CloudGuard Controller for VMware Servers

Connecting to a VMware Server with SmartConsole

Step	Instructions
1	In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., create a new Data Center Virtual centralized repository, or a group of physical networked hosts, Virtual Machines, and datastores. They are collected in a group for secured remote storage, management, and distribution of data. object in one of these ways: In the top left corner, click Objects menu > More object types > Server > Data Center > New VMware vCenter, VMware NSX-T, or VMware Global NSX-T. In the top right corner, click Objects Pane > New > More > Server > Data Center > VMware vCenter, VMware NSX-T, or VMware Global NSX-T.
2	In the Enter Object Name field, enter the applicable name.
3	In the Hostname field, enter the IP address or hostname of your vCenter or NSX Manager server.
4	In the Username field, enter your VMware administrator username.
5	In the Password field, enter your VMware administrator password.
6	Click Test Connection.
7	Click OK.
8	Publish the SmartConsole session.
9	Install the Access Control policy on the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object.

Connecting to a VMware Data Center Server with Management API

Go to Management API Reference > Click on see arguments per Data Center Server type and select VMWare vCenter or VMWare NSX-T.

Connecting to a VMWare Data Center Server with Terraform

See checkpoint_management_vmware_data_center_server.

CloudGuard Controller for VMware vCenter

VMware vCenter Prerequisites

VMware vCenter versions 5.x, 6.x, 7.x, 8.0.
You must have a VMware user with Auditor (or higher) permission to access the CloudGuard Controller Provisions SDDC services as Virtual Data Centers that provide virtualized computer networking, storage, and security..

For NSX operations, it is necessary to have at minimum read-only permissions.
The CloudGuard Controller integrates the VMware NSX Manager Server with Check Point security.

VMware vCenter Objects and Properties

VMware vCenter Imported Objects

Object	Description
Cluster	A collection of ESXi hosts and associated Virtual Machines configured to work as a unit.
Datacenter	An aggregation of many object types required to work in a virtual infrastructure. These include hosts, Virtual Machines, networks, and datastores.
Folder	Lets you group similar objects.
Host	The physical computer where you install ESXi. All Virtual Machines run on a host.
Resource pool	Compartmentalizes the host or cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. CPU and memory resources.
Virtual machine	A virtual computer environment where a guest operating system and associated application software runs.
vSphere vApp	A packaging and managing application format. A vSphere vApp can contain multiple Virtual Machines.
Tags	All the Virtual Machines tagged with the vCenter tag. Note - This is supported with vCenter 6.5 and above.

VMware vCenter Imported Properties

Imported Property	Description
IP	IP address or Hostname of vCenter Server. You must install VMware Tools on each Virtual Machine to retrieve the IP addresses for each computer.
Note	VMware vCenter object notes.
URI	Object path.

Imported Property

Description

IP address or Hostname of vCenter Server.

You must install VMware Tools on each Virtual Machine to retrieve the IP addresses for each computer.

Note

VMware vCenter object notes.

URI

Object path.

CloudGuard Controller for VMware NSX-T Management Server

The CloudGuard Controller integrates the VMware NSX-T Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. with Check Point security.

show this section

VMware NSX-T Prerequisites

NSX-T versions 2.5, 3.0, 3.1.x, 3.2.1, 4.0.x, 4.1.x.
You must have a VMware NSX-T username with the minimum permission of an Auditor (or higher) to access the CloudGuard Controller.

Note - This role is sufficient for CloudGuard Controller functionality. More permissions may be required for service registration (CloudGuard Gateway for NSX-T).

VMware NSX-T Policy mode APIs

In NSX-T 4.0.0.x and higher versions, Manager Mode APIs are deprecated. The use of Policy Mode is recommended.
Import NSX-T Tags (NSgroups and VMs) is supported.
Import NSX-T Virtual Machine objects is supported.

Note - You can enable Virtual Machines Import only with Policy Mode APIs. When enabled, the number of API requests to the NSX-T Manager increases.

Migration from Manager Mode to Policy Mode:

Use VMware Promotion Process: Promote Manager Objects to Policy Objects
Change NSX-T DC property to Policy Mode.

To use Policy Mode:

For new NSX-T DC objects: Select the Policy Mode (Recommended) field.
For all old NSX-T DC objects: Use the usePolicyModeApis parameter in the vsec.conf file.

For more information refer to Configuration Parameters.

VMware NSX-T Imported Objects

Object	Description
Ns Group	Enables a static or dynamic grouping based on objects such as Virtual Machines, vNICs, vSphere clusters, logical switches, and so on.
Virtual Machine (VM)	A virtual computer environment that runs a guest operating system and applications software. You can import a VM only with Policy Mode API's.
Tag	All the NS Groups and Virtual Machines tagged with the NSX-T tag.

Object

Description

Ns Group

Enables a static or dynamic grouping based on objects such as Virtual Machines, vNICs, vSphere clusters, logical switches, and so on.

Virtual Machine (VM)

A virtual computer environment that runs a guest operating system and applications software.

You can import a VM only with Policy Mode API's.

Tag

All the NS Groups and Virtual Machines tagged with the NSX-T tag.

To import Virtual Machines:

For new NSX-T DC objects: Select the Import Virtual Machines field.
For all old NSX-T DC objects: Use the importVms parameter in the vsec.conf file.

For more information refer to Configuration Parameters.

VMware NSX-T VMware NSX-T is a network virtualization and security platform that builds security into the network virtualization infrastructure. object import supports IPv4/IPv6 IP sets with ranges or CIDR block notations. Each object can be up to 1000 IP addresses.

Supported IP Ranges are in the format: a.b.c.x - a.b.c.y.

Important - This feature is disabled by default.

To enable the import of IPv4/IPv6 IP sets with ranges or CIDR block notations, add this parameter to the vsec.conf file in the NSX-T section:

nsxt.ipRangeEnable=true

To decrease the range value add this parameter to the vsec.conf file in the NSX-T section:

nsxt.ipRangeLimit = <max amount of IP addresses to import in a single range>

CloudGuard Controller for VMware Global NSX-T Management Server

The CloudGuard Controller integrates the VMware Global NSX-T Management Server with Check Point security.

show this section

VMware Global NSX-T Prerequisites

Global NSX-T version 4.1.
You must have a VMware NSX-T username with the minimum permission of an Auditor (or higher) to access the CloudGuard Controller.

Note - This role is sufficient for CloudGuard Controller functionality. More permissions may be required for service registration (CloudGuard Gateway for NSX-T).

VMware Global NSX-T Imported Objects

Object

Description

Region

A group for security and networking policies. Some regions are created automatically after you onboard locations in Global Manager. You can add more regions as necessary.

Ns Group

Enables a static or dynamic grouping based on objects such as Virtual Machines, vNICs, vSphere clusters, logical switches, and so on.

Note - To enable the import of Virtual Interfaces (VIFs) IP expressions as part of the NSGroup, add this parameter to the vsec.conf file in the NSX-T section:

nsxt.importGlobalManagerVifs=true

VMware Global NSX-T object import supports IPv4 IP sets with ranges or CIDR block notations. Each object can be up to 1000 IP addresses.

Supported IP Ranges are in the format: a.b.c.x - a.b.c.y.

Important - This feature is disabled by default.

To enable the import of IPv4 IP sets with ranges or CIDR block notations, add this parameter to the vsec.conf file in the NSX-T section:

nsxt.ipRangeEnable=true

Note - IPv4 IP sets with ranges or CIDR block notations import many IP Addresses, which can affect the CloudGuard Controller's performance.

The default number of IP addresses an object can hold is 1000 and you can not increase it.

To decrease the range value add this parameter to the vsec.conf file in the NSX-T section:

nsxt.ipRangeLimit = <max amount of IP addresses to import in a single range>

Important - Global NSX-T and Local NSX-T Data center's configuration parameters are unified and use the nsxt. prefix.

VMware NSX-T Imported Properties

Imported Property	Description
IP	All the Ns Group IP addresses
Note	Description value of a Ns Group
URI	Object path

VMware NSX-T Known Limitations

Logs for rules with VMware NSX-T Ns Groups will contain only the IP address. The logs will not contain the instance name.
Because of an API change on VMware side in NSX-T Manager 3.2, the creation of NSX-T 3.2 Data Center in the Security Management fails. VMware made a fix in version 3.2.1.
It is recommended to install official VMware Tools on a Virtual Machine for the VMware NSX-T Controller to pool IP addresses successfully. Install the VMware Tools for your specific version. You can find alternatives for IP discovery without VMware Tools in the VMware NSX Administration Guide.
For information regarding VMware Deprecation announcement for NSX-T Manager API's, refer to sk180244.

Limitations

Official VMware Tools must be installed on a VM for the CloudGuard Controller to pool IP addresses successfully.