Check Point CloudGuard
Supported Software
Check Point Security Gateway CloudGuard protects virtualized environments in private and public clouds from internal and external threats by securing virtual machines and applications with the full range of Check Point Software Blades and central management. The Check Point Security Gateway CloudGuard product is integrated with the VMware NSX Manager ecosystem using the NetX API.
For more information on the additional supported software, see the VMware Compatibility Guide.
VMware Components
ESXi host:
- 5.5 GA update 3 (build 2068190) or later
vCenter Server:
- 5.5 GA update 2 (build 2063318)
- 6.0 GA (build 3018523) or later
NSX Manager:
- 6.2.4 GA (build 4292526)
- 6.3.0 GA (build 5007049)
- 6.4.0 GA (build 7564187)
- 6.4.1 GA (build 8408468)
Used VMware Libs:
VMware NetX SDK 6.3.3 build number 6276725
Upgrading the CloudGuard Service Registration Hotfix
Upgrading from v3/v4
To upgrade from CloudGuard Service Registration v3/v4:
- Uninstall the previous version of the CloudGuard Service Registration. If you currently have R80, upgrade to R80.10.
- Install the R80.10 CloudGuard Service Registration v5.
- Connect to the CloudGuard Management Server or the Multi-Domain Server with a console connection or SSH. Run: cloudguard_config. On a Multi-Domain Server run cloudguard_config on every Domain Management Server.
- Select VMware Configuration.
- Configure the CloudGuard Management Server Properties.
- Select n, because you are not registering this service for the first time.
- For each NSX Service Manager that has a service registered, update the credentials. Go to Change Global Configuration > Service Manager Credentials and follow the on-screen prompts.
Upgrading from v2
To upgrade from CloudGuard Service Registration v2:
- Upgrade to R80.10.
- Install the R80.10 CloudGuard Service Registration v5.
- Connect to the CloudGuard Management Server or the Multi-Domain Server with a console connection or SSH. Run: vsec on.
- When you perform the upgrade, the vCenter and NSX objects disable the Trusted connection. To enable the objects again, from SmartConsole, Trust the connection to reconnect the NSX and vCenter objects.
- On a Multi-Domain Server only:
a) Run cloudguard_config on every Domain Management Server.
b) Select VMware Configuration.
c) Configure the CloudGuard Management Server properties.
d) Select n, because you are not registering this service for the first time.
- Run: cloudguard_config -upgrade. On a Multi-Domain Server, run the command from the Multi-Domain Server IP.
The Security Management Server with the new CloudGuard registration Hotfix re-attaches itself to a gateway that has already been deployed. All services continue as they did before the upgrade.
Using CPUSE to Install the Management Server Hotfix
Go to the Gaia Portal. If you are online, the Hotfix will show in the Gaia Portal. If you are offline, you have to download the file to a local drive or external media (such as a USB).
To install the Management Server Hotfix with CPUSE online:
- From the Gaia Portal, go to Upgrades (CPUSE) > Status and Actions.
- From the menu bar, click the drop-down arrow. Select Showing All packages. The Hotfix package shows. If you do not see the Hotfix package, click Check for Updates.
- Click Install Update.
- The online installation starts immediately. The Management Server reboots when the installation is complete. If you want to confirm the package installation, right-click Verifier.
To install the Management Server Hotfix with CPUSE offline:
Select the CloudGuard Service Registration Hotfix for CloudGuard R80.10
After you copy the file to the external media, the steps for downloading the package with CPUSE offline are the same.
- Download the file to a local drive or external media (such as a USB).
- From the Gaia Portal, go to Upgrades (CPUSE) > Status and Actions.
- Select Import Package. The Import Package window opens.
- Click Browse and select the CPUSE package (TGZ file or TAR file).
- Click Upload.
- Click Showing Recommended packages, and select All.
- Click Install Update.
The offline installation starts immediately. The Management Server reboots automatically when the installation is complete.
Upgrading the CloudGuard Gateway for NSX
Before you start the upgrade, you have to enable the OVF files, and make sure the service status in the vSphere Web Client is UP, or the upgrade will fail.
- Log in to Expert Mode.
- Run: cloudguard_config.
- Select VMware Configuration > Manage Register Service > Upgrade Service > NSX.
- Select the service you want to upgrade.
- Select the Cluster you want to upgrade.
- To register the service with a default configuration, press y to accept the default settings. Enter y to automatically create the CloudGuard Gateway object on the CloudGuard Management Server and to automatically assign the IP gateway address from the NSX IP pool. Or, enter n to manually create an object. Then, enter y to automatically assign the IP gateway address from the NSX IP pool, or n to set the IP address manually. See below for details on how to register the service.
- Enter and confirm the default administrator password for the CloudGuard Gateway.
- Enter and confirm the SIC one-time password.
- Select the IP pool, if you selected to assign the IP gateway address from the NSX IP pool. If your IP pool has no IP, you can change your selection, or create a new IP pool.
To register the service with a manual configuration, select n to configure manually.
- Enter a Service Name.
- Select how you want to register the service.
- As a tap device.
- As a gateway, select Inspection.
- Configure the Failure Policy (for the Inspection Mode only). The default policy is Fail close and all packets are dropped. If you choose Fail open, all packets are accepted. The Failure Policy determines if packets are allowed or dropped when the ESXi kernel cannot communicate with the CloudGuard Gateway agent. This can happen when the CloudGuard Gateway is down, restarts, or has an unexpected error. You can change the policy later.
- Configure IPv6 support.
The upgrade is now in progress. The process will take some time. You can follow the progress on the Management Server console. When the installation is complete, you have to redirect the traffic to the new service.
- Select VMware Configuration > Manage Register Service > Change Redirection Rules > NSX.
- Select the old service.
- Select the new service.
Confirm that the new service is running, and then uninstall the old service.
NetX log files locations:
- In an MDS (Multi-Domain Server) management:
$MDS_TEMPLATE/log/netx_server.elg
- Otherwise: $FWDIR/log/netx_server.elg
For Troubleshooting Information (logs, procedures and techniques), please refer to Check Point CloudGuard Gateways on NSX Platforms Administration Guide R80.
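A post-upgrade check built on the NetX log locations listed above, as an added example that is not part of the Check Point documentation. It resolves the log path by the MDS / non-MDS rule and lists lines that look like failures, treating a missing log as its own error instead of a clean result. The function names, the MDS detection through a non-empty MDS_TEMPLATE, and the keyword list are assumptions; the real line format of netx_server.elg is not described on this page.

```shell
#!/bin/sh
# Added example: locate netx_server.elg and flag suspicious lines.

# Print the NetX log path: $MDS_TEMPLATE on a Multi-Domain Server, else $FWDIR.
# Assumption: a non-empty MDS_TEMPLATE means Multi-Domain Server management.
netx_log_path() {
    if [ -n "${MDS_TEMPLATE:-}" ]; then
        printf '%s\n' "$MDS_TEMPLATE/log/netx_server.elg"
    elif [ -n "${FWDIR:-}" ]; then
        printf '%s\n' "$FWDIR/log/netx_server.elg"
    else
        echo "MDS_TEMPLATE and FWDIR are unset; load the Check Point environment" >&2
        return 2
    fi
}

# Print "lineno:text" for lines matching the (assumed) failure keywords.
# Exit status: 0 = readable and clean, 1 = matches found, 2 = log missing/unreadable.
netx_log_scan() {
    log=$(netx_log_path) || return 2
    if [ ! -r "$log" ]; then
        echo "cannot read $log" >&2
        return 2
    fi
    if grep -n -i -E 'error|fail|exception|denied' "$log"; then
        return 1
    fi
    return 0
}

# Demo on a constructed log (not real NetX output); prints the scan status.
netx_demo() (
    d=$(mktemp -d) && mkdir -p "$d/log"
    printf '%s\n' 'constructed: service started' \
        'constructed: ERROR registration failed' > "$d/log/netx_server.elg"
    unset MDS_TEMPLATE
    FWDIR=$d
    rc=0
    netx_log_scan >/dev/null || rc=$?
    rm -rf "$d"
    echo "$rc"
)
```

On the Management Server, run `netx_log_scan` after the upgrade completes and again after the redirection rules are changed; status 2 means the log was not found where this page says it should be.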