topic R80.20.M1 and Cloudguard NSX in Cloud Firewall

R80.20.M1 and Cloudguard NSX

Srdjan_B — Wed, 12 Sep 2018 15:13:11 GMT

I wanted to try R80.20 and vSec for NSX in my lab (trying to figure out if we should start with R80.20M1 or stick with R80.10 for management). The R80.20 documentation covers the management part only, nothing about deployment/registering of OVFs for NSX.

In the sk114518, the R80.20 is not even mentioned and I am unable to find any other SK relevant to R80.20 managing R80.10 Cloudguard for NSX gateway. vSEC Gateway for NSX Managed by R80.10 Platforms Administration Guide has info how to deploy gateways managed by R80.10 but these commands are not working. On R80.20.M1, there is cloudguard on command (instead of vsec on) but there is no vsec_config or cloudguard_config.

Should I just stick with R80.10 for managing Cloudguard for NSX or there is some SK which I missed? Thanks.

Re: R80.20.M1 and Cloudguard NSX

_Val_ — Wed, 12 Sep 2018 15:16:22 GMT

Tomer Sole‌, can you help here or redirect to a relevant team/person?

Re: R80.20.M1 and Cloudguard NSX

_Val_ — Wed, 12 Sep 2018 15:22:37 GMT

Srdjan Bosnjak‌, SecureKnowledge does not mentioned versions that are not GA. R80.20 is on public EA now, and the focus of that cycle is GW part.

For all production purposes, including pre-production tests in your lab, I would recommend sticking to GA releases. R80.20.M1 is GA, and I am quite sure all management command working there will be availabe with R80.20 GA as well.

Testing and making your mind based on EA version is tricky, as there is no guarantie EA version will be consistent with GA one.

That said, I hope Tomer will be able to give you some guidance.

Re: R80.20.M1 and Cloudguard NSX

Srdjan_B — Fri, 14 Sep 2018 14:06:10 GMT

I was not clear, sorry for confusion. The idea was to use R80.20.M1 management and R80.10 Cloudguard gateway (both are GA). This combo (or anything with R80.20.M1) is not covered in sk114518.

The issue I am facing is this: Cloudguard controller is integrated in R80.20.M1, but there is no equivalent of vSEC Service Registration v5 Hotfix for R80.10 Management Server. On R80.10 management, this hotfix brings cloudguard_config command. In the sk128612 it is written that during the upgrade from R80.10 to R80.20.M1 the hotfix needs to be uninstalled but it does not say anything about installing a new one for R80.20.M1. I expected that functionality of the hotfix was integrated in R80.20.M1, but I was probably wrong. So, I will change my question and ask if service registration is supported in R80.20.M1 with R80.10 Cloudguard gateway for NSX?

I also tried to start with R80.10 management with the idea to use R80.10 management to deploy R80.10 gateways and immediately upgrade management to R80.20.M1 (keeping GWs at R80.10). However, it seems that even my NSX version is too recent. Basically, it looks that VMware made a change which throws Cloudguard off. When registering service, Cloudguard is checking https://nsx-manager.your.domain//api/2.0/global/heartbeat. With that call, NSX 6.3 returns:

<?xml version="1.0" encoding="UTF-8"?>
<vsmGlobalConfig xmlns="vmware.vshield.edge.2.0">
<versionInfo>6.4</versionInfo>
</vsmGlobalConfig>

while NSX 6.4.2 returns (please note there is no red text from above):

<?xml version="1.0" encoding="UTF-8"?>
<vsmGlobalConfig>
<versionInfo>6.4</versionInfo>
</vsmGlobalConfig>

The bottom line is that with 6.4.2 the registration fails and $FWDIR/log/vsec_config.elg records this error:

ERROR [main] (RestRequest.java:113) - Parsing the XML failed..
DEBUG [main] (RestRequest.java:70) - Stack trace:

javax.xml.bind.UnmarshalException: unexpected element (uri:"", local:"vsmGlobalConfig"). Expected elements are <{vmware.vshield.edge.2.0}vsmGlobalConfig>

As this is lab environment, I cannot open service request for this but I guess it will need to be fixed anyway.

I will downgrade my NSX but since I spent some time on this, I wanted to report it as it would be wasted time otherwise.

Re: R80.20.M1 and Cloudguard NSX

Srdjan_B — Tue, 18 Sep 2018 06:16:42 GMT

Just an update: with R80.10 management, VSR5 hotfix and NSX 6.4.1 everything went well, service can be registered without issues. It seems that only NSX 6.4.2 returns version info without xmlns="vmware.vshield.edge.2.0" part as show in previous post.