vSEC Gateway for NSX managed by vSEC Controller
Solution

This article describes the vSEC Gateways for NSX managed by vSEC Controller.

Table of Contents

  1. Introduction to vSEC
  2. Components required for installation of vSEC Gateway for NSX managed by vSEC Controller
  3. Compatibility between vSEC Gateways for NSX and vSEC Controllers
  4. R77.20 vSEC Gateway for NSX managed by R77.30 vSEC Controller (GA)
    1. Highlights
    2. Installation Instructions
    3. Documentation
  5. R77.30 vSEC Gateway v1 for NSX managed by R77.30 vSEC Controller v1
    1. What's New
    2. Resolved Issues
    3. Installation Instructions
    4. Documentation
  6. R77.30 vSEC Gateway v1 for NSX managed by R80 vSEC Controller v1
    1. What's New
    2. Resolved Issues
    3. Installation Instructions
    4. Documentation
  7. R77.30 vSEC Gateway v2 for NSX managed by R77.30 vSEC Controller v2
    1. What's New
    2. Resolved Issues
    3. Installation Instructions
    4. How to upgrade to 'R77.30 vSEC Controller v2'
    5. How to upgrade to 'R77.30 vSEC Gateway v2'
    6. Documentation
  8. R77.30 vSEC Gateway v2 for NSX managed by R80 vSEC Controller v2
    1. What's New
    2. Resolved Issues
    3. Installation Instructions
    4. How to upgrade to 'R77.30 vSEC Gateway v2'
    5. Documentation
  9. R77.30 vSEC Gateway v2 for NSX managed by R80.10 Management Server
    1. What's New
    2. Resolved Issues
    3. Installation Instructions
    4. Documentation
  10. R77.30 vSEC Gateway v4 for NSX managed by R80.10 Management Server
    1. What's New
    2. Resolved Issues
    3. Installation Instructions
    4. How to upgrade to 'R80.10 vSEC Service Registration v4'
    5. How to upgrade to 'R77.30 vSEC Gateway v4'
    6. Documentation
  11. Revision History

 


 

(1) Introduction to vSEC

Check Point vSEC solutions and products:

vSEC solution vSEC product

vSEC for Private Cloud with SDN

(Micro-segment your data center. Secure East-West traffic between applications.)

vSEC for Public IaaS

(Secure applications and connectivity in public clouds.)

vSEC for Virtual Data Center

(Virtual Security Gateway with integration to cloud management platforms.)

Refer to vSEC for NSX Architecture Overview and sk111060 - ATRG: vSEC for VMware NSX.

 

(2) Components required for installation of vSEC Gateway for NSX managed by vSEC Controller

The following components are mandatory for installation of vSEC Gateway for NSX managed by vSEC Controller:

  • On the Management side, the following should be installed:

    1. Security Management Server / Multi-Domain Security Management Server

      Check Point Management Server is the basic infrastructure to manage Check Point Security Gateways.

    2. vSEC Controller Hotfix

      Installing this package on top of Check Point Management Server turns it into vSEC Controller server that is able:

      • to fetch Data Center objects from VMware NSX / VMware vCenter
      • to manage vSEC Gateways for NSX

    3. vSEC Service Registration Hotfix

      This package installs modules on Check Point vSEC Controller server that are required by VMware NSX / VMware vCenter:

      • to deploy Check Point service in Hypervisor Mode to VMware NSX (using OVF)
      • to manage vSEC Gateways for VMware NSX in Hypervisor Mode

    4. SmartConsole for vSEC Controller server

      This is the graphical UI for controlling and configuring the Check Point Management Server and its managed Check Point Security Gateways.

      The improved SmartConsole for vSEC Controller server allows the administrator to create and work with Data Center objects.

      Important Note: For Management Server R80.10 and above, use the standard SmartConsole R80.10 and above.

  • On the Gateway side, the following should be installed:

    1. vSEC Gateway for NSX - OVF template

      This is the standard OVF template that deploys Check Point Security Gateway as Service VM.

    2. vSEC Controller Enforcer for NSX Hotfix

      Installing this package on top of Check Point Security Gateway turns it into vSEC Gateway for NSX and allows it to accept a policy that contains Data Center objects from the vSEC Controller.

      Note: This package is installed as a part of OVF on Check Point Service VM.

Refer to the following illustration:

 

(3) Compatibility between vSEC Gateways for NSX and vSEC Controllers

The table below shows which vSEC Gateways for NSX (in the rows) can be managed by which vSEC Controllers (in the columns).

Note: Each vSEC Controller version in this table is a link to the relevant section in this article.

For example, "R77.30 vSEC Gateway v1 for NSX" can be managed only by "R77.30 vSEC Controller v1" and "R80 vSEC Controller v1".

vSEC Gateway                    R77.30      R77.30      R77.30      R80         R80         R80.10
                                vSEC        vSEC        vSEC        vSEC        vSEC        Management
                                Controller  Controller  Controller  Controller  Controller  Server
                                (GA)        v1          v2          v1          v2
R77.30 vSEC Gateway v4 for NSX  x           x           x           x           x           Yes
R77.30 vSEC Gateway v2 for NSX  x           x           Yes         x           Yes         Yes
R77.30 vSEC Gateway v1 for NSX  x           Yes         x           Yes         x           x
R77.20 vSEC Gateway for NSX     Yes         x           x           x           x           x

Legend:

 Yes  = this vSEC Controller is able to manage this vSEC Gateway (click on the "Yes" to go to the relevant section)
 x  = this vSEC Controller can not manage this vSEC Gateway

 

(4) R77.20 vSEC Gateway for NSX managed by R77.30 vSEC Controller (GA)


Note: Previously, this release was documented in sk105297.

  • (4-A) Highlights

    • Full VMware NSX support.
    • New vSEC Controller for Cloud Orchestration and management of physical gateways.
    • R77.20 vSEC Gateway for NSX is based on Security Gateway R77.20.


  • (4-B) Installation Instructions

    1. Install R77.30 vSEC Controller (GA):

      1. Install R77.30 GA Security Management Server / Multi-Domain Security Management Server on Gaia OS.

      2. Install R77.30 Add-on on R77.30 Security Management Server / Multi-Domain Security Management Server.

        Important Note: On Multi-Domain Security Management Server, the Add-on must be activated on the Domain Management Servers.

      3. Install vSEC Bundle Hotfix for R77.30 Security Management Server / Multi-Domain Security Management Server:

        Package: vSEC Bundle Hotfix for R77.30 Security Management Server and Multi-Domain Security Management Server
        CPUSE Offline (a,b): (TGZ)
        Legacy CLI: (TGZ)

        Notes:

        a. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
        b. For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).
      4. Install R77.30 SmartConsole and SmartDomain Manager for R77.30 vSEC Controller:

        Package Link
        R77.30 SmartConsole and SmartDomain Manager for R77.30 vSEC Controller (EXE)
    2. Install R77.20 vSEC Gateway for NSX (Hypervisor mode):

      Package Link
      R77.20 vSEC Gateway for NSX - OVF package (TGZ)
    3. Install vSEC Gateway for NSX in Network Mode:

      If another Check Point Security Gateway has to be installed as regular Virtual Machine, or connected externally to ESX/ESXi host, and this Security Gateway should be made aware of VMware Data Center objects
      (example topology: [ESXi host with Virtual Machines] --- [External Security Gateway] --- [Internet]),
      then install:

      1. Install either R77.20 GA Security Gateway on Gaia OS, or R77.30 GA Security Gateway on Gaia OS.

      2. Install vSEC Hotfix for Security Gateway R77.20 / R77.30:

        Package: vSEC Hotfix for Security Gateway R77.20
        CPUSE Offline (a,b): (TGZ)
        Legacy CLI: (TGZ)

        Package: vSEC Hotfix for Security Gateway R77.30
        CPUSE Offline (a,b): (TGZ)
        Legacy CLI: (TGZ)

        Notes:

        a. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
        b. For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).


  • (4-C) Documentation

 

(5) R77.30 vSEC Gateway v1 for NSX managed by R77.30 vSEC Controller v1


Note: Previously, this release was documented in sk109576.

 

(6) R77.30 vSEC Gateway v1 for NSX managed by R80 vSEC Controller v1


Note: Previously, this release was documented in sk111966.

 

(7) R77.30 vSEC Gateway v2 for NSX managed by R77.30 vSEC Controller v2


Note: Previously, this release was documented in sk114516.

  • (7-A) What's New

    • Improvements and stability fixes:

      • OVF template of vSEC Gateway v2 for NSX includes fixes from General Availability Take_159 of R77.30 Jumbo Hotfix Accumulator
      • Integration of R77.30 vSEC Gateway v2 for NSX with the R77.30 vSEC Controller v2
        (that includes fixes from General Availability Take_185 of R77.30 Jumbo Hotfix Accumulator)
      • Improvements in Provisioning and Automation
    • Newly Supported Features:

      • Zero Downtime Upgrade
      • HTTPS Inspection
      • Streaming IPS Protections ('Header Spoofing' and 'SYN Attack')
      • Identity Awareness Sharing
      • Improved Traffic redirection, which starts when the security policy is installed, to prevent downtime.


  • (7-B) Resolved Issues


    Note: For Known Limitations, refer to R77.30 vSEC Gateway v2 for NSX managed by R77.30 vSEC Controller v2 Known Limitations.

    ID Symptoms
    00786818 HTTPS Inspection is not supported.
    00575642 IPS protection 'Header Spoofing' is not supported.
    00527312 IPS protection 'SYN Attack' is not supported.
    00784665 Identity Awareness blade does not support:

      • Identity Gateway (vSEC Bundle Hotfix from sk114594 is required).


  • (7-C) Installation Instructions

    1. Install R77.30 vSEC Controller v2:

      1. Install R77.30 GA Security Management Server / Multi-Domain Security Management Server on Gaia OS.

      2. Install R77.30 Add-on on R77.30 Security Management Server / Multi-Domain Security Management Server.

        Important Note: On Multi-Domain Security Management Server, the Add-on must be activated on the Domain Management Servers.

      3. Install only General Availability Take_185 of R77.30 Jumbo Hotfix Accumulator.

        Note: Other Takes of R77.30 Jumbo Hotfix Accumulator are not supported.

      4. Install the vSEC Bundle Hotfix:

        Package: Bundle Hotfix for R77.30 vSEC Controller v2 and R77.30 vSEC Gateway v2 for NSX
        CPUSE Online Identifier (a): Check_Point_R77_30_VSEC_v2_MGMT_and_GW_FULL.tgz
        CPUSE Offline (b,c): (TGZ)

        Notes:

        a. For CPUSE Online installation instructions, refer to sk92449 - sections (4-A-a) / (4-A-b) and (4-B-a).
        b. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
        c. For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).
        d. Contact Check Point Support to get the Legacy CLI package.
          Installation instructions appear in the R77.30 vSEC Gateway v2 for NSX managed by R77.30 vSEC Controller v2 Administration Guide - chapter "Installing the vSEC Controller".
      5. Install R77.30 SmartConsole and SmartDomain Manager for R77.30 vSEC Controller v2:

        Package Link
        R77.30 SmartConsole and SmartDomain Manager for R77.30 vSEC Controller v2 (EXE)
    2. Install R77.30 vSEC Gateway v2 for NSX (Hypervisor mode):

    3. Using VMware Datacenter objects on a non-vSEC for NSX Security Gateway:

      Example topology:

      In order to use VMware Datacenter objects in security policy that is installed on a non-vSEC for NSX Security Gateway, a special Hotfix must be installed on that Security Gateway.

      Install the following images and packages on a non-vSEC for NSX Security Gateway:

      1. Install either R77.20 GA Security Gateway on Gaia OS, or R77.30 GA Security Gateway on Gaia OS.

      2. Install Jumbo Hotfix Accumulator:

      3. Install vSEC Hotfix for Security Gateway R77.20 / R77.30:

        Package: vSEC Hotfix for Security Gateway R77.20
        CPUSE Online Identifier (a): Check_Point_R77_20_VSEC_GW_sk109576_FULL.tgz
        CPUSE Offline (b,c): (TGZ)
        Legacy CLI (d): (TGZ)

        Package: vSEC Hotfix for Security Gateway R77.30
        CPUSE Online Identifier (a): Check_Point_R77_30_VSEC_v2_MGMT_and_GW_FULL.tgz
        CPUSE Offline (b,c): (TGZ)
        Legacy CLI (d): Note "d"

        Notes:

        a. For CPUSE Online installation instructions, refer to sk92449 - sections (4-A-a) / (4-A-b) and (4-B-a).
        b. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
        c. For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).
        d. Contact Check Point Support to get the Legacy CLI package for Security Gateway R77.30.
          Installation instructions appear in the R77.30 vSEC Gateway v2 for NSX managed by R77.30 vSEC Controller v2 Administration Guide - chapter "Installing the vSEC Controller".


  • (7-D) How to upgrade to 'R77.30 vSEC Controller v2'


    If your R77.30 vSEC Controller is currently running with Take_117 of R77.30 Jumbo Hotfix Accumulator,
    then follow these steps to upgrade to Take_185 of R77.30 Jumbo Hotfix Accumulator:

    1. On the R77.30 vSEC Controller, install the latest build of the CPUSE Agent from sk92449: CPUSE - Gaia Software Updates.

    2. Download this shell script package (upgrade.sh) to your computer.

    3. Transfer the shell script from your computer to R77.30 vSEC Controller (into some directory, e.g., /some_path_to_script/).

    4. Go to the directory where you have put the shell script:

      [Expert@HostName:0]# cd /some_path_to_script/
    5. Convert the script from DOS to UNIX format:

      [Expert@HostName:0]# dos2unix upgrade.sh
    6. Assign the required permissions to the shell script:

      [Expert@HostName:0]# chmod u+x upgrade.sh
    7. Execute the "upgrade" shell script to export the relevant vSEC-related configuration:

      [Expert@HostName:0]# ./upgrade.sh backup
    8. Uninstall the current vSEC Bundle Hotfix for Management Server (the "Check Point Hotfix for R77.30 vSEC Controller and R77.30 vSEC Gateway for NSX (sk109576)" package that was installed from sk109576) using CPUSE, as described in sk92449: CPUSE - Gaia Software Updates - section "(4-C) How to work with CPUSE - How to uninstall a CPUSE package":

      • In Gaia Portal:

        • Either select the Check Point Hotfix for R77.30 vSEC Controller and R77.30 vSEC Gateway for NSX (sk109576) package - click on More button on the toolbar, and select Uninstall
        • Or right-click on the Check Point Hotfix for R77.30 vSEC Controller and R77.30 vSEC Gateway for NSX (sk109576) package and select Uninstall
      • In Gaia Clish:

        HostName> show installer packages installed
        HostName> installer uninstall[press Space key][press Tab key]
        HostName> installer uninstall <Number_of_vSEC_Bundle_Hotfix_Package>
    9. Reboot the R77.30 vSEC Controller machine.

    10. Install General Availability Take_185 of R77.30 Jumbo Hotfix Accumulator.

      Note: Other Takes of R77.30 Jumbo Hotfix Accumulator are not supported.
    11. Reboot the R77.30 vSEC Controller machine.

    12. Install the improved vSEC Bundle Hotfix for Security Management Server / Multi-Domain Security Management Server from the "(7-C) Installation Instructions" section above.

    13. Reboot the R77.30 vSEC Controller machine.

    14. Execute the "upgrade" shell script to restore the relevant vSEC-related configuration:

      [Expert@HostName:0]# cd /some_path_to_script/
      [Expert@HostName:0]# ./upgrade.sh restore


  • (7-E) How to upgrade to 'R77.30 vSEC Gateway v2'


    If your vSEC Gateway for NSX is currently running the previous version "R77.30 vSEC Gateway v1 for NSX managed by R77.30 vSEC Controller v1",
    then follow these steps to upgrade from "R77.30 vSEC Gateway for NSX" to "R77.30 vSEC Gateway v2 for NSX":



  • (7-F) Documentation

 

(8) R77.30 vSEC Gateway v2 for NSX managed by R80 vSEC Controller v2


 

(9) R77.30 vSEC Gateway v2 for NSX managed by R80.10 Management Server


 

(10) R77.30 vSEC Gateway v4 for NSX managed by R80.10 Management Server

  • (10-A) What's New

    • Integration of R77.30 vSEC Gateway v4 for NSX with the new R80.10 Management Server (sk111841).

    • OVF template of vSEC Gateway v4 for NSX includes fixes from General Availability Take_216 of R77.30 Jumbo Hotfix Accumulator

    • Significant performance improvement with NSX 6.3.2, with the VMware Network Extensibility (NetX) scale

    • IPv6 support

    • Support of "Reject" action in firewall rulebase

    • Support for using vSEC for NSX Gateway as TAP/Monitor device (sk101670)

    • Failure policy can be changed for services that have already been deployed

    • Bug fixes



  • (10-B) Resolved Issues


    For Known Limitations, refer to:

    ID Symptoms
    01502922 The firewall rulebase 'Reject' action is not supported.
    Rules with action 'Reject' will behave similarly to Rules with action 'Drop'.
    00631138 IPv6 is not supported.


  • (10-C) Installation Instructions

    1. Install R80.10 Management Server:

      1. Refer to sk111841 - Check Point R80.10

        1. Install R80.10 Security Management Server / Multi-Domain Security Management Server
          (or upgrade from R80 vSEC Controller v2)
        2. Install R80.10 SmartConsole for R80.10 Management Server
        3. Enable the vSEC Controller by running the "vsec on" command
          (refer to the R80.10 vSEC Controller Administration Guide -
          chapter "Integrating with Data Center Servers" - section "Enabling the vSEC Controller")
      2. Install vSEC Service Registration v4 Hotfix on R80.10 Management Server:

        Important Note: The API Server must be enabled (it is by default) on the R80.10 Management Server for the vSEC Service Registration v4 Hotfix to function properly (to check the current state, run the "api status" command).

        Package: vSEC Service Registration v4 Hotfix for R80.10 Management Server
        CPUSE Online Identifier (a): Check_Point_R80.10_vSEC_Service_Hotfix4_FULL.tgz
        CPUSE Offline (b,c): (TGZ)

        Notes:

        a. For CPUSE Online installation instructions, refer to sk92449 - sections (4-A-a) / (4-A-b) and (4-B-a).
        b. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
        c. For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).
    2. Install R77.30 vSEC Gateway v4 for NSX (Hypervisor mode):

      Package Link
      R77.30 vSEC Gateway v4 for NSX - OVF package (a) (TGZ)
      R77.30 vSEC Gateway v4 for NSX - Upgrade package (b) (TGZ)

      Notes:

      a. Installation instructions appear in the R77.30 vSEC Gateway v4 for NSX managed by R80.10 Management Server Administration Guide - chapter "Configuring the Management Server" - section "Installing the vSEC Gateway OVF Files".
      b. Refer to the section "(10-E) How to upgrade to 'R77.30 vSEC Gateway v4'".


  • (10-D) How to upgrade to 'R80.10 vSEC Service Registration v4'


    Refer to vSEC Gateway for NSX managed by R80.10 Management Server Administration Guide - chapter "Upgrading the Service".

    To upgrade an R80 vSEC Controller v2 with "vSEC Service Registration v2 Hotfix" installed, or an R80.10 Management Server with "vSEC Service Registration v3 Hotfix" installed, to R80.10 Management Server with "vSEC Service Registration v4 Hotfix", follow these steps:

    1. Uninstall the current "vSEC Service Registration v3 Hotfix".

      Refer to vSEC Gateway for NSX managed by R80.10 Management Server Administration Guide - chapter "Installing the vSEC Service Registration Hotfix" - section "Uninstalling the Hotfix".

    2. Reboot the Management Server.

    3. On R80 vSEC Controller v2 server, upgrade to R80.10 and reboot.

    4. Install the vSEC Service Registration v4 Hotfix for R80.10 Management Server.

    5. Reboot the R80.10 Management Server.

    6. Configure the vSEC Management Server properties:

      Refer to vSEC Gateway for NSX managed by R80.10 Management Server Administration Guide - chapter "Configuring the Management Server" - section "Configuring the vSEC Management Server Properties".

      1. Connect to the command line on the R80.10 Security Management Server / Multi-Domain Security Management Server.

      2. On Multi-Domain Security Management Server, the following steps must be performed in the context of each relevant Domain Management Server:

        [Expert@HostName:0]# mdsenv <IP address or Name of Domain Security Management Server>
      3. Go to the vSEC Configuration Menu:

        [Expert@HostName:0]# vsec_config
      4. From the menu, select VMware Configuration.

      5. Press n to configure manually.

      6. Select Change Global configuration - select Service Manager Credentials.

      7. For each NSX that has the service registered, update the Service Manager Credentials.

        Notes:

        • These credentials are given to the NSX Manager, which uses them as identification for all operations done by the vSEC Management Server.
        • Make sure the administrator has Management API login permission.
        • In a Multi-Domain Server environment, make sure the administrator has permissions on the relevant Domain for the Domain Management Server.


  • (10-E) How to upgrade to 'R77.30 vSEC Gateway v4'


    You can upgrade the "R77.30 vSEC Gateway v1 for NSX" / "R77.30 vSEC Gateway v2 for NSX" to "R77.30 vSEC Gateway v4 for NSX" using either the CPUSE hotfix package, or the new OVF files.

    Refer to vSEC Gateway for NSX managed by R80.10 Management Server Administration Guide - chapter "Upgrading the vSEC Gateway for NSX".



  • (10-F) Documentation

 

(11) Revision History


Date Description
11 July 2017
10 July 2017
  • Added "R77.30 vSEC Gateway v4 for NSX managed by R80.10 Management Server"
  • Improved "Compatibility between vSEC Gateways for NSX and vSEC Controllers"
22 May 2017
  • Added "R77.30 vSEC Gateway v2 for NSX managed by R80.10 Management Server"
05 Apr 2017
  • Improved "Table of Contents"
  • "Introduction to vSEC" section - added link to "vSEC for Google Cloud Platform"
05 Mar 2017
  • Clarified the "What's New" item that OVF template of "vSEC Gateway v2 for NSX" includes fixes from General Availability Take_159 of R77.30 Jumbo Hotfix Accumulator
28 Feb 2017
  • First release of this article.
Applies To:
  • This SK replaces sk105297, sk109576, sk111966, sk114516
