Support Center > Search Results > SecureKnowledge Details
vSEC Gateway for NSX /CloudGuard for NSX managed by vSEC Controller/CloudGuard Controller
Solution

This article describes the vSEC/CloudGuard Gateways for NSX managed by vSEC/CloudGuard Controller.

Table of Contents

  1. Introduction to vSEC
  2. Components required for installation of vSEC Gateway for NSX managed by vSEC Controller
  3. Compatibility between vSEC Gateways for NSX and vSEC Controllers
  4. R77.20 vSEC Gateway for NSX managed by R77.30 vSEC Controller (GA)
    1. Highlights
    2. Installation Instructions
    3. Documentation
  5. R77.30 vSEC Gateway v1 for NSX managed by R77.30 vSEC Controller v1
    1. What's New
    2. Resolved Issues
    3. Installation Instructions
    4. Documentation
  6. R77.30 vSEC Gateway v1 for NSX managed by R80 vSEC Controller v1
    1. What's New
    2. Resolved Issues
    3. Installation Instructions
    4. Documentation
  7. R77.30 vSEC Gateway v2 for NSX managed by R77.30 vSEC Controller v2
    1. What's New
    2. Resolved Issues
    3. Installation Instructions
    4. How to upgrade to 'R77.30 vSEC Controller v2'
    5. How to upgrade to 'R77.30 vSEC Gateway v2'
    6. Documentation
  8. R77.30 vSEC Gateway v2 for NSX managed by R80 vSEC Controller v2
    1. What's New
    2. Resolved Issues
    3. Installation Instructions
    4. How to upgrade to 'R77.30 vSEC Gateway v2'
    5. Documentation
  9. R77.30 vSEC Gateway v2 for NSX managed by R80.10 Management Server
    1. What's New
    2. Resolved Issues
    3. Installation Instructions
    4. Documentation
  10. R77.30 vSEC Gateway v4 for NSX managed by R80.10 Management Server
    1. What's New
    2. Resolved Issues
    3. Installation Instructions
    4. How to upgrade to 'R80.10 vSEC Service Registration v4'
    5. How to upgrade to 'R77.30 vSEC Gateway v4'
    6. Documentation
  11. R80.10 CloudGuard Gateway for NSX managed by R80.10 Management Server
    1. What's New
    2. Resolved Issues
    3. Installation Instructions
    4. How to upgrade the CoudGuard Service registration
    5. How to upgrade to 'R80.10 CoudGuard Gateway for NSX'
    6. Documentation
  12. Revision History

 

Click Here to Show the Entire Article

 

(1) Introduction to vSEC

Check Point vSEC solutions and products:

vSEC solution vSEC product

vSEC for Private Cloud with SDN

(Micro-segment your data center. Secure East-West traffic between applications.)

vSEC for Public IaaS

(Secure applications and connectivity in public clouds.)

vSEC for Virtual Data Center

(Virtual Security Gateway with integration to cloud management platforms.)

Refer to vSEC for NSX Architecture Overview and sk111060 - ATRG: vSEC for VMware NSX.

 

(2) Components required for installation of vSEC Gateway for NSX managed by vSEC Controller

The following components are mandatory for installation of vSEC Gateway for NSX managed by vSEC Controller:

  • On the Management side, the following should be installed:

    # Component Description
    1

    Security Management Server /
    Multi-Domain Security Management Server

    Check Point Management Server is the basic infrastructure to manage Check Point Security Gateways.

    2

    vSEC Controller Hotfix

    Installing this package on top of Check Point Management Server turns it into vSEC Controller server that is able:

    • to fetch Data Center objects from VMware NSX / VMware vCenter

    • to manage vSEC Gateways for NSX

    3

    vSEC Service Registration Hotfix

    This package installs modules on Check Point vSEC Controller server that are required by VMware NSX / VMware vCenter:

    • to deploy Check Point service in Hypervisor Mode to VMware NSX (using OVF)

    • to manage vSEC Gateways for VMware NSX in Hypervisor Mode

    4

    SmartConsole for vSEC Controller server

    This is the graphical UI for controlling and configuring the Check Point Management Server and its managed Check Point Security Gateways.

    The improved SmartConsole for vSEC Controller server allows the administrator to create and work with Data Center objects.

    Important Note: For Management Server R80.10 and above, use the standard SmartConsole R80.10 and above.

  • On the Gateway side, the following should be installed:

    # Component Description
    1

    SEC Gateway for NSX - OVF template

    This is the standard OVF template that deploys Check Point Security Gateway as Service VM.

    2

    vSEC Controller Enforcer for NSX Hotfix

    Installing this package on top of Check Point Security Gateway turns it into vSEC Gateway for NSX and allows it to accept a policy that contains Data Center objects from the vSEC Controller.

    Note: This package is installed as a part of OVF on Check Point Service VM.

Refer to the following illustration:

 

(3) Compatibility between vSEC/CloudGuard Gateways for NSX and vSEC/CloudGuard Controllers

The table below shows which vSEC Gateways for NSX (in the rows) can be managed by which vSEC Controllers (in the columns).

Note: Each vSEC Controller version in this table is a link to the relevant section in this article.

For example, "R77.30 vSEC Gateway v1 for NSX" can be managed only by "R77.30 vSEC Controller v1" and "R80 vSEC Controller v1".

  R77.30
vSEC
Controller (GA)
R77.30
vSEC
Controller v1
R77.30
vSEC
Controller v2
R80
vSEC
Controller v1
R80
vSEC
Controller v2
R80.10
Management
Server
R80.10 CloudGuard Gateway for NSX HF (T154)  x  x  yes
R80.10 CloudGuard Gateway for NSX x x x x x yes
R77.30 vSEC Gateway v4 for NSX x x x x x Yes
R77.30 vSEC Gateway v2 for NSX x x Yes x Yes Yes
R77.30 vSEC Gateway v1 for NSX x Yes x Yes x x
R77.20 vSEC Gateway for NSX Yes x x x x x

Legend:

 Yes  = this vSEC Controller is able to manage this vSEC Gateway (click on the "Yes" to go to the relevant section)
 x  = this vSEC Controller can not manage this vSEC Gateway

 

(4) R77.20 vSEC Gateway for NSX managed by R77.30 vSEC Controller (GA)

Click Here to Show the Entire section

Note: Previously, this release was documented in sk105297.

  • (4-A) Highlights

    Show / Hide this sub-section
    • Full VMware NSX support.
    • New vSEC Controller for Cloud Orchestration and management of physical gateways.
    • R77.20 vSEC Gateway for NSX is based on Security Gateway R77.20.


  • (4-B) Installation Instructions

    Show / Hide this sub-section
    1. Install R77.30 vSEC Controller (GA):

      1. Install R77.30 GA Security Management Server / Multi-Domain Security Management Server on Gaia OS.

      2. Install R77.30 Add-on on R77.30 Security Management Server / Multi-Domain Security Management Server.

        Important Note: On Multi-Domain Security Management Server, the Add-on must be activated on the Domain Management Servers.

      3. Install vSEC Bundle Hotfix for R77.30 Security Management Server / Multi-Domain Security Management Server:

        Package CPUSE
        Offline (a,b)
        Legacy
        CLI
        vSEC Bundle Hotfix for R77.30 Security Management Server
        and Multi-Domain Security Management Server
        (TGZ) (TGZ)

        Notes:

        1. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
        2. For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).
      4. Install R77.30 SmartConsole and SmartDomain Manager for R77.30 vSEC Controller:

        Package Link
        R77.30 SmartConsole and SmartDomain Manager
        for R77.30 vSEC Controller
        (EXE)
    2. Install R77.20 vSEC Gateway for NSX (Hypervisor mode):

      Package Link
      R77.20 vSEC Gateway for NSX - OVF package (TGZ)
    3. Install vSEC Gateway for NSX in Network Mode:

      If another Check Point Security Gateway has to be installed as regular Virtual Machine, or connected externally to ESX/ESXi host, and this Security Gateway should be made aware of VMware Data Center objects
      (example topology: [ESXi host with Virtual Machines] --- [External Security Gateway] --- [Internet]),
      then install:

      1. Install either R77.20 GA Security Gateway on Gaia OS, or R77.30 GA Security Gateway on Gaia OS.

      2. Install vSEC Hotfix for Security Gateway R77.20 / R77.30:

        Package CPUSE
        Offline (a,b)
        Legacy
        CLI
        vSEC Hotfix for Security Gateway R77.20 (TGZ) (TGZ)
        vSEC Hotfix for Security Gateway R77.30 (TGZ) (TGZ)

        Notes:

        1. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
        2. For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).


  • (4-C) Documentation

 

(5) R77.30 vSEC Gateway v1 for NSX managed by R77.30 vSEC Controller v1

Click Here to Show the Entire section

Note: Previously, this release was documented in sk109576.

 

(6) R77.30 vSEC Gateway v1 for NSX managed by R80 vSEC Controller v1

Click Here to Show the Entire section

Note: Previously, this release was documented in sk111966.

 

(7) R77.30 vSEC Gateway v2 for NSX managed by R77.30 vSEC Controller v2

Click Here to Show the Entire section

Note: Previously, this release was documented in sk114516.

  • (7-A) What's New

    Show / Hide this sub-section
    • Improvements and stability fixes:

      • OVF template of vSEC Gateway v2 for NSX includes fixes from General Availability Take_159 of R77.30 Jumbo Hotfix Accumulator
      • Integration of R77.30 vSEC Gateway v2 for NSX with the R77.30 vSEC Controller v2
        (that includes fixes from General Availability Take_185 of R77.30 Jumbo Hotfix Accumulator)
      • Improvements in Provisioning and Automation
    • Newly Supported Features:

      • Zero Downtime Upgrade
      • HTTPS Inspection
      • Streaming IPS Protections ('Header Spoofing' and 'SYN Attack')
      • Identity Awareness Sharing
      • Improved Traffic redirection, which starts when the security policy is installed, to prevent downtime.


  • (7-B) Resolved Issues

    Show / Hide this sub-section

    Note: For Known Limitations, refer to R77.30 vSEC Gateway v2 for NSX managed by R77.30 vSEC Controller v2 Known Limitations.

    ID Symptoms
    00786818 HTTPS Inspection is not supported.
    00575642 IPS protection 'Header Spoofing' is not supported.
    00527312 IPS protection 'SYN Attack' is not supported.
    00784665

    Identity Awareness blade does not support:

    • Identity Gateway (vSEC Bundle Hotfix from sk114594 is required).


  • (7-C) Installation Instructions

    Show / Hide this sub-section
    1. Install R77.30 vSEC Controller v2:

      1. Install R77.30 GA Security Management Server / Multi-Domain Security Management Server on Gaia OS.

      2. Install R77.30 Add-on on R77.30 Security Management Server / Multi-Domain Security Management Server.

        Important Note: On Multi-Domain Security Management Server, the Add-on must be activated on the Domain Management Servers.

      3. Install only General Availability Take_185 of R77.30 Jumbo Hotfix Accumulator.

        Note: Other Takes of R77.30 Jumbo Hotfix Accumulator are not supported.

      4. Install the vSEC Bundle Hotfix:

        Package CPUSE
        Online Identifier (a)
        CPUSE
        Offline (b,c)
        Bundle Hotfix for R77.30 vSEC Controller v2 and
        R77.30 vSEC Gateway v2 for NSX
        Check_Point_R77_30_VSEC_v2_MGMT_and_GW_FULL.tgz (TGZ)
        Show / Hide the Notes
        1. For CPUSE Online installation instructions, refer to sk92449 - sections (4-A-a) / (4-A-b) and (4-B-a).
        2. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
        3. For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).
        4. Contact Check Point Support to get the Legacy CLI package.
          Installation instructions appear in the R77.30 vSEC Gateway v2 for NSX managed by R77.30 vSEC Controller v2 Administration Guide - chapter "Installing the vSEC Controller".
      5. Install R77.30 SmartConsole and SmartDomain Manager for R77.30 vSEC Controller v2:

        Package Link
        R77.30 SmartConsole and SmartDomain Manager
        for R77.30 vSEC Controller v2
        (EXE)
        Show / Hide the Notes
    2. Install R77.30 vSEC Gateway v2 for NSX (Hypervisor mode):

    3. Using VMware Datacenter objects on a non-vSEC for NSX Security Gateway:

      Example topology:

      In order to use VMware Datacenter objects in security policy that is installed on a non-vSEC for NSX Security Gateway, a special Hotfix must be installed on that Security Gateway.

      Install the following images and packages on a non-vSEC for NSX Security Gateway:

      1. Install either R77.20 GA Security Gateway on Gaia OS , or R77.30 GA Security Gateway on Gaia OS.

      2. Install Jumbo Hotfix Accumulator:

      3. Install vSEC Hotfix for Security Gateway R77.20 / R77.30:

        Package CPUSE
        Online Identifier (a)
        CPUSE
        Offline (b,c)
        Legacy
        CLI (d)
        vSEC Hotfix for Security Gateway R77.20 Check_Point_R77_20_VSEC_GW_sk109576_FULL.tgz (TGZ) (TGZ)
        vSEC Hotfix for Security Gateway R77.30 Check_Point_R77_30_VSEC_v2_MGMT_and_GW_FULL.tgz (TGZ) Note "d"
        Show / Hide the Notes
        1. For CPUSE Online installation instructions, refer to sk92449 - sections (4-A-a) / (4-A-b) and (4-B-a).
        2. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
        3. For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).
        4. Contact Check Point Support to get the Legacy CLI package for Security Gateway R77.30.
          Installation instructions appear in the R77.30 vSEC Gateway v2 for NSX managed by R77.30 vSEC Controller v2 Administration Guide - chapter "Installing the vSEC Controller".


  • (7-D) How to upgrade to 'R77.30 vSEC Controller v2'

    Show / Hide this sub-section

    If your R77.30 vSEC Controller is currently running with Take_117 of R77.30 Jumbo Hotfix Accumulator,
    then follow these steps to upgrade to Take_185 of R77.30 Jumbo Hotfix Accumulator:

    1. Install the latest build of the CPUSE Agent from sk92449: CPUSE - Gaia Software Updates on R77.30 vSEC Controller.

    2. Download this shell script package (upgrade.sh) to your computer.

    3. Transfer the shell script from your computer to R77.30 vSEC Controller (into some directory, e.g., /some_path_to_script/).

    4. Go to the directory where you have put the shell script:

      [Expert@HostName:0]# cd /some_path_to_script/
    5. Convert the script from DOS to UNIX format:

      [Expert@HostName:0]# dos2unix upgrade.sh
    6. Assign the required permissions to the shell script:

      [Expert@HostName:0]# chmod u+x upgrade.sh
    7. Execute the "upgrade" shell script to export the relevant vSEC-related configuration:

      [Expert@HostName:0]# ./upgrade.sh backup
    8. Uninstall the current vSEC Bundle Hotfix for Management Server (the "Check Point Hotfix for R77.30 vSEC Controller and R77.30 vSEC Gateway for NSX (sk109576)" package that was installed from sk109576) using the CPUSE, as described in the sk92449: CPUSE - Gaia Software Updates - section "(4-C) How to work with CPUSE - How to uninstall a CPUSE package":

      • In Gaia Portal:

        • Either select the Check Point Hotfix for R77.30 vSEC Controller and R77.30 vSEC Gateway for NSX (sk109576) package - click on More button on the toolbar, and select Uninstall
        • Or right-click on the Check Point Hotfix for R77.30 vSEC Controller and R77.30 vSEC Gateway for NSX (sk109576) package and select Uninstall
      • In Gaia Clish:

        HostName> show installer packages installed
        HostName> installer uninstall[press Space key][press Tab key]
        HostName> installer uninstall <Number_of_vSEC_Bundle_Hotfix_Package>
    9. Reboot the R77.30 vSEC Controller machine.

    10. Install General Availability Take_185 of R77.30 Jumbo Hotfix Accumulator.

      Note: Other Takes of R77.30 Jumbo Hotfix Accumulator are not supported.
    11. Reboot the R77.30 vSEC Controller machine.

    12. Install the improved vSEC Bundle Hotfix for Security Management Server / Multi-Domain Security Management Server from the "(7-C) Installation Instructions" section above.

    13. Reboot the R77.30 vSEC Controller machine.

    14. Execute the "upgrade" shell script to restore the relevant vSEC-related configuration:

      [Expert@HostName:0]# cd /some_path_to_script/
      [Expert@HostName:0]# ./upgrade.sh restore


  • (7-E) How to upgrade to 'R77.30 vSEC Gateway v2'

    Show / Hide this sub-section

    If your vSEC Gateway for NSX is currently running the previous version "R77.30 vSEC Gateway v1 for NSX managed by R77.30 vSEC Controller v1",
    then follow these steps to upgrade from "R77.30 vSEC Gateway for NSX" to "R77.30 vSEC Gateway v2 for NSX":



  • (7-F) Documentation

 

(8) R77.30 vSEC Gateway v2 for NSX managed by R80 vSEC Controller v2

Click Here to Show the Entire section

 

(9) R77.30 vSEC Gateway v2 for NSX managed by R80.10 Management Server

Click Here to Show the Entire section

 

(10) R77.30 vSEC Gateway v4 for NSX managed by R80.10 Management Server

Click Here to Show the Entire section
  • (10-A) What's New

    Show / Hide this sub-section
    • Integration of R77.30 vSEC Gateway v4 for NSX with the new R80.10 Management Server (sk111841).

    • OVF template of vSEC Gateway v4 for NSX includes fixes from General Availability Take_216 of R77.30 Jumbo Hotfix Accumulator

    • Significant performance improvement with NSX 6.3.2, with the VMware Network Extensibility (NetX) scale

    • IPv6 support

    • Support of "Reject" action in firewall rulebase

    • Support for using vSEC for NSX Gateway as TAP/Monitor device (sk101670)

    • Failure policy can be changed for services that have already been deployed

    • Bug fixes



  • (10-B) Resolved Issues

    Show / Hide this sub-section

    For Known Limitations, refer to:

    ID Symptoms
    01502922 The firewall rulebase 'Reject' action is not supported.
    Rules with action 'Reject' will behave similarly to Rules with action 'Drop'.
    00631138 IPv6 is not supported.


  • (10-C) Installation Instructions

    Show / Hide this sub-section
    1. Install R80.10 Management Server:

      1. Refer to sk111841 - Check Point R80.10

        1. Install R80.10 Security Management Server / Multi-Domain Security Management Server
          (or upgrade from R80 vSEC Controller v2)
        2. Install R80.10 SmartConsole for R80.10 Management Server
        3. Enable the vSEC Controller by running the "vsec on" command
          (refer to the R80.10 vSEC Controller Administration Guide -
          chapter "Integrating with Data Center Servers" - section "Enabling the vSEC Controller")
      2. Install vSEC Service Registration v4 Hotfix on R80.10 Management Server:

        Important Note: API Server must be enabled (it is by default) on R80.10 Management Server, so that vSEC Service Registration v4 Hotfix could function properly (to check the current state, run the "api status" command).

        Package CPUSE
        Online Identifier
        CPUSE
        Offline
        vSEC Service Registration v4 Hotfix
        for R80.10 Management Server
        Check_Point_R80.10_vSEC_Service_Hotfix4_FULL.tgz (a) Contact Customer Support
        Show / Hide the Notes
        1. For CPUSE Online installation instructions, refer to sk92449 - sections (4-A-a) / (4-A-b) and (4-B-a).
        2. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
        3. For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).
    2. Install R77.30 vSEC Gateway v4 for NSX (Hypervisor mode):

      Package Link
      R77.30 vSEC Gateway v4 for NSX - OVF package (a) (TGZ)
      R77.30 vSEC Gateway v4 for NSX - Upgrade package (b) (TGZ)
      Show / Hide the Notes
      1. Installation instructions appear in the R77.30 vSEC Gateway v4 for NSX managed by R80.10 Management Server Administration Guide - chapter "Configuring the Management Server" - section "Installing the vSEC Gateway OVF Files".
      2. Refer to the section "(10-E) How to upgrade to 'R77.30 vSEC Gateway v4'".


  • (10-D) How to upgrade to 'R80.10 vSEC Service Registration v4'

    Show / Hide this sub-section

    Refer to vSEC Gateway for NSX managed by R80.10 Management Server Administration Guide - chapter "Upgrading the Service".

    Follow these steps on R80 vSEC Controller v2 with installed "vSEC Service Registration v2 Hotfix" / R80.10 Management Server with installed "vSEC Service Registration v3 Hotfix" in order to upgrade it to R80.10 Management Server with "vSEC Service Registration v4 Hotfix":

    1. Uninstall the current "vSEC Service Registration v3 Hotfix".

      Refer to vSEC Gateway for NSX managed by R80.10 Management Server Administration Guide - chapter "Installing the vSEC Service Registration Hotfix" - section "Uninstalling the Hotfix".

    2. Reboot the Management Server.

    3. On R80 vSEC Controller v2 server, upgrade to R80.10 and reboot.

    4. Install the vSEC Service Registration v4 Hotfix for R80.10 Management Server.

    5. Reboot the R80.10 Management Server.

    6. Configure the vSEC Management Server properties:

      Refer to vSEC Gateway for NSX managed by R80.10 Management Server Administration Guide - chapter "Configuring the Management Server" - section "Configuring the vSEC Management Server Properties".

      1. Connect to the command line on the R80.10 Security Management Server / Multi-Domain Security Management Server.

      2. On Multi-Domain Security Management Server, the following steps must be performed in the context of each relevant Domain Management Server:

        [Expert@HostName:0]# mdsenv <IP address or Name of Domain Security Management Server>
      3. Go to the vSEC Configuration Menu:

        [Expert@HostName:0]# vsec_config
      4. From the menu, select VMware Configuration.

      5. Press n to configure manually.

      6. Select Change Global configuration - select Service Manager Credentials.

      7. For each NSX that has the service registered, update the Service Manager Credentials.

        Notes:

        • These credentials are given to the NSX Manager that uses the credentials as identification for all the operations done by the vSEC Management Server.
        • Make sure the administrator has Management API login permission.
        • In a Multi-Domain Server environment, make sure the administrator has permissions on the relevant Domain for the Domain Management Server.


  • (10-E) How to upgrade to 'R77.30 vSEC Gateway v4'

    Show / Hide this sub-section

    You can upgrade the "R77.30 vSEC Gateway v1 for NSX" / "R77.30 vSEC Gateway v2 for NSX" to "R77.30 vSEC Gateway v4 for NSX" using either the CPUSE hotfix package, or the new OVF files.

    Refer to vSEC Gateway for NSX managed by R80.10 Management Server Administration Guide - chapter "Upgrading the vSEC Gateway for NSX".



  • (10-F) Documentation

(11) R80.10 CloudGuard Gateway for NSX managed by R80.10 Management Server

  • (11-A) What's New

    Show / Hide this section
    • R80.10 Security Gateway Integration
    • Automated Upgrade Procedure
    • Fast Deployment with Check Point Blink
    • Performance improvements with the new VMware NEtX SDK (NSX Manager 6.3.2 and above)
    • CloudGuard for NSX as a Tap/Monitor device

     

  • (11-B) Resolved Issues 

    Show / Hide this section

    For Known Limitations, refer to:

    R80.10  CloudGuard Gateway for NSX managed by R80.10 Management Server Known Limitations

    R80.10 Known Limitations - section "CloudGuard Controller"

    ID Symptoms
    00553212 R77.30 vSEC Gateway v4 for NSX in Hypervisor Mode supports up to 32 cluster members. 
    00784665

    Identity Awareness Blade does not support:

    • Identity Agent

     

  • (11-C) Installation Instructions

    Show / Hide this section
    1. Install R80.10 Management Server:

      1. Refer to sk111841 - Check Point R80.10

        1. Install R80.10 Security Management Server / Multi-Domain Security Management Server
        2. Install R80.10 SmartConsole for R80.10 Management Server
        3. Install R80.10 Jumbo Hotfix Take 112 or newer
        4. Enable the vSEC Controller by running the "vsec on" command
          (refer to the R80.10 vSEC Controller Administration Guide -
          chapter "Integrating with Data Center Servers" - section "Enabling the vSEC Controller")
      2. Install vSEC v5 Hotfix on R80.10 Management Server:

        Important Note: API Server must be enabled (it is by default) on R80.10 Management Server, so that vSEC Service Registration v5 Hotfix can function properly (to check the current state, run the "api status" command). 

        Important Note: Do not install VSR5 on top of VSR4. You must first uninstall VSR4 and then install VSR5. If you mistakenly installed VSR5 on top of VSR4, follow the installation recovery instructions in sk122316.

        Package CPUSE
        Online Identifier
        CPUSE
        Offline
        vSEC Service Registration v5 Hotfix
        for R80.10 Management Server
        Check_Point_R80.10_VSR5_Bundle_T36_sk114518_FULL.tgz
        (TGZ)

        Show / Hide the Notes
        1. For CPUSE Online installation instructions, refer to sk92449 - sections (4-A-a) / (4-A-b) and (4-B-a).
        2. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
        3. For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).
    2. Install R80.10 Cloudguard for NSX (Hypervisor mode):

      Package Link
      R80.10 Cloudguard for NSX - OVF package (a) (TGZ)
      R80.10 CloudGuard Gateway for NSX HF (T154) - OVF Package  (TGZ)
      R80.10 CloudGuard Gateway for NSX HF (T154) - Upgrade package (TGZ)
      Show / Hide the Notes
      1. Installation instructions appear in the Admin Guide - chapter "Configuring the Management Server" - section "Installing the vSEC Gateway OVF Files".
      2. Refer to the above section (11-E) - How to upgrade to R80.10 CloudGuard Gateway for NSX.
  • (11-D) How to upgrade to R80.10 CloudGuard Service Registration

    Show / Hide this section

    From v3/v4

    1. Uninstall the previous version of the CloudGuard Service Registration. If you have R80, upgrade to R80.10.
    2. Install the R80.10 Jumbo Hotfix Take 112 and above.
    3. Install the R80.10 CloudGuard Service Registration v5.
    4. Connect to the CloudGuard Management Server or the Multi-Domain Server with a console connection or SSH. Run: cloudguard_config (on a Multi-Domain Server run cloudguard_config on every Domain Management Server).
    5. Select VMware Configutration.
    6. Configure the CloudGuard Management Server Properties (refer to page 21 of the admin guide). 
    7. Because you are not registering this service for the first time, select n.
    8. For each NSX Service Manager that has a service registered, update the credentials. Go to Change Global Configuration > Service Manager Credentials and follow the on-screen prompts. 

    The Security Management Server with the new CloudGuard Registration Hotfix re-attaches itself to an existing deployed Gateway. All services will continue as they did before the upgrade.  

    From v2

    1. Upgrade to R80.10.
    2. Install the R80.10 Jumbo Hotfix Take 112 and above.
    3. Install the R80.10 CloudGuard Service Registration v5.
    4. Connect to the CloudGuard Management Server or the Multi-Domain Server with a console connection or SSH. Run: vsec on. 

    When performing the upgrade, the vCenter and NSX objects disable the Trusted connection. To enable the objects again, from SmartConsole, Trust the connection to reconnect the NSX and vCenter objects.

    5. On a Multi-Domain Server only:

      a. Run cloudguard_config on every Domain Management Server.

      b. Select VMware Configuration

      c. Configure the CloudGuard Management Server properties.

      d. Select n, because you are not registering this service for the first time.

    6. Run: cloudguard_config -upgrade

    On a Multi-Domain Server, run the command from the Multi-Domain Server IP address.

    The Security Management Server with the new CloudGuard registration Hotfix re-attaches itself to a gateway that has already been deployed. All services continue as they did before the upgrade.

     

  • (11-E) How to upgrade to R80.10 CloudGuard Gateway for NSX

    Show / Hide this section

    You can upgrade the "R80.10 CloudGuard Gateway for NSX" manually or via the CLI.

    Refer to CloudGuard Gateway for NSX Managed by R80.10 Platforms Administration Guide - section "Upgrading the CloudGuard Gateway for NSX" 

     

  • (11-F) Documentation

(12) Revision History

Show / Hide the revision history

Date Description
23 May 2018 Added "R80.10 CloudGuard Gateway for NSX" and relevant compatability information. 
11 July 2017 "Introduction to vSEC" section - added link to vSEC for NSX Architecture Overview
10 July 2017 Added "R77.30 vSEC Gateway v4 for NSX managed by R80.10 Management Server"
22 May 2017 Added "R77.30 vSEC Gateway v2 for NSX managed by R80.10 Management Server"
05 Apr 2017 Improved "Table of Contents"
05 Mar 2017 Clarified the "What's New" item that OVF template of "vSEC Gateway v2 for NSX" includes fixes from General Availability Take_159 of R77.30 Jumbo Hotfix Accumulator
28 Feb 2017 First release of this article.
Applies To:
  • This SK replaces sk105297, sk109576, sk111966, sk114516

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment