Configuration Parameters
The CloudGuard Controller uses configuration parameters that can be adjusted to your specific needs.
This section lists the configuration parameters, including their description, their minimum and maximum values where these are defined, and the command that forces an updated parameter to take effect.
CloudGuard Controller can be configured through various parameters in the vsec.conf file. See the vsec.conf file for more information.
Locations of the vsec.conf file:
- $FWDIR/conf/vsec.conf (Security Management Server)
- $MDSDIR/conf/vsec.conf (Multi-Domain Server)
Important - All configuration values are read from the vsec.conf file only when the CloudGuard Controller is loaded. If you change one of the parameters, you must restart the CloudGuard Controller with the "
# ports for mgmt<-->Controller communications
# Do not change
wsPort=999
wsTaggerPort=1004
# delay time (secs) between GW policy update cycles
# Default value: 10
enforcementUpdateIntervalTime=10
# TTL (mins) for object expiration on the GW when no updates arrive
# from the Controller
# min value=5
# max value=43200
# Default value: 10080
enforcementSessionTimeoutInMinutes=10080
# Update interval for changes to the properties of an imported data center
# in the mgmt/SmartConsole
# This value is used by the mgmt to pull changes from the Controller
# When changing this value, the mgmt needs to be restarted
# Default value: 30
autoUpdateIntervalInSeconds=30
# Number of GWs to update with policy concurrently. Setting this too
# high increases the load on the server
# Default value: 5
enforcementThreadPool=5
# Whether to use the Gaia proxy when connecting to Data Centers.
# Enabling this affects all on-premise data centers and can cause
# connectivity issues.
# This setting is relevant only to on-premise data centers
# Default value: false
useSystemProxy=false
# Interval (secs) for fetching the Gaia proxy settings for connections
# to data centers when 'useSystemProxy' is set to true
# Default value: 60
systemProxyUpdateIntervalSeconds=60
# Number of retries and delay (secs) between retries when sending
# policy updates to the GW
# Default value: 3, 3
sendAndRunScriptRetryTimes=3
sendAndRunScriptRetrySleep=3
# Number of retries and delay (milliseconds) between retries when making
# API calls to an NSX-T data center
# Default value: 5, 1000
failAPIRetryNumber=5
failAPIRetrySleepInMilliseconds=1000
# Control Data Center scanning on the Standby domain in an mgmt-ha environment.
# In mgmt-ha only the Controller on the Active domain pushes policy
# updates to the GWs, so there is no real need for the Controller on the
# Standby domain to scan the data centers and consume system resources.
# When the Standby domain is promoted to Active, the Controller on
# that new-Active domain automatically starts pushing policy updates
# to the GWs
# Default value: false
scanStandbyManagement=false
# Delay time (secs) between successful Data Center scans.
# This is a global setting that applies only to Data Centers
# without a Data Center-specific setting
# Default value: 30
global.scannerInterval=30
# Upper limit (secs) for the delay between failed Data Center scans.
# When a Data Center scan fails, the delay before the next scan grows
# gradually up to this value.
# Default value: 300
global.scanSleepUpperLimitInSeconds=300
# Maximum timeout (milliseconds) for establishing a connection with a
# Data Center.
# This is a global setting that will be applied only to data centers
# without this setting
# Default value: 5000000
global.connectTimeoutInMilliseconds=5000000
# Maximum timeout (milliseconds) when reading data from Data Center APIs
# This is a global setting that will be applied only to data centers
# without this setting
# Default value: 120000
global.readTimeoutInMilliseconds=120000
# ACI Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# global.readTimeoutInMilliseconds
# Default value: 30, 300, 5000000, 120000
apic.scannerInterval=30
apic.scanSleepUpperLimitInSeconds=300
apic.connectTimeoutInMilliseconds=5000000
apic.readTimeoutInMilliseconds=120000
# NSX-V Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# global.readTimeoutInMilliseconds
# Default value: 30, 300, 5000000, 120000
nsx.scannerInterval=30
nsx.scanSleepUpperLimitInSeconds=300
nsx.connectTimeoutInMilliseconds=5000000
nsx.readTimeoutInMilliseconds=120000
# NSX-T Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# global.readTimeoutInMilliseconds
# Default value: 30, 300, 5000000, 120000
nsxt.scannerInterval=30
nsxt.scanSleepUpperLimitInSeconds=300
nsxt.connectTimeoutInMilliseconds=5000000
nsxt.readTimeoutInMilliseconds=120000
# Nutanix Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# global.readTimeoutInMilliseconds
# Default value: 30, 300, 5000000, 120000
nutanix.scannerInterval=30
nutanix.scanSleepUpperLimitInSeconds=300
nutanix.connectTimeoutInMilliseconds=5000000
nutanix.readTimeoutInMilliseconds=120000
# OpenStack Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# global.readTimeoutInMilliseconds
# Default value: 30, 300, 5000000, 120000
openstack.scannerInterval=30
openstack.scanSleepUpperLimitInSeconds=300
openstack.connectTimeoutInMilliseconds=5000000
openstack.readTimeoutInMilliseconds=120000
# vCenter Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# global.readTimeoutInMilliseconds
# Default value: 30, 300, 5000000, 120000
vcenter.scannerInterval=30
vcenter.scanSleepUpperLimitInSeconds=300
vcenter.connectTimeoutInMilliseconds=5000000
vcenter.readTimeoutInMilliseconds=120000
# AWS Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# Default value: 30, 300, 5000000
aws.scannerInterval=30
aws.scanSleepUpperLimitInSeconds=300
aws.connectTimeoutInMilliseconds=5000000
# Azure Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# Default value: 30, 300, 5000000
azure.scannerInterval=30
azure.scanSleepUpperLimitInSeconds=300
azure.connectTimeoutInMilliseconds=5000000
# AzureAD Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# Default value: 30, 300, 5000000
azure_ad.scannerInterval=30
azure_ad.scanSleepUpperLimitInSeconds=300
azure_ad.connectTimeoutInMilliseconds=5000000
# Updatable Objects Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# Default value: 300, 300
onlineservices.scannerInterval=300
onlineservices.scanSleepUpperLimitInSeconds=300
# Google Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# Default value: 30, 300, 5000000
google.scannerInterval=30
google.scanSleepUpperLimitInSeconds=300
google.connectTimeoutInMilliseconds=5000000
# Oracle (OCI) Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# Default value: 30, 300, 5000000
oracle.scannerInterval=30
oracle.scanSleepUpperLimitInSeconds=300
oracle.connectTimeoutInMilliseconds=5000000
# Kubernetes Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# global.readTimeoutInMilliseconds
# Default value: 30, 300, 5000000, 120000
kubernetes.scannerInterval=30
kubernetes.scanSleepUpperLimitInSeconds=300
kubernetes.connectTimeoutInMilliseconds=5000000
kubernetes.readTimeoutInMilliseconds=120000
# Show or hide specific types of Kubernetes assets
kubernetes.displayServiceLabels=true
kubernetes.displayServices=true
kubernetes.displayNodes=true
kubernetes.displayNodeLabels=true
kubernetes.displayPods=true
# ISE Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# global.readTimeoutInMilliseconds
# Default value: 30, 300, 5000000, 120000
ise.scannerInterval=30
ise.scanSleepUpperLimitInSeconds=300
ise.connectTimeoutInMilliseconds=5000000
ise.readTimeoutInMilliseconds=120000
# number of concurrent worker threads that poll data from the ISE server
ise.threadPoolSize=2
# The page-size argument used when calling the ISE /sgt API
ise.maxPageSize=100
# Nuage Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# global.readTimeoutInMilliseconds
# Default value: 30, 300, 60000, 120000
nuage.scannerInterval=30
nuage.scanSleepUpperLimitInSeconds=300
nuage.connectTimeoutInMilliseconds=5000000
nuage.readTimeoutInMilliseconds=120000
# IoTDiscovery scanner config
iotdiscovery.handleFirstPolicyRequestOnly=false
iotdiscovery.applyAccountingToRules=true
iotdiscovery.validPolicyPorts=["any", "ssh", "ftp", "telnet", "http", "https"]
iotdiscovery.validPolicyProtocols=["any", "tcp", "udp", "icmp", "igmp"]
iotdiscovery.validPolicyProperties=["src", "dst", "name", "action", "service", "port", "protocol", "application"]
# policySource options: VISIBILITY_RULES, VENDOR, CHECKPOINT_BASELINE
iotdiscovery.policySource=VENDOR
# Check Point Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# global.readTimeoutInMilliseconds
# Default value: 30, 300, 60000, 120000
checkpoint.scannerInterval=30
checkpoint.scanSleepUpperLimitInSeconds=300
checkpoint.connectTimeoutInMilliseconds=60000
checkpoint.readTimeoutInMilliseconds=120000
# Generic Data Center scanner config
genericdatacenter.scannerInterval=60
genericdatacenter.deleteTemporaryFiles=true
genericdatacenter.ignoreInvalidContent=false
genericdatacenter.scanningLogsOn=false
genericdatacenter.scanFlatListFiles=false
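The comments above describe two things a practitioner usually ends up checking by hand: that a per-data-center key (for example aws.connectTimeoutInMilliseconds) overrides the matching global.* key and otherwise falls back to it, and that edited values stay within the documented constraints (the 5..43200 range on enforcementSessionTimeoutInMinutes, true/false for the boolean switches) before the Controller is restarted to pick them up. The following Python script is an added example, not Check Point's code and not part of the original page: it parses a constructed vsec.conf excerpt in the format shown above, resolves the effective value per data center, validates the documented constraints, and rewrites one parameter in place while preserving the comments. The positive-integer check for every *Interval/*Timeout key and the warning on useSystemProxy=true are the script's own assumptions, not rules stated in the file.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the vsec.conf format shown on this page (not copied from a real system).
SAMPLE_CONF = """\
# ports for mgmt<-->Controller communications
# Do not change
wsPort=999
wsTaggerPort=1004
enforcementSessionTimeoutInMinutes=10080
useSystemProxy=false
scanStandbyManagement=false
global.scannerInterval=30
global.scanSleepUpperLimitInSeconds=300
global.connectTimeoutInMilliseconds=5000000
global.readTimeoutInMilliseconds=120000
aws.scannerInterval=30
aws.connectTimeoutInMilliseconds=5000000
nuage.connectTimeoutInMilliseconds=60000
"""

# The only numeric range documented in the file comments.
INT_RANGES = {"enforcementSessionTimeoutInMinutes": (5, 43200)}
# Keys the file shows with true/false values.
BOOL_KEYS = {
    "useSystemProxy", "scanStandbyManagement", "updateClusterMemberAndNotVip",
    "iotdiscovery.handleFirstPolicyRequestOnly", "iotdiscovery.applyAccountingToRules",
    "genericdatacenter.deleteTemporaryFiles", "genericdatacenter.ignoreInvalidContent",
    "genericdatacenter.scanningLogsOn", "genericdatacenter.scanFlatListFiles",
}
# Per-data-center keys that fall back to the matching global.* key when not set.
DC_KEYS = ("scannerInterval", "scanSleepUpperLimitInSeconds",
           "connectTimeoutInMilliseconds", "readTimeoutInMilliseconds")
PAIR_RE = re.compile(r"^([A-Za-z0-9_.]+)=(.*)$")
# Assumption (not stated in the file): every key with one of these suffixes holds a positive integer.
NUMERIC_SUFFIX_RE = re.compile(r"(Interval|Time|Seconds|Milliseconds|Minutes)$")


def parse_conf(text: str) -> Dict[str, str]:
    """Return key -> raw value. '#' comments and blank lines are skipped; a later duplicate wins."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PAIR_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def effective(conf: Dict[str, str], dc: str, key: str) -> Optional[str]:
    """Resolve '<dc>.<key>', falling back to 'global.<key>' (the override rule in the comments)."""
    return conf.get(f"{dc}.{key}", conf.get(f"global.{key}"))


def validate(conf: Dict[str, str]) -> List[str]:
    """Return human-readable problems; an empty list means the checks pass."""
    problems: List[str] = []
    for key, (lo, hi) in INT_RANGES.items():
        if key in conf and conf[key].isdigit() and not lo <= int(conf[key]) <= hi:
            problems.append(f"{key}={conf[key]} outside documented range {lo}..{hi}")
    for key in sorted(BOOL_KEYS & conf.keys()):
        if conf[key] not in ("true", "false"):
            problems.append(f"{key}: expected true/false, got {conf[key]!r}")
    for key, val in conf.items():
        if NUMERIC_SUFFIX_RE.search(key) and not (val.isdigit() and int(val) > 0):
            problems.append(f"{key}: expected a positive integer, got {val!r}")
    # Assumption: worth flagging because the file comment warns it affects every on-premise data center.
    if conf.get("useSystemProxy") == "true":
        problems.append("useSystemProxy=true: confirm the Gaia proxy is intended for all on-premise data centers")
    return problems


def set_param(text: str, key: str, value: str) -> str:
    """Rewrite key=value in place (or append it), keeping comments and other lines untouched.
    The Controller reads vsec.conf only at load time, so a restart is still required afterwards."""
    out: List[str] = []
    found = False
    for raw in text.splitlines():
        m = PAIR_RE.match(raw.strip())
        if m and m.group(1) == key:
            out.append(f"{key}={value}")
            found = True
        else:
            out.append(raw)
    if not found:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for dc in ("aws", "nuage", "vcenter"):
        print(dc, {k: effective(conf, dc, k) for k in DC_KEYS})
    print("problems:", validate(conf) or "none")
    changed = set_param(SAMPLE_CONF, "enforcementSessionTimeoutInMinutes", "3")
    print("problems after change:", validate(parse_conf(changed)))
```

Run it against a copy of the real file before editing the live one; set_param returns the new text rather than writing it, so the caller decides where it goes and keeps the backup.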
In version R81.20 with Jumbo HFA Take 26 and higher:
Added support for sending Data Center updates from the CloudGuard Controller to the main IP address of the Active cluster member on the Management Plane instead of the cluster VIP address on the Data Plane (PRJ-43926, PRHF-27357).
This feature enables Data Center updates to clusters with MDPS (Management Data Plane Separation) enabled, where the cluster members' primary IP addresses are on the Management Plane and the VIP address is on the Data Plane.
# In version R81.20 with Jumbo HFA Take 26 and higher:
# Send Data Center updates from the CloudGuard Controller to the main IP address of the Active member
# on the Management Plane instead of the cluster VIP address on the Data Plane
updateClusterMemberAndNotVip=true