Configuration Parameters
The CloudGuard Controller (which provisions SDDC services as Virtual Data Centers that provide virtualized computer networking, storage, and security) uses configuration parameters that can be adjusted to your specific needs.
This section provides a list of the configuration parameters including their description, minimum and maximum value, and the command to force the parameter's update.
CloudGuard Controller can be configured through various parameters in the vsec.conf file. See the vsec.conf file for more information.
Locations of the vsec.conf file:
- $FWDIR/conf/vsec.conf
- $MDSDIR/conf/vsec.conf
Note - In a Multi-Domain Security Management High-Availability environment, the configuration file is synchronized from the Multi-Domain Management Server (Management Server: a Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server) member whose Global domain is active to the other members. Restart the CloudGuard Controller service on the other member for the changes to take effect.
Important - All configuration values are read from the vsec.conf file only when CloudGuard Controller is loaded. If you change one of the parameters, you must restart the CloudGuard Controller service for the change to take effect.
# vsec.conf - CloudGuard Controller settings: flat key=value lines, '#' full-line comments.
# Values are read only when the Controller loads; restart the Controller service after editing.
# Ports for Management<-->Controller communications.
# Do not change.
wsPort=999
wsTaggerPort=1004
# Delay (seconds) between Gateway policy update cycles.
# Default value: 10
enforcementUpdateIntervalTime=10
# TTL (minutes) after which objects expire on the Gateway when no updates
# arrive from the Controller. 20160 minutes = 14 days.
# Objects stay enforced on the Gateway for up to this TTL if the Controller
# stops updating, so a larger value keeps stale Data Center objects in policy longer.
# min value=60
# max value=43200
# Default value: 20160
enforcementSessionTimeoutInMinutes=20160
# Update interval (seconds) for changes to the properties of an imported Data Center
# in the Management/SmartConsole.
# The Management uses this value to pull changes from the Controller.
# When changing this value, the Management must be restarted as well.
# Default value: 30
autoUpdateIntervalInSeconds=30
# Number of Gateways whose policy is updated concurrently.
# Setting this too high increases the load on the server.
# Default value: 15
enforcementThreadPool=15
# Number of concurrent threads used when checking for policy changes.
# Setting this too high increases the load on the server.
# Default value: 15
enforcementUpdatingThreadPool=15
# Number of consecutive Gateway update failures after which a CRITICAL log is sent.
# NOTE(review): this key and the next use "key = value" spacing while the rest of the
# file uses "key=value"; most parsers strip the surrounding spaces, but confirm for this one.
consecutiveNumOfGWFailureToCriticalLog = 5
# Number of consecutive scan failures after which a CRITICAL log is sent.
consecutiveNumOfScanFailureToCriticalLog = 5
# true:  send Data Center updates directly to the cluster's Active member.
# false: send the updates to the cluster VIP instead.
updateClusterMemberAndNotVip=true
# How long to wait for threads (presumably minutes, going by the key name - confirm).
# Do not rename the key: its (misspelled) name is presumably what the Controller looks up.
minMinuetsToWait=15
# Whether to use the system (Gaia) proxy when connecting to Data Centers.
# !! Enabling this affects all Data Centers and can cause connectivity issues !!
# This setting is not relevant to Azure, AWS and GCP.
useSystemProxy=false
# Interval (seconds) for re-fetching the Gaia proxy settings used for connections
# to Data Centers when 'useSystemProxy' is true.
# Default value: 60
systemProxyUpdateIntervalSeconds=60
# Number of retries, and delay (seconds) between retries, when sending
# policy updates to the Gateway.
# Default values: 2, 1
sendAndRunScriptRetryTimes=2
sendAndRunScriptRetrySleep=1
# Delay (milliseconds) between each enforcement update chunk.
# Default value: 750
sleepBetweenEachEnforcementUpdateChunk=750
# Payload size (bytes) of the update request sent to the Gateways.
# Too high a value may cause performance issues on the Gateway!!
# Too low a value may increase the time it takes to push updates to the Gateway.
# This value can be configured separately for each Gateway version by appending
# the version to the key (see below); the version-less key is presumably the
# fallback for versions not listed - confirm.
# Default and max value: 140000
gatewaysproperty.maxRequestSizeInBytes=140000
gatewaysproperty.maxRequestSizeInBytes.R80.30=50000
gatewaysproperty.maxRequestSizeInBytes.R80.40=140000
gatewaysproperty.maxRequestSizeInBytes.R81=140000
gatewaysproperty.maxRequestSizeInBytes.R81.10=140000
gatewaysproperty.maxRequestSizeInBytes.R81.20=140000
gatewaysproperty.maxRequestSizeInBytes.R82=140000
# Number of chunks to send at once.
# Default value: 10
enforcementRequestChunksToSendAtOnce=10
# Number of retries, and delay (milliseconds) between retries, when making
# API calls to an NSX-T Data Center.
# Default values: 5, 1000
failAPIRetryNumber=5
failAPIRetrySleepInMilliseconds=1000
# Controls Data Center scanning on the Standby domain in a Management HA environment.
# In Management HA only the Controller on the Active domain pushes policy
# updates to the Gateways, so there is no real need for the Controller on the
# Standby domain to scan the Data Centers and consume system resources.
# When the Standby domain is promoted to Active, the Controller on that
# new-Active domain automatically starts pushing policy updates to the Gateways.
# Default value: false
scanStandbyManagement=false
# Interval (seconds) between log sends.
# The allowed max value is 300 seconds.
# Default value: 10
sendLogInterval=10
# Number of minutes to keep logs and retry sending them to SmartConsole.
# Logs older than this are deleted, so unsent logs are lost after an outage
# longer than this window.
# Default value: 30
latestLogToSendToSmartConsole=30
# Number of minutes to keep logs and retry updating CloudGuard Controller SmartTask logs.
# Logs older than this are deleted.
# Default value: 30
latestLogToSendToSmartTask=30
# Maximum number of logs to send in each send-log interval.
# Default value: 100
maxLogsToSend=100
# Collect IPv6 addresses for each Data Center type.
# Can be enabled for all Data Centers (global) or for a specific Data Center type
# (Azure \ AWS \ GCP \ NSXT \ vCenter) through the per-type key
# (e.g. aws.collectIpv6, nsxt.collectIpv6 below).
# When enabled, the IPv6 addresses are collected, shown in the picker and pushed to the Gateway.
global.collectIpv6=false
# Delay (seconds) between successful Data Center scan intervals.
# This is a global setting that applies only to Data Centers whose
# type does not override this setting.
# Default value: 30
global.scannerInterval=30
# Upper limit (seconds) for the delay between failed Data Center scan
# intervals. When a Data Center scan fails, the delay between further
# scans grows gradually up to this value.
# Default value: 300
global.scanSleepUpperLimitInSeconds=300
# Maximum sub-process TTL (milliseconds) when a sub-process is used to connect to a Data Center.
# If the Data Center mapping reaches this TTL, the sub-process is killed and the
# mapping fails. 5000000 ms is roughly 83 minutes.
# This is relevant for AWS, Azure, GCP and Oracle.
# This is a global setting that applies only to Data Centers whose
# type does not override this setting.
# Default value: 5000000
global.connectTimeoutInMilliseconds=5000000
# Maximum HTTP timeout (milliseconds) for API calls to public cloud Data Centers.
# This is relevant for AWS, Azure, GCP and Oracle.
# This is a global setting that applies only to Data Centers whose type does not override this setting.
# Default value: 60000
global.httpTimeoutInMilliseconds=60000
# Maximum timeout (milliseconds) when reading data from Data Center APIs.
# This is a global setting that applies only to Data Centers whose
# type does not override this setting.
# Default value: 120000
global.readTimeoutInMilliseconds=120000
# ACI (APIC) Data Center configuration values.
# Each key overrides the corresponding global key for ACI Data Centers only:
#   global.scannerInterval
#   global.scanSleepUpperLimitInSeconds
#   global.connectTimeoutInMilliseconds
#   global.readTimeoutInMilliseconds
# Default values (same order): 30, 300, 5000000, 120000
apic.scannerInterval=30
apic.scanSleepUpperLimitInSeconds=300
apic.connectTimeoutInMilliseconds=5000000
apic.readTimeoutInMilliseconds=120000
# NSX-T Data Center configuration values.
# Each key overrides the corresponding global key for NSX-T Data Centers only:
#   global.scannerInterval
#   global.scanSleepUpperLimitInSeconds
#   global.connectTimeoutInMilliseconds
#   global.readTimeoutInMilliseconds
#   global.collectIpv6
# Default values (same order): 30, 300, 5000000, 120000, false
nsxt.scannerInterval=30
nsxt.scanSleepUpperLimitInSeconds=300
nsxt.connectTimeoutInMilliseconds=5000000
nsxt.readTimeoutInMilliseconds=120000
nsxt.collectIpv6=false
# Nutanix Data Center configuration values.
# Each key overrides the corresponding global key for Nutanix Data Centers only:
#   global.scannerInterval
#   global.scanSleepUpperLimitInSeconds
#   global.connectTimeoutInMilliseconds
#   global.readTimeoutInMilliseconds
# Default values (same order): 30, 300, 5000000, 120000
nutanix.scannerInterval=30
nutanix.scanSleepUpperLimitInSeconds=300
nutanix.connectTimeoutInMilliseconds=5000000
nutanix.readTimeoutInMilliseconds=120000
# OpenStack Data Center configuration values.
# Each key overrides the corresponding global key for OpenStack Data Centers only:
#   global.scannerInterval
#   global.scanSleepUpperLimitInSeconds
#   global.connectTimeoutInMilliseconds
#   global.readTimeoutInMilliseconds
# Default values (same order): 30, 300, 5000000, 120000
openstack.scannerInterval=30
openstack.scanSleepUpperLimitInSeconds=300
openstack.connectTimeoutInMilliseconds=5000000
openstack.readTimeoutInMilliseconds=120000
# vCenter Data Center configuration values.
# Each key overrides the corresponding global key for vCenter Data Centers only:
#   global.scannerInterval
#   global.scanSleepUpperLimitInSeconds
#   global.connectTimeoutInMilliseconds
#   global.readTimeoutInMilliseconds
#   global.collectIpv6
# Default values (same order): 30, 300, 5000000, 120000, false
vcenter.scannerInterval=30
vcenter.scanSleepUpperLimitInSeconds=300
vcenter.connectTimeoutInMilliseconds=5000000
vcenter.readTimeoutInMilliseconds=120000
vcenter.collectIpv6=false
# AWS Data Center configuration values.
# Each key overrides the corresponding global key for AWS Data Centers only:
#   global.scannerInterval
#   global.scanSleepUpperLimitInSeconds
#   global.connectTimeoutInMilliseconds
#   global.httpTimeoutInMilliseconds
#   global.collectIpv6
# Default values (same order): 30, 300, 5000000, 60000, false
aws.scannerInterval=30
aws.scanSleepUpperLimitInSeconds=300
aws.connectTimeoutInMilliseconds=5000000
aws.httpTimeoutInMilliseconds=60000
aws.collectIpv6=false
# Support search based on the GroupName field of an AWS Security Group object.
aws.supportSearchGroupName=true
# Controls the VPN Cloud Monitor (VCM).
# When set to true, the VPN Cloud Monitor runs after every Data Center scan.
# VCM is responsible for analyzing the VPN configuration associated with the
# imported VPN Gateway objects, and for determining whether that configuration
# is aligned with the cloud configuration.
aws.runVpnCloudMonitor=true
# Azure Data Center configuration values.
# Each key overrides the corresponding global key for Azure Data Centers only:
#   global.scannerInterval
#   global.scanSleepUpperLimitInSeconds
#   global.connectTimeoutInMilliseconds
#   global.httpTimeoutInMilliseconds
#   global.collectIpv6
# Default values (same order): 30, 300, 5000000, 60000, false
azure.scannerInterval=30
azure.scanSleepUpperLimitInSeconds=300
azure.connectTimeoutInMilliseconds=5000000
azure.httpTimeoutInMilliseconds=60000
azure.collectIpv6=false
# Number of threads used to parallelize the Azure scan.
# If the value is zero or less, the default value 10 is used.
# Note: a very high value might impact the process performance!
azure.numOfScanThread=10
# Controls the VPN Cloud Monitor (VCM).
# When set to true, the VPN Cloud Monitor runs after every Data Center scan.
# VCM is responsible for analyzing the VPN configuration associated with the
# imported VPN Gateway objects, and for determining whether that configuration
# is aligned with the cloud configuration.
azure.runVpnCloudMonitor=true
# Azure AD Data Center configuration values.
# Each key overrides the corresponding global key for Azure AD Data Centers only:
#   global.scannerInterval
#   global.scanSleepUpperLimitInSeconds
#   global.connectTimeoutInMilliseconds
# Default values (same order): 30, 300, 5000000
azure_ad.scannerInterval=30
azure_ad.scanSleepUpperLimitInSeconds=300
azure_ad.connectTimeoutInMilliseconds=5000000
# Updatable Objects Data Center configuration values.
# Each key overrides the corresponding global key for Updatable Objects only:
#   global.scannerInterval
#   global.scanSleepUpperLimitInSeconds
# Default values (same order): 300, 300
# Note that the default scan interval here (300) is longer than the global default (30).
onlineservices.scannerInterval=300
onlineservices.scanSleepUpperLimitInSeconds=300
# Google (GCP) Data Center configuration values.
# Each key overrides the corresponding global key for Google Data Centers only:
#   global.scannerInterval
#   global.scanSleepUpperLimitInSeconds
#   global.connectTimeoutInMilliseconds
#   global.httpTimeoutInMilliseconds
#   global.collectIpv6
# Default values (same order): 30, 300, 5000000, 60000, false
google.scannerInterval=30
google.scanSleepUpperLimitInSeconds=300
google.connectTimeoutInMilliseconds=5000000
google.httpTimeoutInMilliseconds=60000
google.collectIpv6=false
# Controls the VPN Cloud Monitor (VCM).
# When set to true, the VPN Cloud Monitor runs after every Data Center scan.
# VCM is responsible for analyzing the VPN configuration associated with the
# imported VPN Gateway objects, and for determining whether that configuration
# is aligned with the cloud configuration.
google.runVpnCloudMonitor=true
# Oracle (OCI) Data Center configuration values.
# Each key overrides the corresponding global key for Oracle Data Centers only:
#   global.scannerInterval
#   global.scanSleepUpperLimitInSeconds
#   global.connectTimeoutInMilliseconds
#   global.httpTimeoutInMilliseconds
#   global.collectIpv6
# Default values (same order): 30, 300, 5000000, 60000, false
oracle.scannerInterval=30
oracle.scanSleepUpperLimitInSeconds=300
oracle.connectTimeoutInMilliseconds=5000000
oracle.httpTimeoutInMilliseconds=60000
oracle.collectIpv6=false
# Kubernetes Data Center configuration values.
# Each key overrides the corresponding global key for Kubernetes Data Centers only:
#   global.scannerInterval
#   global.scanSleepUpperLimitInSeconds
#   global.connectTimeoutInMilliseconds
#   global.readTimeoutInMilliseconds
# Default values (same order): 30, 300, 5000000, 120000
kubernetes.scannerInterval=30
kubernetes.scanSleepUpperLimitInSeconds=300
kubernetes.connectTimeoutInMilliseconds=5000000
kubernetes.readTimeoutInMilliseconds=120000
# Show or hide specific Kubernetes asset types (true = show, false = hide).
kubernetes.displayServiceLabels=true
kubernetes.displayServices=true
kubernetes.displayNodes=true
kubernetes.displayNodeLabels=true
kubernetes.displayPods=true
# ISE Data Center configuration values.
# Each key overrides the corresponding global key for ISE Data Centers only:
#   global.scannerInterval
#   global.scanSleepUpperLimitInSeconds
#   global.connectTimeoutInMilliseconds
#   global.readTimeoutInMilliseconds
# Default values (same order): 30, 300, 5000000, 120000
ise.scannerInterval=30
ise.scanSleepUpperLimitInSeconds=300
ise.connectTimeoutInMilliseconds=5000000
ise.readTimeoutInMilliseconds=120000
# Number of concurrent worker threads that poll data from the ISE server.
ise.threadPoolSize=2
# Page size argument used when calling the ISE /sgt API.
ise.maxPageSize=100
# IoT Discovery scanner configuration.
# NOTE(review): the validPolicy* values below are written as JSON-style arrays.
# That is a value syntax specific to the Controller's parser, not generic
# key=value list handling; keep the exact form (brackets, quotes, commas).
iotdiscovery.handleFirstPolicyRequestOnly=false
iotdiscovery.applyAccountingToRules=true
iotdiscovery.validPolicyPorts=["any", "ssh", "ftp", "telnet", "http", "https"]
iotdiscovery.validPolicyProtocols=["any", "tcp", "udp", "icmp", "igmp"]
iotdiscovery.validPolicyProperties=["src", "dst", "name", "action", "service", "port", "protocol", "application"]
# policySource options: VISIBILITY_RULES, VENDOR, CHECKPOINT_BASELINE
iotdiscovery.policySource=VENDOR
# Generic Data Center scanner configuration.
# scannerInterval is presumably in seconds, like global.scannerInterval - confirm.
# The remaining keys have no description in this file; their names suggest
# temp-file cleanup, tolerance of invalid content, scan logging and flat-list
# file handling - confirm against the Controller documentation before relying on them.
genericdatacenter.scannerInterval=60
genericdatacenter.deleteTemporaryFiles=true
genericdatacenter.ignoreInvalidContent=false
genericdatacenter.scanningLogsOn=false
genericdatacenter.scanFlatListFiles=false
# Proxmox Data Center configuration values.
# Each key overrides the corresponding global key for Proxmox Data Centers only:
#   global.scannerInterval
#   global.scanSleepUpperLimitInSeconds
#   global.connectTimeoutInMilliseconds
#   global.readTimeoutInMilliseconds
# Default values (same order): 30, 300, 5000000, 120000
proxmox.scannerInterval=30
proxmox.scanSleepUpperLimitInSeconds=300
proxmox.connectTimeoutInMilliseconds=5000000
proxmox.readTimeoutInMilliseconds=120000
# No description in this file; presumably whether Proxmox tags are imported - confirm.
proxmox.importTags=false
# Per-type override of global.collectIpv6 for Proxmox Data Centers.
proxmox.collectIpv6=false