Cloudguard For NSX: Administration Guide

28 October
2019
CLOUDGUARD FOR NSX
Administration Guide
[Classification: Restricted]
Table of Contents
Table of Contents
Terms 5
Introduction to CloudGuard 8
Basic Deployment with Hypervisor mode 8
ESXi Host Security Considerations 9
Requirements for VMware Tools 9
Workflow for Upgrading and Installing CloudGuard 10
Upgrading and Installing CloudGuard 10
Step 1: Installing the CloudGuard Service Registration Hotfix on the Management Server 10
Step 2: Upgrading the CloudGuard Service Registration Hotfix 11
Upgrading from v5 or v6 11
Using CPUSE to Install the Management Server Hotfix 11
Uninstalling the Hotfix 12
Step 3: Upgrading the CloudGuard Gateway for NSX 12
Upgrading the CloudGuard Gateway with the CLI 13
Upgrading the CloudGuard Gateway Manually 15
Step 4: Configuring the VMware Components 15
Adding the vCenter IP Address to the Runtime Settings 15
Preparing the ESXi Cluster for CloudGuard Service Deployment 16
Adding an ESXi to an ESXi Cluster 16
Configuring Agent VM Host Settings 16
Removing an ESXi Server from an ESXi Cluster 17
NSX Grouping Objects 17
Creating a Security Group 17
Creating a CloudGuard Gateway IP Address Pool 18
Creating an IP Set 18
vMotion 19
Step 5: Providing the URL OVF Path 20
Use Case - Manually Selecting the OVF File Location 20
Step 6: Configuring the Management Server 21
Configuring the Security Management Server or Multi-Domain Server Properties 22
CloudGuard for NSX Administration Guide | 2

Table of Contents
Step 7: Registering a New CloudGuard Gateway Service 23

Configuring Tap/Monitor Mode 25
Configuring IPv6 Support 25
Changing the Failure Policy 26
Automatic Provisioning of CloudGuard Objects 26
Uninstalling the CloudGuard Gateway Service 27
Management High Availability Failover 28
Step 8: Deploying and Configuring CloudGuard Security Gateway for NSX 30
Deploying CloudGuard Gateway 30
Deploying the Service 30
Configuring NSX to Redirect Traffic to the CloudGuard Gateway 31
Creating Security Policy 32
Excluding Virtual Machines from Distributed Firewall Protection 32
Preventing Traffic Redirection to the CloudGuard Service 33
NSX IP Mappings for Virtual Machines 34
Manually Creating CloudGuard Cluster Objects 34
Multi-Tenancy Support 36
Manual Activation of the CloudGuard Gateway 37
Configuring Threat Prevention for CloudGuard 38
Configuring Identity Awareness in CloudGuard 38
Configuring Application Control Policy 38
Configuring Anti-Virus Policy 39
Configuring Threat Emulation 39
Configuring HTTPS Inspection 39
Licensing CloudGuard Gateway for NSX 40
Troubleshooting and Best Practices 41
Service Registration: Not connected to a known vCenter 41
Service Registration: Failed to Create Service 41
Service Registration: Failed to Locate OVF File 42
Service Deployment Failure 42
Cannot Call Security Solution 42
Agent VM on Host is Expected to be Powered On 43
Agent VM is Missing on Host 44

Table of Contents
Agent VM Settings on Host are Missing 44

Automatic Provisioning Failed to Create Management Network Objects 45

Terms
Terms
CloudGuard
Provisions SDDC services as Virtual Data Centers that provide virtualized computer networking, storage,
and security.
CloudGuard Gateway
Check Point Virtual Security Gateway that protects dynamic virtual environments with policy enforcement.
CloudGuard Gateway inspects traffic between Virtual Machines to enforce security, without changing the
Virtual Network topology.
Data Center
Virtual centralized repository, or a group of physical networked hosts, Virtual Machines, and datastores.
They are collected in a group for secured remote storage, management, and distribution of data.
DRS
Data Resource Scheduler. Monitors resource use across resource pools and allocates resources between
Virtual Machines to maximize throughput.
ESXi
A VMware physical hypervisor server that hosts one or more Virtual Machines and other virtual objects. All
references to ESX are also relevant for ESXi unless specifically noted otherwise. Trademark of VMware,
Inc.
Management Server
A Check Point Security Management Server or a Multi-Domain Server.
NSX Manager
Basic network and security functionality for virtual computer environments. A VMware product family for
SDN of Virtual Machines on the cloud (previously known as vShield). Trademark of VMware, Inc.
OVF
Open Virtualization Format. Open standard (independent of processor architecture) for the distribution of
software that runs on Virtual Machines.
Port Group
Virtual Switch ports that share parameters, such as bandwidth limitations and VLAN tagging policies, and
through which Virtual Machines connect to Virtual Switches. Unless otherwise specified, this refers to both
regular port groups (on one ESXi host) and dvPGs (distributed virtual port groups, on multiple ESXi hosts).
REST API
Representational State Transfer Application Programming Interface. The NSX API, for communication
between the NSX Manager and the Service Manager.

Terms
SDDC
Software-Defined Data Center. Data Center infrastructure components that can be provisioned, operated,
and managed through an API for full automation.
SDN
Software-Defined Network. Virtualization of topology, traffic, and functionality.
Security Group for NSX

A collection of virtual objects that defines the Distributed Firewall protection policy VMware NSX.
Service Composer
A VMware NSX component that provisions and assigns network and security services to applications in a
virtual infrastructure.
Service Manager
Component that manages the communication between Check Point products, CloudGuard and the
VMware NSX, through the VMware REST API.
SVM
Service Virtual Machine. A Virtual Machine deployed as a service on the ESXi and as part of NSX network.
CloudGuard Gateway is an SVM.
Threat Prevention Tagging

A feature for tagging and quarantining VMs infected by a bot or a virus, to apply stricter policies to the
tagged VMs.
vCenter Server
Centralized management tool for VMware vSphere. It manages many ESXi servers and VMs from different
ESXi servers, from one console application.
Virtual Network
Environment of logically connected Virtual Machines on an ESXi host.
vMotion
VMware technology for migration of active VMs between ESXi hosts.
vNIC
Virtual Network Interface Card. Software-based abstraction of a physical interface that supplies network
connectivity for Virtual Machines.

Terms
vSphere
VMware cloud computing virtualization operating system. The vSphere Web Client is the GUI to manage
Virtual Machines and their objects.

Introduction to CloudGuard
Check Point CloudGuard for VMware NSX delivers multi-layered defense to protect East-West traffic within
the VMware deployed Data Center. CloudGuard transparently enforces security at the hypervisor level
between Virtual Machines. It automatically quarantines infected Virtual Machines for remediation, and
provides comprehensive visibility into Virtual Network traffic trends and threats.
CloudGuard Gateway for NSX-V is automatically deployed as a service Virtual Machine in the VMware
virtual environment. It fully integrates with VMware NSX components. The CloudGuard Gateway secures
Data Center traffic between Virtual Machines across the Virtual Network.
Basic Deployment with Hypervisor mode
CloudGuard Gateways inspect all traffic that goes to, from, or inside the protected Security Group.
Item Entity Description
1 ESXi host The physical infrastructure is multiple ESXi hosts in an ESXi

cluster.
2 NSX NSX Manager defines Security Groups and the redirection policy.
3 vCenter Server vCenter manages ESXi hosts.

Item Entity Description
4 CloudGuard Gateway Inspects traffic:

n Between Virtual Machines in the Security Group.
n To and from the Security Group.
5 VMs Virtual Machines.
6 Protected Security Group Collection of vSphere objects protected by NSX.
7 Data Center core The Data Center switching and routing infrastructure.
8 Physical Security Gateway Physical enforcement point.
9 Check Point Management Check Point Management Server that is Software-Defined Data
Server Center aware.
ESXi Host Security Considerations

To learn how to secure your ESXi server, see VMware Best Practices - Security Hardening.
Check Point Best Practices:
n Use a separate secured network for the vSphere server management.

n Permissions required for integration between different solutions should follow the least privileges
model. This provides the minimum permissions required for proper function. For example,
VMware NSX Manager and Check Point Management Server.
To learn more about VMware roles and permissions, see the best practices in the Managing
VMware Virtual Center Roles and Permissions Guide.
Note:
CloudGuard Gateway for NSX requires NSX Administrator Permissions and a Read-only role
for the vCenter Server.
Requirements for VMware Tools

Install and run VMware Tools on guest Virtual Machines. Redirection of traffic to or from a specific Virtual
Machine to the CloudGuard Gateway for NSX (or any other service), requires that NSX map the IP address
for that specific Virtual Machine. To get a guest IP address, NSX Manager must have VMware Tools
installed. NSX Manager cannot properly redirect workloads that involve Virtual Machines that do not run
VMware Tools. See sk109460.
Note:
From NSX 6.4, there is no need to install VMware Tools.

Workflow for Upgrading and Installing CloudGuard
Workflow for Upgrading and

Installing CloudGuard
Upgrading and Installing CloudGuard
To upgrade or install the CloudGuard Gateway for NSX, open the systems listed here:
n vSphere Web Client
n SmartConsole
n Console or SSH connection
For first time installation

If you are installing CloudGuard for the first time, make sure to install the latest build of the CPUSE
Deployment Agent from sk92449. After you install CloudGuard, continue with Step 4.
Use the steps below as a guide for your system.
Step Procedure
"Step 1: Installing the CloudGuard Service Registration Hotfix on the Management Server" below
"Step 2: Upgrading the CloudGuard Service Registration Hotfix" on the next page
"Step 3: Upgrading the CloudGuard Gateway for NSX " on page 12
"Step 4: Configuring the VMware Components" on page 15
"Step 5: Providing the URL OVF Path" on page 20
"Step 6: Configuring the Management Server" on page 21
"Step 7: Registering a New CloudGuard Gateway Service" on page 23
"Step 8: Deploying and Configuring CloudGuard Security Gateway for NSX " on page 30
Step 1: Installing the CloudGuard Service

Registration Hotfix on the Management Server
n Install the CloudGuard Service Registration Hotfix. See the corresponding section in sk114518.

Step 2: Upgrading the CloudGuard Service

Registration Hotfix
You can upgrade from CloudGuard Service Registration v5 only.
Upgrading from v5 or v6
To upgrade from CloudGuard Service Registration v5 or v6:
Install the CloudGuard Service Registration v7.

The Check Point Management Server with the new CloudGuard Service Registration Hotfix re-attaches
itself to an existing deployed CloudGuard Gateway. All services continue as they did before the
upgrade.
Using CPUSE to Install the Management Server Hotfix

Note:
For detailed instructions about CPUSE, see sk92449.
To install a Management Server Hotfix with CPUSE online:
Step Description
1 From a web browser on your computer, connect to the Gaia Portal on your Security
Management Server or Multi-Domain Server.
2 From the left tree, go to Upgrades (CPUSE) > Status and Actions.
3 On the top toolbar, click Showing Recommended packages and select All .
If you do not see the Hotfix package, click Check For Updates .
4 Right-click the Hotfix package and select Verifier.
5 Left-click the Hotfix package and click Install Update.

CPUSE downloads the Hotfix package, and installation starts immediately.
The Management Server reboots when the installation is complete.
To install a Management ServerHotfix with CPUSE offline:
Step Description
1 Download this package from sk114518 to your computer.
2 With a web browser on your computer, connect to the Gaia Portal on your Security

Step Description
4 Select Import Package.

The Import Package window opens.
5 Click Browse and select the Management Server Hotfix package.
6 Click Upload.
7 On the top toolbar, click Showing Recommended packages and select All.
8 Right-click the Hotfix package and select Verifier.
9 Left-click the Hotfix package and click Install Update.

The installation starts immediately.
The Management Server reboots automatically when the installation is complete.
Uninstalling the Hotfix

Before you uninstall the Hotfix:
n Make sure no service is deployed.
n Make sure all services were removed from NSX, see "Uninstalling the CloudGuard Gateway
Service" on page 27.
To uninstall a Hotfix from Security Management Server or Multi-Domain Server with CPUSE:
Step Description
1 With a web browser on your computer, connect to the Gaia Portal on your Security
3 On the top toolbar, click Showing Recommended packages and select All.
4 Left-click the Hotfix package.
5 Click Uninstall.
Step 3: Upgrading the CloudGuard Gateway for

NSX
You can upgrade the CloudGuard Gateway for NSX manually or with the CLI.

Before you start the upgrade, you have to enable the OVF files. See "Step 5: Providing the URL OVF
Path" on page 20.
Notes:
n Make sure:
l There is connectivity between the OVF URL and the vCenter server and the Security
Management Server or Multi-Domain Server
l The OVF file is accessible from the Security Management Server or Multi-Domain Server
n If you update the OVF URL now, it affects only the new service registration.
Important - Before the upgrade, make sure the service status in the vSphere web client is UP, or the
upgrade fails.
Upgrading the CloudGuard Gateway with the CLI

To upgrade with the CLI:
Step Description
1 Connect to the command line on the Security Management Server or Multi-Domain

Server.
2 Log in to the Expert mode.
3 Run:
# cloudguard_config
4 SelectVMware Configuration > Manage Register Service > Upgrade Service >
NSX.
5 Select the Service you want to upgrade.
6 Select the Cluster you want to upgrade.
7 To register the service with a default configuration, press y to accept the default
settings.
There are two options:
n Enter y to automatically create the CloudGuard Gateway objects on the Security
Management Server or Multi-Domain Server and to automatically assign the IP
gateway address from the NSX IP pool.
n Enter n to manually create an object. Then, enter y to automatically assign to
CloudGuard Gateway an IP address from the NSX IP pool, or n, to set the IP
address manually.
See below for details to register the service.
8 Enter and confirm the default administrator password for the CloudGuard Gateway.

Step Description
9 Enter and confirm the SIC one-time password.
10 Select the IP pool, if you had selected to assign the IP gateway address from the NSX IP
pool.
If your IP pool has no IP, you can change your selection, or create new IP pool.
To register the service:
Description
Manual 1. Enter n to configure manually.

configuration 2. Enter a Service Name.
3. Select how you want to register the service.
Tap device See "Configuring Tap/Monitor Mode" on page 25
CloudGuard 1. Select Inspection.

Gateway 2. Configure the Failure Policy (for the Inspection Mode only).
The default policy is Fail close and all packets are dropped. If you choose
Fail open, all packets are accepted.
The Failure Policy determines if packets are allowed or dropped when the
ESX kernel cannot communicate with the CloudGuard Gateway agent. This
can happen when the CloudGuard Gateway is down, restarts, or has an
unexpected error. You can change the policy later. See "Changing the Failure
Policy" on page 26.
3. Configure IPv6 support. See "Configuring IPv6 Support" on page 25.
The upgrade is now in progress. The process takes some time. You can follow the progress on the
Management Server's console.
When the installation is complete, you have to redirect the traffic to the new service.
To redirect traffic to the new service:
Step Description
1 Select VMware Configuration > Manage Register Service > Change Redirection
Rules > NSX.
2 Select the old service.
3 Select the new service.
Use the vSphere Web UI to confirm the new service is running, and then uninstall the old service.

Upgrading the CloudGuard Gateway Manually

To upgrade manually:
Step Description
1 Provide the OVF URL path and files.
2 Register a new CloudGuard Gateway service.
3 Deploy the new CloudGuard Gateway service.
4 In SmartConsole, install the Access Control Policy on the Check Point Gateway.
5 On the vSphere web UI, change the redirection policy from the old service to the new
service.
6 Uninstall the old CloudGuard Gateway service.
Best Practice:
Before you install the new CloudGuard Gateway, migrate all the Virtual Machines to another ESXi.
There is less downtime when you upgrade.
Step 4: Configuring the VMware Components

Before you start these procedures, install and configure the required VMware component. You can install
more than one ESXi.
Adding the vCenter IP Address to the Runtime Settings

To use VMware, you must add the vCenter IP address to the Runtime Settings tab on the vCenter Server
Setting page.
To add the vCenter IP address:
Step Description
1 In the vSphere Web Client, click vCenter > vCenter Servers and select the server.
2 Click Manage > Settings > General > Runtime settings.
3 Click vCenter Server managed address > Edit > Runtime settings.
4 In the Virtual Center Server managed address field, enter the vCenter server IP
address.

Preparing the ESXi Cluster for CloudGuard Service

Deployment
The sections below describe how to configure an ESXi cluster.
Adding an ESXi to an ESXi Cluster

To add a new ESXi to a cluster:
Step Description
1 In the vSphere Web Client, right-click the ESXi cluster object and select Add Host.
2 Configure the Agent VM setting for the new host.

If there is CloudGuard Service deployed on the cluster, CloudGuard Gateway automatically
installs on the new host.
3 If you do not use an IP address pool or Automatic Provisioning, manually activate the
CloudGuard Gateway and then configure it.
Configuring Agent VM Host Settings
To configure Agent VM settings for each ESXi server:
Step Description
1 In the vSphere Web Client, go to the ESXi server and select the Configure tab for each
ESXi server.
2 Go to Agent VM settings > Edit.
3 In the Agent VM Settings window, select the datastore to hold the files for the CloudGuard
Gateway Service Virtual Machine.
Best Practice:
Deploy the CloudGuard Gateway on ESXi server local storage and not on external
storage.
4 In the Agent VM Settings window, select the Port Group network that connects to the
CloudGuard Gateway Service VM by default.
This Port Group is used for communication with the Security Management Server or Multi-
Domain Server.
5 Install the NSX VIB on all hosts before you deploy it.

To install the NSX VIB on all ESXi:
Step Description
1 Log in to the vSphere Web Client.
2 Select Networking and Security > Installation > Host Preparation.
3 Click Install for all clusters where you install NSX.
Removing an ESXi Server from an ESXi Cluster

To remove a host from a cluster:
Step Description
1 In the vSphere Web Client, go to Hosts and Clusters.
2 Select the ESXi server and click Actions > Maintenance Mode > Enter Maintenance
Mode.
3 Move the ESXi server from the cluster to a Data Center.
4 Select the host and click Actions > Exit Maintenance Mode.
5 Reboot the ESXi server.

If you did not enable Automatic Provisioning, remove the Cluster Member in
SmartConsole.
NSX Grouping Objects

With the Grouping feature, you can create custom containers and assign resources, such as Virtual
Machines and network adapters, for CloudGuard Service protection. After a group is defined, you can add
the group as source or destination to a firewall rule.
Creating a Security Group

To create a Security Group:
Step Description
1 In the vSphere Web Client, go to Networking and Security > Service Composer > Security
Groups .
2 Click the New Security Group icon.

The New Security Group wizard opens.
3 Enter a name and description for the new Security Group.

Step Description
4 Click Next.
5 Define dynamic memberships and objects.

Select objects in the Select objects to include and Select objects to exclude pages.
Objects that you select are always included in the Security Group, even if these objects do
not match the dynamic membership specifications.
Note - You can include other Security Groups in your new Security Group.
Creating a CloudGuard Gateway IP Address Pool

Best Practice:
Create an IP address pool to automatically assign management interface IP addresses.
To create an IP address pool:
Step Description
2 Click Networking & Security > NSX Managers.
3 In Name, click the NSX Manager.
4 Click Manage.
5 Click Grouping Objects > IP Pool .
6 Click Add New IP Pool.
7 Enter a name for the IP pool and its default gateway.
8 Enter the primary and secondary DNS, DNS suffix and prefix length.
9 Enter the IP address ranges to include in the pool.
10 Click OK.
Creating an IP Set
To create an IP Set:
Step Description
2 Click Networking & Security > NSX Managers .

Step Description
3 In Name, click the NSX Manager.
4 Click Grouping Objects > IP Sets .
5 Click Add new IP Set (+).
6 In the Add IP Addresses window, enter a name, description and IP address for the
new Security Group.
This IP address is redirected to the CloudGuard Gateway.
7 Add the new IP Set to the Security Group.
vMotion
vMotion lets you migrate active Virtual Machines between ESXi servers.
Configure network interfaces on source and target ESXi servers. Configure each ESXi server with at least
one network interface for vMotion traffic. To secure data transfer, make sure only trusted parties access
the vMotion network. Additional bandwidth significantly improves vMotion performance. When you migrate
a Virtual Machine with vMotion without using shared storage, the virtual disk contents are also transferred
over the network.
Configure the Virtual Networks on vMotion enabled ESXi server:
n On each ESXi server, configure a VMkernel port group for vMotion.

n Make sure the Virtual Machines can access the same subnets on source and destination ESXi
server.
n If you use standard switches for networking, make sure the Virtual Machine port group network
labels are consistent across ESXi servers. During a vMotion migration, the vCenter server
assigns Virtual Machines to port groups based on matching network labels.
n If you use vSphere Distributed Switches for networking, make sure source and destination ESXi
server are members of all vSphere Distributed Switches used by Virtual Machines.
For minimum impact on connectivity, applications, and security:
n The VMware distributed firewall on the target ESXi server handles existing connections until they
are closed or reset.
n The CloudGuard service that runs on the target ESXi server secures new connections to and
from the migrated Virtual Machine.
Important:
The HTTPS connection and the Control connection must be initialized again after vMotion. Initialize the
sessions of existing connections that need a control channel, in addition to the data channel.

Step 5: Providing the URL OVF Path

Install the OVF files to configure the Security Gateway. The CloudGuard Gateway package includes these
files:
n <file_name>.ovf
n <file_name>.vmdk
n <file_name>.mf
After you download the OVF file, create the default file location. Step 3 below shows the default file location
that Check Point recommends on the Security Management Server or Multi-Domain Server.
You can also save it to another file location that is more appropriate for your system.
To download the OVF files:
Step Description
1 Extract the package and make sure it contains the OVF, VMDK, and MF files.
2 Copy the files to the ve folder or select your own location. The default file location is:
n Security Management Server: $FWDIR/VE/jetty/ve/

n Multi-Domain Server: $MDS_TEMPLATE/VE/jetty/ve/
Note - Make sure that you copy the files to the Multi-Domain Server and not to a
Domain Management Server.
n Third Party Server: You can copy the files to an HTTP server that can access the
vCenter server.
n Run the md5sum command to validate the integrity of the file you copied.
Best Practice:
For Management High Availability, put CloudGuard OVF files on a

third-party server.
3 Update the URL of the CloudGuard Gateway OVF. Set this URL to the file name with
the ovf extension. You can have multiple OVFs.
If you receive an error message when you try to register service, the file could be in a different location.
For more information, see "Troubleshooting and Best Practices" on page 41.
Use Case - Manually Selecting the OVF File Location

An administrator has a High Availability environment. He wants to store the SVM image on a distributed
data store so his clients can have access to the files at any time.
After the administrator has downloaded the files, he can select the location of the folder.

To manually manage the OVF:
Step Description

Server.
2 Log in to Gaia Clish or Expert mode.
3 Run:
cloudguard_config
4 Select VMware Configuration > Change Global configuration > Manage Service
OVFs .
From this menu you can Add OVF, Delete OVF, and Change default OVF.
Step 6: Configuring the Management Server

Create Data Center objects in SmartConsole to connect to the NSX Manager and the vCenter server.
Before you create a Data Center object, do the following:
Step Description
2 Run:
cloudguard on
To create a Data Center Object:
Step Description
1 Enter your NSX Manager or vCenter credentials and connection properties.
2 Click Test Connection.

If the server was not approved, a certificate window opens. Click Trust to confirm the
certificate.
3 When the connection status is Connected, click OK.

Note - If the connection status is not connected, troubleshoot this issue before you
continue. See "Service Registration: Not connected to a known vCenter" on page 41.

Configuring the Security Management Server or Multi-

Domain Server Properties
Log in to Expert Mode to run the command cloudguard_config
To configure the Security Management Server or Multi-Domain Server properties:
Step Description
1 Make sure you are connected to the Data Center server.

Server.
4 On a Multi-Domain Server, go to the context of each applicable Domain Management

Server:
mdsenv <IP address or Name of the Domain Management Server>
5 Run:
cloudguard_config
6 Select VMware Configuration.
7 Enter y to accept the default settings or n to configure manually.
8 Enter the Service Manager IP Address (IP Address of the Security Management Server
or Multi-Domain Server that is routable from the NSX Manager).
Note - In a Multi-Domain Server environment, enter the IP address of the applicable
Domain Management Server.
9 Enter the URL of the CloudGuard OVF file.

When you upload the OVF to the Security Management Server or Multi-Domain
Server, the default URL is defined as:
https://<Server_IP_Address>:<Server_Port>/ve/<OVF_File_Name>
If you upload the OVF to a different location, enter the correct URL.
10 To register the CloudGuard service now, enter y . To register at another time, enter n.

Step 7: Registering a New CloudGuard Gateway

Service
To register a new CloudGuard Gateway Service:
Step Description
1 Make sure you are connected to the Data Center server.

Server.
4 On a Multi-Domain Server only, go to the context of each applicable Domain

Management Server:
5 Run:
cloudguard_config
6 Register the service - with a default configuration, or a manual configuration as

described below
To register the service with a default configuration:
Step Description
1 Enter y for the default configuration, or n for manual configuration.
4 Enter y to register the service.
If this is the first registered service, select a management administrator and enter the correct password to
continue. These credentials are given to the NSX Manager that uses the credentials as identification for all
the operations done by the Security Management Server or Multi-Domain Server.
Make sure the administrator has Management API login permission.
In a Multi-Domain Server environment, make sure the administrator has permissions on the relevant
domain for the Domain Management Server.

If you have to change the administrator, or if the administrator password has changed, update the
credentials. Go to:
Step Description
2 Run:
cloudguard_config
3 Select VMware configuration > Change Global Configuration > Service Manager
Credentials .
To register the service with a manual configuration:
Step Description
1 Enter n for manual configuration.
2 Select the OVF.
3 Enter a Service Name.

Note - The name must be unique and have less than 34 characters. The default name
is Check Point CloudGuard Service.
4 Select how you want to register the service.

n Tap/Monitor Mode
n Inspection Mode (to register as a CloudGuard Gateway)
5 Configure IPv6 Support (see "Configuring IPv6 Support" on the next page).
6 Configure Failure Policy (for the Inspection Mode only).

Fail close is the default policy and all packets are dropped. If you choose Fail open, all
packets are accepted.
The Failure Policy determines if packets are allowed or dropped when the ESXi kernel
cannot communicate with the CloudGuard Gateway agent. This can occur when the
CloudGuard Gateway is down, restarts, or has an unexpected error. You can change
the policy later in "Configuring IPv6 Support" on the next page
7 There are two options:
n Enter y to automatically create the CloudGuard Gateway objects on the Security

Management Server or Multi-Domain Server and to automatically assign the IP
gateway address from the NSX IP pool
n Enter n to manually create objects. Then, enter y to automatically assign to the
CloudGuard Gateway an IP address from the NSX IP pool, or n, to set the IP
address manually.

Step Description
10 Enter y to register the service.
Configuring Tap/Monitor Mode

When you register a service with the Tap/Monitor Mode, CloudGuard Gateway for NSX can listen to traffic
that is redirected to it, without interfering with the traffic.
The original packets continue on their path through the network, and a duplicate packet is sent to the
CloudGuard Gateway enabled with the Tap/Monitor Mode.
When to use this mode:
n As a permanent part of your deployment to monitor the use of applications in your organization.
n As an evaluation tool for the capabilities of the Application Control and IPS blades, before you
decide to purchase them.
n To create security check-up reports.
You can use Tap Mode combined with Threat Prevention Tagging to share security events with NSX
Manager and achieve prevention, without deploying the solution inline.
Notes:
n A CloudGuard Gateway for NSX deployed in this mode does not enforce Security Policy or
perform any active operation, such as prevent/drop/reject. Therefore, you can use it only to
evaluate the monitoring and detection capabilities of the software blades.
See sk101670 for the supported software blades > Section [2] Support for Security Gateway
blades.
n All duplicate packets that arrive at the monitor interface of the Security Gateway are terminated
and are not forwarded.
See sk101670 for the Monitor Mode limitations > Section [5] Limitations (other than the Known
Limitations for CloudGuard Gateway for NSX ).
Configuring IPv6 Support

If you want the service to support IPv6 traffic, select On.
Note - You can change this setting at any time. See the R80.10 Gaia Administration Guide - Chapter
System Management - Section System Configuration.
If you want to optimize service, select y . If you selected to optimize:
n The service can use all cores that are used to inspect IPv4, to inspect IPv6 also. If you do not choose
to optimize, only a maximum of two cores are used to inspect IPv6 traffic.
On each CloudGuard Gateway, you can configure the number of IPv6 CoreXL FW instances to
inspect IPv6 traffic.

Run cpconfig, select Check Point CoreXL, and follow the on-screen instructions.
n Most of the traffic passing through the CloudGuard Gateway is IPv6 traffic.
Changing the Failure Policy

To change the failure policy:
Step Description

Server.

Management Server:
4 Run:
cloudguard_config
5 Select VMware Configuration > Manage Register Service > Change Failure
Policy .
6 Select the appropriate NSX Manager.
7 Select the Check Point CloudGuard service.
The Current Failure Policy shows. Enter y to change the policy, or n to keep it.
Important:
The change of policy is reflected immediately on the service profile of each service, but is not
reflected in the ESXi Rule Base.
To update the rules on ESXi, disable the redirection rules. When you disable the redirection rules, traffic
no longer reaches the CloudGuard Gateway, and the traffic is not inspected until you enable the
redirection rules again.
To change the failure policy on ESXi, disable the redirection rules and then enable them again.
Note:
This operation is disruptive to the CloudGuard Gateway operation and can cause connectivity issues
with the connections that were started before the redirection is re-enabled.
Automatic Provisioning of CloudGuard Objects

Automatic Provisioning handles these actions on CloudGuard objects:

n Creates CloudGuard objects (Clusters or Gateways) on the Security Management Server or Multi-
Domain Server when it receives a notification from the NSX Server.
n Automatically initializes SIC between the CloudGuard Gateway and the Security Management
Server or Multi-Domain Server.
n Installs the policy on new Security Gateways if the CloudGuard Cluster Object already has a policy.
To enable Automatic Provisioning:
Step Description
1 When you register the service, follow the on-screen steps and confirm, to automatically
create objects. See "Step 7: Registering a New CloudGuard Gateway Service" on
page 23
2 Deploy the CloudGuard Security Gateway with the vSphere Web Client. See
"Deploying CloudGuard Gateway" on page 30.
Uninstalling the CloudGuard Gateway Service

Important - Do not use this procedure for an upgrade.
Uninstall the CloudGuard Gateway service before you uninstall CloudGuard from the Security
To uninstall the CloudGuard Gateway Service:
Step Description
1 In the vSphere Web Client, go to Networking and Security > Service Composer >
Security Policies .
2 Select the policy.
3 Click Actions > Delete.
4 In the vSphere Web Client, go to Home > Networking and Security > Installation >
Service Deployments .
5 Select the service and click Delete service deployment (X).

Server.

Management Server:

Step Description
9 Run:
cloudguard_config
10 Select VMware Configuration > Manage Registered Services > Remove Service.
11 Select NSX and the services to delete from the list.
Automatic Provisioning in SmartConsole

n If you did not enable Automatic Provisioning, delete the cluster object.
n If you did enable Automatic Provisioning, wait for the objects to be deleted from SmartConsole.
Note:
After you unregister all the services in a High Availability environment, run:
cpved off
This stops the process on the Security Management Server or Multi-Domain Server, from which you did
not remove the service.
Management High Availability Failover

Failover from an Active Management Server (Security Management Server or Multi-Domain Server) to the
Standby Management Server is done manually. You must manually synchronize the Management Servers
before and after failover. To learn more, see the section Synchronization Procedures in the relevant
Security Management Administration Guide.
Note:
In a Multi-Domain Server environment, synchronize only the Domain Management Server that you
change to Active. This must be done for every Domain Management Server that you change to Active.
To manually failover a Management Server:
Step Description
1 In SmartConsole, go to Menu > Management High Availability.

The High Availability Status window shows.
2 Change the Active Management Server to Standby.
3 Change the Standby Management Server to Active.

Server.

Step Description

Management Server:
7 Run:
cloudguard_config
8 Select VMware Configuration > Change Global Parameters > Service Manager IP
Address .
9 Enter the new Management Server's IP address.

This is the IP Address of the Security Management Server or Multi-Domain Server,
which is routable from NSX.
The NSX can now send notifications to the new Active Management Server.
10 For each Domain Management Server, which already has the CloudGuard service
deployed, run:
cpved register
11 If the CloudGuard Gateway OVF URL is on your new Active Management Server:
a. Run:
cloudguard_config
b. Select VMware Configuration> Change Global Parameters > Manage Service
OVFs > Add OVF.
c. Enter the OVF URL in this format:
https://<IP_Address>:<Port>/ve/<OVF_File_Name>.ovf
You can set the new OVF as default, or manually choose it on registration.
12 Repeat Steps 1 and 2 to synchronize the Management Servers.
To learn more about failover, see the section Changing a Server to Active or Standby in the relevant
Security Management Administration Guide
Best Practice:
In a Management High Availability environment, store the CloudGuard OVF files on a

third-party web server.
Note:
If you update the OVF URL now, it affects only future service registrations.

Step 8: Deploying and Configuring CloudGuard

Security Gateway for NSX
Check Point CloudGuard Gateway enforces adaptive security across virtual environments. It applies
advanced Threat Prevention to block threats inside the Data Center, and micro-segmentation for access
control inside the virtual environment.
Deploying CloudGuard Gateway

After you complete service registration (see "Step 7: Registering a New CloudGuard Gateway Service" on
page 23), you can deploy the CloudGuard Gateway with the vSphere Web Client.
Deploying the Service

This procedure uses an Agent VM (see "Configuring Agent VM Host Settings" on page 16), for an
environment with a local datastore.
Before you begin:
n Make sure you prepared the vCenter cluster before you deploy the service on it (see "Preparing
the ESXi Cluster for CloudGuard Service Deployment" on page 16).
n If you use an external datastore, make sure you know its details.
To deploy the service:
Step Description
1 Select Installation > Service Deployments .
2 Click New Service (+ ), and select the service you created (see "Step 7: Registering
a New CloudGuard Gateway Service" on page 23).
3 Select the cluster where the service is deployed.
4 Select one of these as the SVM's datastore:

n Specified on-host - Install the SVM on the datastore.
n Select a datastore that is available to all ESXi hosts in the cluster.
5 Select one of these management interface port groups:

n Specified on-host - The SVM uses the port group defined in the Agent VM
Host Settings (see "Configuring Agent VM Host Settings" on page 16).
n Select a distributed port group if you did not configure an Agent VM.

Step Description
6 If you enabled the Automatic IP Pool feature (see "Step 7: Registering a New
CloudGuard Gateway Service" on page 23), or the Automatic Provisioning feature
(see "Automatic Provisioning of CloudGuard Objects" on page 26).
a. Click Change in the IP Assignment column of the service.

b. In the Select an Assignment Mode window, select User IP Pool and then
select an existing IP pool or create a new one.
c. Click OK.
7 Click Finish.
The system copies the OVF to the vCenter, and deploys it to all ESXi hosts on the selected clusters.
See the Installation Status in the Service Deployments tab to monitor the progress of the deployment
from the vSphere client.
If the Installation Status does not succeed:
n Click Failed to see the reason for the failure.

n Click Resolve to resolve the issues.
Note:
If the Enable Agent task shows an error with the message "Cannot complete the operation",
you can safely ignore it. This is a known VMware limitation.
When installation completes, the CloudGuard Gateway automatically reboots.
Configuring NSX to Redirect Traffic to the CloudGuard Gateway

This procedure describes basic steps to configure a Security Group. See the VMware documentation for
conceptual information, detailed procedures, and explanations of the different objects and options.
Configure the NSX security policy to redirect traffic to Check Point entities. Create rules in this policy, in
pairs:
n Rule for traffic from the Security Group (Source = Security Group)
n Rule for traffic to the Security Group (Destination = Security Group)
Notes:
n You can also configure redirection rules from Partner security services > Firewall .
n Connections that are already open when the redirection starts, may be dropped.

Creating Security Policy

To create and apply a new Security Policy:
Step Description
1 In the vSphere Web Client, click Networking and Security > Service Composer >
Security Policies .
2 Select the Create Security Policy icon.

The New Security Policy wizard opens.
3 Click Next until the Network Introspection Services page shows.
4 Click the Add Network Introspection Service icon (+ ).
5 Enter the <from_rule_name> and description.
6 Select your Service Name and Profile that was created during registration.
7 Set Destination to Any .
8 Set Source to Policy's Security Groups > OK.
9 Add a new rule: enter the <to_rule_name> and description.
10 In the Network Introspection Services page, change the Source parameter to Any .
The Destination parameter changes to Policy's Security Groups .
11 Select your Service Name and Profile that was created during registration.
12 Click OK > Finish.
13 Select the new Security Policy and click Apply Policy .
14 In the Apply Policy window, select the Security Group and click OK.
Note:
Do not apply the security policy to more than one group that contains the same Virtual
Machine.
Excluding Virtual Machines from Distributed Firewall Protection

You can exclude a set of Virtual Machines from distributed firewall protection. For a Virtual Machine with
multiple vNICs, all are excluded from firewall protection. NSX Manager and service Virtual Machines are
automatically excluded from firewall protection.

To exclude Virtual Machines from distributed firewall protection:
Step Description
2 Click Networking & Security .
3 Click NSX Managers .
4 In the Name column, click an NSX Manager.
5 Click the Manage tab and then click the Exclusion List tab.
6 Click Add (+), and type the name of the Virtual Machine you want to exclude.
7 Click Add > OK.
Preventing Traffic Redirection to the CloudGuard Service

To prevent traffic redirection to the CloudGuard service:
Step Description
1 In the vSphere Web Client, open Networking & Security > Firewall .
2 Click the Partner security services tab.
3 If you want to add a rule, click Add rule (+) above the redirection rule.
A new any-allow rule is added at the top of the section.
4 In the Name of the new rule, click Edit, and enter a rule name.
5 Enter the rule Source, Destination, and Service.
6 In the Action of the new rule, click Edit.
a. In Action, select Do not redirect.

b. In Redirect To, select the service profile of the CloudGuard NSX Service.
c. Select the direction for not redirect: In, Out, or In/Out
d. Select the packet type to not redirect: IPv4, IPv6, or Any
e. Select log actions that you want.
f. Click OK > Publish Changes .

NSX IP Mappings for Virtual Machines

NSX redirection policies based on Virtual Machine names or other dynamic attributes, require IP mapping
of the Virtual Machines.
You can map IP addresses in different ways:
n From version VMware NSX 6.2, use NSX SpoofGuard DHCP snooping or ARP snooping abilities.
These features allow NSX to enforce IP address-based security rules on Virtual Machines with no
VMware Tools installed. See sk109460.
n Use an IP set to redirect traffic from a Virtual Machine without VMware tools. To redirect traffic for
IP Sets, enable SpoofGuard and add the Inactive Virtual NIC IP address to the Approved IP list.
Best Practice:
To make sure that all traffic goes through CloudGuard Security Gateway, install
VMware Tools on each Virtual Machine. Make sure that VMware Tools are running
correctly.
Note:
From NSX 6.4, you do not have to install VMware Tools to redirect traffic.
To enable SpoofGuard for the Port Group:
Step Description
1 Open Home > Networking & Security .
2 In the SpoofGuard panel, add a new policy or select an existing policy.
3 In the Policy > Settings panel, enable SpoofGuard.
4 In the Policy > Select Networks panel, click (+).
5 Select the Port Group from the list.
6 In the lower section of the SpoofGuard pane, select Inactive Virtual NICs from the
View list.
7 Select the Virtual NIC.
8 Enter the Virtual NIC IP address in the Approved IP field.

This creates a policy exception that enables traffic redirection to an approved IP
address.
Manually Creating CloudGuard Cluster Objects

This procedure is not necessary if you enabled Automatic Provisioning of CloudGuard objects.
Create a cluster object with CloudGuard Gateway members. Each CloudGuard Gateway gets the license
attached to the cluster.

Step 1: Create a network object to represent the cluster:
Step Description
1 Go to SmartConsole > Objects Explorer > More Object Types > Network Objects >
Gateways and Servers > Cluster > New Cluster.
2 Select Classic mode.
3 In the Gateway Cluster properties, enter a Name for the cluster.
4 Enter the cluster IP address .

The cluster IP address is only used for the definition of the object.
5 In General Properties > Network Security :
a. Make sure that the ClusterXL and IPSec VPN Software Blades are deselected.
b. Change the version to R80.10.
6 In the 3rd Party Configuration window, make sure Hide Cluster Members outgoing
traffic behind Clusters IP address is not selected.
7 In the Network Management [+] tab, make sure Enable Extended Cluster
AntiSpoofing is not selected.
8 In General Properties > Network Security tab, select Software Blades .
Note:
Before you add a CloudGuard Gateway instance to the CloudGuard cluster:

n Make sure that there is connectivity between the Cluster Member and the Security Management
n Resolve connectivity issues before you continue.
n Make sure that you coordinate the Date, Time and Timezone settings between the Security
Management Server or Multi-Domain Server and the CloudGuard Gateway.
Step 2: Add CloudGuard Gateway instances as Cluster Members:
Step Description
1 From the Objects Explorer > in the Search box, type the name of your cluster.
2 Double-click and the Gateway Cluster Properties window shows.
3 Select Cluster Members > Add > New Cluster Member.
4 In the Cluster Member Properties window in the General tab, enter a Name and IP
address .

Step Description
5 Click Communication and enter the SIC internal communication password.
6 Click Initialize and wait for the Trust state to change to Trust established.
Step 3: Configure the topology of Cluster Members:
Step Description
1 From the Objects Explorer > in the Search box, type the name of your cluster.
2 Double-click and the Gateway Cluster Properties window shows.
3 Select Network Management [+] > Get Interfaceseth0 shows.
4 Select Network Management [+] > Action > New Interface.
5 In Object Name, enter: eth1
6 In General , change Network Type to Sync .
7 In Members IPs , click Modify , and for each member, enter an IPv4 Address and Net
Mask .
This IP address is only used to create the cluster object. It is not the real IP address of
the CloudGuard Gateway.
8 Select Topology > Modify > Override.
a. Select Network defined by the interface IP and Net Mask .

b. Select Perform Anti-Spoofing based on interface topology .
Multi-Tenancy Support
CloudGuard supports multi-tenant protection on ESXi. That means it can protect multiple customers or
organizations as well as departments or business units that share the same ESXi cluster.
Depending on the requirements, these solutions may provide multi-tenant protection:
1. Dedicated cluster for each tenant.
Each tenant's traffic is handled by a single service deployed on the cluster, enforcing the Security
Policy that applies to the security groups for the specific tenant.
2. Tenants share the same cluster.
This solution requires a service registration for each tenant. Manage each tenant through a different
service. To control the tenant traffic redirection, separate security groups have to be created for
each tenant (see, "Creating a Security Group" on page 17).

To configure multiple services on a cluster:
Step Description
1 Register a new service with a unique name that identifies the tenant, see "Step 7:
Registering a New CloudGuard Gateway Service" on page 23
2 Deploy the service on the required cluster, see "Deploying CloudGuard Gateway" on
page 30
A service instance is added to each host in the cluster.
3 Create a new security group for the tenant. Include all objects that require protection,
see "Creating a Security Group" on page 17
4 Redirect each tenant's traffic through the designated service, see "Requirements for
VMware Tools" on page 9
Manual Activation of the CloudGuard Gateway

This procedure is not necessary if you configured the system for Automatic Provisioning of CloudGuard
Objects or Automatic Assignment of IP addresses to CloudGuard Gateways.
To enable the Service Virtual Machine after installation:
Step Description
1 Log in to each CloudGuard Gateway instance with a console and run these
commands:
# set interface eth0 ipv4-address <ip> mask-length <length>

# set static-route default nexthop gateway address <default_
gw_ip> on
# save config
2 Configure the CloudGuard cluster and Gateway objects in SmartConsole. See

"Manually Creating CloudGuard Cluster Objects" on page 34.

Configuring Threat Prevention for CloudGuard
Configuring Threat Prevention for

CloudGuard
Configuring Identity Awareness in CloudGuard
Configure CloudGuard to use Identity Awareness to see Security Group details in the CloudGuard logs.
See Activating the Identity Awareness Blades.
If you do not have the Identity Awareness blade enabled, enable Terminal Servers.
Step Description
1 From SmartConsole, click the Gateways & Servers tab.
2 Double-click the CloudGuard Gateway cluster.

The Gateway Cluster Properties > General Properties window opens.
3 In the Network Security tab, enable the Identity Awareness Software Blade.
The Identity Awareness Configuration window shows.
4 Select Terminal Servers only > Next.
5 Select I do not wish to configure an Active Directory at this time > Next > Finish.
6 Go to the Identity Awareness tab. Select Identity Web API > Setting.
The Identity Awareness API Setting window shows.
7 Click Edit
8 On the Accessibility tab, click Through all interfaces > OK.
9 In Authorized Client, add the host with this IP address: 127.0.0.1
10 Click Generate > OK.
11 Install policy.
Configuring Application Control Policy

To use the Application Control Software Blade in CloudGuard:
In SmartConsole, select Any to confirm Application Control and URL Filtering rules.

Configuring Anti-Virus Policy

To use the Anti-Virus Software Blade in CloudGuard for NSX, create a new profile in SmartConsole.
Note - This is the profile that you use in the Threat Prevention Policy.
Step Description
1 Click Threat Prevention > Threat Tools > Profiles .
2 Select your profile.
3 Click Anti-Virus and select Inspect incoming and outgoing files .
Configuring Threat Emulation

Threat Emulation is a cloud service that copies files on to a Virtual Machine and reports the results to a
POD. Threat Emulation requires more disk space on the CloudGuard Security Gateway.
If you see alerts about disk space, see sk92907.
To add more space, see sk94671.

To run Threat Emulation:
Step Description
1 In Threat Prevention > Threat Tools > Profiles .
2 Select your profile.
3 Click Threat Emulation> General > Inspect incoming and outgoing files .
4 Click OK.
If you see a SIC error during activation, disregard it.

Note:
The Threat Emulation blade does not support Local Emulation.
Configuring HTTPS Inspection

Enable HTTPS Inspection on the CloudGuard Cluster so you can use HTTPS Inspection on the
CloudGuard Security Gateway.

To enable HTTPS Inspection:
Step Description
1 Click HTTPS Inspection > Open HTTPS Inspection in SmartConsole.
2 Select Destination, and clear the Internet.

Any is shown as the Destination.
Licensing CloudGuard Gateway for NSX

Attach the CloudGuard Gateway license to a cluster. Every CloudGuard Gateway that is part of this cluster
is automatically updated with the license. Purchase a license for the number of physical CPUs on the
clusters and for the IP address of the Security Management Server or Multi-Domain Server.
To license CloudGuard:
n Attach your CloudGuard license to the Security Management Server or Multi-Domain Server with
SmartUpdate.
To attach the license to a cluster with the cloudguard_config utility:
Step Description

Management Server:
3 Run:
cloudguard_config
4 Select VMware Configuration > Licensing.
5 Select the CloudGuard license.
6 Select a CloudGuard cluster.

Troubleshooting and Best Practices

These are some errors that you can experience. For more troubleshooting information, see the sk111060
- ATRG: vSEC / CloudGuard for VMware NSX.
Service Registration: Not connected to a known

vCenter
Symptom
This error shows when you select an NSX Security Gateway for Service Registration:
The NSX Manager you selected is not connected to a known vCenter
Solution
Make sure that the host name of the vCenter (which was registered to the NSX Manager) is used when
creating the vCenter Data Center object. If the names are different, then the CloudGuard CLI cannot
recognize the connection between the NSX Management Server and the vCenter Server.
Service Registration: Failed to Create Service

Symptom
This error shows:
Error during rest callback

n "PUT to the registered ServiceManager at:https://<Service Manager
IP>/vmware/2.0/si/serviceprofile/serviceprofile-<ID> caused by :
I/O error: No route to host; nested exception is
java.net.NoRouteToHostException: No route to host."
n "PUT to the registered ServiceManager at : https:<Service Manager
URL>/vmware/2.0/si/serviceprofile/serviceprofile-55 caused by :
I/O error: Connection refused; nested exception is
java.net.ConnectException: Connection refused."
n "Failed to create service"
Solution
Make sure that the NSX Manager and the Security Management Server or Multi-Domain Server can
communicate using port 443.

Service Registration: Failed to Locate OVF File

Symptom
This message shows:
OVF file https://<IP_Address>:<Port>/ve/Security_Gateway_R80_

10CloudGuard.ovf is inaccessible or doesn't exist. resolve the issue
or choose different OVF
Solution
n Make sure you have a /ve folder is configured.

n You can also download the OVF file to a different folder location.
Go to CloudGuard VMware Service Manager > Change Global Configuration > Manage
Service OVF's and configure as necessary.
Service Deployment Failure

Symptom
This error shows when there is a service deployment failure:
"Error Service deployment failed with the message

Installation of deployment unit failed, please check if ovf/vib urls
are accessible, in correct format and all the properties in ovf
environment have been configured in service attributes. Please check
logs for details."
Solution
Make sure the OVF files can be reached from the vCenter Server.
Make sure you are using the correct OVF files.
To confirm that the OVF files can be reached:
1. In the VMware vSphere Web Client, navigate to Home > Networking and Security > Installation
> Service Deployments .
2. Click on Status in the Installation status column of the relevant service.
3. Click Resolve to power on the CloudGuard Gateway.
Cannot Call Security Solution

Symptom
This error shows when you cannot call a security solution:

Error "Unable to call security solution , please check security

solution configuration: Error during REST callback : PUT to the
registered ServiceManager at : https://<Service Manager
Address>/vmware/2.0/agents/ caused by : I/O error: No route to host;
nested exception is java.net.NoRouteToHostException: No route to
host. Deployment Plugin execution failed"
Cause
The NSX Manager Server failed to correctly communicate with the Check Point Security Management
Next steps:
Step Description
1 Make sure the Check Point Security Management Server or Multi-Domain Server is
powered on.
2 Make sure the Security Management Server or Multi-Domain Server process is up and
running:
netstat -nap | grep 8443
3 Make sure the NSX Manager Server can communicate with the Security Management
Server or Multi-Domain Server using port 443. Communication to the Check Point
Security Management Server or Multi-Domain Server goes to port 443, and then is
redirected to port 8443. Port 8443 is used by the Security Management Server or Multi-
Domain Server process.
Agent VM on Host is Expected to be Powered

On
Symptom
This error shows when there is a powered off CloudGuard Gateway Virtual Machine on one of the
hosts:
Agent VM {vSEC Gateway VM NAME} on host {host} is expected to be

powered on ({agencyName})
Solution:
Step Description
1 In the VMware vSphere Web Client, go to Home > Networking and Security >
Installation > Service Deployments .
2 Click Status in the Installation status column of the relevant service.

Step Description
3 Click Resolve to turn on the CloudGuard Gateway.
Agent VM is Missing on Host

Symptom
This error shows when there is an ESXi host server without a CloudGuard Gateway deployed on it:
Agent VM is missing on host {host.name} ({agencyName})
Solution:
Step Description
1 In the VMware vSphere Web Client, open Home > Networking and Security >
3 Click Resolve to try the CloudGuard Gateway deployment again.
Agent VM Settings on Host are Missing

Symptom
This error shows:
No agent datastore/network configuration on host
Solution:
The CloudGuard Gateway cannot be deployed, due to missing host server configurations. Set Agent
VM settings. See "Configuring Agent VM Host Settings" on page 16.
If the Service VM agent is not deployed, follow these steps to re-initiate the deployment:
Step Description
1 In the VMware vSphere Web Client, open Home > Networking and Security >
3 Click Resolve to try the CloudGuard Gateway deployment.

Automatic Provisioning Failed to Create

Management Network Objects
Symptom
After three failures, the auto provisioning feature stops trying to create objects in SmartConsole. Every
10 minutes all the deployed CloudGuard Gateways are matched with the NSX Manager database and
created or deleted.
This error shows:
Error Failed creating cluster object. Maximum retries exceeded for

object. Please configure the object manually
Solution:
Step Description
1 Edit the ObjectsMap.C file.

Set retries_leftto 999.
2 Make sure the Security Management Server or Multi-Domain Server and the
CloudGuard Gateway have the same date, time, and timezone.
Run: show {timezone | time | date}
If they are not the same, run: set{timezone | time | date}
3 Remove failed objects in SmartConsole or the GuiDBedit Tool.
4 Reset SIC initialization. On the CloudGuard Gateway, run:

cp_conf sic init<Secret One-Time Password>
5 Wait at least ten minutes for the objects to be created.

Cloudguard For NSX: Administration Guide

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cloudguard For NSX: Administration Guide

Uploaded by

Copyright:

Available Formats

28 October

CLOUDGUARD FOR NSX

CloudGuard for NSX Administration Guide | 2

Step 7: Registering a New CloudGuard Gateway Service 23

CloudGuard for NSX Administration Guide | 3

Agent VM Settings on Host are Missing 44

CloudGuard for NSX Administration Guide | 4

CloudGuard for NSX Administration Guide | 5

Security Group for NSX

Threat Prevention Tagging

CloudGuard for NSX Administration Guide | 6

CloudGuard for NSX Administration Guide | 7

Basic Deployment with Hypervisor mode

Item Entity Description

1 ESXi host The physical infrastructure is multiple ESXi hosts in an ESXi

3 vCenter Server vCenter manages ESXi hosts.

CloudGuard for NSX Administration Guide | 8

Item Entity Description

4 CloudGuard Gateway Inspects traffic:

5 VMs Virtual Machines.

6 Protected Security Group Collection of vSphere objects protected by NSX.

8 Physical Security Gateway Physical enforcement point.

ESXi Host Security Considerations

n Use a separate secured network for the vSphere server management.

Requirements for VMware Tools

From NSX 6.4, there is no need to install VMware Tools.

CloudGuard for NSX Administration Guide | 9

Workflow for Upgrading and

For first time installation

"Step 3: Upgrading the CloudGuard Gateway for NSX " on page 12

"Step 4: Configuring the VMware Components" on page 15

"Step 5: Providing the URL OVF Path" on page 20

"Step 6: Configuring the Management Server" on page 21

"Step 7: Registering a New CloudGuard Gateway Service" on page 23

Step 1: Installing the CloudGuard Service

CloudGuard for NSX Administration Guide | 10

Step 2: Upgrading the CloudGuard Service

Install the CloudGuard Service Registration v7.

Using CPUSE to Install the Management Server Hotfix

For detailed instructions about CPUSE, see sk92449.

To install a Management Server Hotfix with CPUSE online:

4 Right-click the Hotfix package and select Verifier.

5 Left-click the Hotfix package and click Install Update.

To install a Management ServerHotfix with CPUSE offline:

1 Download this package from sk114518 to your computer.

CloudGuard for NSX Administration Guide | 11

4 Select Import Package.

5 Click Browse and select the Management Server Hotfix package.

8 Right-click the Hotfix package and select Verifier.

9 Left-click the Hotfix package and click Install Update.

Uninstalling the Hotfix

4 Left-click the Hotfix package.

Step 3: Upgrading the CloudGuard Gateway for

CloudGuard for NSX Administration Guide | 12

Upgrading the CloudGuard Gateway with the CLI

1 Connect to the command line on the Security Management Server or Multi-Domain

2 Log in to the Expert mode.

5 Select the Service you want to upgrade.

6 Select the Cluster you want to upgrade.

CloudGuard for NSX Administration Guide | 13

9 Enter and confirm the SIC one-time password.

To register the service: