LaRockas
Participant

Use DataCenter objects from VMware vCenter.

Dear all,

I am trying to understand the usage of the integration with a Data Center VMware vCenter.

I have successfully configured the VMware vCenter integration and I get information (like IP, name, etc.) from our VM infrastructure. So I thought that I could use this kind of information either in the Access Policy, using Data Center Objects, or to update the information I have for already imported objects.

I have a few questions, which I really have searched a lot before posting here.

1. The user which is configured for the integration with vCenter: what permissions exactly must it have?

2. Why, when I try to use a Data Center object in a rule, do I get an error message like "Data Center objects and Network objects cannot be used together in the Source column" or "Please refer to the vSEC Controller Administration Guide to configure the gateway as required by vSEC"? Regarding the vSEC Controller Administration Guide, is it necessary to enable Identity Awareness - Identity Web API with the localhost? I use different gateways for the PDP and the Identity Collector with IDC (Identity Sources - Identity Collector); should I also enable the Web API?

3. When I have imported a server manually, for example Srv_Web1 - 192.168.10.10, but from the vCenter integration I have more specific information for the server, like the name InternetWebServer - 192.168.10.10, is it possible to update the information I manually added?

I am really trying to understand, in an environment with Firewall GWs, an SMS Server and PDP GWs, which one has the role of vSEC Controller to integrate with the vCenter.

Generally, what benefits do you get from the vCenter integration? Where can you use this integration?

Thanks in advance for any info.

Makis
1 Reply
PhoneBoy
Admin

As per the documentation: "You must have a VMware NSX username with permission of an Auditor or greater to access the CloudGuard Controller."
The CloudGuard (formerly vSEC) Controller runs on the Security Management Server.

You cannot use Datacenter and Network Objects in the source/destination of the same rule.
We have a similar limitation with Access Roles and regular Network Objects, and it's by design.
See: https://community.checkpoint.com/t5/Access-Control-Products/Multiple-types-of-objects-in-source-colu...

Likewise, the underlying mechanism for Datacenter objects is Identity Awareness, which means it needs to be enabled (along with the API) as described in the docs.

Once you import a specific object/tag from vCenter, any updates to this object in vCenter are propagated to the Check Point gateways in a matter of a minute or two.
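As an added illustration (not code from this thread or from Check Point), here is a small Python pre-publish check in the spirit of the answer above: it walks a rulebase shaped like the `rulebase` list returned by the Management API's `show-access-rulebase`, flags any Source or Destination column that holds both a Data Center object (or Access Role) and a plain network object, and shows how to split such a rule into two rules that will pass verification. The object type strings (`data-center-object`, `access-role`, `host`, `CpmiAnyObject`, ...) and the sample rules are assumptions made for this example; compare them against your own management server's output. The check is per column, following the wording of the error message quoted in the question, so a Data Center object in Source with a network object in Destination (rule 2 in the sample) is not flagged.

```python
"""Pre-publish lint for Check Point access rules that put Data Center objects
(or Access Roles) and plain network objects in the same column.

Added example for this thread, not Check Point code. The object 'type'
strings below are assumed to match what the Management API returns from
'show-access-rulebase'; verify them against your own server's output."""
import copy
import json

IDENTITY_TYPES = {"data-center-object", "access-role"}          # assumption
NETWORK_TYPES = {"host", "network", "group", "address-range",
                 "group-with-exclusion"}                         # assumption
ANY_TYPE = "CpmiAnyObject"                                       # assumption


def classify(obj_type):
    """Bucket an object type: identity-based, plain network, Any, or other."""
    if obj_type in IDENTITY_TYPES:
        return "identity"
    if obj_type in NETWORK_TYPES:
        return "network"
    if obj_type == ANY_TYPE:
        return "any"
    return "other"


def find_mixed_columns(rules, columns=("source", "destination")):
    """Return one finding per (rule, column) that mixes identity-based and
    plain network objects; such a column fails policy verification."""
    findings = []
    for rule in rules:
        if rule.get("type") != "access-rule":      # skip section titles etc.
            continue
        for col in columns:
            objs = rule.get(col, [])
            identity = [o["name"] for o in objs if classify(o["type"]) == "identity"]
            network = [o["name"] for o in objs if classify(o["type"]) == "network"]
            if identity and network:
                findings.append({
                    "rule": rule.get("name") or "rule #%s" % rule.get("rule-number"),
                    "column": col,
                    "identity": identity,
                    "network": network,
                })
    return findings


def split_rule(rule, column):
    """Suggested fix: two copies of the rule, one keeping only the identity-based
    objects in `column`, the other only the plain network objects. Everything
    else (action, services, the other column) is left unchanged."""
    identity_rule, network_rule = copy.deepcopy(rule), copy.deepcopy(rule)
    identity_rule[column] = [o for o in rule[column] if classify(o["type"]) == "identity"]
    network_rule[column] = [o for o in rule[column] if classify(o["type"]) == "network"]
    identity_rule["name"] = "%s (Data Center)" % rule.get("name", "")
    network_rule["name"] = "%s (network objects)" % rule.get("name", "")
    return identity_rule, network_rule


# Constructed sample, shaped like the 'rulebase' list of show-access-rulebase.
SAMPLE_RULEBASE = json.loads("""[
  {"type": "access-rule", "rule-number": 1, "name": "Web from DC",
   "source": [{"name": "vCenter_WebTier", "type": "data-center-object"},
              {"name": "Srv_Web1", "type": "host"}],
   "destination": [{"name": "Any", "type": "CpmiAnyObject"}]},
  {"type": "access-rule", "rule-number": 2, "name": "DC to DB",
   "source": [{"name": "vCenter_AppTier", "type": "data-center-object"}],
   "destination": [{"name": "DB_Net", "type": "network"}]},
  {"type": "access-section", "name": "Identity rules"},
  {"type": "access-rule", "rule-number": 3, "name": "Finance users",
   "source": [{"name": "Finance_Users", "type": "access-role"},
              {"name": "Finance_Jump", "type": "host"}],
   "destination": [{"name": "Any", "type": "CpmiAnyObject"}]}
]""")

if __name__ == "__main__":
    for f in find_mixed_columns(SAMPLE_RULEBASE):
        print("%s / %s mixes %s with %s" % (f["rule"], f["column"],
                                             f["identity"], f["network"]))
    dc_rule, net_rule = split_rule(SAMPLE_RULEBASE[0], "source")
    print(json.dumps([dc_rule["source"], net_rule["source"]], indent=1))
```

Run it against the `rulebase` array of a real `show-access-rulebase` response before `publish`, and the same split applies to Access Roles, which the answer notes are subject to the same restriction.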
