Deploying the vSEC Gateway

In This Section:

Preparing a Managed Device

Deploying vSEC Controller Enforcer Hotfix on R77.30

Supported Use Cases

Basic Service Insertion Overview

Uploading the vSEC Device Package

Adding an L4-L7 Device

Creating an L4-L7 Service Graph Template

Applying the Service Graph to a Contract

Configuring Management High Availability Integration

Configuring Multi-Domain Server Integration

Removing Service Insertion

Removing L4-L7 Managed Devices

Troubleshooting and Fault Handling

Multi-Tenancy

Preparing a Managed Device

ACI supports physical and virtual L4-L7 devices.

For physical devices, use Check Point appliances. For more information and to verify appliance compatibility, see the R80 vSEC for Cisco ACI Release Notes.

For virtual devices, use Check Point vSEC Virtual Edition for VMware. For more information, see sk104859.

In the vSEC for ACI model, the L4-L7 devices are mapped to VSX Security Gateways that serve as concrete devices.

During service insertion, the Cisco APIC server supports and provisions the Virtual Systems. See Basic Service Insertion Overview.

Deploying the vSEC Gateway for Virtual Devices

To deploy the vSEC Gateway (virtual devices):

  1. Connect the device to the ACI fabric.
  2. Make sure that:
    • The VM compute resources suit the sizing assessment.
    • The VM is assigned at least three vNICs.
    • The uplinks of the ESX host that runs the vSEC VE VM are connected to at least one leaf switch.
    • The ESX host that runs the vSEC Virtual Edition VM is controlled by vCenter, which is integrated with APIC (VMM).
  3. Install R77.30 Gaia and the Jumbo Hotfix.
    • For R77.30, the Gaia image is available at sk104859.
    • The latest R77.30 Jumbo Hotfix is available at sk106162.
  4. In SmartConsole, configure the Gateway as a VSX Gateway or VSX cluster based on the VSX Administration Guide.
  5. Verify the SIC and connectivity between VS0 and the R80 Security Management Server.

    Make sure that the required ports are allowed by intermediate devices that inspect the management connections. For more information, see sk52421.

    Notes:

    • If the configuration file does not exist on the machine, it must be created.
    • Reboot is required for the action to occur.

Deploying the vSEC Gateway for Physical Devices

To deploy the vSEC Gateway (physical devices):

  1. Connect the device to the ACI fabric and to at least one leaf.
  2. Verify that the appliance suits the sizing assessment.
  3. Install R77.30 Gaia and the Jumbo Hotfix.
    • For R77.30, the Gaia image is available at sk104859.
    • The latest R77.30 Jumbo Hotfix is available at sk106162.
  4. In SmartConsole, configure the Gateway as a VSX Gateway or VSX cluster based on the VSX Administration Guide.
  5. Verify the SIC and connectivity between VS0 and the R80 Security Management Server.

    Make sure that the required ports are allowed by intermediate devices that inspect the management connections. For more information, see sk52421.

  6. For cluster deployments only: the ClusterXL ARP forwarding mechanism must be disabled. Connect to each cluster member and, in Expert Mode, add this line to the $FWDIR/modules/fwkern.conf file:

    fwha_enable_arp_resend = 0

    Notes:

    • If the configuration file does not exist on the machine, it must be created.
    • Reboot is required for the action to occur.
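Step 6 above, as an added shell example that is not from the Check Point guide: an Expert Mode helper (the function names are assumptions) that creates $FWDIR/modules/fwkern.conf if it is missing and sets fwha_enable_arp_resend = 0 idempotently, so a second run on the same cluster member updates the existing line instead of appending a duplicate.

```shell
# Added example (not from the Check Point guide): set a kernel parameter in
# fwkern.conf from Expert Mode. Creates the file if it is missing, rewrites an
# existing line for the same key, otherwise appends; safe to run repeatedly.
# Usage on a cluster member:
#   set_fwkern_param "$FWDIR/modules/fwkern.conf" fwha_enable_arp_resend 0
set_fwkern_param() {
    file="$1"; key="$2"; value="$3"
    # The guide notes that the file must be created if it does not exist
    [ -f "$file" ] || : > "$file"
    if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        # Key already present: replace that line, writing through a temp file
        tmp="${file}.tmp.$$"
        sed "s/^[[:space:]]*${key}[[:space:]]*=.*/${key} = ${value}/" "$file" > "$tmp" \
            && mv "$tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Verification helper: succeed only if exactly one line sets KEY to VALUE in FILE
check_fwkern_param() {
    [ "$(grep -c "^[[:space:]]*${2}[[:space:]]*=[[:space:]]*${3}[[:space:]]*$" "$1")" -eq 1 ]
}
```

As the notes above say, the setting takes effect only after the member is rebooted.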

Deploying vSEC Controller Enforcer Hotfix on R77.30

Install the vSEC Controller Enforcer Hotfix on R77.30 Security Gateways with CPUSE, online or offline.

To install the Hotfix on R77.30 Security Gateways with CPUSE online:

  1. Open the Gaia Portal > Upgrades (CPUSE).
  2. Click Status and Actions.
  3. Select the R77.30 vSEC Controller Enforcer Hotfix package.
  4. Click the More button on the toolbar.
  5. Click Verifier.
  6. Select the vSEC Controller Enforcer Hotfix package.
  7. Click Install Update.

    The online installation starts immediately. The gateway reboots when installation is complete.

To install the Hotfix on R77.30 Security Gateways with CPUSE offline:

  1. Install the latest build of CPUSE Agent from sk92449.

    See Section 3 to find the latest CPUSE build, and Section 4-A to download and import a CPUSE package.

  2. Open the Gaia Portal > Upgrades (CPUSE).
  3. Click Status and Actions.
  4. Click Import Package.

    The Import Package window opens.

  5. Click Browse and go to the CPUSE package (offline TGZ file or exported TAR file).
  6. Click Upload.
  7. Above the list of all software packages, click Showing Recommended packages, and select All.
  8. Select the imported package.
  9. Click More.
  10. Click Verifier.
  11. Select this package and click Install Update.

    The offline installation starts immediately. The gateway reboots when installation is complete.

Supported Use Cases

The vSEC for ACI solution supports the L2 (GoThrough, transparent) and L3 (GoTo, routed) service function modes.

Before you start the deployment, we recommend that you designate the application profiles, network paths, and contracts that require security service, and determine the optimal insertion method. These considerations are specified in the vSEC for ACI TDM document.

ACI deployment topology example:

Basic Service Insertion Overview

To insert a service into the ACI fabric (best practice):

  1. Add the APIC as a data center server object to the R80 Security Management Server. To learn more, see the vSEC Controller R80 Administration Guide.
  2. Create at least one policy package for each tenant.

    The APIC service insertion process uses the policy package as the Security Policy Name parameter.

  3. Upload the device package. See Uploading the vSEC Device Package.
  4. Create a logical device for each managed L4-L7 VSX Gateway. See Adding an L4-L7 Device.
  5. Create a service graph template. See Creating an L4-L7 Service Graph Template.
  6. Apply the service graph to each contract in the fabric that requires security service. See Applying the Service Graph to a Contract.

Uploading the vSEC Device Package

You must install the vSEC device package on the Cisco APIC to enable the insertion of managed L4-L7 Check Point devices. The vSEC device package is compatible with APIC version 1.2 and later.

You can upload the vSEC device package into the Cisco APIC manually (see the Cisco Administration Guide, Installing Device Packages) or automatically with the vsec_config utility.

To configure a device package username and password:

  1. Connect to R80 Security Management Server through CLI.
  2. Run the vsec_config utility and go to Cisco ACI configuration > Server Credentials, then set the username and password.
  3. In a Multi-Domain deployment, run vsec_config from a Multi-Domain context.

To automatically upload a device package:

Note - To upload the device package directly from the Check Point Security Management Server, verify that the credentials used to integrate vSEC controller with Cisco APIC allow device package upload.

  1. In SmartConsole, add the APIC as a data center server object to the R80 Security Management Server.

    To learn more, see the vSEC Controller R80 Administration Guide.

  2. Connect to R80 Security Management Server through CLI.
  3. From gclish, run vsec_config utility > Cisco ACI configuration > Install device package.

    If more than one Cisco APIC data center object exists, select the Data Center Server which represents the specified Cisco APIC server.

    In Multi Domain deployment, use the domain context to upload the package.

  4. Make sure the device package is successfully installed on the Cisco APIC.
    1. From a browser, connect to the Cisco APIC server.
    2. Go to L4-L7 services > packages.

Adding an L4-L7 Device

When you configure a new device, it must be part of a domain that assigns dynamic VLANs.

Note - When you change the password for a device, the password for the concrete device under the main device does not change automatically.

To add an L4-L7 device:

  1. In the APIC server web UI, select the designated tenant: L4-L7 Services > L4-L7 Devices > ACTIONS > Create L4-L7 devices.
  2. Configure the properties in the table below.
  3. Click Next and Finish, to confirm the creation of the L4-L7 Check Point device.

General

  • Managed – Make sure this option is selected.
  • Name – Use the exact VSX object name that you created in SmartConsole.
  • Service Type – Select Firewall.
  • Device Type – Select PHYSICAL for a Check Point appliance or VIRTUAL for vSEC Virtual Edition.
  • Domain – Select the physical or VMM domain where the VSX Gateway is deployed.
  • Mode – Select Single node for a single VSX Gateway, or HA cluster for a VSX cluster based solution.
  • Device Package – Select the gateway Device Package from the drop-down list.
  • Model – Select the relevant model:
    • vSEC-Virtual – For a VSX Gateway that uses vSEC Virtual Edition
    • Check Point 5400 – 5400 Check Point appliance
    • Check Point 5600 – 5600 Check Point appliance
    • Check Point 5800 – 5800 Check Point appliance
    • Check Point 15400 – 15400 Check Point appliance
    • Check Point 15600 – 15600 Check Point appliance
    • Check Point 23500 – 23500 Check Point appliance
    • Check Point 23800 – 23800 Check Point appliance
    • Check Point 4400 – 4400 Check Point appliance
    • Check Point 4600 – 4600 Check Point appliance
    • Check Point 4800 – 4800 Check Point appliance
    • Check Point 12200 – 12200 Check Point appliance
    • Check Point 12400 – 12400 Check Point appliance
    • Check Point 12600 – 12600 Check Point appliance
    • Check Point 13500 – 13500 Check Point appliance
    • Check Point 13800 – 13800 Check Point appliance
    • Unknown – For other platforms (open server)
  • Function Type – Select GoTo for the routed (L3) mode use case, or GoThrough for the transparent (L2) mode use case.

Connectivity

  • APIC to Device Management Connectivity – Configure according to the environment design. Check Point recommends Out Of Band connectivity for management connections.

Credentials

  • Username – Enter the username provided in the vsec_config wizard.
  • Password – Enter the password provided in the vsec_config wizard.

Device 1 (and Device 2 when HA cluster is selected)

  • Management IP address – Enter the IP address of the Check Point Security Management Server. For Management High Availability, use the primary server IP address.
  • Management Port – Select https.
  • VM (VIRTUAL device type only) – Select the vSEC Virtual Edition VM used to inspect the traffic.
  • Chassis – Leave blank.
  • Device Interfaces – Configure according to the domain type:

    Physical domain:

    • Name – From the drop-down list, select the interface name of the appliance. For a bond or extension interface, manually enter the interface name as shown in the Gaia interfaces list.
    • Path – Select the leaf port(s) to which the interfaces are connected.

    Virtual domain:

    • Name – Select the interface name of the appliance from the drop-down list.
    • VNIC – Select the vNIC mapped to the interface.
    • Path – Needed for route peering only. Select the leaf port(s) to which the interfaces are connected.

    Note - Verify the mapping of Name to vNIC on the vSEC Virtual Edition VM, as there is no guarantee that, for example, "eth0" is mapped to "Virtual adapter 1".

Cluster

  • Management IP address – Enter the Check Point Security Management Server IP address. For Management High Availability, use the primary server IP address.
  • Management Port – Select https.
  • Device Manager – For Management High Availability, select the configured Device Manager (see Configuring Management High Availability Integration). Otherwise, leave blank.
  • Cluster Interfaces – Configure according to the device type:

    Physical device:

    • Type – Select Consumer or Provider topology.
    • Name – For Consumer, enter consumer. For Provider, enter provider.
    • Concrete interfaces – Select the applicable appliance interface name.

    Virtual device:

    • Type – Select Consumer, Provider, or Consumer and Provider according to the topology.
    • Name – Enter the name of the interface.
    • Concrete interfaces – Select the applicable VM interface name.

Creating an L4-L7 Service Graph Template

To create an L4-L7 Service Graph template:

  1. In the APIC server web UI, select the designated tenant: L4-L7 Services > L4-L7 Service Graph Templates > ACTIONS > Create L4-L7 Service Graph Template.
  2. Create a service node: drag and drop the vSEC device from the device cluster table to the Work pane.
  3. Configure the properties in the table below.
  4. Click SUBMIT.

  • Graph Name – Enter the graph name.
  • Graph Type – Select one of the graph creation options:
    • Create A New One
    • Clone An Existing One
    If you select Clone An Existing One, enter the graph template to clone.
  • Type – Select the graph type based on the design considerations:
    • Transparent Mode – for L2
    • Routed Mode – for L3
  • Profile – Select the default profile provided.

Applying the Service Graph to a Contract

When you apply a service graph describing a Check Point L4-L7 device insertion, a Virtual System is created automatically or an existing Virtual System is added with interfaces and routes based on the configured parameters.

For a directly connected (General) insertion, any new interface configured for the device (that connects it to the bridge domain that contains the EPG) is automatically added to the Virtual System.

Note - Directly connected (L2 adjacency) insertion requires enabling ARP Flooding on the Bridge Domains connected to the L4-L7 Device.

To apply the service graph to a contract:

  1. In the APIC server web UI, select the designated tenant: L4-L7 Services > L4-L7 Service Graph Templates.
  2. Right click on the service graph you want to apply, and select Apply L4-L7 Service Graph Template.
  3. Enter the EPGs Information and Contract Information (see below).
  4. Click Next, and configure the consumer, provider, and route (see below).
  5. Click Next and select the All Parameters tab.
  6. Enter the device parameters to start the insertion (see below).
  7. Click Finish.

EPGs and Contract Information

EPGs Information:

  • Consumer EPG/External Network – Select the consumer EPG name or the external network name.
  • Provider EPG/External Network – Select the provider EPG name or the external network name.

Contract Information:

  • Contract – Select one of these options:
    • Create A New One
    • Choose An Existing One
  • Contract Name (new contract only) – Enter the contract name.
  • No Filter (new contract only) – If No Filter is selected, the contract applies to all traffic types and security is enforced only by the Check Point security policy installed on the device. If No Filter is cleared, the Filter Entries table opens and shows the ACI filters you can add before Check Point inspection.
  • Existing Contracts with Subject – The contract subject name.

Consumer, Provider, and Route Configurations

  • Graph Template – Verify the graph template name.
  • Consumer Connector – Select the insertion mode:
    • General – Used to configure a directly connected (L2 adjacency) service insertion. In this mode, the routed or transparent service interface is connected directly to the BD that contains the protected EPG. In General mode, configure the BD that is connected to the device on the consumer interface, and select the Cluster Interface consumer.
    • Virtual Deployment – Select the corresponding interface name.
    • Route Peering – Used to configure route peering (L3 out) service insertion. In this mode, the device learns networks through static or dynamic routing, and traffic is steered to the device through the external L3 network. In Route Peering mode, configure the L3 external network connected to the device on the consumer interface, and select the Cluster Interface consumer.
  • Provider Connector – Select the insertion mode:
    • General – Used to configure a directly connected (L2 adjacency) service insertion. In this mode, the routed or transparent service interface is connected directly to the BD that contains the protected EPG. In General mode, configure the BD that is connected to the device on the provider interface, and select the Cluster Interface provider.
    • Virtual Deployment – Select the corresponding interface name.
    • Route Peering – Used to configure route peering (L3 out) service insertion. In this mode, the device learns networks through static or dynamic routing, and traffic is steered to the device through the external L3 network. In Route Peering mode, configure the L3 external network connected to the device on the provider interface, and select the Cluster Interface provider.
  • Routing Config (Route Peering only) – Select the Router Config, the relevant L3 External Network, and the Cluster Interface:
    • L3 External Network – An External EPG that is configured under APIC External Routed Networks. To learn more, see the Cisco ACI Administration Guide.
    • Cluster Interface – The Logical Device Connector.

Device Parameters

  • Consumer Facing Address and Provider Facing Address – Configure the IP address and prefix length of the consumer and provider interfaces. Use the format X.X.X.X/mask-length, for example: 192.168.1.1/24.
  • Instance Name – Used to instantiate a new VS on the VSX Gateway. If an instance that runs the required policy already exists on the device, the existing instance is modified and no new instance is created. Specifying a different name forces a new VS instance (the default is empty, meaning that the APIC logic decides).
  • Security Domain – Required for Multi-Domain Management deployments (the default is no MDM). Specifies the name of the Domain Server that contains the device.
  • Security Policy Name – Determines the policy package that is installed on the security instance. The policy package must exist on the Security Management Server.
  • Route Entry – Static routes that are added to the VS routing table. Multiple route entries may be added. Each static route entry includes:
    • Destination address
    • Next Hop Gateway

    Note - To set the default static route, use 0.0.0.0/0 in the Destination Address field.

Configuring Management High Availability Integration

To configure Management High Availability integration, you must create a Device Manager.

To configure Management High Availability integration:

  1. In the APIC server WebUI, L4-L7 tab, Inventory section, select Device Manager Types > ACTIONS > Create Device Manager Type.
  2. For these parameters, enter the information as it shows on the Check Point L4-L7 Service Device.
    • Vendor
    • Model
    • Version
  3. For L4-L7 Service Device Type, select Check Point L4-L7 Service Device.
  4. In the APIC server web UI, Select the designated tenant > L4-L7 Services > Device Managers > ACTIONS > Create Device Manager.
  5. For Device Manager Name, enter the name as it appears on the Check Point L4-L7 Service Device.
  6. For Device Manager Type, select the Device Manager Type from Step 1.
  7. For Management, enter the Management details in the table:
    • Host - Management IP
    • Port - Management Port (443)
  8. Enter the Management Username and Password. These credentials were set on the vsec_config command and are the same as the ones used in Adding an L4-L7 Device.
  9. Confirm the password.

    Note - Only Management High Availability with two devices is supported.

  10. Follow the instructions in Adding an L4-L7 Device to create an L4-L7 device.

    Note - The Management IP address defined in Adding an L4-L7 Device is treated as the primary management.

  11. Use the Check Point Administration Guide to continue with the Management High Availability settings.

Configuring Multi-Domain Server Integration

The Cisco ACI solution is VSX based.

You can select the domain that holds and manages the VS.

You must configure the domain in the Service Parameters to integrate the solution with Check Point Multi-Domain Server.

To configure the domain in the Service Parameters:

  1. Install Multi-Domain Server.
  2. When you configure service parameters, select the domain that is used to host the applicable VS object.

    Note - The domain name is part of the VS object name that is provisioned by the APIC.

Removing Service Insertion

Before you remove a tenant, we recommend that you remove all service graphs from its contracts. APIC removes tenants on a best-effort basis, which can leave behind configuration and constructs in the tenant (such as service graphs) that you would otherwise have removed.

When you remove a service graph used to insert a Check Point device, the interfaces and routes configured by APIC on the inserted Virtual System are also removed. When you remove all service graph attachments that render a specific Virtual System, that Virtual System is removed entirely, including from the Security Management Server.

To remove Service Insertion:

  1. In the APIC server web UI, select the designated tenant > Security Policies > Contracts.
  2. Select the contract between the EPGs in which the service is currently inserted.
  3. Select the subject with the Service Graph of the relevant L4-L7 Device.
  4. Remove the Service Graph.

Removing L4-L7 Managed Devices

To remove L4-L7 managed devices:

  1. Remove all service insertions related to the L4-L7 device you want to remove (see Removing Service Insertion).
  2. In the APIC server web UI, select the designated tenant > L4-L7 Services.

    Note - Make sure that there are no entries that are related to the L4-L7 device you want to remove in the Deployed Devices section and in the Deployed Graph Instances sections.

  3. In the APIC server web UI, select the designated tenant > L4-L7 Services > Device Selection Policies, and remove all the entries related to the L4-L7 device.
  4. In the APIC server web UI, select the designated tenant > L4-L7 Service Parameters, and remove all the entries that use the Graph Templates that use the L4-L7 device.
  5. In the APIC server web UI, select the designated tenant > L4-L7 Services > L4-L7 Service Graph Templates, and remove all the Graph Templates that use the L4-L7 device.
  6. In the APIC server web UI, select the designated tenant > L4-L7 Services > L4-L7 Devices, and delete the device.

Troubleshooting and Fault Handling

You can view the faults reported by the Check Point vSEC for ACI solution in the APIC Server Web UI.

The faults show on:

To make sure the L4-L7 vSEC service insertion provisioning works properly, there must always be communication between the APIC and the Management and between the Management and the Gateways.

Before you start the troubleshooting process:

These are the main faults that can occur when you do the L4-L7 vSEC service insertion:

Missing credentials. Please verify that you have entered the username and password.
  Fault meaning: An empty username or password was sent in the L4-L7 Device configuration (often, this is an error with an APIC API).
  Mitigation: Make sure the username and password fields are not empty. Make sure the XML representation does not have a deleted status.

Failed to connect to the vSEC service.
  Fault meaning: One of these happened:
    • Connection timed out.
    • The L4-L7 Device is not reachable.
    • There is no route to the host.
    • The service is busy.
  Mitigation: Make sure the APIC CLI can ping the device. If the device is reachable with ping and the fault message persists, the service is probably busy. Try to query the device again after a few minutes.

Failed to verify Security Gateway objects information.
  Fault meaning: There was a problem retrieving the device information from the Check Point Security Management Server.
  Mitigation: Make sure the Security Management Server is up and running. Make sure the management IP and port are set correctly on the APIC. Make sure VSX is up and running.

Security Gateway objects not defined in Check Point Security Management Server.
  Fault meaning: The device name (VSX object name) is not defined on the Check Point Security Management Server.
  Mitigation: Use SmartConsole to verify the VSX device configuration. Make sure the device name on the APIC matches the name of the VSX object in SmartConsole.

Authentication failed.
  Fault meaning: The username and password do not match. Access to the Check Point Security Management Server is denied.
  Mitigation: Verify that the username and password are set correctly in the APIC L4-L7 device configuration and in the vsec_config utility. For Management HA, verify that the username and password are set correctly on the APIC Device Manager.

Service is not available. Please check that the vSEC service is up and running.
  Fault meaning: APIC failed to communicate with the Check Point Security Management Server.
  Mitigation: Make sure the Management is up and running and that the vsec_config command was executed to enable vSEC for ACI.

Pending deployment: Graph rendering is in progress. If this fault persists, refer to the Troubleshooting and Faults section in the Administration Guide.
  Fault meaning: This fault is sent when new settings are deployed on the Check Point Security Management Server. The fault should be cleared automatically by APIC (or manually by re-query).
  Mitigation: If this fault persists, try to Re-Query for Device Validation. If the fault is not cleared, contact Check Point Support.

Pending deployment: ERROR: Failed to add Virtual System.
  Fault meaning: Virtual System creation failed.
  Mitigation: Make sure the Management server is up and running, the management IP and port are correct, and the database is not locked. Make sure VSX is up and running and has a valid policy.

Pending deployment: ERROR: VSX does not exist.
  Fault meaning: Reading the VSX information from the database failed.
  Mitigation: Make sure there is connectivity between the Check Point Security Management Server and the gateway.

Pending deployment: ERROR: Failed to install policy.
  Fault meaning: Policy installation on the Virtual System failed.
  Mitigation: Verify that the Software Blades are activated correctly and that the license is valid.

Pending deployment: ERROR: Failed to enable IDA API.
  Fault meaning: Enabling the IDA blade on the Virtual System failed.
  Mitigation: Activate the IDA API manually by running the pdp api enable command on the gateway. If the issue persists, contact Check Point Support.

Pending deployment: ERROR: Failed to remove Virtual System.
  Fault meaning: An attempt to remove the Virtual System failed.
  Mitigation: Check the Virtual System settings. Make sure the Virtual System configuration is aligned with the device parameter configuration on the APIC. Make sure there is connectivity between the Check Point Security Management Server and the gateway.

Pending deployment: ERROR: Database is locked. Please close all VSX & VS objects in SmartConsole.
  Fault meaning: The database is locked.
  Mitigation: Close all VSX and VS objects in SmartConsole and publish your changes.

Pending deployment: ERROR: Security Management Server is not active.
  Fault meaning: The Management is not active.
  Mitigation: Make sure the Management is active. For Management HA, make sure there is access to the active Management.

Pending deployment: ERROR: Unknown status.
  Fault meaning: General error sent from the Check Point Security Management Server.
  Mitigation: Contact Check Point Support.

Pending deployment: ERROR: Unknown command.
  Fault meaning: Wrong input was sent to the Check Point Security Management Server.
  Mitigation: Contact Check Point Support.

Pending deployment: ERROR: Bad configuration.
  Fault meaning: Wrong input was sent to the Check Point Security Management Server.
  Mitigation: Contact Check Point Support.

Pending deployment: ERROR: Failed to add interface.
  Fault meaning: There was a problem adding a new interface to the Virtual System.
  Mitigation: Check the Virtual System settings and verify that there is no conflict with another interface IP address. Make sure there is connectivity between the Check Point Security Management Server and the gateway.

Pending deployment: ERROR: Failed to add interface to bridge.
  Fault meaning: There was a problem adding a new interface to the VSBM (GoThrough).
  Mitigation: Check the configuration on the APIC. Make sure there is no conflict in the device parameter settings for the interface configuration you want to create on the Virtual System.

Pending deployment: ERROR: Failed to remove interface.
  Fault meaning: There was a problem removing an interface.
  Mitigation: Check the Virtual System settings. Make sure the Virtual System configuration is aligned with the device parameter configuration on the APIC.

Pending deployment: ERROR: Failed to set Virtual System main address.
  Fault meaning: There was a problem setting the Virtual System main IP address.
  Mitigation: Check the Virtual System settings. Make sure the Virtual System configuration is aligned with the device parameter configuration on the APIC.

Pending deployment: ERROR: failed to set Domain Server Context.
  Fault meaning: There was a problem setting the Domain Server context.
  Mitigation: Check the Virtual System settings. Check the device parameters on the APIC and verify that the Domain Server is correctly defined.

Pending deployment: ERROR: Failed to establish Management API session.
  Fault meaning: Establishing a Management API session failed.
  Mitigation: Contact Check Point Support.

Pending deployment: ERROR: Failed to establish VSX provisioning session.
  Fault meaning: Establishing a VSX provisioning session failed.
  Mitigation: Contact Check Point Support.

Pending deployment: ERROR: Virtual System name is not in valid format.
  Fault meaning: The Check Point Security Management Server received a Virtual System name that is not in a valid format.
  Mitigation: Make sure the Virtual System name was not edited manually for the managed VSX device. Remove the Virtual System and retry.

Pending deployment: ERROR: Failed to switch to Domain Server.
  Fault meaning: Switching to the Domain Server context failed.
  Mitigation: Contact Check Point Support.

Unhandled response from server. Please verify management address and port are correct. If issue persists, please contact Check Point Support.
  Fault meaning: Connecting to the Check Point Security Management Server failed.
  Mitigation: Verify that the management address and port are correct. If the issue persists, contact Check Point Support.

Cluster name is invalid.
  Fault meaning: The L4-L7 Device name is not in a valid format.
  Mitigation: The Device name must contain only these characters: "-.0-9A-Z_a-z" and must not contain the "--" combination.

Wrong number of interfaces <number of interfaces>
  Fault meaning: The number of interfaces defined for the L4-L7 Device cluster is not two (for "Device Type: PHYSICAL" only).
  Mitigation: Check the interface configuration on the L4-L7 Device Cluster.

Inconsistent interface configuration for "<Interface Name>"
  Fault meaning: The interface information was not sent in the expected format.
  Mitigation: Contact Check Point Support.

Interface name is invalid.
  Fault meaning: The interface name is not in a valid format.
  Mitigation: The interface name can contain only these characters: "-.0-9A-Z_a-z" and must not contain the "--" combination.

Next Hop Gateway address <Address> is not suitable to neither network address of device interfaces.
  Fault meaning: The Next Hop Gateway address set in the device parameter configuration is not one of the device interface addresses.
  Mitigation: Check the interface and route settings in the device parameter configuration on the APIC. The Next Hop Gateway address must be one of the network interface addresses.

Route Entry is missing a value for Destination-Address.
  Fault meaning: The route Destination Address is missing.
  Mitigation: Check the route settings in the device parameters configuration on the APIC.

Missing device interface IP address parameter.
  Fault meaning: The interface address is missing.
  Mitigation: Check the interface settings in the device parameter configuration on the APIC.

Failed deployment: Unsupported command: "<command>".
  Fault meaning: The wrong type of provisioning command arrived at the Security Management Server.
  Mitigation: Contact Check Point Support.

Failed deployment: Invalid configuration.
  Fault meaning: The content of the provisioning command that arrived at the Security Management Server is not what is expected.
  Mitigation: Contact Check Point Support.

Failed deployment: VS name length exceeded 100 characters.
  Fault meaning: The Virtual System name exceeded the maximum allowed name length.
  Mitigation: Because the name is set automatically, these name combinations must not exceed 100 characters:
    • Non Multi-Domain: <VSX name>-<Instance-Name>-<Security-Policy-Name>
    • Multi-Domain: <VSX Name>-<Instance-Name>-<Security-Domain>

Failed deployment: Invalid IP addresses and netmask.
  Fault meaning: There is a problem in the IP address and netmask set in the device parameter configuration.
  Mitigation: Check the interface settings in the device parameter configuration.

Failed deployment: Duplicate VLAN.
  Fault meaning: Two different Virtual Systems try to use the same interface.
  Mitigation: All EPGs that are part of the same BD are assigned the same interface by the fabric, so a single sub-interface is created on the VSX, and that sub-interface cannot be shared between Virtual Systems. On the APIC:
    • Check the Deployed Graph Instances.
    • Check the settings in the device parameter configuration.

Failed deployment: Overlapping addresses.
  Fault meaning: The provisioning assigned the same IP address to two different interfaces on a Virtual System.
  Mitigation: Check the interface settings in the device parameter configuration.

Note - For faults related to vSEC L4-L7 service insertion not listed in this table, contact Check Point Support.
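The naming and addressing rules in the Device Parameters section and in the fault table above can be checked before anything is entered in the APIC. These POSIX shell functions are an added example, not part of the Check Point guide or of the vSEC device package; the function names and sample values are assumptions, and the next-hop check assumes that "network address of device interfaces" in the fault message means the subnet of a consumer- or provider-facing address.

```shell
# Added example (not from the Check Point guide): local pre-flight checks for the
# L4-L7 device parameters, mirroring the faults in the table above.
# Function names and the sample values used in comments are assumptions.

# Device and interface names may contain only "-.0-9A-Z_a-z" and never "--".
valid_name() {
    printf '%s' "$1" | grep -Eq '^[-.0-9A-Z_a-z]+$' || return 1
    case "$1" in *--*) return 1 ;; esac
    return 0
}

# The provisioned VS name is <VSX name>-<Instance-Name>-<Security-Policy-Name>
# (or -<Security-Domain> under Multi-Domain) and must not exceed 100 characters.
# Usage: vs_name_ok VSX_NAME INSTANCE_NAME POLICY_NAME_OR_DOMAIN
vs_name_ok() {
    name="$1-$2-$3"
    [ "${#name}" -le 100 ]
}

# Dotted-quad IPv4 address -> 32-bit integer on stdout; returns 1 if malformed.
ip2int() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    ip="$1"
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True if ADDR lies in the network of IFACE written as X.X.X.X/mask-length,
# the format the Consumer/Provider Facing Address parameters use.
in_network() {
    case "$2" in */*) ;; *) return 1 ;; esac
    addr=$(ip2int "$1") || return 1
    ifip=$(ip2int "${2%/*}") || return 1
    len="${2#*/}"
    printf '%s' "$len" | grep -Eq '^[0-9]{1,2}$' || return 1
    [ "$len" -le 32 ] || return 1
    [ "$len" -eq 0 ] && return 0          # a /0 prefix matches everything
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( ifip & mask )) ]
}

# Route Entry check (assumed semantics, see the lead-in): the Next Hop Gateway
# must be inside the consumer- or the provider-facing network, otherwise APIC
# raises the "Next Hop Gateway address ... is not suitable" fault.
# Usage: next_hop_ok NEXT_HOP CONSUMER_FACING_CIDR PROVIDER_FACING_CIDR
next_hop_ok() {
    in_network "$1" "$2" || in_network "$1" "$3"
}
```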

Multi-Tenancy

Check Point vSEC for ACI supports multi-tenancy. It uses Check Point VSX on the gateway side, and multi-domain management on the Security Management Server side.

With the VSX Security Gateway infrastructure, Virtual Systems are created automatically by APIC instruction and configured to process the designated traffic.

Virtual Systems are completely separate instances that can each run their own security policy and networking configuration.

Virtual Systems contained by the same L4-L7 device can be deployed on separate tenants.