vSEC Gateway for NSX managed by vSEC Controller
Solution

This article describes the vSEC Gateways for NSX managed by vSEC Controller.

Table of Contents

  1. Introduction to vSEC
  2. Components required for installation of vSEC Gateway for NSX managed by vSEC Controller
  3. Compatibility between vSEC Gateways for NSX and vSEC Controllers
  4. R77.30 vSEC Gateway v2 for NSX managed by R80.10 Management Server
    1. What's New
    2. Resolved Issues
    3. Installation Instructions
    4. Documentation
  5. R77.30 vSEC Gateway v2 for NSX managed by R80 vSEC Controller v2
    1. What's New
    2. Resolved Issues
    3. Installation Instructions
    4. How to upgrade to 'R77.30 vSEC Gateway v2'
    5. Documentation
  6. R77.30 vSEC Gateway v2 for NSX managed by R77.30 vSEC Controller v2
    1. What's New
    2. Resolved Issues
    3. Installation Instructions
    4. How to upgrade to 'R77.30 vSEC Controller v2'
    5. How to upgrade to 'R77.30 vSEC Gateway v2'
    6. Documentation
  7. R77.30 vSEC Gateway v1 for NSX managed by R80 vSEC Controller v1
    1. What's New
    2. Resolved Issues
    3. Installation Instructions
    4. Documentation
  8. R77.30 vSEC Gateway v1 for NSX managed by R77.30 vSEC Controller v1
    1. What's New
    2. Resolved Issues
    3. Installation Instructions
    4. Documentation
  9. R77.20 vSEC Gateway for NSX managed by R77.30 vSEC Controller (GA)
    1. Highlights
    2. Installation Instructions
    3. Documentation
  10. Revision History

 


 

(1) Introduction to vSEC

Check Point vSEC solutions and products:

vSEC solution vSEC product

vSEC for Private Cloud with SDN

(Micro-segment your data center. Secure East-West traffic between applications.)

vSEC for Public IaaS

(Secure applications and connectivity in public clouds.)

vSEC for Virtual Data Center

(Virtual Security Gateway with integration to cloud management platforms.)

 

(2) Components required for installation of vSEC Gateway for NSX managed by vSEC Controller

The following components are mandatory for installation of vSEC Gateway for NSX managed by vSEC Controller:

  • On the Management side, the following should be installed:

    1. Security Management Server / Multi-Domain Security Management Server

       Check Point Management Server is the basic infrastructure to manage Check Point Security Gateways.

    2. vSEC Controller Hotfix

       Installing this package on top of a Check Point Management Server turns it into a vSEC Controller server that is able to:

       • fetch Data Center objects from VMware NSX / VMware vCenter
       • manage vSEC Gateways for NSX

    3. vSEC Service Registration Hotfix

       This package installs modules on the Check Point vSEC Controller server that are required by VMware NSX / VMware vCenter to:

       • deploy the Check Point service in Hypervisor Mode to VMware NSX (using OVF)
       • manage vSEC Gateways for VMware NSX in Hypervisor Mode

    4. SmartConsole for vSEC Controller server

       This is the graphical UI for controlling and configuring the Check Point Management Server and its managed Check Point Security Gateways.

       The improved SmartConsole for vSEC Controller server allows the administrator to create and work with Data Center objects.

       Important Note: For Management Server R80.10 and above, use the standard SmartConsole R80.10 and above.

  • On the Gateway side, the following should be installed:

    1. vSEC Gateway for NSX - OVF template

       This is the standard OVF template that deploys a Check Point Security Gateway as a Service VM.

    2. vSEC Controller Enforcer for NSX Hotfix

       Installing this package on top of a Check Point Security Gateway turns it into a vSEC Gateway for NSX and allows it to accept a policy that contains Data Center objects from the vSEC Controller.

       Note: This package is installed as a part of the OVF on the Check Point Service VM.

Refer to the following illustration:

 

(3) Compatibility between vSEC Gateways for NSX and vSEC Controllers

The table below shows which vSEC Gateways for NSX (in the rows) can be managed by which vSEC Controllers (in the columns).

Note: Each vSEC Controller version in this table is a link to the relevant section in this article.

For example, "R77.30 vSEC Gateway v1 for NSX" can be managed only by "R77.30 vSEC Controller v1" and "R80 vSEC Controller v1".

| vSEC Gateway | R77.30 vSEC Controller (GA) | R77.30 vSEC Controller v1 | R77.30 vSEC Controller v2 | R80 vSEC Controller v1 | R80 vSEC Controller v2 | R80.10 Management Server |
|---|---|---|---|---|---|---|
| R77.30 vSEC Gateway v2 for NSX | x | x | V | x | V | V |
| R77.30 vSEC Gateway v1 for NSX | x | V | x | V | x | x |
| R77.20 vSEC Gateway for NSX | V | x | x | x | x | x |

Legend:

  •  V  = this vSEC Controller is able to manage this vSEC Gateway
  •  x  = this vSEC Controller cannot manage this vSEC Gateway

 

(4) R77.30 vSEC Gateway v2 for NSX managed by R80.10 Management Server


 

(5) R77.30 vSEC Gateway v2 for NSX managed by R80 vSEC Controller v2


 

(6) R77.30 vSEC Gateway v2 for NSX managed by R77.30 vSEC Controller v2


Note: Previously, this release was documented in sk114516.

  • (6-A) What's New

    • Improvements and stability fixes:

    • Newly Supported Features:

      • Zero Downtime Upgrade
      • HTTPS Inspection
      • Streaming IPS Protections ('Header Spoofing' and 'SYN Attack')
      • Identity Awareness Sharing
      • Improved Traffic redirection, which starts when the security policy is installed, to prevent downtime.


  • (6-B) Resolved Issues


    Note: For Known Limitations, refer to R77.30 vSEC Gateway v2 for NSX managed by R77.30 vSEC Controller v2 Known Limitations.

    | ID | Symptoms |
    |---|---|
    | 00786818 | HTTPS Inspection is not supported. |
    | 00575642 | IPS protection 'Header Spoofing' is not supported. |
    | 00527312 | IPS protection 'SYN Attack' is not supported. |
    | 00784665 | Identity Awareness blade does not support: Identity Gateway (vSEC Bundle Hotfix from sk114594 is required). |


  • (6-C) Installation Instructions

    1. Install R77.30 vSEC Controller v2:

      1. Install R77.30 GA Security Management Server / Multi-Domain Security Management Server on Gaia OS.

      2. Install R77.30 Add-on on R77.30 Security Management Server / Multi-Domain Security Management Server.

        Important Note: On Multi-Domain Security Management Server, the Add-on must be activated on the Domain Management Servers.

      3. Install only Take_185 of R77.30 Jumbo Hotfix Accumulator.

        Note: Other Takes of R77.30 Jumbo Hotfix Accumulator are not supported.

      4. Install the vSEC Bundle Hotfix:

        | Package | CPUSE Online Identifier (a) | CPUSE Offline (b,c) |
        |---|---|---|
        | Bundle Hotfix for R77.30 vSEC Controller v2 and R77.30 vSEC Gateway v2 for NSX | Check_Point_R77_30_VSEC_v2_MGMT_and_GW_FULL.tgz | (TGZ) |

        Notes:

        a. For CPUSE Online installation instructions, refer to sk92449 - sections (4-A-a) / (4-A-b) and (4-B-a).
        b. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
        c. For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).
        d. Contact Check Point Support to get the Legacy CLI package.
           Installation instructions appear in the R77.30 vSEC Gateway v2 for NSX managed by R77.30 vSEC Controller v2 Administration Guide - chapter "Installing the vSEC Controller".
      5. Install R77.30 SmartConsole and SmartDomain Manager for R77.30 vSEC Controller v2:

        | Package | Link |
        |---|---|
        | R77.30 SmartConsole and SmartDomain Manager for R77.30 vSEC Controller v2 | (EXE) |
    2. Install R77.30 vSEC Gateway v2 for NSX (Hypervisor mode):

    3. Using VMware Datacenter objects on a non-vSEC for NSX Security Gateway:

      Example topology:

      In order to use VMware Datacenter objects in security policy that is installed on a non-vSEC for NSX Security Gateway, a special Hotfix must be installed on that Security Gateway.

      Install the following images and packages on a non-vSEC for NSX Security Gateway:

      1. Install either R77.20 GA Security Gateway on Gaia OS, or R77.30 GA Security Gateway on Gaia OS.

      2. Install Jumbo Hotfix Accumulator:

      3. Install vSEC Hotfix for Security Gateway R77.20 / R77.30:

        | Package | CPUSE Online Identifier (a) | CPUSE Offline (b,c) | Legacy CLI (d) |
        |---|---|---|---|
        | vSEC Hotfix for Security Gateway R77.20 | Check_Point_R77_20_VSEC_GW_sk109576_FULL.tgz | (TGZ) | (TGZ) |
        | vSEC Hotfix for Security Gateway R77.30 | Check_Point_R77_30_VSEC_v2_MGMT_and_GW_FULL.tgz | (TGZ) | Note "d" |

        Notes:

        a. For CPUSE Online installation instructions, refer to sk92449 - sections (4-A-a) / (4-A-b) and (4-B-a).
        b. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
        c. For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).
        d. Contact Check Point Support to get the Legacy CLI package for Security Gateway R77.30.
           Installation instructions appear in the R77.30 vSEC Gateway v2 for NSX managed by R77.30 vSEC Controller v2 Administration Guide - chapter "Installing the vSEC Controller".


  • (6-D) How to upgrade to 'R77.30 vSEC Controller v2'


    If your R77.30 vSEC Controller is currently running with Take_117 of R77.30 Jumbo Hotfix Accumulator,
    then follow these steps to upgrade to Take_185 of R77.30 Jumbo Hotfix Accumulator:

    1. Install the latest build of the CPUSE Agent from sk92449: CPUSE - Gaia Software Updates on R77.30 vSEC Controller.

    2. Download this shell script package (upgrade.sh) to your computer.

    3. Transfer the shell script from your computer to R77.30 vSEC Controller (into some directory, e.g., /some_path_to_script/).

    4. Go to the directory where you have put the shell script:

      [Expert@HostName:0]# cd /some_path_to_script/
    5. Convert the script from DOS to UNIX format:

      [Expert@HostName:0]# dos2unix upgrade.sh
    6. Assign the required permissions to the shell script:

      [Expert@HostName:0]# chmod u+x upgrade.sh
    7. Execute the "upgrade" shell script to export the relevant vSEC-related configuration:

      [Expert@HostName:0]# ./upgrade.sh backup
    8. Uninstall the current vSEC Bundle Hotfix for Management Server (the "Check Point Hotfix for R77.30 vSEC Controller and R77.30 vSEC Gateway for NSX (sk109576)" package that was installed from sk109576) using the CPUSE, as described in the sk92449: CPUSE - Gaia Software Updates - section "(4-C) How to work with CPUSE - How to uninstall a CPUSE package":

      • In Gaia Portal:

        • Either select the Check Point Hotfix for R77.30 vSEC Controller and R77.30 vSEC Gateway for NSX (sk109576) package, click the More button on the toolbar, and select Uninstall
        • Or right-click the Check Point Hotfix for R77.30 vSEC Controller and R77.30 vSEC Gateway for NSX (sk109576) package and select Uninstall
      • In Gaia Clish:

        HostName> show installer packages installed
        HostName> installer uninstall[press Space key][press Tab key]
        HostName> installer uninstall <Number_of_vSEC_Bundle_Hotfix_Package>
    9. Reboot the R77.30 vSEC Controller machine.

    10. Install Take_185 of R77.30 Jumbo Hotfix Accumulator.

      Note: Other Takes of R77.30 Jumbo Hotfix Accumulator are not supported.
    11. Reboot the R77.30 vSEC Controller machine.

    12. Install the improved vSEC Bundle Hotfix for Security Management Server / Multi-Domain Security Management Server from the "(6-C) Installation Instructions" section above.

    13. Reboot the R77.30 vSEC Controller machine.

    14. Execute the "upgrade" shell script to restore the relevant vSEC-related configuration:

      [Expert@HostName:0]# cd /some_path_to_script/
      [Expert@HostName:0]# ./upgrade.sh restore
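
A pre-flight check for steps 3 to 6, added here as an example; it is not part of the Check Point article or of the upgrade.sh package. It confirms that the transferred script was converted from DOS format and made executable, and it adds one hardening check that is an assumption rather than a step on this page: the script, which runs with Expert-mode privileges, must not be writable by group or others. The function name preflight_script and its return codes are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check before running ./upgrade.sh backup.
# preflight_script and its return codes are hypothetical names.

# Returns 0 when the script passes all checks; otherwise a non-zero
# code and a reason on stderr.
preflight_script() {
    script=$1

    # Must be a regular file, not a symlink that could point elsewhere.
    if [ ! -f "$script" ] || [ -L "$script" ]; then
        echo "preflight: $script is not a regular file" >&2
        return 1
    fi

    # Step 5 (dos2unix): no line may still carry a carriage return,
    # otherwise the interpreter line and commands fail to resolve.
    cr=$(printf '\r')
    if grep -q "$cr" "$script"; then
        echo "preflight: $script still has DOS line endings" >&2
        return 2
    fi

    # Step 6 (chmod u+x): the script must be executable.
    if [ ! -x "$script" ]; then
        echo "preflight: $script is not executable" >&2
        return 3
    fi

    # Added hardening check (assumption, not a step on this page):
    # nobody but the owner may be able to modify the script.
    if [ -n "$(find "$script" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "preflight: $script is writable by group or others" >&2
        return 4
    fi
    return 0
}

# Usage on the controller, from the directory used in step 4:
#   preflight_script ./upgrade.sh && ./upgrade.sh backup
```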


  • (6-E) How to upgrade to 'R77.30 vSEC Gateway v2'


    If your vSEC Gateway for NSX is currently running the previous version "R77.30 vSEC Gateway v1 for NSX managed by R77.30 vSEC Controller v1",
    then follow these steps to upgrade from "R77.30 vSEC Gateway for NSX" to "R77.30 vSEC Gateway v2 for NSX":



  • (6-F) Documentation

 

(7) R77.30 vSEC Gateway v1 for NSX managed by R80 vSEC Controller v1


Note: Previously, this release was documented in sk111966.

 

(8) R77.30 vSEC Gateway v1 for NSX managed by R77.30 vSEC Controller v1


Note: Previously, this release was documented in sk109576.

 

(9) R77.20 vSEC Gateway for NSX managed by R77.30 vSEC Controller (GA)


Note: Previously, this release was documented in sk105297.

  • (9-A) Highlights

    • Full VMware NSX support.
    • New vSEC Controller for Cloud Orchestration and management of physical gateways.
    • R77.20 vSEC Gateway for NSX is based on Security Gateway R77.20.


  • (9-B) Installation Instructions

    1. Install R77.30 vSEC Controller (GA):

      1. Install R77.30 GA Security Management Server / Multi-Domain Security Management Server on Gaia OS.

      2. Install R77.30 Add-on on R77.30 Security Management Server / Multi-Domain Security Management Server.

        Important Note: On Multi-Domain Security Management Server, the Add-on must be activated on the Domain Management Servers.

      3. Install vSEC Bundle Hotfix for R77.30 Security Management Server / Multi-Domain Security Management Server:

        | Package | CPUSE Offline (a,b) | Legacy CLI |
        |---|---|---|
        | vSEC Bundle Hotfix for R77.30 Security Management Server and Multi-Domain Security Management Server | (TGZ) | (TGZ) |

        Notes:

        a. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
        b. For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).
      4. Install R77.30 SmartConsole and SmartDomain Manager for R77.30 vSEC Controller:

        | Package | Link |
        |---|---|
        | R77.30 SmartConsole and SmartDomain Manager for R77.30 vSEC Controller | (EXE) |
    2. Install R77.20 vSEC Gateway for NSX (Hypervisor mode):

      | Package | Link |
      |---|---|
      | R77.20 vSEC Gateway for NSX - OVF package | (TGZ) |
    3. Install vSEC Gateway for NSX in Network Mode:

      If another Check Point Security Gateway has to be installed as a regular Virtual Machine, or connected externally to an ESX/ESXi host, and this Security Gateway should be made aware of VMware Data Center objects
      (example topology: [ESXi host with Virtual Machines] --- [External Security Gateway] --- [Internet]),
      then follow these steps:

      1. Install either R77.20 GA Security Gateway on Gaia OS, or R77.30 GA Security Gateway on Gaia OS.

      2. Install vSEC Hotfix for Security Gateway R77.20 / R77.30:

        | Package | CPUSE Offline (a,b) | Legacy CLI |
        |---|---|---|
        | vSEC Hotfix for Security Gateway R77.20 | (TGZ) | (TGZ) |
        | vSEC Hotfix for Security Gateway R77.30 | (TGZ) | (TGZ) |

        Notes:

        a. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
        b. For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).


  • (9-C) Documentation

 

(10) Revision History


Date Description
22 May 2017
  • Added "R77.30 vSEC Gateway v2 for NSX managed by R80.10 Management Server"
05 Apr 2017
  • Improved "Table of Contents"
  • "Introduction to vSEC" section - added link to "vSEC for Google Cloud Platform"
05 Mar 2017
  • Clarified the "What's New" item that OVF template of "vSEC Gateway v2 for NSX" includes fixes from Take_159 of R77.30 Jumbo Hotfix Accumulator
28 Feb 2017
  • First release of this article.
