Configuration Parameters
This section provides a list of the configuration parameters that can be adjusted. The configuration parameters are in the vsec.conf file.
Locations of the vsec.conf file:
- $FWDIR/conf/vsec.conf
- $MDSDIR/conf/vsec.conf
Important - All configuration values are read from the vsec.conf file only when CloudGuard Controller is loaded. If you change one of the parameters, you must restart the CloudGuard Controller with the "
# ports for mgmt<-->Controller communications
# Do not change
wsPort=999
wsTaggerPort=1004
# delay time (secs) between GW policy update cycles
# Default value: 10
enforcementUpdateIntervalTime=10
# TTL (mins) for objects expiration on GW in case there are no updates
# from the Controller
# min value=5
# max value=43200
# Default value: 10080
enforcementSessionTimeoutInMinutes=10080
# Update interval (secs) for changes to the properties of an imported Data Center
# in the Management Server / SmartConsole
# This value is used by the Management Server to pull changes from the Controller
# When changing this value, the Management Server must be restarted
# Default value: 30
autoUpdateIntervalInSeconds=30
# Number of GWs to update policy on concurrently. Setting this too high
# increases the load on the server
# Default value: 5
enforcementThreadPool=5
# Whether to use the Gaia proxy when connecting to Data Centers.
# Enabling this will affect all on-premise data centers and can cause
# connectivity issues.
# This setting is relevant only to on-premise data centers
# Default value: false
useSystemProxy=false
# Interval (secs) for fetching the Gaia proxy settings for connections
# to data centers when 'useSystemProxy' is set to true
# Default value: 60
systemProxyUpdateIntervalSeconds=60
# Number of retries and delay (secs) between retries when sending
# policy updates to the GW
# Default value: 3, 3
sendAndRunScriptRetryTimes=3
sendAndRunScriptRetrySleep=3
# Delay time (secs) between successful Data Center scan intervals.
# This is a global setting that will be applied only to Data Centers
# without this setting
# Default value: 30
global.scannerInterval=30
# Maximum timeout (milliseconds) for establishing a connection with a
# Data Center.
# This is a global setting that will be applied only to data centers
# without this setting
# Default value: 30000
global.connectTimeoutInMilliseconds=30000
# Maximum timeout (milliseconds) when reading data from Data Center APIs
# This is a global setting that will be applied only to data centers
# without this setting
# Default value: 120000
global.readTimeoutInMilliseconds=120000
# ACI Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# global.readTimeoutInMilliseconds
# Default value: 30, 30000, 120000
apic.scannerInterval=30
apic.connectTimeoutInMilliseconds=30000
apic.readTimeoutInMilliseconds=120000
# NSX-V Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.connectTimeoutInMilliseconds
# global.readTimeoutInMilliseconds
# Default value: 30, 30000, 120000
nsx.scannerInterval=30
nsx.connectTimeoutInMilliseconds=30000
nsx.readTimeoutInMilliseconds=120000
# NSX-T Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.connectTimeoutInMilliseconds
# global.readTimeoutInMilliseconds
# Default value: 30, 30000, 120000
nsxt.scannerInterval=30
nsxt.connectTimeoutInMilliseconds=30000
nsxt.readTimeoutInMilliseconds=120000
# OpenStack Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.connectTimeoutInMilliseconds
# global.readTimeoutInMilliseconds
# Default value: 30, 30000, 120000
openstack.scannerInterval=30
openstack.connectTimeoutInMilliseconds=30000
openstack.readTimeoutInMilliseconds=120000
# vCenter Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.connectTimeoutInMilliseconds
# global.readTimeoutInMilliseconds
# Default value: 30, 30000, 120000
vcenter.scannerInterval=30
vcenter.connectTimeoutInMilliseconds=30000
vcenter.readTimeoutInMilliseconds=120000
# AWS Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.connectTimeoutInMilliseconds
# Default value: 30, 60000
aws.scannerInterval=30
aws.connectTimeoutInMilliseconds=60000
# Azure Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.connectTimeoutInMilliseconds
# Default value: 30, 60000
azure.scannerInterval=30
azure.connectTimeoutInMilliseconds=60000
# AzureAD Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.connectTimeoutInMilliseconds
# Default value: 30, 300000
azure_ad.scannerInterval=30
azure_ad.connectTimeoutInMilliseconds=300000
# Updatable Objects Data Center configuration values.
# Overrides:
# global.scannerInterval
# Default value: 300
onlineservices.scannerInterval=300
# Google Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.connectTimeoutInMilliseconds
# Default value: 30, 60000
google.scannerInterval=30
google.connectTimeoutInMilliseconds=60000
# Kubernetes Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.connectTimeoutInMilliseconds
# global.readTimeoutInMilliseconds
# Default value: 30, 60000, 120000
kubernetes.scannerInterval=30
kubernetes.connectTimeoutInMilliseconds=60000
kubernetes.readTimeoutInMilliseconds=120000
# show or hide specific Kubernetes types of assets
kubernetes.displayServiceLabels=false
kubernetes.displayServices=false
kubernetes.displayNodes=false
kubernetes.displayNodeLabels=false
kubernetes.displayPods=false
# ISE Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.connectTimeoutInMilliseconds
# global.readTimeoutInMilliseconds
# Default value: 30, 60000, 120000
ise.scannerInterval=30
ise.connectTimeoutInMilliseconds=60000
ise.readTimeoutInMilliseconds=120000
# number of concurrent worker threads that poll data from the ISE server
ise.threadPoolSize=2
# the page size argument when calling ISE /sgt API
ise.maxPageSize=100
# Nuage Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.connectTimeoutInMilliseconds
# global.readTimeoutInMilliseconds
# Default value: 30, 300, 60000, 120000
nuage.scannerInterval=30
nuage.connectTimeoutInMilliseconds=60000
nuage.readTimeoutInMilliseconds=120000
# IoTDiscovery scanner config
iotdiscovery.handleFirstPolicyRequestOnly=true
iotdiscovery.validPolicyPorts=["any", "ssh", "ftp", "telnet", "http", "https"]
iotdiscovery.validPolicyProtocols=["any", "tcp", "udp", "icmp", "igmp"]
iotdiscovery.validPolicyProperties=["src", "dst", "name", "action", "service", "port", "protocol", "application"]
# policySource options: VISIBILITY_RULES, VENDOR, CHECKPOINT_BASELINE
iotdiscovery.policySource=VENDOR
# Check Point Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.connectTimeoutInMilliseconds
# global.readTimeoutInMilliseconds
# Default value: 30, 60000, 120000
checkpoint.scannerInterval=30
checkpoint.connectTimeoutInMilliseconds=60000
checkpoint.readTimeoutInMilliseconds=120000
# Generic Data Center scanner config
ctf.scannerInterval=60
ctf.deleteTemporaryFiles=true
ctf.ignoreInvalidContent=false
ctf.scanningLogsOn=false
ctf.scanFlatListFiles=false
In version R81.10 with Jumbo HFA Take 95 and higher:
Added support for sending Data Center updates from the CloudGuard Controller to the main IP address of the Active member on the Management Plane instead of the cluster VIP address on the Data Plane (PRJ-43925, PRHF-27357).
This feature enables Data Center updates to MDPS-enabled clusters, where the cluster members' primary IP addresses are on the Management Plane and the VIP address is on the Data Plane.
# In version R81.10 with Jumbo HFA Take 95 and higher:
# Send Data Center updates from the CloudGuard Controller to the main IP address of Active member
# on the Management Plane instead of the cluster VIP address on the Data Plane
updateClusterMemberAndNotVip=true
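The file above follows a simple key=value layout with `#` comments, per-Data-Center keys that override the matching `global.*` keys, and a few constraints stated only in comments (the fixed `wsPort`/`wsTaggerPort` values, the 5..43200 range of `enforcementSessionTimeoutInMinutes`, JSON-array list values). The following is an added example, not Check Point code, that parses a constructed vsec.conf fragment, resolves the effective per-Data-Center timeouts, and flags values that contradict those documented constraints; the sample values and the helper names are assumptions made here.

```python
import json
from typing import Dict, List, Optional

# Constructed sample fragment of vsec.conf (not a real file). It carries two
# deliberate deviations: wsPort is changed although the file says "Do not
# change", and the GW object TTL exceeds the documented maximum of 43200.
SAMPLE_CONF = """\
# ports for mgmt<-->Controller communications
wsPort=1000
wsTaggerPort=1004
enforcementSessionTimeoutInMinutes=50000
global.scannerInterval=30
global.connectTimeoutInMilliseconds=30000
global.readTimeoutInMilliseconds=120000
aws.scannerInterval=30
aws.connectTimeoutInMilliseconds=60000
iotdiscovery.validPolicyPorts=["any", "ssh", "https"]
"""

def parse_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def effective(conf: Dict[str, str], dc: str, setting: str) -> Optional[str]:
    """<dc>.<setting> overrides global.<setting>; otherwise fall back to
    the global value, as the file's 'Overrides:' comments describe."""
    return conf.get(f"{dc}.{setting}", conf.get(f"global.{setting}"))

def list_value(conf: Dict[str, str], key: str) -> List[str]:
    """iotdiscovery.* list settings are written as JSON arrays."""
    return json.loads(conf[key])

def check_conf(conf: Dict[str, str]) -> List[str]:
    """Return findings for values that contradict the documented constraints."""
    findings: List[str] = []
    for key, fixed in (("wsPort", "999"), ("wsTaggerPort", "1004")):
        if conf.get(key, fixed) != fixed:
            findings.append(f"{key}={conf[key]} differs from fixed value {fixed}")
    ttl = conf.get("enforcementSessionTimeoutInMinutes")
    if ttl is not None and not (ttl.isdigit() and 5 <= int(ttl) <= 43200):
        findings.append("enforcementSessionTimeoutInMinutes must be 5..43200")
    return findings
```

Running this against the real file after an edit gives a quick pre-restart sanity check, since the Controller only reads the file when it is loaded.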