Configuration Parameters
The CloudGuard Controller (which provisions SDDC services as Virtual Data Centers that provide virtualized computer networking, storage, and security) uses configuration parameters that can be adjusted to your specific needs.
This section provides a list of the configuration parameters including their description, minimum and maximum value, and the command to force the parameter's update.
CloudGuard Controller can be configured through various parameters in the vsec.conf file. See the vsec.conf file for more information.
Locations of the vsec.conf file:
-
$FWDIR/conf/vsec.conf
-
$MDSDIR/conf/vsec.conf
Note - In a Multi-Domain Security Management High-Availability environment, the configuration file is synchronized from the Multi-Domain Management Server (a Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server) member whose Global domain is active to the other members.
Restart the CloudGuard Controller service on the other member for the changes to take effect.
Important - All configuration values are read from the vsec.conf file only when CloudGuard Controller is loaded. If you change one of the parameters, you must restart the CloudGuard Controller with the " |
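# ports for Management<-->Controller communications
# Do not change
wsPort=999
wsTaggerPort=1004
# delay time (secs) between GW policy update cycles
# Default value: 10
enforcementUpdateIntervalTime=10
# TTL (mins) for objects expiration on GW in case there are no updates
# from the Controller.
# A higher value keeps Data Center objects in force on the GW for longer
# after the Controller stops sending updates; a lower value expires them
# sooner. Stay within the min/max range below.
# min value=60
# max value=43200
# Default value: 20160
enforcementSessionTimeoutInMinutes=20160
# Update interval (secs) on changes of properties of imported data center in
# the Management/SmartConsole.
# This value is used by the Management to pull changes from Controller.
# When changing this value, the Management needs to be restarted.
# Default value: 30
autoUpdateIntervalInSeconds=30
# Number of GWs to update policy concurrently.
# Increasing to too high a value will increase load on the server.
# Default value: 15
enforcementThreadPool=15
# Number of concurrent threads to use when checking for policy changes.
# Increasing to too high a value will increase load on the server.
# Default value: 15
enforcementUpdatingThreadPool=15
# Number of consecutive GW update failures after which a CRITICAL log is sent.
# Raising this threshold delays the CRITICAL log (and any alerting keyed on
# it) for a GW that keeps failing to receive updates.
# Written as key=value like every other line in this file (the original had
# spaces around "=", the only lines here that did).
consecutiveNumOfGWFailureToCriticalLog=5
# Number of consecutive scan failures after which a CRITICAL log is sent.
consecutiveNumOfScanFailureToCriticalLog=5
# If true, send Data Center updates directly to the cluster Active member;
# disabling this will send the updates to the cluster VIP instead.
updateClusterMemberAndNotVip=true
# How long to wait for threads.
# NOTE(review): the key name, including its "Minuets" spelling, is what the
# product reads - do not "correct" it. The name suggests the unit is minutes;
# confirm against vendor docs.
minMinuetsToWait=15
# If to use the system (Gaia) proxy when connecting to Data Centers.
# !! Enabling this will affect all Data Centers and can cause connectivity issues !!
# This setting is not relevant to Azure+AWS+GCP.
useSystemProxy=false
# Interval (secs) for fetching the Gaia proxy settings for connections
# to data centers when 'useSystemProxy' is set to true
# Default value: 60
systemProxyUpdateIntervalSeconds=60
# Number of retries and delay (secs) between retries when sending
# policy updates to the GW
# Default value: 2, 1
sendAndRunScriptRetryTimes=2
sendAndRunScriptRetrySleep=1
# The payload size (in bytes) of the update request to the GWs.
# Too high a value might cause a performance issue on the GW!!
# Too low a value might increase the time it takes to push updates to the GW.
maxRequestSizeInBytes=140000
# Number of retries and delay (milliseconds) between retries when doing
# API calls to NSXT data center
# Default value: 5, 1000
failAPIRetryNumber=5
failAPIRetrySleepInMilliseconds=1000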
# Control Data Center scanning on the Standby domain in a mgmt-ha environment.
# In mgmt-ha only the Controller on the Active domain is pushing policy
# updates to the GWs, so there is no real need for the Controller on the
# Standby domain to scan the data centers and consume system resources.
# When the Standby domain is promoted to Active, the Controller on
# that new-Active domain will automatically start pushing policy updates
# to the GWs
# Default value: false
scanStandbyManagement=false
# Collect ipv6 addresses for each Data Center type.
# Can be enabled for all Data Centers (global) or for a specific data center type
# (Azure \ AWS \ GCP). Only the per-type keys are listed here; no global key
# is shown on this page.
# When enabled the ipv6 addresses will be collected, seen in the picker and pushed to the GW.
aws.collectIpv6=false
azure.collectIpv6=false
google.collectIpv6=false
# Sending logs interval (in secs)
# The allowed max value is 300 sec
# Default value: 10
sendLogInterval=10
# Number of minutes to keep and retry to send logs. Logs older than that will be deleted.
# Default value: 30
latestLogToSendToSmartConsole=30
# Number of minutes to keep and retry to update CloudGuard Controller SmartTask logs. Logs older than that will be deleted.
# Default value: 30
latestLogToSendToSmartTask=30
# How many logs to send in each send log interval
# Default value: 100
maxLogsToSend=100
# Delay time (secs) between successful Data Center scan intervals.
# This is a global setting that will be applied only to Data Centers
# without this setting
# Default value: 30
global.scannerInterval=30
# Upper limit value (secs) for the delay between failed Data Center scan
# intervals. When a Data Center scan fails, the delay between further
# scans will grow gradually up to this value.
# Default value: 300
global.scanSleepUpperLimitInSeconds=300
# Maximum sub-process TTL (milliseconds) when a sub-process is used to connect to a Data Center.
# If the Data Center mapping reaches this TTL, the sub-process will be killed and the
# mapping will fail.
# This is relevant for AWS & Azure & GCP & Oracle.
# This is a global setting that will be applied only to data centers
# without this setting
# Default value: 5000000 (roughly 83 minutes)
global.connectTimeoutInMilliseconds=5000000
# Maximum HTTP timeout (milliseconds) for API calls for public cloud Data Centers.
# This is relevant for AWS & Azure & GCP & Oracle.
# This is a global setting that will be applied only to data centers without this setting
# Default value: 60000
global.httpTimeoutInMilliseconds=60000
# Maximum timeout (milliseconds) when reading data from Data Center APIs
# This is a global setting that will be applied only to data centers
# without this setting
# Default value: 120000
global.readTimeoutInMilliseconds=120000
# Per-Data-Center blocks below override the matching global.* keys for that
# Data Center type only; the "Default value" line lists the defaults in the
# same order as the keys under "Overrides".
# ACI Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# global.readTimeoutInMilliseconds
# Default value: 30, 300, 5000000, 120000
apic.scannerInterval=30
apic.scanSleepUpperLimitInSeconds=300
apic.connectTimeoutInMilliseconds=5000000
apic.readTimeoutInMilliseconds=120000
# NSX-T Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# global.readTimeoutInMilliseconds
# Default value: 30, 300, 5000000, 120000
nsxt.scannerInterval=30
nsxt.scanSleepUpperLimitInSeconds=300
nsxt.connectTimeoutInMilliseconds=5000000
nsxt.readTimeoutInMilliseconds=120000
# Nutanix Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# global.readTimeoutInMilliseconds
# Default value: 30, 300, 5000000, 120000
nutanix.scannerInterval=30
nutanix.scanSleepUpperLimitInSeconds=300
nutanix.connectTimeoutInMilliseconds=5000000
nutanix.readTimeoutInMilliseconds=120000
# OpenStack Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# global.readTimeoutInMilliseconds
# Default value: 30, 300, 5000000, 120000
openstack.scannerInterval=30
openstack.scanSleepUpperLimitInSeconds=300
openstack.connectTimeoutInMilliseconds=5000000
openstack.readTimeoutInMilliseconds=120000
# vCenter Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# global.readTimeoutInMilliseconds
# Default value: 30, 300, 5000000, 120000
vcenter.scannerInterval=30
vcenter.scanSleepUpperLimitInSeconds=300
vcenter.connectTimeoutInMilliseconds=5000000
vcenter.readTimeoutInMilliseconds=120000
# AWS Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# global.httpTimeoutInMilliseconds
# Default value: 30, 300, 5000000, 60000
aws.scannerInterval=30
aws.scanSleepUpperLimitInSeconds=300
aws.connectTimeoutInMilliseconds=5000000
aws.httpTimeoutInMilliseconds=60000
# Support search based on the GroupName field of the AWS SG object.
aws.supportSearchGroupName=true
# Control the VPN Cloud monitor (VCM).
# When set to true, VPN Cloud monitor will run after every Data Center scan.
# VCM is responsible for analyzing the VPN configuration associated with the
# imported VPN Gateway objects, and for determining if that configuration
# is aligned with the cloud configuration.
aws.runVpnCloudMonitor=true
# Azure Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# global.httpTimeoutInMilliseconds
# Default value: 30, 300, 5000000, 60000
azure.scannerInterval=30
azure.scanSleepUpperLimitInSeconds=300
azure.connectTimeoutInMilliseconds=5000000
azure.httpTimeoutInMilliseconds=60000
# Number of threads used to parallelize the Azure scan.
# If the value is zero or less, the default value 10 will be used.
# Note: Using a very high value might impact the process performance!
azure.numOfScanThread=10
# Control the VPN Cloud monitor (VCM).
# When set to true, VPN Cloud monitor will run after every Data Center scan.
# VCM is responsible for analyzing the VPN configuration associated with the
# imported VPN Gateway objects, and for determining if that configuration
# is aligned with the cloud configuration.
azure.runVpnCloudMonitor=true
# AzureAD Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# Default value: 30, 300, 5000000
# (no http/read timeout override is listed for this Data Center type)
azure_ad.scannerInterval=30
azure_ad.scanSleepUpperLimitInSeconds=300
azure_ad.connectTimeoutInMilliseconds=5000000
# Updatable Objects Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# Default value: 300, 300
# Note that the scan interval default here (300) is higher than the
# global default (30).
onlineservices.scannerInterval=300
onlineservices.scanSleepUpperLimitInSeconds=300
# Google Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# global.httpTimeoutInMilliseconds
# Default value: 30, 300, 5000000, 60000
google.scannerInterval=30
google.scanSleepUpperLimitInSeconds=300
google.connectTimeoutInMilliseconds=5000000
google.httpTimeoutInMilliseconds=60000
# Control the VPN Cloud monitor (VCM).
# When set to true, VPN Cloud monitor will run after every Data Center scan.
# VCM is responsible for analyzing the VPN configuration associated with the
# imported VPN Gateway objects, and for determining if that configuration
# is aligned with the cloud configuration.
google.runVpnCloudMonitor=true
# Oracle (OCI) Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# global.httpTimeoutInMilliseconds
# Default value: 30, 300, 5000000, 60000
oracle.scannerInterval=30
oracle.scanSleepUpperLimitInSeconds=300
oracle.connectTimeoutInMilliseconds=5000000
oracle.httpTimeoutInMilliseconds=60000
# Kubernetes Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# global.readTimeoutInMilliseconds
# Default value: 30, 300, 5000000, 120000
kubernetes.scannerInterval=30
kubernetes.scanSleepUpperLimitInSeconds=300
kubernetes.connectTimeoutInMilliseconds=5000000
kubernetes.readTimeoutInMilliseconds=120000
# Show (true) or hide (false) specific Kubernetes asset types.
kubernetes.displayServiceLabels=true
kubernetes.displayServices=true
kubernetes.displayNodes=true
kubernetes.displayNodeLabels=true
kubernetes.displayPods=true
# ISE Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# global.readTimeoutInMilliseconds
# Default value: 30, 300, 5000000, 120000
ise.scannerInterval=30
ise.scanSleepUpperLimitInSeconds=300
ise.connectTimeoutInMilliseconds=5000000
ise.readTimeoutInMilliseconds=120000
# Number of concurrent worker threads that poll data from the ISE server.
ise.threadPoolSize=2
# The page size argument when calling the ISE /sgt API.
ise.maxPageSize=100
# Nuage Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# global.readTimeoutInMilliseconds
# Default value: 30, 300, 60000, 120000
# NOTE(review): the default listed above for connectTimeoutInMilliseconds
# (60000) does not match the value set below (5000000); confirm which is
# intended before relying on either.
nuage.scannerInterval=30
nuage.scanSleepUpperLimitInSeconds=300
nuage.connectTimeoutInMilliseconds=5000000
nuage.readTimeoutInMilliseconds=120000
# IoTDiscovery scanner config
# The list values below use a bracketed, double-quoted form that is not
# standard key=value syntax; presumably the product parses it itself, so keep
# the exact form when editing.
iotdiscovery.handleFirstPolicyRequestOnly=false
iotdiscovery.applyAccountingToRules=true
# Allowed values for the port, protocol and property fields of discovered
# policies (as the key names suggest; confirm against vendor docs).
iotdiscovery.validPolicyPorts=["any", "ssh", "ftp", "telnet", "http", "https"]
iotdiscovery.validPolicyProtocols=["any", "tcp", "udp", "icmp", "igmp"]
iotdiscovery.validPolicyProperties=["src", "dst", "name", "action", "service", "port", "protocol", "application"]
# policySource options: VISIBILITY_RULES, VENDOR, CHECKPOINT_BASELINE
iotdiscovery.policySource=VENDOR
# Check Point Data Center configuration values.
# Overrides:
# global.scannerInterval
# global.scanSleepUpperLimitInSeconds
# global.connectTimeoutInMilliseconds
# global.readTimeoutInMilliseconds
# Default value: 30, 300, 60000, 120000
checkpoint.scannerInterval=30
checkpoint.scanSleepUpperLimitInSeconds=300
checkpoint.connectTimeoutInMilliseconds=60000
checkpoint.readTimeoutInMilliseconds=120000
# Generic Data Center scanner config
# Scan interval for Generic Data Centers; presumably in seconds like
# global.scannerInterval - confirm.
genericdatacenter.scannerInterval=60
# NOTE(review): the flags below are not described on this page. Their names
# suggest: cleanup of temporary files, whether invalid content is ignored or
# fails the scan, scan logging, and flat-list file support. Confirm against
# vendor docs before changing, especially ignoreInvalidContent.
genericdatacenter.deleteTemporaryFiles=true
genericdatacenter.ignoreInvalidContent=false
genericdatacenter.scanningLogsOn=false
genericdatacenter.scanFlatListFiles=false