | vsec_controller_stop |
| autoUpdateIntervalInSeconds | 30 | min: 5 | second | The autoUpdate checks the status of all the dataCenterObjects that were imported once in X seconds and updates the delta (e.g., objects were deleted, IP address was changed, etc.). | cprestart |
(4) Supported parameters for R80 vSEC Controller v2
In addition, refer to section "(2) Supported global parameters".
| Parameter | Default value | Min / Max value | Unit | Description | Command to reload the parameter's value |
| --- | --- | --- | --- | --- | --- |
| wsPort | 999 | - | - | Web Service port for Proxy, which is responsible for handling Data Centers. Note: It is not recommended to change the value of this parameter. | cprestart |
| enforcementUpdateIntervalTime | 10 | min: 1 | second | The time during which the vSEC Controller will enforce Data Center objects onto the vSEC Gateway. The action itself also takes time; the value you enter only describes the initiation of the enforcement action. | vsec_controller_stop |
| enforcementSessionTimeoutInMinutes | 4320 | min: 5, max: 43200 | minute | The value assigned to this parameter represents the time during which the session exists on the vSEC Gateway. When there is no connectivity between the vSEC Controller and the vSEC Gateway, the value assigned to this parameter will not be updated by the vSEC Controller. Then, the session will be considered empty, and the enforcement of rules that contain Data Center objects will ignore it and continue to the next rule. | vsec_controller_stop |
| autoUpdateIntervalInSeconds | 30 | min: 5 | second | The autoUpdate checks the status of all the dataCenterObjects that were imported once in X seconds and updates the delta (e.g., objects were deleted, IP address was changed, etc.). | cprestart |
The vsec.conf file also contains sections for specific Data Center types:
| Type of Data Center | Parameter | Default value | Min / Max value | Unit | Description |
| --- | --- | --- | --- | --- | --- |
| VMware NSX (# NSX scanner) | nsx.connectTimeoutInMilliseconds | 15000 | min: 5000 | millisecond | Specifies the maximum timeout when establishing a connection with a VMware NSX Data Center. |
| | nsx.readTimeoutInMilliseconds | 20000 | min: 5000 | millisecond | Specifies the maximum read timeout when a connection is established for reading VMware NSX Data Center objects. |
| VMware vCenter (# vCenter scanner) | vcenter.readTimeoutInMilliseconds | 30000 | min: 5000 | millisecond | Specifies the maximum read timeout when a connection is established for reading VMware vCenter Data Center objects. |
| AWS (# AWS scanner) | aws.connectTimeoutInMilliseconds | 60000 | min: 5000 | millisecond | Specifies the maximum timeout when establishing a connection with an Amazon Web Services (AWS) Data Center. |
| Azure (# Azure scanner) | azure.connectTimeoutInMilliseconds | 60000 | min: 5000 | millisecond | Specifies the maximum timeout when establishing a connection with a Microsoft Azure Data Center. |
| Cisco ACI (# ACI scanner) | apic.connectTimeoutInMilliseconds | 20000 | min: 5000 | millisecond | Specifies the maximum timeout when establishing a connection with a Cisco ACI Data Center. |
| | apic.readTimeoutInMilliseconds | 120000 | min: 5000 | millisecond | Specifies the maximum read timeout when a connection is established for reading Cisco ACI Data Center objects. |
| OpenStack (# OpenStack scanner) | openstack.connectTimeoutInMilliseconds | 15000 | min: 5000 | millisecond | Specifies the maximum timeout when establishing a connection with an OpenStack Data Center. |
| | openstack.readTimeoutInMilliseconds | 20000 | min: 5000 | millisecond | Specifies the maximum read timeout when a connection is established for reading OpenStack Data Center objects. |
(5) Supported parameters for R80.10 vSEC Controller
In addition, refer to section "(2) Supported global parameters".
| Parameter | Default value | Min / Max value | Unit | Description | Command to reload the parameter's value |
| --- | --- | --- | --- | --- | --- |
| wsPort | 999 | - | - | Web Service port for Proxy, which is responsible for handling Data Centers. Note: It is not recommended to change the value of this parameter. | cprestart |
| enforcementUpdateIntervalTime | 10 | min: 1 | second | The time during which the vSEC Controller will enforce Data Center objects onto the vSEC Gateway. The action itself also takes time; the value you enter only describes the initiation of the enforcement action. | vsec_controller_stop |
| enforcementSessionTimeoutInMinutes | 4320 | min: 5, max: 43200 | minute | The value assigned to this parameter represents the time during which the session exists on the vSEC Gateway. When there is no connectivity between the vSEC Controller and the vSEC Gateway, the value assigned to this parameter will not be updated by the vSEC Controller. Then, the session will be considered empty, and the enforcement of rules that contain Data Center objects will ignore it and continue to the next rule. | vsec_controller_stop |
| autoUpdateIntervalInSeconds | 30 | min: 5 | second | The autoUpdate checks the status of all the dataCenterObjects that were imported once in X seconds and updates the delta (e.g., objects were deleted, IP address was changed, etc.). | cprestart |
The vsec.conf file also contains sections for specific Data Center types:
| Type of Data Center | Parameter | Default value | Min / Max value | Unit | Description |
| --- | --- | --- | --- | --- | --- |
| VMware NSX (# NSX scanner) | nsx.connectTimeoutInMilliseconds | 15000 | min: 5000 | millisecond | Specifies the maximum timeout when establishing a connection with a VMware NSX Data Center. |
| | nsx.readTimeoutInMilliseconds | 20000 | min: 5000 | millisecond | Specifies the maximum read timeout when a connection is established for reading VMware NSX Data Center objects. |
| VMware vCenter (# vCenter scanner) | vcenter.readTimeoutInMilliseconds | 30000 | min: 5000 | millisecond | Specifies the maximum read timeout when a connection is established for reading VMware vCenter Data Center objects. |
| AWS (# AWS scanner) | aws.connectTimeoutInMilliseconds | 60000 | min: 5000 | millisecond | Specifies the maximum timeout when establishing a connection with an Amazon Web Services (AWS) Data Center. |
| Azure (# Azure scanner) | azure.connectTimeoutInMilliseconds | 60000 | min: 5000 | millisecond | Specifies the maximum timeout when establishing a connection with a Microsoft Azure Data Center. |
| Cisco ACI (# ACI scanner) | apic.connectTimeoutInMilliseconds | 20000 | min: 5000 | millisecond | Specifies the maximum timeout when establishing a connection with a Cisco ACI Data Center. |
| | apic.readTimeoutInMilliseconds | 120000 | min: 5000 | millisecond | Specifies the maximum read timeout when a connection is established for reading Cisco ACI Data Center objects. |
| OpenStack (# OpenStack scanner) | openstack.connectTimeoutInMilliseconds | 15000 | min: 5000 | millisecond | Specifies the maximum timeout when establishing a connection with an OpenStack Data Center. |
| | openstack.readTimeoutInMilliseconds | 20000 | min: 5000 | millisecond | Specifies the maximum read timeout when a connection is established for reading OpenStack Data Center objects. |
(6) Supported parameters for R80.10 CloudGuard Controller / vSEC Controller Hotfix v1 and R80.20
In addition, refer to section "(2) Supported global parameters".
| Parameter | Default value | Min / Max value | Unit | Description | Command to reload the parameter's value |
| --- | --- | --- | --- | --- | --- |
| wsPort | 999 | - | - | Web Service port for Proxy, which is responsible for handling Data Centers. Note: It is not recommended to change the value of this parameter. | cprestart |
| enforcementUpdateIntervalTime | 10 | min: 1 | second | The time during which the vSEC Controller will enforce Data Center objects onto the vSEC Gateway. The action itself also takes time; the value you enter only describes the initiation of the enforcement action. | vsec_controller_stop |
| enforcementSessionTimeoutInMinutes | 4320 | min: 5, max: 43200 | minute | The value assigned to this parameter represents the time during which the session exists on the vSEC Gateway. When there is no connectivity between the vSEC Controller and the vSEC Gateway, the value assigned to this parameter will not be updated by the vSEC Controller. Then, the session will be considered empty, and the enforcement of rules that contain Data Center objects will ignore it and continue to the next rule. | vsec_controller_stop |
| autoUpdateIntervalInSeconds | 30 | min: 5 | second | The autoUpdate checks the status of all the dataCenterObjects that were imported once in X seconds and updates the delta (e.g., objects were deleted, IP address was changed, etc.). | cprestart |
| poolMode | mds | | | When working with the central license tool, the user can choose whether to handle the licenses in system mode or domain mode. Note: This can also be set using a CLI command. In system mode, run vsec_lic_cli mode mds/domain | cprestart |
| automaticDistributionState | off | | | The value assigned to this parameter represents whether the central license tool is off or on. Note: The user can also change this value via CLI by running the command vsec_lic_cli on/off | cprestart |
| gatewayCoreUsageDataCollectionState | disable | | | The value assigned to this parameter represents whether to enable the hourly core usage report to save hourly records for each gateway (in order to be able to generate the hourly core usage report). Note: This value can be configured by using the central license menu: vsec_lic_cli. | cprestart |
| licenseCoreUsageStore | 1095 | Min=1 Max=1095 | days | The value assigned to this parameter represents the vSEC central license hourly core usage for each gateway. | cprestart |
| gatewayLicenseAllowedDownTime | 4 | Max=4 | days | The value assigned to this parameter represents the time a gateway can be down until we take its license. | cprestart |
The vsec.conf file also contains sections for specific Data Center types:
| Type of Data Center | Parameter | Default value | Min / Max value | Unit | Description |
| --- | --- | --- | --- | --- | --- |
| VMware NSX (# NSX scanner) | nsx.connectTimeoutInMilliseconds | 15000 | min: 5000 | millisecond | Specifies the maximum timeout when establishing a connection with a VMware NSX Data Center. |
| | nsx.readTimeoutInMilliseconds | 20000 | min: 5000 | millisecond | Specifies the maximum read timeout when a connection is established for reading VMware NSX Data Center objects. |
| VMware vCenter (# vCenter scanner) | vcenter.readTimeoutInMilliseconds | 30000 | min: 5000 | millisecond | Specifies the maximum read timeout when a connection is established for reading VMware vCenter Data Center objects. |
| AWS (# AWS scanner) | aws.connectTimeoutInMilliseconds | 60000 | min: 5000 | millisecond | Specifies the maximum timeout when establishing a connection with an Amazon Web Services (AWS) Data Center. |
| Azure (# Azure scanner) | azure.connectTimeoutInMilliseconds | 60000 | min: 5000 | millisecond | Specifies the maximum timeout when establishing a connection with a Microsoft Azure Data Center. |
| Cisco ACI (# ACI scanner) | apic.connectTimeoutInMilliseconds | 20000 | min: 5000 | millisecond | Specifies the maximum timeout when establishing a connection with a Cisco ACI Data Center. |
| | apic.readTimeoutInMilliseconds | 120000 | min: 5000 | millisecond | Specifies the maximum read timeout when a connection is established for reading Cisco ACI Data Center objects. |
| OpenStack (# OpenStack scanner) | openstack.connectTimeoutInMilliseconds | 15000 | min: 5000 | millisecond | Specifies the maximum timeout when establishing a connection with an OpenStack Data Center. |
| | openstack.readTimeoutInMilliseconds | 20000 | min: 5000 | millisecond | Specifies the maximum read timeout when a connection is established for reading OpenStack Data Center objects. |
| Nuage (# Nuage scanner) | nuage.connectTimeoutInMilliseconds | 15000 | 5000 | millisecond | Specifies the maximum timeout when establishing a connection with a Nuage networks VSP Data Center. |
| | nuage.readTimeoutInMilliseconds | 20000 | 5000 | millisecond | Specifies the maximum read timeout when a connection is established for reading Nuage networks VSP Data Center objects. |
| Google (# Google scanner) | google.connectTimeoutInMilliseconds | 60000 | min: 5000 | millisecond | Specifies the maximum timeout when establishing a connection with a Google Data Center. |
| ISE (# ISE scanner) | ise.connectTimeoutInMilliseconds | 60000 | min: 5000 | millisecond | Specifies the maximum timeout when establishing a connection with an ISE Data Center. |
| | ise.readTimeoutInMilliseconds | 120000 | min: 5000 | millisecond | Specifies the maximum read timeout when a connection is established for reading ISE Data Center objects. |
| | ise.threadPoolSize | 2 | | | This parameter is for Check Point internal purposes only. Note: It is not recommended to change the value of this parameter. |
| | ise.maxPageSize | 100 | | | This parameter is for Check Point internal purposes only. Note: It is not recommended to change the value of this parameter. |
Improved text in section "(2) Supported global parameters"
02 Oct 2017
Improved design of this article
Added description of new parameters introduced in R80.10
13 Feb 2017
Added the note: All configuration values are being read from the vsec.conf file only once - when vSEC Controller is being loaded. In case one of the parameters was changed, administrator should run the relevant command from the "Command to update the parameter's value" column.
Updated the min and max values of the enforcementSessionTimeoutInMinutes parameter
13 Oct 2016
Improved description of the enforcementSessionTimeoutInMinutes parameter
11 Aug 2016
First release of this article