Note: In R80.40, the Controller is already installed and starts automatically, so no user action is required. It works out of the box.
What's New in R80 vSEC Controller v2
- Support for vSEC Controller in Amazon Web Services (AWS)
- Support for vSEC Controller in Microsoft Azure
- Support for vSEC Controller in OpenStack
- Support for Threat Prevention Tagging in vSEC Gateway for VMware NSX
- Support for vSEC Controller in R80 Multi-Domain Security Management Server
Resolved Issues
Note: For Known Limitations, refer to R80 vSEC Controller v2 Known Limitations.
ID | Symptoms
vSEC Controller
02201301 | Data Center objects may not be enforced on vSEC Gateway, if Data Center objects are used in both Access policy and Threat Prevention policy, and only one of these policies is installed. Refer to sk112616.
vSEC Controller Hotfix
- | Reinstalling of vSEC Controller Hotfix is not supported from CPUSE. Follow these steps to reinstall the vSEC Controller Hotfix:
  - Uninstall the vSEC Controller Hotfix
  - Reboot the vSEC Controller
  - Install the vSEC Controller Hotfix again
  - Reboot the vSEC Controller
Threat Prevention
- | vSEC Threat Prevention Tagging is not supported.
Introduction to vSEC Controller
This section describes the R80 vSEC Controller v2 components.
Component | Description

Mandatory: R80 vSEC Controller v2 Hotfix and R80 vSEC Controller v2 Enforcer Hotfix and R80 SmartConsole |

R80 vSEC Controller v2 Hotfix must be installed on R80 Security Management Server / Multi-Domain Security Management Server (which makes it a vSEC Controller server) in order to fetch Data Center objects from VMware NSX / VMware vCenter, Cisco APIC, Amazon Web Services (AWS), Microsoft Azure and OpenStack, and use them in Check Point policy.
R80 Security Management Server / Multi-Domain Security Management Server with installed R80 vSEC Controller v2 Hotfix is able:
- to fetch Data Center objects from VMware NSX / VMware vCenter, Cisco APIC, Amazon Web Services (AWS), Microsoft Azure and OpenStack.
- to manage the following Security Gateways only:
  - Security Gateways R77.30 and R77.20 only, with installed R80 vSEC Controller v2 Enforcer Hotfix, whose policy contains Data Center objects
  - Security Gateways R75.20 and higher, whose policy must not contain any Data Center objects

R80 vSEC Controller v2 Enforcer Hotfix must be installed on Check Point Security Gateway to turn it into vSEC Gateway and accept a policy that contains Data Center objects from the vSEC Controller.

SmartConsole is the graphical UI for controlling and configuring the Check Point Management Server and its managed Check Point Security Gateways. The improved R80 SmartConsole for R80 vSEC Controller server allows the administrator to create and work with Data Center objects.

Optional: R80 vSEC Service Registration v2 Hotfix |

This package installs modules on Check Point vSEC Controller server that are required by VMware NSX / Cisco ACI.
R80 vSEC Controller v2 with installed R80 vSEC Service Registration v2 Hotfix is able:
- to deploy Check Point service in Hypervisor Mode to VMware NSX (using OVF), and to Cisco ACI.
- to manage vSEC Gateways for VMware NSX in Hypervisor Mode (sk114518).
- to manage vSEC Gateways for Cisco ACI (sk111969).
Refer to the following illustration:

Installation Instructions
- Install R80 vSEC Controller v2:
  - Install Take_132 of Check Point R80 (which includes Take_76 of R80 Jumbo Hotfix Accumulator).
  - Install R80 vSEC Controller v2 Hotfix on R80 Security Management Server / Multi-Domain Security Management Server:
  - Install R80 SmartConsole for R80 vSEC Controller v2:
- Install Security Gateway and R80 vSEC Controller v2 Enforcer Hotfix:
  - Install Security Gateway R77.20 / R77.30 with Jumbo Hotfix Accumulator for R77.20 / R77.30:
    Note: Installation of Jumbo Hotfix Accumulator for R77.20 / R77.30 is recommended, but not mandatory.
  - Install R80 vSEC Controller v2 Enforcer Hotfix on Security Gateway R77.20 / R77.30:
    Notes:
    - This package of vSEC Controller v2 Enforcer Hotfix for Security Gateway R77.30 can be installed:
      - either on top of R77.30 GA,
      - or on top of Take_185 (and higher) of R77.30 Jumbo Hotfix Accumulator
      (otherwise, the installation of the vSEC Controller v2 Enforcer Hotfix would fail)
    - This package of vSEC Controller v2 Enforcer Hotfix for Security Gateway R77.20 can be installed:
      - on top of R77.20 GA,
      - or on top of Take_99 (and higher) of R77.20 Jumbo Hotfix Accumulator
      (otherwise, the installation of the vSEC Controller v2 Enforcer Hotfix would fail)
    - For CPUSE Online installation instructions, refer to sk92449 - sections (4-A-a) / (4-A-b) and (4-B-a).
    - Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
    - For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).
    - Legacy CLI installation instructions:
      - Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).
      - Unpack and install the hotfix package:
          [Expert@HostName:0]# cd /some_path_to_fix/
          [Expert@HostName:0]# tar -zxvf Check_Point_<Version>_vSEC_Controller_Enforcer_Hotfix_Gaia_sk115772.tgz
          [Expert@HostName:0]# ./fw1_wrapper_<HOTFIX_NAME>
        Note: The script will stop all Check Point services (cpstop) - read the output on the screen.
      - Reboot the machine.
    - On Security Gateway R77.20, only Legacy CLI installation is supported.
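
A pre-flight audit of the rules above, as an added example that is not Check Point code: it checks a constructed gateway inventory against the manageable-gateway rule from the component description and against the Jumbo take and install-method notes in this section. The inventory format, the host names and all function names are assumptions; the values are typed in by the operator and nothing is queried from a live system.

```sh
#!/bin/sh
# Added example, not Check Point code. Encodes only the rules stated on this page.
# ver_num R77.30 -> 7730, R76 -> 7600, so versions compare numerically
ver_num() {
    v=${1#R}
    case "$v" in *.*) echo $(( ${v%%.*} * 100 + ${v#*.} )) ;; *) echo $(( v * 100 )) ;; esac
}

# audit_gateway NAME VERSION JUMBO_TAKE(0 = GA) ENFORCER(yes|no) DC_OBJECTS(yes|no)
audit_gateway() {
    name=$1 ver=$2 take=$3 enforcer=$4 dc=$5
    if [ "$(ver_num "$ver")" -lt 7520 ]; then
        echo "$name: FAIL $ver is below R75.20"; return 1
    fi
    [ "$dc" = yes ] || { echo "$name: OK no Data Center objects in policy"; return 0; }
    case "$ver" in
        R77.30) min=185 how="CPUSE or Legacy CLI" ;;
        R77.20) min=99 how="Legacy CLI only" ;;
        *) echo "$name: FAIL $ver policy must not contain Data Center objects"; return 1 ;;
    esac
    [ "$enforcer" = yes ] && { echo "$name: OK Enforcer Hotfix present"; return 0; }
    if [ "$take" -ne 0 ] && [ "$take" -lt "$min" ]; then
        echo "$name: FAIL Enforcer Hotfix missing; install would fail on Take_$take (< Take_$min)"
        return 1
    fi
    echo "$name: FAIL Enforcer Hotfix missing; install via $how"; return 1
}

# audit_inventory: reads inventory on stdin, prints one verdict per gateway, returns the failure count
audit_inventory() {
    fails=0
    while read -r n v t e d; do
        [ -n "$n" ] || continue
        audit_gateway "$n" "$v" "$t" "$e" "$d" || fails=$((fails + 1))
    done
    return "$fails"
}

# Constructed sample inventory: name version jumbo_take enforcer dc_objects
sample_inventory() {
    cat <<'EOF'
gw-a R77.30 185 yes yes
gw-b R77.30 143 no  yes
gw-c R77.20 0   no  yes
gw-d R76    0   no  yes
gw-e R75.40 0   no  no
gw-f R75.10 0   no  no
EOF
}
sample_inventory | audit_inventory || echo "$? gateway(s) need attention"
```

Run it before a policy install: any FAIL line marks a gateway that would receive Data Center objects it cannot accept, or that falls outside the versions this Controller manages.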
Documentation
Product | Link
R80 vSEC Controller v2 |
vSEC for NSX |