R80.10 CloudGuard Controller/vSEC Controller Hotfix v1 Known Limitations
Solution

This article lists all known limitations specific to the R80.10 vSEC Controller Hotfix v1.

This is a live document that may be updated without special notice. We recommend registering for our weekly updates in order to stay up to date. To register, go to UserCenter > ASSETS / INFO > My Subscriptions.

Important notes:

Table of Contents

  • General Limitations
  • vSEC Controller Server
  • vSEC Controller Hotfix
  • vSEC Controller Enforcer Hotfix
  • vSEC Central License
  • vSEC Controller Monitoring
  • Google Cloud Platform
  • Nuage Networks
  • Threat Prevention Tagging
  • VMware NSX
  • VMware vCenter
  • Cisco APIC
  • Cisco ISE
  • Public Cloud
  • Microsoft Azure
  • Amazon Web Services
  • OpenStack

ID  Symptoms
General Limitations

01372023: vSEC Controller is supported only on Gaia OS.

vSEC objects (Data Center Servers and Data Center Objects) are not supported in NAT policy.

If a Data Center Server's certificate that the user has trusted is replaced, communication with the Data Center Server fails and a log is sent.
Workaround: Open the Data Center Server object in SmartConsole and click "Test connection".

vSEC objects (Data Center objects) are not supported in Threat Prevention Exceptions (R80 SmartConsole - "SECURITY POLICIES" app - "Threat Prevention" section - "Exceptions").

01683557: Changes to the IP address of a Data Center object are enforced after approximately 30 seconds. This interval is the autoUpdateIntervalInSeconds parameter, which can be configured globally or per Data Center server type, as described in sk112855.

02500441: Integrating a Data Center server into a Domain Server that was created with an IP address previously used by a deleted Domain Server may cause vSEC Controller to malfunction.
To resolve, restart the vSEC Controller process using the vsec_controller_stop command.

01970321: vSEC objects (Data Center Servers and Data Center Objects) are not supported in:
  • Network Group objects
  • Global Domain

Upgrading to R80.10: Before upgrading the vSEC Controller Hotfix from an R80 Security Management Server / Multi-Domain Security Management Server that has the vSEC Service Registration Hotfix installed, you must first uninstall the vSEC Service Registration Hotfix. This ensures that deployed services are not impacted during the upgrade process.
Refer to "Upgrading the vSEC Controller" in the R80.10 vSEC Controller Administration Guide.

VSECC-589: Changes to the connection properties (such as credentials or URL) of existing Data Center Servers take effect (e.g., for importing objects, updating objects, etc.) only after policy is installed on all the Security Gateways that have Data Center objects from this Data Center.
Such a change followed by policy installation requires the Security Gateway to initialize all IP address mappings of Data Center objects in all enforcement sessions.

01968060: If the Identity Awareness API is either not installed on the Security Gateway, or installed but disabled, vSEC objects (Data Center Servers and Data Center Objects) are not enforced by the Security Gateway and are treated as objects without an IP address.
There is no indication in SmartConsole about the missing configuration.

02010025: Data Center objects and standard network objects are not supported in the same rule cell.

02070398: Importing a 'Data Center Object' hierarchy object that contains one of the vSEC Gateway's IP addresses might lead to service drops. Therefore, the vSEC Gateway's IP addresses must be excluded in an additional rule.

Running the fw unloadlocal command on a Security Gateway whose Security Policy includes Data Center objects disassociates the IP addresses from the Data Center objects.
To restore this information, after policy is installed run vsec_controller_cli and resend the enforcement data to the appropriate Security Gateway.

vSEC objects (Data Center objects) are not supported in Threat Prevention Exceptions that are installed on R77.20 and R77.30 vSEC Gateways (R80.10 SmartConsole - "SECURITY POLICIES" app - "Threat Prevention" section - "Exceptions").

VSECNSX-602: Unable to install VSR with vSEC Controller in a StandAlone configuration.

VSECC-448: Cluster objects (ClusterXL and 3rd party Cluster, with the exception of vSEC for NSX) must be configured with a reachable VIP as the main Cluster IP address in order to receive updates on imported Data Center objects.
vSEC Controller Server

To upgrade from an R77.30 Security Management Server with R77.30 vSEC Controller installed to an R80.10 Security Management Server, contact Check Point Support.

CPRID communication (TCP port 18208) must be allowed between the Management Server and the Security Gateway and throughout the network (use the Check Point predefined service 'FW1_CPRID'). Refer to sk52421 and open the ports used by Check Point (especially TCP port 18208).

vSEC Controller does not support overlapping or duplicate IP addresses on the same Security Gateway.

Logs for rules with Subnets, AWS Security Groups, Microsoft Azure Network Security Groups or VMware NSX Security Groups contain only the IP address, not the instance name.

Update of the vSEC Gateway with IP mappings for newly imported Data Center objects: after "Import of Data Center Objects" into the policy and policy installation, a time interval greater than or equal to the value of the enforcementUpdateIntervalTime parameter passes before the IP mappings of the new objects are communicated to the vSEC Gateway and the new rules are enforced (refer to sk112855).

Non-ASCII characters in 'Data Center Object' names might not be displayed properly in Security Logs and Events.

If a Data Center object's name includes non-English characters, enforcement works, but the name of this Data Center object does not appear in the SmartLog log.

02438266: Official VMware Tools must be installed on a VM in order for vSEC Controller to successfully poll IP addresses. Install the VMware Tools for your specific version.
For more information, refer to VMware Knowledge Base 2004754: Installing and upgrading VMware Tools in vSphere.

02413946: "Failed to update Data Center server objects on gateway" log in SmartLog on R80 vSEC Controller. Refer to sk114956.

02419442: Policy Verification for overlapping, hiding or contradicting rules that include Data Center Objects is not supported.

02419560: A policy that contains Data Center Objects is not enforced immediately after policy installation. It takes time for the vSEC Controller to update the vSEC Gateway.

02420907: Non-ASCII characters (non-English languages) in 'Data Center Server' properties (i.e., the user, password and shared secret fields) are not supported. (If an object name contains one of the above characters, enforcement will not work.)

If a Data Center Object name contains any of the following characters:
  • "{" - opening curly bracket
  • "}" - closing curly bracket
  • "[" - opening square bracket
  • "]" - closing square bracket
  • "<" - less than
  • ">" - greater than
then the Data Center Object name appears in SmartLog with "_" in place of each of these characters. For example, {Name1} appears as _Name1_.
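The substitution above is lossy: several distinct object names can map to the same SmartLog name, so log-to-object correlation can become ambiguous. The following added example (not Check Point code) reproduces the substitution and finds configured names that collide in logs; the sample names are constructed.

```python
from collections import defaultdict

# Characters that SmartLog shows as "_" in Data Center object names (the set
# listed in this article). Non-ASCII characters are a separate limitation and
# are only flagged here, because the article says such names do not appear at all.
_REPLACED = set("{}[]<>")


def smartlog_name(name: str) -> str:
    """Return the form in which a Data Center object name appears in SmartLog."""
    return "".join("_" if ch in _REPLACED else ch for ch in name)


def has_non_ascii(name: str) -> bool:
    return any(ord(ch) > 127 for ch in name)


def smartlog_collisions(names):
    """Group configured names that become identical in SmartLog.

    The substitution is lossy: "{web}", "[web]" and "<web>" all log as "_web_",
    so a log line can no longer be attributed to one object unambiguously.
    Returns {logged_name: [original names]} for groups with more than one member.
    """
    groups = defaultdict(list)
    for n in names:
        groups[smartlog_name(n)].append(n)
    return {k: v for k, v in groups.items() if len(v) > 1}


def match_log_to_objects(logged_name: str, configured_names):
    """Resolve a name seen in a SmartLog entry back to every configured object
    that could have produced it (possibly more than one)."""
    return [n for n in configured_names if smartlog_name(n) == logged_name]


# Constructed sample of Data Center object names (not taken from the article).
SAMPLE_NAMES = ["{Name1}", "[Name1]", "web-tier", "db<prod>", "Datenbank-Süd"]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        note = "  (non-ASCII: not shown in SmartLog)" if has_non_ascii(n) else ""
        print(f"{n!r:18} -> {smartlog_name(n)!r}{note}")
    print("ambiguous in logs:", smartlog_collisions(SAMPLE_NAMES))
```

Running smartlog_collisions over the real object inventory before naming conventions are settled avoids names that cannot be told apart in SmartLog.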
02462704: A Data Center object with an empty name cannot be imported into the security policy.

02457148: In the $VSECDIR/conf/vsec.conf configuration file (sk112855), there is no verification of a minimal value for the enforcementSessionTimeoutInMinutes parameter.

02459679: The $VSECDIR/conf/vsec.conf configuration file (sk112855) is not synchronized in Management HA and must be edited on both Management Servers separately.

02468654: In a Multi-Domain Security Management Server environment, the VSX Gateway / VSX Cluster and all Virtual Systems that enforce a policy with Data Center objects must reside on the same Domain Management Server.

02499863: For MDS HA managing a VSX gateway, a domain server must be deployed on all MDS servers that manage the VSX gateway on which imported data center objects are installed.
Note: This instruction applies to the VSX object. It is not mandatory for the virtual systems.

02500446: The first policy installation on a VS Cluster should not include Data Center Objects.
Note: If this cannot be achieved, a full sync must be run on the cluster by running the following on the standby member:
  1. fw ctl setsync off
  2. fw ctl setsync start
vSEC Controller Hotfix

Before uninstalling the vSEC Controller Hotfix from an R80 Security Management Server / Multi-Domain Security Management Server with the vSEC Service Registration Hotfix installed, you must first uninstall the vSEC Service Registration Hotfix.

Data Center objects imported into a policy are no longer enforced or updated after the vSEC Controller hotfix is uninstalled. It is recommended to remove all imported Data Center objects from the policy before uninstalling this hotfix.

01372023: vSEC Controller Hotfix is supported only on Gaia OS.

01372023: vSEC Service Registration Hotfix is supported only on Gaia OS.
vSEC Controller Enforcer Hotfix

To enforce a security policy with imported Data Center objects, the following conditions must be met on every vSEC Gateway on which such a policy is installed:
  • vSEC Controller Enforcer Hotfix must be installed
  • Identity Awareness blade must be activated with Terminal Servers authentication
The R80 vSEC Controller v2 Administration Guide describes the procedure for enabling this functionality.

01968060: If the Identity Awareness API is either not installed on the Security Gateway, or installed but disabled, vSEC objects (Data Center Servers and Data Center Objects) are not enforced by the Security Gateway and are treated as objects without an IP address. There is no indication in SmartConsole about the missing configuration.

01965783: If a Security Gateway works with vSEC Controller and other Identity Sources, IP addresses belonging to Data Center objects must not also be associated with Machines in other Identity Sources. Such an overlap can result in disassociation of the IP addresses from either the Data Center object or Access Roles with such Machines, and in improper Security Policy enforcement.
Note: In R80.10, getTypePriority exists only for machine sessions.
The priorities are ("1" is the highest priority and "4" is the lowest):
  1. VPN
  2. Identity agent / TS agent
  3. RADIUS accounting, IDA API, captive portal, Identity Collector
  4. AD Query

02010025: Data Center objects and standard network objects are not supported in the same rule cell.

PMTR-26157: On 41k/61k VSX gateways, CloudGuard objects are not supported.
vSEC Central License

PMTR-3953: Only one type of license is supported. If there is more than one license package (NGX, NGTP, DLP), the first license that was added to the account creates the default pool. Only licenses of this type are distributed.

PMTR-3955: The gateway must have a policy installed to receive the license. A gateway without a policy does not receive a license.

PMTR-3956: An update to a gateway's vCore count takes effect one day after the change was made. The update can be expedited by initiating a policy installation, or by running distribution from the vsec_lic_cli menu.

PMTR-3957: Operations from SmartUpdate, such as attach/detach, are ignored by this feature. Do not use any such operation on vSEC licenses after starting this feature.

PMTR-3952: In MDS HA system mode, every vsec_lic_cli operation that runs on one MDS requires that 'Run license distribution' be entered on the other MDS (from the vsec_lic_cli menu).

PMTR-3949: Evaluation licenses are not distributed.

PMTR-3948: The tool can work in one of the following modes: system mode or domain mode. Do not use both at the same time. If there is a need to change the mode, all vSEC licenses must be deleted from the management (using vsec_lic_cli) prior to the change. (Refer to the R80.10 vSEC Controller v1 Administration Guide for more information on the two modes.)

PMTR-3947: When the core usage report is generated, time periods in which the management was down are counted as if the gateway was down.

PMTR-3950: This tool does not support the distribution of licenses to vSEC for NSX gateways. (Refer to the vSEC Gateway for NSX Managed by R80.10 Platforms Administration Guide for details on how to license it.)

To use the tool in system mode, the management server must have connectivity to the Internet. Make sure that the DNS and proxy are configured correctly (each domain must configure its own proxy).

MDS system mode requires a license whose IP address has not been changed more times than the maximum allowed by UserCenter. If your license has had its IP address changed that many times, contact your sales representative.

VSECC-544: The vSEC Central License Management Utility is not able to give a license to another StandAlone machine, i.e., to the Secondary Full HA cluster member. On the Secondary Full HA cluster member, a separate non-central license generated for the IP address of that member must be installed.

VSECC-557: On an MDS server, the license report with vSEC Central License data can be viewed from the relevant context only: in domain mode from the domain, and in system mode from the MDS level only. The other license report is empty in the vSEC licenses page.
vSEC Controller Monitoring

After executing any of the commands reboot, cprestart, or vsec off, Data Centers that have no imported objects do not automatically show in the Data Center table.
To see these Data Centers in the table, open each Data Center individually in SmartConsole.

PMTR-3946: Data Centers that have no imported objects do not appear in the Data Center table after the vsec off command is run.

VSECC-346: Problems in a Data Center do not always change the status of the Security Management Server in SmartConsole.
Workaround: Open the Device & License Information window to see the real status and update the status in SmartConsole.

VSECC-546: In Full HA mode, monitoring via SmartView is unavailable.
Workaround: Perform monitoring via cpstat.

VSECC-461: SmartView Monitor (legacy GUI) is not supported for viewing vSEC data and status.
Google Cloud Platform

PMTR-3789: IP addresses for Tags objects are not displayed in SmartConsole.

The time on the Gaia OS must be synchronized with the current time. Otherwise, polling of information from Google Cloud Platform might fail.

Nuage Networks

Virtual IPs and Floating IPs are currently not supported.

vPorts of the Container and Host are currently not supported.

Threat Prevention Tagging

Security Tag names must contain only alphanumeric characters. Otherwise, Threat Prevention Tagging does not work.

The IP address of a vSEC Gateway for NSX that is configured in SmartConsole must be the same IP address assigned to interface eth0.

Threat Prevention Tagging is disabled when the Security Tag is removed. No log is sent in such a case.

VMware NSX

VMware NSX object - IP Set objects with ranges or CIDR block notation are not supported. IP Set objects representing one or more individual IP addresses are supported.

Official VMware Tools must be installed on a VM in order for vSEC Controller to successfully poll IP addresses. Install the VMware Tools for your specific version. For more information, refer to VMware Knowledge Base 2004754: Installing and upgrading VMware Tools in vSphere.

VMware vCenter

02070398: Importing a 'Data Center Object' hierarchy object that contains one of the vSEC Gateway's IP addresses might lead to service drops. Therefore, the vSEC Gateway's IP addresses must be excluded in an additional rule.
Cisco APIC

Cisco APIC object - L3 External EPG objects are not supported.

vSEC for Cisco ACI controller IP address mapping and updates are based on the ACI fabric's IP learning capabilities, which require unicast routing to be enabled on the Bridge Domain containing the EPG.

Cisco APIC versions lower than 2.1: The Cisco ACI fabric does not age out individual endpoint IP address mappings as long as one of the IP addresses responds to keep-alive ARP Requests from the fabric. As a result, these stale IP addresses are also learned by the vSEC Controller.

Supported fabric size: the total number of all the following objects must not exceed 100,000:
  • Tenants
  • Application Profiles
  • EPGs
  • IP addresses

APIC HTTP URLs that redirect to HTTPS are not supported. Use either HTTPS URLs directly, or HTTP without redirection.

Mixing HTTP and HTTPS APIC URLs in the connection properties is not supported.

When multiple APIC URLs are specified, the connectivity test succeeds as long as one of the URLs connects. There is no initial verification of all the URLs.

On failure to connect to all the given APIC URLs, the returned error message is for the first unsuccessful URL.

Changes to the privileges of the APIC user that was used to create the Data Center object are not reflected during an active login session. For example, if a new security domain that allows the user to see a new tenant is added to the user, the new tenant is not visible to the APIC scanner.
Workaround: Run the vsec_controller_stop command on the vSEC Controller to restart the vSEC Controller services and force a new login.

If an object imported from Cisco APIC is deleted on the APIC and then created again, the object must be re-imported into the Check Point Policy. Enforcement works properly once the object has been recreated in APIC; however, the re-import is required to maintain updates for the object in the Security Management Server.

Only the following TLS cipher suites are supported for APIC HTTPS connectivity:
  • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA256
Cisco ISE

Only polling mechanisms are supported for object updates.

Up to 10 concurrent connections are supported. This may cause intermittent failures to refresh IP information in an MDM environment where many domains use the ISE controller.

Overall performance of IP-to-SGT mapping retrieval degrades as the number of IPs grows.

Filtering IP-to-SGT mappings by SG name uses a wildcard ('*SG_NAME*') search, so incorrect IPs may be returned if two SGs have overlapping names (one is contained in the other).

With many IP-to-SGT mappings, SmartConsole may display a "General error occurred" message when attempting to import objects before the initial download of objects (a.k.a. "first scan") has completed.
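The wildcard limitation above means a Security Group object named "Web" can silently pick up the IPs of "Web_DMZ" and "Internal_Web". The added example below (not Check Point or Cisco code) reproduces the substring search over constructed IP-to-SGT mappings, shows which IPs the wildcard returns that an exact match would not, and lists the SG names that are at risk; case-sensitive matching is an assumption made for the example.

```python
from ipaddress import ip_address

# Constructed IP-to-SGT mappings as (ip, sgt_name); sample data, not from an ISE.
SAMPLE_MAPPINGS = [
    ("10.1.0.10", "Web"),
    ("10.1.0.11", "Web"),
    ("10.2.0.20", "Web_DMZ"),        # name contains "Web"
    ("10.3.0.30", "Internal_Web"),   # name contains "Web"
    ("10.4.0.40", "DB"),
]


def wildcard_filter(mappings, sg_name):
    """Mimic the '*SG_NAME*' search: every SGT whose name contains sg_name."""
    return [ip for ip, sgt in mappings if sg_name in sgt]


def exact_filter(mappings, sg_name):
    """Post-filter on the exact SGT name, which is what the policy object means."""
    return [ip for ip, sgt in mappings if sgt == sg_name]


def overreach(mappings, sg_name):
    """IPs the wildcard search returns that do not belong to sg_name at all."""
    extra = set(wildcard_filter(mappings, sg_name)) - set(exact_filter(mappings, sg_name))
    return sorted(extra, key=ip_address)


def overlapping_sg_names(mappings):
    """SGT names that are substrings of other SGT names: the ones at risk."""
    names = {sgt for _, sgt in mappings}
    return sorted(n for n in names if any(n != o and n in o for o in names))


if __name__ == "__main__":
    print("wildcard: ", wildcard_filter(SAMPLE_MAPPINGS, "Web"))
    print("exact:    ", exact_filter(SAMPLE_MAPPINGS, "Web"))
    print("overreach:", overreach(SAMPLE_MAPPINGS, "Web"))
    print("at risk:  ", overlapping_sg_names(SAMPLE_MAPPINGS))
```

Running overlapping_sg_names against an export of the ISE SGT names tells you in advance which groups a rule cannot rely on until they are renamed to non-overlapping names.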
Public Cloud

02472202: IPv6 information is not imported for Data Center Objects in Public Cloud. vSEC Gateways in Public Cloud do not support IPv6.

VSX mode is not supported on an R77.30 Gateway installed on Amazon Web Services or on Microsoft Azure.

Data Center Tags:
  • Tag keys and values longer than 100 characters are truncated to the first 100 characters and "..." is appended to the end of the tag.
  • In Microsoft Azure, Tag keys are case-insensitive, whereas Tag values are case-sensitive. In vSEC Controller, both Tag key and Tag value are treated as case-sensitive, meaning the same key/value in different cases is shown on two separate lines in SmartConsole.
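Both tag limitations above can make distinct tags look identical, or identical tags look distinct, in SmartConsole. The added example below (not Check Point code) models the truncation rule and the case handling and reports the tags in a constructed inventory that would be affected.

```python
from collections import defaultdict

MAX_TAG_LEN = 100  # per the article: longer keys and values are cut and "..." appended


def as_shown_in_vsec(text: str) -> str:
    """Return a tag key or value the way the vSEC Controller displays it."""
    return text if len(text) <= MAX_TAG_LEN else text[:MAX_TAG_LEN] + "..."


def azure_case_duplicates(tags):
    """Azure compares tag keys case-insensitively; vSEC Controller does not.
    Return the keys that differ only in case and therefore appear as separate
    lines in SmartConsole, as {casefolded_key: [variants seen]}."""
    groups = defaultdict(set)
    for key, _ in tags:
        groups[key.casefold()].add(key)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def truncation_collisions(tags):
    """Distinct (key, value) pairs that become indistinguishable once both parts
    are truncated, so a rule written against one would also show for the other."""
    groups = defaultdict(set)
    for key, value in tags:
        groups[(as_shown_in_vsec(key), as_shown_in_vsec(value))].add((key, value))
    return [sorted(v) for v in groups.values() if len(v) > 1]


# Constructed sample of tags collected from several VMs (not from the article).
SAMPLE_TAGS = [
    ("Environment", "prod"),
    ("environment", "prod"),                 # same key in Azure, two lines in vSEC
    ("role", "x" * MAX_TAG_LEN + "-blue"),   # differ only past character 100
    ("role", "x" * MAX_TAG_LEN + "-green"),
    ("owner", "team-a"),
]

if __name__ == "__main__":
    print("case variants:", azure_case_duplicates(SAMPLE_TAGS))
    for group in truncation_collisions(SAMPLE_TAGS):
        shown = as_shown_in_vsec(group[0][1])
        print(f"shown identically as {shown!r}:", [v for _, v in group])
```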
Microsoft Azure

PMTR-3938: vSEC Controller for Microsoft Azure no longer retrieves Load Balancer IP addresses for Virtual Machine Scale Set objects.

PMTR-3808: Public IP addresses for virtual machines in Virtual Machine Scale Sets are retrieved only for the AzureCloud environment.

The Resource Group object name displayed in vSEC Controller might differ (in terms of lower/upper case) from the name displayed in the Microsoft Azure Portal.

Amazon Web Services

The time on the Gaia OS must be synchronized with the current time. Otherwise, polling of information from AWS might fail.

The region name that was selected in the "Create New AWS Server" view might appear as the region code name in the import view.

The value of the AWS Tag "Name" that appears as part of the object's name is truncated after the first 100 characters.

OpenStack

02462845: OpenStack HTTPS authentication uses tokens that expire according to the OpenStack configuration. Upon token expiration, a new HTTPS session is created, and a log indicating authentication failure is sent.