Data Center objects may not be enforced on vSEC Gateway, if Data Center objects are used in both Access policy and Threat Prevention policy, and only one of these policies is installed. Refer to sk112616.
vSEC Controller Hotfix
-
Reinstalling of vSEC Controller Hotfix is not supported from CPUSE.
Follow these steps to reinstall the vSEC Controller Hotfix:
Uninstall the vSEC Controller Hotfix
Reboot the vSEC Controller
Install the vSEC Controller Hotfix again
Reboot the vSEC Controller
Threat Prevention
-
vSEC Threat Prevention Tagging is not supported.
Introduction to vSEC Controller
This section describes the R80 vSEC Controller v2 components.
Component
Description
Mandatory:
R80 vSEC Controller v2 Hotfix
and
R80 vSEC Controller v2 Enforcer Hotfix
and
R80 SmartConsole
R80 vSEC Controller v2 Hotfix must be installed on R80 Security Management Server / Multi-Domain Security Management Server (which makes it a vSEC Controller server) in order to fetch Data Center objects from VMware NSX / VMware vCenter, Cisco APIC, Amazon Web Services (AWS), Microsoft Azure and OpenStack, and use them in Check Point policy.
R80 Security Management Server / Multi-Domain Security Management Server with installed R80 vSEC Controller v2 Hotfix is able:
to fetch Data Center objects from VMware NSX / VMware vCenter, Cisco APIC, Amazon Web Services (AWS), Microsoft Azure and OpenStack.
to manage the following Security Gateways only:
Security Gateways R77.30 and R77.20 only, with installed R80 vSEC Controller v2 Enforcer Hotfix, whose policy contains Data Center objects
Security Gateways R75.20 and higher, whose policy must not contain any Data Center objects
R80 vSEC Controller v2 Enforcer Hotfix must be installed on Check Point Security Gateway to turn it into vSEC Gateway and accept a policy that contains Data Center objects from the vSEC Controller.
SmartConsole is the graphical UI for controlling and configuring the Check Point Management Server and its managed Check Point Security Gateways. The improved R80 SmartConsole for R80 vSEC Controller server allows the administrator to create and work with Data Center objects.
Optional:
R80 vSEC Service Registration v2 Hotfix
This package installs modules on Check Point vSEC Controller server that are required by VMware NSX / Cisco ACI.
R80 vSEC Controller v2 with installed R80 vSEC Service Registration v2 Hotfix is able:
to deploy Check Point service in Hypervisor Mode to VMware NSX (using OVF), and to Cisco ACI.
to manage vSEC Gateways for VMware NSX in Hypervisor Mode (sk114518).
Install R80 vSEC Controller v2 Hotfix on R80 Security Management Server / Multi-Domain Security Management Server:
Package
CPUSE Online Identifier (a)
CPUSE Offline (b,c)
vSEC Controller Hotfix for R80 Security Management Server and Multi-Domain Security Management Server deployed in VMWare ESX, OpenStack, KVM; or installed on a physical machine
vSEC Controller Hotfix for R80 Security Management Server and Multi-Domain Security Management Server deployed in Amazon Web Services (AWS), or Microsoft Azure
Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).
Unpack and install the hotfix package: [Expert@HostName:0]# cd /some_path_to_fix/ [Expert@HostName:0]# tar -zxvf Check_Point_<Version>_vSEC_Controller_Enforcer_Hotfix_Gaia_ sk115772.tgz [Expert@HostName:0]# ./fw1_wrapper_<HOTFIX_NAME> Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
Reboot the machine.
On Security Gateway R77.20, only Legacy CLI installation is supported.
"Installation Instructions" section - improved the description of the existing "R80 vSEC Controller v2 Hotfix" that it is intended for R80 Management Server deployed in VMWare ESX, Cisco ACI, OpenStack, or installed on a physical machine
"Installation Instructions" section - added additional "R80 vSEC Controller v2 Hotfix" that is intended for R80 Management Server deployed in Amazon Web Services (AWS), or Microsoft Azure
