VMware Tools is not supported on SecurePlatform, because VMware Tools opens host-to-guest channels (file sharing, command passing, clipboard) that circumvent SecurePlatform and other Check Point security controls. This represents a potential security risk. If you create and configure your virtual machines correctly, including the disk size, memory and display properties, you do not need VMware Tools.
If you are not using Check Point's VPN-1 VE image (certified by VMware and published through the VMware Marketplace), configure your SecurePlatform virtual machine with "Red Hat Enterprise Linux 5 (64-bit)" as the guest operating system. This optimizes the virtual hardware that VMware presents to the guest.
On a Linux guest, VMware Tools provides the following functionality:
- Enhanced driver support:
  - Enhanced mouse support (also part of the VMware Tools user process).
  - Enhanced SVGA support (also part of the VMware Tools user process).
  - Updated vmnet driver.
  - Updated BusLogic driver.
  - Shared folders kernel module.
- VMware Tools user process:
  - Copy/paste between the guest and the host.
  - Drag and drop file support.
- VMware Tools services:
  - Passing commands between the host and the guest.
  - Scripting input to the guest.
  - Time synchronization between the guest and the host. This mitigates the non-linear nature of clock timing in virtual environments and provides synthetic time management.
  - Memory management (garbage collection).
Why you do not need VMware Tools for a SecurePlatform virtual machine:
- Enhanced driver support is irrelevant. The SecurePlatform console has command-line functionality only and does not need mouse support.
- Since there is no GUI, SVGA drivers are unnecessary.
- VPN-1 VE and RHEL 5 (64-bit) guest definitions are automatically assigned the Intel PRO/1000 virtual NIC, so the updated vmnet driver is not required.
- Check Point tested the SCSI driver included with SecurePlatform. There is no appreciable benefit to replacing this driver.
- Shared folder and drag and drop file support can circumvent SecurePlatform controls. This represents a potential security risk.
- Passing commands between the host and guest can circumvent SecurePlatform controls. This represents a potential security risk.
- Script input to the guest can circumvent SecurePlatform controls. This represents a potential security risk.
- You can provide effective clock synchronization between SecurePlatform virtual machines by using common external time sources, preferably multiple NTP servers. Synchronizing to the host instead increases the risk of SIC corruption (SIC trust is certificate-based and therefore sensitive to clock skew), loss of event time-stamp integrity in the logs, and loss of security environment management capability.
- The memory management (garbage collection) feature uses memory over-commitment to share memory efficiently between virtual machines. A well-configured SecurePlatform virtual machine does not require this functionality, because you can pre-allocate (reserve) and prioritize memory on a per-virtual-machine basis. Read the following article for a discussion of VMware memory management issues.
- Overall, VMware Tools features provide an attack vector from the host into the guest virtual machine, thereby weakening the security of the gateway.
Check Point released its next-generation unified operating system (called "Gaia") with R75.40.
Gaia includes a pre-installed implementation of the VMware Tools package, including the following kernel modules: vmhgfs, vmci, vmblock, vmmemctl and vmsync. Because the tools are bundled with the guest OS rather than installed from vSphere, a Gaia-based virtual machine's VMware Tools status appears as "unmanaged" in the vSphere client.
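Since the article's objection to VMware Tools is the host-to-guest file paths it opens (shared folders, drag and drop), the practical check on a Gaia or other Linux guest is which of the bundled modules are actually loaded. The following script is an added example, not Check Point's or VMware's code: it parses `/proc/modules` (or a supplied file), recognises the five module names the article lists, and flags the ones that provide a file-transfer path into the guest. The risky/review/ok classification is this example's own policy derived from the article's risk list, and the module listing used when no live `/proc/modules` is available is constructed sample data.

```shell
#!/bin/sh
# Added example (not part of the Check Point article): audit which VMware Tools
# kernel modules are loaded in a Linux guest and flag the ones that give the
# hypervisor side a file-transfer path into the guest.
# Module names come from the article: vmhgfs vmci vmblock vmmemctl vmsync.
# The risky/review/ok split is this example's own policy, assumed for illustration.

# classify_module NAME -> prints "risky|review|ok: description" for known
# VMware Tools modules; returns 1 for any other module so callers can skip it.
classify_module() {
  case "$1" in
    vmhgfs)   echo "risky: shared folders (host can read and write guest paths)" ;;
    vmblock)  echo "risky: drag-and-drop file transfer into the guest" ;;
    vmci)     echo "review: host-guest communication channel" ;;
    vmmemctl) echo "ok: memory balloon driver" ;;
    vmsync)   echo "ok: filesystem quiesce for snapshots" ;;
    *)        return 1 ;;
  esac
}

# audit_modules [FILE] -> one line per recognised module, in /proc/modules order.
# FILE defaults to /proc/modules so the function works on a live guest.
audit_modules() {
  file="${1:-/proc/modules}"
  while read -r name _rest; do
    desc=$(classify_module "$name") || continue
    printf '%-9s %s\n' "$name" "$desc"
  done < "$file"
}

# risky_modules [FILE] -> space-separated names of loaded modules classified as
# risky (empty output if none). Exit status is always 0.
risky_modules() {
  audit_modules "$1" | awk '$2 == "risky:" { printf "%s%s", (n++ ? " " : ""), $1 }'
  echo
}

# sample_modules_file -> path to a constructed /proc/modules excerpt standing in
# for a Gaia guest with the bundled drivers loaded (sample data, not captured).
sample_modules_file() {
  f=$(mktemp) || return 1
  cat > "$f" <<'EOF'
vmhgfs 45056 0 - Live 0xffffffffa0120000
vmsync 16384 0 - Live 0xffffffffa0110000
vmci 65536 1 vmhgfs, Live 0xffffffffa00f0000
vmmemctl 20480 0 - Live 0xffffffffa00e0000
e1000 139264 0 - Live 0xffffffffa00a0000
ext3 221184 2 - Live 0xffffffffa0010000
EOF
  echo "$f"
}

# main [FILE]: print the audit and return 1 if any risky module is loaded, so the
# script can serve as a pass/fail check in a hardening run.
main() {
  audit_modules "$1"
  risky=$(risky_modules "$1")
  if [ -n "$risky" ]; then
    echo "WARNING: risky VMware Tools module(s) loaded: $risky" >&2
    return 1
  fi
  return 0
}

# Usage: sh vmtools_audit.sh audit [FILE]   (FILE defaults to /proc/modules)
if [ "${1:-}" = "audit" ]; then
  shift
  main "$@"
fi
```

On the constructed sample the audit reports vmhgfs as risky and vmblock as absent, so the run fails; on a SecurePlatform guest built as the article recommends, none of the five names should appear at all.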
- VMXNET3 is supported by Security Gateway VE in Network mode:
- Starting from R77 it is included in the OVF Template only.
- Starting from R77.30 it is included in the ISO and in the OVF Template.
- VMXNET is not supported.